KernelSU
[security] restrictions on root process
Should we restrict root process?
- setuid to manager_uid
- ptrace manager
- load_module without the manager's approval
It is difficult to avoid attacks by a root process, so we don't need to do something special for this because it is endless.
For example, a root process can write /data/adb/.ksu_allowlist, or it can ptrace init and make init do the attack.
But we can't just leave the door open because of the possibility of theft.
Also, capabilities are a good way to restrict a root process: they provide CAP_SETUID, CAP_SYS_PTRACE and CAP_SYS_MODULE, which could solve the three cases you raised, but they still can't avoid all the attacks. I am thinking of introducing this feature to KernelSU.
Also, I think we can use SELinux to implement something like permission scopes.
For example, we create u:r:su_1:s0, u:r:su_2:s0, u:r:su_3:s0, and these contexts are not permissive. Users can customize permissions as they wish.
Groups are also a useful way for permission control, like the docker group.
We need to sudo docker if we are not in the docker group.
Android also uses this:
1004 (input), 1007 (log), 1011 (adb), 1015 (sdcard_rw), 1028 (sdcard_r), 1078 (ext_data_rw), 1079 (ext_obb_rw), 3001 (net_bt_admin), 3002 (net_bt), 3003 (inet), 3006 (net_bw_stats), 3009 (readproc), 3011 (uhid)
Is it easy to control Android user groups like on regular Linux?
I heard that users and groups are hardcoded by Android's libc.
I think kernel-based security traces could perhaps be added to KernelSU. Add a "test" option to the existing root authorization switch, and every sensitive request of the root process in test mode must be approved by the user before it can be executed.
Android uses Linux!
While Android has a hardcoded set of groups, it would be very easy to use group ids not used by Android.
Also, I think privilege separation could be useful: some apps don't need full root access and may only need adb access; adb access is much more restricted than root but still has enough permissions for most root apps!
Using a seccomp filter to trick apps into thinking they have root instead of adb should fix most libsu implementations.
App Profile now supports all of the above features!
Customizing SELinux:
- https://github.com/tiann/KernelSU/commit/70f2df11d1a8f5413cf243d1805894de81ada7d7
- https://github.com/tiann/KernelSU/commit/2bb73a2a92b0068b665bb49b97027ec1c6cd6b52
Customizing gid/uid:
- https://github.com/tiann/KernelSU/commit/076e5d3655c9eecd30493ea6561ec2371b937e9e
- https://github.com/tiann/KernelSU/commit/3abb7e4ca25030e03f506ff3497050757bd15889
Customizing groups:
- https://github.com/tiann/KernelSU/commit/68d639e32539b30f40867b4e9a333f0729cfadc8
- https://github.com/tiann/KernelSU/commit/c7f6a7d11b44edfbd6673005cbd4e8f3b03a8095
Customizing capabilities:
- https://github.com/tiann/KernelSU/commit/076e5d3655c9eecd30493ea6561ec2371b937e9e
Documentation will be added later.
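A defender-side check for the capability restriction discussed in this thread (withholding CAP_SETUID, CAP_SYS_PTRACE and CAP_SYS_MODULE from a root process): it computes the restricted mask and audits a process's `/proc/<pid>/status` for those capabilities. This is an added example, not KernelSU's code; the policy mask, the assumed kernel version and the sample status text are constructed for illustration.

```python
import re

# Linux capability numbers from <linux/capability.h>.
CAP_SETUID, CAP_SYS_MODULE, CAP_SYS_PTRACE = 7, 16, 19
# Highest capability number; assumption: kernel 5.9 or newer (CAP_CHECKPOINT_RESTORE = 40).
CAP_LAST_CAP = 40

# The three capabilities this thread proposes to withhold from a restricted root process.
RESTRICTED_CAPS = {
    CAP_SETUID: "CAP_SETUID",          # setuid to manager_uid
    CAP_SYS_PTRACE: "CAP_SYS_PTRACE",  # ptrace the manager (or init)
    CAP_SYS_MODULE: "CAP_SYS_MODULE",  # load_module without approval
}

def full_root_mask():
    """Bitmask of every capability, i.e. what an unrestricted root shell holds."""
    return (1 << (CAP_LAST_CAP + 1)) - 1

def restricted_mask():
    """Full root minus the three restricted capabilities (the proposed policy)."""
    mask = full_root_mask()
    for cap in RESTRICTED_CAPS:
        mask &= ~(1 << cap)
    return mask

def parse_cap_sets(status_text):
    """Extract the Cap* hex masks from the text of /proc/<pid>/status."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}

def retained_restricted_caps(status_text):
    """Names of restricted caps still present in CapEff or CapBnd (sorted)."""
    # CapBnd matters too: a capability dropped only from CapEff can come back
    # on execve of a binary that carries file capabilities.
    sets = parse_cap_sets(status_text)
    found = set()
    for key in ("CapEff", "CapBnd"):
        for cap, name in RESTRICTED_CAPS.items():
            if sets.get(key, 0) & (1 << cap):
                found.add(name)
    return sorted(found)

# Constructed sample: effective set reduced to the policy mask, but the
# bounding set left untouched, so the audit still flags all three.
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t000001fffff6ff7f\nCapBnd:\t000001ffffffffff\n"
```

Run it against `cat /proc/<pid>/status` of a KernelSU-granted shell to confirm that both CapEff and CapBnd reflect the intended profile.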