On 06/09/2014 12:42 PM, Tai Nguyen (tainguye) wrote:
> I just updated Chrome from Play Store and now it stops working with our
> device policy in enforcing mode.
> Audit messages show that it tried to open
> file /data/data/com.android.chrome/app_chrome/icudtl.dat.
>
> That file is labeled based on seapp_context of the Chrome app which is
> based on signature.
> Since Chrome sandbox runs as isolated_app which doesn’t have access to
> Chrome app data file (e.g., google_app_data_file).
> Thus, it stops working.
>
> At the high level, if we want to treat isolated app as a specialized
> instance of the main app, it should have some
> relationship to the main app (e.g., able to read main app data). Thus,
> it seems like we need to map
> isolated_app with signer as well so that we can create specific rules
> for customized isolated_app to access its main app data.
>
> Is that the recommendation to handle situation like this (e.g.,
> google_isolated_app and google_app)?
> Or is it better just map it to the main app (i.e., google_app instead of
> isolated_app)?
> Is there other option?
We don't yet truly take advantage of the isolated_app domain, as it inherits
all of the rules in app.te via the app_domain() macro / appdomain attribute.
I think we ultimately might want to refactor app.te into two attributes, one
with a minimalist set of permissions that even isolated_app requires and one
with a more complete set of permissions for regular app processes.

I guess the question for your policy is whether there would be any real
difference between google_isolated_app and google_app if you have to allow
access to google_app_data_file to both domains.

You can certainly map the Chrome sandbox process to either domain by adding
an entry to seapp_contexts with user=_isolated
seinfo=<whatever-seinfo-you-defined-in-mac_permissions.xml-for-google-apps>
and have it take precedence over the default user=_isolated entry.
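As an added illustration (not code from this thread or from libselinux), a small Python model of the seapp_contexts lookup described in the reply, showing why an entry with `user=_isolated seinfo=google` takes precedence over the default `user=_isolated` entry. The entries, the seinfo value `google` (assumed to be assigned to the Chrome signing key by a `<signer>` stanza in mac_permissions.xml) and the google_isolated_app domain are constructed to mirror the thread; the specificity ordering is a simplification of the real libselinux entry ranking.

```python
# Simplified model of seapp_contexts entry selection (constructed example,
# not libselinux's implementation).  Input selectors are listed in the
# order this model ranks them; an entry naming more selectors wins.
INPUT_KEYS = ("user", "seinfo", "name")
OUTPUT_KEYS = ("domain", "type", "levelFrom", "level")

# Constructed excerpt modelled on a 2014-era seapp_contexts; the "google"
# seinfo and google_* domains are assumptions taken from the thread.
SEAPP_CONTEXTS = """
user=_isolated domain=isolated_app levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=_app seinfo=google domain=google_app type=google_app_data_file levelFrom=user
# proposed: isolated processes of google-signed apps get their own domain
user=_isolated seinfo=google domain=google_isolated_app levelFrom=user
"""

def parse_seapp_contexts(text):
    """Return a list of (inputs, outputs) dict pairs, one per entry line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        inputs = {k: v for k, v in kv.items() if k in INPUT_KEYS}
        outputs = {k: v for k, v in kv.items() if k in OUTPUT_KEYS}
        unknown = set(kv) - set(INPUT_KEYS) - set(OUTPUT_KEYS)
        if unknown or "domain" not in outputs:
            raise ValueError("bad seapp_contexts line: %r" % line)
        entries.append((inputs, outputs))
    return entries

def specificity(inputs):
    """Rank tuple: a specified selector beats an unspecified one, with
    earlier keys in INPUT_KEYS weighing more (simplified ordering)."""
    return tuple(k in inputs for k in INPUT_KEYS)

def select_context(entries, user, seinfo=None, name=None):
    """Return the outputs of the most specific entry matching the process,
    or None when no entry matches."""
    process = {"user": user, "seinfo": seinfo, "name": name}
    best = None
    for inputs, outputs in entries:
        if all(process.get(k) == v for k, v in inputs.items()):
            if best is None or specificity(inputs) > specificity(best[0]):
                best = (inputs, outputs)
    return best[1] if best else None

ENTRIES = parse_seapp_contexts(SEAPP_CONTEXTS)

if __name__ == "__main__":
    # The Chrome sandbox: isolated uid, seinfo from the Chrome signer.
    print(select_context(ENTRIES, "_isolated", "google",
                         "com.android.chrome:sandboxed_process0"))
```

Without the last constructed entry the same process would fall through to the plain `user=_isolated` line and land in isolated_app, which is the situation the audit denial on icudtl.dat reflects.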
