Yes Nguyen, this is exactly what I want to do, so that I can create different policies for owner and secondary users.
Thanks Stephen, I will try to use boolean as you mentioned in end of your mail. I pulled google's master branch somewhere around Januray and then started modified policies on my own, that might be the reason that applications are crashing when i changed levefrom tag to 'user' from 'none'. Anyways that is not working so I have again modified and using levelfrom=none in my seapp_context. Will try to write isOwner to differentiate between owner and secondary users and hence write different policies. Thanks Chris, this is exactly what I want (you sort of read my mind). If the booleans, as suggested by Stephen doesn't fulfill my requirements I will try the changes as suggested by you. Though it requires a lot of changes, but I will try to do them. Will be really thankful to you if you can post the pull request as you mentioned above. In the mean time I will follow your guidance to achieve my goal. Thanks Pankaj Kushwaha On Wed, Aug 13, 2014 at 9:53 PM, Chris Stone < [email protected]> wrote: > Hi Pankaj, > > At Graphite Software we have done what you are trying to do. I will just > give you some background on what we are doing because it helps to define > the use case. Our Secure Spaces product uses Android's multi user > capabilities to create multiple spaces on phones. For instance, you can > have a personal space, a work space, or a mobile banking space. Each of > these spaces has different security needs. We have the ability to set > different SELinux policies for each space to meet those needs. For > instance, one may want apps in their work space or mobile banking space to > run in a much stricter SELinux policy than their personal space. > > We did this by changing frameworks/base classes. We add a field to the > UserInfo class which contains an seinfo value for that user. Then we modify > ActivityManagerService to use the seinfo value from the UserInfo class when > it launches an app. There is also a bunch of other changes to things like > DevicePolicyManager and UserManager to make the seinfo value persistent in > the user xml files. Of course, we also add domains to the SELinux policy > which defines the allows, and link those domains to the seinfo value via > seapp_contexts. > > In our case, the seinfo value is set from policy which is downloaded from > our management server when the space is created, although we also have a > test app that runs on the phone to set policy for the different spaces on > the phone. > > My intent here is just to give you an idea of how you could achieve what > you are trying to do. One way is to modify the appropriate classes in > frameworks base, which is what we have done. If there is enough interest I > could post a pull request with our changes to the SEAndroid bitbucket repo. > However, I could not do this quickly due to delivery deadlines that are > keeping me pretty busy, and because I would have to modify our solution to > make it more generic, i.e., not dependent on our management server. > > Cheers, > Chris Stone. > > > On Tue, Aug 12, 2014 at 11:11 PM, Pankaj Kushwaha < > [email protected]> wrote: > >> Hi, >> >> I was thinking two make two different sepolicies for two users present on >> same tablet. >> Is it possible somehow ?? >> >> I started it with creating different policies for untrusted_app first. >> For this I thought of passing different seinfo for owner and secondary >> user and on based of different seinfo like default and default_owner I will >> write rules in seapp_context to give these applications different labels >> like untrusted_app and untrusted_app_owner, and then write rules for this. >> But when I tried this actually, i came to know that in >> PackageManagerService.java installation of app happens only once, whether I >> am in primary user or secondary user. So wasn't able to change label at >> time of installation. >> >> Then I thought of changing levelfrom tag in seapp_context, replaced >> levelfrom=none to levelfrom=user, that added sensitivity and cgroup to the >> label. It made all apps to crash at boot itself. >> >> I observed that user for same application across different users is >> u0_a27 and u10_a27, u0_a65 and u10_a65 and so on. >> >> Can anyone please help me in achieving this ? >> Is there any way to write rules on cgroup basis or user basis ? >> >> Thanks >> Pankaj Kushwaha >> >> _______________________________________________ >> Seandroid-list mailing list >> [email protected] >> To unsubscribe, send email to [email protected]. >> To get help, send an email containing "help" to >> [email protected]. >> > >
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
