Originally posted by liam
1.) Android security (especially at runtime) is not great from my experience (it may have improved since the first 5 release, though); you can google it. It is especially weak against injections and crappy apps that allow it (to be fair, all JIT runtimes suffer from this in some form or other).
2.) In 2.4 that was true; today a properly hardened setup makes it extremely challenging, unless of course your network-facing service has a specific vulnerability and it can escalate privileges or is SUID (cgroups v2 can fix this with systemd, be it nspawn isolation or simply cgroups magic if your kernel is recent enough; of course SELinux and ACLs can too). As always, iptables is your tough, jacked friend.
3.) I love grsecurity, very badass team.
4.) systemd process isolation and the container system partially fix this issue, since root is not the actual root outside systemd but the root in that namespace/PID. So far I haven't been able to escape nspawn or find any possible attack on it; the same holds true for systemd process isolation (even parallel forking of hand-crafted stack-overrun/SIGXXXX code can't leave the parent process and escalate privileges by attaching to PID 1 (or any other PID, for that matter) like all other inits allow). I'm sure someone will find a way, but goddamn is it tough as it is.
5.) The systemd way is halfway there (it does seccomp, btw); the only step left is to remove the real root (or leave it as PID 1 exclusive) and let systemd provide pseudo-isolated root users per PID. That should remove some impact on the user and allow old apps to still work, but more safely. This would require distros to preset some seccomp validation filter per service (SELinux profiles would be nice too), though.
As a side note, fully removing the root user is not a magic pill; sure, it will help against kiddie/mid-grade attacks, but hardcore privilege escalation attacks don't actually need root as a user to be present, just a vulnerable page/context or PID to work some dark magic, and you don't always require a full attack on the OS (in fact it is rare), but rather escalate or switch privileges enough to attach to a specific target (like, let's say, an Oracle DB that doesn't run as root to start with), since the hackers that have the skills to do this are often after money, after all.
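The per-service seccomp filter and "pseudo root per PID" idea from points 4 and 5 is what a systemd drop-in already lets a distro preset today. Added example, not from this thread's author: a hardening drop-in for a hypothetical network service; the unit name `hardened-demo.service` and its listening port are assumptions.

```ini
# /etc/systemd/system/hardened-demo.service.d/hardening.conf
# Added example for a hypothetical service (name assumed). Without these
# lines the unit runs as the real root with every capability and no filter.
[Service]
# Transient unprivileged uid/gid, allocated at start and released at stop.
DynamicUser=yes
# Private user namespace: uid 0 inside maps to an unprivileged uid outside,
# which is the "pseudo isolated root" from point 5.
PrivateUsers=yes
# execve() can never gain privileges, so SUID binaries and file caps are inert.
NoNewPrivileges=yes
RestrictSUIDSGID=yes
# Seccomp: start from the common service allow-list, then strip the groups a
# listener never needs. Blocked calls fail with EPERM instead of SIGSYS so a
# legacy app degrades loudly but predictably (check the journal for EPERM).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug @reboot @swap
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
# Empty bounding set: no capability survives even if the binary asks for one.
# Add back only what is required (nothing for a port above 1024).
CapabilityBoundingSet=
AmbientCapabilities=
# Read-only view of the OS; the only writable state is /var/lib/hardened-demo.
ProtectSystem=strict
ProtectHome=yes
StateDirectory=hardened-demo
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# No nested namespaces from inside, no non-IP sockets, no writable+executable
# mappings (limits the stack-overrun style payloads mentioned in point 4).
RestrictNamespaces=yes
RestrictAddressFamilies=AF_INET AF_INET6
MemoryDenyWriteExecute=yes
LockPersonality=yes
RestrictRealtime=yes
```

After `systemctl daemon-reload`, `systemd-analyze security hardened-demo.service` scores the unit and lists any directive still left open, which is a quick way to see how far a distro-shipped preset actually goes.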