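<html devsite><head>
<title> SELinux</title>
<meta name="project_path" value="/_project.yaml">
<meta name="book_path" value="/_book.yaml">
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<!-- NOTE(review): most of the prose on this page, and some link text, appears
     to have been lost during extraction. Empty <p>, <li> and <a> elements are
     kept as found rather than reconstructed. The page is organised as: an
     introduction, example policy statements, an example DHCP policy, the
     table of available controls, and two neverallow rules. -->

<p> Android <a href="/compatibility/index.html">Android </a> SELinux </p>

<p> Android SELinux SELinux </p>

<p> SELinux </p>

<ul>
  <li> SELinux </li>
  <li></li>
  <li> <code>init</code> </li>
  <li></li>
  <li> AOSP </li>
</ul>

<p></p>

<ul>
  <li></li>
  <li></li>
  <li> MDM </li>
  <li></li>
  <li></li>
</ul>

<p><em></em> <a href="/compatibility/android-cdd.pdf">Android </a></p>

<p>SELinux Android SELinux Android (OEM) SELinux SELinux </p>

<ol>
  <li><a href="https://android.googlesource.com/kernel/common/"> Android </a></li>
  <li><a href="https://en.wikipedia.org/wiki/Principle_of_least_privilege"></a></li>
  <li> Android SELinux <a href="https://android.googlesource.com/">Android </a></li>
  <li></li>
  <li> SELinux </li>
  <li> <code>/device/manufacturer/device-name/sepolicy</code> *.te te SELinux <code>BOARD_SEPOLICY</code></li>
  <li> .te </li>
  <li></li>
  <li> userdebug </li>
</ol>

<p> (OEM) Android SELinux SELinux SELinux </p>

<p> SELinux Android Android (OEM) </p>

<p><a href="/source/submit-patches.html"></a> SELinux Android </p>

<h2 id="example_policy_statements"></h2>

<p>SELinux <a href="https://www.gnu.org/software/m4/manual/index.html">M4</a> </p>

<p> <code>/dev/null</code> <code>/dev/zero</code> </p>

<pre>
# Allow read / write access to /dev/null
allow domain null_device:chr_file { getattr open read ioctl lock append write};

# Allow read-only access to /dev/zero
allow domain zero_device:chr_file { getattr open read ioctl lock };
</pre>

<p> SELinux <code>*_file_perms</code> </p>

<pre>
# Allow read / write access to /dev/null
allow domain null_device:chr_file rw_file_perms;

# Allow read-only access to /dev/zero
allow domain zero_device:chr_file r_file_perms;
</pre>

<h2 id="example_policy"></h2>

<p> DHCP </p>

<!-- NOTE(review): the example below declares "permissive dhcp;", which places
     the domain in permissive (log-only) mode instead of enforcing its rules.
     Confirm that this is intended only for bring-up and does not carry over
     into a shipping policy. -->
<pre>
type dhcp, domain;
permissive dhcp;
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;

init_daemon_domain(dhcp)
net_domain(dhcp)

allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service
};
allow dhcp self:packet_socket create_socket_perms;
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set ;
unix_socket_connect(dhcp, property, init)

type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;

allow dhcp netd:fd use;
allow dhcp netd:fifo_file rw_file_perms;
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket
netlink_nflog_socket } { read write };
</pre>

<p></p>

<p> DHCP (<code>domain</code>) DHCP <code>/dev/null</code>. </p>

<p>DHCP </p>

<p> <code>init_daemon_domain(dhcp)</code> DHCP <code>init</code> </p>

<p> <code>net_domain(dhcp)</code> DHCP <code>net</code> TCP DNS </p>

<p> <code>allow dhcp proc_net:file write;</code> DHCP <code>/proc</code> SELinux <code>proc_net</code> DHCP <code>/proc/sys/net</code> </p>

<p> <code>allow dhcp netd:fd use;</code> DHCP netd FIFO UNIX DHCP UNIX </p>

<h2 id="available_controls"></h2>

<!-- NOTE(review): the row-label cells of this table were empty after
     extraction; the permission lists in the right-hand column are kept
     verbatim, including the leading blank line inside each <pre>. -->
<table>
  <thead>
    <tr>
      <th scope="col"></th>
      <th scope="col"></th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

ioctl read write create getattr setattr lock relabelfrom relabelto append
unlink link rename execute swapon quotaon mounton</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

add_name remove_name reparent search rmdir open audit_access execmod</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

ioctl read write create getattr setattr lock relabelfrom relabelto append bind
connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg
name_bind</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

mount remount unmount getattr relabelfrom relabelto transition associate
quotamod quotaget</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem
execstack execheap setkeycreate setsockcreate</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

compute_av compute_create compute_member check_context load_policy
compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot
read_policy</pre>
      </td>
    </tr>
    <tr>
      <th scope="row"></th>
      <td>
<pre>

chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap</pre>
      </td>
    </tr>
    <tr>
      <td><p><strong></strong></p></td>
      <td><p><strong></strong></p></td>
    </tr>
  </tbody>
</table>

<h2 id="neverallow">neverallow </h2>

<p>SELinux <code>neverallow</code> <a href="/compatibility/index.html"></a> SELinux <code>neverallow</code> </p>

<p> <code>neverallow</code> Android 5.1 </p>

<!-- NOTE(review): the "48" and "76" preceding the two rules below appear to be
     line-number references whose surrounding text was stripped. The first rule
     withholds the sys_ptrace capability from every domain except the listed
     exemptions; the second forbids executing files that are neither
     system_file nor exec_type, again except for the listed domains. -->
<p> 48<code>neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;</code><br> <code>ptrace</code> <code>sys_ptrace</code> <code>ptrace</code> </p>

<p> 76<code>neverallow { domain -appdomain -dumpstate -shell -system_server -zygote } { file_type -system_file -exec_type }:file execute;</code><br> <code>/system</code> <code>neverallow</code> <code>/system</code> </p>

</body></html>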