Stephen Smalley wrote:
On Fri, 2012-09-28 at 09:16 -0400, Stephen Smalley wrote:
On Thu, 2012-09-27 at 22:00 -0400, Joshua Brindle wrote:
Stephen Smalley wrote:
On Thu, 2012-09-27 at 09:34 -0400, Stephen Smalley wrote:
<snip>
For now I would recommend at least this patch, to disable levelFromUid
for isolated services. You'll still need to add allow rules for the
interactions with the app domain, but you shouldn't need
mlstrustedsubject.

Should we add rules to allow appdomain access to isolated_app? If
isolated services is now encouraged it will be more common, right?
Yes, I think so.

So, to clarify, if you apply the change to disable levelFromUid and add
allow rules based on the denials you saw and re-test Chrome and confirm
that it works with no further denials, then you can submit that patch.


Did not entirely do the job:

<5>[ 151.940826] type=1400 audit(1348872749.366:19): avc: denied { search } for pid=2197 comm="dboxed_process0" name="com.android.chrome" dev=dm-0 ino=578620 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0:c57,c256 tclass=dir

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
the words "unsubscribe seandroid-list" without quotes as the message.
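
Added example, not part of the original thread: a small Python triage of the denial quoted above. It extracts the type-enforcement rule the denial names and compares the MLS levels of the two contexts, where the source at s0 carries neither of the target's categories c57 and c256. The function names are hypothetical, and the dominance check is the standard SELinux rule (sensitivity at least as high, categories a superset); which MLS constraints actually apply depends on the policy in use.

```python
import re

# Denial line copied from the message above.
DENIAL = ('type=1400 audit(1348872749.366:19): avc: denied { search } for pid=2197 '
          'comm="dboxed_process0" name="com.android.chrome" dev=dm-0 ino=578620 '
          'scontext=u:r:isolated_app:s0 '
          'tcontext=u:object_r:app_data_file:s0:c57,c256 tclass=dir')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
                    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def split_context(ctx):
    """user:role:type:level -> (type, level); the level itself may contain ':'."""
    _user, _role, type_, level = ctx.split(':', 3)
    return type_, level

def parse_level(level):
    """'s0:c57,c256' -> (0, {57, 256}). For a low-high range, use the low level."""
    low = level.split('-', 1)[0]
    sens, _, cats = low.partition(':')
    catset = set()
    for item in filter(None, cats.split(',')):
        first, _, last = item.partition('.')   # 'c0.c3' means c0 through c3
        lo = int(first[1:])
        hi = int(last[1:]) if last else lo
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), catset

def dominates(a, b):
    """True when level a has sensitivity >= b and a superset of b's categories."""
    (sa, ca), (sb, cb) = parse_level(a), parse_level(b)
    return sa >= sb and ca >= cb

def analyze(line):
    """Return the TE rule named by the denial plus the MLS comparison, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, slevel = split_context(m['scon'])
    ttype, tlevel = split_context(m['tcon'])
    perms = ' '.join(m['perms'].split())
    return {
        'te_rule': f"allow {stype} {ttype}:{m['tclass']} {{ {perms} }};",
        'source_dominates_target': dominates(slevel, tlevel),
        'missing_categories': sorted(parse_level(tlevel)[1] - parse_level(slevel)[1]),
    }

if __name__ == '__main__':
    print(analyze(DENIAL))
```
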
