Stephen Smalley wrote:
> Hi,
>
> Attached are a couple of patches, one for libselinux and one for
> sepolicy, that replace levelFromUid=true|false with a more general
> levelFrom=none|app|user|all mechanism, while still providing
> compatibility with the older levelFromUid syntax. This extension allows
> the policy writer to decide whether to instantiate a unique level for
> each app, for each user, or for the combination of both. levelFrom=app
> is identical to the older levelFromUid=true, while levelFrom=user only
> instantiates unique levels per Android user, and levelFrom=all
> instantiates a unique level per (user,app) pair.

Have you determined if isolated_app will be treated as a different user with levelFrom=user?

> I'm not quite ready to upstream this however, as there are some known
> issues:
>
> - When cloning the app data directories for a new user, we don't have
> the seinfo information readily available and thus we just copy the
> security context from the original app data directory presently. So the
> app data directories for the non-default users can't be labeled
> differently right now.

I think this is a general problem. If the seapp_contexts ever changes on a running system, which will be a certainty once someone can push policy over MDM, there will need to be a way to relabel all of /data/. I assume using the MDM API (load_policy + relabel). I'll add this to my todo list to look at.

> - Which configuration you choose for levelFrom will affect how you
> configure the rest of sepolicy wrt which domains will need to be able to
> override the MLS constraints. So we would need to introduce a policy
> tunable for controlling the levelFrom setting and ensuring consistency
> between the policy and seapp_contexts.

Aren't policies that use different labeling strategies inherently implementing a different security model? Can the current policy really meet all the use cases without getting unwieldy?

> Feedback on the idea, implementation, or on how to resolve the lingering
> issues is welcome.

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
the words "unsubscribe seandroid-list" without quotes as the message.
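As an added illustration of what each levelFrom setting separates (example code written for this thread, not the patch or libselinux itself): the level assigned to a process is derived from its UID, and two UIDs that land on the same level are not separated by the MLS constraints at all. The AID_USER constant and the category layout (app identity in c0-c511, user identity in c512-c1023) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Android multi-user UID layout: uid = userid * AID_USER + appid. AID_USER is
 * the Android constant (100000), stated here as an assumption; it is not part
 * of the patch under discussion. */
#define AID_USER 100000

enum levelfrom { LEVELFROM_NONE, LEVELFROM_APP, LEVELFROM_USER, LEVELFROM_ALL };

/* Build the MLS level for a process under a given levelFrom setting. The
 * category layout (app identity in c0-c511, user identity in c512-c1023) is an
 * assumption chosen so the two encodings never overlap; libselinux may differ. */
void level_for(enum levelfrom lf, unsigned uid, char *out, size_t n)
{
    unsigned appid = uid % AID_USER, userid = uid / AID_USER;
    unsigned a0 = appid & 0xff, a1 = 256 + ((appid >> 8) & 0xff);
    unsigned u0 = 512 + (userid & 0xff), u1 = 768 + ((userid >> 8) & 0xff);
    switch (lf) {
    case LEVELFROM_APP:  snprintf(out, n, "s0:c%u,c%u", a0, a1); break;
    case LEVELFROM_USER: snprintf(out, n, "s0:c%u,c%u", u0, u1); break;
    case LEVELFROM_ALL:  snprintf(out, n, "s0:c%u,c%u,c%u,c%u", a0, a1, u0, u1); break;
    default:             snprintf(out, n, "s0"); break; /* levelFrom=none */
    }
}

/* 1 when two UIDs get the same level (MLS does not separate them under this
 * setting), 0 when their levels differ. */
int same_level(enum levelfrom lf, unsigned uid_a, unsigned uid_b)
{
    char a[64], b[64];
    level_for(lf, uid_a, a, sizeof a);
    level_for(lf, uid_b, b, sizeof b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample UIDs: two apps of user 0 and the first app under user 1. */
    const unsigned uids[] = { 10001, 10002, 10001 + AID_USER };
    const char *names[] = { "none", "app", "user", "all" };
    char level[64];

    for (int lf = LEVELFROM_NONE; lf <= LEVELFROM_ALL; lf++)
        for (size_t i = 0; i < 3; i++) {
            level_for((enum levelfrom)lf, uids[i], level, sizeof level);
            printf("levelFrom=%-4s uid=%7u -> %s\n", names[lf], uids[i], level);
        }
    return 0;
}
```

Running it shows the trade-off raised in the thread: levelFrom=app separates the two apps but gives the same app an identical level across users, levelFrom=user does the reverse, and only levelFrom=all separates every (user, app) pair.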
