Adding more detail to the features section - browser and bionic hardening #291
Comments
|
Wish I could do that, but dont know the full list of how they are hardened :') |
|
Can check the sepolicy repository’s commits, needs some analysis though(ex: how SELinux permissions work, what exactly these changes do, etc.). I think that this applies to the filesystem access hardening too (specifically ashmem afaict). The compiler related mitigations may be in platform_build. These sources are probably incomplete though, as some mitigations may be included in other areas. |
|
I may write a draft for this looking at these commits. |
|
Vanadium and the hardened libc are the 2 sections that probably need extra detail added (ex: how the libc is used and specifying what types of attacks are mitigated). The sepolicy changes are mostly removing code injection in the base OS. The other changes (hardened compiler toolchain and such) seem to be relatively minor, but I may be wrong about this. |
Lelmister101
changed the title
|
Edited the title to make it more specific. I’ll open more issues later if I think that other parts would also benefit from more detail. |
The verified boot part could use some details imo. Adding details to that like full dexpreopt for system apps, SElinux changes, removal of useless features like system_other odex etc |
|
I’ll probably open a different issue for those later on once I’ve properly researched them. I finished the PR for filesystem access hardening, but it’s a bit scuffed (#295). |
Lelmister101
changed the title
In the features page, some features mentioned don’t have any extra detail on how they are hardened what specific changes are made to harden them. A few examples of this are the hardened compiler toolchain, hardened app sandbox, and filesystem access hardening.
The text was updated successfully, but these errors were encountered: