Hi Chris,

I created a new domain untrusted_app_owner.te and wrote some rules in it, and the other one, i.e. untrusted_app.te, is the same as it is. I made seinfo changes in ActivityManagerService, so that when an app is started it checks whether the user is 0 or any secondary user. If seinfo is 'default' and the user is 0 it passes seinfo as 'default_owner', else it passes 'default'. Now in seapp_context I have written code such that if we get seinfo as 'default_owner' we give that a label 'untrusted_app_owner'. In this way, if I run an app, say Google Chrome, in owner it gets labelled as 'untrusted_app_owner', and if I run the same app in any other user it gets labelled as 'untrusted_app', and hence follows the rules as written in untrusted_app_owner.te and untrusted_app.

I have almost done what I was willing to do. Now my question is: is this approach fine? Also, I wanted to know what the reason was to modify code in UserInfo, UserManager, DevicePolicyManager and the user xml files?

I got this when I grepped all running processes with 'chrome':

u:r:untrusted_app:s0 u10_a31 6484 6400 com.android.chrome
u:r:untrusted_app_owner:s0 u0_a31 8580 127 com.android.chrome

Thanks
Pankaj Kushwaha

On Thu, Aug 14, 2014 at 11:21 AM, Pankaj Kushwaha <[email protected]> wrote:

> Yes Nguyen, this is exactly what I want to do, so that I can create different policies for owner and secondary users.
>
> Thanks Stephen, I will try to use boolean as you mentioned at the end of your mail. I pulled Google's master branch somewhere around January and then started modifying policies on my own; that might be the reason that applications are crashing when I changed the levelfrom tag to 'user' from 'none'. Anyway, that is not working, so I have again modified and am using levelfrom=none in my seapp_context.
> Will try to write isOwner to differentiate between owner and secondary users and hence write different policies.
>
> Thanks Chris, this is exactly what I want (you sort of read my mind). If the booleans, as suggested by Stephen, don't fulfill my requirements I will try the changes as suggested by you. Though it requires a lot of changes, I will try to do them. I will be really thankful to you if you can post the pull request as you mentioned above. In the meantime I will follow your guidance to achieve my goal.
>
> Thanks
> Pankaj Kushwaha
>
> On Wed, Aug 13, 2014 at 9:53 PM, Chris Stone <[email protected]> wrote:
>
>> Hi Pankaj,
>>
>> At Graphite Software we have done what you are trying to do. I will just give you some background on what we are doing because it helps to define the use case. Our Secure Spaces product uses Android's multi user capabilities to create multiple spaces on phones. For instance, you can have a personal space, a work space, or a mobile banking space. Each of these spaces has different security needs. We have the ability to set different SELinux policies for each space to meet those needs. For instance, one may want apps in their work space or mobile banking space to run in a much stricter SELinux policy than their personal space.
>>
>> We did this by changing frameworks/base classes. We add a field to the UserInfo class which contains an seinfo value for that user. Then we modify ActivityManagerService to use the seinfo value from the UserInfo class when it launches an app. There are also a bunch of other changes to things like DevicePolicyManager and UserManager to make the seinfo value persistent in the user xml files. Of course, we also add domains to the SELinux policy which define the allows, and link those domains to the seinfo value via seapp_contexts.
>>
>> In our case, the seinfo value is set from policy which is downloaded from our management server when the space is created, although we also have a test app that runs on the phone to set policy for the different spaces on the phone.
>>
>> My intent here is just to give you an idea of how you could achieve what you are trying to do. One way is to modify the appropriate classes in frameworks base, which is what we have done. If there is enough interest I could post a pull request with our changes to the SEAndroid bitbucket repo. However, I could not do this quickly due to delivery deadlines that are keeping me pretty busy, and because I would have to modify our solution to make it more generic, i.e., not dependent on our management server.
>>
>> Cheers,
>> Chris Stone.
>>
>> On Tue, Aug 12, 2014 at 11:11 PM, Pankaj Kushwaha <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I was thinking to make two different sepolicies for two users present on the same tablet.
>>> Is it possible somehow?
>>>
>>> I started with creating different policies for untrusted_app first. For this I thought of passing different seinfo for owner and secondary user, and based on the different seinfo, like default and default_owner, I will write rules in seapp_context to give these applications different labels like untrusted_app and untrusted_app_owner, and then write rules for this.
>>> But when I tried this actually, I came to know that in PackageManagerService.java installation of an app happens only once, whether I am in primary user or secondary user. So I wasn't able to change the label at time of installation.
>>>
>>> Then I thought of changing the levelfrom tag in seapp_context, replaced levelfrom=none with levelfrom=user, and that added sensitivity and cgroup to the label. It made all apps crash at boot itself.
>>>
>>> I observed that the user for the same application across different users is u0_a27 and u10_a27, u0_a65 and u10_a65 and so on.
>>>
>>> Can anyone please help me in achieving this?
>>> Is there any way to write rules on a cgroup basis or user basis?
>>>
>>> Thanks
>>> Pankaj Kushwaha
>>>
>>> _______________________________________________
>>> Seandroid-list mailing list
>>> [email protected]
>>> To unsubscribe, send email to [email protected].
>>> To get help, send an email containing "help" to
>>> [email protected].
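Added example, not part of the original thread or of any participant's code: a check that the per-user labelling described above holds across a whole process listing, flagging any app process in user 0 that is not in untrusted_app_owner, or any secondary-user app process that is. It assumes the five-column layout (label, user, PID, PPID, name) of the two lines quoted in the message; the sample listing and the mislabelled entry in it are constructed.

```python
import re

# Constructed sample in the column layout quoted in the message:
# LABEL USER PID PPID NAME
SAMPLE_PS = """\
u:r:untrusted_app:s0 u10_a31 6484 6400 com.android.chrome
u:r:untrusted_app_owner:s0 u0_a31 8580 127 com.android.chrome
u:r:untrusted_app:s0 u0_a27 9001 127 com.example.mislabelled
u:r:system_server:s0 system 600 127 system_server
"""

# Android app process users look like u<userId>_a<appId>, e.g. u10_a31.
APP_USER = re.compile(r"^u(\d+)_a(\d+)$")
OWNER_DOMAIN = "untrusted_app_owner"   # domain for seinfo=default_owner (user 0)
SECONDARY_DOMAIN = "untrusted_app"     # domain for seinfo=default (other users)


def expected_domain(user_id):
    """Domain the thread's scheme assigns to an untrusted app for this user."""
    return OWNER_DOMAIN if user_id == 0 else SECONDARY_DOMAIN


def check_labels(ps_output):
    """Return (pid, name, user, actual, expected) for each mislabelled app."""
    mismatches = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # header or truncated line
        label, user, pid, _ppid, name = fields[:5]
        match = APP_USER.match(user)
        parts = label.split(":")  # user:role:type:level[:categories]
        if not match or len(parts) < 4:
            continue  # system process or malformed label
        domain = parts[2]
        if domain not in (OWNER_DOMAIN, SECONDARY_DOMAIN):
            continue  # other app domains are outside this check
        want = expected_domain(int(match.group(1)))
        if domain != want:
            mismatches.append((int(pid), name, user, domain, want))
    return mismatches


if __name__ == "__main__":
    for pid, name, user, got, want in check_labels(SAMPLE_PS):
        print(f"pid {pid} {name} ({user}): in {got}, expected {want}")
```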
