From 6fba509e5552238a81244b6971bc35353ca04369 Mon Sep 17 00:00:00 2001 From: Mark Hecomovich Date: Wed, 27 Jul 2016 13:36:58 -0700 Subject: Docs: Fix broken links to NSA site Bug: 30195435 Change-Id: I4147629e7b1e9978e7ebfd96a1169afcefa3b88b --- src/security/selinux/index.jd | 85 ++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 30 deletions(-) diff --git a/src/security/selinux/index.jd b/src/security/selinux/index.jd index 8745f8ef..f331a358 100644 --- a/src/security/selinux/index.jd +++ b/src/security/selinux/index.jd @@ -33,20 +33,27 @@ application at time of installation. Starting with Android 4.3, Security-Enhanced Linux (SELinux) is used to further define the boundaries of the Android application sandbox.

-

As part of the Android security model, Android uses SELinux to enforce mandatory access control (MAC) over all -processes, even processes running with root/superuser privileges (a.k.a. Linux -capabilities). SELinux enhances Android security by confining privileged -processes and automating security policy creation.

- -

Contributions to it have been made by a number of companies and organizations; -all Android code and contributors are publicly available for review on android.googlesource.com. With SELinux, Android can better protect and confine system services, control +

As part of the Android +security model, Android uses SELinux to enforce mandatory access control +(MAC) over all processes, even processes running with root/superuser privileges +(a.k.a. Linux capabilities). SELinux enhances Android security by confining +privileged processes and automating security policy creation.

+ +

Contributions to it have been made by a number +of companies and organizations; all Android code +and contributors are publicly available for review on android.googlesource.com. With +SELinux, Android can better protect and confine system services, control access to application data and system logs, reduce the effects of malicious software, and protect users from potential flaws in code on mobile devices.

-

Android includes SELinux in enforcing mode and a corresponding security policy -that works by default across the Android Open Source Project. In enforcing mode, illegitimate actions are prevented and all attempted -violations are logged by the kernel to dmesg and logcat. Android device manufacturers should gather information about errors so they -may refine their software and SELinux policies before enforcing them.

+

Android includes SELinux in enforcing mode and a +corresponding security policy that works by default across the Android Open Source Project. In +enforcing mode, illegitimate actions are prevented and all attempted violations +are logged by the kernel to dmesg and logcat. Android +device manufacturers should gather information about errors so they may +refine their software and SELinux policies before enforcing them.

Background

@@ -63,38 +70,56 @@ incremental application of SELinux to an ever-increasing portion of the system. Per-domain permissive mode also enables policy development for new services while keeping the rest of the system enforcing.

-

In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds -upon the permissive release of 4.3 and the partial enforcement of 4.4. In -short, Android is shifting from enforcement on a limited set of crucial domains -(installd, netd, vold and zygote) to everything (more than 60 domains). This means manufacturers will have to -better understand and scale their SELinux implementations to provide compatible -devices. Understand that:

+

In the Android 5.0 (L) release, Android moves to full enforcement of +SELinux. This builds upon the permissive release of 4.3 and the partial +enforcement of 4.4. In short, Android is shifting from enforcement on a +limited set of crucial domains (installd, netd, +vold and zygote) to everything (more than 60 +domains). This means manufacturers will have to better understand and scale +their SELinux implementations to provide compatible devices. Understand +that:

+

Supporting documentation

See the documentation below for details on constructing useful policies:

-

http://seandroid.bitbucket.org/PapersandPresentations.html

+

+http://seandroid.bitbucket.org/PapersandPresentations.html

-

https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid

+

+https://www.codeproject.com/Articles/806904/ +Android-Security-Customization-with-SEAndroid

-

https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf

+

+https://events.linuxfoundation.org/sites/events/files/slides/ +abs2014_seforandroid_smalley.pdf

-

https://www.internetsociety.org/sites/default/files/02_4.pdf

+

+https://www.internetsociety.org/sites/default/files/02_4.pdf

-

http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf

+

+http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf

-

http://selinuxproject.org/page/ObjectClassesPerms

+

+http://selinuxproject.org/page/ObjectClassesPerms

-

https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf

+

+https://www.nsa.gov/resources/everyone/digital-media-center/publications/ +research-papers/assets/files/ +implementing-selinux-as-linux-security-module-report.pdf

-

https://www.nsa.gov/research/_files/publications/selinux_configuring_policy.pdf

+

+https://www.nsa.gov/resources/everyone/digital-media-center/publications/ +research-papers/assets/files/configuring-selinux-policy-report.pdf

-

https://www.gnu.org/software/m4/manual/index.html

+

+https://www.gnu.org/software/m4/manual/index.html

-- cgit v1.2.3