Over the past couple weeks we've pushed a number of changes to the Eops
code as well as to supported tooling in order to extend the
functionality and appeal of this new mechanism. The changes include:
* Reload capability through /data/security/eops.xml. As with the other
middleware policies, the /data/security version gets precedence over its
/system/etc/security counterpart on boot.
* A new caching mechanism that should help speed up policy lookups.
Prior to this change, each operation lookup issued a separate call into
the PMS in order to retrieve the seinfo tag for the package requesting
the operation. This lookup is need to tie the seinfo string to the
policy stanza from the eops.xml policy. These lookups are now cached to
improve future lookups.
* Runtime policy updates without a reboot. No reboot is needed in order
to have new eops.xml files applied. A FileObserver has been placed on
the /data/security/eops.xml file that can handle policy reloads without
needing a reboot. Also of interest is that if the
/data/security/eops.xml is removed then the
/system/etc/security/eops.xml policy file is reloaded and used.
* Additions to the build*bundle suite of policy tools. Added
buildeopbundle which will create a policy bundle ready to be delivered
to the phone as an update using the ConfigUpdateInstallReceiver
mechainsm already in place in AOSP. A new EopsInstallReceiver.java class
was also added to the ConfigUpdateInstallReceiver mechanism to handle
the delivery of the updated policy.
* Additions to the SEAdmin app which can handle reloading the eops.xml
policy. This is achieved by pushing the eops_bundle.zip file, which is
produced by the buildeopbundle tool, to the sdcard. Then, by opening the
SEAdmin app and looking for the 'Middleware Policy' tab and then the
'Reload Eops Policy' option.
All these changes have been applied to our seandroid branches as well as
the various 4.3 branches. So you only need to do a repo sync to get the
fresh material. As always we welcome any feedback.
On 10/10/2013 03:57 PM, Stephen Smalley wrote:
This functionality is now also available on the seandroid-4.3 branch,
and the wiki has been updated to describe it,
http://selinuxproject.org/page/SEforAndroid#Middleware_MAC
On 10/10/2013 12:48 PM, rpcraig wrote:
Hi,
We've recently released a new set of middleware mac (MMAC) controls
that are working toward replacing the obsolete revoke-perms and cp_mac
branches. This new feature, called Eops (enterprise operations), is a
security extension to the AppOps (application operations) feature that
is already present on Android 4.3+ devices. While being hidden in AOSP,
AppOps lets users fine tune certain functionality requested by apps by
allowing the user to toggle access rights. Eops has exposed the
management console under the Settings app and provided an extension to
the AppOps security service code whereby a hard coded set of rules
explicitly denies certain access rights to groups of installed apps.
These extensions will allow an enterprise like control over certain
operations after an app has been successfully installed. Eops is not a
frontend for SELinux which somehow ties app permissions to SELinux
contexts. Rather, it is an extension of the MMAC controls that currently
exist on Android devices, using the seinfo labels that are already
assigned to apps upon install. Presently, Eops can not fully meet the
entire functionality and controls offered by the revoke-perms and cp_mac
projects. It is our goal to further explore ways to either bring the
remaining functionality of both revoke-perms and cp_mac over to this new
implementation or asses whether those additional controls and
functionality are truly needed. Regardless of implementation design, we
are no longer going to actively develop against the revoke-perms and
cp_mac branches. We see Eops as a viable way forward in this regard.
In order to try out this new feature you'll first need to be working
from our main seandroid branches and then update your local_manifest.xml
file; we've included the Settings app as a maintained project. Be sure
to copy the new local_manifest.xml to .repo/local_manifest.xml and then
simply do a repo sync. We've decided to keep this new feature set on our
main seandroid branches and might consider back porting to other
branches in the future. Some useful information about Eops and the
policy file that drives it can be found at external/sepolicy/eops.xml.
Feedback on design, implementation and feature-requests are always welcome.
Thanks
--
This message was distributed to subscribers of the seandroid-list
mailing list.
If you no longer wish to subscribe, send mail to [email protected]
with
the words "unsubscribe seandroid-list" without quotes as the message.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
