On Sat, Sep 20, 2014 at 12:08 AM, Nick Kralevich <[email protected]> wrote:
> I'm really starting to get annoyed at BOARD_SEPOLICY_REPLACE.
>
> A few times now, I've seen people misusing this to bypass neverallow rules. For example, just today I saw someone who copied over domain.te, commented out a bunch of neverallow rules, then used "BOARD_SEPOLICY_REPLACE += domain.te" to get their policy to compile. Not only do we have two copies of domain.te floating around, people will be rudely surprised when their devices fail CTS.

I really think some of the usage of BOARD_SEPOLICY_REPLACE happens (unless it is really misused) because of the issue I mentioned in the previous email. Not all OEMs (especially some small ones) would be brave enough to go to Google as Stephan suggested and propose some additional exceptions that can be valid ones. And some OEMs might even have some weird processes/native daemons that might not even apply to a wider audience (I don't know what it can be, but I suspect it might be the case). So just removing the possibility of BOARD_SEPOLICY_REPLACE makes writing a policy harder. If you allow such fragmentation (adding powerful native services and daemons) for your OS, you can't remove the mechanism to specify the policy for them. Or else you should provide another proper mechanism to achieve it. But don't misunderstand me, I think the issue is really tricky: you, as an OS provider, want the basic security policy to stay secure, and this includes these "neverallow" rules. Adding more exceptions to them makes the overall policy less secure (since the attack surface grows), and there is no real way (unless of course you see some rules commented out as you mentioned) to automatically determine whether a certain additional exception to a rule is legitimate or not.
I think a good requirement might be that components that come from 3rd parties and which are trusted enough to be added to sensitive domains or, for example, as exceptions to sensitive "neverallow" rules, might need to conform to additional verification/security testing etc. to ensure that their security level is appropriate. So an automatic check can be something like this: if you see a new exception in a neverallow rule, then you check that the component listed has been certified/tested for this purpose. I don't really know how you run these checks internally in reality, but I just want to give an idea of what the process could be.

Best Regards,
Elena.
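As an added illustration of the kind of automatic check discussed in this thread (example code written for this page, not from the list or from AOSP): the script below compares the neverallow statements of an upstream .te file with those of a BOARD_SEPOLICY_REPLACE copy and reports every upstream rule that was deleted or commented out, plus every rule the copy added in its place, so a reviewer can see which exceptions need justification. The two policy excerpts are constructed samples modelled on domain.te style rules; the oem_daemon type is a hypothetical name.

```python
import re

# A neverallow statement may span several lines and ends at ';'.
NEVERALLOW_RE = re.compile(r"\bneverallow\b[^;]*;")


def strip_comments(policy_text):
    """Drop '#' comments so a commented-out rule no longer counts as present."""
    return "\n".join(line.split("#", 1)[0] for line in policy_text.splitlines())


def neverallow_rules(policy_text):
    """Return the set of whitespace-normalized neverallow statements in a .te file."""
    text = strip_comments(policy_text)
    return {re.sub(r"\s+", " ", m.group(0)).strip() for m in NEVERALLOW_RE.finditer(text)}


def compare_neverallows(upstream_text, replacement_text):
    """Return (removed, added): upstream rules missing from the replacement, and
    rules the replacement introduced (a weakened rule shows up in both lists)."""
    upstream = neverallow_rules(upstream_text)
    replacement = neverallow_rules(replacement_text)
    return sorted(upstream - replacement), sorted(replacement - upstream)


# Constructed upstream excerpt (modelled on domain.te style rules).
UPSTREAM = """
neverallow { domain -init } kernel:security load_policy;
neverallow domain init:process { transition dyntransition };
neverallow { domain -init -installd } system_data_file:dir write;
"""

# Constructed OEM replacement: one rule commented out, one loosened with a
# hypothetical oem_daemon exception.
OEM_REPLACEMENT = """
neverallow { domain -init } kernel:security load_policy;
# neverallow domain init:process { transition dyntransition };
neverallow { domain -init -installd -oem_daemon } system_data_file:dir write;
"""

if __name__ == "__main__":
    removed, added = compare_neverallows(UPSTREAM, OEM_REPLACEMENT)
    for rule in removed:
        print("REMOVED/WEAKENED:", rule)
    for rule in added:
        print("ADDED (needs review):", rule)
```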
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
