path: root/en/security/selinux/index.html
blob: e5ad9a12a32d58df6004ea7b15e462c357ca8af1 (plain)
<html devsite>
  <head>
    <title>Security-Enhanced Linux in Android</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->


<p>The Android security model is based in part on the concept of application
sandboxes. Each application runs in its own sandbox. Prior to Android 4.3,
these sandboxes were defined by the creation of a unique Linux UID for each
application at time of installation. Starting with Android 4.3,
Security-Enhanced Linux (SELinux) is used to further define the boundaries of
the Android application sandbox.</p>

<aside class="note"><strong>Note:</strong> For details on Android 8.0 SELinux,
see <a href="/security/selinux/images/SELinux_Treble.pdf">SELinux for Android
8.0</a>.</aside>

<p>As part of the Android <a href="/security/index.html">
security model</a>, Android uses SELinux to enforce mandatory access control
(MAC) over all processes, even processes running with root/superuser privileges
(a.k.a. Linux capabilities). SELinux enhances Android security by confining
privileged processes and automating security policy creation.</p>

<p>Many companies and organizations have contributed to SELinux; their
contributions are publicly available for review on
<a href="https://android.googlesource.com/" class="external">android.googlesource.com</a>,
aka the Android Open Source Project (AOSP). With SELinux, Android can better
protect and confine system services, control access to application data and
system logs, reduce the effects of malicious software, and protect users from
potential flaws in code on mobile devices.</p>

<p>Android includes SELinux in enforcing mode and a corresponding security
policy that works by default across AOSP. In enforcing mode, illegitimate
actions are prevented and all attempted violations are logged by the kernel to
<code>dmesg</code> and <code>logcat</code>. Android device manufacturers should
gather information about errors so they may refine their software and SELinux
policies before enforcing them.</p>

<h2 id=background>Background</h2>
<p>SELinux operates on the ethos of default denial: Anything not explicitly
allowed is denied. SELinux can operate in one of two global modes:</p>
<ul>
<li><em>Permissive</em> mode, in which permission denials are logged but not
enforced.</li>
<li><em>Enforcing</em> mode, in which permission denials are both logged
<strong>and</strong> enforced.</li>
</ul>

<p>SELinux also supports a <em>per-domain permissive</em> mode in which specific
domains (processes) can be made permissive while placing the rest of the system
in global enforcing mode. A domain is simply a label identifying a process or set
of processes in the security policy, where all processes labeled with the same
domain are treated identically by the security policy. Per-domain permissive
mode enables incremental application of SELinux to an ever-increasing portion of
the system and policy development for new services (while keeping the rest of
the system enforcing).</p>

<p>The Android 5.0 release moved to full enforcement of SELinux, building on the
permissive release of Android 4.3 and the partial enforcement of Android 4.4.
With this change, Android shifted from enforcement on a limited set of crucial
domains (<code>installd</code>, <code>netd</code>, <code>vold</code> and
<code>zygote</code>) to everything (more than 60 domains). Specifically:</p>

<ul>
<li>Everything is in enforcing mode in Android 5.x and higher.</li>
<li>No processes other than <code>init</code> should run in the
<code>init</code> domain.</li>
<li>Any generic denial (for a <code>block_device</code>,
<code>socket_device</code>, <code>default_service</code>, etc.) indicates that
the device needs a special domain.</li>
</ul>
<p>As a result, manufacturers need to better understand and scale their SELinux
implementations to provide compatible devices.</p>
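<p>As an added example (not code from this AOSP page), the following Python
script parses the kernel's <code>avc: denied</code> messages as they appear in
<code>dmesg</code> or <code>logcat</code> and sorts them into the buckets the
bullets above describe: denials against the generic types the page names
(<code>block_device</code>, <code>socket_device</code>,
<code>default_service</code>), which signal that the object needs its own type;
processes other than <code>init</code> found in the <code>init</code> domain;
and denials carrying <code>permissive=1</code>, which were only logged because
the source domain is still per-domain permissive rather than enforcing. The log
lines embedded in the script are constructed samples, not output captured from
a device.</p>

```python
"""Triage SELinux AVC denials from Android dmesg/logcat output.

Added example, not part of the AOSP documentation.  SAMPLE_LOG is constructed
for illustration; only the field names follow the kernel's AVC message format.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the kernel AVC format (not captured from a device).
SAMPLE_LOG = """\
type=1400 audit(0.0:101): avc: denied { read write } for comm="mediaserver" name="mmcblk0p1" dev="tmpfs" ino=1234 scontext=u:r:mediaserver:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:102): avc: denied { connectto } for comm="vendor_daemon" path="/dev/socket/vendor" scontext=u:r:vendor_daemon:s0 tcontext=u:object_r:socket_device:s0 tclass=unix_stream_socket permissive=1
type=1400 audit(0.0:103): avc: denied { find } for service=vendor.foo scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:default_service:s0 tclass=service_manager permissive=0
type=1400 audit(0.0:104): avc: denied { execute } for comm="sh" name="busybox" scontext=u:r:init:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

# Generic target types named on the page: a denial against one of these means the
# object should be given a specific type, not that the source should be granted access.
GENERIC_TARGET_TYPES = {"block_device", "socket_device", "default_service"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


@dataclass
class Denial:
    perms: Tuple[str, ...]
    comm: Optional[str]       # kernel task name, absent for e.g. service_manager denials
    source_domain: str        # third field of u:r:<domain>:s0
    target_type: str          # third field of u:object_r:<type>:s0
    tclass: str
    enforced: bool            # permissive=0 means the kernel actually blocked the access


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm"),
        source_domain=fields["scontext"].split(":")[2],
        target_type=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        enforced=fields.get("permissive", "0") == "0",
    )


def parse_log(log_text: str) -> List[Denial]:
    """Parse every AVC denial in a block of log output, skipping other lines."""
    return [d for d in (parse_denial(ln) for ln in log_text.splitlines()) if d]


def triage(log_text: str) -> Dict[str, object]:
    """Group denials into the buckets a policy author acts on."""
    report: Dict[str, object] = {
        "needs_special_domain": [],  # (source, generic target type, class)
        "init_domain": [],           # comm of non-init processes in the init domain
        "permissive_only": [],       # source domains whose denials were logged, not enforced
        "per_domain": Counter(),     # denial count per source domain
    }
    for d in parse_log(log_text):
        report["per_domain"][d.source_domain] += 1
        if d.target_type in GENERIC_TARGET_TYPES:
            report["needs_special_domain"].append((d.source_domain, d.target_type, d.tclass))
        # comm is the kernel's short task name, so this check is a heuristic.
        if d.source_domain == "init" and d.comm != "init":
            report["init_domain"].append(d.comm)
        if not d.enforced:
            report["permissive_only"].append(d.source_domain)
    return report


if __name__ == "__main__":
    # Read real output from stdin when piped (e.g. adb logcat -b all -d), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    rep = triage(text)
    for src, tgt, cls in rep["needs_special_domain"]:
        print(f"{src} -> {tgt} ({cls}): generic target type, define a specific one")
    for comm in rep["init_domain"]:
        print(f"comm={comm!r} runs in the init domain; only init should")
    for src in rep["permissive_only"]:
        print(f"{src}: denial logged but not enforced (domain still permissive)")
    for dom, n in rep["per_domain"].most_common():
        print(f"{n:4d} denial(s) from {dom}")
```

<p>Reading the report in the order the page suggests matters: a denial against
a generic type is a labelling gap to fix in the policy's file or service
contexts, not an <code>allow</code> rule to add, and a domain that still shows
<code>permissive=1</code> denials has not yet been moved into enforcing
mode.</p>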

<h2 id=supporting_documentation>Additional resources</h2>

<p>For help constructing useful SELinux policies, refer to the following
resources:</p>

<ul><li><a href="https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf" class="external">
Security Enhancements for Linux</a></li>

<li><a href="http://www.cs.columbia.edu/~lierranli/coms6998-7Spring2014/papers/SEAndroid-NDSS2013.pdf" class="external">
Security Enhanced (SE) Android: Bringing Flexible MAC to Android</a></li>

<li><a href="http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf" class="external">
The SELinux Notebook, 4th Edition</a></li>

<li><a href="http://selinuxproject.org/page/ObjectClassesPerms" class="external">
SELinux Object Classes and Permissions Reference</a></li>

<li><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/implementing-selinux-as-linux-security-module-report.pdf" class="external">
Implementing SELinux as a Linux Security Module</a></li>

<li><a href="https://www.nsa.gov/resources/everyone/digital-media-center/publications/research-papers/assets/files/configuring-selinux-policy-report.pdf" class="external">
Configuring the SELinux Policy</a></li>

<li><a href="https://www.gnu.org/software/m4/manual/index.html" class="external">
GNU M4 - GNU Macro Processor Manual</a></li>
</ul>

  </body>
</html>