Hi,
We've recently released a new set of middleware MAC (MMAC) controls
that are working toward replacing the obsolete revoke-perms and cp_mac
branches. This new feature, called Eops (enterprise operations), is a
security extension to the AppOps (application operations) feature that
is already present on Android 4.3+ devices. While being hidden in AOSP,
AppOps lets users fine-tune certain functionality requested by apps by
allowing the user to toggle access rights. Eops has exposed the
management console under the Settings app and provided an extension to
the AppOps security service code whereby a hard-coded set of rules
explicitly denies certain access rights to groups of installed apps.
These extensions will allow an enterprise-like control over certain
operations after an app has been successfully installed. Eops is not a
frontend for SELinux which somehow ties app permissions to SELinux
contexts. Rather, it is an extension of the MMAC controls that currently
exist on Android devices, using the seinfo labels that are already
assigned to apps upon install. Presently, Eops cannot fully meet the
entire functionality and controls offered by the revoke-perms and cp_mac
projects. It is our goal to further explore ways to either bring the
remaining functionality of both revoke-perms and cp_mac over to this new
implementation or assess whether those additional controls and
functionality are truly needed. Regardless of implementation design, we
are no longer going to actively develop against the revoke-perms and
cp_mac branches. We see Eops as a viable way forward in this regard.
In order to try out this new feature you'll first need to be working
from our main seandroid branches and then update your local_manifest.xml
file; we've included the Settings app as a maintained project. Be sure
to copy the new local_manifest.xml to .repo/local_manifest.xml and then
simply do a repo sync. We've decided to keep this new feature set on our
main seandroid branches and might consider backporting to other
branches in the future. Some useful information about Eops and the
policy file that drives it can be found at external/sepolicy/eops.xml.
Feedback on design, implementation and feature requests is always welcome.
Thanks