Thanks again

On Saturday, July 26, 2014 9:26:42 PM UTC+3, nnk wrote:
>
> Correct.
>
> It's possible that other device manufacturers have extended SELinux 4.4
> beyond the specific processes. That would be a per-manufacturer decision.
>
> Other processes on 4.4 are bound by the standard Unix DAC (discretionary
> access control) sandbox.
>
> -- Nick
>
>
> On Sat, Jul 26, 2014 at 10:40 AM, Tal Palant <[email protected]> wrote:
>
>> Thanks again for the reply.
>>
>> Just one last thing to make sure I understand correctly.
>>
>> Currently in Android 4.4 SEAndroid is configured only to prevent specific
>> processes (like installd) from accessing specific resources?
>>
>>
>> On Saturday, July 26, 2014 8:00:12 PM UTC+3, nnk wrote:
>>
>>> Access to standard Android permissions is not handled by SELinux today.
>>>
>>> -- Nick
>>>
>>>
>>> On Sat, Jul 26, 2014 at 9:28 AM, Tal Palant <[email protected]> wrote:
>>>
>>>> Thanks for the answer.
>>>>
>>>> Do you have information regarding the ability of the current SEAndroid
>>>> mode to influence the permissions given to applications?
>>>>
>>>> Can the current SEAndroid mode block permissions given to applications
>>>> during installation?
>>>>
>>>>
>>>> On Saturday, July 26, 2014 7:24:10 PM UTC+3, nnk wrote:
>>>>
>>>>> That document is correct. In Android 4.4, there was a focus on locking
>>>>> down some of the highest privileged processes in Android: installd, netd,
>>>>> vold, and zygote. Other security domains were in permissive, defaulting
>>>>> to the standard Unix security model (DAC).
>>>>>
>>>>> AOSP master has a substantially more complete SELinux implementation.
>>>>> All SELinux security domains are in enforcing, and most uses of the
>>>>> minimally restrictive "unconfined" domain have been removed.
>>>>>
>>>>> -- Nick
>>>>>
>>>>>
>>>>> On Sat, Jul 26, 2014 at 8:44 AM, Tal Palant <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I found this statement in:
>>>>>> "http://source.android.com/devices/tech/security/se-linux.html"
>>>>>>
>>>>>> In Android 4.3, SELinux was fully permissive. In Android 4.4, SELinux
>>>>>> was made enforcing for the domains for several root processes:
>>>>>> installd, netd, vold and zygote. *All other processes, including
>>>>>> other services and all apps, remain in permissive mode to allow further
>>>>>> evaluation and prevent failures in Android 4.4. Still, an errant
>>>>>> application could trigger an action in a root process that is not
>>>>>> allowed, thereby causing the process or the application to crash.*
>>>>>>
>>>>>> which means that SEAndroid is not fully enabled yet, can anyone
>>>>>> confirm this please?
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Android Security Discussions" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to android-security-discuss+unsub [email protected].
>>>>>> To post to this group, send email to [email protected].
>>>>>> Visit this group at
>>>>>> http://groups.google.com/group/android-security-discuss.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>> --
>>>>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
