On Tue, Dec 29, 2015 at 10:19 PM, weiyuan <[email protected]> wrote:
> Dear ALL:
>
> Happy New Year!
>
> I want to run multiple isolated systems on the same kernel in a device
> simultaneously; these systems will be isolated by running in different
> namespaces (one of these systems will be Android).
> Since there is only one kernel, and these systems need to run simultaneously,
> that means there will be only one sepolicy loaded into the kernel.
>
> In order to achieve minimal privileges for all processes in each system,
> and make use of the current Android policies,
> I have thought of the following two ways:
>
> 1. Add "role r types xxxdomain;" in roles for each system, where these
> "xxxdomain" are attributes just like domain,
> and every init of the systems will run in a different "xxxdomain".
> So the processes created from the same exec file will be running
> in different domains.
>
> 2. Another way is to use the RBAC mechanism.
> Adding a new user and a new role for each system, so processes of different
> systems will be running in different roles.
> (But I'm not sure how to let different systems enter different users/roles.)
>
> What's your opinion of these two ways, and what's your suggestion to secure
> each system with SELinux?
>
> Another question: Will Android make use of RBAC in the future?
You said that only one of the systems will run Android. What are the others running? A conventional Linux distribution? An embedded Linux distribution?

You said that processes created from the same exec file will be running in different domains. That implies that the different "systems" are sharing a common partition containing executables. What would that partition contain if the other systems are not in fact running Android?

You don't technically need to use separate users or roles in the security contexts, as you can simply run each child init process in its own domain and then prohibit any transitions from those child init domains to the domains used by the other systems. You only need distinct roles if you want to share a domain across the systems but maintain some form of SELinux-enforced distinction among them, and even then, the distinction will only exist if you either define different sets of role-type authorizations or define constraints on roles.

I think you may find it challenging to pass the CTS tests, because they will read the policy and check the neverallows on all of the domains. That includes neverallows designed to ensure that you can never transition from a domain to a non-domain and vice versa, so you can't simply avoid them by using domains that lack the domain attribute.

I don't know whether Android will ever use RBAC; I certainly wouldn't rule it out.
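The layout the reply describes, as an added policy sketch that is not part of the thread and not taken from AOSP's own policy: one child init domain per guest system, the same executable landing in a different domain depending on which init launched it, neverallow rules that forbid process transitions across the boundary, and the role-plus-constraint variant for the one case where a domain really must be shared. Every type, attribute and role name (init_a, init_b, sys_a_domain, sys_b_domain, shell_a, shell_b, shared_daemon, r_a, r_b) is assumed for illustration; the macros domain_auto_trans() and init_daemon_domain(), the attributes domain, exec_type and file_type, the type shell_exec, and the role r / user u are the ones AOSP's policy defines.

```selinux
# Constructed example; none of the *_a / *_b names exist in AOSP policy.

# One attribute per guest system so a neverallow can name "everything in A".
attribute sys_a_domain;
attribute sys_b_domain;

# Each child init keeps the `domain` attribute, so the AOSP neverallows that
# forbid transitions between domains and non-domains are still satisfied.
type init_a, domain, sys_a_domain;
type init_a_exec, exec_type, file_type;
type init_b, domain, sys_b_domain;
type init_b_exec, exec_type, file_type;

# Android's init starts each guest init in its own domain
# (init_daemon_domain(x) expands to a domain_auto_trans(init, x_exec, x)).
init_daemon_domain(init_a)
init_daemon_domain(init_b)

# The same executable (here AOSP's shell_exec) runs in a different domain
# depending on which init execs it. No roles are involved.
type shell_a, domain, sys_a_domain;
type shell_b, domain, sys_b_domain;
domain_auto_trans(init_a, shell_exec, shell_a)
domain_auto_trans(init_b, shell_exec, shell_b)

# The isolation itself: no process transition in either direction between the
# two systems' domains. Enforced at policy build time and re-checked by any
# tool that reads neverallows out of the compiled policy.
neverallow sys_a_domain sys_b_domain:process { transition dyntransition };
neverallow sys_b_domain sys_a_domain:process { transition dyntransition };

# Only if one domain must be shared by both systems does RBAC add anything.
# A role per system, authorised for that system's types plus the shared one,
# entered on exec of the guest init, and a constraint that SELinux enforces
# whenever the two roles differ (here: no signals or ptrace across roles).
type shared_daemon, domain;
role r_a;
role r_b;
role r_a types { sys_a_domain shared_daemon };
role r_b types { sys_b_domain shared_daemon };
allow r r_a;
allow r r_b;
role_transition r init_a_exec r_a;
role_transition r init_b_exec r_b;

# These two statements go with the policy's other user and constraint
# declarations (after the type/rule section), not inline with the rules above.
user u roles { r r_a r_b };
constrain process { signal sigkill sigstop ptrace } ( r1 == r2 );
```

A practitioner would verify the first half the same way CTS-style checks do, against the compiled policy rather than the source: `sepolicy-analyze sepolicy neverallow -n "neverallow sys_a_domain sys_b_domain:process transition;"` reports any allow rule that violates it, and `sesearch -A -s init_a -t shell_b -c process -p transition sepolicy` should print nothing. Without the `constrain` line the role variant provides no enforcement at all, which is the point the reply makes about needing either distinct role-type authorisations or a role constraint.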
