page.title=Security-Enhanced Linux in Android
@jd:body

<!--
    Copyright 2014 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
    </ol>
  </div>
</div>

<h2 id=introduction>Introduction</h2>

<p>The Android security model is based in part on the concept of application
sandboxes. Each application runs in its own sandbox. Prior to Android 4.3,
these sandboxes were defined by the creation of a unique Linux UID for each
application at time of installation. Starting with Android 4.3,
Security-Enhanced Linux (SELinux) is used to further define the boundaries of
the Android application sandbox.</p>

<p>As part of the Android <a href="{@docRoot}devices/tech/security/index.html">security model</a>, Android uses SELinux to enforce mandatory access control (MAC) over all
processes, even processes running with root/superuser privileges (a.k.a. Linux
capabilities). SELinux enhances Android security by confining privileged
processes and automating security policy creation.</p>
<p>Contributions to Android's SELinux support have been made by a number of companies and organizations;
all Android code and contributors are publicly available for review on <a href="https://android.googlesource.com/">android.googlesource.com</a>. With SELinux, Android can better protect and confine system services, control
access to application data and system logs, reduce the effects of malicious
software, and protect users from potential flaws in code on mobile devices.</p>

<p>Android includes SELinux in enforcing mode and a corresponding security policy
that works by default across the <a href="https://android.googlesource.com/">Android Open Source Project</a>. In enforcing mode, illegitimate actions are prevented and all attempted
violations are logged by the kernel to <code>dmesg</code> and <code>logcat</code>. Android device manufacturers should gather information about errors so they
may refine their software and SELinux policies before enforcing them.</p>

<h2 id=background>Background</h2>

<p>SELinux operates on the ethos of default denial. Anything that is not
explicitly allowed is denied. SELinux can operate in one of two global modes:
permissive mode, in which permission denials are logged but not enforced, and
enforcing mode, in which denials are both logged and enforced. SELinux also
supports a per-domain permissive mode in which specific domains (processes) can
be made permissive while placing the rest of the system in global enforcing
mode. A domain is simply a label identifying a process or set of processes in
the security policy, where all processes labeled with the same domain are
treated identically by the security policy. Per-domain permissive mode enables
incremental application of SELinux to an ever-increasing portion of the system.
Per-domain permissive mode also enables policy development for new services
while keeping the rest of the system enforcing.</p>

<p>In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds
upon the permissive release of 4.3 and the partial enforcement of 4.4. In
short, Android is shifting from enforcement on a limited set of crucial domains
(<code>installd</code>, <code>netd</code>, <code>vold</code> and <code>zygote</code>) to everything (more than 60 domains). This means manufacturers will have to
better understand and scale their SELinux implementations to provide compatible
devices. Understand that:</p>

<ul>
  <li> Everything is in enforcing mode in the 5.0 release</li>
  <li> No processes other than <code>init</code> should run in the <code>init</code> domain</li>
  <li> Any generic denial (for a block_device, socket_device, default_service, etc.)
indicates that device needs a special domain</li>
</ul>
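<p>The two practical points above (denials are logged to <code>dmesg</code>/<code>logcat</code> and should be gathered before enforcing, and a denial against a generic type such as block_device or socket_device means the object needs its own label rather than a blanket allow rule) can be turned into a small triage script. The following Python is an added example written for this page, not an AOSP tool: it parses kernel <code>avc: denied</code> lines, aggregates them by source domain, target type and object class the way a policy author would review them, and flags denials whose target is one of the generic types named above. The log lines are constructed for the example, and the set of generic types is taken from this page's examples plus the AOSP <code>default_android_service</code> label, so it is illustrative rather than exhaustive.</p>

```python
import re
from collections import Counter, defaultdict

# Constructed sample denials in the kernel avc format (not captured from a
# real device). The fourth line carries a dmesg timestamp prefix on purpose.
SAMPLE_LOG = """\
type=1400 audit(1432231534.523:164): avc: denied { read } for pid=2020 comm="rmt_storage" name="mem" dev="tmpfs" ino=8713 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file permissive=0
type=1400 audit(1432231534.530:165): avc: denied { read write } for pid=2031 comm="sensord" name="mmcblk0p12" dev="tmpfs" ino=9100 scontext=u:r:sensord:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=1
type=1400 audit(1432231534.541:166): avc: denied { connectto } for pid=2031 comm="sensord" path="/dev/socket/foo" scontext=u:r:sensord:s0 tcontext=u:object_r:socket_device:s0 tclass=unix_stream_socket permissive=1
[  17.612345] type=1400 audit(1432231535.001:167): avc: denied { find } for service=vendor.foo pid=2050 uid=1000 scontext=u:r:system_app:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=0
"""

# Generic target types from the page's bullet list (default_service spelled as
# on the page, plus the AOSP service_contexts default label). Illustrative only.
GENERIC_TYPES = {"block_device", "socket_device", "default_service",
                 "default_android_service"}

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict for one avc denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Security contexts look like u:r:domain:s0 / u:object_r:type:s0;
    # the third colon-separated field is the type we aggregate on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    # permissive=1 means the access was logged but allowed (permissive domain).
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(log_text):
    """Aggregate denials by (source domain, target type, class), most frequent first."""
    denials = [d for d in (parse_denial(l) for l in log_text.splitlines()) if d]
    counts = Counter()
    perms = defaultdict(set)
    for d in denials:
        key = (d.get("scontext_type"), d.get("tcontext_type"), d.get("tclass"))
        counts[key] += 1
        perms[key].update(d["perms"])
    rows = []
    for (src, tgt, cls), count in counts.most_common():
        rows.append({
            "source": src, "target": tgt, "class": cls,
            "perms": sorted(perms[(src, tgt, cls)]),
            "count": count,
            # A denial against a generic type is a labeling problem, not a
            # missing allow rule: the object needs a device-specific type.
            "needs_domain": tgt in GENERIC_TYPES,
        })
    return rows


def review_line(row):
    """One line a policy author would review for this aggregated denial."""
    if row["needs_domain"]:
        return ("NEEDS LABEL: %s -> %s:%s { %s } targets a generic type; "
                "give the object its own type in file_contexts/service_contexts "
                "instead of allowing access to %s"
                % (row["source"], row["target"], row["class"],
                   " ".join(row["perms"]), row["target"]))
    return "allow %s %s:%s { %s };" % (
        row["source"], row["target"], row["class"], " ".join(row["perms"]))


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print("%3d  %s" % (row["count"], review_line(row)))
```

<p>On a real device the input would be the output of <code>dmesg</code> or <code>logcat</code> pulled over adb; the script only needs the <code>avc: denied</code> lines and tolerates the kernel timestamp prefix. The point of the <code>needs_domain</code> flag is the one the bullet list makes: an allow rule against <code>block_device</code> or <code>socket_device</code> would grant access to every unlabeled node of that kind, so the correct fix is a new type for the specific device node or service, after which the denial can be re-evaluated against that type.</p>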

<h2 id=supporting_documentation>Supporting documentation</h2>

<p>See the documentation below for details on constructing useful policies:</p>

<p><a href="http://seandroid.bitbucket.org/PapersandPresentations.html">http://seandroid.bitbucket.org/PapersandPresentations.html</a></p>

<p><a href="https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid">https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid</a></p>

<p><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf">https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf</a></p>

<p><a href="https://www.internetsociety.org/sites/default/files/02_4.pdf">https://www.internetsociety.org/sites/default/files/02_4.pdf</a></p>

<p><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf">http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf</a></p>

<p><a href="http://selinuxproject.org/page/ObjectClassesPerms">http://selinuxproject.org/page/ObjectClassesPerms</a></p>

<p><a href="https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf">https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf</a></p>

<p><a href="https://www.nsa.gov/research/_files/publications/selinux_configuring_policy.pdf">https://www.nsa.gov/research/_files/publications/selinux_configuring_policy.pdf</a></p>

<p><a href="https://www.gnu.org/software/m4/manual/index.html">https://www.gnu.org/software/m4/manual/index.html</a></p>

<h2 id=help>Help</h2>

<p>Over time, Android intends to support common manufacturer additions in its
default SELinux policy. For more information, contact <a href="mailto:security@android.com">security@android.com</a>.</p>
