On Aug 8, 2013, at 12:35 PM, rpcraig wrote:

> On 08/08/2013 11:07 AM, Daniel Mirsky wrote:
>> Hello,
>> 
>> We are trying to get seandroid 4.0.4 working on some custom hardware based 
>> on the OMAP3EVM. Unfortunately, we do not have the latest Android builds 
>> working on this hardware, so we have to use 4.0.4.
> 
> 4.0.4! Wow, a blast from the past.
> 
>> 
>> I have gotten SELinux and SEAndroid running, but am having trouble with app 
>> labeling. I have tried signing with a custom key (and adding the necessary 
>> changes to mac_permissions, keys.conf, seapp_context, and app.te) as well as 
>> signing with the platform key provided in build/target/product/security. I 
>> have verified the signature from the generated mac_permissions.xml matches 
>> the signature of my app (logged with PackageManager from within the app), 
>> but it is still listed as untrusted_app in ps.
>> 
>> I also tried editing mac_permissions.xml so the default entry is given an 
>> seinfo label of "default":
>>     <!-- All other keys -->
>>     <default>
>>       <seinfo value="default" />
>>     </default>
> 
> The stanzas will default deny if you don't include any of the other 
> permission or allow-all tags. You should need something like:
> 
> <default>
>  <seinfo value="default"/>
>  <allow-all />
> </default>
> 
> Are your stanzas constructed in a similar fashion? With either a permission 
> or allow-all tag?
> Let me try to build a 4.0.4 version here and see what I can diagnose.

My stanzas do not have a permission or allow-all tag, but I would assume that 
apps would still be set to the right domain without that. With the 
mac_permissions.xml and seapp_contexts edits as described, ps -Z reports:
        u:r:kernel:s0                  app_28    3201  2010  com.android.exchange
        u:r:kernel:s0                  app_4     3238  2010  android.process.media
        u:r:kernel:s0                  app_32    3324  2010  com.android.providers.calendar
        u:r:kernel:s0                  app_19    3406  2010  com.android.deskclock
        u:r:kernel:s0                  app_8     3420  2010  com.android.calendar
        u:r:kernel:s0                  app_5     3459  2010  com.android.gallery3d
        u:r:kernel:s0                  app_37    3473  2010  com.android.quicksearchbox
Without the edits, seapp_contexts
        user=_app domain=untrusted_app type=app_data_file levelFrom=app
interprets a blank seinfo as untrusted, and ps -Z reports:
        u:r:untrusted_app:s0:c28,c256  app_28    3109  2010  com.android.exchange
        u:r:untrusted_app:s0:c10,c256  app_10    3210  2010  com.android.email
        u:r:untrusted_app:s0:c37,c256  app_37    3371  2010  com.android.quicksearchbox
        u:r:untrusted_app:s0:c4,c256   app_4     3417  2010  android.process.media
        u:r:untrusted_app:s0:c19,c256  app_19    3432  2010  com.android.deskclock
Do I need the permission or allow-all tags just to have the process domains set 
correctly?
> 
>> and then edited seapp_contexts to check for seinfo="default" for 
>> untrusted_app.
>>      user=_app seinfo=default domain=untrusted_app type=app_data_file 
>> levelFrom=app
>> This resulted in all apps being started in the kernel domain.
>> 
>> It looks like the seinfo value is not being set. Is there a way to check the 
>> seinfo value from adb?
> The seinfo value is saved off in the ApplicationInfo object with each 
> package, so if you could dump that then yes. However, I don't know of a way 
> to do this from adb. You can try 'dumpsys' but I believe that doesn't list 
> the contents of the ApplicationInfo object. You might have to put in a few 
> print statements in the code. Back in 4.04 the logic was directly inside the 
> PMS code.
> 
> 
>> Is there a step I am missing? Where should I look to solve this issue?
>> 
>> Thanks,
>> Dan
>> 
>> --
>> This message was distributed to subscribers of the seandroid-list mailing 
>> list.
>> If you no longer wish to subscribe, send mail to [email protected] with
>> the words "unsubscribe seandroid-list" without quotes as the message.
> 
> 
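An added example, not part of this thread or of the SEAndroid sources: it lints a mac_permissions.xml fragment for the stanza shape rpcraig warns about (an seinfo with no allow-all or permission tag) and resolves seapp_contexts domains the way the thread discusses. The signer signature and the rule lines are constructed samples.

```python
"""Lint mac_permissions.xml stanzas and resolve seapp_contexts domains."""
import xml.etree.ElementTree as ET

# Constructed sample: a <default> stanza with only <seinfo>, as in Dan's edit,
# and a signer stanza written the way rpcraig recommends (with <allow-all/>).
MAC_PERMISSIONS_XML = """<policy>
  <signer signature="CONSTRUCTED_PLACEHOLDER_SIGNATURE">
    <seinfo value="platform"/>
    <allow-all/>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>"""

# Constructed seapp_contexts lines in the format quoted in the thread.
SEAPP_CONTEXTS = """
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=default domain=untrusted_app type=app_data_file levelFrom=app
"""


def lint_mac_permissions(xml_text):
    """Return tags of stanzas that set an seinfo but carry neither <allow-all/>
    nor any <permission/>; per the thread, such stanzas default-deny."""
    root = ET.fromstring(xml_text)
    bad = []
    for stanza in root:
        grants = stanza.find("allow-all") is not None or stanza.find("permission") is not None
        if stanza.find("seinfo") is not None and not grants:
            bad.append(stanza.tag)
    return bad


def parse_seapp_contexts(text):
    """Turn each non-empty 'key=value ...' line into a dict of selectors."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.strip().splitlines() if line.strip()]


def resolve_domain(entries, user, seinfo):
    """Return the domain of the first entry whose selectors match. An entry
    that names seinfo only matches an app that actually carries that value,
    so an app with no seinfo (the symptom in the thread) matches no rule."""
    for entry in entries:
        if entry.get("user") != user:
            continue
        if "seinfo" in entry and entry["seinfo"] != seinfo:
            continue
        return entry["domain"]
    return None  # no rule matched; the thread saw such apps end up in the kernel domain
```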
