This Week In CyanogenMod

Week Ending: July 19, 2013 – Special SELinux Edition

“This Week in CyanogenMod” is an ongoing feature that aims to serve as a one-stop shop for weekly updates. Topics discussed are culled from our social media accounts, gerrit, status updates and general thoughts.

 This week was about all SELinux and adjusting our source to accommodate it.

What is SELinux?

The project’s official description reads “SELinux is a security enhancement to Linux which allows users and administrators more control over access control.”

SELinux is a set of Open sourced and peer reviewed changes to the core Android Software stack to help prevent apps from performing malicious activities. This is done by establishing a set of policies that act as mandatory access controls (MAC). Depending on the policy, it can do things such as prevent apps from running or accessing specific data, to preventing root access altogether.

SELinux has wide-scale adoption throughout the linux landscape, with Fedora, Red Hat and others incorporating policies to better the system security. The default policies are usually written per distribution, by their maintainers – we have begun this process for CyanogenMod.

We will be working on this policy creation in parallel to Google’s own policies for Android, which we believe will be released with the Android 4.3 source; effectively getting us ahead of the eventual 4.3 source release. As this process is open source, policy creation and suggestions will be handled via our gerrit instance.

What it’s not?

SELinux is not a backdoor for government agencies to spy on you. It is not PRISM, PROMIS, CARNIVORE, The Great Firewall or any other ominous Big Brother-like initiative.

Access Control Modes

By default, we will be shipping with SELinux capabilities enabled in the kernel, but in a Permissive mode. What this means is that your phone will behave exactly as it currently does, with no noticeable change to the user.

There are 3 modes in total, Enforcing, Permissive and Disabled. While in Enforcing mode, SELinux policies are enforced, preventing whatever causes a violation (ie su). Permissive mode logs policy violations, but does not prevent the activity that caused it. Disabled turns SELinux off.

We are using Permissive mode as our default so we can come up with sensible policies. If you submit a log for us to analyze (via JIRA) for SELinux policy improvements, the logged exceptions will be of high value.

This will be an ongoing process as we work to incorporate sensible policies for each device repo. As always our source is available on Github and patches will be peer reviewed via gerrit. For those more attuned to personal data security, you are welcome to watch and audit our efforts. For the rest of you, sit back and relax – no need for pitchforks.

Got a suggestion for a topic you’d like to see in the next round-up? Let us know in the comments below. All device/port requests will be ignored.

  • Paul Curtis

    Great work :) I wondered what all the SELinux changes were in the latest nightly builds, and if they had anything to do with 4.3. Thanks.

  • Matthew Smith

    I’ve installed several versions of Fedora which have SELinux enabled. It’s always a PITA and the only solution is to turn it off at boot time. The latest problem (in Fedora 19) was that filesystems wouldn’t mount with it. On previous occasions it kept giving me access alerts. I really hope we don’t find that happening with CM – let’s not let the best Android distro end up like the worst major Linux distro.

  • Brett Daugherty

    CM – Looking out for the security of its users. Donated.

  • Evan Reichard

    “… let’s not let the best Android distro end up like the worst major Linux distro.”

    If you actually read the post you’d see that it’s not enforcing by default; it’s only in permissive mode which “logs”, not alerts.

  • manicpop

    Hopefully some bugs in Fedora’s SELinux policies have not turned you off to SELinux as a whole. While I can’t speak to any filesystem issues, the biggest problem with SELinux on desktop Linux is that not all applications you install want to do things “the right way.” If you want the extra security that SELinux provides, learning how to write policies and set exceptions is the way to go. If you’re not using your system as a server or for critical stuff, you might as well turn it off or set it to permissive (so you can see what it’s complaining about but it won’t stop anything).

    Don’t worry about CM implementing SELinux especially if it’s running in permissive mode — it won’t cause the end user any problems. It will allow developers to find out what kind of issues running it in enforcing more would cause, and to correct them.

  • Ethan Cottier

    Does this mean one could run the Barclay’s ping it app without having to flash stock unrooted?

  • Jodå

    I just hope Google does it in a similar way so that root access is not impossible on stock rom starting from 4.3…

  • lcf

    Not 100% sure about that. If some specific application needs more control, then maybe just new well-defined app. privileges should be created. There are “eng” type builds, where you can do what you want, but easily accessible root on “user” builds giving full control over the system in production software may leave many normal end-users defenseless against malicious apps.

  • Jodå

    Does many normal end-users root their phone? 😉 Most people don’t. Most people don’t even know what root is. I think they should leave it the way it is. I would be very disappointed with Google if they more or less would block root in stock roms.

  • Dave S

    Very interesting. Are you guys really going to enable “plain” SELinux or you’re looking into taking advantage of the work already done by SEAndroid project?

    Several changes have been made there to original SELinux implementation. Plus new concept of MMAC (Middleware MAC) were introduced at the Android level

  • rootarded

    Embracing NSA made SELinux is pretty stupid.

  • Chris Gruel

    Isn’t that exactly what they would say if it was specifically for PRISM? 😉

  • Mikael Arhelger

    Any chance to have a stable release on GT-I9070 soon?

  • Brian Oswald

    Thank you for everything, CM team!

  • Christopher Williamson

    It’s completely open source – the code is available making it completely impossible to be a ‘backdoor’ in to your phone, etc. since we would all know about it! :)

  • Scott Dowdle

    SELinux has been working fine in Fedora for several years and twice as many releases. Turning it off is not a “solution” nor is it the “only” thing. Get a clue. If you have valid policy bugs, please provide the bugzilla id. I’d say Fedora is the best distro but I don’t expect everyone to agree with me. :)

  • Scott Dowdle

    Ok, and if I understand correctly, CM is adopting SELinux because Google appears to be.

  • rootarded

    And thats a reply from someone who obviously dont know sh*t. They can include innocent looking code that they know how to easily exploit. All exploits are not known and documented. I would be willing to bet the NSA has a group of people who do nothing but exploit services.

  • Christopher Williamson

    There goes a reply from someone who suffers from extreme paranoia. I’m actually a senior software developer and system engineer – if it hasn’t been discovered by now on the back of this ‘PRISM’ nonsense, it isn’t there. Wake up and smell the coffee.

  • Soothsayerer

    Since we know with certainty it is not impossible to expliot innocent flaws in open source code I find it impossible to understand why one would choose to believe an intentionally planted flaw could not also go unnoticed and later be explioted. At the end of the day any intentional capabilities the NSA might possess have the same consequences as innocent flaws in our software stacks. If they were ever to use the capability it is degraded and lost. You have to be a very high value target for them to waste such capabilities on you.

  • Jan Visser

    “All device/port requests will be ignored.”

  • Mikael Arhelger

    Figured. That is why I went back to stock firmware anyway.

  • Simon Lindgren

    What do you mean by “Embracing NSA”?

    Because that wording makes it seem like you don’t know what you’re talking about 😉

  • Simon Lindgren

    It should not give you these problems in a default install. If so, that is a bug. File it so it can be fixed (sadly, fixing bugs is not Fedoras forte…)

    If you get this because you are mucking about and changing things, it’s your own fault and you need to learn how to administer and adapt an SELinux system. Pretty much the same as you’d have to make sure the discretionary access controls (the classic user, group, others permissions) are set up correctly. SELinux is a little less forgiving since the default is to reject access.

    That said – SELinux has quite a few advanced concepts and is not that easy to learn. It could be that for you the appropriate thing actually is to disable it (or at least put it in permissive mode). But for something like Cyanogenmod, where the base system should pretty much be what the devs decide, these issues should be minimal.

  • Matthew Smith

    I didn’t change anything about the SELinux settings when I installed Fedora. The problems began from the word go, both with my root filesystem (which was newly formatted) and my home partition (which was carried over from a previous Linux install).

  • Gordon Freeman

    I want to tell you on behalf of the whole CM community how sad we all are that you went back to stock firmware. It will never be the same without you Mikael.

  • Mikael Arhelger

    Oh, how kind your words are :) I’ll be back!

  • Jules Kondo

    Word up guys! This is the true power of community driven progress. Great work!

  • insink71

    I believe ASOP uses DAC or discretionary access control [in lieu of MAC addressed in this blog].. to a point.. they run it through zygote, and if a process is untrusted the zygote takes over. Interesting CM will be using MAC. This is a more secure practice though; so, I applaud.

  • strauzo

    Users want root. An OS without root will die , specially an OS like Android that is used for Entertainment. The real implementation of stuff like Selinux, is not for security reason, but is adopted by google to try to take back the control of Android and sell their services. Users with root not like to buy everything. This is the real reason.

  • Jonnie Grund

    Prism nonsense?, the NSA forming a group with software vendors, service providers isn’t nonsense. Or, you are one of those oh, its just rumors or we’re conspiracy theorists. Almost every major world event road on the back of a conspiracy theory and labeling people conspiracy theorists is a tact to get the general public who don’t know anything besides what football games are on this weekend to look the other way. I on the other hand care when my ax dollars are being used to fund an organization that constitutionally doesn’t have the right to exist and formally under U. S. law they officially don’t exist. PRISM and a dozen other programs of it’s sort do exist. I guess you just drink some pretty crappy coffee.

  • Jonnie Grund

    It’s called ignorance, o “dumb on purpose” in the vernacular. To say something that has such overwhelming evidence that it does exist and you must have missed the Congressional hearings where the NSA admitted to Congress that it does exist.

  • Patrice Mathurin NGASSA

    How can I gain system privileges on CyanogenMod 11 (nightly build)?