Thank you for your detailed explanation. I am building the Android 4.4 branch and I modified a lot of source code in it.

I found many "untrusted_app" when I typed "ps -Z". This happened because I used a userdebug mode image, so I will try to run CTS again using a user-mode image. (I could not find any "untrusted_app" in my user-mode image.)

Regardless of this matter, can I apply the recent policy files from the AOSP master branch (https://android.googlesource.com/platform/external/sepolicy/+/master) to my Android 4.4? I want to make my Android device more secure. Is it compatible?

Thank you
Best regards

2014-03-07 11:31 GMT+09:00 Robert Craig <[email protected]>:

> Are you building our seandroid 4.4 based branch, or are you building the
> AOSP 4.4 branch? Depending on that answer the remedy to your problem will
> slightly differ. Some things to watch out for though.
>
> If you're seeing a bunch of untrusted_app denials then that might indicate
> an incorrectly composed mac_permissions.xml (source at
> external/sepolicy/mac_permissions.xml, processed form at
> system/etc/security/mac_permissions.xml in your out directory) file. If you
> run a "ps -Z" do you see a bunch of untrusted_app domains for all your apps?
>
> The mac_permissions.xml file is responsible for taking the cert used to
> sign an apk and assigning it an seinfo tag which is interpreted by the
> seapp_contexts (external/sepolicy/seapp_contexts) file. The seapp_contexts
> file then assigns the appropriate app domain (platform_app, shared_app,
> media_app, release_app, untrusted_app) based on a series of selectors (one
> of which is the seinfo tag). If you do have untrusted_app domains this
> means all your apps are dropping to the default stanza in the
> mac_permissions.xml file which then translates to untrusted_app because of
> the default seinfo tag. You'll need to get the correct certs into the
> mac_permissions.xml file to solve this.
>
> To remedy this you could try to construct an appropriate keys.conf
> (external/sepolicy/keys.conf) file. That file is used for controlling the
> mapping of "tags" found in the mac_permissions.xml signature stanzas with
> actual public keys found in pem files that you're using to resign your
> apps. The tags are then substituted out for the correct certs when building
> the image. You might also have success by simply adding the
> DEFAULT_SYSTEM_DEV_CERTIFICATE set to the directory of your new certs when
> building your image; doing this in lieu of building a keys.conf file. If
> none of these work you can always hand edit the mac_permissions.xml file
> with the correct cert.
>
>
> On Thu, Mar 6, 2014 at 7:11 PM, Jaejyn Shin <[email protected]> wrote:
>
>> Dear SEAndroid developers
>>
>> I ran the CTS Test using my Android 4.4 image (CTS: Android plan).
>> Then, there were lots of denial logs and most of the logs were generated
>> from "untrusted_app".
>>
>> the # of total denial logs: 31962
>> the # of total denial logs from untrusted_app: 31958
>>
>> To remove the denial logs and also to make my Android device secure, I
>> am considering applying the recent SEPolicy from the AOSP master branch (
>> https://android.googlesource.com/platform/external/sepolicy/+/master)
>>
>> Can I apply the recent sepolicy to my Android 4.4 device?
>> Is it compatible and safe?
>>
>> Thank you
>> Best regards
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
>>
>>
>
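
The cert-to-seinfo-to-domain lookup described in the quoted reply, as an added example that is not part of the original thread: it shows why a signing cert missing from mac_permissions.xml ends up in untrusted_app. The file contents, the short certificate strings, and the function names are constructed for illustration, and the selector matching is a simplified model of the real logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a processed mac_permissions.xml. Real signature values
# are hex-encoded certificates; short placeholder strings are used here.
MAC_PERMISSIONS = """
<policy>
  <signer signature="aa11"><seinfo value="platform"/></signer>
  <signer signature="bb22"><seinfo value="media"/></signer>
  <default><seinfo value="default"/></default>
</policy>
"""

# Constructed seapp_contexts entries using domains named in the thread.
SEAPP_CONTEXTS = """
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=media domain=media_app type=platform_app_data_file
"""

def seinfo_for_cert(policy_xml, cert_hex):
    """Return the seinfo tag for a signing cert, else the <default> stanza's tag."""
    root = ET.fromstring(policy_xml)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            return signer.find("seinfo").get("value")
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None

def domain_for(seapp_text, user, seinfo):
    """Pick the domain for (user, seinfo); entries naming an seinfo are tried first."""
    entries = [dict(kv.split("=", 1) for kv in line.split())
               for line in seapp_text.splitlines()
               if line.strip() and not line.startswith("#")]
    # Assumption: specificity is modelled only as "has seinfo" before "has none".
    entries.sort(key=lambda e: "seinfo" not in e)
    for e in entries:
        if e.get("user") == user and e.get("seinfo", seinfo) == seinfo:
            return e["domain"]
    return None

def resolve(cert_hex):
    """Map an app's signing cert to (seinfo, domain) for a regular app uid."""
    seinfo = seinfo_for_cert(MAC_PERMISSIONS, cert_hex)
    return seinfo, domain_for(SEAPP_CONTEXTS, "_app", seinfo)

if __name__ == "__main__":
    for cert in ("aa11", "bb22", "cc33"):  # cc33: a key not listed in the policy
        print(cert, resolve(cert))
```

If every app on a build resolves through the default stanza, as the last case does, the certs in the processed mac_permissions.xml do not match the keys used to sign the image.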
