page.title=Customizing SELinux
@jd:body

<!--
    Copyright 2014 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
    </ol>
  </div>
</div>

<p>Once you've integrated this base level of functionality and thoroughly analyzed
the results, you may add your own policy settings to cover your customizations
to the Android operating system. Of course, these policies must still meet the
<a href="{@docRoot}compatibility/index.html">Android Compatibility program</a>
requirements and must not remove the default SELinux settings.</p>

<p>Manufacturers should not remove existing security settings. Otherwise, they
risk breaking the Android SELinux implementation and the applications it
governs, including third-party applications, which would then need to be
modified to become compliant and operational again. Applications must require no
modification to continue functioning on SELinux-enabled devices.</p>

<p>When embarking upon customizing SELinux, manufacturers should remember to:</p>

<ul>
  <li>Write SELinux policy for all new daemons
  <li>Use predefined domains whenever appropriate
  <li>Assign a domain to any process spawned as an <code>init</code> service
  <li>Become familiar with the macros before writing policy
  <li>Submit changes to core policy to AOSP
</ul>

<p>And not to:</p>

<ul>
  <li>Create incompatible policy
  <li>Allow end user policy customization
  <li>Allow MDM policy customizations
  <li>Scare users with policy violations
  <li>Add backdoors
</ul>

<p>See the <em>Kernel Security Features</em> section of the
<a href="{@docRoot}compatibility/android-cdd.pdf">Android Compatibility Definition document</a>
for specific requirements.</p>

<p>SELinux uses a whitelist approach, meaning all access must be explicitly
allowed in policy in order to be granted. Since Android's default SELinux
policy already supports the Android Open Source Project, OEMs are not required
to modify SELinux settings in any way. If they do customize SELinux settings,
they should take great care not to break existing applications. Here is how we
recommend proceeding:</p>

<ol>
  <li>Use the <a href="https://android.googlesource.com/kernel/common/">latest Android kernel</a>.
  <li>Adopt the <a href="http://en.wikipedia.org/wiki/Principle_of_least_privilege">principle of least privilege</a>.
  <li>Address only your own additions to Android. The default policy works with the
<a href="https://android.googlesource.com/">Android Open Source Project</a> codebase automatically.
  <li>Compartmentalize software components into modules that conduct singular tasks.
  <li>Create SELinux policies that isolate those tasks from unrelated functions.
  <li>Put those policies in *.te files (the extension for SELinux policy source
files) within the <code>/device/manufacturer/device-name/sepolicy</code> directory and use
<code>BOARD_SEPOLICY</code> variables to include them in your build.
  <li>Make new domains permissive initially. In Android 4.4 and earlier, this is done
using a permissive declaration. In later versions of Android, per-domain
permissive mode is specified using the <code>permissive_or_unconfined()</code> macro.
  <li>Analyze results and refine your domain definitions.
  <li>Remove the permissive declaration when no further denials appear in userdebug
builds.
</ol>

<p>Once integrated, OEM Android development should include a step to ensure
SELinux compatibility going forward. In an ideal software development process,
SELinux policy changes only when the software model changes and not the actual
implementation.</p>

<p>As device manufacturers begin to customize SELinux, they should first audit
their additions to Android. If they've added a component that conducts a new
function, the manufacturers will need to ensure the component meets the
security policy applied by Android, as well as any associated policy crafted by
the OEM, before turning on enforcing mode.</p>

<p>To prevent unnecessary issues, it is better to be overbroad and over-compatible
than too restrictive and incompatible, which results in broken device
functions. Conversely, if a manufacturer's changes will benefit others, it
should supply the modifications to the default SELinux policy as a
<a href="{@docRoot}source/submit-patches.html">patch</a>. If the patch is applied
to the default security policy, the manufacturer will no longer need to make
this change with each new Android release.</p>

<h2 id=example_policy_statements>Example policy statements</h2>

<p>First, note that Android's SELinux policy sources are processed with the
<a href="https://www.gnu.org/software/m4/manual/index.html">M4</a> macro language
and therefore support a variety of macros to save time.</p>

<p>In the following example, all domains are granted access to read or write to
<code>/dev/null</code> and read from <code>/dev/zero</code>.</p>

<pre>
# Allow read / write access to /dev/null
allow domain null_device:chr_file { getattr open read ioctl lock append write };

# Allow read-only access to /dev/zero
allow domain zero_device:chr_file { getattr open read ioctl lock };
</pre>

<p>This same statement can be written with SELinux <code>*_file_perms</code> macros (shorthand):</p>

<pre>
# Allow read / write access to /dev/null
allow domain null_device:chr_file rw_file_perms;

# Allow read-only access to /dev/zero
allow domain zero_device:chr_file r_file_perms;
</pre>

<h2 id=example_policy>Example policy</h2>

<p>Here is a complete example policy for DHCP, which we examine below:</p>

<pre>
type dhcp, domain;
permissive_or_unconfined(dhcp)
type dhcp_exec, exec_type, file_type;
type dhcp_data_file, file_type, data_file_type;

init_daemon_domain(dhcp)
net_domain(dhcp)

allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms;
allow dhcp self:netlink_route_socket { create_socket_perms nlmsg_write };
allow dhcp shell_exec:file rx_file_perms;
allow dhcp system_file:file rx_file_perms;
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net:file write;
allow dhcp system_prop:property_service set;
unix_socket_connect(dhcp, property, init)

type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;

allow dhcp netd:fd use;
allow dhcp netd:fifo_file rw_file_perms;
allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket
netlink_nflog_socket } { read write };
</pre>

<p>Let's dissect the example:</p>

<p>In the first line, the type declaration, the DHCP daemon inherits from the base
security policy (<code>domain</code>). From the previous statement examples, we know DHCP
can read from and write to <code>/dev/null</code>.</p>

<p>In the second line, DHCP is identified as an experimental domain
(<code>permissive_or_unconfined</code>) with only minimal rules enforced.</p>

<p>In the <code>init_daemon_domain(dhcp)</code> line, the policy states DHCP is spawned
from <code>init</code> and is allowed to communicate with it.</p>

<p>In the <code>net_domain(dhcp)</code> line, the policy allows DHCP to use common network
functionality from the <code>net</code> domain such as reading and writing TCP packets,
communicating over sockets, and conducting DNS requests.</p>

<p>In the line <code>allow dhcp proc_net:file write;</code>, the policy states DHCP can
write to specific files in <code>/proc</code>. This line demonstrates SELinux's
fine-grained file labeling. It uses the <code>proc_net</code> label to limit write access
to only the files under <code>/proc/sys/net</code>.</p>

<p>The final block of the example, starting with <code>allow dhcp netd:fd use;</code>,
depicts how applications may be allowed to interact with one another. The
policy says DHCP and netd may communicate with one another via file
descriptors, FIFO files, datagram sockets, and UNIX stream sockets. DHCP may
only read from and write to the datagram sockets and UNIX stream sockets, and
may not create or open them.</p>

<h2 id=available_controls>Available controls</h2>

<table>
  <tr>
    <td>
<p><strong>Object class</strong></p>
</td>
    <td>
<p><strong>Permissions</strong></p>
</td>
  </tr>
  <tr>
    <td>
<p>file</p>
</td>
    <td>
<pre>
ioctl read write create getattr setattr lock relabelfrom relabelto append
unlink link rename execute swapon quotaon mounton</pre>
</td>
  </tr>
  <tr>
    <td>
<p>directory</p>
</td>
    <td>
<pre>
add_name remove_name reparent search rmdir open audit_access execmod</pre>
</td>
  </tr>
  <tr>
    <td>
<p>socket</p>
</td>
    <td>
<pre>
ioctl read write create getattr setattr lock relabelfrom relabelto append bind
connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg
name_bind</pre>
</td>
  </tr>
  <tr>
    <td>
<p>filesystem</p>
</td>
    <td>
<pre>
mount remount unmount getattr relabelfrom relabelto transition associate
quotamod quotaget</pre>
    </td>
  </tr>
  <tr>
    <td>
<p>process</p>
    </td>
    <td>
<pre>
fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate
noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem
execstack execheap setkeycreate setsockcreate</pre>
</td>
  </tr>
  <tr>
    <td>
<p>security</p>
</td>
    <td>
<pre>
compute_av compute_create compute_member check_context load_policy
compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot
read_policy</pre>
</td>
  </tr>
  <tr>
    <td>
<p>capability</p>
</td>
    <td>
<pre>
chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap</pre>
</td>
  </tr>
  <tr>
    <td>
<p><strong>MORE</strong></p>
</td>
    <td>
<p><strong>AND MORE</strong></p>
</td>
  </tr>
</table>
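<p>The "make new domains permissive, analyze denials, refine, then enforce" workflow above is usually driven from the AVC denial lines a permissive domain leaves in the kernel log. The following Python script is an added example, not part of this page or of AOSP's tooling: it groups constructed sample denials for a hypothetical permissive <code>dhcp</code> domain into candidate <code>allow</code> rules and collapses a permission set into the <code>*_file_perms</code> shorthand when it matches the macro expansion shown in the example policy statements. The macro expansions are taken from this page; the sample log lines are constructed.</p>

```python
import re
from collections import defaultdict

# Macro expansions exactly as this page shows them (AOSP's global_macros may add more).
FILE_PERM_MACROS = {
    "rw_file_perms": {"getattr", "open", "read", "ioctl", "lock", "append", "write"},
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
}

# Fields of an AVC denial as printed by the kernel audit subsystem.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=u:r:(?P<sdom>[^:\s]+):s0.*?"
    r"tcontext=u:\w+:(?P<ttype>[^:\s]+):s0.*?"
    r"tclass=(?P<tclass>\S+)"
)

# Constructed sample log lines from a hypothetical permissive dhcp domain.
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:17): avc: denied { write } for pid=301 comm="dhcpcd" '
    'name="promote_secondaries" scontext=u:r:dhcp:s0 '
    'tcontext=u:object_r:proc_net:s0 tclass=file permissive=1',
    'type=1400 audit(0.0:18): avc: denied { read open getattr ioctl lock } for pid=301 '
    'comm="dhcpcd" path="/dev/zero" scontext=u:r:dhcp:s0 '
    'tcontext=u:object_r:zero_device:s0 tclass=chr_file permissive=1',
    'I/ServiceManager: unrelated log line with no denial',
]

def parse_denials(lines):
    """Group denied permissions by (source domain, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # skip anything that is not an AVC denial
            grouped[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return grouped

def perm_set_to_policy(perms):
    """Use a *_file_perms macro when the set matches it exactly, else spell it out."""
    for macro, expansion in FILE_PERM_MACROS.items():
        if perms == expansion:
            return macro
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def denials_to_rules(lines):
    """Candidate allow rules for a .te file. Review each against least privilege
    before adding it: a denial shows what was attempted, not what is required."""
    return [f"allow {sdom} {ttype}:{tclass} {perm_set_to_policy(perms)};"
            for (sdom, ttype, tclass), perms in sorted(parse_denials(lines).items())]
```

<p>An empty result from <code>denials_to_rules()</code> over a full userdebug log is the cue, from the procedure above, that the permissive declaration can be removed.</p>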