Those are component names you're referencing not package names. What you
would need at the mac_perms layer is individual component seinfo
labeling which is presently not supported there.
On 01/10/2014 01:20 PM, William Roberts wrote:
Id be ok with that assuming we add support to mac_perms for prefix matching...
Off the top of my head I recall seeing some applications during
running invoke services
that run as separate process but do not have the isolated uid range.
Prefix matching in
seapp_contexts was a big help with getting everything into the right
domain. I typically
only use key in mac_permissions.xml.
As an example, if you run firefox like so:
user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app
type=app_data_file level=s0:c1
user=_app name=org.mozilla.firefox.seinfo=mozilla UpdateService
domain=untrusted_app type=app_data_file level=s0:c1
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla
domain=untrusted_app type=app_data_file level=s0:c1
You can preifx match like so:
user=_app name=org.mozilla.firefox* domain=untrusted_app
type=app_data_file level=s0:c1
Or if you really wanted to get crazy:
user=_app name=org.mozilla.firefox seinfo=mozilla domain=untrusted_app
type=app_data_file level=s0:c2
user=_app name=org.mozilla.firefox.seinfo=mozilla UpdateService
domain=untrusted_app type=app_data_file level=s0:c3
user=_app name=org.mozilla.firefox.PasswordsProvider seinfo=mozilla
domain=untrusted_app type=app_data_file level=s0:c4
This is really just something I made up. Currently its possible,
doesn't mean I'm endorsing it. However, the separate
launches of firefox, and matching input selectors are real.
My concern is, if we match in PMS with mac_perms.xml and drop
seapp_contexts, we would lose the ability to do the crazy scenario
as PMS only sees:
package="org.mozilla.firefox"
And everything will launch with a single seinfo value, and no other
discerning input selector will match.
Thanks,
Bill
On Fri, Jan 10, 2014 at 9:44 AM, Stephen Smalley <[email protected]> wrote:
On 01/10/2014 12:35 PM, William Roberts wrote:
Does it make sense to be able to do package name matching in
mac_perms.xml and seap_contexts?
Especially considering that seapp_contexts supports prefix matching
and mac_perms.xml does not.
Should we drop this or move towards deprecating this from mac_perms.xml?
I'm ok with dropping it from seapp_contexts; that support predated
mac_permissions.xml.
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
