Dear Mr. Craig,
Thank you very much for the answer. I followed your steps but unfortunately
I could install apps signed with my own key that need the permissions I am
denying. Could you please verify the following steps I have done so far:
------------------------------------------
1.) mac_permissions.xml
I created a new signer tag:
<!-- university key -->
<signer signature="@UNIVERSITY">
  <seinfo value="university" />
  <package name="com.example.seandroid_connectinternet" >
    <deny-permission name="android.permission.INTERNET" />
    <deny-permission name="android.permission.ACCESS_NETWORK_STATE" />
    <seinfo value="university" />
  </package>
</signer>
When checking the new mac_permissions.xml file with setool I get the
message that the policy is passed, but it shouldn't; the app requested
permissions for INTERNET and ACCESS_NETWORK_STATE:
"MMAC policy passed for com.example.seandroid_connectinternet
(/home/..../apps/signed_apk/SEAndroid-ConnectInternet_signed.apk)"
Then I put the deny-permission tags into the default tag and I am receiving:
"MMAC policy failed for com.example.seandroid_connectinternet
(/home/..../apps/signed_apk/SEAndroid-ConnectInternet_signed.apk).
null
Default policy stanza checked.
Policy blacklist rejected package com.example.seandroid_connectinternet
Denied permission android.permission.INTERNET
Set of blacklisted permissions is:
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET"
I deleted the default tag and get the message that no policy stanza is
checked. There might be something wrong with my signature. How can I debug
this issue? Do you have an idea what went wrong?
2.) keys.conf
I created a new signature pair and put my private key into
"build/target/product/security"
# University
[@UNIVERSITY]
ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/university.x509.pem
3.) seapp_contexts
Regarding your information, I copied the untrusted_app entry and changed
some values. I thought it would be nice to have my own custom domain so I
changed the untrusted_app domain to my custom university_app domain.
Therefore I changed the content of the te_macros file (see 4.).
user=_app seinfo=university domain=university_app type=app_data_file levelFrom=app
4.) te_macros
I copied the untrusted_app macro to create my own
#####################################
# universityapp_domain(domain, file_type)
# Allow a base set of permissions required for all university apps.
define(`university_domain', `
# The new domain is part of universityappdomain
typeattribute $1 universityappdomain;
# The new university appdomain is a part of appdomain
app_domain($1)
# Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty($1)
# App sandbox file accesses.
# Possibly create a new sandbox for this app
allow $1 $2:dir create_dir_perms;
allow $1 $2:notdevfile_class_set create_file_perms;
')
5.) university.te
I created a custom domain policy file, the content is currently the same as
in untrusted.te but with my custom domain
type university_app, domain;
universityapp_domain(university_app, app_data_file)
net_domain(university_app)
bluetooth_domain(university_app)
allow universityappdomain tun_device:chr_file rw_file_perms;
# ASEC
allow universityappdomain asec_apk_file:dir { getattr };
allow universityappdomain asec_apk_file:file r_file_perms;
# Create tcp/udp sockets
allow universityappdomain node_type:{ tcp_socket udp_socket } node_bind;
allow universityappdomain self:{ tcp_socket udp_socket } { create_socket_perms accept listen };
# Bind to a particular hostname/address/interface (e.g., localhost) instead of
# ANY. Normally, apps should not be listening on all interfaces.
allow universityappdomain port:{ tcp_socket udp_socket } name_bind;
------------------------------------------------------------
- Do you find any errors?
- As far as my knowledge of SEAndroid goes, I have done install MAC and
kernel policy, because of the custom domain and university.te file, is this
correct?
- Do you recommend using the untrusted app domain instead of my custom
university app domain?
I am looking forward to your answer, thank you very much for your effort!
2013/12/2 Robert Craig <[email protected]>
> You can always add a signature stanza to the mac_permissions.xml file.
> Invoking the command "setool --build keys YourApp.apk" will give you the
> X.509 certificate needed for that stanza. You'll want to follow the example
> stanzas already in the mac_permissions.xml file as to how to
> construct the rest of the signature stanza. Some things to note are, be
> sure to add an seinfo tag as that is what the seapp_contexts configuration
> file uses to label the app process and app package directory, and be sure
> to detail the maximal set of permissions that your app or group of apps
> will be allowed on install. You'll then want to follow this with adding a
> new line to the seapp_contexts file that uses the seinfo tag you described
> with your signature stanza in the mac_permissions.xml file.
>
>
> On Thu, Nov 28, 2013 at 8:50 AM, Severin Friede <[email protected]> wrote:
>
>> I need your help for my next issue. When browsing through the
>> "external/sepolicy" folder I found out that SEAndroid is able to recognize
>> apps by the signed key and assign them in the appropriate domain. Is it
>> possible to extend this behavior with my own signing key? I want to assign
>> my own apps (signed with my key) to a custom domain and provide different
>> permissions for them.
>>
>
>
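
As an added example (not part of the original message or of the SEAndroid tooling), one way to check whether a signer stanza can match the certificate an APK was signed with. It assumes that the signature attribute, once the build has expanded @UNIVERSITY from keys.conf, holds the hex encoding of the DER certificate; the PEM below is constructed and stands in for university.x509.pem.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed stand-in for university.x509.pem (not a real certificate).
SAMPLE_CERT_DER = b"constructed-certificate-bytes"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(SAMPLE_CERT_DER).decode())

# The signer stanza from the message, wrapped in a <policy> root element.
POLICY = """<policy>
  <signer signature="@UNIVERSITY">
    <seinfo value="university" />
    <package name="com.example.seandroid_connectinternet">
      <deny-permission name="android.permission.INTERNET" />
      <deny-permission name="android.permission.ACCESS_NETWORK_STATE" />
      <seinfo value="university" />
    </package>
  </signer>
</policy>"""

def pem_to_hex(pem_text):
    """Return the lowercase hex of the DER bytes inside a PEM certificate."""
    body = "".join(
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body).hex()

def check_signers(policy_xml, cert_hex, package):
    """Report, per signer stanza, whether it can match the given certificate."""
    report = []
    for signer in ET.fromstring(policy_xml).iter("signer"):
        sig = signer.get("signature", "")
        if sig.startswith("@"):
            status = "unresolved-keyword"  # keyword was never expanded to a cert
        elif sig.lower() == cert_hex:
            status = "match"
        else:
            status = "mismatch"
        # Permissions denied for this package inside the signer stanza.
        denied = sorted(
            d.get("name")
            for p in signer.findall("package") if p.get("name") == package
            for d in p.findall("deny-permission")
        )
        report.append({"status": status, "denied": denied})
    return report

if __name__ == "__main__":
    print(check_signers(POLICY, pem_to_hex(SAMPLE_PEM),
                        "com.example.seandroid_connectinternet"))
```

A status of unresolved-keyword means the file being checked still carries the literal @UNIVERSITY keyword, so that stanza cannot match any certificate.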