Yes, which is my concern. Do we want this granularity?

On Fri, Jan 10, 2014 at 10:37 AM, rpcraig <[email protected]> wrote:
> Those are component names you're referencing, not package names. What you
> would need at the mac_perms layer is individual component seinfo labeling,
> which is presently not supported there.
>
> On 01/10/2014 01:20 PM, William Roberts wrote:
>> I'd be ok with that assuming we add support to mac_perms for prefix
>> matching...
>>
>> Off the top of my head I recall seeing some applications during running
>> invoke services that run as separate process but do not have the isolated
>> uid range. Prefix matching in seapp_contexts was a big help with getting
>> everything into the right domain. I typically only use key in
>> mac_permissions.xml.
>>
>> As an example, if you run firefox like so:
>>
>> user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1
>> user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1
>> user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c1
>>
>> You can prefix match like so:
>>
>> user=_app name=org.mozilla.firefox* domain=untrusted_app type=app_data_file level=s0:c1
>>
>> Or if you really wanted to get crazy:
>>
>> user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c2
>> user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c3
>> user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c4
>>
>> This is really just something I made up. Currently it's possible,
>> doesn't mean I'm endorsing it. However, the separate launches of firefox,
>> and matching input selectors are real.
>>
>> My concern is, if we match in PMS with mac_perms.xml and drop
>> seapp_contexts, we would lose the ability to do the crazy scenario,
>> as PMS only sees:
>>
>> package="org.mozilla.firefox"
>>
>> And everything will launch with a single seinfo value, and no other
>> discerning input selector will match.
>>
>> Thanks,
>> Bill
>>
>> On Fri, Jan 10, 2014 at 9:44 AM, Stephen Smalley <[email protected]> wrote:
>>> On 01/10/2014 12:35 PM, William Roberts wrote:
>>>> Does it make sense to be able to do package name matching in
>>>> mac_perms.xml and seapp_contexts?
>>>> Especially considering that seapp_contexts supports prefix matching
>>>> and mac_perms.xml does not.
>>>> Should we drop this or move towards deprecating this from mac_perms.xml?
>>>
>>> I'm ok with dropping it from seapp_contexts; that support predated
>>> mac_permissions.xml.
--
Respectfully,
William C Roberts

_______________________________________________
Seandroid-list mailing list
[email protected]
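The selection behaviour the thread argues about, as an added example that is not from the thread or from libselinux: a simplified Python model of seapp_contexts matching run over the three Firefox component names with the per-component entries and with the single prefix entry. Assumed (hypothetical, simplified) rules: best match is the entry with the most input selectors, an exact name beats a prefix, and a selector absent from an entry matches any input.

```python
# Entries constructed from the thread's "crazy" per-component example ...
PER_COMPONENT = """\
user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c2
user=_app name=org.mozilla.firefox.UpdateService seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c3
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla domain=untrusted_app type=app_data_file level=s0:c4
"""
# ... and the single prefix entry that collapses them onto one level.
PREFIX_ONLY = """\
user=_app name=org.mozilla.firefox* domain=untrusted_app type=app_data_file level=s0:c1
"""

# The three separately launched Firefox processes named in the thread.
COMPONENTS = ["org.mozilla.firefox",
              "org.mozilla.firefox.UpdateService",
              "org.mozilla.firefox.PasswordsProvider"]


def parse(text):
    """Parse key=value entries, one per line; '#' comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(kv.split("=", 1) for kv in line.split()))
    return entries


def name_matches(selector, name):
    """name= selector: exact match, or prefix match when it ends in '*'."""
    if selector.endswith("*"):
        return name.startswith(selector[:-1])
    return selector == name


def specificity(entry):
    """Simplified ordering (assumption): more input selectors first, exact name before prefix."""
    selectors = sum(k in entry for k in ("user", "seinfo", "name"))
    return (selectors, not entry.get("name", "*").endswith("*"))


def lookup(entries, user, name, seinfo):
    """Return (domain, type, level) from the best matching entry, or None."""
    for e in sorted(entries, key=specificity, reverse=True):
        if "user" in e and e["user"] != user:
            continue
        if "name" in e and not name_matches(e["name"], name):
            continue
        if "seinfo" in e and e["seinfo"] != seinfo:
            continue
        return e["domain"], e["type"], e["level"]
    return None


def levels(entries, seinfo="mozilla"):
    """Level each component process lands on: distinct with per-component entries, shared with the prefix entry."""
    return {c: lookup(entries, "_app", c, seinfo)[2] for c in COMPONENTS}
```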
