Would now be a good time to consider moving the Android policy to support CIL as aosp and seandroid have the CIL compiler installed (external/libsepol/cil - the cil/docs/Makefile will generate a CIL reference guide).
In the long term it may help alleviate some of these problems. Detailed information on the CIL design can be found at: https://github.com/SELinuxProject/cil/wiki (Note this is a bit dated and not all features are available yet (e.g. type inheritance), however the CIL ref guide lists all current features). Example CIL policy for the emulator and flo devices can be found at: http://taiga.selinuxproject.org/~rhaines/Android/aosp_cil_sepolicy-1138.tar.gz (only the emulator has been tested) >________________________________ > From: Dong Zhou <dong.z...@gm.com> >To: Elena Reshetova <elena.reshet...@gmail.com>; William Roberts ><bill.c.robe...@gmail.com> >Cc: "seandroid-list@tycho.nsa.gov" <seandroid-list@tycho.nsa.gov>; Stephen >Smalley <s...@tycho.nsa.gov> >Sent: Thursday, 12 February 2015, 3:20 >Subject: RE: To allow custom domain to extend system_app type (SEAndroid) > > > > >I started this thread because the device I am working on is very different >from a typical phone/tablet environment (I work for GM, so it is not too hard >to imagine the device :-)) , we have tons of customization to AOSP. Default >policy is a great starting point, but don't always work. There are many cases >like "i want system_app permissions plus a little more". So as far as i can >see , "extending" default policies is not bad approach at all. It is true it >might be over privileged in some cases, but it is a trade-off between >development time + future maintain-ablity vs. least privileged model. > > >I'd love to see SEAndroid policies become more extendable. > > >thanks > > >Joe > >________________________________ > >From: Seandroid-list <seandroid-list-boun...@tycho.nsa.gov> on behalf of Elena >Reshetova <elena.reshet...@gmail.com> >Sent: Wednesday, February 11, 2015 11:49 AM >To: William Roberts >Cc: seandroid-list@tycho.nsa.gov; Stephen Smalley >Subject: Re: To allow custom domain to extend system_app type (SEAndroid) > > > > > >While you can get finer grained granularity write custom domains for >everything from the OEM perspective Its awften the case that a particular >system app that does some additional privelege that other system apps don't >do. So by going a route where most people will not copy + paste system_app >allow rules and fixthem up for their domain, its also harder for them to stay >in line, and recoeve fixes to the base policy. Suppose, you remove some >allowance from base system_app becuase it closes some hole, or removes a >privelege that is no longer needed do to code change. All the copy + pastes >for these new domains will likely never get this change, as they wont ever >re-avaulate existing domains, just add to them. >> > > >+1 The worst of all is trying to sync up the rules that were for some reason >copied: becomes a never ending nightmare. I would rather define a correct >hierarchy when I know what I am doing and what I want to archive and be done >with it. Versus, copy now, maintain forever. > > >But I agree that hierarchy via attributes should be done with a great care for >each particular case. > > > > >Nothing in this message is intended to constitute an electronic signature >unless a specific statement to the contrary is included in this message. > >Confidentiality Note: This message is intended only for the person or entity >to which it is addressed. It may contain confidential and/or privileged >material. Any review, transmission, dissemination or other use, or taking of >any action in reliance upon this message by persons or entities other than the intended recipient is prohibited and may be unlawful. If you received this message in error, please contact the sender and delete it from your computer. >_______________________________________________ >Seandroid-list mailing list >Seandroid-list@tycho.nsa.gov >To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. >To get help, send an email containing "help" to >seandroid-list-requ...@tycho.nsa.gov. > > _______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
