
[Q] Security practicality of SELinux for Android's MAC?

milleraj66 (OP, Junior Member) | 27th June 2014, 09:45 PM | #1
Starting with Android 4.4 SELinux's MAC is enforced. Does this mean that if an app somehow can get installed and exploit the kernel to get root privileges, that MAC will still prevent that app with root privileges from accessing private app data?

Android Documentation says: "SELinux can be used to label these devices so the process assigned the root privilege can write to only those specified in the associated policy. In this way, the process cannot overwrite data and system settings outside of the specific raw block device." source - http://source.android.com/devices/te...html#use-cases

As a reference I am implementing a Mobile Device Management system and in the process I have to determine how secure Android OS is itself. That is why I need to know how secure corporate data stored on a device is to root-kits, spyware, and other malware.

P.S. This has been posted on the "Unix and Linux" StackExchange site with no one being able to answer yet. I'm hoping XDA's hands-on experience with the kernel will be able to help get this answered. Thank you.
Junior Member | 24th July 2014, 04:27 AM | #2
Quote:
Originally Posted by milleraj66

Starting with Android 4.4 SELinux's MAC is enforced. Does this mean that if an app somehow can get installed and exploit the kernel to get root privileges, that MAC will still prevent that app with root privileges from accessing private app data?

The answer is: "It depends."

Mandatory access control systems like SELinux are very good at constraining application behavior to what is allowed by the security policy. In many cases, it can eliminate huge chunks of security vulnerabilities by sandboxing privileged applications so that exploitation of those applications is ineffective.

You may want to take a look at http://selinuxproject.org/~jmorris/l...rseandroid.pdf, specifically slides 7-9. This will give you an idea of what SELinux can and can't defend against.
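
The point in the reply above about sandboxing privileged processes, as an added sketch that is not part of the thread: a simplified model in which a read must pass the classic DAC check and then SELinux type enforcement. The allow rules, UIDs and sample file are constructed for illustration and are not AOSP policy.

```python
# Simplified model of a file-read decision: DAC first, then SELinux type
# enforcement (TE). Rules and sample values are constructed, not AOSP policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str        # SELinux type (domain) the process runs in

@dataclass(frozen=True)
class File:
    owner_uid: int
    mode: int          # classic permission bits, e.g. 0o600
    setype: str        # SELinux type the file is labelled with

# Constructed allow rules: (source domain, target type, class, permission)
ALLOW = {
    ("installd", "app_data_file", "file", "read"),
    ("netd", "net_data_file", "file", "read"),
}

def dac_allows_read(p: Process, f: File) -> bool:
    if p.uid == 0:                       # root overrides the mode bits
        return True
    if p.uid == f.owner_uid:
        return bool(f.mode & 0o400)
    return bool(f.mode & 0o004)          # group check omitted for brevity

def te_allows_read(p: Process, f: File) -> bool:
    # TE ignores the UID entirely: only the domain/type pair matters.
    return (p.domain, f.setype, "file", "read") in ALLOW

def can_read(p: Process, f: File, enforcing: bool = True) -> bool:
    if not dac_allows_read(p, f):
        return False
    if te_allows_read(p, f):
        return True
    return not enforcing                 # permissive mode logs but allows

# Constructed sample: private data file of an app running as UID 10061.
APP_FILE = File(owner_uid=10061, mode=0o600, setype="app_data_file")

if __name__ == "__main__":
    cases = [
        ("other app, non-root", Process(10062, "untrusted_app"), True),
        ("root in netd domain", Process(0, "netd"), True),
        ("root in installd domain", Process(0, "installd"), True),
        ("root in netd, permissive", Process(0, "netd"), False),
    ]
    for name, proc, enforcing in cases:
        print(f"{name:26} -> {can_read(proc, APP_FILE, enforcing)}")
```

In this model the outcome for a root process depends on the domain it runs in, on what the policy allows that domain, and on whether enforcement is on.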