On 11/30/2015 05:56 AM, GPS wrote:

Hi Stephen, Thanks for taking time to reply.


    2. If you need to assign a specific domain to a system app, you can use
    seapp_contexts for that purpose.


This is precisely what I need help with. I would like to keep a system
apk, instead of a daemon. I have written an apk that implements my
service, its own aidl etc.

This service is meant to be called from apps, which might come from
play-store etc (i.e. will be untrusted/third party, but might consider
signature security etc). Ideally I would like the service to be started
or bound from these apps, but, if required, I can also start the service
from BOOT_COMPLETED intent if it helps.

Can you please guide me on what to modify in seapp_contexts file? I do
not fully understand this file. In AOSP, following are the contents of
file externals/sepolicy/seapp_contexts:

....
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
...

What does it represent? Do all apps started by "system" user get
"system_app" context? How to ensure that a specific *user* owns the
process of the service I am interested in? Or is it the other way around?

First, if you haven't already seen them, let me point you to some resources for Android SELinux information:
SELinux in Android, https://source.android.com/security/selinux/index.html
SE for Android web site, http://seandroid.bitbucket.org/index.html
SE for Android mailing list, subscribe via email to
seandroid-list-j...@tycho.nsa.gov
SELinux mailing list, subscribe via email to selinux-j...@tycho.nsa.gov
Presentation from ABS2014 (slides 29- on Labeling Apps), http://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf

Yes, by default, all apps that run with the system UID (if they specify that in their manifest, via sharedUserId) are automatically placed into the system_app domain, and likewise for other predefined platform UIDs. However, most apps do not need to specify a particular UID and will just run in a system-selected app UID, which corresponds to the entries with user=_app in seapp_contexts. You can run your app in a specific domain by specifying an entry that also includes a name= field with your app's package name, but you'll need to then also specify a seinfo= field that ties the app to a particular signature (which you can add to mac_permissions.xml if it is not already defined).

Suggest taking follow-ups to seandroid-list.
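To make the matching described above concrete, here is an added example (not code from this thread, from AOSP or from libselinux): a simplified Python model of how seapp_contexts selects a domain for a starting process. The package name com.example.myservice, the seinfo value "myservice" and the domain myservice_app are hypothetical, the "most selectors wins" precedence rule only approximates libselinux's ordering, and seinfo is taken as already resolved from the app's signing certificate via mac_permissions.xml.

```python
INPUT_KEYS = ("isSystemServer", "user", "seinfo", "name")  # selectors modelled here

# Constructed sample: the AOSP lines quoted in the thread, a default _app entry, and
# a hypothetical entry pinning package com.example.myservice (signer assumed mapped
# to seinfo "myservice" in mac_permissions.xml) to the domain myservice_app.
SEAPP_CONTEXTS = """\
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=bluetooth domain=bluetooth type=bluetooth_data_file
user=nfc domain=nfc type=nfc_data_file
user=_app domain=untrusted_app type=app_data_file levelFrom=user
user=_app seinfo=myservice name=com.example.myservice domain=myservice_app type=app_data_file levelFrom=user
"""

def parse(text):
    """Parse key=value lines. A name= selector without seinfo= is rejected here:
    a package name is chosen by the app author and proves nothing by itself."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        entry = dict(tok.split("=", 1) for tok in line.split())
        if "name" in entry and "seinfo" not in entry:
            raise ValueError("name= requires seinfo=: " + line)
        entries.append(entry)
    return entries

def matches(entry, ctx):
    """Every selector present in the entry must equal the process attribute;
    isSystemServer defaults to false, so ordinary entries never match system_server."""
    for key in INPUT_KEYS:
        want = entry.get(key, "false" if key == "isSystemServer" else None)
        if want is not None and want != ctx.get(key, "false"):
            return False
    return True

def resolve(entries, ctx):
    """Domain of the most specific matching entry (most selectors), else None."""
    hits = [e for e in entries if matches(e, ctx)]
    return max(hits, key=lambda e: sum(k in e for k in INPUT_KEYS))["domain"] if hits else None

ENTRIES = parse(SEAPP_CONTEXTS)

def domain_for(user, seinfo="default", name="", system_server=False):
    """user is the platform name ("system", "nfc", ...) for a fixed UID and "_app"
    for any app-range UID, roughly the user name libselinux derives from the UID."""
    ctx = {"isSystemServer": "true" if system_server else "false",
           "user": user, "seinfo": seinfo, "name": name}
    return resolve(ENTRIES, ctx)

print(domain_for("system"))                                      # system_app
print(domain_for("_app", "myservice", "com.example.myservice"))  # myservice_app
print(domain_for("_app", "default", "com.example.myservice"))    # untrusted_app
```

The third call shows why the seinfo= field matters: an app that merely reuses the package name but is signed with a different certificate gets the ordinary untrusted_app domain.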
