AOSP Framework & Internals

Domains and Types

Learn about Domains and Types.

Android's security architecture relies heavily on Security-Enhanced Linux (SELinux) to enforce boundaries between applications and system services. Understanding SELinux begins with grasping the concepts of domains and types, which form the foundation of Mandatory Access Control (MAC).

Mandatory Access Control (MAC) vs DAC

Linux traditionally uses Discretionary Access Control (DAC), where resource owners (users) decide the access permissions (read, write, execute) for their files. In a DAC system, a compromised process running under a specific user ID has access to all resources owned by that user.

SELinux introduces Mandatory Access Control (MAC). In MAC, the operating system enforces security policies defined by administrators. Even if a process runs as root, it is confined by the SELinux policy. Android uses MAC to implement the principle of least privilege, ensuring that processes can only access the resources explicitly required to function.

SELinux Subjects (Domains) and Objects (Types)

In SELinux terminology, security policies are built around subjects and objects.

  • Subjects: Active entities that request access to resources. These are typically processes. In SELinux, the security attribute assigned to a subject is called a domain.
  • Objects: Passive entities that subjects act upon. These include files, directories, sockets, devices, and properties. The security attribute assigned to an object is called a type.

When a process (subject) in a specific domain attempts to access a file (object) of a specific type, the kernel's SELinux subsystem checks the policy to determine if the access is permitted.

Type Enforcement (TE)

Type Enforcement is the core mechanism of SELinux on Android. It defines the rules that govern the interactions between domains and types. A TE policy specifies which domains are allowed to perform which operations on which types.

For example, a TE rule might explicitly state that the mediaserver domain is allowed to read files labeled with the media_rw_data_file type. If no such rule exists, the access is denied even if the DAC permissions on the file would allow it: SELinux is default-deny, and only an explicit allow rule grants access.

TE rules are written in .te files located in the system/sepolicy/ directory of the AOSP tree.
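To make the default-deny behaviour of Type Enforcement concrete, here is a small Python evaluator, added as an example and not code from AOSP or system/sepolicy. It parses a constructed policy fragment written in the same `allow source target:class { perms };` syntax used in .te files, and answers access queries the way the kernel would: an operation is permitted only if some allow rule grants that exact permission to that domain on that type and object class. The domain and type names (mediaserver, media_rw_data_file, system_server, system_data_file, untrusted_app) and the rules themselves are sample values chosen for the illustration; the `explain` output is only loosely modelled on the kernel's `avc:` log lines.

```python
"""Tiny evaluator for SELinux Type Enforcement (TE) allow rules.

Added example, not AOSP code: it parses a handful of constructed
allow rules in .te syntax and answers access queries with SELinux's
default-deny semantics (no matching allow rule => denied).
"""
import re
from collections import defaultdict

# Constructed sample policy in .te syntax (not copied from system/sepolicy).
SAMPLE_POLICY = """
# mediaserver may read media files; writing is deliberately not granted
allow mediaserver media_rw_data_file:file { read open getattr };
allow mediaserver media_rw_data_file:dir { search open read };
# system_server may read and write its own data files
allow system_server system_data_file:file { read write open create };
"""

# One allow rule per line: allow <src> <tgt>:<class> <perm | { perm ... }>;
_RULE = re.compile(
    r"^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\w+)\s*;\s*$"
)


def parse_policy(text):
    """Return {(domain, type, class): set(perms)} from allow rules.

    Comment lines and blank lines are skipped; any other line that is
    not a well-formed allow rule raises ValueError so that a typo in the
    policy is reported instead of silently turning into a denial.
    """
    rules = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()  # drop trailing comments
        if not stripped:
            continue
        m = _RULE.match(stripped)
        if not m:
            raise ValueError(f"line {lineno}: not an allow rule: {line!r}")
        perms = m.group("perms").strip("{}").split()
        rules[(m.group("src"), m.group("tgt"), m.group("cls"))].update(perms)
    return rules


def is_allowed(rules, domain, obj_type, cls, perm):
    """MAC decision: True only if an explicit allow rule grants `perm`.

    Nothing about the caller's UID or the file's mode bits is consulted;
    DAC is evaluated separately by the kernel and cannot override this.
    """
    return perm in rules.get((domain, obj_type, cls), set())


def explain(rules, domain, obj_type, cls, perm):
    """Verdict string loosely modelled on an avc: log line."""
    verdict = "granted" if is_allowed(rules, domain, obj_type, cls, perm) else "denied"
    return f"avc: {verdict} {{ {perm} }} scontext={domain} tcontext={obj_type} tclass={cls}"


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    queries = [
        ("mediaserver", "media_rw_data_file", "file", "read"),    # granted
        ("mediaserver", "media_rw_data_file", "file", "write"),   # denied: perm not listed
        ("untrusted_app", "media_rw_data_file", "file", "read"),  # denied: no rule for domain
    ]
    for q in queries:
        print(explain(policy, *q))
```

The second and third queries show the two ways a request fails under TE: the domain has a rule for the type but the specific permission is absent, or the domain has no rule for that type at all. Both produce the same denial, which is why reading a denial log requires knowing the full triple of domain, type and object class.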

Android Domain Naming Conventions

Android follows specific naming conventions for domains and types to maintain readability and organization within the policy files.

  • Domains: Typically correspond to the process name or function. Examples include:

    • init: The init process.
    • system_server: The core Android system process.
    • appdomain: A generic domain for untrusted third-party apps.
    • hal_audio_default: The default audio HAL process.
  • Types: Often end with suffixes denoting the resource class. Examples include:

    • _file: Represents files (e.g., system_file, app_data_file).
    • _device: Represents device nodes in /dev (e.g., audio_device, video_device).
    • _prop: Represents system properties (e.g., hwservicemanager_prop, build_prop).
    • _service: Represents Binder services (e.g., audioserver_service, activity_service).

Understanding these conventions makes it significantly easier to read and write SELinux policies in AOSP.