page.title=Security-Enhanced Linux in Android
@jd:body

<!--
    Copyright 2014 The Android Open Source Project

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<div id="qv-wrapper">
  <div id="qv">
    <h2>In this document</h2>
    <ol id="auto-toc">
    </ol>
  </div>
</div>

<h2 id=introduction>Introduction</h2>

<p>The Android security model is based in part on the concept of application
sandboxes. Each application runs in its own sandbox. Prior to Android 4.3,
these sandboxes were defined solely by discretionary access control: a unique
Linux UID was assigned to each application at install time. Starting with
Android 4.3, Security-Enhanced Linux (SELinux) is used to further define the
boundaries of the Android application sandbox.</p>

<p>As part of the Android <a href="{@docRoot}security/index.html">
security model</a>, Android uses SELinux to enforce mandatory access control
(MAC) over all processes, including processes running as root or holding
Linux capabilities. Unlike UID-based discretionary access control, MAC rules
cannot be bypassed or relaxed by the process they constrain. SELinux enhances
Android security by confining privileged processes and by expressing the
interactions permitted between processes and the resources they touch as an
explicit, reviewable policy.</p>

<p>Contributions to SELinux on Android have been made by a number of companies
and organizations; all Android code and contributors are publicly available
for review on <a href="https://android.googlesource.com/">android.googlesource.com</a>.
With SELinux, Android can better protect and confine system services, control
access to application data and system logs, reduce the effects of malicious
software, and protect users from potential flaws in code on mobile devices.</p>

<p>Android includes SELinux in enforcing mode and a corresponding security
policy that works by default across the <a href="https://android.googlesource.com/">
Android Open Source Project</a>. In enforcing mode, illegitimate actions are
prevented and every attempted violation is logged by the kernel as an
<code>avc: denied</code> record, visible in <code>dmesg</code> and
<code>logcat</code>. Android device manufacturers should gather these denials
and use them to refine their software and SELinux policies before switching
the affected domains to enforcing; a denial is a prompt to find out why the
access happened, not an instruction to add an allow rule.</p>

<h2 id=background>Background</h2>

<p>SELinux operates on the principle of default denial: anything that is not
explicitly allowed by policy is denied. SELinux can operate in one of two
global modes: permissive mode, in which permission denials are logged but not
enforced, and enforcing mode, in which denials are both logged and enforced.
SELinux also supports a per-domain permissive mode in which specific domains
(processes) can be made permissive while the rest of the system stays in
global enforcing mode. A domain is simply a label identifying a process or set
of processes in the security policy; all processes labeled with the same
domain are treated identically by the policy. Per-domain permissive mode
enables incremental application of SELinux to an ever-increasing portion of
the system, and it enables policy development for new services while keeping
the rest of the system enforcing. Note that a permissive domain is not
confined at all: its denials are recorded with <code>permissive=1</code>, but
the access proceeds.</p>

<p>In the Android 5.0 (L) release, Android moves to full enforcement of
SELinux. This builds upon the permissive release of 4.3 and the partial
enforcement of 4.4. In short, Android is shifting from enforcement on a
limited set of crucial domains (<code>installd</code>, <code>netd</code>,
<code>vold</code> and <code>zygote</code>) to everything (more than 60
domains). This means manufacturers will have to better understand and scale
their SELinux implementations to provide compatible devices. Understand
that:</p>

<ul>
<li>Everything is in enforcing mode in the 5.0 release.</li>
<li>No processes other than <code>init</code> should run in the
<code>init</code> domain.</li>
<li>Any denial involving a generic label (<code>block_device</code>,
<code>socket_device</code>, <code>default_service</code>, etc.) indicates
that a device-specific object or service has not been labeled: it needs its
own type, and the process accessing it needs its own domain, rather than an
allow rule on the generic label.</li>
</ul>
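
<p>The denial log described above is the raw material for policy work. The
following shell script is an added example, not code from the Android Open
Source Project: it parses <code>avc: denied</code> records in the layout the
kernel writes to <code>dmesg</code> and <code>logcat</code>, derives the allow
rule each denial would require (the same transformation
<code>audit2allow</code> performs), reports whether the denial was enforced or
merely logged because the domain was permissive, and flags denials against
generic labels such as <code>block_device</code> or
<code>default_service</code>, which call for a new type or domain rather than
an allow rule. The sample denial lines, the daemon name <code>mydaemon</code>
and the service name <code>com.vendor.foo</code> are constructed for this
example.</p>

```shell
#!/bin/sh
# Added example (not AOSP code): turn SELinux AVC denials into candidate allow
# rules and flag the ones that point at a missing device-specific label.
# The sample denials are constructed for this example; mydaemon and
# com.vendor.foo are hypothetical names.

# Generic AOSP labels. A denial whose target carries one of these means the
# object (or service) was never given its own type in file_contexts,
# service_contexts or property_contexts.
GENERIC_TYPES="device block_device socket_device default_service default_prop unlabeled"

# Three denials in the layout the kernel emits (visible via dmesg/logcat).
# The third carries permissive=1: its domain was permissive, so the access
# was logged but not blocked.
SAMPLE_DENIALS='type=1400 audit(1422367000.123:17): avc: denied { read write } for pid=1234 comm="mydaemon" name="foo" dev="tmpfs" ino=4567 scontext=u:r:mydaemon:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
type=1400 audit(1422367001.456:18): avc: denied { open } for pid=2345 comm="system_server" path="/data/misc/x" dev="mmcblk0p28" ino=999 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
type=1400 audit(1422367002.789:19): avc: denied { find } for service=com.vendor.foo pid=3456 uid=1000 scontext=u:r:mydaemon:s0 tcontext=u:object_r:default_service:s0 tclass=service_manager permissive=1'

# field NAME LINE: value of the "NAME=value" token in an audit record.
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type component of u:r:TYPE:s0 or u:object_r:TYPE:s0.
ctx_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# perms LINE: the permission set inside "denied { ... }".
perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# denial_to_rule LINE: the allow rule that would silence this denial (what
# audit2allow would emit). Whether it is the right fix is a separate
# question, answered by classify_denial.
denial_to_rule() {
  printf 'allow %s %s:%s { %s };\n' \
    "$(ctx_type "$(field scontext "$1")")" \
    "$(ctx_type "$(field tcontext "$1")")" \
    "$(field tclass "$1")" \
    "$(perms "$1")"
}

# is_generic TYPE: succeed when TYPE is one of the generic labels above.
is_generic() {
  for g in $GENERIC_TYPES; do
    [ "$1" = "$g" ] && return 0
  done
  return 1
}

# classify_denial LINE: "enforced" or "permissive", followed by
# "GENERIC:<type>" when the target type is a generic label, i.e. when the
# real fix is a new type (and a dedicated domain), not an allow rule.
classify_denial() {
  if [ "$(field permissive "$1")" = "1" ]; then
    verdict=permissive
  else
    verdict=enforced
  fi
  ttype=$(ctx_type "$(field tcontext "$1")")
  if is_generic "$ttype"; then
    printf '%s GENERIC:%s\n' "$verdict" "$ttype"
  else
    printf '%s\n' "$verdict"
  fi
}

# report: one candidate rule per denial, annotated with its classification.
# On a device, feed it real records instead:  adb shell dmesg | grep 'avc: denied'
report() {
  printf '%s\n' "$SAMPLE_DENIALS" | while IFS= read -r denial; do
    printf '%s  # %s\n' "$(denial_to_rule "$denial")" "$(classify_denial "$denial")"
  done
}

report
```

<p>The first sample denial illustrates the point made in the list above:
the generated rule <code>allow mydaemon block_device:blk_file { read write };</code>
would let <code>mydaemon</code> touch every block device that has no
specific label. The correct fix is a <code>file_contexts</code> entry giving
that device node its own type and a rule scoped to it. The third denial
shows why <code>permissive=1</code> matters: the access went through, so the
domain is still unconfined and this denial must be resolved before its
<code>permissive</code> declaration is removed.</p>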

<h2 id=supporting_documentation>Supporting documentation</h2>

<p>See the documentation below for details on constructing useful policies:</p>

<p><a href="http://seandroid.bitbucket.org/PapersandPresentations.html">
http://seandroid.bitbucket.org/PapersandPresentations.html</a></p>

<p><a href="https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid">
https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid</a></p>

<p><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf">
https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf</a></p>

<p><a href="https://www.internetsociety.org/sites/default/files/02_4.pdf">
https://www.internetsociety.org/sites/default/files/02_4.pdf</a></p>

<p><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf">
http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf</a></p>

<p><a href="http://selinuxproject.org/page/ObjectClassesPerms">
http://selinuxproject.org/page/ObjectClassesPerms</a></p>

<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf">
https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf</a></p>

<p><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf">
https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf</a></p>

<p><a href="https://www.gnu.org/software/m4/manual/index.html">
https://www.gnu.org/software/m4/manual/index.html</a></p>