On 02/24/2014 06:56 PM, Jaejyn Shin wrote:
> Hi SEAndroid developers.
>
> I want to give a security context to a downloaded application (from the market).
> After studying MMAC, I realized that I can classify the applications using
> the app signing key.
>
> I modified mac_permissions.xml, seapp_contexts and so on...
> And I made my application using my own key in order to assign my_domain to
> my app, and installed the app on my device (adb install).
>
> But my application was still in the untrusted_app domain.
> I found the reason in the code below (SELinuxMMAC.java).
> -------------------------------------------------------------------------------------------------------
> public static void assignSeinfoValue(PackageParser.Package pkg) {
>     /*
>      * Non system installed apps should be treated the same. This
>      * means that any post-loaded apk will be assigned the default
>      * tag, if one exists in the policy, else null, without respect
>      * to the signing key.
>      */
>     if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) ||
>         ((pkg.applicationInfo.flags &
>           ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) {
>         // We just want one of the signatures to match.
>         for (Signature s : pkg.mSignatures) {
>             if (s == null)
>                 continue;
>             if (sSigSeinfo.containsKey(s)) {
>                 String seinfo = pkg.applicationInfo.seinfo =
>                     sSigSeinfo.get(s);
>                 if (DEBUG_POLICY_INSTALL)
>                     Slog.i(TAG, "package (" + pkg.packageName +
>                            ") labeled with seinfo=" + seinfo);
>                 return;
>             }
>         }
>
>         // Check for seinfo labeled by package.
>         if (sPackageSeinfo.containsKey(pkg.packageName)) {
>             String seinfo = pkg.applicationInfo.seinfo =
>                 sPackageSeinfo.get(pkg.packageName);
>             if (DEBUG_POLICY_INSTALL)
>                 Slog.i(TAG, "package (" + pkg.packageName +
>                        ") labeled with seinfo=" + seinfo);
>             return;
>         }
>     }
>
>     // If we have a default seinfo value then great, otherwise
>     // we set a null object and that is what we started with.
>     String seinfo = pkg.applicationInfo.seinfo = sSigSeinfo.get(null);
>     if (DEBUG_POLICY_INSTALL)
>         Slog.i(TAG, "package (" + pkg.packageName +
>                ") labeled with seinfo=" + (seinfo == null ? "null" : seinfo));
> }
> -------------------------------------------------------------------------------------------------------
>
> I don't want to use package name or app name because of the security
> problem.
>
> Is there any way to assign a security context to a downloaded app using my app
> signing key?
See:
https://android-review.googlesource.com/#/c/80871/