If we consider the sceanario, that we have two apps (one rogue and another “good” app) running on the system that have been signed with same key and therefore same userId (but belonging to two different domains), would security policy come in the middle and prevent the rogue app from accessing the asset belonging to “good” app?
From: William Roberts [mailto:[email protected]] Sent: Friday, April 03, 2015 7:09 PM To: Datta, Souvik Cc: [email protected]; Stephen Smalley Subject: RE: Preventing untrusted_app domain from accessing database On Apr 3, 2015 9:36 AM, "Datta, Souvik" <[email protected]<mailto:[email protected]>> wrote: > > In the beginning my aim was to prevent the untrusted_app domain from > accessing the database through content provider. But from the reply from > William Roberts, I realized that that would be possible only through Android > Manifest file permission. > > But if I want to prevent a rogue downloadable app (untrusted_app domain) from > accessing the database fifle directly, would it be possible to prevent this > direct access by using security context in Android 4.4.4 (with setenforce as > 1) Android already has sandboxing between apps. So as long as you both dont run in the same uid (which implies same signing key) then your fine. Also dont chmod the file to world read/write. If you need more guarantees then you can author app specific policy if you have source code control like an OEM. > > > > > -----Original Message----- > From: Stephen Smalley [mailto:[email protected]<mailto:[email protected]>] > Sent: Friday, April 03, 2015 6:51 PM > To: Datta, Souvik; > [email protected]<mailto:[email protected]> > Subject: Re: Preventing untrusted_app domain from accessing database > > On 04/03/2015 09:16 AM, Datta, Souvik wrote: > > Hello Stephen, > > > > I am using Android 4.4.4 which is distributed by a Silicon Vendor for > > the embedded target that I am working on. I went ahead and modified > > <build>/external/sepolicy/untrusted_app.te file by commenting out > > #permissive untrusted_app; and then did a build. But this did not have > > any effect. In other words, the process belonging to untrusted_app > > domain could still access the database > > (u:object_r:hm_phonebookaccess_data_file:s0) > > > > Is there any other way, this can be handled other than moving to a > > different version of SEAndroid? > > Are you trying to prevent direct access to the file or the ability to use the > ContentProvider? Two different issues. The former is enforceable by SELinux > at the kernel level. The latter is a matter of Android permissions enforced > by the middleware. > > > _______________________________________________ > Seandroid-list mailing list > [email protected]<mailto:[email protected]> > To unsubscribe, send email to > [email protected]<mailto:[email protected]>. > To get help, send an email containing "help" to > [email protected]<mailto:[email protected]>.
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
