Thank you for your answer.
I will use the code in the future seandroid-4.*

Thank you
Best regards

2014-02-25 22:36 GMT+09:00 Stephen Smalley <[email protected]>:

> On 02/25/2014 08:26 AM, Stephen Smalley wrote:
> > On 02/24/2014 06:56 PM, Jaejyn Shin wrote:
> >> Hi SEAndroid developers.
> >>
> >> I want to give a security context to downloaded application (from market).
> >> After studying MMAC, I realized that I can classify the applications using
> >> app signing key.
> >>
> >> I modified mac_permissions.xml, seapp_contexts and so on...
> >> And I made my application using my own key in order to assign my_domain to
> >> my app, and install the app to my device (adb install).
> >>
> >> But my application was still in the untrusted_app domain.
> >> I found the reason in the below code (SELinuxMMAC.java).
> >> -------------------------------------------------------------------------------------------------------
> >> public static void assignSeinfoValue(PackageParser.Package pkg) {
> >>     /*
> >>      * Non system installed apps should be treated the same. This
> >>      * means that any post-loaded apk will be assigned the default
> >>      * tag, if one exists in the policy, else null, without respect
> >>      * to the signing key.
> >>      */
> >>     if (((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) ||
> >>         ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0)) {
> >>         // We just want one of the signatures to match.
> >>         for (Signature s : pkg.mSignatures) {
> >>             if (s == null)
> >>                 continue;
> >>             if (sSigSeinfo.containsKey(s)) {
> >>                 String seinfo = pkg.applicationInfo.seinfo = sSigSeinfo.get(s);
> >>                 if (DEBUG_POLICY_INSTALL)
> >>                     Slog.i(TAG, "package (" + pkg.packageName +
> >>                            ") labeled with seinfo=" + seinfo);
> >>                 return;
> >>             }
> >>         }
> >>
> >>         // Check for seinfo labeled by package.
> >>         if (sPackageSeinfo.containsKey(pkg.packageName)) {
> >>             String seinfo = pkg.applicationInfo.seinfo = sPackageSeinfo.get(pkg.packageName);
> >>             if (DEBUG_POLICY_INSTALL)
> >>                 Slog.i(TAG, "package (" + pkg.packageName +
> >>                        ") labeled with seinfo=" + seinfo);
> >>             return;
> >>         }
> >>     }
> >>
> >>     // If we have a default seinfo value then great, otherwise
> >>     // we set a null object and that is what we started with.
> >>     String seinfo = pkg.applicationInfo.seinfo = sSigSeinfo.get(null);
> >>     if (DEBUG_POLICY_INSTALL)
> >>         Slog.i(TAG, "package (" + pkg.packageName +
> >>                ") labeled with seinfo=" + (seinfo == null ? "null" : seinfo));
> >> }
> >> -------------------------------------------------------------------------------------------------------
> >>
> >> I don't want to use package name or app name because of the security
> >> problem.
> >>
> >> Is there any way to assign security context to downloaded app using my app
> >> signing key ?
> >
> > See:
> > https://android-review.googlesource.com/#/c/80871/
>
> BTW, this support, along with support for rejecting the installation of
> apps that do not pass any stanza in mac_permissions.xml, is included in
> our SELinuxMMAC.java code available from our seandroid and seandroid-4.*
> branches.
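
The gate discussed in this thread, as an added example that is not part of the original messages and is not AOSP or SEAndroid code: a simplified model of the quoted lookup beside a variant that consults signer stanzas for every package. Signatures are modelled as plain strings, the package-name lookup is omitted, and the class, method and certificate names are hypothetical; how the referenced change implements this is not shown on the page.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model of the seinfo lookup quoted in the thread. Not AOSP code:
// signatures are plain strings and all names in this class are hypothetical.
public class SeinfoModel {
    static final int FLAG_SYSTEM = 1 << 0;
    static final int FLAG_UPDATED_SYSTEM_APP = 1 << 7;

    // Signer -> seinfo as loaded from mac_permissions.xml; the null key holds the default stanza.
    static final Map<String, String> SIG_SEINFO = new HashMap<>();

    // Returns the seinfo of the first signature that has a signer stanza, else null.
    static String matchSigner(List<String> signatures) {
        for (String s : signatures) {
            if (s != null && SIG_SEINFO.containsKey(s)) {
                return SIG_SEINFO.get(s);
            }
        }
        return null;
    }

    // Behaviour of the quoted code: signer stanzas are consulted only for system apps,
    // so a post-installed package always receives the default seinfo (or null).
    static String seinfoSystemOnly(int flags, List<String> signatures) {
        if ((flags & (FLAG_SYSTEM | FLAG_UPDATED_SYSTEM_APP)) != 0) {
            String seinfo = matchSigner(signatures);
            if (seinfo != null) return seinfo;
        }
        return SIG_SEINFO.get(null);
    }

    // Behaviour the question asks for: signer stanzas apply to every package.
    static String seinfoAnyApp(int flags, List<String> signatures) {
        String seinfo = matchSigner(signatures);
        return seinfo != null ? seinfo : SIG_SEINFO.get(null);
    }

    public static void main(String[] args) {
        // Constructed sample policy and package; the certificate string is a placeholder.
        SIG_SEINFO.put("CONSTRUCTED_MY_CERT", "my_seinfo");
        SIG_SEINFO.put(null, "default");
        List<String> sigs = Arrays.asList("CONSTRUCTED_MY_CERT");
        int adbInstalled = 0; // neither system flag is set for an adb-installed app

        System.out.println("system-only gate: " + seinfoSystemOnly(adbInstalled, sigs));
        System.out.println("any-app match:    " + seinfoAnyApp(adbInstalled, sigs));
        System.out.println("system app:       " + seinfoSystemOnly(FLAG_SYSTEM, sigs));
    }
}
```

The seinfo string returned here is what seapp_contexts keys on when selecting a domain, which is why the gated lookup leaves a custom-signed downloaded app in untrusted_app.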
