SELinux coming to CyanogenMod
Continuing its recent commitments to patching up various security flaws in Android, CyanogenMod is currently testing out its implementation of SELinux with its custom version of Android. A picture of CyanogenMod running the SELinux patch was posted by Ricardo Cerqueira at the end of last week, which you can check out below.
What is SELinux?
SELinux is short for Security Enhanced Linux. It relies on mandatory access controls (MAC) to manage administrator privileges, rather than on the root permissions that some of you may be familiar with. SELinux is a set of kernel modifications which can be added to a Linux distribution, such as Android, in order to improve security.
SELinux aims to separate enforcement of security decisions from the security policy itself, confining programs and other processes to the minimum amount of privilege that they require to do their jobs, thereby preventing any security bypasses and limiting the potential damage caused by a rogue program. Even if you install a malicious app, it won’t be able to access any other parts of your system or alter any administrator privileges.
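The separation of policy from enforcement described above, as an added sketch that is not CyanogenMod's or the SELinux project's code. The sample policy, its type names and the simplified Unix permission check are constructed assumptions for illustration; the rules use SELinux's `allow` syntax.

```python
import re

# Constructed sample policy in SELinux "allow" rule syntax; the type names
# are illustrative assumptions, not CyanogenMod's actual policy.
SAMPLE_POLICY = """
allow untrusted_app app_data_file:file { read write open };
allow untrusted_app app_data_file:dir { search };
allow system_server system_data_file:file { read write open };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def load_policy(text):
    """Policy side: parse allow rules into {(source, target, class): perms}."""
    rules = {}
    for src, tgt, cls, perms in RULE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules

def mac_allows(rules, src, tgt, cls, perm):
    """Enforcement side: default deny; only an explicit rule grants access."""
    return perm in rules.get((src, tgt, cls), set())

def dac_allows(uid, owner_uid, owner_can):
    """Simplified classic Unix check: uid 0 (root) bypasses permission bits."""
    return uid == 0 or (uid == owner_uid and owner_can)

def access(rules, proc, obj, cls, perm):
    """Both checks must pass, so MAC still applies when the process is root."""
    dac = dac_allows(proc["uid"], obj["owner"], obj["owner_can"])
    mac = mac_allows(rules, proc["domain"], obj["type"], cls, perm)
    return dac and mac

if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY)
    rogue = {"uid": 0, "domain": "untrusted_app"}  # app that obtained root
    own = {"owner": 10001, "owner_can": True, "type": "app_data_file"}
    system = {"owner": 1000, "owner_can": True, "type": "system_data_file"}
    for name, obj in (("own data", own), ("system data", system)):
        print(name, "write ->", access(rules, rogue, obj, "file", "write"))
```

Changing what a domain may do means editing the policy text only; `mac_allows` never changes.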
SELinux was originally created by the National Security Agency as an example of how mandatory access controls could work with Linux, and was released to the open source community back at the end of 2000. Since then it’s been implemented into various Linux distributions in an effort to improve system security.
NSA? Break out the tinfoil hats
The recent NSA spying scandal is sure to put some people off SELinux, but remember that the NSA is as interested in securing data from prying eyes as it is in gathering intelligence. As Bogdan Petrovan already discussed regarding the relationship between the NSA and Android, because the code is open-source, thousands of programmers have had the opportunity to go over it, so it’s unlikely that anything remains hidden. Besides, the project has long been out of the NSA’s hands anyway.
The NSA is a longtime contributor to Linux security projects, including Security Enhanced Android
It’s also worth remembering that MAC wasn’t even invented by the NSA – the government agency simply showed how the feature could be used on Linux. There’s no evidence to suggest that the NSA was interested in spying on a small selection of Linux users; instead the project was designed to protect its own projects which used Linux.
In summary, it’s a promising new feature being worked on by a development team which has proven its commitment to user security in many of its recent projects. It’s still a work in progress, so don’t expect any nightly builds to show up quite yet, but I will certainly be updating if/when this update goes live.