If you're looking for an upgrade from your existing 4.4 policy then I would say yes, the master branch version would be more secure and, in large, should be compatible. master has more domains in enforcing versus the 4.4 variant which I believe is using permissive and unconfined together for each domain. You could also consider using our seandroid master branch too. We typically have even more domains in enforcing mode than seen in AOSP. You can check out the source at https://bitbucket.org/seandroid/external-sepolicy.git.

On 03/07/2014 12:53 AM, Jaejyn Shin wrote:
Thank you for your detailed explanation.

I am building Android 4.4 branch and I modified lots of source codes in it.

I found many "untrusted_app" when I typed "ps -Z".
This happened because I used userdebug mode image, so I will try to run CTS again using user-mode image.
(I could not find any "untrusted_app" in my user-mode image)

Regardless of this matter, can I apply the recent policy files which are from the AOSP master branch (https://android.googlesource.com/platform/external/sepolicy/+/master) to my Android 4.4?
I want to make my android device more secure.
Is it compatible?

Thank you
Best regards


2014-03-07 11:31 GMT+09:00 Robert Craig <[email protected]>:

    Are you building our seandroid 4.4 based branch, or are you
    building the AOSP 4.4 branch? Depending on that answer the remedy
    to your problem will slightly differ. Some things to watch out for
    though.

    If you're seeing a bunch of untrusted_app denials then that might
    indicate an incorrectly composed mac_permissions.xml (source at
    external/sepolicy/mac_permissions.xml, processed form at
    system/etc/security/mac_permissions.xml in your out directory)
    file. If you run a "ps -Z" do you see a bunch of untrusted_app
    domains for all your apps?

    The mac_permissions.xml file is responsible for taking the cert
    used to sign an apk and assigning it an seinfo tag which is
    interpreted by the seapp_contexts
    (external/sepolicy/seapp_contexts) file. The seapp_contexts file
    then assigns the appropriate app domain (platform_app, shared_app,
    media_app, release_app, untrusted_app) based on a series of
    selectors (one of which is the seinfo tag). If you do have
    untrusted_app domains this means all your apps are dropping to the
    default stanza in the mac_permissions.xml file which then
    translates to untrusted_app because of the default seinfo tag.
    You'll need to get the correct certs into the mac_permissions.xml
    file to solve this.

    To remedy this you could try to construct an appropriate keys.conf
    (external/sepolicy/keys.conf) file. That file is used for
    controlling the mapping of "tags" found in the mac_permissions.xml
    signature stanzas with actual public keys found in pem files that
    you're using to resign your apps. The tags are then substituted
    out for the correct certs when building the image. You might also
    have success by simply adding the DEFAULT_SYSTEM_DEV_CERTIFICATE
    set to the directory of your new certs when building your image;
    doing this in lieu of building a keys.conf file. If none of these
    work you can always hand edit the mac_permissions.xml file with
    the correct cert.


    On Thu, Mar 6, 2014 at 7:11 PM, Jaejyn Shin
    <[email protected]> wrote:

        Dear SEAndroid developers

        I ran the CTS Test using my Android 4.4 image (CTS: Android plan).
        Then, there were lots of denial logs and most of the logs were
        generated from "untrusted_app".

        the # of total denial logs: 31962
        the # of total denial logs from untrusted_app: 31958

        To remove the denial logs and also to make my android
        device more secure, I am considering applying the recent SEPolicy
        from the AOSP master branch
        (https://android.googlesource.com/platform/external/sepolicy/+/master)

        Can I apply the recent sepolicy to my Android 4.4 device?
        Is it compatible and safe?

        Thank you
        Best regards

        _______________________________________________
        Seandroid-list mailing list
        [email protected]
        To unsubscribe, send email to [email protected].
        To get help, send an email containing "help" to [email protected].





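The thread's diagnosis is that every app fell through to the default stanza of mac_permissions.xml (seinfo "default"), and seapp_contexts then handed all of them untrusted_app. Below is an added diagnostic script to check that chain offline; it is not code from the seandroid-list thread, from AOSP, or from the SEAndroid project. The mac_permissions.xml excerpt, the seapp_contexts excerpt, the certificate hex values and the avc log lines are all constructed stand-ins, and the "most specific entry wins" selection is an assumed simplification of how libselinux orders seapp_contexts entries. Given the hex-encoded DER signing cert of an APK (what the processed mac_permissions.xml holds after keys.conf tags are substituted) and its package name, it resolves the seinfo tag and the app domain, and it tallies avc denials per source domain the way the first message counted them.

```python
"""Resolve an APK's seinfo tag and SELinux app domain from mac_permissions.xml and
seapp_contexts, and count avc denials by source domain. All data below is constructed."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed stand-in for the *processed* mac_permissions.xml. At build time the
# @PLATFORM-style tags from keys.conf are replaced by hex-encoded DER certs; the
# hex values here are placeholders, not real certificates.
MAC_PERMISSIONS_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="3082aa01">
    <seinfo value="platform"/>
  </signer>
  <signer signature="3082bb02">
    <seinfo value="release"/>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>
"""

# Constructed excerpt in the seapp_contexts layout: one entry per line, key=value selectors,
# with domain/type as the outputs. The entry without a seinfo selector is the catch-all.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system
user=_app domain=untrusted_app type=app_data_file levelFrom=none
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=release domain=release_app type=platform_app_data_file
user=_app seinfo=release name=com.android.browser domain=browser_app type=platform_app_data_file
user=_isolated domain=isolated_app
"""

# Constructed avc lines in the logcat/dmesg shape; only scontext matters for the tally.
AVC_LINES = """\
avc: denied { read } for pid=1201 comm="settings" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { write } for pid=1202 comm="dialer" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:radio_data_file:s0 tclass=dir
avc: denied { getattr } for pid=55 comm="vold" scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
"""

SELECTORS = ("isSystemServer", "user", "seinfo", "name")
SCONTEXT_RE = re.compile(r"scontext=u:r:([A-Za-z0-9_]+):")


def load_signers(xml_text):
    """Return ({cert_hex: seinfo}, default_seinfo) from a processed mac_permissions.xml."""
    root = ET.fromstring(xml_text)
    by_cert = {}
    for signer in root.findall("signer"):
        by_cert[signer.get("signature").lower()] = signer.find("seinfo").get("value")
    default = root.find("default")
    return by_cert, (default.find("seinfo").get("value") if default is not None else None)


def seinfo_for(cert_hex, signers):
    """seinfo tag for an APK signed with cert_hex; unknown certs fall to the default stanza."""
    by_cert, default = signers
    return by_cert.get(cert_hex.lower(), default)


def parse_seapp_contexts(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(dict(kv.split("=", 1) for kv in line.split()))
    return entries


def domain_for(entries, user="_app", seinfo=None, name=None, is_system_server=False):
    """Pick the entry whose selectors all match; the one with the most selectors wins
    (an assumed simplification of libselinux's seapp_contexts ordering)."""
    want = {"isSystemServer": "true" if is_system_server else "false",
            "user": user, "seinfo": seinfo, "name": name}
    best, best_score = None, -1
    for entry in entries:
        score = 0
        for key in SELECTORS:
            if key in entry:
                if entry[key] != want[key]:
                    break  # a specified selector does not match: entry is out
                score += 1
        else:
            if score > best_score:
                best, best_score = entry, score
    return best["domain"] if best else None


def resolve(cert_hex, pkg_name):
    """(seinfo, domain) an app would receive on this policy."""
    seinfo = seinfo_for(cert_hex, load_signers(MAC_PERMISSIONS_XML))
    return seinfo, domain_for(parse_seapp_contexts(SEAPP_CONTEXTS), seinfo=seinfo, name=pkg_name)


def tally_denials(log_text):
    """Denials per source domain: a tally dominated by untrusted_app is the symptom in the thread."""
    return Counter(m.group(1) for m in SCONTEXT_RE.finditer(log_text))


if __name__ == "__main__":
    for cert, pkg in [("3082aa01", "com.android.settings"),
                      ("3082bb02", "com.android.browser"),
                      ("deadbeef", "com.example.resigned")]:  # cert absent from the xml
        print(pkg, "->", resolve(cert, pkg))
    print(tally_denials(AVC_LINES))
```

The third case is the failure mode from the thread: an APK re-signed with a cert that never made it into mac_permissions.xml resolves to seinfo "default" and therefore to untrusted_app, no matter which seapp_contexts entries exist for platform or release apps. On a real device the cert hex to feed in is the DER of the APK's signing certificate, and the two files are the processed copies from the out directory, not the source templates.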