William, I have a very similar question about native code. However, my question is how native parts of the core system can be extended (such as adding a new native service) in a secure manner. That is, outside the Dalvik VM, is there a way to run native code as a "user" without root permissions?
The following example is a bit "out there", but it is intended to clarify the above question with a concrete example. So, let's just say I want to build a native Apache webserver into my Android handset, perhaps for a piconet collaboration session with other users in the room. How could I start the Apache server securely if it lived in /system/bin, along side other apps like telnetd which have uid=0 root, gid = 0 root? Could I use sudo? Could I use chroot? I am not a Linux security expert. I imagine there is a fairly straightforward way to do the above. I just want some concrete examples. I would very much like to see one of the Android framework engineers respond... Thanks, Dan On Mon, Aug 17, 2009 at 12:03 PM, William Enck <[email protected]> wrote: > > I imagine some folks on this list have seen this (or a similar story): > > http://theandroidsite.com/2009/08/16/rooting-your-android-with-one-click/ > > I haven't investigated it in any depth, but my speculation is that the > exploitation of the referenced kernel privilege escalation vulnerability ( > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2692) results > from the ability to execute native code. > > I understand the public pressure to allow native code, and that Android's > security model provides protection at the process level; however, as an > Android user, I would like the ability to disallow third party native > libraries for security purposes (defense in depth). > > I imagine there is a library path that can be checked somewhere to ensure > JNI only allows the /system prefix. Alternatively, the LSM hook for mmap > could be useful. > > While this won't stop users from rooting their devices when kernel > privilege escalation vulnerabilities inevitably emerge, it provides a nice > buffer between the time the vulnerability is found to the time a security > patch is deployed that will protect many normal users. > > I'm going to take a look at generating a patch when I get a chance, but > that might not be for a little while. If anyone starts to work on this, > please let me know. > > Thanks, > -Will >
