STATIC.x

Kunal Dawn

Security-Enhanced Linux in Android

Leave a comment

SELinux operates on the ethos of default denial. Anything that is not explicitly allowed is denied. SELinux can operate in one of two global modes: permissive mode, in which permission denials are logged but not enforced, and enforcing mode, in which denials are both logged and enforced. SELinux also supports a per-domain permissive mode in which specific domains (processes) can be made permissive while placing the rest of the system in global enforcing mode. A domain is simply a label identifying a process or set of processes in the security policy, where all processes labeled with the same domain are treated identically by the security policy. Per-domain permissive mode enables incremental application of SELinux to an ever-increasing portion of the system. Per-domain permissive mode also enables policy development for new services while keeping the rest of the system enforcing.

In the Android 5.0 (L) release, Android moves to full enforcement of SELinux. This builds upon the permissive release of 4.3 and the partial enforcement of 4.4. In short, Android is shifting from enforcement on a limited set of crucial domains (installd, netd, vold and zygote) to everything (more than 60 domains). This means manufacturers will have to better understand and scale their SELinux implementations to provide compatible devices. Understand that:

  • Everything is in enforcing mode in the 5.0 release
  • No processes other than init should run in the init domain
  • Any generic denial (for a block_device, socket_device, default_service, etc.) indicates that device needs a special domain

See the documentation below for details on constructing useful policies:

http://seandroid.bitbucket.org/PapersandPresentations.html

https://www.codeproject.com/Articles/806904/Android-Security-Customization-with-SEAndroid

https://www.nsa.gov/research/_files/publications/implementing_selinux.pdf

https://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf

https://www.internetsociety.org/sites/default/files/02_4.pdf

https://www.gnu.org/software/m4/manual/index.html

http://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s