page.title=Security-Enhanced Linux in Android
@jd:body

<!--
    Copyright 2014 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
    </ol>
  </div>
</div>

<h2 id=introduction>Introduction</h2>

<p>The Android security model is based in part on the concept of application
sandboxes. Each application runs in its own sandbox. Prior to Android 4.3,
these sandboxes were defined by the creation of a unique Linux UID for each
application at time of installation. Starting with Android 4.3,
Security-Enhanced Linux (SELinux) is used to further define the boundaries of
the Android application sandbox.</p>

<p>As part of the Android <a href="{@docRoot}security/index.html">security
model</a>, Android uses SELinux to enforce mandatory access control (MAC) over
all processes, even processes running with root/superuser privileges (a.k.a.
Linux capabilities). SELinux enhances Android security by confining privileged
processes and automating security policy creation.</p>

<p>Contributions to SELinux support in Android have been made by a number of
companies and organizations; all Android code and contributors are publicly
available for review on <a
href="https://android.googlesource.com/">android.googlesource.com</a>. With
SELinux, Android can better protect and confine system services, control
access to application data and system logs, reduce the effects of malicious
software, and protect users from potential flaws in code on mobile devices.</p>

<p>Android includes SELinux in enforcing mode and a corresponding security
policy that works by default across the <a
href="https://android.googlesource.com/">Android Open Source Project</a>. In
enforcing mode, illegitimate actions are prevented and all attempted violations
are logged by the kernel to <code>dmesg</code> and <code>logcat</code>. Android
device manufacturers should gather information about these denials so they can
refine their software and SELinux policies before enforcing them.</p>

<h2 id=background>Background</h2>

<p>SELinux operates on the principle of default denial: anything that is not
explicitly allowed is denied. SELinux can operate in one of two global modes:
permissive mode, in which permission denials are logged but not enforced, and
enforcing mode, in which denials are both logged and enforced. SELinux also
supports a per-domain permissive mode in which specific domains (processes) can
be made permissive while the rest of the system stays in global enforcing
mode. A domain is simply a label identifying a process or set of processes in
the security policy; all processes labeled with the same domain are treated
identically by the security policy. Per-domain permissive mode enables
incremental application of SELinux to an ever-increasing portion of the system,
and it enables policy development for new services while keeping the rest of
the system enforcing.</p>

<p>In the Android 5.0 (L) release, Android moves to full enforcement of
SELinux. This builds upon the permissive release of 4.3 and the partial
enforcement of 4.4. In short, Android is shifting from enforcement on a
limited set of crucial domains (<code>installd</code>, <code>netd</code>,
<code>vold</code> and <code>zygote</code>) to everything (more than 60
domains). This means manufacturers will have to better understand and scale
their SELinux implementations to provide compatible devices. Understand
that:</p>

<ul>
  <li>Everything is in enforcing mode in the 5.0 release</li>
  <li>No processes other than <code>init</code> should run in the
  <code>init</code> domain</li>
  <li>Any denial against a generic label (<code>block_device</code>,
  <code>socket_device</code>, <code>default_service</code>, etc.) indicates
  that the device needs a dedicated domain for that object</li>
</ul>

<h2 id=supporting_documentation>Supporting documentation</h2>

<p>See the documentation below for details on constructing useful policies:</p>

<p><a href="http://seandroid.bitbucket.org/PapersandPresentations.html">
http://seandroid.bitbucket.org/PapersandPresentations.html</a></p>

<p><a href="https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid">
https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid</a></p>

<p><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf">
https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf</a></p>

<p><a href="https://www.internetsociety.org/sites/default/files/02_4.pdf">
https://www.internetsociety.org/sites/default/files/02_4.pdf</a></p>

<p><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf">
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf</a></p>

<p><a href="http://selinuxproject.org/page/ObjectClassesPerms">
http://selinuxproject.org/page/ObjectClassesPerms</a></p>

<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf">
https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf</a></p>

<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf">
https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf</a></p>

<p><a href="https://www.gnu.org/software/m4/manual/index.html">
https://www.gnu.org/software/m4/manual/index.html</a></p>
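<p>The Background section above states that denials are logged by the kernel to <code>dmesg</code> and <code>logcat</code>, that no process other than <code>init</code> should run in the <code>init</code> domain, and that a denial against a generic label such as <code>block_device</code>, <code>socket_device</code> or <code>default_service</code> means the device needs a dedicated domain. The Python script below is an added example, not part of this page or of AOSP: it parses the kernel's <code>avc: denied</code> records, applies those two checks, and tallies per source domain how many denials were enforced versus merely logged, which is how a manufacturer can see which domains are still per-domain permissive. The log lines are constructed for illustration; <code>GENERIC_TARGET_TYPES</code> lists only the three labels the page names and is an assumption to be extended to match the device's own policy.</p>

```python
import re
from collections import defaultdict

# Constructed sample of what the kernel writes to dmesg/logcat when SELinux
# denies an access. PIDs, names and labels are made up for illustration; the
# line shape is the standard AVC audit record.
SAMPLE_LOG = """\
[   12.345678] type=1400 audit(0.0:42): avc: denied { read write } for pid=1234 comm="vendor_daemon" name="mmcblk0p1" dev="tmpfs" ino=1001 scontext=u:r:init:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
[   12.456789] type=1400 audit(0.0:43): avc: denied { write } for pid=2345 comm="rild" name="rild" dev="tmpfs" ino=1002 scontext=u:r:rild:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=1
[   13.000001] type=1400 audit(0.0:44): avc: denied { open } for pid=3456 comm="com.example.app" path="/data/misc/example/state" dev="dm-0" ino=2002 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
[   13.100002] type=1400 audit(0.0:45): avc: denied { add } for service=vendor.example.foo pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:default_service:s0 tclass=service_manager permissive=0
[   13.200003] init: starting service 'vendor_daemon'...
"""

# Shape of an AVC denial: "avc: denied { perms } for <key=value fields>
# scontext=... tcontext=... tclass=... [permissive=0|1]". Using search() lets
# the same expression handle dmesg (kernel timestamp prefix) and logcat output.
AVC_RE = re.compile(
    r"avc: +denied +\{ *(?P<perms>[^}]*?) *\} +for +"
    r"(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
    r"(?: +permissive=(?P<permissive>[01]))?"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: generic labels named on this page; extend for the device policy.
GENERIC_TARGET_TYPES = {"block_device", "socket_device", "default_service"}


def parse_context(ctx):
    """Return the type field of a security context, e.g. u:r:init:s0 -> init."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_denials(text):
    """Extract one record per AVC denial line; non-AVC lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "?"),
            "pid": fields.get("pid"),
            "source_type": parse_context(m.group("scontext")),
            "target_type": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # Older kernels omit permissive=; treat a missing flag as enforced.
            "enforced": m.group("permissive") != "1",
        })
    return denials


def generic_denials(denials):
    """Denials whose target still carries a catch-all label: each one marks an
    object that needs its own type and domain rules before enforcement."""
    return [d for d in denials if d["target_type"] in GENERIC_TARGET_TYPES]


def init_domain_misuse(denials):
    """Processes other than init itself that are running in the init domain."""
    return [d for d in denials if d["source_type"] == "init" and d["comm"] != "init"]


def summarize(denials):
    """Per source domain, count denials that were enforced vs. only logged."""
    summary = defaultdict(lambda: {"enforced": 0, "permissive": 0})
    for d in denials:
        summary[d["source_type"]]["enforced" if d["enforced"] else "permissive"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in generic_denials(found):
        print(f"generic label: {d['source_type']} -> {d['target_type']} "
              f"({d['tclass']} {' '.join(d['perms'])}): needs a device-specific type")
    for d in init_domain_misuse(found):
        print(f"init-domain misuse: comm={d['comm']} pid={d['pid']}")
    print(summarize(found))
```

<p>On a device the same functions can be fed the output of <code>dmesg</code> or <code>logcat</code> captured over a boot and a test run; a domain that appears only under the <code>permissive</code> count is one that is still being developed, and every entry returned by <code>generic_denials</code> is a labelling gap to close before the domain is switched to enforcing.</p>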