
B2G/Architecture/System Security

1,016 bytes added, 19:53, 16 November 2013
Updated for SELinux as Android supports SELinux in 4.3/4.4. Also updated how it's related to seccomp since we have seccomp now.
=== RBAC (Role Based Access Control) ===
==== Risks ====
* Ability for the attacker to run arbitrary code on the device once a process has been compromised
* Ability for the attacker to use a compromised process in an unintended way and reach resources whose access the Linux DAC cannot restrict
* In some cases, ability for the attacker to exploit the kernel through vulnerable system calls that the process would normally never use
==== Implementation ====
Frameworks of this kind are generally called Mandatory Access Control (MAC) frameworks. They let the policy author define allow-lists of operations for any process or group of processes, based on roles and types: roles are assigned to processes and users, types to the resources they access (files, sockets, IPC objects, and so on), and the policy states which operations a given domain may perform on a given type.
Because the policy lives outside the program, the framework controls access with little to no modification of the running program, unlike seccomp, where the process has to install its own filter.
Both SELinux and seccomp enforce their policies in the kernel: seccomp-bpf filters individual system calls (and their arguments) before they run, whereas SELinux checks the access to kernel objects that each system call requests.
* Allows for extremely flexible configurations
* Restrictions are always enforced by the kernel
* Restrictions can also be configured for any process and therefore sand-boxing of the non-b2g processes (wpa_supplicant, init, etc.)
* Restrictions can be configured for the B2G process even though it runs as root
* Restrictions to the content-processes make little sense when seccomp-bpf is already being used.
** Further decreases performance
** Does not lock down the content-process more strictly than seccomp
** Similar checks being performed
* Possible to target only some processes (targeted policy), although a complete policy (all processes, no exception) is preferred from the security point of view.
* Misc & caveats:
** Requires a custom kernel with SELinux enabled, or another kernel-patch-based solution, built and enabled. Gonk based on Android 4.3 and 4.4 already ships SELinux-enabled kernels, the userspace tools and an Android-only policy.
** The security policy can be extensive and may eventually require modifications to run on different devices.
** The security policy from Android most likely needs large changes to run with B2G and to be of any use to B2G.
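As an added illustration of the targeted policy described above (this is an example written for this page, not B2G's or Android's own policy), the fragment below confines a hypothetical b2g daemon in Android's SELinux policy language. The type names (b2g, b2g_exec, b2g_data_file), the paths and the exact permission sets are assumptions chosen for the example; the macros init_daemon_domain, create_dir_perms, create_file_perms and r_file_perms and the types domain, file_type, data_file_type, exec_type and system_file are the ones Android's policy tree defines.

```selinux
# --- b2g.te (hypothetical example; not the real B2G policy) ---
# A domain for the b2g process and the types of the objects it owns.
type b2g, domain;
type b2g_exec, exec_type, file_type;
type b2g_data_file, file_type, data_file_type;

# init executes /system/b2g/b2g; the exec transitions into the b2g domain.
# (Android macro: domain_auto_trans(init, b2g_exec, b2g) plus a private tmpfs.)
init_daemon_domain(b2g)

# Allow-list only what the daemon needs: its own data directory,
# read-only access to system files, and the few capabilities it uses.
allow b2g b2g_data_file:dir create_dir_perms;
allow b2g b2g_data_file:file create_file_perms;
allow b2g system_file:file r_file_perms;
allow b2g self:capability { net_admin sys_nice };

# b2g runs as uid 0. DAC treats root as unrestricted; MAC does not.
# neverallow rules are build-time assertions: checkpolicy rejects the policy
# if any allow rule (here or in another .te file) grants these accesses.
neverallow b2g self:capability { sys_module sys_rawio };
neverallow b2g kernel:system module_request;
neverallow b2g { domain -b2g }:process ptrace;

# --- file_contexts (labels applied at build time and by restorecon) ---
/system/b2g/b2g        u:object_r:b2g_exec:s0
/data/b2g(/.*)?        u:object_r:b2g_data_file:s0
```

To check the result on a device, `getenforce` shows whether the kernel is Permissive or Enforcing, `ps -Z` shows which domain each process actually runs in (b2g should appear as `u:r:b2g:s0`, not `u:r:init:s0`), `ls -Z` shows the labels on the files, and `dmesg | grep avc` (or `logcat | grep avc`) lists the `avc: denied { ... } scontext=u:r:b2g:s0 tcontext=...` entries. While the policy is being developed it is usual to mark the domain `permissive b2g;` so that denials are only logged, then collect them, add the accesses the daemon genuinely needs, and remove the permissive line before shipping.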
=== Disk encryption ===