I'd be ok with that assuming we add support to mac_perms for prefix matching...

Off the top of my head I recall seeing some applications that, while running, invoke services that run as a separate process but do not have the isolated uid range. Prefix matching in seapp_contexts was a big help with getting everything into the right domain. I typically only use key in mac_permissions.xml.

As an example, if you run firefox like so:

user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1
user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1

You can prefix match like so:

user=_app name=org.mozilla.firefox* domain=untrusted_app type=app_data_file level=s0:c1

Or if you really wanted to get crazy:

user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c2
user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c3
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c4

This is really just something I made up. Currently it's possible, doesn't mean I'm endorsing it. However, the separate launches of firefox, and matching input selectors are real.

My concern is, if we match in PMS with mac_perms.xml and drop seapp_contexts, we would lose the ability to do the crazy scenario as PMS only sees:

package="org.mozilla.firefox"

And everything will launch with a single seinfo value, and no other discerning input selector will match.

Thanks,
Bill

On Fri, Jan 10, 2014 at 9:44 AM, Stephen Smalley <[email protected]> wrote:
> On 01/10/2014 12:35 PM, William Roberts wrote:
>> Does it make sense to be able to do package name matching in
>> mac_perms.xml and seapp_contexts?
>> Especially considering that seapp_contexts supports prefix matching
>> and mac_perms.xml does not.
>> Should we drop this or move towards deprecating this from mac_perms.xml?
>
> I'm ok with dropping it from seapp_contexts; that support predated
> mac_permissions.xml.

--
Respectfully,
William C Roberts
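Added example (not part of the thread and not libselinux's seapp_contexts code): a small Python matcher that walks the selector entries from the message above and resolves each firefox process to a label. It models the semantics the thread relies on, a trailing "*" on name is a prefix match and a more specific entry (exact name over prefix, seinfo present over absent) wins, and it contrasts that with a lookup that only sees the package name, which is the situation Bill describes for PMS. The precedence ordering, the label format and the sample entries are assumptions constructed for the illustration.

```python
"""Toy seapp_contexts matcher (added example; not libselinux code).

Demonstrates why name=org.mozilla.firefox* catches every process of a
multi-process app, and why a lookup keyed only on the package name
(what PMS sees) collapses all of them onto one label.
"""

# Constructed entries following the thread's "crazy" example plus the
# prefix entry and a catch-all default. Assumed ordering rules below.
SEAPP_CONTEXTS = """\
user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c2
user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c3
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c4
user=_app name=org.mozilla.firefox* domain=untrusted_app type=app_data_file level=s0:c1
user=_app domain=untrusted_app type=app_data_file level=s0:c0
"""

INPUT_KEYS = ("user", "name", "seinfo")


def parse(text):
    """Parse key=value selector lines into a list of dicts, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def specificity(entry):
    """Assumed precedence: exact name > prefix name (longer first) > no name,
    then an entry that requires seinfo beats one that does not."""
    name = entry.get("name")
    if name is None:
        name_score = (0, 0)
    elif name.endswith("*"):
        name_score = (1, len(name) - 1)
    else:
        name_score = (2, len(name))
    return (name_score, 1 if "seinfo" in entry else 0)


def matches(entry, process):
    """True when every input selector present in the entry matches the process.
    A selector absent from the entry is a wildcard; a trailing '*' on name is a prefix."""
    for key in INPUT_KEYS:
        want = entry.get(key)
        if want is None:
            continue
        have = process.get(key)
        if have is None:
            return False
        if key == "name" and want.endswith("*"):
            if not have.startswith(want[:-1]):
                return False
        elif want != have:
            return False
    return True


def lookup(entries, process):
    """Resolve a process to a label; the most specific matching entry wins."""
    candidates = [e for e in entries if matches(e, process)]
    if not candidates:
        return None
    best = max(candidates, key=specificity)
    return "u:r:{}:{}".format(best["domain"], best["level"])


def lookup_by_package(entries, package, seinfo):
    """What a package-keyed lookup (the PMS view) can do: it never sees the
    process name, so every process of the package gets the same answer."""
    return lookup(entries, {"user": "_app", "name": package, "seinfo": seinfo})


def demo():
    """Return {process name: label} for the three firefox launches, once per
    view, so the difference between the two lookups is visible."""
    entries = parse(SEAPP_CONTEXTS)
    names = ["org.mozilla.firefox",
             "org.mozilla.firefox.UpdateService",
             "org.mozilla.firefox.PasswordsProvider"]
    per_process = {n: lookup(entries, {"user": "_app", "name": n, "seinfo": "mozilla"})
                   for n in names}
    per_package = {n: lookup_by_package(entries, "org.mozilla.firefox", "mozilla")
                   for n in names}
    return per_process, per_package


if __name__ == "__main__":
    per_process, per_package = demo()
    for name in per_process:
        print(f"{name:40} seapp_contexts={per_process[name]}  package-only={per_package[name]}")
```

With the per-process view the three launches land on c2, c3 and c4; the package-only view returns c2 for all of them, which is the loss of discerning input selectors the message describes. A process name not listed exactly (say org.mozilla.firefox.Other) falls through to the prefix entry, and a process that arrives without a seinfo value cannot match the seinfo-qualified entries at all.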
