Dear ALL: Happy New Year!
I want to run multiple isolated systems on the same kernel in a device simultaneously; these systems will be isolated by running in different namespaces (one of these systems will be Android). Since there is only one kernel, and these systems need to run simultaneously, that means there will be only one sepolicy loaded into the kernel. In order to achieve minimal privileges for all processes in each system, and to make use of the current Android policies, I have thought of the following two ways:

1. Add "role r types xxxdomain;" in roles for each system, where these "xxxdomain" are attributes just like domain, and every init of the systems will run in a different "xxxdomain". So processes created from the same exec file will be running in different domains.

2. Another way is to use the RBAC mechanism: add a new user and a new role for each system, so processes of different systems will be running in different roles. (But I'm not sure how to let different systems enter different users/roles.)

What's your opinion of these two ways, and what's your suggestion to secure each system with SELinux?

Another question: Will Android make use of RBAC in the future?

Regards,
Weiyuan

Seandroid-list mailing list
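The first approach from the message above, written out as an added SELinux policy fragment. This is example code, not part of the original post and not from any Android or AOSP policy: two per-system attributes partition every process domain, each system's init gets its own domain, the same executable label transitions into a different domain depending on which system's init spawns it, and `neverallow` rules make cross-system process access a policy build error. All names (`sys_a`, `sys_b`, `sys_a_domain`, `sys_b_domain`, `sys_a_init`, `sys_a_shell`, and so on) are assumptions; `domain`, `kernel`, `shell_exec` and the single role `r` are the conventional Android names, assumed to exist in the policy this fragment is merged into.

```selinux
# Added example (not from the original post or from Android's policy).
# Assumed: the surrounding policy already declares the attribute `domain`,
# the types `kernel` and `shell_exec`, and the single Android role `r`.

# One attribute per isolated system, modelled on Android's `domain`
# attribute. Every process type of a system carries its system's tag.
attribute sys_a_domain;
attribute sys_b_domain;

# Each system's init is its own domain. Both remain members of `domain`,
# so the existing Android rules keyed on `domain` keep applying to them.
type sys_a_init, domain, sys_a_domain;
type sys_b_init, domain, sys_b_domain;

# A domain for a shell started by each init. Same executable, two domains.
type sys_a_shell, domain, sys_a_domain;
type sys_b_shell, domain, sys_b_domain;

# Android uses a single role `r`; the per-system split lives in the
# attributes, so every tagged domain is simply authorised for `r`.
role r types sys_a_domain;
role r types sys_b_domain;

# The same exec file (labelled shell_exec) lands in a different domain
# depending on which system's init executes it. This is what makes
# "processes created from the same exec file run in different domains".
allow sys_a_init shell_exec:file { read getattr open execute };
allow sys_a_init sys_a_shell:process transition;
allow sys_a_shell shell_exec:file { read getattr open execute entrypoint };
type_transition sys_a_init shell_exec:process sys_a_shell;

allow sys_b_init shell_exec:file { read getattr open execute };
allow sys_b_init sys_b_shell:process transition;
allow sys_b_shell shell_exec:file { read getattr open execute entrypoint };
type_transition sys_b_init shell_exec:process sys_b_shell;

# Isolation invariants, enforced when the policy is compiled rather than
# at runtime: no process of one system may act on a process of the other
# (ptrace, signals, transitions, sched changes, ...), and the two systems
# share no Unix-domain sockets.
neverallow sys_a_domain sys_b_domain:process *;
neverallow sys_b_domain sys_a_domain:process *;
neverallow sys_a_domain sys_b_domain:{ unix_stream_socket unix_dgram_socket } *;
neverallow sys_b_domain sys_a_domain:{ unix_stream_socket unix_dgram_socket } *;

# Completeness check: a domain that belongs to neither system may not hold
# any process permission, not even on itself, so an untagged domain fails
# the build instead of silently escaping the partition. Domains that are
# genuinely shared by all systems (here only `kernel`) are listed as
# explicit exceptions.
neverallow { domain -sys_a_domain -sys_b_domain -kernel } *:process *;
```

The fragment covers the process side only; file, socket and property isolation need the same treatment (a per-system file type for each system's data, with matching `neverallow` rules), otherwise two differently labelled shells could still meet through a shared file. The `neverallow` lines are the part worth keeping even if the domain layout changes: they turn the "each system is isolated" claim into something the policy compiler verifies on every build.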
