We dropped the permissions aspect of install-time MAC around the release of 4.4. The current install-time MAC simply assigns a seinfo value to each app when it is installed based on a MAC policy configuration which is then subsequently used to determine the SELinux security context for the app process and its /data/data directory based on the seapp_contexts configuration. We are currently moving towards using the seinfo tags in conjunction with AppOps and IntentFirewall for run time enforcement to replace the permissions aspect of install-time mac that was dropped. If interested, you can look into the changes made to the AppOps functionality at frameworks/base/services/java/com/android/server/AppOpsService.java. This MMAC mechanism builds upon the AppOps functionality introduced in Android 4.3 and extends it to support enterprise control over certain run time application operations. We are also looking into adding similar enterprise like controls to the existing IntentFirewall code.
On Sat, Sep 6, 2014 at 9:07 AM, Tal Palant <tal.pal...@gmail.com> wrote: > Thanks for the reference. > After installing the application and setting the SEinfo i can't see where > the SEinfo is used in determining whether or not to grant an application > permissions? > > > On Sat, Sep 6, 2014 at 12:38 PM, Tal Palant <tal.pal...@gmail.com> wrote: > >> Thanks for the reference. >> After installing the application and setting the SEinfo i can't see where >> the SEinfo is used in determining whether or not to grant an application >> permissions? >> >> >> >> On Wed, Sep 3, 2014 at 10:02 PM, Stephen Smalley <s...@tycho.nsa.gov> >> wrote: >> >>> On 09/03/2014 11:35 AM, Tal Palant wrote: >>> > Hi, >>> > >>> > can anyone please explain in details or refer me to an source that >>> > explains how install time mac works in depth >>> >>> Our NDSS paper explains the general approach, although some things have >>> changed since it was published. The code itself is fairly >>> self-contained and easy to understand, see >>> frameworks/base/services/java/com/android/server/pm/SELinuxMMAC.java and >>> the calls to SELinuxMMAC method from >>> >>> frameworks/base/services/java/com/android/server/pm/PackageManagerService.java. >>> Note that there is an important difference between AOSP and our >>> seandroid* branches in the latter. >>> >>> >> >> >> -- >> טל פולו פלנט >> כי שם כזה יש רק אחד >> > > > > -- > טל פולו פלנט > כי שם כזה יש רק אחד > > _______________________________________________ > Seandroid-list mailing list > Seandroid-list@tycho.nsa.gov > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. > To get help, send an email containing "help" to > seandroid-list-requ...@tycho.nsa.gov. >
_______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
