This functionality is now also available on the seandroid-4.3 branch, and the wiki has been updated to describe it: http://selinuxproject.org/page/SEforAndroid#Middleware_MAC

On 10/10/2013 12:48 PM, rpcraig wrote:
> Hi,
>
> We've recently released a new set of middleware mac (MMAC) controls
> that are working toward replacing the obsolete revoke-perms and cp_mac
> branches. This new feature, called Eops (enterprise operations), is a
> security extension to the AppOps (application operations) feature that
> is already present on Android 4.3+ devices. While being hidden in AOSP,
> AppOps lets users fine-tune certain functionality requested by apps by
> allowing the user to toggle access rights. Eops has exposed the
> management console under the Settings app and provided an extension to
> the AppOps security service code whereby a hard-coded set of rules
> explicitly denies certain access rights to groups of installed apps.
> These extensions will allow an enterprise-like control over certain
> operations after an app has been successfully installed. Eops is not a
> frontend for SELinux which somehow ties app permissions to SELinux
> contexts. Rather, it is an extension of the MMAC controls that currently
> exist on Android devices, using the seinfo labels that are already
> assigned to apps upon install. Presently, Eops cannot fully meet the
> entire functionality and controls offered by the revoke-perms and cp_mac
> projects. It is our goal to further explore ways to either bring the
> remaining functionality of both revoke-perms and cp_mac over to this new
> implementation or assess whether those additional controls and
> functionality are truly needed. Regardless of implementation design, we
> are no longer going to actively develop against the revoke-perms and
> cp_mac branches. We see Eops as a viable way forward in this regard.
>
> In order to try out this new feature you'll first need to be working
> from our main seandroid branches and then update your local_manifest.xml
> file; we've included the Settings app as a maintained project. Be sure
> to copy the new local_manifest.xml to .repo/local_manifest.xml and then
> simply do a repo sync. We've decided to keep this new feature set on our
> main seandroid branches and might consider backporting to other
> branches in the future. Some useful information about Eops and the
> policy file that drives it can be found at external/sepolicy/eops.xml.
> Feedback on design, implementation and feature requests is always welcome.
>
> Thanks
>
> --
> This message was distributed to subscribers of the seandroid-list
> mailing list.
> If you no longer wish to subscribe, send mail to [email protected] with
> the words "unsubscribe seandroid-list" without quotes as the message.
