All non system installed apps are treated the same, that is, resolved
against the default stanza. There was a prior effort, by us, to maintain
a separate set of changes that accounted for your scenario. However, we
decided to just be entirely consistent with AOSP and their
implementation which is mostly described by the code snippet you've
provided. There are plans to reintroduce the change back to AOSP for
consideration and that is currently under way. In the interim, you could
just comment out the leading if statement which will then resolve all
apps, regardless of location, against the full mac_permissions.xml file.

On 02/24/2014 06:56 PM, Jaejyn Shin wrote:

Hi SEAndroid developers.
I want to give a security context to a downloaded application (from the market).
After studying MMAC, I realized that I can classify the applications
using the app signing key.
I modified mac_permissions.xml, seapp_contexts and so on...
And I made my application using my own key in order to assign
my_domain to my app, and installed the app on my device (adb install).
But my application was still in the untrusted_app domain.
I found the reason in the code below (SELinuxMMAC.java).
-------------------------------------------------------------------------------------------------------
public static void assignSeinfoValue(PackageParser.Package pkg) {
    /*
     * Non system installed apps should be treated the same. This
     * means that any post-loaded apk will be assigned the default
     * tag, if one exists in the policy, else null, without respect
     * to the signing key.
     */
    if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) ||
        ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) {

        // We just want one of the signatures to match.
        for (Signature s : pkg.mSignatures) {
            if (s == null)
                continue;

            if (sSigSeinfo.containsKey(s)) {
                String seinfo = pkg.applicationInfo.seinfo = sSigSeinfo.get(s);
                if (DEBUG_POLICY_INSTALL)
                    Slog.i(TAG, "package (" + pkg.packageName +
                           ") labeled with seinfo=" + seinfo);

                return;
            }
        }

        // Check for seinfo labeled by package.
        if (sPackageSeinfo.containsKey(pkg.packageName)) {
            String seinfo = pkg.applicationInfo.seinfo =
                    sPackageSeinfo.get(pkg.packageName);
            if (DEBUG_POLICY_INSTALL)
                Slog.i(TAG, "package (" + pkg.packageName +
                       ") labeled with seinfo=" + seinfo);
            return;
        }
    }

    // If we have a default seinfo value then great, otherwise
    // we set a null object and that is what we started with.
    String seinfo = pkg.applicationInfo.seinfo = sSigSeinfo.get(null);
    if (DEBUG_POLICY_INSTALL)
        Slog.i(TAG, "package (" + pkg.packageName +
               ") labeled with seinfo=" + (seinfo == null ? "null" : seinfo));
}
-------------------------------------------------------------------------------------------------------
I don't want to use the package name or app name because of the security
problem.
Is there any way to assign a security context to a downloaded app using my
app signing key?

Thank you
Best regards
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
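
As an added illustration (not part of the original thread and not SEAndroid code), the following Python model reproduces the lookup order of the assignSeinfoValue() snippet above against a constructed, simplified mac_permissions.xml, with and without the leading system-app check. The signature strings, package names, seinfo values and the helper names load_policy and assign_seinfo are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified policy in the mac_permissions.xml layout of this era;
# the signature strings, package name and seinfo values are placeholders.
POLICY = """
<policy>
  <signer signature="aa11"><seinfo value="platform"/></signer>
  <signer signature="bb22"><seinfo value="myseinfo"/></signer>
  <package name="com.example.sysapp"><seinfo value="sysapp"/></package>
  <default><seinfo value="default"/></default>
</policy>
"""

def load_policy(xml_text):
    """Return (signature -> seinfo, package -> seinfo); key None is the default stanza."""
    sig_seinfo, pkg_seinfo = {}, {}
    for node in ET.fromstring(xml_text):
        seinfo = node.find("seinfo")
        if seinfo is None:
            continue
        value = seinfo.get("value")
        if node.tag == "signer":
            sig_seinfo[node.get("signature")] = value
        elif node.tag == "package":
            pkg_seinfo[node.get("name")] = value
        elif node.tag == "default":
            sig_seinfo[None] = value
    return sig_seinfo, pkg_seinfo

def assign_seinfo(policy, package, signatures, is_system, system_only=True):
    """Mirror the lookup order of assignSeinfoValue().

    system_only=True keeps the leading FLAG_SYSTEM check (the AOSP-consistent
    behaviour); False models the reply's suggestion of commenting it out.
    """
    sig_seinfo, pkg_seinfo = policy
    if is_system or not system_only:
        for sig in signatures:  # one matching signature is enough
            if sig is not None and sig in sig_seinfo:
                return sig_seinfo[sig]
        if package in pkg_seinfo:
            return pkg_seinfo[package]
    return sig_seinfo.get(None)  # default stanza, or None if absent

if __name__ == "__main__":
    policy = load_policy(POLICY)
    for gate in (True, False):
        print(gate, assign_seinfo(policy, "com.example.myapp", ["bb22"], False, gate))
```

With the check removed, the package-name stanza is also consulted for post-installed apps, so a policy that relies only on signing keys should carry no package stanzas that a third-party app could match by name.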