On Aug 12, 2014 8:13 PM, "Pankaj Kushwaha" <[email protected]> wrote:
>
> Hi,
>
> I was thinking to make two different sepolicies for two users present on the same tablet.
> Is it possible somehow?

What's the use case?

>
> I started it with creating different policies for untrusted_app first.
> For this I thought of passing different seinfo for the owner and the secondary user, and based on the different seinfo, like default and default_owner, I would write rules in seapp_contexts to give these applications different labels like untrusted_app and untrusted_app_owner, and then write rules for this.
> But when I tried this, I came to know that in PackageManagerService.java installation of an app happens only once, whether I am in the primary user or the secondary user. So I wasn't able to change the label at installation time.
>
> Then I thought of changing the levelFrom tag in seapp_contexts, replaced levelFrom=none with levelFrom=user, which added sensitivity and categories to the label. It made all apps crash at boot itself.

MLS is not used on AOSP so it hasn't been tested. Perhaps the NSA reference policy has those rules worked out? You should put the device in permissive mode and collect the audit logs and post them.

>
> I observed that the user for the same application across different users is u0_a27 and u10_a27, u0_a65 and u10_a65, and so on.
>
> Can anyone please help me in achieving this?
> Is there any way to write rules on a category basis or a user basis?

Right now you could use the levelFrom construct and MLS constraints, but those are typically written to be applied consistently. If you know the uid of the user you could specify it in user=<uid> and then set a new type, but this is very static. The use case and deployment scenario would really drive what might need to change to support this.

>
> Thanks
> Pankaj Kushwaha
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
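To make the two options discussed in the reply concrete (a static per-uid user= entry versus levelFrom=user category assignment), here is an added example that models how an app process gets its SELinux context from seapp_contexts. It is not code from this thread or from AOSP/libselinux; it is a simplified re-implementation of the lookup in libselinux's android.c of that era. Assumptions: only app uids (u<user>_a<n>) are modelled, the most specific matching entry wins with earlier lines breaking ties, and levelFrom=user derives categories as c512+userid / c768+(userid>>8), levelFrom=app as c<appid> / c256+(appid>>8). The seapp_contexts text is a constructed sample.

```python
"""Toy model of the seapp_contexts lookup that labels Android app processes.

Added example; not the thread's or AOSP's own code. Simplified from the
matching rules in libselinux android.c (assumption: exact user= match,
specificity = number of selector fields present, earlier line wins ties).
"""
from dataclasses import dataclass
from typing import List, Optional

AID_USER = 100000  # one Android user spans 100000 uids: uid = userid*AID_USER + appid
AID_APP = 10000    # first app uid inside a user: u0_a27 is 10027, u10_a27 is 1010027

# Constructed seapp_contexts sample. The second line is the kind of static
# per-uid entry the reply describes: it pins only u10_a27 to its own domain.
SAMPLE_SEAPP_CONTEXTS = """\
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=u10_a27 domain=untrusted_app_owner type=app_data_file levelFrom=user
user=_app domain=untrusted_app type=app_data_file levelFrom=user
"""


@dataclass
class Entry:
    user: Optional[str]
    seinfo: Optional[str]
    name: Optional[str]
    domain: str
    type: str
    level_from: str


def parse_seapp_contexts(text: str) -> List[Entry]:
    """Parse 'key=value' tokens per line; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        entries.append(Entry(
            user=kv.get("user"), seinfo=kv.get("seinfo"), name=kv.get("name"),
            domain=kv.get("domain", "untrusted_app"),
            type=kv.get("type", "app_data_file"),
            level_from=kv.get("levelFrom", "none").lower(),
        ))
    return entries


def username(uid: int) -> str:
    """Linux user name bionic reports for an app uid, e.g. 1010027 -> u10_a27."""
    userid, appid = divmod(uid, AID_USER)
    if appid < AID_APP:
        raise ValueError("only app uids are modelled here")
    return f"u{userid}_a{appid - AID_APP}"


def _specificity(e: Entry, uid: int, seinfo: str, pkg: str) -> Optional[int]:
    """Number of selector fields that matched, or None if the entry does not apply."""
    score = 0
    if e.user is not None:
        if e.user != "_app" and e.user != username(uid):
            return None
        score += 1
    if e.seinfo is not None:
        if e.seinfo != seinfo:
            return None
        score += 1
    if e.name is not None:
        prefix = e.name.endswith("*")
        if (not pkg.startswith(e.name[:-1])) if prefix else (e.name != pkg):
            return None
        score += 1
    return score


def mls_level(level_from: str, uid: int) -> str:
    """Categories derived from the uid; levelFrom=user separates Android users."""
    userid, appid = divmod(uid, AID_USER)
    appid -= AID_APP
    cats = []
    if level_from in ("app", "all"):
        cats += [appid & 0xFF, 256 + ((appid >> 8) & 0xFF)]
    if level_from in ("user", "all"):
        cats += [512 + (userid & 0xFF), 768 + ((userid >> 8) & 0xFF)]
    return "s0" if not cats else "s0:" + ",".join(f"c{c}" for c in cats)


def label_app(entries: List[Entry], uid: int, seinfo: str = "default",
              pkg: str = "com.example.app") -> Optional[str]:
    """Pick the most specific matching entry and build the process context."""
    best = None
    for e in entries:
        s = _specificity(e, uid, seinfo, pkg)
        if s is not None and (best is None or s > best[0]):
            best = (s, e)
    if best is None:
        return None
    return f"u:r:{best[1].domain}:{mls_level(best[1].level_from, uid)}"


if __name__ == "__main__":
    entries = parse_seapp_contexts(SAMPLE_SEAPP_CONTEXTS)
    for uid in (10027, 1010027, 1010065):
        print(username(uid), "->", label_app(entries, uid))
```

Running it shows both points from the reply: u0_a27 and u10_a27 land in different MLS categories purely through levelFrom=user (c512 versus c522), so MLS constraints can keep the two users' data apart consistently, whereas the user=u10_a27 line gives only that one uid the untrusted_app_owner domain and u10_a65 still falls through to untrusted_app.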
