On 08/14/2014 09:37 AM, Chris Stone wrote:
> Hi Stephen,
>
> Separate SELinux policies for different users is really part of a bigger
> picture. As you know the AOSP/Google SELinux policy runs in enforcing, but
> most of the domains are set as permissive in the policy, so nothing is
> really enforced. I suspect that Google is doing this because they cannot
> guarantee that all apps will work under a properly enforcing policy.

This was true in 4.4 for all but the 4 root daemons, but significant work has gone into AOSP since 4.4 such that almost everything is fully confined+enforcing in AOSP master and is expected to be that way in L. The L Developer Preview had most domains confined+enforcing, including untrusted_app. See my Android Builders Summit slide deck or (next week) my LSS talk. Also, Samsung has been shipping untrusted_app in enforcing for quite a while on their devices, albeit with a more liberal policy than ours.

> Of course, this doesn't answer your question, i.e., what happens if an app
> in the personal space roots the phone. Well, first of all, managed spaces
> file systems are encrypted with ecryptfs. Even root on the phone cannot
> read the managed space files.

If permissive or unconfined, then it can steal the passphrase, or just wait for the managed space to mount the decrypted content and then access it. ecryptfs does not protect against root.

> Secondly, we separate spaces further using
> Linux kernel namespaces. We are not using full android stack containers
> like Cellrox. We have modified the dalvik vm, so that when an app is
> started for a space it is placed into a unique kernel namespace for that
> user. The namespace work is still under construction, hence the deadlines
> that are keeping me busy. Nonetheless, once complete, root in a personal
> space is not root on the phone, it is only root in that space.
> Additionally, root in the space will not be able to see processes, file
> systems, or network devices that belong to other spaces. All of this is
> done from a single instance of the Android middleware, we are not running
> multiple copies of Android.

See for example Docker "containers do not contain". They recognize that namespaces do not in themselves provide security and are in fact using SELinux to provide isolation.

> So, the theory is that the personal space can run in permissive. Apps in
> that space can go wild, but they cannot affect apps in the managed spaces,
> nor can they see managed space data. Additionally, apps in a personal space
> can only root the space, they cannot root the phone.

Not if they are permissive or unconfined. This is not a safe model.

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
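The point both sides of the exchange turn on is that a device reporting "Enforcing" globally says nothing about whether a given process is actually confined: a domain declared `permissive` in the policy, or made unconfined, gets no enforcement even when the kernel is in enforcing mode. The following audit script is an added example written for this page; it is not code from the thread, from SEAndroid or from AOSP. It parses a constructed policy excerpt in the style of AOSP `.te` files (the `permissive <type>;` statement and the `unconfined_domain()` macro are real AOSP policy syntax of that era; the process list and domain names are constructed sample data) and reports, per running process, whether SELinux is effectively enforcing anything for it.

```python
"""Audit which processes are *effectively* confined by SELinux.

Added example (not from the mailing-list thread or the SEAndroid project).
The policy excerpt and the `ps -Z`-style process list below are constructed
sample data; on a real device the inputs would come from the policy source
and from `ps -Z` / `getenforce`.
"""
import re

# Constructed excerpt in the style of AOSP sepolicy .te files.
# `permissive foo;` disables enforcement for domain foo even when the
# kernel is globally enforcing; `unconfined_domain(foo)` grants foo the
# unconfined attribute, which is just as ineffective as a confinement.
POLICY_TE = """
type untrusted_app, domain;
permissive untrusted_app;
type installd, domain;
permissive installd;
type vold, domain;
unconfined_domain(vold)
type mediaserver, domain;
type init, domain;
"""

# Constructed `ps -Z`-style output: context, user, pid, name.
PS_Z = """
u:r:init:s0                   root      1     /init
u:r:vold:s0                   root      181   /system/bin/vold
u:r:installd:s0               root      190   /system/bin/installd
u:r:untrusted_app:s0          u0_a42    1873  com.example.app
u:r:mediaserver:s0            media     201   /system/bin/mediaserver
"""

PERMISSIVE_RE = re.compile(r"^\s*permissive\s+([A-Za-z0-9_]+)\s*;", re.M)
UNCONFINED_RE = re.compile(r"^\s*unconfined_domain\(\s*([A-Za-z0-9_]+)\s*\)", re.M)


def permissive_domains(policy_text):
    """Domains explicitly declared permissive in the policy source."""
    return set(PERMISSIVE_RE.findall(policy_text))


def unconfined_domains(policy_text):
    """Domains given the unconfined attribute via the unconfined_domain() macro."""
    return set(UNCONFINED_RE.findall(policy_text))


def parse_ps_z(text):
    """Return (domain, pid, name) tuples from `ps -Z`-style lines.

    The security context is user:role:type:level; the type is the domain.
    """
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ctx, pid, name = parts[0], parts[2], parts[-1]
        domain = ctx.split(":")[2]
        rows.append((domain, int(pid), name))
    return rows


def audit(policy_text, ps_text, global_mode="Enforcing"):
    """Map (domain, pid) -> effective enforcement status for each process.

    global_mode is what `getenforce` would report. A process is only
    reported as "enforcing" when the kernel is enforcing AND its domain is
    neither permissive nor unconfined.
    """
    perm = permissive_domains(policy_text)
    unconf = unconfined_domains(policy_text)
    report = {}
    for domain, pid, name in parse_ps_z(ps_text):
        if global_mode != "Enforcing":
            status = "permissive (global)"
        elif domain in perm:
            status = "permissive (domain)"
        elif domain in unconf:
            status = "unconfined"
        else:
            status = "enforcing"
        report[(domain, pid)] = status
    return report


def unenforced(report):
    """Processes for which the policy provides no real confinement."""
    return sorted(k for k, v in report.items() if v != "enforcing")


if __name__ == "__main__":
    for (domain, pid), status in audit(POLICY_TE, PS_Z).items():
        print(f"{pid:>6}  {domain:<16} {status}")
```

Run against real inputs, a device whose `getenforce` says Enforcing can still show most of its processes as `permissive (domain)` or `unconfined`, which is exactly the 4.4-era situation described in the thread; that status, not the global mode, is what decides whether a root in such a domain is contained.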
