Hi Stephen,

I have a question for you.
In default Android-M, "levelFrom=user" is not applied to system_app. But
there is an alternative approach, as you suggested in the link
http://marc.info/?l=seandroid-list&m=141150669811670&w=2. See below:

- We could enable levelFrom=user for these apps (<Added by me> such as system
app, nfc) too, thereby running them with per-user levels like the other apps.
However, this would break their interactions with system processes and
resources unless we annotate those system domains and types with which they
interact with mlstrustedsubject/object markings.

With a little change to the above words, I think the solution could be even
better than the one currently implemented in Android-M.

- We could enable levelFrom=user for these apps (<Added by me> such as system
app, nfc) too, thereby running them with per-user levels like the other apps.
However, this would break their interactions with system processes and
resources unless we annotate those system domains and types with which they
interact with mlstrustedsubject. For the system process data file in user 0,
we set no category markings (:s0 only).

Here is our comparison:

Goal: Multiple Categorized Security Protection for AFW Managed Profile
Design Choices:

  * System App categorized in the Managed Profile and not categorized in
    user 0.
      * Needs to define the system app as mlstrustedsubject
      * System App world readable data in the managed Profile cannot be
        accessed by a non-system app outside of the managed profile
      * Any world readable data in the managed Profile from a non-system App
        can be accessed by the system app if policy allows (Perhaps this case
        may not occur often).
  * System App in the Managed Profile not categorized
      * Doesn't need to define the system app as mlstrustedsubject
      * System App world readable data in the managed Profile can be accessed
        by a non-system app outside of the managed profile
      * Any world readable data in the managed Profile from a non-system App
        cannot be accessed by the system app, even when both are inside the
        managed profile. This may break apps. (Perhaps this case may not occur
        often).

Looks like option 1 is not only more secure but also more stable than option 2.

Your comments are welcome.

Regards,
Jinlin
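A toy MLS model of the two design choices, added here as an illustration; it is not part of Jinlin's mail or of the AOSP policy. It assumes a file read is allowed when the subject's level dominates the object's level or the subject domain carries mlstrustedsubject (the shape of Android's mlsconstrain for read), and that levelFrom=user yields categories 512 + (userid & 0xff) and 768 + ((userid >> 8) & 0xff) as libselinux computes them; the managed-profile user id 10 is a constructed value.

```python
# Added example (not from the mail or AOSP): toy MLS check for the two options.
# Assumed: read allowed iff subject level dominates object level or the subject
# domain carries mlstrustedsubject; levelFrom=user categories computed as in
# libselinux (512 + userid low byte, 768 + userid high byte); sensitivity is s0.

MANAGED_PROFILE = 10   # constructed user id for the AFW managed profile
USER_0 = 0             # primary user


def level_from_user(userid: int) -> frozenset:
    """Categories a process or data file gets from levelFrom=user (assumed)."""
    return frozenset({512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)})


def dominates(subject: frozenset, obj: frozenset) -> bool:
    """s0:<subject> dom s0:<obj> holds when obj's categories are a subset."""
    return obj <= subject


def may_read(subject: frozenset, trusted: bool, obj: frozenset) -> bool:
    """File read under the modelled mlsconstrain: dominance or trusted subject."""
    return trusted or dominates(subject, obj)


def option1() -> dict:
    """System app: levelFrom=user plus mlstrustedsubject; user-0 system data :s0."""
    profile = level_from_user(MANAGED_PROFILE)
    return {
        # non-system app in user 0 vs the system app's world-readable profile data
        "outsider_reads_sysdata": may_read(level_from_user(USER_0), False, profile),
        # system app in the profile vs a non-system app's world-readable data
        "sysapp_reads_appdata": may_read(profile, True, profile),
        # non-system app in user 0 vs system data kept at plain s0 (no categories)
        "user0_reads_user0_sysdata": may_read(level_from_user(USER_0), False, frozenset()),
    }


def option2() -> dict:
    """System app left uncategorized (s0 only) and not mlstrustedsubject."""
    plain = frozenset()
    return {
        "outsider_reads_sysdata": may_read(level_from_user(USER_0), False, plain),
        "sysapp_reads_appdata": may_read(plain, False, level_from_user(MANAGED_PROFILE)),
        "user0_reads_user0_sysdata": may_read(level_from_user(USER_0), False, plain),
    }
```

Calling option1() and option2() reproduces the two rows of the comparison: option 1 denies the outsider read and permits the in-profile system app read, option 2 does the reverse.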

_______________________________________________
Seandroid-list mailing list