Problem: setool/MMAC are interpreting the mac_permissions.xml contents
incorrectly when there are two entries using the same signature.
For example when using setool to generate mac_permissions.xml entries for
two apps sharing the same signature it will generate two separate entries:
setool --build whitelist SEAndroidDemo.apk SEAndroidDemoB.apk
<signer signature="-Same signature as seandroiddemob-">
<package name="com.example.seandroiddemo">
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.SEND_SMS" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
</signer>
<signer signature="-Same signature as seandroiddemo-">
<package name="com.example.seandroiddemob">
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
</signer>
Adding the above to mac_permissions.xml and running setool:
setool --policy external/sepolicy/mac_permissions.xml SEAndroidDemo.apk
SEAndroidDemoB.apk
Gives:
MMAC policy failed for com.example.seandroiddemo (./SEAndroidDemo.apk).
Signature based policy (3082...e41a) checked.
null
Default policy stanza checked.
Policy blacklist rejected package com.example.seandroiddemo
Denied permission android.permission.WRITE_EXTERNAL_STORAGE
Set of blacklisted permissions is:
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.AUTHENTICATE_ACCOUNTS
android.permission.CALL_PHONE
android.permission.CAMERA
android.permission.READ_LOGS
android.permission.WRITE_EXTERNAL_STORAGE
Running the emulator will produce the following errors in logcat:
I/SELinuxMMAC( 301): package (com.example.seandroiddemob) installed with
seinfo=null
W/SELinuxMMAC( 301): MMAC_DENIAL: Policy blacklisted permission
android.permission.WRITE_EXTERNAL_STORAGE for package com.example.seandroiddemo
W/PackageManager( 301): Installing application package
com.example.seandroiddemo failed due to policy.
However if they are added as a single signature entry as shown, then setool and
MMAC are both okay.
<signer signature="-signature-">
<package name="com.example.seandroiddemo">
<allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
<allow-permission name="android.permission.SEND_SMS" />
<allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
<package name="com.example.seandroiddemob">
<allow-permission
name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
</package>
</signer>
So should setool and MMAC be modified to handle either case.
Richard
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
