Thanks, two follow questions:
1) If an application developer crests files with world-readable permissions then SEAndroid policy (in theory) will still deny access to the application files by other applications? 2) what about files in the external storage? there we can't use the file labels used by SEAndroid. does it means that for these files the unique policy won't work? greetings, Tal On Mon, Oct 20, 2014 at 4:16 PM, Stephen Smalley <[email protected]> wrote: > On 10/20/2014 09:13 AM, Tal Palant wrote: > > will this effect the file permissions set to each application files? > > levelFrom=app will assign a unique MLS category set to the app process > and to its /data/data/<pkgdir> package directory. And any files the app > process creates will inherit that category set. > > > > > On Mon, Oct 20, 2014 at 4:08 PM, Stephen Smalley <[email protected]> > wrote: > > > >> On 10/18/2014 04:27 AM, Tal Palant wrote: > >>> Hello all, > >>> > >>> i know that in the past there was an option/ability to assign a unique > >>> category for each application installed on the device. > >>> > >>> The rule will be something like this (i assume): > >>> > >>> "user=_app seinfo=release \ name=com.android.browser \ > >> domain=browser_app \ > >>> type=platform_app_data_file levelFrom=app" > >>> > >>> and levelForm=app will restrict it to the application itself and > nothing > >>> more. > >>> > >>> But how do i automatically generate such rules in advanced for all the > >>> applications without knowing the applications that will be installed on > >> the > >>> device? > >>> > >>> Also will this rule be enough to block access to the specific > application > >>> files? > >>> > >>> Thanks in advance, > >> > >> You can apply it to all non-system apps by adding levelFrom=app to the > >> user=_app domain=untrusted_app type=app_data_file line in > >> seapp_contexts, ala: > >> > >> user=_app domain=untrusted_app type=app_data_file levelFrom=app > >> > >> This would assign a unique category set to each such app, isolating each > >> app to accessing only its own files. > >> > >> However, this will break compatibility, which is why it is not in AOSP. > >> There we have recently uploaded a change to enable levelFrom=user (i.e. > >> per-user category sets) in order to isolate apps for one user from apps > >> for another user. We are not yet sure how well that will work in > practice. > > -- טל פולו פלנט כי שם כזה יש רק אחד
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
