On 03/22/2013 10:22 AM, Richard Haines wrote:
> Problem: setool/MMAC are interpreting the mac_permissions.xml contents
> incorrectly when there are two entries using the same signature.
>
> For example when using setool to generate mac_permissions.xml entries for
> two apps sharing the same signature it will generate two separate entries:
>
> setool --build whitelist SEAndroidDemo.apk SEAndroidDemoB.apk
>
> <signer signature="-Same signature as seandroiddemob-">
>   <package name="com.example.seandroiddemo">
>     <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
>     <allow-permission name="android.permission.SEND_SMS" />
>     <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
>     <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
>   </package>
> </signer>
> <signer signature="-Same signature as seandroiddemo-">
>   <package name="com.example.seandroiddemob">
>     <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
>   </package>
> </signer>

In this case the internal logic of install-MMAC will replace the first
stanza by the second one (because the sigs match). We noted this
limitation in some of the comments in the head of the mac_permissions.xml
file. We presently don't have a way to handle multiple, duplicate tags.
A potential way to solve this is with a set of precedence rules on the
input selectors.

> Adding the above to mac_permissions.xml and running setool:
>
> setool --policy external/sepolicy/mac_permissions.xml SEAndroidDemo.apk SEAndroidDemoB.apk
>
> Gives:
>
> MMAC policy failed for com.example.seandroiddemo (./SEAndroidDemo.apk).
> Signature based policy (3082...e41a) checked.
> null
> Default policy stanza checked.
> Policy blacklist rejected package com.example.seandroiddemo
> Denied permission android.permission.WRITE_EXTERNAL_STORAGE
> Set of blacklisted permissions is:
> android.permission.ACCESS_COARSE_LOCATION
> android.permission.ACCESS_FINE_LOCATION
> android.permission.AUTHENTICATE_ACCOUNTS
> android.permission.CALL_PHONE
> android.permission.CAMERA
> android.permission.READ_LOGS
> android.permission.WRITE_EXTERNAL_STORAGE

This seems correct. The SEAndroidDemo.apk only has the second stanza for
the sig check (because of the explanation above), fails that, and
falls to the default stanza, which fails on the blacklist from
android.permission.WRITE_EXTERNAL_STORAGE.

> Running the emulator will produce the following errors in logcat:
>
> I/SELinuxMMAC( 301): package (com.example.seandroiddemob) installed with seinfo=null
> W/SELinuxMMAC( 301): MMAC_DENIAL: Policy blacklisted permission android.permission.WRITE_EXTERNAL_STORAGE for package com.example.seandroiddemo
> W/PackageManager( 301): Installing application package com.example.seandroiddemo failed due to policy.

Correct again. The seandroiddemob is installed based on the second
stanza you've supplied but has no seinfo tag, and so the seinfo value is
null. The other package fails for the same reason the setool gave. No
sig stanza passes and so it ultimately fails on the default stanza.

> However if they are added as a single signature entry as shown, then setool and
> MMAC are both okay.
>
> <signer signature="-signature-">
>   <package name="com.example.seandroiddemo">
>     <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
>     <allow-permission name="android.permission.SEND_SMS" />
>     <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
>     <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
>   </package>
>   <package name="com.example.seandroiddemob">
>     <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
>   </package>
> </signer>

Correct. Now, no stanza is replaced.

> So should setool and MMAC be modified to handle either case?

This is certainly a viable path to take. I imagine more of a set of
precedence rules based on input selectors where stanzas are not
replaced. This is certainly the path we are taking with our other
middleware components, i.e. intent_mac and content providers.
Richard
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to majord...@tycho.nsa.gov with
the words "unsubscribe seandroid-list" without quotes as the message.
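Added illustration, not code from setool, MMAC or the seandroid tree: a small model of the behaviour discussed in the thread, where keying mac_permissions.xml stanzas by signature makes a second <signer> with the same signature replace the first, beside a loader that merges the <package> children instead. The placeholder signature "SIG_A", the assumed manifest permissions of SEAndroidDemo.apk, and the order of checks in check_app (signature stanza, then the default blacklist) are assumptions for the example; the blacklist itself is the one setool printed above.

```python
"""Added illustration (not setool/MMAC code) of how duplicate <signer>
stanzas in mac_permissions.xml behave when stanzas are keyed by signature,
versus when <package> children under the same signature are merged.
The permission check is a simplified model: a package listed under the
app's signer is allowed only the permissions whitelisted there; a package
not listed falls through to the default stanza's blacklist."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed policy mirroring the thread's two-stanza setool output; the
# signature value "SIG_A" is a placeholder for the real certificate hex.
SPLIT_POLICY = """<policy>
  <signer signature="SIG_A">
    <package name="com.example.seandroiddemo">
      <allow-permission name="android.permission.READ_EXTERNAL_STORAGE" />
      <allow-permission name="android.permission.SEND_SMS" />
      <allow-permission name="android.permission.WRITE_EXTERNAL_STORAGE" />
      <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
    </package>
  </signer>
  <signer signature="SIG_A">
    <package name="com.example.seandroiddemob">
      <allow-permission name="com.example.seandroiddemo.permission.DEADLY_ACTIVITY" />
    </package>
  </signer>
</policy>"""

# Default-stanza blacklist as printed by setool in the thread.
DEFAULT_BLACKLIST = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.CALL_PHONE",
    "android.permission.CAMERA",
    "android.permission.READ_LOGS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed manifest permissions of SEAndroidDemo.apk (the set setool whitelisted).
DEMO_REQUEST = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "com.example.seandroiddemo.permission.DEADLY_ACTIVITY",
}


def _packages(signer):
    """Map package name -> set of allow-permission names under one <signer>."""
    return {
        pkg.get("name"): {p.get("name") for p in pkg.findall("allow-permission")}
        for pkg in signer.findall("package")
    }


def duplicate_signatures(xml_text):
    """Lint: signatures that appear in more than one <signer> stanza."""
    counts = Counter(s.get("signature") for s in ET.fromstring(xml_text).findall("signer"))
    return sorted(sig for sig, n in counts.items() if n > 1)


def load_replacing(xml_text):
    """Key stanzas by signature: a later duplicate replaces the earlier one."""
    by_sig = {}
    for signer in ET.fromstring(xml_text).findall("signer"):
        by_sig[signer.get("signature")] = _packages(signer)
    return by_sig


def load_merging(xml_text):
    """Accumulate <package> entries per signature instead of replacing them."""
    by_sig = defaultdict(dict)
    for signer in ET.fromstring(xml_text).findall("signer"):
        sig = signer.get("signature")
        for name, perms in _packages(signer).items():
            # Union, so a repeated package name adds rights rather than dropping them.
            by_sig[sig].setdefault(name, set()).update(perms)
    return dict(by_sig)


def check_app(policy, sig, package, requested):
    """Return (allowed, reason) for an app signed with `sig` requesting `requested`."""
    pkgs = policy.get(sig, {})
    if package in pkgs:
        extra = requested - pkgs[package]
        if extra:
            return False, "signature stanza denies " + ", ".join(sorted(extra))
        return True, "signature stanza matched"
    denied = requested & DEFAULT_BLACKLIST
    if denied:
        return False, "default stanza blacklisted " + ", ".join(sorted(denied))
    return True, "default stanza"


if __name__ == "__main__":
    print("duplicate signers:", duplicate_signatures(SPLIT_POLICY))
    for label, loader in (("replace", load_replacing), ("merge", load_merging)):
        policy = loader(SPLIT_POLICY)
        print(label, "packages under SIG_A:", sorted(policy["SIG_A"]))
        print(label, check_app(policy, "SIG_A", "com.example.seandroiddemo", DEMO_REQUEST))
```

With the replacing loader, com.example.seandroiddemo disappears from the SIG_A stanza and is rejected by the default blacklist for WRITE_EXTERNAL_STORAGE, the same outcome setool and logcat report above; with the merging loader both packages survive and the install passes on the signature stanza. The duplicate_signatures lint is the check worth running over a generated mac_permissions.xml before it ships, since the replacement happens silently.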