
[Q] Security practicality of SELinux for Android's MAC?

milleraj66
#1  
Junior Member - OP

Starting with Android 4.4 SELinux's MAC is enforced. Does this mean that if an app somehow can get installed and exploit the kernel to get root privileges, that MAC will still prevent that app with root privileges from accessing private app data?

Android Documentation says: "SELinux can be used to label these devices so the process assigned the root privilege can write to only those specified in the associated policy. In this way, the process cannot overwrite data and system settings outside of the specific raw block device." source - http://source.android.com/devices/te...html#use-cases

As a reference, I am implementing a Mobile Device Management system and in the process I have to determine how secure Android OS is itself. That is why I need to know how secure corporate data stored on a device is to rootkits, spyware, and other malware.

P.S. This has been posted on the "Unix and Linux" StackExchange site with no one being able to answer yet. I'm hoping XDA's hands-on experience with the kernel will be able to help get this answered. Thank you.
 
nickkral
#2  
Junior Member
Quote (originally posted by milleraj66):
Starting with Android 4.4 SELinux's MAC is enforced. Does this mean that if an app somehow can get installed and exploit the kernel to get root privileges, that MAC will still prevent that app with root privileges from accessing private app data?
The answer is: "It depends."

Mandatory access controls systems like SELinux are very good at constraining application behavior to what is allowed by the security policy. In many cases, it can eliminate huge chunks of security vulnerabilities by sandboxing privileged applications so that exploitation of those applications is ineffective.

You may want to take a look at http://selinuxproject.org/~jmorris/l...rseandroid.pdf, specifically slides 7-9. This will give you an idea of what SELinux can and can't defend against.
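
Added example, not part of either post: a simplified Python model of the type-enforcement decision that the quoted Android documentation describes, where a process running as root can write only to the block device its policy names. The policy rules, the type names (`updater_t`, `cache_block_device_t`, `userdata_block_device_t`) and the simplified denial message are constructed assumptions, not Android's shipped policy; the real decision is made inside the kernel.

```python
import re

# Constructed policy in SELinux "allow" rule syntax; the type names are
# hypothetical and not taken from Android's shipped policy.
POLICY = """
allow updater_t cache_block_device_t:blk_file { read write open };
allow updater_t system_file_t:file { read open };
"""

RULE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;")

def parse_policy(text):
    """Return a dict mapping (source_type, target_type, class) -> set of perms."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def context_type(context):
    """Extract the type field from a 'user:role:type:level' security context."""
    return context.split(":")[2]

def check_access(rules, uid, scontext, tcontext, tclass, perm, enforcing=True):
    """Model of a type-enforcement check: default deny, uid is never consulted.

    Returns (allowed, log_line). In permissive mode a denial is logged but
    the access still proceeds. The log line is a simplified stand-in for an
    AVC denial message.
    """
    key = (context_type(scontext), context_type(tcontext), tclass)
    if perm in rules.get(key, set()):
        return True, None
    log = (f"avc: denied {{ {perm} }} uid={uid} scontext={scontext} "
           f"tcontext={tcontext} tclass={tclass} permissive={int(not enforcing)}")
    return (not enforcing), log

def demo():
    rules = parse_policy(POLICY)
    proc = "u:r:updater_t:s0"  # constructed context of a process running as uid 0
    cache = "u:object_r:cache_block_device_t:s0"
    userdata = "u:object_r:userdata_block_device_t:s0"
    ok, _ = check_access(rules, 0, proc, cache, "blk_file", "write")
    denied, log = check_access(rules, 0, proc, userdata, "blk_file", "write")
    permissive, _ = check_access(rules, 0, proc, userdata, "blk_file", "write", enforcing=False)
    return ok, denied, log, permissive

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The outcome depends on the policy and on enforcing mode, not on the uid: the same root process is allowed on one device, denied on the other, and only logged when the model is switched to permissive.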