On 06/03/2013 10:58 AM, Thomas COUDRAY wrote:
Hi all,
I have a question about isolating apps from each other. I use the samsung
default policy.
*From The SELinux Notebook p299:*
Use of MLS categories to isolate apps
But when I use ps -Z, all app processes are labeled like this
"u:r:untrusted_app:s0" / "u:r:system_app:s0" / "u:r:samsung_app:s0".
They are all in the same category (s0).
That means that any process can interact with an s0 process from a
category perspective.
And all processes with the same type (untrusted_app_t) and no
categories (s0) can affect each other from a selinux perspective.
Someone told me that the reason why all untrusted apps have no
categories may be to protect the remaining system resources that do have
categories.
But I can't find system resources that have a category. Where are MLS used?
I don't know if I misunderstand something, but can any app (in the
same label) affect another app (from a selinux perspective)?
If it's true, how can I isolate my own new app? (make a new policy and
use type enforcement on it?)
I assume you are referring to the Galaxy S4 policy?
If so, then my impression is that they are not using the per-app MLS
category support from our sample policy but are instead only using MLS
categories for their container implementation. I can't speak to the
specifics of that, as it was done by Samsung, not us. You can see for
yourself by looking at their seapp_contexts configuration file and
seeing how/if it uses the levelFrom and level specifiers.
Assuming that is correct, you do not have SELinux-enforced separation
between every app, only between "containers" (however that is defined).
You do however have separation between untrusted_app and other
domains/types on the system, so exactly how untrusted_app can interact
with samsung_app or other app domains or system domains like vold, and
how untrusted_app can access system files is all controlled by the TE
policy.
Also, my understanding is that the GS4 shipped with SELinux in
permissive mode by default, so you will have to put it into enforcing
mode yourself to have it enforce anything. At least the model I have
seen also disabled all AVC logging, so you would need to rebuild the
kernel from source to enable that for policy debugging.
If you are able to replace the seapp_contexts configuration on the
device or override it via /data/security/seapp_contexts, you could
re-enable the levelFrom support if you want such isolation, or you could
define a separate TE domain for your app.
--
This message was distributed to subscribers of the seandroid-list mailing list.
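As an added illustration, not part of this thread, of what the reply means by the levelFrom specifier: a small parser for constructed seapp_contexts entries that derives the per-app MLS level the way AOSP libselinux's android.c does (the category arithmetic and offsets are modeled on that code and should be treated as an assumption), showing that without levelFrom every app lands on plain s0 while with it each app uid gets its own categories.

```python
AID_USER = 100000  # uid range per Android user (assumption: AOSP constant)

# Constructed seapp_contexts lines (hypothetical, not from any device):
# the first resembles a file with no per-app MLS, the second enables it.
SEAPP_NO_MLS = "user=_app domain=untrusted_app type=app_data_file\n"
SEAPP_PER_APP = "user=_app domain=untrusted_app type=app_data_file levelFrom=app\n"


def parse_seapp_contexts(text):
    """Parse key=value tokens per line into dicts; skip blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def mls_level(entry, uid):
    """Derive the MLS level for an app uid from the entry's level/levelFrom.

    Category layout mirrors libselinux android.c (assumption): two categories
    from the appid and two from the userid, in disjoint ranges.
    """
    base = entry.get("level", "s0")
    mode = entry.get("levelFrom", "none")
    userid, appid = divmod(uid, AID_USER)
    app_cats = [appid & 0xff, 256 + ((appid >> 8) & 0xff)]
    user_cats = [512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)]
    if mode == "app":
        cats = app_cats
    elif mode == "user":
        cats = user_cats
    elif mode == "all":
        cats = app_cats + user_cats
    else:
        return base  # no levelFrom: every app shares the bare level, e.g. s0
    return base + ":" + ",".join("c%d" % c for c in cats)


def app_context(entry, uid, seuser="u"):
    """Full process context such as u:r:untrusted_app:s0:c17,c295."""
    return "%s:r:%s:%s" % (seuser, entry["domain"], mls_level(entry, uid))


def mls_distinct(ctx_a, ctx_b):
    """True when two contexts differ in their MLS range (4th colon field)."""
    return ctx_a.split(":", 3)[3] != ctx_b.split(":", 3)[3]
```

Running mls_distinct over two app contexts from the no-levelFrom entry returns False, which is the "all s0" situation seen with ps -Z in the question.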