You might also want to make sure that the middleware mac is running in
enforcing mode when installing apps for your tests. If you're in
permissive mode and you try to install an app that is bounced by the
mac_perms stanzas then you could still be installed and that might be
what you're experiencing. We use a property key for this,
persist.mmac.enforce. You can toggle this value by using "setprop
persist.mmac.enforce 1" or by adding this to one of you .prop files in
you build. We do have plans in the future to always be running in
enforcing mode to avoid this.
On 12/05/2013 07:44 AM, rpcraig wrote:
On 12/05/2013 03:39 AM, Severin Friede wrote:
Dear Mr. Craig,
thank you very much for the answer. I followed your steps but
unfortunately I could install apps signed with my own key that need
the permissions i am denying. Could you please verify the following
steps I have done so far:
------------------------------------------
1.) mac_permissions.xml
I created a new signer tag:
<!-- university key -->
<signer signature="@UNIVERSITY">
<seinfo value="university" />
<package name="com.example.seandroid_connectinternet" >
<deny-permission name="android.permission.INTERNET" />
<deny-permission name="android.permission.ACCESS_NETWORK_STATE" />
<seinfo value="university" />
</package>
</signer>
When checking the new mac_permissions.xml file with setool i get the
message that the policy is passed, but i shouldn, the app requested
permissions for INTERNET and ACCESS_NETWORK_STATE:
"MMAC policy passed for com.example.seandroid_connectinternet
(/home/..../apps/signed_apk/SEAndroid-ConnectInternet_signed.apk)"
If your passing the pre-generated mac_permissions.xml file to setool
then your @UNIVERSITY key will not be expanded to a X509 cert (hex
value). At this time, setool has no knowledge of a keys.conf file in
order to make that kind of substitution. Therefore, setool tries to
interpret that signature stanza and sees @UNIVERSITY as a non valid
signature and the stanza is skipped. Since you have a default stanza,
that is what is eventually checked and therefore passes. Best bet is
to place the cert value into the signature attribute and rerun the tool.
I assume you added this stanza to the
external/sepolicy/mac_permissions.xml file? A better test might be to
just build the mac_permissions.xml file with "mmm -B
external/sepolicy/" after you make your change and then run setool
against the generated file
"out/target/product/mako/system/etc/security/mac_permissions.xml". You
also might want to make sure that your @UNIVERSITY variable was
properly expanded by just opening the generated mac_permissions.xml first.
You mentioned that you could install apps signed with your key against
this stanza. Was this tested on a phone or just by running the tool?
If you could still install the app on a phone then that suggests the
cert you generated is possibly bad.
