1 page.title=Customizing SELinux 2 @jd:body 3 4 <!-- 5 Copyright 2014 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <p>Once you've integrated this base level of functionality and thoroughly analyzed 28 the results, you may add your own policy settings to cover your customizations 29 to the Android operating system. Of course, these policies must still meet the <a href="{@docRoot}compatibility/index.html">Android Compatibility program</a> requirements and not remove the default SELinux settings.</p> 30 31 <p>Manufacturers should not remove existing security settings. Otherwise, they 32 risk breaking the Android SELinux implementation and the applications it 33 governs. This includes third-party applications that will likely need to be 34 improved to be compliant and operational. Applications must require no 35 modification to continue functioning on SELinux-enabled devices.</p> 36 37 <p>When embarking upon customizing SELinux, manufacturers should remember to:</p> 38 39 <ul> 40 <li>Write SELinux policy for all new daemons 41 <li>Use predefined domains whenever appropriate 42 <li>Assign a domain to any process spawned as an <code>init</code> service 43 <li>Become familiar with the macros before writing policy 44 <li>Submit changes to core policy to AOSP 45 </ul> 46 47 <p>And not to:</p> 48 49 <ul> 50 <li>Create incompatible policy 51 <li>Allow end user policy customization 52 <li>Allow MDM policy customizations 53 <li>Scare users with policy violations 54 <li>Add backdoors 55 </ul> 56 57 <p>See the <em>Kernel Security Features</em> section of the <a href="{@docRoot}compatibility/android-cdd.pdf">Android Compatibility Definition document</a> for specific requirements.</p> 58 59 <p>SELinux uses a whitelist approach, meaning all access must be explicitly 60 allowed in policy in order to be granted. Since Android's default SELinux 61 policy already supports the Android Open Source Project, OEMs are not required 62 to modify SELinux settings in any way. If they do customize SELinux settings, 63 they should take great care not to break existing applications. Here is how we 64 recommend proceeding:</p> 65 66 <ol> 67 <li>Use the <a href="https://android.googlesource.com/kernel/common/">latest Android kernel</a>. 68 <li>Adopt the <a href="http://en.wikipedia.org/wiki/Principle_of_least_privilege">principle of least privilege</a>. 69 <li>Address only your own additions to Android. The default policy works with the <a href="https://android.googlesource.com/">Android Open Source Project</a> codebase automatically. 70 <li>Compartmentalize software components into modules that conduct singular tasks. 71 <li>Create SELinux policies that isolate those tasks from unrelated functions. 72 <li>Put those policies in *.te files (the extension for SELinux policy source 73 files) within the <code>/device/manufacturer/device-name/sepolicy</code> directory and use 74 <code>BOARD_SEPOLICY</code> variables to include them in your build. 75 <li>Make new domains permissive initially. In Android 4.4 and earlier, this is done 76 using a permissive declaration. In later versions of Android, per-domain 77 permissive mode is specified using the <code>permissive_or_unconfined()</code> macro. 78 <li>Analyze results and refine your domain definitions. 79 <li>Remove the permissive declaration when no further denials appear in userdebug 80 builds. 81 </ol> 82 83 <p>Once integrated, OEM Android development should include a step to ensure 84 SELinux compatibility going forward. In an ideal software development process, 85 SELinux policy changes only when the software model changes and not the actual 86 implementation.</p> 87 88 <p>As device manufacturers begin to customize SELinux, they should first audit 89 their additions to Android. If they've added a component that conducts a new 90 function, the manufacturers will need to ensure the component meets the 91 security policy applied by Android, as well as any associated policy crafted by 92 the OEM, before turning on enforcing mode.</p> 93 94 <p>To prevent unnecessary issues, it is better to be overbroad and over-compatible 95 than too restrictive and incompatible, which results in broken device 96 functions. Conversely, if a manufacturer's changes will benefit others, it 97 should supply the modifications to the default SELinux policy as a <a href="{@docRoot}source/submit-patches.html">patch</a>. If the patch is applied to the default security policy, the manufacturer will no longer need to make this change with each new Android release.</p> 98 99 <h2 id=example_policy_statements>Example policy statements</h2> 100 101 <p>First, note SELinux is based upon the <a href="https://www.gnu.org/software/m4/manual/index.html">M4</a> computer language and therefore supports a variety of macros to save time.</p> 102 103 <p>In the following example, all domains are granted access to read or write to <code>/dev/null</code> and read from <code>/dev/0</code>.</p> 104 105 <pre> 106 # Allow read / write access to /dev/null 107 allow domain null_device:chr_file { getattr open read ioctl lock append write}; 108 109 # Allow read-only access to /dev/zero 110 allow domain zero_device:chr_file { getattr open read ioctl lock }; 111 </pre> 112 113 114 <p>This same statement can be written with SELinux <code>*_file_perms</code> macros (shorthand):</p> 115 116 <pre> 117 # Allow read / write access to /dev/null 118 allow domain null_device:chr_file rw_file_perms; 119 120 # Allow read-only access to /dev/zero 121 allow domain zero_device:chr_file r_file_perms; 122 </pre> 123 124 <h2 id=example_policy>Example policy</h2> 125 126 <p>Here is a complete example policy for DHCP, which we examine below:</p> 127 128 <pre> 129 type dhcp, domain; 130 permissive_or_unconfined(dhcp) 131 type dhcp_exec, exec_type, file_type; 132 type dhcp_data_file, file_type, data_file_type; 133 134 init_daemon_domain(dhcp) 135 net_domain(dhcp) 136 137 allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service 138 }; 139 allow dhcp self:packet_socket create_socket_perms; 140 allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write }; 141 allow dhcp shell_exec:file rx_file_perms; 142 allow dhcp system_file:file rx_file_perms; 143 # For /proc/sys/net/ipv4/conf/*/promote_secondaries 144 allow dhcp proc_net:file write; 145 allow dhcp system_prop:property_service set ; 146 unix_socket_connect(dhcp, property, init) 147 148 type_transition dhcp system_data_file:{ dir file } dhcp_data_file; 149 allow dhcp dhcp_data_file:dir create_dir_perms; 150 allow dhcp dhcp_data_file:file create_file_perms; 151 152 allow dhcp netd:fd use; 153 allow dhcp netd:fifo_file rw_file_perms; 154 allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write }; 155 allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket 156 netlink_nflog_socket } { read write }; 157 </pre> 158 159 <p>Lets dissect the example:</p> 160 161 <p>In the first line, the type declaration, the DHCP daemon inherits from the base 162 security policy (<code>domain</code>). From the previous statement examples, we know DHCP can read from and write 163 to <code>/dev/null.</code></p> 164 165 <p>In the second line, DHCP is identified as an experimental domain (<code>permissive_or_unconfined</code>) with only minimal rules enforced.</p> 166 167 <p>In the <code>init_daemon_domain(dhcp)</code> line, the policy states DHCP is spawned from <code>init</code> and is allowed to communicate with it.</p> 168 169 <p>In the <code>net_domain(dhcp)</code> line, the policy allows DHCP to use common network functionality from the <code>net</code> domain such as reading and writing TCP packets, communicating over sockets, and conducting DNS requests.</p> 170 171 <p>In the line <code>allow dhcp proc_net:file write;</code>, the policy states DHCP can write to specific files in <code>/proc</code>. This line demonstrates SELinuxs fine-grained file labeling. It uses the <code>proc_net</code> label to limit write access to only the files under <code>/proc/sys/net</code>.</p> 172 173 <p>The final block of the example starting with <code>allow dhcp netd:fd use;</code> depicts how applications may be allowed to interact with one another. The 174 policy says DHCP and netd may communicate with one another via file 175 descriptors, FIFO files, datagram sockets, and UNIX stream sockets. DHCP may 176 only read to and write from the datagram sockets and UNIX stream sockets and 177 not create or open them.</p> 178 179 <h2 id=available_controls>Available controls</h2> 180 181 <table> 182 <tr> 183 <td> 184 <p><strong>Domain</strong></p> 185 </td> 186 <td> 187 <p><strong>Capability</strong></p> 188 </td> 189 </tr> 190 <tr> 191 <td> 192 <p>file</p> 193 </td> 194 <td> 195 <pre> 196 ioctl read write create getattr setattr lock relabelfrom relabelto append 197 unlink link rename execute swapon quotaon mounton</pre> 198 </td> 199 </tr> 200 <tr> 201 <td> 202 <p>directory</p> 203 </td> 204 <td> 205 <pre> 206 add_name remove_name reparent search rmdir open audit_access execmod</pre> 207 </td> 208 </tr> 209 <tr> 210 <td> 211 <p>socket</p> 212 </td> 213 <td> 214 <pre> 215 ioctl read write create getattr setattr lock relabelfrom relabelto append bind 216 connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg 217 name_bind</pre> 218 </td> 219 </tr> 220 <tr> 221 <td> 222 <p>filesystem</p> 223 </td> 224 <td> 225 <pre> 226 mount remount unmount getattr relabelfrom relabelto transition associate 227 quotamod quotaget</pre> 228 </td> 229 </tr> 230 <tr> 231 <td> 232 <p>process</p> 233 </td> 234 <td> 235 <pre> 236 fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched 237 getsession getpgid setpgid getcap setcap share getattr setexec setfscreate 238 noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem 239 execstack execheap setkeycreate setsockcreate</pre> 240 </td> 241 </tr> 242 <tr> 243 <td> 244 <p>security</p> 245 </td> 246 <td> 247 <pre> 248 compute_av compute_create compute_member check_context load_policy 249 compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot 250 read_policy</pre> 251 </td> 252 </tr> 253 <tr> 254 <td> 255 <p>capability</p> 256 </td> 257 <td> 258 <pre> 259 chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap 260 linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock 261 ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin 262 sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write 263 audit_control setfcap</pre> 264 </td> 265 </tr> 266 <tr> 267 <td> 268 <p><strong>MORE</strong></p> 269 </td> 270 <td> 271 <p><strong>AND MORE</strong></p> 272 </td> 273 </tr> 274 </table> 275
