
SELinux for Android 8.0
Changes & Customizations
Table of Contents
Overview 3
Design goals 3
About Android 8.0 architecture 4
About SELinux 5
SELinux for Android 7.x 6
SELinux source files 6
SELinux build logic 6
SELinux files 8
SELinux initialization 8
Android 8.0 SELinux design 8
First stage mount 8
SELinux contexts labeling 9
File contexts 9
Property contexts 9
Service contexts 10
Seapp contexts 11
MAC permissions 11
Object ownership and labeling 12
Type/attribute namespacing 12
System Property and process labeling ownership 12
File ownership 13
System (/system) 13
Vendor (/vendor) 13
Procfs (/proc) 14
08/16/2017 1

Debugfs (/sys/kernel/debug) 14
Tracefs (/sys/kernel/debug/tracing) 14
Sysfs (/sys) 14
tmpfs (/dev) 15
Rootfs (/) 15
Data (/data) 15
SELinux policy building and customization 15
Platform public sepolicy 15
Platform private sepolicy 16
Platform private mapping 16
Building SELinux policy 16
Policy compatibility 17
Compatibility attributes 18
Policy writability 19
Policy diffs 20
Platform upgrades 20
Same types 20
New types 21
Removed types 22
New class/permissions 24
Removed class/permissions 24
Vendor customization for new/relabeled types 24
Platform-public policy 25
Mapping to attribute chains 25
Version uprevs 25
Performance impact of multiple attributes 26
Customizing SEPolicy 26
Policy placement 26
Supported policy scenarios 27

vendor-image-only extensions 27
vendor-image support to work with AOSP 27
system-image-only extensions 27
vendor-image extensions that serve extended AOSP components 28
system-image extensions that access only AOSP interfaces 29
vendor-image extensions that serve new system components 29
Unsupported policy scenarios 29
Additional extensions to system-image that need permission to new vendor-image components after a framework-only OTA 29
© 2017 Google, Inc. All Rights Reserved. No express or implied warranties are provided for herein. All specifications are subject to
change and any expected future products, features or functionality will be provided on an if and when available basis.
Overview
This document describes SELinux changes and customizations designed to support
modularity and updatability of SELinux policy in Android 8.0. The goal of these changes is
to enable System on Chip (SoC) vendors and Original Device Manufacturer (ODM) partners
to customize SELinux settings in an isolated manner without cross-partition modifications.
Design goals
The SELinux policy build flow for Android 4.4 through Android 7.0 merged all sepolicy
fragments (platform and non-platform) and then generated monolithic files in the root
directory. This flow contradicts the primary goal of the Android 8.0 architecture,
which is to allow partners to update their parts of the policy, build their images
(vendor.img, boot.img, etc.), and then update those images independently of the platform, or
vice versa (i.e., perform a platform update without updating partner images).
Android 8.0 design goals are:
● Policy Modularization. In Android 4.4 through Android 7.0, most SELinux files resided
in rootfs, thus SoC vendors and the ODM partners modified boot.img (for non-A/B
devices) or system.img (for A/B devices) every time policy was modified. The Android
8.0 model provides a method for vendors and partners to change only their partitions
when they need to modify their portions of the SELinux policy.
● Policy Compatibility. On devices running Android 8.0, it is possible to upgrade the
platform image ahead of vendor/partner images; this can occur during an over-the-air
(OTA) update, such as a framework OTA.

While it is possible to have a higher/newer platform (framework) version running on the
device, the opposite case is not supported; i.e., the non-platform images
(vendor.img/odm.img) cannot be at a newer version than the platform (system.img). A
newer platform version might therefore introduce SELinux compatibility issues, because the
platform SELinux policy is at a newer version than the vendor/partner parts of the policy. The
Android 8.0 model provides a method to retain compatibility so that simultaneous OTAs of
both platform and vendor images are not required.
About Android 8.0 architecture
An Android device includes the following partitions:
Figure 1. Android partitions.
● system.img. Contains mainly Android framework.
● boot.img. (kernel/ramdisk) Contains Linux kernel + Android patches.
● vendor.img. Contains SoC-specific code and configurations.
● odm.img. Contains device-specific code and configurations.

● oem.img. Contains OEM/carrier-related configurations and customizations.
● bootloader. Brings up the kernel (vendor-proprietary).
● radio. Modem (proprietary).
Prior to Android 8.0, the vendor, odm, and oem images were optional; files belonging to
these images were placed in boot.img or system.img, with symlinks (such as /vendor ->
/system/vendor) created when the partition was absent. Android 8.0 makes the vendor partition mandatory.
The goal is to modularize Android partitions and make them interchangeable by defining a
core, standard interface between the Android Platform (on system.img) and
vendor-provided code. This standard interface enables the Android Platform to be updated
without affecting the SoC and ODM partitions. For example, it should be possible to
upgrade a device system.img from Android 8.0 to Android P while other images (such as
vendor.img, odm.img, etc.) remain at Android 8.0. This modularity enables timely
Android platform upgrades (such as monthly security updates) without requiring SoC/ODM
partners to update SoC- and device-specific code.
About SELinux
SELinux is a labeling system that controls the permissions (read/write, etc.) a subject
context has over a target object such as a directory, device, file, process, or socket.
(For an analogy, refer to Your visual how-to guide for SELinux policy enforcement.)
Each process and object has an associated label, which is also called a context. Contexts
consist of a user, a role, a type and a multi-level security (MLS) portion:
● The type of a process is often referred to as a domain and is defined in SELinux policy.
● The label of an object is usually decided by the corresponding security-contexts files.
SELinux policy also contains the rules that state how each domain may access each object.
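The context format and the domain/object distinction described above, as an added example that is not part of the original Google document: the parser below splits an Android context string into its user, role, type and MLS parts, treats role `r` as a process domain and `object_r` as an object label, and resolves service names against a constructed `service_contexts` sample in the one-name-one-context line format that file uses. The exact-name match with a `*` fallback is how this example models the lookup; that precedence is stated here as an assumption about libselinux, not something the page spells out.

```python
"""Parse Android SELinux contexts and resolve service labels.

Added example; not code from the original document or from AOSP. Context
format user:role:type:mls and the service_contexts line format follow the
page. The exact-match-then-'*' lookup is an assumption about how libselinux
resolves service_contexts. SAMPLE_SERVICE_CONTEXTS is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    mls: str  # sensitivity plus optional categories, e.g. "s0" or "s0:c512,c768"

    @property
    def is_domain(self) -> bool:
        # On Android, processes carry role "r"; objects carry "object_r".
        return self.role == "r"

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.mls}"


def parse_context(ctx: str) -> Context:
    """Split 'u:r:init:s0' or 'u:object_r:app_data_file:s0:c512,c768'.

    Only the first three ':' separate fields; the remainder is the MLS
    portion, because a category set itself contains ':' (e.g. 's0:c512').
    Android policy is built with MLS, so the MLS part is required.
    """
    parts = ctx.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"malformed context: {ctx!r}")
    user, role, type_, mls = parts
    return Context(user, role, type_, mls)


def parse_service_contexts(text: str) -> Dict[str, Context]:
    """Parse service_contexts text: one 'service_name context' pair per
    line; '#' comments and blank lines are ignored."""
    table: Dict[str, Context] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'name context', got {raw!r}")
        name, ctx = fields
        label = parse_context(ctx)
        if label.is_domain:
            # A service is an object; labeling it with a process domain is a policy bug.
            raise ValueError(f"line {lineno}: service {name!r} labeled with domain {label}")
        table[name] = label
    return table


def lookup_service(table: Dict[str, Context], name: str) -> Optional[Context]:
    """Exact service-name match, falling back to the '*' entry if present.
    (Assumption: mirrors libselinux's service_contexts lookup order.)"""
    if name in table:
        return table[name]
    return table.get("*")


# Constructed sample in the AOSP service_contexts line format.
SAMPLE_SERVICE_CONTEXTS = """\
# service_name            context
activity                  u:object_r:activity_service:s0
package                   u:object_r:package_service:s0
*                         u:object_r:default_android_service:s0
"""


if __name__ == "__main__":
    for raw in ("u:r:init:s0", "u:object_r:system_file:s0",
                "u:r:untrusted_app:s0:c512,c768"):
        c = parse_context(raw)
        kind = "domain" if c.is_domain else "object type"
        print(f"{raw}: type={c.type} ({kind}), mls={c.mls}")
    table = parse_service_contexts(SAMPLE_SERVICE_CONTEXTS)
    for svc in ("activity", "some_vendor_service"):
        print(f"service {svc!r} -> {lookup_service(table, svc)}")
```

Running the module shows `init` resolved as a domain, `system_file` as an object type, and a per-app category set carried intact in the MLS part; an unknown service name falls through to the `default_android_service` label, which is the same behaviour a policy author relies on when a new service has not yet been given its own type.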
In Android 4.4 through Android 7.0, the SELinux policy files (sepolicy, file_contexts.bin,
property_contexts, etc.) are included in the rootfs image as follows:
/
.
.
├── file_contexts.bin (file_contexts pre-N)
├── property_contexts
├── seapp_contexts
├── sepolicy
├── service_contexts
.
These files contain SELinux policy rules and labels from all development participants,
including ODM, SoC, and AOSP. In Android 8.0, these files are modular.