On 12/05/2013 03:39 AM, Severin Friede wrote:
Dear Mr. Craig,
thank you very much for the answer. I followed your steps but
unfortunately I could install apps signed with my own key that need
the permissions I am denying. Could you please verify the following
steps I have done so far:
------------------------------------------
1.) mac_permissions.xml
I created a new signer tag:
<!-- university key -->
<signer signature="@UNIVERSITY">
<seinfo value="university" />
<package name="com.example.seandroid_connectinternet" >
<deny-permission name="android.permission.INTERNET" />
<deny-permission name="android.permission.ACCESS_NETWORK_STATE" />
<seinfo value="university" />
</package>
</signer>
When checking the new mac_permissions.xml file with setool I get the
message that the policy passed, but it shouldn't; the app requested
permissions for INTERNET and ACCESS_NETWORK_STATE:
"MMAC policy passed for com.example.seandroid_connectinternet
(/home/..../apps/signed_apk/SEAndroid-ConnectInternet_signed.apk)"
If you're passing the pre-generated mac_permissions.xml file to setool
then your @UNIVERSITY key will not be expanded to an X.509 cert (hex
value). At this time, setool has no knowledge of a keys.conf file in
order to make that kind of substitution. Therefore, setool tries to
interpret that signature stanza and sees @UNIVERSITY as a non-valid
signature and the stanza is skipped. Since you have a default stanza,
that is what is eventually checked and therefore passes. Best bet is to
place the cert value into the signature attribute and rerun the tool.
I assume you added this stanza to the
external/sepolicy/mac_permissions.xml file? A better test might be to
just build the mac_permissions.xml file with "mmm -B external/sepolicy/"
after you make your change and then run setool against the generated
file "out/target/product/mako/system/etc/security/mac_permissions.xml".
You also might want to make sure that your @UNIVERSITY variable was
properly expanded by just opening the generated mac_permissions.xml first.
You mentioned that you could install apps signed with your key against
this stanza. Was this tested on a phone or just by running the tool? If
you could still install the app on a phone then that suggests the cert
you generated is possibly bad.
Then I put the deny-permission tags into the default tag and I am
receiving:
"MMAC policy failed for com.example.seandroid_connectinternet
(/home/..../apps/signed_apk/SEAndroid-ConnectInternet_signed.apk).
null
Default policy stanza checked.
Policy blacklist rejected package com.example.seandroid_connectinternet
Denied permission android.permission.INTERNET
Set of blacklisted permissions is:
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET"
I deleted the default tag and get the message that no policy stanza is
checked. There might be something wrong with my signature. How can I
debug this issue? Do you have an idea what went wrong?
2.) keys.conf
I created a new signature pair and put my private key into
"build/target/product/security"
# University
[@UNIVERSITY]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/university.x509.pem
3.) seapp_contexts
Regarding your information, I copied the untrusted_app entry and
changed some values. I thought it would be nice to have my own custom
domain, so I changed the untrusted_app domain to my custom
university_app domain. Therefore I changed the content of the te_macros
file (see 4.)
user=_app seinfo=university domain=university_app type=app_data_file
levelFrom=app
4.) te_macros
I copied the untrusted_app macro to create my own
#####################################
# universityapp_domain(domain, file_type)
# Allow a base set of permissions required for all university apps.
# (macro name matches the call in university.te, see 5.)
define(`universityapp_domain', `
# The new domain is part of universityappdomain
typeattribute $1 universityappdomain;
# The new university appdomain is a part of appdomain
app_domain($1)
# Allow the allocation and use of ptys
# Used by:
# https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty($1)
# App sandbox file accesses.
# Possibly create a new sandbox for this app
allow $1 $2:dir create_dir_perms;
allow $1 $2:notdevfile_class_set create_file_perms;
')
5.) university.te
I created a custom domain policy file, the content is currently the
same as in untrusted.te but with my custom domain
type university_app, domain;
universityapp_domain(university_app, app_data_file)
net_domain(university_app)
bluetooth_domain(university_app)
allow universityappdomain tun_device:chr_file rw_file_perms;
# ASEC
allow universityappdomain asec_apk_file:dir { getattr };
allow universityappdomain asec_apk_file:file r_file_perms;
# Create tcp/udp sockets
allow universityappdomain node_type:{ tcp_socket udp_socket } node_bind;
allow universityappdomain self:{ tcp_socket udp_socket } {
create_socket_perms accept listen };
# Bind to a particular hostname/address/interface (e.g., localhost)
# instead of ANY. Normally, apps should not be listening on all interfaces.
allow universityappdomain port:{ tcp_socket udp_socket } name_bind;
------------------------------------------------------------
- Do you find any errors?
Depends what you mean by errors. For simple syntax and structural checks
simply run checkpolicy against the generated sepolicy file.
- As far as my knowledge of SEAndroid goes, I have done install MAC
and kernel policy, because of the custom domain and university.te
file, is this correct?
You modified mac_perms, seapp_contexts and sepolicy. That seems correct
to me.
- Do you recommend using the untrusted app domain instead of my custom
university app domain?
Depends on what your goals are. What are you trying to prevent, what are
your security goals, .....
I am looking forward to your answer, thank you very much for your effort!
2013/12/2 Robert Craig <[email protected]>
You can always add a signature stanza to the mac_permissions.xml
file. Invoking the command "setool --build keys YourApp.apk" will
give you the X.509 certificate needed for that stanza. You'll want
to follow the example stanzas already in the mac_permissions.xml
file as how to construct the rest of the signature stanza. Some
things to note are: be sure to add an seinfo tag, as that is what the
seapp_contexts configuration file uses to label the app process
and app package directory, and be sure to detail the maximal set
of permissions that your app or group of apps will be allowed on
install. You'll then want to follow this with adding a new line
to the seapp_contexts file that uses the seinfo tag you described
with your signature stanza in the mac_permissions.xml file.
On Thu, Nov 28, 2013 at 8:50 AM, Severin Friede
<[email protected]> wrote:
I need your help for my next issue. When browsing through the
"external/sepolicy" folder I found out that SEAndroid is able
to recognize apps by the signed key and assign them in the
appropriate domain. Is it possible to extend this behavior
with my own signing key? I want to assign my own apps (signed
with my key) to a custom domain and provide different
permissions for them.
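The failure mode discussed in the thread (an unexpanded "@UNIVERSITY" signature makes setool skip the signer stanza and fall through to the default stanza) can be caught before running the tool. The script below is an added example, not code from the thread or from SEAndroid's setool: it flags signer signatures that are not hex-encoded certificates and emulates, in simplified form, the stanza selection the reply describes. The sample policy, the fake certificate hex value "3082abcd" and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the stanza from the thread plus a default stanza,
# with the @UNIVERSITY placeholder left unexpanded (the reported bug).
SAMPLE_POLICY = """<policy>
  <signer signature="@UNIVERSITY">
    <seinfo value="university" />
    <package name="com.example.seandroid_connectinternet">
      <deny-permission name="android.permission.INTERNET" />
      <deny-permission name="android.permission.ACCESS_NETWORK_STATE" />
      <seinfo value="university" />
    </package>
  </signer>
  <default>
    <seinfo value="default" />
  </default>
</policy>"""

# A properly built mac_permissions.xml carries the DER cert as a hex string.
HEX_CERT = re.compile(r"^[0-9a-fA-F]+$")


def unexpanded_signers(xml_text):
    """Return signer signatures that are not hex DER certs, e.g. '@UNIVERSITY'."""
    root = ET.fromstring(xml_text)
    return [s.get("signature", "") for s in root.findall("signer")
            if not HEX_CERT.match(s.get("signature", ""))]


def denied_for(stanza, requested):
    """Requested permissions that a stanza's deny-permission list rejects."""
    denied = {d.get("name") for d in stanza.findall("deny-permission")}
    return sorted(denied & set(requested))


def check_package(xml_text, cert_hex, pkg, requested):
    """Simplified emulation of the lookup the thread describes: a signer stanza
    applies only when its signature equals the APK cert hex; a package child
    matching pkg refines it; otherwise the default stanza is consulted.
    Returns (stanza_kind, denied_permissions)."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() != cert_hex.lower():
            continue  # unexpanded or non-matching signatures are skipped
        for p in signer.findall("package"):
            if p.get("name") == pkg:
                return "package", denied_for(p, requested)
        return "signer", denied_for(signer, requested)
    default = root.find("default")
    if default is None:
        return None, []  # "no policy stanza checked"
    return "default", denied_for(default, requested)
```

Running unexpanded_signers over the generated out/.../mac_permissions.xml is the quick check the reply suggests; an empty list means every @KEY variable was expanded.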