On 03/06/2014 07:11 PM, Jaejyn Shin wrote:
> Dear SEAndroid developers,
>
> I ran the CTS test using my Android 4.4 image (CTS: Android plan).
> There were lots of denial logs, and most of them were generated
> from "untrusted_app".
>
> The # of total denial logs: 31962
> The # of total denial logs from untrusted_app: 31958
>
> To remove the denial logs and also to make my Android device secure, I am
> considering applying the recent SEPolicy from the AOSP master branch
> (https://android.googlesource.com/platform/external/sepolicy/+/master).
>
> Can I apply the recent sepolicy to my Android 4.4 device?
> Is it compatible and safe?
The short answer is no. But the full answer is complicated, see below.

First, in Android 4.4 the untrusted_app domain was permissive, and therefore the denials are harmless, just log noise - they will not prevent any system calls from being executed by the apps. If you simply want to get rid of the log noise, just add unconfined_domain(untrusted_app) to your policy, either by adding it to your external/sepolicy/untrusted_app.te file or by using BOARD_SEPOLICY_UNION in your BoardConfig.mk file to add your own untrusted_app.te file from your device/<vendor>/<product> or vendor/<vendor>/<product> directories - see the Nexus device projects for examples. In current master, untrusted_app is permissive if building -userdebug or -eng and unconfined if building -user. In our seandroid and seandroid-4.4 branches, untrusted_app is fully confined and enforcing.

Second, at least a subset of the changes in the master policy depend on code changes to other projects in master, so you cannot safely/compatibly use the master policy without either cherry-picking the corresponding code changes or reverting those particular policy changes. A couple of examples:

- removal of /system/bin/ash and /system/bin/mksh in master,
- introduction of restorecon_recursive support and addition of restorecon_recursive /data calls to init.rc in master.

If you truly want to pursue that, then the easiest approach would be to use the seandroid-4.4.2 branches of our projects, which already contain the code changes cherry-picked from master relating to SE for Android. See:
http://selinuxproject.org/page/SEforAndroid#Using_a_release_version
for information about downloading our 4.4.2-based version.
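One way to lay out the BOARD_SEPOLICY_UNION override the reply describes, as an added shell example that is not part of the thread: it writes a device-local untrusted_app.te carrying only the unconfined_domain line and registers it in BoardConfig.mk. The device directory, vendor and product names are placeholders, and it assumes an Android 4.4 tree whose external/sepolicy build honours BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION.

```shell
#!/bin/sh
# Added example (not from the thread): lay out the BOARD_SEPOLICY_UNION
# override for untrusted_app. Paths and names below are placeholders.
# Assumes an Android 4.4 tree whose external/sepolicy build honours
# BOARD_SEPOLICY_DIRS / BOARD_SEPOLICY_UNION.

# Usage: write_untrusted_app_override <device-dir>
#   e.g. write_untrusted_app_override device/<vendor>/<product>
write_untrusted_app_override() {
  dev="$1"
  mkdir -p "$dev/sepolicy"

  # Device-local untrusted_app.te. Because the file name matches the AOSP
  # file and is listed in BOARD_SEPOLICY_UNION, its rules are unioned with
  # external/sepolicy/untrusted_app.te rather than replacing it.
  cat > "$dev/sepolicy/untrusted_app.te" <<'EOF'
# Silence AVC log noise from untrusted_app on Android 4.4, where the domain
# is already permissive, so this line removes no enforcement that existed.
unconfined_domain(untrusted_app)
EOF

  # Tell the sepolicy build where to look and which file to union.
  cat >> "$dev/BoardConfig.mk" <<EOF
BOARD_SEPOLICY_DIRS += $dev/sepolicy
BOARD_SEPOLICY_UNION += untrusted_app.te
EOF
}

# Sanity check: returns 0 when both files carry the expected lines.
check_untrusted_app_override() {
  dev="$1"
  grep -q '^unconfined_domain(untrusted_app)$' "$dev/sepolicy/untrusted_app.te" &&
  grep -q "^BOARD_SEPOLICY_DIRS += $dev/sepolicy$" "$dev/BoardConfig.mk" &&
  grep -q '^BOARD_SEPOLICY_UNION += untrusted_app.te$' "$dev/BoardConfig.mk"
}
```

Run the check before rebuilding the policy; if the device tree already lists other files in BOARD_SEPOLICY_UNION, the `+=` form keeps them.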
