1page.title=Implementing SELinux
2@jd:body
3
4<!--
5    Copyright 2014 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23    </ol>
24  </div>
25</div>
26
27<p>SELinux is set up to default-deny, which means that every single access for
28which it has a hook in the kernel must be explicitly allowed by policy.  This
29means a policy file is comprised of a large amount of information regarding
30rules, types, classes, permissions, and more.  A full consideration of SELinux
31is out of the scope of this document, but an understanding of how to write
32policy rules is now essential when bringing up new Android devices. There is a
33great deal of information available regarding SELinux already. See <a
34href="{@docRoot}devices/tech/security/se-linux.html#supporting_documentation">Supporting
35documentation</a> for suggested resources.</p>
36
37<h2 id=summary_of_steps>Summary of steps</h2>
38
39<p>Here is a brief summary of the steps needed to implement SELinux on your
40Android device:</p>
41
42<ol>
43  <li>Add SELinux support in the kernel and configuration.
44  <li>Grant each service (process or daemon) started from <code>init</code> its own domain.
45  <li>Identify these services by:
46  <ul>
47    <li>Reviewing the init file and finding all services.
48    <li>Examining warnings in <code>dmesg</code>.
49    <li>Searching (<code>grep</code>) through processes to see which run in the init domain.
50  </ul>
51  <li>Label all new processes, drivers, sockets, etc.
52All objects need to be labeled
53properly to ensure they interact properly with the policies you apply. See the
54labels used in AOSP for examples to follow in label name creation.
55  <li>Institute security policies that fully cover all labels and restrict
56permissions to their absolute minimum.
57</ol>
58
59<p>Ideally, OEMs start with the policies in the AOSP and then build upon them for
60their own customizations.</p>
61
62<h2 id=key_files>Key files</h2>
63
64<p>SELinux for Android is accompanied by everything you need to enable SELinux
65now. You merely need to integrate the <a href="https://android.googlesource.com/kernel/common/">latest Android kernel</a> and then incorporate the files found in the <a href="https://android.googlesource.com/platform/external/sepolicy/">external/sepolicy</a> directory:</p>
66
67<p><a href="https://android.googlesource.com/kernel/common/">https://android.googlesource.com/kernel/common/ </a></p>
68
69<p><a href="https://android.googlesource.com/platform/external/sepolicy/">https://android.googlesource.com/platform/external/sepolicy/</a></p>
70
71<p>Those files when compiled comprise the SELinux kernel security policy and cover
72the upstream Android operating system. You should not need to modify the
73external/sepolicy files directly. Instead, add your own device-specific policy
74files within the /device/manufacturer/device-name/sepolicy directory.</p>
75
76<p>Here are the files you must create or edit in order to implement SELinux:</p>
77
78<ul>
79  <li><em>New SELinux policy source (*.te) files</em> - Located in the <root>/device/manufacturer/device-name/sepolicy directory. These files define domains and their labels. The new policy files get
80concatenated with the existing policy files during compilation into a single
81SELinux kernel policy file.
82<p class="caution"><strong>Important:</strong> Do not alter the app.te file provided by the Android Open Source Project.
83Doing so risks breaking all third-party applications.</p>
84  <li><em>Updated BoardConfig.mk makefile</em> - Located in the <device-name> directory containing the sepolicy subdirectory. It must be updated to reference the sepolicy subdirectory once created if it
85wasn’t in initial implementation.
86  <li><em>Updated *_contexts files</em> - Located in the sepolicy subdirectory. These label files and
87are managed in the userspace. As you create new policies, update these files to
88reference them. In order to apply new *_contexts, you must run <code>restorecon</code> on the file to be relabeled.
89</ul>
90
91<p>Then just update your BoardConfig.mk makefile - located in the directory
92containing the sepolicy subdirectory - to reference the sepolicy subdirectory
93and each policy file once created, as shown below. The BOARD_SEPOLICY variables
94and their meaning is documented in the external/sepolicy/README file.</p>
95
96<pre>
97BOARD_SEPOLICY_DIRS += \
98        &lt;root>/device/manufacturer/device-name/sepolicy
99
100BOARD_SEPOLICY_UNION += \
101        genfs_contexts \
102        file_contexts \
103        sepolicy.te
104</pre>
105
106<p>After rebuilding your device, it is enabled with SELinux. You can now either
107customize your SELinux policies to accommodate your own additions to the
108Android operating system as described in <a
109href="customize.html">Customization</a> or verify your existing setup as
110covered in <a href="validate.html">Validation</a>.</p>
111
112<p>Once the new policy files and BoardConfig.mk updates are in place, the new
113policy settings are automatically built into the final kernel policy file.</p>
114
115<h2 id=use_cases>Use cases</h2>
116
117<p>Here are specific examples of exploits to consider when crafting your own
118software and associated SELinux policies:</p>
119
120<p><strong>Symlinks</strong> - Because symlinks appear as files, they are often read just as that. This can
121lead to exploits. For instance, some privileged components such as init change
122the permissions of certain files, sometimes to be excessively open.</p>
123
124<p>Attackers might then replace those files with symlinks to code they control,
125allowing the attacker to overwrite arbitrary files. But if you know your
126application will never traverse a symlink, you can prohibit it from doing so
127with SELinux.</p>
128
129<p><strong>System files</strong> - Consider the class of system files that should only be modified by the
130system server. Still, since netd, init, and vold run as root, they can access
131those system files. So if netd became compromised, it could compromise those
132files and potentially the system server itself.</p>
133
134<p>With SELinux, you can identify those files as system server data files.
135Therefore, the only domain that has read/write access to them is system server.
136Even if netd became compromised, it could not switch domains to the system
137server domain and access those system files although it runs as root.</p>
138
139<p><strong>App data</strong> - Another example is the class of functions that must run as root but should
140not get to access app data. This is incredibly useful as wide-ranging
141assertions can be made, such as certain domains unrelated to application data
142being prohibited from accessing the internet.</p>
143
144<p><strong>setattr</strong> - For commands such as chmod and chown, you could identify the set of files
145where the associated domain can conduct setattr. Anything outside of that could
146be prohibited from these changes, even by root. So an application might run
147chmod and chown against those labeled app_data_files but not shell_data_files
148or system_data_files.</p>
149
150<h2 id=steps_in_detail>Steps in detail</h2>
151
152<p>Here is a detailed view of how Android recommends you employ and customize
153SELinux to protect your devices:</p>
154
155<ol>
156  <li>Enable SELinux in the kernel:
157<code>CONFIG_SECURITY_SELINUX=y</code>
158  <li>Change the kernel_cmdline parameter so that:<br/>
159<code>BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive</code>
160  <li>Boot up the system in permissive and see what denials are encountered on boot:<br/>
161<code>su -c dmesg | grep denied > ~/t.tmp su -c dmesg | grep denied | audit2allow</code>
162  <li>Evaluate the output. See <a href="validate.html">Validation</a> for instructions and tools.
163  <li>Identify devices, and other new files that need labeling.Identify devices, and
164other new files that need labeling.
165  <li>Use existing or new labels for your objects.
166Look at the *_contexts files to
167see how things were previously labeled and use knowledge of the label meanings
168to assign a new one. Ideally, this will be an existing label which will fit
169into policy, but sometimes a new label will be needed, and rules for access to
170that label will be needed, as well.
171  <li>Identify domains/processes that should have their own security domains. A policy will likely need to be written for each of these from scratch. All services spawned from <code>init</code>, for instance, should have their own. The following commands help reveal those that remain running (but ALL services need such a treatment):<br/>
172<code>$ adb shell su -c ps -Z | grep init</code><br/>
173<code>$ adb shell su -c dmesg | grep 'avc: '</code>
174  <li>Review init.<device>.rc to identify any which are without a type.
175These should
176be given domains EARLY in order to avoid adding rules to init or otherwise
177confusing <code>init</code> accesses with ones that are in their own policy.
178  <li>Set up <code>BOARD_CONFIG.mk</code> to use <code>BOARD_SEPOLICY_UNION</code> and <code>BOARD_SEPOLICY_DIRS</code>. See
179the README in /sepolicy for details on setting this up.
180  <li> Examine the init.&lt;device&gt;.rc file and make sure every use of “mount”
181corresponds to a properly labeled filesystem.
182  <li> Go through each denial and create SELinux policy to properly handle each. See
183the examples within <a href="customize.html">Customization</a>.
184</ol>
185