1 page.title=Writing SELinux Policy 2 @jd:body 3 4 <!-- 5 Copyright 2014 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 28 29 <p>The Android Open Source Project (AOSP) provides a solid base policy for the 30 applications and services that are common across all Android devices. 31 Contributors to AOSP regularly refine this policy. The core policy is expected 32 to make up about 90–95% of the final on-device policy with device-specific 33 customizations making up the remaining 5–10%. This article focuses on these 34 device-specific customizations, how to write device-specific policy, and some 35 of the pitfalls to avoid along the way.</p> 36 37 <h2 id=device_bringup>Device bringup</h2> 38 39 <p>While writing device-specific policy, progress through the following steps in order.</p> 40 41 <h3 id=run_in_permissive_mode>Run in permissive mode</h3> 42 43 44 <p>When a device is in <a href="index.html#background">permissive mode</a>, 45 denials are logged but not enforced. Permissive mode is important for two 46 reasons:</p> 47 48 <ol> 49 <li> Permissive mode ensures that policy bringup does not delay other early device 50 bringup tasks. 51 <li> An enforced denial may mask other denials. For example, file access 52 typically entails a directory search, file open, then file read. In 53 enforcing mode, only the directory search denial would occur. Permissive 54 mode ensures all denials are seen. 55 </ol> 56 57 <p>The simplest way to put a device into permissive mode is via the 58 <a href="validate.html#switching_to_permissive">kernel command line</a>. This 59 can be added to the the devices BoardConfig.mk file: 60 <code>platform/device/<vendor>/<target>/BoardConfig.mk</code>. 61 After modifying the command line, perform <code>make clean</code>, then 62 <code>make bootimage</code>, and flash the new boot image.</p> 63 64 <p>After that, confirm permissive mode with:</p> 65 66 <p><code>adb getenforce</code></p> 67 68 69 <p>Two weeks is a reasonable amount of time to be in global permissive mode. After 70 addressing the majority of denials, move back into enforcing mode and address 71 bugs as they come in. Domains still producing denials or services still under 72 heavy development can be temporarily put into permissive mode, but move them 73 back to enforcing mode as soon as possible.</p> 74 75 <h3 id=enforce_early>Enforce early</h3> 76 77 78 <p>In enforcing mode, denials are both logged and enforced. It is a best practice 79 to get your device into enforcing mode as early as possible. Waiting to create 80 and enforce device-specific policy often results in a buggy product and a bad 81 user experience. Start early enough to participate in 82 <a href="https://en.wikipedia.org/wiki/Eating_your_own_dog_food">dogfooding</a> 83 and ensure full test coverage of functionality in real world usage. Starting 84 early ensures security concerns inform design decisions. Conversely, granting 85 permissions based solely on observed denials is an unsafe approach. Use this 86 time to perform a security audit of the device and file bugs against behavior 87 that should not be allowed.</p> 88 89 <h3 id=remove_or_delete_existing_policy>Remove or delete existing policy</h3> 90 91 92 <p>There are a number of good reasons to create device-specific policy from 93 scratch on a new device, which include:</p> 94 95 <ul> 96 <li> Security auditing 97 <li> <a href="#overuse_of_negation">Overly permissive policy</a> 98 <li> <a href="#policy_size_explosion">Policy size reduction</a> 99 <li> Dead policy 100 </ul> 101 102 <h3 id=address_denials_of_core_services>Address denials of core services</h3> 103 104 105 <p>Denials generated by core services are typically addressed by file labeling. 106 For example:</p> 107 108 <pre class="no-pretty-print"> 109 avc: denied { open } for pid=1003 comm=mediaserver path="/dev/kgsl-3d0 110 dev="tmpfs" scontext=u:r:mediaserver:s0 tcontext=u:object_r:device:s0 111 tclass=chr_file permissive=1 112 avc: denied { read write } for pid=1003 name="kgsl-3d0" dev="tmpfs" 113 scontext=u:r:mediaserver:s0 114 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 115 </pre> 116 117 118 <p>is completely addressed by properly labeling <code>/dev/kgsl-3d0</code>. In 119 this example, <code>tcontext</code> is <code>device</code>. This represents a 120 default context where everything in <code>/dev</code> receives the 121 <a href="https://android.googlesource.com/platform/external/sepolicy/+/marshmallow-dev/file_contexts#31"> 122 device</a> label unless a more specific label is assigned. Simply accepting 123 the output from <a href="validate.html#using_audit2allow">audit2allow</a> here 124 would result in an incorrect and overly permissive rule.</p> 125 126 <p>To solve this kind of problem, give the file a more specific label, which in 127 this case is 128 <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#1"> 129 gpu_device</a>. No further permissions are needed as the 130 <a href="https://android.googlesource.com/platform/external/sepolicy/+/marshmallow-dev/mediaserver.te#24"> 131 mediaserver already has necessary permissions</a> in core policy to access the 132 gpu_device.</p> 133 134 <p>Other device-specific files that should be labeled with types predefined in 135 core policy:</p> 136 137 <ol> 138 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#31"> 139 block devices</a> 140 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#80"> 141 audio devices</a> 142 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#21"> 143 video devices</a> 144 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#89"> 145 sensors</a> 146 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#8"> 147 nfc</a> 148 <li> gps_device 149 <li> <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/file_contexts#139"> 150 files in /sys</a> 151 <li> files in /proc 152 </ol> 153 154 <p>In general, granting permissions to default labels is wrong. Many of these 155 permissions are disallowed by <a href="customize.html#neverallow">neverallow</a> 156 rules, but even when not explicitly disallowed, best practice is to provide a 157 specific label.</p> 158 159 <h3 id=label_new_services_and_address_denials>Label new services and address denials</h3> 160 161 162 <p>Init-launched services are required to run in their own SELinux domains. The 163 following example puts service foo into its own SELinux domain and grants it 164 permissions.</p> 165 166 <p>The service is launched in our devices <code>init.<target>.rc</code> file as:</p> 167 168 <pre class="no-pretty-print"> 169 service foo /system/bin/foo 170 class core 171 </pre> 172 173 <ol> 174 <li>Create a new domain "foo"<br /> 175 176 <p>Create the file <code>device/<oem>/<target>/sepolicy/foo.te</code> 177 with the following contents:</p> 178 179 <pre class="no-pretty-print"> 180 # foo service 181 type foo, domain; 182 type foo_exec, exec_type, file_type; 183 184 init_daemon_domain(foo) 185 </pre> 186 187 188 <p>This is the initial template for the foo SELinux domain, to which you 189 can add rules based on the specific operations performed by that executable.</p> 190 </li> 191 192 <li>Label <code>/system/bin/foo</code><br /> 193 194 <p>Add the following to <code>device/<oem>/<target>/sepolicy/ 195 file_contexts</code>:</p> 196 197 <pre class="no-pretty-print"> 198 /system/bin/foo u:object_r:foo_exec:s0 199 </pre> 200 201 202 <p>This makes sure the executable is properly labeled so SELinux runs the 203 service in the proper domain.</p> 204 </li> 205 206 <li>Build and flash the boot and system images.</li> 207 208 <li>Refine the SELinux rules for the domain.<br /> 209 210 <p>Use denials to determine the required permissions. The 211 <a href="validate.html#using_audit2allow">audit2allow</a> tool provides 212 good guidelines, but only use it to inform policy writing. Do 213 not just copy the output.</p> 214 </li> 215 </ol> 216 217 <h3 id=enforcing_mode>Switch back to enforcing mode</h3> 218 219 220 <p>Its fine to troubleshoot in permissive mode, but switch back to enforcing 221 mode as early as possible and try to remain there.</p> 222 223 <h2 id=common_mistakes>Common mistakes</h2> 224 225 226 <p>Here are a few solutions for common mistakes that happen when writing 227 device-specific policies.</p> 228 229 <h3 id=overuse_of_negation>Overuse of negation</h3> 230 231 232 <p>The following example rule is like locking the front door but leaving the 233 windows open:</p> 234 235 <p><code>allow { domain -untrusted_app } scary_debug_device:chr_file rw_file_perms</code>.</p> 236 237 <p>The intent is clear: everyone but third-party apps may have access to the debug 238 device. </p> 239 240 <p>The rule is flawed in a few of ways. The exclusion of <code>untrusted_app</code> 241 is trivial to work around because all apps may optionally run services in the 242 <code>isolated_app</code> domain. Likewise, if new domains for third-party apps 243 are added to AOSP, they will also have access to <code>scary_debug_device</code>. 244 The rule is overly permissive. Most domains will not benefit from having 245 access to this debugging tool. The rule should have been written to allow only 246 the domains that require access. </p> 247 248 <h3 id=debugging_features_in_production>Debugging features in production</h3> 249 250 251 <p>Debug features should not be present on production builds nor should their 252 policy.</p> 253 254 <p>The simplest alternative is to only allow the debug feature when SELinux is 255 disabled on eng/userdebug builds, such as <code>adb root</code> and 256 <code>adb setenforce 0</code>.</p> 257 258 <p>Another safe alternative is to enclose debug permissions in a 259 <a href="https://android.googlesource.com/device/lge/hammerhead/+/marshmallow-dev/sepolicy/platform_app.te#3"> 260 userdebug_or_eng</a> statement.</p> 261 262 <h3 id=policy_size_explosion>Policy size explosion</h3> 263 264 265 <p><a href="http://arxiv.org/abs/1510.05497">Characterizing SEAndroid Policies in the Wild</a> 266 describes a concerning trend in the growth of device policy customizations. 267 Device-specific policy should account for 5–10% of the overall policy running on 268 a device. Customizations in the 20%+ range almost certainly contain over 269 privileged domains and dead policy.</p> 270 271 <p>Unnecessarily large policy:</p> 272 273 <ul> 274 <li> Takes a double hit on memory as the policy sits in the ramdisk and is also 275 loaded into kernel memory. 276 <li> Wastes disk space by necessitating a larger bootimage. 277 <li> Affects runtime policy lookup times. 278 </ul> 279 280 <p> The following example shows two devices where the manufacturer-specific policy 281 comprised 50% and 40% of the on-device policy. A rewrite of the policy yielded 282 substantial security improvements with no loss in functionality, as shown 283 below. (AOSP devices Shamu and Flounder are included for comparison.)</p> 284 285 286 <p><img alt="Figure 1: Comparison of device-specific policy size after security audit." 287 src="images/selinux_device_policy_reduction.png" /></p> 288 <p class="img-caption"><strong>Figure 1</strong>. Comparison of device-specific 289 policy size after security audit.</p> 290 291 <p>In both cases, the policy was dramatically reduced both in size and in number 292 of permissions. The decrease in policy size is almost entirely due to removing 293 unnecessary permissions, many of which were likely rules generated by 294 audit2allow that were indiscriminately added to the policy. Dead domains were 295 also an issue for both devices.</p> 296 297 <h3 id=granting_the_dac_override_capability>Granting the dac_override capability</h3> 298 299 300 <p>A<code> dac_override</code> denial means that the offending process is 301 attempting to access a file with the incorrect unix user/group/world permissions. 302 The proper solution is almost never to grant the <code>dac_override</code> permission. 303 Instead <a href="https://android-review.googlesource.com/#/c/174530/5/update_engine.te@11"> 304 change the unix permissions on the file or process</a>. A few domains such as 305 init, vold, and installd genuinely need the ability to override unix file 306 permissions to access other processes files. See 307 <a href="http://danwalsh.livejournal.com/69478.html">Dan Walshs blog</a> 308 for a more in-depth explanation.</p> 309 310 <h2 id=additional_resources>Additional resources</h2> 311 312 313 <p>The <a href="http://seandroid.bitbucket.org/ForMoreInformation.html">SEAndroid 314 mailing list</a> is an excellent place to ask questions or request a code review.</p> 315 316 <p>AOSP provides a concise overview of <a href="index.html">SELinux on Android</a>.</p> 317 318 <p>A more in-depth description is available 319 <a href="http://seandroid.bitbucket.org/">here</a>.</p> 320 321
