On 02/28/2014 11:33 AM, [email protected] wrote:
> Ok, but not really the answer I was after. The security model used at the 
> lower levels seems to make sense in that you're just reinforcing the 
> existing security model there. i.e. installd should only be able to do a 
> select number of things and your SELinux policy just reinforces that. But 
> when it comes to apps it seems your current security model isn't really 
> reinforcing the Android model. Aren't all apps considered equal? Yes, they 
> are run in their own sandbox protected by their uid with granted 
> permissions based on signature or location. But, it seems like to reinforce 
> that notion all system apps should be put into the same domain. And then 
> all non system apps should be put into a separate domain. Why the current 
> distinction among the system apps, i.e. media, platform, release, and 
> shared? Aren't they just equivalent; same partitioned set? This just seems 
> like unneeded complexity in the policy and divergence from Android 
> documentation concerning apps.

The fact that they are signed with different keys despite having the
same origin suggests that they fall into different equivalence classes
with respect to Android permissions (e.g. platform gets the platform
signature-only permissions, while each of the others only gets its own
signature-only permissions) and potentially with respect to sharing
resources at the OS level (since apps signed by the same key can run in
the same UID or even the same process).  We're certainly willing to
coalesce some or all of them if it turns out that the distinction is not
worthwhile, but there are differences among them presently in the
SELinux policy.

We have made it easy to add rules to all of them by the
platformappdomain attribute and rules at the bottom of platform_app.te.

Even if you coalesced those four domains, you'd still need separate
domains for the system apps that run in fixed UIDs, i.e. system
(system_app), bluetooth, nfc, radio, and shell.


-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/groups/opt_out.