madaidans-insecurities/madaidans-insecurities.github.io

Android SELinux, Sandbox

Closed this issue · 5 comments

Interesting topic, but I have a question that I hope they can answer for me.

You wrote:

By default, Android has a strong security model and incorporates full system SELinux policies and strong app sandboxing.

Rooting your device allows an attacker to easily gain extremely high privileges. Android's architecture is built upon the principle of least privilege. By default, unrestricted root is found nowhere in the system due to the full system SELinux policy. Even the init system does not have unrestricted root access. Exposing privileges far greater than any other part of the OS to the application layer is not a good idea.

That sounds very good, but why are root vulnerabilities still possible?
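An added example, not part of this issue thread or of the website it quotes, to make the quoted point concrete: on stock Android, uid 0 is not one privilege level, because every root daemon runs in its own confined SELinux domain. The script below parses `ps -AZ` style output (Android's toybox `ps` prints the SELinux label as the first column) and groups uid-0 processes by domain, flagging any that run in a domain that hands out unconfined root. The sample output is constructed for this example; `su` is AOSP's permissive debug domain on userdebug/eng builds, and `magisk` is assumed here to be the domain of Magisk's daemon (that name is an assumption, not taken from the page).

```python
"""Group uid-0 processes by SELinux domain from `ps -AZ` output.

Illustrates why "root" on stock Android is not a single privilege level:
init, vold, zygote and the kernel threads all run as uid 0, but each in its
own confined domain. An unconfined root domain (su, or a rooting tool's
daemon) is what a root exploit or Magisk adds on top of that.
"""

# Domains that hand out unconfined root. `su` is AOSP's permissive debug
# domain (userdebug/eng builds only). `magisk` is ASSUMED to be the domain
# used by Magisk's daemon; adjust for the device you inspect.
UNCONFINED_ROOT_DOMAINS = {"su", "magisk"}

# Constructed sample in the column layout of `adb shell ps -AZ`.
# Not captured from a real device.
SAMPLE_PS_AZ = """\
LABEL                          USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
u:r:init:s0                    root             1     0   10000   2000 0                   0 S init
u:r:kernel:s0                  root             2     0       0      0 0                   0 S kthreadd
u:r:vold:s0                    root           500     1   20000   5000 0                   0 S vold
u:r:zygote:s0                  root           600     1   30000  10000 0                   0 S zygote64
u:r:system_server:s0           system         700   600  100000  60000 0                   0 S system_server
u:r:untrusted_app:s0:c100,c256,c512,c768 u0_a100 900   600   50000  20000 0                   0 S com.example.app
u:r:magisk:s0                  root          1100     1    8000   1000 0                   0 S magiskd
u:r:su:s0                      root          1200  1100    4000    500 0                   0 S sh
"""


def parse_ps_az(text):
    """Parse `ps -AZ` lines into dicts: label, domain, user, pid, name.

    The label has the form user:role:type:level[:categories]; the SELinux
    domain of a process is the type field (index 2).
    """
    procs = []
    lines = text.strip().splitlines()
    for line in lines[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated line
        label = fields[0]
        parts = label.split(":")
        domain = parts[2] if len(parts) >= 3 else label
        procs.append(
            {
                "label": label,
                "domain": domain,
                "user": fields[1],
                "pid": int(fields[2]),
                "name": fields[-1],
            }
        )
    return procs


def root_domains(procs):
    """Map each SELinux domain that contains uid-0 processes to their names."""
    by_domain = {}
    for p in procs:
        if p["user"] == "root":
            by_domain.setdefault(p["domain"], []).append(p["name"])
    return by_domain


def unconfined_root(procs):
    """Return uid-0 processes running in a domain that grants unconfined root."""
    return [
        p
        for p in procs
        if p["user"] == "root" and p["domain"] in UNCONFINED_ROOT_DOMAINS
    ]


if __name__ == "__main__":
    procs = parse_ps_az(SAMPLE_PS_AZ)
    print("uid-0 processes by SELinux domain:")
    for domain, names in sorted(root_domains(procs).items()):
        print(f"  {domain:<14} {', '.join(names)}")
    flagged = unconfined_root(procs)
    if flagged:
        print("unconfined root present (rooted or debug build):")
        for p in flagged:
            print(f"  pid {p['pid']} {p['name']} in {p['label']}")
    else:
        print("no unconfined root domain observed")
```

On a real device, feed it `adb shell ps -AZ`; the first six sample lines are what a stock user build looks like (several uid-0 processes, none unconfined), and the last two are what a rooted or userdebug device adds.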

It's not clear what you mean. "Rooting" on Android does not necessarily mean exploiting a vulnerability in the operating system — it involves the user specifically unlocking the bootloader and making changes to their system, such as in the case of Magisk or other common rooting tools.

I was wondering why root vulnerabilities are still possible when in a standard Android the user does not use tools like Magisk and the system model regulates the root user as you described.

In this vulnerability, someone first broke out of the Chrome sandbox and then obtained root privileges. (I know the vulnerability has already been fixed.)

Why is the issue closed???

I was wondering why root vulnerabilities are still possible when in a standard Android the user does not use tools like Magisk and the system model regulates the root user as you described.

Vulnerabilities are always possible in anything. One can reduce the likelihood of them occurring, make them more difficult to exploit and reduce the impact/severity of a successfully exploited vulnerability; however, nothing is perfect. Magisk and similar tools make it significantly easier for an attacker to acquire root privileges when compared to the default.

Why is the issue closed???

It's not valid.

Vulnerabilities are always possible in anything. One can reduce the likelihood of them occurring, make them more difficult to exploit and reduce the impact/severity of a successfully exploited vulnerability; however, nothing is perfect.

I know that, which is why I don't use an Android device. I only have a test device here because I'm interested in the topic.

Magisk and similar tools make it significantly easier for an attacker to acquire root privileges when compared to the default.

Because I am interested in this topic, I am trying to find out how easy it is. But it's hard to get in-depth information about it, because a lot of it is written very superficially. I have also already searched and read some things in the xda-developers forum. No matter where I search, I can't find any examples in the wild. The only reports and vulnerabilities I found were related to the standard Android model, entirely without Magisk or AddonSU, and even though there are things like the sandbox or SELinux.

The website is quite clear already about the issues with this. You keep ignoring what has already been written.