so just to sum up, there is basically no permission revocation or denial in SEAndroid?
On Tue, Jun 23, 2015 at 7:09 PM, Stephen Smalley <[email protected]> wrote: > On 06/23/2015 11:42 AM, Tal Palant wrote: > > so basically install time mac isn't relevant in Android M? > > And the first part of labeling is used to block applications with a > > large variety of permissions from being installed all together? > > As rpcraig explained, only the part of install-time MAC that supported > labeling of apps based on signature and optionally package name was ever > upstreamed into AOSP. And even in our own branches, we dropped the part > of install-time MAC that was enforcing restrictions over Android > permissions long ago; only the support for enforcing a whitelist of what > apps could be installed remained. Regardless, that was always an > install-time permissions check not a runtime check. > > We also had experimental runtime permission revocation support in our > branches for a while back in the 4.2 and earlier days, but dropped that > when Android 4.3 was released with App Ops, and switched over to working > on that. Which led to our Enterprise Ops mechanism for enforcing > enterprise restrictions over App Ops. As the new runtime permissions > mechanism seems similar to or based upon App Ops, that seems like a > possible area for investigation but we can't do that until we have > source for M. > > None of our middleware MAC enforcement mechanisms were ever accepted > into AOSP, only our SELinux contributions. M does include several > advances to SELinux in Android, and there will be a couple of talks at > the upcoming Linux Security Summit that will be discussing those advances. > > -- טל פולו פלנט כי שם כזה יש רק אחד
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
