Hi Stephen,

There is an additional reason for separate SELinux policies which I forgot to mention. An IT department may wish to do things like prevent users from saving files to an external SD card when they are in a managed space. We have different managed space SELinux policies. One of them disallows writing to external SD cards. The IT department can select this policy when the managed space is provisioned from the management server. Note that when in a personal space, writing to the external SD card is not prevented.
Cheers,
Chris.

On Thu, Aug 14, 2014 at 8:10 AM, Stephen Smalley <[email protected]> wrote:
> On 08/14/2014 05:25 AM, Pankaj Kushwaha wrote:
> > Hi Chris,
> >
> > I created a new domain untrusted_app_owner.te and wrote some rules in it,
> > and the other one, i.e. untrusted_app.te, is the same as it is.
> > I made seinfo changes in ActivityManagerService, so that when an app is
> > started it checks whether the user is 0 or any secondary user.
> >
> > If seinfo is 'default' and user is 0 it passes seinfo as 'default_owner',
> > else it passes 'default'. Now in seapp_contexts I have written code such
> > that if we get seinfo as 'default_owner' we give that the label
> > 'untrusted_app_owner'.
> >
> > Now in this way if I run an app, say Google Chrome, in owner it gets labelled
> > as 'untrusted_app_owner' and if I run the same app in any other user it gets
> > labelled as 'untrusted_app' and hence follows the rules as written in
> > untrusted_app_owner.te and untrusted_app.
> >
> > I have almost done what I was willing to do.
> > Now my question is, is this approach fine?
> > Also I wanted to know what was the reason to modify code in UserInfo,
> > UserManager, DevicePolicyManager and user xml files?
> >
> > I got this when I grepped all running processes with 'chrome' -
> > u:r:untrusted_app:s0 u10_a31 6484 6400 com.android.chrome
> > u:r:untrusted_app_owner:s0 u0_a31 8580 127 com.android.chrome
>
> Question for both of you: What is the benefit of running the same app in
> different domains for different users? I can understand wanting to
> reinforce multi-user separation in Android, which is why we have the
> levelFrom=user construct, but not separate domains. How would
> untrusted_app and untrusted_app_owner differ? In your earlier email,
> Chris, you said you might want stricter policy in the business space
> than in the personal space, but a) that seems dangerous (e.g. I would be
> more concerned about malware in the personal space escalating its
> privileges and attacking the business space), and b) I don't really see
> how/why the OS-level permissions needed by any regular app would really
> differ regardless of personal vs business space, except that I would
> want to separate them from each other. For the latter, levelFrom=user
> would seem a better fit, as it offers a way to prevent the personal apps
> from reading/writing files created by the business apps, although you
> still need to do a lot of work at the middleware layer too.
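The two labelling schemes debated in the quoted exchange, as an added illustration that is not from the thread and not Android's own code: a toy Python model of the seapp_contexts lookup, showing Pankaj's seinfo-based split into separate domains next to the levelFrom=user alternative Stephen suggests. The seapp_contexts entries are constructed, the matcher is reduced to the user and seinfo fields, and the c512/c768 category arithmetic is my assumption about how libselinux derives levelFrom=user categories.

```python
# Toy model of how (uid, seinfo) becomes a process label via seapp_contexts.
# Not Android's code; the category arithmetic below is an assumption.
AID_USER = 100000   # Android uid layout: userid * AID_USER + appid
AID_APP = 10000     # app uids start at this offset within each user

# Constructed seapp_contexts entries, reduced to the fields matched here.
# Pankaj's scheme: a separate domain for the owner's apps.
SEAPP_CONTEXTS_OWNER_SPLIT = [
    {"user": "_app", "seinfo": "default_owner", "domain": "untrusted_app_owner"},
    {"user": "_app", "seinfo": "default", "domain": "untrusted_app"},
]
# Stephen's alternative: one domain, per-user MLS categories.
SEAPP_CONTEXTS_LEVELFROM = [
    {"user": "_app", "seinfo": "default", "domain": "untrusted_app", "levelFrom": "user"},
]

def split_uid(uid):
    """Return (userid, appid) for an Android uid, e.g. 1010031 -> (10, 10031)."""
    return uid // AID_USER, uid % AID_USER

def rewrite_seinfo(seinfo, userid):
    """Pankaj's ActivityManagerService change: owner (user 0) gets 'default_owner'."""
    if seinfo == "default" and userid == 0:
        return "default_owner"
    return seinfo

def level_for(entry, userid):
    """MLS level; levelFrom=user derives categories from the user id (assumed scheme)."""
    if entry.get("levelFrom") == "user":
        return "s0:c%u,c%u" % (512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff))
    return "s0"

def app_context(uid, seinfo, table):
    """First matching entry wins, as in a real seapp_contexts lookup (simplified)."""
    userid, appid = split_uid(uid)
    if appid < AID_APP:
        raise ValueError("uid %d is not an app uid" % uid)
    for entry in table:
        if entry["user"] == "_app" and entry["seinfo"] == seinfo:
            return "u:r:%s:%s" % (entry["domain"], level_for(entry, userid))
    raise LookupError("no seapp_contexts match for uid %d seinfo %s" % (uid, seinfo))

def label_owner_split(uid, seinfo="default"):
    """Separate domains: u0_a31 -> untrusted_app_owner, u10_a31 -> untrusted_app."""
    userid, _ = split_uid(uid)
    return app_context(uid, rewrite_seinfo(seinfo, userid), SEAPP_CONTEXTS_OWNER_SPLIT)

def label_level_from_user(uid, seinfo="default"):
    """Same domain for every user; only the categories differ per user."""
    return app_context(uid, seinfo, SEAPP_CONTEXTS_LEVELFROM)
```

With the uids behind the thread's ps output (u0_a31 is 10031, u10_a31 is 1010031), the first scheme reproduces the two domains shown there, while the second keeps both in untrusted_app and separates them only by category.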
Seandroid-list mailing list [email protected]
