1 <html devsite> 2 <head> 3 <title>Implementing SELinux</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>SELinux is set up to default-deny, which means that every single access for 27 which it has a hook in the kernel must be explicitly allowed by policy. This 28 means a policy file is comprised of a large amount of information regarding 29 rules, types, classes, permissions, and more. A full consideration of SELinux 30 is out of the scope of this document, but an understanding of how to write 31 policy rules is now essential when bringing up new Android devices. There is a 32 great deal of information available regarding SELinux already. See <a 33 href="/security/selinux#supporting_documentation">Supporting 34 documentation</a> for suggested resources.</p> 35 36 <h2 id=summary_of_steps>Summary of steps</h2> 37 38 <p>Here is a brief summary of the steps needed to implement SELinux on your 39 Android device:</p> 40 41 <ol> 42 <li>Add SELinux support in the kernel and configuration. 43 <li>Grant each service (process or daemon) started from <code>init</code> its own domain. 44 <li>Identify these services by: 45 <ul> 46 <li>Reviewing the init.<device>.rc file and finding all services. 47 <li>Examining warnings of the form <em>init: Warning! Service name needs a SELinux domain defined; please fix!</em> in <code>dmesg</code> output. 48 <li>Checking <code>ps -Z | grep init</code> output to see which services are running in the init domain. 49 </ul> 50 <li>Label all new processes, drivers, sockets, etc. 51 All objects need to be labeled 52 properly to ensure they interact properly with the policies you apply. See the 53 labels used in AOSP for examples to follow in label name creation. 54 <li>Institute security policies that fully cover all labels and restrict 55 permissions to their absolute minimum. 56 </ol> 57 58 <p>Ideally, OEMs start with the policies in the AOSP and then build upon them for 59 their own customizations.</p> 60 61 <h2 id=key_files>Key files</h2> 62 63 <p>SELinux for Android is accompanied by everything you need to enable SELinux 64 now. You merely need to integrate the <a href="https://android.googlesource.com/kernel/common/">latest Android kernel</a> and then incorporate the files found in the <a href="https://android.googlesource.com/platform/system/sepolicy/">system/sepolicy</a> directory:</p> 65 66 <p><a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/ </a></p> 67 68 <p><a href="https://android.googlesource.com/platform/system/sepolicy/">https://android.googlesource.com/platform/system/sepolicy/</a></p> 69 70 <p>Those files when compiled comprise the SELinux kernel security policy and cover 71 the upstream Android operating system. You should not need to modify the 72 system/sepolicy files directly. Instead, add your own device-specific policy 73 files within the /device/manufacturer/device-name/sepolicy directory.</p> 74 75 <p>Here are the files you must create or edit in order to implement SELinux:</p> 76 77 <ul> 78 <li><em>New SELinux policy source (*.te) files</em> - Located in the 79 <root>/device/manufacturer/device-name/sepolicy directory. These files define 80 domains and their labels. The new policy files get 81 concatenated with the existing policy files during compilation into a single 82 SELinux kernel policy file. 83 <p class="caution"><strong>Important:</strong> Do not alter the app.te file 84 provided by the Android Open Source Project. 85 Doing so risks breaking all third-party applications.</p> 86 <li><em>Updated BoardConfig.mk makefile</em> - Located in the <device-name> 87 directory containing the sepolicy subdirectory. It must be updated to reference 88 the sepolicy subdirectory once created if it 89 wasnt in initial implementation. 90 <li><em>file_contexts</em> - Located in the sepolicy subdirectory. This file 91 assigns labels to files and is used by various userspace components. As you 92 create new policies, create or update this file to 93 assign new labels to files. In order to apply new file_contexts, you must 94 rebuild the filesystem image or run <code>restorecon</code> on the file to be 95 relabeled. On upgrades, changes to file_contexts are automatically applied to 96 the system and userdata partitions as part of the upgrade. Changes can also be 97 automatically applied on upgrade to other partitions by adding 98 restorecon_recursive calls to your init.<em>board</em>.rc file after the 99 partition has been mounted read-write. 100 <li><em>genfs_contexts</em> - Located in the sepolicy subdirectory. This file 101 assigns labels to filesystems such as proc or vfat that do not support extended 102 attributes. This configuration is loaded as part of the kernel policy but 103 changes may not take effect for in-core inodes, requiring a reboot or 104 unmounting and re-mounting the filesystem to fully apply the change. Specific 105 labels may also be assigned to specific mounts such as vfat using the context= 106 mount option. 107 <li><em>property_contexts</em> - Located in the sepolicy subdirectory. This 108 file assigns labels to Android system properties to control what processes can 109 set them. This configuration is read by the init process during startup. 110 <li><em>service_contexts</em> - Located in the sepolicy subdirectory. This 111 file assigns labels to Android binder services to control what processes can 112 add (register) and find (lookup) a binder reference for the service. This 113 configuration is read by the servicemanager process during startup. 114 <li><em>seapp_contexts</em> - Located in the sepolicy subdirectory. This file 115 assigns labels to app processes and /data/data directories. This configuration 116 is read by the zygote process on each app launch and by installd during 117 startup. 118 <li><em>mac_permissions.xml</em> - Located in the sepolicy subdirectory. This 119 file assigns a seinfo tag to apps based on their signature and optionally their 120 package name. The seinfo tag can then be used as a key in the seapp_contexts 121 file to assign a specific label to all apps with that seinfo tag. This 122 configuration is read by system_server during startup. 123 </ul> 124 125 <p>Then just update your BoardConfig.mk makefile - located in the directory 126 containing the sepolicy subdirectory - to reference the sepolicy subdirectory 127 and each policy file once created, as shown below. The BOARD_SEPOLICY variables 128 and their meaning is documented in the system/sepolicy/README file.</p> 129 130 <pre class="devsite-click-to-copy"> 131 BOARD_SEPOLICY_DIRS += \ 132 <root>/device/manufacturer/device-name/sepolicy 133 134 BOARD_SEPOLICY_UNION += \ 135 genfs_contexts \ 136 file_contexts \ 137 sepolicy.te 138 </pre> 139 140 <p class="note"><strong>Note:</strong> As of the M release, 141 BOARD_SEPOLICY_UNION is no longer required as all policy files found within any 142 directory included in the BOARD_SEPOLICY_DIRS variable are joined with the 143 base policy automatically.</p> 144 145 <p>After rebuilding your device, it is enabled with SELinux. You can now either 146 customize your SELinux policies to accommodate your own additions to the 147 Android operating system as described in <a 148 href="customize.html">Customization</a> or verify your existing setup as 149 covered in <a href="validate.html">Validation</a>.</p> 150 151 <p>Once the new policy files and BoardConfig.mk updates are in place, the new 152 policy settings are automatically built into the final kernel policy file.</p> 153 154 <h2 id=use_cases>Use cases</h2> 155 156 <p>Here are specific examples of exploits to consider when crafting your own 157 software and associated SELinux policies:</p> 158 159 <p><strong>Symlinks</strong> - Because symlinks appear as files, they are often read just as that. This can 160 lead to exploits. For instance, some privileged components such as init change 161 the permissions of certain files, sometimes to be excessively open.</p> 162 163 <p>Attackers might then replace those files with symlinks to code they control, 164 allowing the attacker to overwrite arbitrary files. But if you know your 165 application will never traverse a symlink, you can prohibit it from doing so 166 with SELinux.</p> 167 168 <p><strong>System files</strong> - Consider the class of system files that should only be modified by the 169 system server. Still, since netd, init, and vold run as root, they can access 170 those system files. So if netd became compromised, it could compromise those 171 files and potentially the system server itself.</p> 172 173 <p>With SELinux, you can identify those files as system server data files. 174 Therefore, the only domain that has read/write access to them is system server. 175 Even if netd became compromised, it could not switch domains to the system 176 server domain and access those system files although it runs as root.</p> 177 178 <p><strong>App data</strong> - Another example is the class of functions that must run as root but should 179 not get to access app data. This is incredibly useful as wide-ranging 180 assertions can be made, such as certain domains unrelated to application data 181 being prohibited from accessing the internet.</p> 182 183 <p><strong>setattr</strong> - For commands such as chmod and chown, you could identify the set of files 184 where the associated domain can conduct setattr. Anything outside of that could 185 be prohibited from these changes, even by root. So an application might run 186 chmod and chown against those labeled app_data_files but not shell_data_files 187 or system_data_files.</p> 188 189 <h2 id=steps_in_detail>Steps in detail</h2> 190 191 <p>Here is a detailed view of how Android recommends you employ and customize 192 SELinux to protect your devices:</p> 193 194 <ol> 195 <li>Enable SELinux in the kernel: 196 <code>CONFIG_SECURITY_SELINUX=y</code> 197 <li>Change the kernel_cmdline parameter so that:<br/> 198 <pre class="devsite-click-to-copy"> 199 BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive 200 </pre> 201 <br/> 202 This is only for initial development of policy for the device. Once you have 203 an initial bootstrap policy, remove this parameter so that your device is 204 enforcing or it will fail CTS. 205 <li>Boot up the system in permissive and see what denials are encountered on boot:<br/> 206 On Ubuntu 14.04 or newer: 207 <br/> 208 <pre class="devsite-terminal devsite-click-to-copy"> 209 adb shell su -c dmesg | grep denied | audit2allow -p out/target/product/<var>BOARD</var>/root/sepolicy 210 </pre> 211 <br/> 212 On Ubuntu 12.04:<br/> 213 <pre class="devsite-terminal devsite-click-to-copy"> 214 adb shell su -c dmesg | grep denied | audit2allow 215 </pre> 216 <li>Evaluate the output. See <a href="validate.html">Validation</a> for instructions and tools. 217 <li>Identify devices, and other new files that need labeling. 218 <li>Use existing or new labels for your objects. 219 Look at the *_contexts files to 220 see how things were previously labeled and use knowledge of the label meanings 221 to assign a new one. Ideally, this will be an existing label which will fit 222 into policy, but sometimes a new label will be needed, and rules for access to 223 that label will be needed, as well. 224 <li>Identify domains/processes that should have their own security domains. A policy will likely need to be written for each of these from scratch. All services spawned from <code>init</code>, for instance, should have their own. The following commands help reveal those that remain running (but ALL services need such a treatment):<br/> 225 <pre class="devsite-terminal devsite-click-to-copy"> 226 adb shell su -c ps -Z | grep init 227 </pre> 228 <pre class="devsite-terminal devsite-click-to-copy"> 229 adb shell su -c dmesg | grep 'avc: ' 230 </pre> 231 <li>Review init.<device>.rc to identify any which are without a type. 232 These should 233 be given domains EARLY in order to avoid adding rules to init or otherwise 234 confusing <code>init</code> accesses with ones that are in their own policy. 235 <li>Set up <code>BOARD_CONFIG.mk</code> to use <code>BOARD_SEPOLICY_*</code> variables. See 236 the README in system/sepolicy for details on setting this up. 237 <li> Examine the init.<device>.rc and fstab.<device> file and make sure every use of mount 238 corresponds to a properly labeled filesystem or that a context= mount option is specified. 239 <li> Go through each denial and create SELinux policy to properly handle each. See 240 the examples within <a href="customize.html">Customization</a>. 241 </ol> 242 243 </body> 244 </html> 245
