Adding more detail to the features section - browser and bionic hardening #291
Comments
Wish I could do that, but don't know the full list of how they are hardened :')
Can check the sepolicy repository’s commits, needs some analysis though (ex: how SELinux permissions work, what exactly these changes do, etc.). I think that this applies to the filesystem access hardening too (specifically ashmem afaict). The compiler related mitigations may be in platform_build. These sources are probably incomplete though, as some mitigations may be included in other areas.
I may write a draft for this looking at these commits.
Vanadium and the hardened libc are the 2 sections that probably need extra detail added (ex: how the libc is used and specifying what types of attacks are mitigated). The sepolicy changes are mostly removing code injection in the base OS. The other changes (hardened compiler toolchain and such) seem to be relatively minor, but I may be wrong about this.
Edited the title to make it more specific. I’ll open more issues later if I think that other parts would also benefit from more detail.
The verified boot part could use some details imo. Adding details to that like full dexpreopt for system apps, SELinux changes, removal of useless features like system_other odex, etc.
I’ll probably open a different issue for those later on once I’ve properly researched them. I finished the PR for filesystem access hardening, but it’s a bit scuffed (#295).
In the features page, some features mentioned don’t have any extra detail on how they are hardened or what specific changes are made to harden them. A few examples of this are the hardened compiler toolchain, hardened app sandbox, and filesystem access hardening.