SEAndroid
January 21, 2012 6:53 PM

The U.S. National Security Agency (NSA) has begun releasing Security-Enhanced Android patches and tools, which port their Security-Enhanced Linux tools to Android devices. SEAndroid and SELinux provide mandatory access control designed to limit the amount of damage that rogue or exploited software can do.

There was a talk about this at the Linux Security Summit in September 2011 which spawned various news stories. See the Unofficial and Official SELinux Intros/FAQs.

All the security enhancements here pertain only to securing processes running on the device from interfering with one another, i.e. it's careful app sandboxing, not encryption.

There are not afaik any plans to provide any message layer security infrastructure publicly, although the NSA builds such tools for government security purposes, and certifies encryption standards.

Android users could already obtain VoIP, IM, Email, etc. encryption, and anonymity software from the Guardian Project though.
posted by jeffburdges (35 comments total) 16 users marked this as a favorite

All I know about selinux is that when they installed it at work EVERYTHING broke and nobody seems able to fix it.

:(
posted by DU at 7:04 PM on January 21, 2012


I love the idea of SELinux, but man it was a pain to install (circa 2006).
posted by zippy at 7:09 PM on January 21, 2012


Is this going to break my Sprint NASCAR app?
posted by benzenedream at 7:19 PM on January 21, 2012 [3 favorites]


I remember configuring the SELinux extensions on a couple of gentoo kernels I built and then wishing I owned a firearm so I could put the machine out of its misery. On the other hand, I suspect that was mostly my trying to use what was essentially a bastion host as a desktop machine.

I'm all for this to be honest, user quibbles aside.
posted by iamabot at 7:56 PM on January 21, 2012


FLOSS Weekly had an interesting podcast last year on SELinux in general. It sounds so wonderful and probably is when everything is working, but getting everything working will make you want to kill yourself.
posted by zengargoyle at 7:58 PM on January 21, 2012 [1 favorite]


As a self-confessed Android fanboi, although by no means uncritical and the Dear knows with reason, it does give my black, twisted soul a twitch of pleasure that while certain people are going UNSAFE! UNSAFE! MALWARE! MALWARE! the only darn mobile OS getting the NSA love is (a) open (b) Linux and (c) Android.
posted by Devonian at 8:05 PM on January 21, 2012 [3 favorites]


Onpxqbbe zhpu?
posted by lalochezia at 8:40 PM on January 21, 2012 [1 favorite]


Has the NSA not heard of OpenBSD?
posted by leotrotsky at 8:52 PM on January 21, 2012 [2 favorites]


I eagerly await the Oracle lawsuit.
posted by PeterMcDermott at 9:11 PM on January 21, 2012 [1 favorite]


Has the NSA not heard of OpenBSD?

Sure. And since Theo doesn't seem terribly interested in MAC, I guess they aren't interested in beating their head against that wall.

All I know about selinux is that when they installed it at work EVERYTHING broke and nobody seems able to fix it.

Time To Harden Up.
posted by rodgerd at 10:00 PM on January 21, 2012 [3 favorites]


I eagerly await the Oracle lawsuit.

What cause of action? How do they get by sovereign immunity?
posted by Ironmouth at 10:09 PM on January 21, 2012


Is this going to break my Sprint NASCAR app?

one can only hope...
posted by sexyrobot at 10:09 PM on January 21, 2012 [1 favorite]


As long as your distro has reasonable selinux policies accompanying its packages and you don't do anything wacky with your app configurations (or are willing to generate selinux policy for your idiosyncrasies), it's no problem. If you're planning on converting a running system, you just use permissive mode (which logs stuff that WOULD be a violation), audit those logs, and generate local policy from them!

I'm typing this on a laptop using selinux in enforcing mode, which is the default in Fedora 16. Several years ago this would've been madness, but now not only is it feasible but it literally never interferes with my life (I had some issues in the 16 beta/alpha phases, but it all got worked out). It's also pretty easy (and awesome) in a server environment.

Also, {ps,ls,lsof,netstat} -Z is your friend.
posted by Matt Oneiros at 10:12 PM on January 21, 2012 [2 favorites]
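The permissive-mode workflow described above (log the would-be denials, then turn them into local policy) is what audit2allow automates. The following is an added example, not code from the thread or from the SELinux project: it parses constructed AVC records of the kind auditd writes while permissive=1 is set and merges them into type-enforcement allow rules, grouping by source type, target type and object class.

```python
import re
from collections import defaultdict

# Constructed sample of AVC records as written by auditd while SELinux runs
# in permissive mode (permissive=1 means the access was logged, not blocked).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327199000.101:41): avc:  denied  { read } for  pid=2210 comm="httpd" name="index.html" dev="sda1" ino=9121 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1327199000.102:42): avc:  denied  { open } for  pid=2210 comm="httpd" name="index.html" dev="sda1" ino=9121 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1327199000.250:43): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1327199000.250:43): arch=c000003e syscall=42 success=yes exit=0
"""

# Only the AVC records carry the (source, target, class, permissions) tuple
# that a type-enforcement rule is written on; SYSCALL records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:level] -> type, the field TE rules refer to."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
                   frozenset(m["perms"].split()))

def denials_to_allow_rules(log_text):
    """Merge denials with the same source/target/class into one allow rule,
    the way audit2allow summarises an audit log. Every generated rule still
    needs a human review: a logged denial proves the access happened, not
    that it was legitimate (here httpd reaching the MySQL port may or may
    not be intended for this host)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(denials_to_allow_rules(SAMPLE_AUDIT_LOG)))
```

On a real system the input would come from the audit log (for example via `ausearch -m AVC`), and the reviewed rules would be compiled into a local policy module rather than pasted into the base policy.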


Enabling selinux is like having someone question EVERYTHING ANYONE EVER DOES EVER NO MATTER HOW MINUTE on your computer. I would hate working with Linux if I couldn't disable it.
posted by spiderskull at 10:36 PM on January 21, 2012


On the one hand, the NSA loves security.
On the other hand, the NSA loooooves putting backdoors in things that other people use. (I don't know a lot, but I wouldn't be surprised if they could even make one that is secure, in that others can't take advantage of it. And/or one that is all but invisible even in open source)

Where do people think this release (likely) falls between those conflicting passions?
posted by -harlequin- at 10:39 PM on January 21, 2012 [1 favorite]


"Enabling selinux is like having someone question EVERYTHING ANYONE EVER DOES EVER NO MATTER HOW MINUTE on your computer."

Naw, it's more like saying "my secretary should never sleep with my wife" or "the gas station attendant should never have direct access to my back pocket."

"Where do people think this release (likely) falls between those conflicting passions?"

SELinux is open source, free for all the world to see. If there was a backdoor in selinux's published source it would need to be fairly clever. Now whether you trust the person you got your kernel from to not tinker with that source when building your kernel, that is another matter...

Or trusting the compiler (also open sourced) which builds that source, or the person who compiled your compiler, or the closed source processor building the compiler which compiled the compiler which compiled your kernel which includes the perfectly reasonable and easy to audit selinux source.

If the NSA is putting backdoors in anything, they're putting it in the processor architectures.

If one wishes to assume the NSA is backdooring our computers at the processor level then quite logically selinux is merely an inoculation against the grosser methodologies of competing organizations.
posted by Matt Oneiros at 11:08 PM on January 21, 2012 [4 favorites]


> Where do people think this release (likely) falls between those conflicting passions?

The main thing that makes me comfortable about using open source software from the NSA is because they're the NSA. I don't mean I trust the NSA, I mean that there are many very smart people that would just lurve to make their bones by finding a backdoor in SElinux. Not to say I don't worry about backdoors in open source, but if they're going to come, I think they'll come in the guise of much more mundane patches from (seemingly) much more mundane sources, not under the NSA's own banner.
posted by adamt at 11:15 PM on January 21, 2012 [3 favorites]


Once upon a time, developers and sysadmins simply ran servers as root, and argued that dropping privs and changing permissions was "too hard". It took a fairly large number of Epic Fails to turn things around, and there are still moronic developers in proprietary software companies arguing that they need root privs when they don't (BMC, IBM, Oracle, I'm looking at a selection of *your* products), but eventually we're at the point where almost all sysadmins and devs look at you like you've suggested human excrement would be the ideal accompaniment to the roast beef if you demand the root keys to run most software.

That's a good thing, and the point of it is that I wonder how long it is before running without MACs in place will be seen as braindead, too. Getting it running causes pain, but the amount of pain it solves is pretty phenomenal, too. I think we will get there, it's really a question of how many years it takes.
posted by rodgerd at 1:47 AM on January 22, 2012 [5 favorites]


One likely byproduct of this is to make it a lot harder to crack root on a phone you've bought. The NSA may be doing this to help the supercitizens (corporations) not people.
posted by Malor at 2:39 AM on January 22, 2012 [3 favorites]


One thing I'd like to see is better logging, something users can actually use to see what their apps are doing. System logs get filled up with tons of stuff, and most of them have no utility for users.

Figuring out what's 'useful' information to show a user concerned about personal privacy would be a difficult problem, though.
posted by delmoi at 3:48 AM on January 22, 2012


I donno if SEAndroid might help carriers prevent jail breaking, maybe, but users still have long term physical access. Admittedly people took way way too long developing an untethered jailbreak for iOS 4.

I'd expect non-official distributions like CyanogenMOD could use SEAndroid to reduce the threat from government spyware like the Bundestrojaner though.
posted by jeffburdges at 5:26 AM on January 22, 2012


I love SELinux for servers. You know exactly what roles should exist, there are existing policies from most distributions for most server software and from there audit2allow is pretty easy to extend if you're doing something unconventional. The roles rarely (or never) change so you basically do some legwork exactly once and sleep just a tiny bit better at night.

I've never tried on the desktop, it sounds unpleasant. The roles are too poorly specified and change too frequently, the combinatorial explosion of possible configurations is insane and to top it off the policies either don't exist or are years old.

Android might just be the right place to work MAC into things; you don't need to accommodate ancient protocols or full POSIX for apps. I'll definitely run it once there are builds for my device.
posted by Skorgu at 8:06 AM on January 22, 2012 [1 favorite]


Where do people think this release (likely) falls between those conflicting passions?

"WHATTA YA MEAN IM NOT TRYING TO HELP"
posted by clavdivs at 9:55 AM on January 22, 2012 [1 favorite]


What cause of action? How do they get by sovereign immunity.

It's Oracle and Boies Schiller we're talking about. Don't confuse them with issues like the law. This case could mean beelions and beelions of dollars!
posted by PeterMcDermott at 10:37 AM on January 22, 2012


Question: Can I use this to install an app that during installing, demands access to my GPS and contacts info etc, but does not need those things for any legitimate purpose. Click "yes I agree to that" so that it will install, while actually denying the app access to that stuff?

If so, what are the chances that most apps will not crash when they try to steal info that I deem they have no legitimate use for, and they find it blocked?
posted by -harlequin- at 3:22 PM on January 22, 2012


You may've just hit upon the killer app for SEAndroid there, harlequin. I donno how Android shares that data amongst applications. I donno if they'll protect against the internal Android sharing, but yes maybe they'll worry about exactly that.

I'd imagine this'll help firewall NDK apps nicely regardless. You could certainly run sexy applications that need linux libraries without giving them any real access though.

There could always be applications that phone home for legit purposes but also report bad stuff when doing so though.
posted by jeffburdges at 4:17 PM on January 22, 2012


"Where do people think this release (likely) falls between those conflicting passions?"

Alan Cox actually asked exactly this question when SELinux was first presented at a Linux Kernel summit. As I recall, the NSA dude presenting the work replied that in addition to the Echelon/warrantless wiretapping stuff (I paraphrase), the NSA also has an information assurance division that's responsible for securing the technical infrastructure of the govt. and has been preaching to a broader audience for a while now.

It seems like the fox guarding the henhouse but it makes sense from the broader perspective to have all computer security stuff under one roof.
posted by ianso at 12:37 AM on January 23, 2012


Question: Can I use this to install an app that during installing, demands access to my GPS and contacts info etc, but does not need those things for any legitimate purpose.

I haven't used it yet, but I expect this to be possible. From the wikipedia entry on MAC: "In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed." So in this case, you'd be able to define a policy that says Angry Birds cannot access the file that contains your contacts or the device interface that provides your GPS information.

There already is an application that allows you to do what you're looking for. It's called LBE Privacy Guard [Market Link] and is a mighty fine app. You need root. There are different groups for applications that can be defined to whitelist or blacklist applications, you can have it prompt or always deny, etc. It's a really great app and you can see it work when you set it to prompt - like if an application requests access, it says "X is requesting access to your contacts, do you want to Allow/Allow Once/Deny/etc". It also has lots of other neat features and is one of the few apps I'd consider 'necessary'.

One likely byproduct of this is to make it a lot harder to crack root on a phone you've bought.

If you are suggesting that a phone provider is going to install a properly-configured version of SELinux on their phones you have a lot more faith that they care at all about security than I do. Also, unless there is a way for the phone providers to update the SELinux policy on the phone for every app that's installed, but not allow users to change that policy, I don't think it would be much harder to crack. New applications will need policy defined in order to run properly, and that will have to be defined by the carrier (write it for every known app and automatically install it when an app is installed) or the user (which means they will be defining a policy for each app as it gets installed, which I imagine will cause much wailing and gnashing of teeth). In the case of allowing users to modify the policy, just grant authority for the rooting application to change necessary files and let it go. It's kind of a cat and mouse game in any case.
posted by nTeleKy at 8:09 AM on January 23, 2012 [1 favorite]
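The MAC decision quoted above (subject and object each carry security attributes; every access is tested against the policy and is denied unless a rule allows it) can be shown with a small type-enforcement model. This is an added example, not SEAndroid's own policy or code; the domain and type names (game_app_t, contacts_db_t, gps_device_t) are hypothetical, and the contexts use the u:r:type:s0 layout SEAndroid uses.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AllowRule:
    source_type: str   # domain of the subject (the process)
    target_type: str   # type of the object (file, device node, socket, ...)
    tclass: str        # object class the rule applies to
    perms: frozenset   # permissions this rule grants

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    permissive: bool = False  # log the denial but let the access proceed

    def allows(self, stype, ttype, tclass, perm):
        return any(r.source_type == stype and r.target_type == ttype
                   and r.tclass == tclass and perm in r.perms
                   for r in self.rules)

def type_of(context):
    """u:r:type:s0 (Android) or user:role:type:level (Linux) -> type."""
    return context.split(":")[2]

def check_access(policy, scontext, tcontext, tclass, perm):
    """Return (granted, audit_message). Default deny: an access is permitted
    only when some allow rule covers the (source, target, class, perm) tuple.
    In permissive mode the denial is recorded but the access still succeeds."""
    stype, ttype = type_of(scontext), type_of(tcontext)
    if policy.allows(stype, ttype, tclass, perm):
        return True, None
    msg = (f"avc: denied {{ {perm} }} scontext={scontext} tcontext={tcontext} "
           f"tclass={tclass} permissive={int(policy.permissive)}")
    return policy.permissive, msg

# Constructed policy: the hypothetical game domain may use its own data files,
# but no rule mentions the contacts database or the GPS device node, so those
# accesses are denied without any per-app opt-out being involved.
GAME_POLICY = Policy(rules=[
    AllowRule("game_app_t", "game_app_data_t", "file",
              frozenset({"read", "write", "open"})),
    AllowRule("game_app_t", "app_data_file_t", "dir", frozenset({"search"})),
])

def demo(policy=GAME_POLICY):
    """Evaluate three representative requests from the game domain."""
    requests = [
        ("own_save_file", "u:object_r:game_app_data_t:s0", "file", "write"),
        ("contacts_db", "u:object_r:contacts_db_t:s0", "file", "read"),
        ("gps_device", "u:object_r:gps_device_t:s0", "chr_file", "read"),
    ]
    return {name: check_access(policy, "u:r:game_app_t:s0", tcon, cls, perm)[0]
            for name, tcon, cls, perm in requests}
```

Whether an app survives such a denial depends on the app: the kernel returns EACCES to the blocked call, which is exactly the "will it crash" question raised upthread.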


I was going to jump in and recommend Droid Wall as a way to firewall applications that don't need access to the network. Looks like LBE has even finer grained control. I'll check it out.
posted by kookywon at 1:06 PM on January 23, 2012 [1 favorite]


There is a CyanogenMod App Store "proposal" by Koushik Dutta that plans on hosting banned apps.

A brief summary on slashdot.org says it'll focus on applications banned by Google, like "emulators, legally-questionable music services, tethering apps and one-click root apps" but they'd still employ an "approval process to weed out malicious applications", presumably/ideally requiring all the applications be open source.
posted by jeffburdges at 5:49 PM on January 23, 2012


LBE has finer control for "app permissions" - can it access GPS, contacts, camera, etc. Droidwall actually has finer control for network permissions - what ports/protocols/networks can be used in what ways by what applications. I actually use both of them for that reason. Droidwall is awesome because it's just a front-end for iptables, which is the standard linux firewall and has lots o' features. LBE is awesome because it lets me control all the Android app permissions, even after they've been granted during install.
posted by nTeleKy at 1:48 PM on January 25, 2012 [1 favorite]


Defending Your Cellphone Against Malware
Imho, mostly puff about phone vulnerabilities being the next big thing, but reports an interesting warning about reprovisioning texts.
posted by jeffburdges at 5:55 PM on January 29, 2012


RFID credit card hacking is easy
posted by jeffburdges at 4:54 PM on January 30, 2012


Do You Like Online Privacy? You May Be a Terrorist

I donno if SELinux makes their list yet though. :)
posted by jeffburdges at 1:46 PM on February 2, 2012


Unauthorized iOS Apps Leak Private Data Less Than Approved Ones
(I'll leave this here since I mentioned the CyanogenMod App Store upthread, presumably an SEAndroid based App Store could offer the user rather tight control)
posted by jeffburdges at 3:28 AM on February 15, 2012

