On 08/14/2014 08:38 AM, Stephen Smalley wrote:
> On 08/14/2014 01:51 AM, Pankaj Kushwaha wrote:
>> Yes Nguyen, this is exactly what I want to do, so that I can create
>> different policies for owner and secondary users.
>>
>> Thanks Stephen, I will try to use boolean as you mentioned at the end of your
>> mail. I pulled google's master branch somewhere around January and then
>> started modifying policies on my own; that might be the reason that
>> applications are crashing when I changed the levelFrom tag to 'user' from
>> 'none'. Anyways that is not working so I have again modified it and am using
>> levelFrom=none in my seapp_contexts.
>> Will try to write isOwner to differentiate between owner and secondary
>> users and hence write different policies.
>
> I don't think working from such an old snapshot of AOSP master is going
> to be overly useful to you, as a) much has changed in policy since that
> time - over 300 changes to external/sepolicy alone, and b) untrusted_app
> was still permissive_or_unconfined in AOSP master back in January (went
> enforcing+confined in May), so your untrusted_app domain will be
> permissive in -userdebug or -eng builds and unconfined in -user builds.
>
> Either update to current AOSP master, or, if you want a stable version
> as your baseline, use our seandroid-4.4.4 branch with android-4.4.4_r1.
With the attached patch (relative to current AOSP master or our branches), I
have apps running in per-user levels, with their data directories assigned
those levels:

$ adb shell ps -Z | grep browser
u:r:untrusted_app:s0:c522,c768 u10_a17 1780 121 com.android.browser
u:r:untrusted_app:s0:c512,c768 u0_a17 2005 121 com.android.browser
$ adb shell ls -Zd /data/user/0/com.android.browser /data/user/10/com.android.browser
drwxr-x--x u0_a17 u0_a17 u:object_r:app_data_file:s0:c512,c768 com.android.browser
drwxr-x--x u10_a17 u10_a17 u:object_r:app_data_file:s0:c522,c768 com.android.browser

Note that the latter requires resetting/erasing userdata or triggering a
relabel of it (which should happen automatically on an OTA that includes the
seapp_contexts change).

Note that I had to make several daemon domains mlstrustedsubjects to permit
the apps with different levels to connect to them.

It may be necessary to also add levelFrom=user to other entries in
seapp_contexts for completeness, for any app that is run per-user. It may be
necessary to mark additional domains with mlstrustedsubject or types with
mlstrustedobject to exempt them from the level-based restrictions. However,
be careful not to assign mlstrustedsubject to any of the app domains that
you are trying to restrict in this way, nor mlstrustedobject to
app_data_file as that would defeat the purpose.

If you encounter app crashes, look for denials in dmesg or cat /proc/kmsg
output.
diff --git a/adbd.te b/adbd.te index 3b654a1..a9a6355 100644 --- a/adbd.te +++ b/adbd.te @@ -1,6 +1,6 @@ # adbd seclabel is specified in init.rc since # it lives in the rootfs and has no unique file type. -type adbd, domain; +type adbd, domain, mlstrustedsubject; userdebug_or_eng(` allow adbd self:process setcurrent; diff --git a/logd.te b/logd.te index cde721a..ca6719a 100644 --- a/logd.te +++ b/logd.te @@ -1,5 +1,5 @@ # android user-space log manager -type logd, domain; +type logd, domain, mlstrustedsubject; type logd_exec, exec_type, file_type; init_daemon_domain(logd) diff --git a/mdnsd.te b/mdnsd.te index 7e14b52..e5fe1e2 100644 --- a/mdnsd.te +++ b/mdnsd.te @@ -1,5 +1,5 @@ # mdns daemon -type mdnsd, domain; +type mdnsd, domain, mlstrustedsubject; type mdnsd_exec, exec_type, file_type; init_daemon_domain(mdnsd) diff --git a/netd.te b/netd.te index 81275a7..ce89421 100644 --- a/netd.te +++ b/netd.te @@ -1,5 +1,5 @@ # network manager -type netd, domain; +type netd, domain, mlstrustedsubject; type netd_exec, exec_type, file_type; init_daemon_domain(netd) diff --git a/seapp_contexts b/seapp_contexts index 26d0c8f..046485a 100644 --- a/seapp_contexts +++ b/seapp_contexts @@ -44,4 +44,4 @@ user=shared_relro domain=shared_relro user=shell domain=shell type=shell_data_file user=_isolated domain=isolated_app user=_app seinfo=platform domain=platform_app type=app_data_file -user=_app domain=untrusted_app type=app_data_file +user=_app domain=untrusted_app type=app_data_file levelFrom=user
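Review bot: the adbd.te hunk grants a blanket MLS exemption (mlstrustedsubject exempts adbd from every level constraint, not just the socket connect the cover mail describes) without a comment saying which cross-level interaction needs it. Put the reason above the type line, e.g. `# mlstrustedsubject: apps at any per-user level connect to adbd`, and confirm the denial came from adbd itself rather than from the `shell` domain it spawns, which seapp_contexts labels separately and this patch does not touch.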
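Review bot: the logd.te hunk is the clearest case for mlstrustedsubject, since every app writes its log messages to logd and the apps now sit at distinct per-user levels, but the file records none of that; add a one-line comment (`# mlstrustedsubject: receives log writes from apps at every user's level`) so the exemption is understood to be about inbound app traffic and can be revisited if the log path ever changes.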
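Review bot: for the mdnsd.te hunk neither the diff nor the cover mail identifies which client at a different level connects to mdnsd; the mail only says "several daemon domains" needed it. Before keeping this, check the denial that motivated it (dmesg or /proc/kmsg, as the mail suggests) to confirm the source domain was untrusted_app and not system_server, which is not leveled per user by this patch, and name that client in a comment above `type mdnsd, domain, mlstrustedsubject;`.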
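Review bot: the netd.te hunk has the same missing-comment problem; netd serves DNS lookups for every app through its proxy socket, so apps at every user's level connect to it and the exemption is justified, but that justification belongs in the file. Note too that mlstrustedsubject lifts MLS for everything netd touches, which is wider than the socket connect being fixed; if the policy later allows exempting only the socket type (the mail mentions mlstrustedobject on types for this), that would be the tighter option.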
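Review bot: in the seapp_contexts hunk, levelFrom=user is added only to the `user=_app domain=untrusted_app type=app_data_file` line, while the `user=_app seinfo=platform domain=platform_app type=app_data_file` line directly above keeps its data at plain s0 under the same app_data_file type. An untrusted_app at s0:c512,c768 dominates s0, so the level check alone would not separate platform-app data per user. Unless that is intended, add levelFrom=user to the platform_app entry too (and decide explicitly about the `_isolated` entry), as the cover mail itself suggests for other per-user app entries.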
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
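To make the level strings in the `ps -Z` and `ls -Z` output above concrete, here is an added example that is not part of the mail, the patch or AOSP: it models how a seapp_contexts levelFrom= setting turns an Android uid into an MLS level, and applies a simplified dominance check with the mlstrustedsubject / mlstrustedobject exemptions the mail discusses. The category formula follows the one used by libselinux's android.c as I know it (assumption: it matches the reader's tree); `uid_from_name`, `mls_allows` and the access model are illustrative helpers, not Android's real MLS constraints.

```python
# Added example (not code from the patch, AOSP or libselinux): model how
# levelFrom= derives an MLS level from an Android uid, then check who may
# touch what under a simplified MLS rule with the trusted-subject/object
# exemptions. Assumptions: the category formula below is the android.c one;
# the access rule is a model of a single "subject must dominate object"
# mlsconstrain, not the full Android mls file.

AID_USER = 100000           # uids per Android user (u10_a17 -> uid 1010017)
AID_APP = 10000             # first uid handed to a regular app
AID_ISOLATED_START = 99000  # first uid used for isolated app processes


def uid_from_name(name):
    """Turn a 'uN_aM' name as printed by `ps -Z` into a numeric uid."""
    user, app = name.split("_")
    return int(user[1:]) * AID_USER + AID_APP + int(app[1:])


def split_uid(uid):
    """Return (userid, app index, seapp_contexts user) the way android.c does."""
    userid, appid = divmod(uid, AID_USER)
    if appid < AID_APP:
        return userid, appid, None          # system uid: no app index
    if appid < AID_ISOLATED_START:
        return userid, appid - AID_APP, "_app"
    return userid, appid - AID_ISOLATED_START, "_isolated"


def compute_level(level_from, uid):
    """MLS level for levelFrom=none|app|user|all (android.c formula)."""
    userid, appid, _ = split_uid(uid)
    app_cats = [appid & 0xff, 256 + ((appid >> 8) & 0xff)]
    user_cats = [512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)]
    cats = {"none": [], "app": app_cats, "user": user_cats,
            "all": app_cats + user_cats}[level_from]
    return "s0" if not cats else "s0:" + ",".join("c%d" % c for c in cats)


def parse_level(level):
    """'s0:c512,c768' -> ('s0', frozenset({512, 768})); 's0' -> empty set."""
    sens, _, cats = level.partition(":")
    return sens, frozenset(int(c[1:]) for c in cats.split(",") if c)


def dominates(a, b):
    """a dom b: same sensitivity (Android uses only s0) and a's category
    set is a superset of b's."""
    sa, ca = parse_level(a)
    sb, cb = parse_level(b)
    return sa == sb and ca >= cb


def mls_allows(subj_type, subj_level, obj_type, obj_level,
               trusted_subjects=frozenset(), trusted_objects=frozenset()):
    """Simplified model (hypothetical helper): access passes the MLS check
    when the subject dominates the object, or when either side carries the
    mlstrustedsubject / mlstrustedobject attribute. Type enforcement rules
    are evaluated separately by the kernel and are not modeled here."""
    return (dominates(subj_level, obj_level)
            or subj_type in trusted_subjects
            or obj_type in trusted_objects)


if __name__ == "__main__":
    for name in ("u0_a17", "u10_a17"):
        uid = uid_from_name(name)
        print(name, uid, compute_level("user", uid), compute_level("all", uid))
    owner = compute_level("user", uid_from_name("u0_a17"))    # s0:c512,c768
    second = compute_level("user", uid_from_name("u10_a17"))  # s0:c522,c768
    # Owner's browser against user 10's data dir: no dominance, no exemption.
    print(mls_allows("untrusted_app", owner, "app_data_file", second))
    # Marking app_data_file mlstrustedobject reopens it, as the mail warns.
    print(mls_allows("untrusted_app", owner, "app_data_file", second,
                     trusted_objects={"app_data_file"}))
    # An s0 daemon made mlstrustedsubject may talk to either level.
    print(mls_allows("netd", "s0", "untrusted_app", second,
                     trusted_subjects={"netd"}))
```

The two `compute_level("user", ...)` results reproduce the c512,c768 and c522,c768 pairs shown for u0_a17 and u10_a17 in the mail; the last three calls show why the daemons needed mlstrustedsubject (a plain s0 subject does not dominate an app at s0:c522,c768) and why putting mlstrustedobject on app_data_file would undo the per-user separation.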
