On 07/03/2014 11:49 AM, "François GILBERT" wrote:
>
>
> Hello SEAndroid folks,
>
> As I was browsing the rules of SEAndroid, I read a lot of "self" allow
> rules (i.e. allow bluetooth self:tun_socket create_socket_perms;). And I
> was wondering about the usefulness of these rules.
>
> For attributes, I see the usefulness of them:
>
> allow bluetoothdomain self:socket create_socket_perms;
>
> As the previous rule can be rewritten as something like the following rule
> and it makes perfect sense.
>
> allow { platform_app system release_app radio untrusted_app shared_app }
> { platform_app system release_app radio untrusted_app shared_app } :
> socket create_socket_perms
>
> But for some rules like "allow bluetooth self:tun_socket
> create_socket_perms" I do not see the usefulness. I mean, a type has all
> permissions in its own domain? Or am I wrong and these permissions must be
> present in the policy as well as other permissions?
Others explained why self rules are useful, but I also wanted to note
that your rewritten allow rule above is not equivalent to the original
rule. Your rewritten rule allows it for every pairing of domains in
bluetoothdomain, whereas the original rule only allows it between each
domain in bluetoothdomain and itself.
_______________________________________________
Seandroid-list mailing list
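
The difference the reply describes, as an added example that is not part of the original thread: a small Python model of how an allow rule expands into source/target pairs. The membership of `bluetoothdomain` is an assumption copied from the rewritten rule quoted above, and `create_socket_perms` is kept as an unexpanded label.

```python
# Assumed membership of the bluetoothdomain attribute, copied from the
# rewritten rule quoted in the thread (not read from a real policy).
ATTRIBUTES = {
    "bluetoothdomain": [
        "platform_app", "system", "release_app",
        "radio", "untrusted_app", "shared_app",
    ],
}


def resolve(name):
    """Expand an attribute to its member types; a plain type is itself."""
    return ATTRIBUTES.get(name, [name])


def expand_allow(sources, targets, tclass, perms):
    """Expand one allow rule into (source, target, class, perms) tuples.

    `self` in the target is evaluated per source type, after the source
    attribute has been expanded, so it never pairs two different types.
    The permission macro is kept as an opaque label.
    """
    rules = set()
    src_types = [t for s in sources for t in resolve(s)]
    for src in src_types:
        for tgt_name in targets:
            tgt_types = [src] if tgt_name == "self" else resolve(tgt_name)
            for tgt in tgt_types:
                rules.add((src, tgt, tclass, perms))
    return rules


def compare():
    """Return (original, rewritten, extra) rule sets for the two forms."""
    members = ATTRIBUTES["bluetoothdomain"]
    original = expand_allow(["bluetoothdomain"], ["self"],
                            "socket", "create_socket_perms")
    rewritten = expand_allow(members, members,
                             "socket", "create_socket_perms")
    return original, rewritten, rewritten - original


if __name__ == "__main__":
    original, rewritten, extra = compare()
    print(f"self rule: {len(original)} pairs; set-by-set: {len(rewritten)} pairs")
    for src, tgt, tclass, perms in sorted(extra):
        print(f"extra: allow {src} {tgt}:{tclass} {perms};")
```

Every line printed as `extra` is a cross-domain grant that the `self` form does not contain, which is what to look for when reviewing a rule that was rewritten from `self` to an explicit type set.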