The initial ramdisk that init is loaded out of, and the policy itself, are compiled into boot.img (kernel + ramdisk + metadata). But as Nick described, the bootloader and a trusted boot process should prevent the replacing of boot.img outside of trusted channels. I.e., using fastboot flash boot.img wipes the data, so go nuts; the only thing you can do is destroy the user's data, not exfiltrate it. The SELinux policy, and other security designs, shouldn't allow the reload or attack of the loaded policy. I.e., an exploit in WebKit shouldn't cause your sepolicy to be tampered with. As always, good security involves multiple layers, and perfect implementations.
Bill

On Fri, Jun 6, 2014 at 11:29 AM, Nick Kralevich <[email protected]> wrote:
>
> Locked bootloaders prevent the modification of the boot image, which
> contains the SELinux policy and the init binary. All Android devices are
> required to ship with a locked bootloader by default, although many devices
> (including Nexus devices) allow bootloader unlocking.
>
> An unlockable bootloader allows the attack you described.
>
> To protect the data on the device, a bootloader unlock MUST be accompanied
> by a data wipe. This destroys the data if someone attempts to replace key
> parts of the operating system, such as the SELinux policy or init binary.
>
> Some manufacturers go beyond locked bootloaders and do signature validation
> of the boot partition and /system. See, for example
> https://source.android.com/devices/tech/security/dm-verity.html
>
> -- Nick
>
> On Fri, Jun 6, 2014 at 10:41 AM, Dinesh Garg <[email protected]> wrote:
>>
>> Hi,
>> I was looking at system/core/init/init.c. It seems that the SEAndroid policy
>> is being loaded from here and hence enforced. Isn't it the case that an attacker can
>> replace init.c with one not enforcing the SELinux policy? If it is true, how
>> is SEAndroid secure? If not true, what am I missing? Or is it that init.c
>> goes inside boot.img, which is signed, and hence the image is verified during boot
>> load and there is no way an attacker can replace init.c?
>>
>> Thanks,
>> Dinesh
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
>
> --
> Nick Kralevich | Android Security | [email protected] | 650.214.4037
--
Respectfully,
William C Roberts
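Nick's last point, signature validation of /system via dm-verity, is the part of the thread that is easiest to show in code. The following is an added example, not code from this thread, from AOSP or from the kernel's dm-verity implementation: a simplified Python model of the salted hash tree that dm-verity builds over a block device. It assumes the dm-verity defaults of 4096-byte data and hash blocks and SHA-256 with a prepended salt, so each hash block holds 128 child hashes. It does not model the on-disk superblock, the hash-block layout, or the signature over the root hash; the `trusted_root` parameter stands in for the root hash that the signed verity metadata (checked by the bootloader or kernel, not by anything on /system) delivers. The sample image and salt are constructed here for the demonstration.

```python
import hashlib

# Simplified model of a dm-verity style hash tree (added example, not AOSP code).
# Real dm-verity has an on-disk superblock and a signed root hash; only the
# per-block salted hashing and the tree walk are modelled here.
BLOCK_SIZE = 4096                      # dm-verity default data/hash block size
HASH_LEN = hashlib.sha256().digest_size
FANOUT = BLOCK_SIZE // HASH_LEN        # 128 child hashes per hash block


def hash_block(data, salt):
    """Salted SHA-256 of one block, zero-padded to BLOCK_SIZE like dm-verity."""
    padded = bytes(data).ljust(BLOCK_SIZE, b"\0")
    return hashlib.sha256(salt + padded).digest()


def build_tree(image, salt):
    """Return the hash tree as a list of levels, leaf hashes first, root last.

    Level 0 holds one hash per data block. Each higher level hashes groups of
    FANOUT hashes from the level below until a single root hash remains. In a
    real device this tree lives on the verity partition and the root hash is
    what the signed verity metadata protects.
    """
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    level = [hash_block(image[i:i + BLOCK_SIZE], salt)
             for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while len(level) > 1:
        level = [hash_block(b"".join(level[i:i + FANOUT]), salt)
                 for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return levels


def verify_block(image, index, salt, levels, trusted_root):
    """Verify data block `index` the way the kernel does on each read.

    Recompute the block's hash, confirm it matches the stored leaf, then
    recompute every hash block on the path up the tree from the stored
    sibling hashes and compare the result with the trusted root. Returns
    True if the block and its path are intact, False otherwise.
    """
    block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    computed = hash_block(block, salt)
    for level in levels[:-1]:          # every level except the root
        if level[index] != computed:   # stored hash disagrees with the data
            return False
        start = (index // FANOUT) * FANOUT
        computed = hash_block(b"".join(level[start:start + FANOUT]), salt)
        index //= FANOUT
    return computed == trusted_root


def verify_image(image, salt, levels, trusted_root):
    """Return the indices of all data blocks that fail verification."""
    nblocks = len(image) // BLOCK_SIZE
    return [i for i in range(nblocks)
            if not verify_block(image, i, salt, levels, trusted_root)]


def make_sample_image(nblocks):
    """Constructed, deterministic sample image: each block is its own pattern."""
    return b"".join(
        hashlib.sha256(i.to_bytes(4, "big")).digest() * (BLOCK_SIZE // HASH_LEN)
        for i in range(nblocks))


SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def demo():
    """Build a tree over 300 blocks (two hash levels), then tamper with one block."""
    image = make_sample_image(300)
    levels = build_tree(image, SAMPLE_SALT)
    root = levels[-1][0]               # in practice: taken from signed metadata
    clean = verify_image(image, SAMPLE_SALT, levels, root)

    tampered = bytearray(image)
    tampered[150 * BLOCK_SIZE + 5] ^= 0x01   # flip one bit in block 150
    bad = verify_image(bytes(tampered), SAMPLE_SALT, levels, root)
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("failing blocks before tampering:", clean)
    print("failing blocks after tampering: ", bad)
```

Two things the walk makes visible that the prose only implies: a single flipped bit anywhere in a block changes the leaf hash, so the recomputed root no longer matches the trusted one and the read fails; and verification happens per block on demand, so block 0 of the tampered image still verifies while block 150 does not, which is exactly why dm-verity only trips when the modified data is actually read.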
