The other system is like an embedded Linux distribution.

These systems have separate exec files in a different partition, but some of 
them may have the same filename.

As you suggest, I think it's a good way to simply have the processes in the 
different systems run in different domains.
Then, compile the policies of both systems into a single sepolicy file.

But it seems that the non-Android system will have to follow Android's 
neverallows.
Is there any way to let the Android system pass the CTS test, and 
meanwhile let the other system add
some policies that may break Android's neverallows?
On 2016/1/1 4:58, Stephen Smalley wrote:
> On Tue, Dec 29, 2015 at 10:19 PM, weiyuan <[email protected]> wrote:
>> Dear ALL:
>>
>> Happy New Year!
>>
>> I want to run multiple isolated systems on the same kernel in a 
>> device simultaneously;
>> these systems will be isolated by running in different namespaces (one 
>> of these systems will be Android).
>> Since there is only one kernel, and these systems need to run 
>> simultaneously, that means there
>> will be only one sepolicy loaded into the kernel.
>>
>> In order to achieve minimal privileges for all processes in each system, 
>> and make use of the current Android policies,
>> I have thought of the following two ways:
>>
>> 1. Add "role r types xxxdomain;" in roles for each system, where these 
>> "xxxdomain" are attributes just like domain,
>>    and every system's init will run in a different "xxxdomain".
>>    So the processes created from the same exec file will be running 
>> in different domains.
>>
>> 2. Another way is to use the RBAC mechanism.
>>    Add a new user and a new role for each system, so processes of 
>> different systems will be running in different roles.
>>    (But I'm not sure how to make different systems enter different users/roles.)
>>
>>
>> What's your opinion of these two ways, and what's your suggestion for securing 
>> each system with SELinux?
>>
>>
>>
>> Another question: Will Android make use of RBAC in the future?
> 
> You said that only one of the systems will run Android.  What are the
> others running?  A conventional Linux distribution?  An embedded Linux
> distribution?
> 
> You said that processes created from the same exec file will be
> running in different domains.  That implies that the different
> "systems" are sharing a common partition containing executables.  What
> would that partition contain if the other systems are not in fact
> running Android?
> 
> You don't technically need to use separate users or roles in the
> security contexts, as you can simply run each child init process in
> its own domain and then prohibit any transitions from those child init
> domains to the domains used by the other systems.  You only need
> distinct roles if you want to share a domain across the systems but
> maintain some form of SELinux-enforced distinction among them, and
> even then, the distinction will only exist if you either define
> different sets of role-type authorizations or define constraints on
> roles.
> 
> I think you may find it challenging to pass the CTS tests, because
> they will read the policy and check the neverallows on all of the
> domains.  That includes neverallows designed to ensure that you can
> never transition from a domain to a non-domain and vice versa, so you
> can't simply avoid them by using domains that lack the domain
> attribute.
> 
> I don't know whether Android will ever use RBAC; I certainly wouldn't
> rule it out.


_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].

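As an added illustration that is not part of the thread, the following policy sketch shows what Stephen Smalley's suggestion (one init domain per system, with transitions between the systems prohibited) looks like in SELinux policy language as used in Android's sepolicy (checkpolicy syntax with Android's te_macros). Every type, attribute and domain name here (sysa_*, sysb_*, sysmgr) is hypothetical; `domain`, `exec_type`, `file_type` and `domain_auto_trans` are Android's own.

```selinux
# Added example, not from the thread: two isolated systems on one kernel,
# each with its own init domain, confined from each other by neverallow.
# All sysa_*/sysb_*/sysmgr names are hypothetical.

# One attribute per isolated system; every domain of that system carries it.
attribute sysa_domain;
attribute sysb_domain;

# Each system's init runs in its own domain.  Both keep Android's `domain`
# attribute: Android's neverallows are checked against every type carrying
# `domain`, and they also forbid transitions between `domain` and
# non-`domain` types, so dropping the attribute does not avoid them.
type sysa_init, domain, sysa_domain;
type sysb_init, domain, sysb_domain;

# The systems' executables live in different partitions, so an executable
# with the same filename can carry a different file label in each system.
type sysa_init_exec, exec_type, file_type;
type sysb_init_exec, exec_type, file_type;

# Automatic domain transition when each system's init is exec'd from a
# hypothetical launcher domain `sysmgr`.
type sysmgr, domain;
domain_auto_trans(sysmgr, sysa_init_exec, sysa_init)
domain_auto_trans(sysmgr, sysb_init_exec, sysb_init)

# Confinement between the systems: no process transition in either
# direction, and no signals or ptrace across the boundary.  neverallow is
# checked when the policy is compiled, so any allow rule added later that
# crosses the boundary makes the build fail rather than silently widening it.
neverallow sysa_domain sysb_domain:process { transition dyntransition sigkill sigstop signal ptrace };
neverallow sysb_domain sysa_domain:process { transition dyntransition sigkill sigstop signal ptrace };
```

This sketch only covers the isolation between the systems; it does not help with the question raised in the reply above, because neverallow rules are evaluated over the whole compiled policy, so a rule the second system needs that contradicts one of Android's neverallows will fail at compile time regardless of which system's domains it concerns.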