From 6fba509e5552238a81244b6971bc35353ca04369 Mon Sep 17 00:00:00 2001
From: Mark Hecomovich
As part of the Android security model, Android uses SELinux to enforce mandatory access control (MAC) over all -processes, even processes running with root/superuser privileges (a.k.a. Linux -capabilities). SELinux enhances Android security by confining privileged -processes and automating security policy creation.
- -Contributions to it have been made by a number of companies and organizations; -all Android code and contributors are publicly available for review on android.googlesource.com. With SELinux, Android can better protect and confine system services, control +
As part of the Android +security model, Android uses SELinux to enforce mandatory access control +(MAC) over all processes, even processes running with root/superuser privileges +(a.k.a. Linux capabilities). SELinux enhances Android security by confining +privileged processes and automating security policy creation.
+ +Contributions to it have been made by a number +of companies and organizations; all Android code +and contributors are publicly available for review on android.googlesource.com. With +SELinux, Android can better protect and confine system services, control access to application data and system logs, reduce the effects of malicious software, and protect users from potential flaws in code on mobile devices.
-Android includes SELinux in enforcing mode and a corresponding security policy
-that works by default across the Android Open Source Project. In enforcing mode, illegitimate actions are prevented and all attempted
-violations are logged by the kernel to dmesg
and logcat
. Android device manufacturers should gather information about errors so they
-may refine their software and SELinux policies before enforcing them.
Android includes SELinux in enforcing mode and a
+corresponding security policy that works by default across the Android Open Source Project. In
+enforcing mode, illegitimate actions are prevented and all attempted violations
+are logged by the kernel to dmesg
and logcat
. Android
+device manufacturers should gather information about errors so they may
+refine their software and SELinux policies before enforcing them.
In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds
-upon the permissive release of 4.3 and the partial enforcement of 4.4. In
-short, Android is shifting from enforcement on a limited set of crucial domains
-(installd
, netd
, vold
and zygote
) to everything (more than 60 domains). This means manufacturers will have to
-better understand and scale their SELinux implementations to provide compatible
-devices. Understand that:
In the Android 5.0 (L) release, Android moves to full enforcement of
+SELinux. This builds upon the permissive release of 4.3 and the partial
+enforcement of 4.4. In short, Android is shifting from enforcement on a
+limited set of crucial domains (installd
, netd
,
+vold
and zygote
) to everything (more than 60
+domains). This means manufacturers will have to better understand and scale
+their SELinux implementations to provide compatible devices. Understand
+that:
init
should run in the init
domain
- init
should run in the
+init
domainSee the documentation below for details on constructing useful policies:
-http://seandroid.bitbucket.org/PapersandPresentations.html
++http://seandroid.bitbucket.org/PapersandPresentations.html
-https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid
++https://www.codeproject.com/Articles/806904/ +Android-Security-Customization-with-SEAndroid
-https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf
++https://events.linuxfoundation.org/sites/events/files/slides/ +abs2014_seforandroid_smalley.pdf
-https://www.internetsociety.org/sites/default/files/02_4.pdf
++https://www.internetsociety.org/sites/default/files/02_4.pdf
-http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf
++http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf
-http://selinuxproject.org/page/ObjectClassesPerms
++http://selinuxproject.org/page/ObjectClassesPerms
-https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf
+ -https://www.nsa.gov/research/_files/publications/selinux_configuring_policy.pdf
+ - + -- cgit v1.2.3