On 08/13/2014 03:34 AM, Pankaj Kushwaha wrote: > PK : denials is not the issue. I was just trying that how can I have > different label for same app running for two different users on same > device, so that I can write different policies for them.
Well, you said that apps crashed when you tried using levelFrom=user. That implies either a bug in the code or a policy denial, which one we can't tell without seeing dmesg and logcat output. >> PK : I tried adding following line in seapp_contexts file and made a > new file named untrusted_app_owner.te - > user=_app seinfo=default name=com.andrwq.recorder > domain=untrusted_app_owner type=app_data_file levelFrom=none user=u0_* 1. Duplicate user= key in the line. That's an error. We should have check_seapp reject any duplicate keys in a line. libselinux will presently just end up using the last one, so effectively you ended up with user=u0_*. We should have it reject it entirely. 2. The user= field in seapp_contexts is not the same as what you see when you run ps or ls (i.e. it isn't the name obtained via getpwuid). Given that the encoding could change at any time (as it did when JB introduced multi-user and switched from app_M to uN_aM) and that it did not seem useful to support assigning domains/types based on individual user or app IDs, we stopped using getpwuid() and started just directly using the android_filesystem_config.h definitions to map the Linux UID to a suitable lookup key (see the git history of external/libselinux/src/android.c). The user= field in seapp_contexts can only currently be one of the predefined platform users (e.g. "system", "bluetooth", etc) or "_app" for regular apps or "_isolated" for isolated services. So user=u0_* will never match. > When I installed this package i.e. com.andrwq.recorder in owner (primary > user) I expected that it will create a label untrusted_app_owner, but > it was still untrusted_app. Also i tried modifying above line used, > user=u0 and user=0, but still the same result. At the moment your only option for using the user ID is levelFrom=user, so you can try to get that working. Or you could introduce a new key in seapp_contexts with corresponding libselinux support to allow specifying e.g. owner versus secondary. Unfortunately we already use user= for what is actually the app ID since when we started there was no multi-user support in Android, so you'll have to pick a new key name. Could just use a boolean owner=true|false similar to isSystemServer. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
