On 10/18/2014 04:27 AM, Tal Palant wrote:
> Hello all,
> 
> I know that in the past there was an option/ability to assign a unique
> category for each application installed on the device.
> 
> The rule will be something like this (I assume):
> 
> "user=_app seinfo=release \ name=com.android.browser \ domain=browser_app \
> type=platform_app_data_file levelFrom=app"
> 
> and levelFrom=app will restrict it to the application itself and nothing
> more.
> 
> But how do I automatically generate such rules in advance for all the
> applications without knowing the applications that will be installed on the
> device?
> 
> Also will this rule be enough to block access to the specific application
> files?
> 
> Thanks in advance,

You can apply it to all non-system apps by adding levelFrom=app to the
user=_app domain=untrusted_app type=app_data_file line in
seapp_contexts, à la:

user=_app domain=untrusted_app type=app_data_file levelFrom=app

This would assign a unique category set to each such app, isolating each
app to accessing only its own files.

However, this will break compatibility, which is why it is not in AOSP.
There we have recently uploaded a change to enable levelFrom=user (i.e.
per-user category sets) in order to isolate apps for one user from apps
for another user.  We are not yet sure how well that will work in practice.
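To make the difference between the two settings concrete, here is an added example (my own code, not from this thread or from AOSP) that models how a seapp_contexts levelFrom= value turns an app uid into an MLS category set and then applies a simplified dominance check between an app process and another app's app_data_file. The arithmetic (low and high byte of the app id mapped into two category ranges, user id likewise into two higher ranges) and the constants AID_USER, AID_APP are my assumption of what libselinux's seapp_contexts handling does and should be checked against external/libselinux/src/android.c in the tree you build; the category-subset check stands in for the policy's mlsconstrain rules and ignores the mlstrustedsubject/mlstrustedobject exceptions.

```python
"""Added example: levelFrom= handling in seapp_contexts, modelled in Python.

Assumptions (not from the original thread): the uid split and the
category arithmetic below follow libselinux's seapp_context_lookup()
as I remember it; verify against external/libselinux/src/android.c.
"""

AID_USER = 100000   # assumed: size of the uid range per Android user
AID_APP = 10000     # assumed: first uid handed to installed apps


def split_uid(uid):
    """Return (userid, appid) for an installed-app uid.

    appid is taken relative to AID_APP, as seapp_contexts does for
    user=_app entries; system uids (below AID_APP) are rejected here.
    """
    userid, raw = divmod(uid, AID_USER)
    if raw < AID_APP:
        raise ValueError("uid %d is a system uid, not an installed app" % uid)
    return userid, raw - AID_APP


def categories(uid, level_from):
    """Category set assigned to uid for a given levelFrom= value.

    levelFrom=app   -> two categories derived from the app id
    levelFrom=user  -> two categories derived from the user id
    levelFrom=all   -> both sets
    levelFrom=none  -> no categories (plain s0)
    """
    if level_from not in ("none", "app", "user", "all"):
        raise ValueError("unknown levelFrom=%s" % level_from)
    userid, appid = split_uid(uid)
    cats = set()
    if level_from in ("app", "all"):
        # assumed mapping: appid low byte -> c0..c255, high byte -> c256..c511
        cats |= {appid & 0xff, 256 + ((appid >> 8) & 0xff)}
    if level_from in ("user", "all"):
        # assumed mapping: userid low byte -> c512..c767, high byte -> c768..c1023
        cats |= {512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)}
    return frozenset(cats)


def mls_level(uid, level_from):
    """Render the level the way it appears in a context, e.g. s0:c42,c256."""
    cats = categories(uid, level_from)
    if not cats:
        return "s0"
    return "s0:" + ",".join("c%d" % c for c in sorted(cats))


def context(uid, level_from, type_="untrusted_app", role="r"):
    """Full context string; use role="object_r" and an app_data_file type for files."""
    return "u:%s:%s:%s" % (role, type_, mls_level(uid, level_from))


def may_access(subject_cats, object_cats):
    """Simplified MLS check: the subject's categories must dominate the
    object's (a superset). Files labelled plain s0 are therefore reachable
    by every app, which is why levelFrom only isolates app_data_file."""
    return object_cats <= subject_cats


def isolated(uid_a, uid_b, level_from):
    """True if app A's process is denied app B's app_data_file under this setting."""
    return not may_access(categories(uid_a, level_from), categories(uid_b, level_from))


if __name__ == "__main__":
    # Constructed sample uids: two apps of user 0, and the same app id under user 10.
    a, b, a_user10 = 10042, 10043, 1010042
    for setting in ("none", "app", "user", "all"):
        print("levelFrom=%-4s  %s  A-vs-B isolated: %-5s  A-vs-A(user 10) isolated: %s" % (
            setting, context(a, setting), isolated(a, b, setting),
            isolated(a, a_user10, setting)))
```

Running it shows the trade-off discussed above: levelFrom=app separates two apps of the same user but gives the same app id under two users an identical category set, levelFrom=user does the reverse, and only levelFrom=all separates both; every setting still leaves s0-labelled system files readable, so none of them changes anything outside app_data_file.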


_______________________________________________
Seandroid-list mailing list