Updating not android setsummary the
SELinux is set up to default-deny, which means that every single access for which it has a hook in the kernel must be explicitly allowed by policy. This means a policy file is comprised of a large amount of information regarding rules, types, classes, permissions, and more. A full consideration of SELinux is out of the scope of this document, but an understanding of how to write policy rules is now essential when bringing up new Android devices. There is a great deal of information available regarding SELinux already. See Supporting documentation for suggested resources.Note: For details on implementing SELinux in Android 8.0, see SELinux for Android 8.0.
Summary of steps
Here is a brief summary of the steps needed to implement SELinux on your Android device:
- Add SELinux support in the kernel and configuration.
- Grant each service (process or daemon) started from its own domain.
- Identify these services by:
- Reviewing the init.<device>.rc file and finding all services.
- Examining warnings of the form init: Warning! Service name needs a SELinux domain defined; please fix! in output.
- Checking output to see which services are running in the init domain.
- Label all new processes, drivers, sockets, etc. All objects need to be labeled properly to ensure they interact properly with the policies you apply. See the labels used in AOSP for examples to follow in label name creation.
- Institute security policies that fully cover all labels and restrict permissions to their absolute minimum.
Ideally, OEMs start with the policies in the AOSP and then build upon them for their own customizations.
SELinux for Android is accompanied by everything you need to enable SELinux now. You merely need to integrate the latest Android kernel and then incorporate the files found in the system/sepolicy directory:
Those files when compiled comprise the SELinux kernel security policy and cover the upstream Android operating system. You should not need to modify the system/sepolicy files directly. Instead, add your own device-specific policy files within the /device/manufacturer/device-name/sepolicy directory.
Here are the files you must create or edit in order to implement SELinux:
- New SELinux policy source (*.te) files - Located in the
Then just update your BoardConfig.mk makefile - located in the directory containing the sepolicy subdirectory - to reference the sepolicy subdirectory and each policy file once created, as shown below. The BOARD_SEPOLICY variables and their meaning is documented in the system/sepolicy/README file.BOARD_SEPOLICY_DIRS += \ <root>/device/manufacturer/device-name/sepolicy BOARD_SEPOLICY_UNION += \ genfs_contexts \ file_contexts \ sepolicy.te
Note: As of the M release, BOARD_SEPOLICY_UNION is no longer required as all policy files found within any directory included in the BOARD_SEPOLICY_DIRS variable are joined with the base policy automatically.
After rebuilding your device, it is enabled with SELinux. You can now either customize your SELinux policies to accommodate your own additions to the Android operating system as described in Customization or verify your existing setup as covered in Validation.
Once the new policy files and BoardConfig.mk updates are in place, the new policy settings are automatically built into the final kernel policy file.
Here are specific examples of exploits to consider when crafting your own software and associated SELinux policies:
Symlinks - Because symlinks appear as files, they are often read just as that. This can lead to exploits. For instance, some privileged components such as init change the permissions of certain files, sometimes to be excessively open.
Attackers might then replace those files with symlinks to code they control, allowing the attacker to overwrite arbitrary files. But if you know your application will never traverse a symlink, you can prohibit it from doing so with SELinux.
System files - Consider the class of system files that should only be modified by the system server. Still, since netd, init, and vold run as root, they can access those system files. So if netd became compromised, it could compromise those files and potentially the system server itself.
With SELinux, you can identify those files as system server data files. Therefore, the only domain that has read/write access to them is system server. Even if netd became compromised, it could not switch domains to the system server domain and access those system files although it runs as root.
App data - Another example is the class of functions that must run as root but should not get to access app data. This is incredibly useful as wide-ranging assertions can be made, such as certain domains unrelated to application data being prohibited from accessing the internet.
setattr - For commands such as chmod and chown, you could identify the set of files where the associated domain can conduct setattr. Anything outside of that could be prohibited from these changes, even by root. So an application might run chmod and chown against those labeled app_data_files but not shell_data_files or system_data_files.
Steps in detail
Here is a detailed view of how Android recommends you employ and customize SELinux to protect your devices:
- Enable SELinux in the kernel:
- Change the kernel_cmdline parameter so that:
BOARD_KERNEL_CMDLINE := androidboot.selinux=permissive
This is only for initial development of policy for the device. Once you have an initial bootstrap policy, remove this parameter so that your device is enforcing or it will fail CTS.
- Boot up the system in permissive and see what denials are encountered on boot:
On Ubuntu 14.04 or newer:
adb shell su -c dmesg | grep denied | audit2allow -p out/target/product//root/sepolicy
On Ubuntu 12.04:
adb shell su -c dmesg | grep denied | audit2allow
- Evaluate the output. See Validation for instructions and tools.
- Identify devices, and other new files that need labeling.
- Use existing or new labels for your objects. Look at the *_contexts files to see how things were previously labeled and use knowledge of the label meanings to assign a new one. Ideally, this will be an existing label which will fit into policy, but sometimes a new label will be needed, and rules for access to that label will be needed, as well.
- Identify domains/processes that should have their own security domains. A policy will likely need to be written for each of these from scratch. All services spawned from , for instance, should have their own. The following commands help reveal those that remain running (but ALL services need such a treatment):
adb shell su -c ps -Z | grep init adb shell su -c dmesg | grep 'avc: '
- Review init.<device>.rc to identify any which are without a type. These should be given domains EARLY in order to avoid adding rules to init or otherwise confusing accesses with ones that are in their own policy.
- Set up to use variables. See the README in system/sepolicy for details on setting this up.
- Examine the init.<device>.rc and fstab.<device> file and make sure every use of “mount” corresponds to a properly labeled filesystem or that a context= mount option is specified.
- Go through each denial and create SELinux policy to properly handle each. See the examples within Customization.