An additional permission enforcement - not quite. AppOps allows runtime
enforcement over certain application operation primitives, like playing
audio or accessing coarse location. There really isn't a 1:1 mapping
from these primitives to permissions. However, in some cases certain
operations do correspond directly to middleware permissions. Take a look
at frameworks/base/core/java/android/app/AppOpsManager.java, and in
particular the 'sOpPerms' array. Also, I don't believe that all the
controls with AppOps are currently being enforced, i.e. it seems more
work needs to be done in that area.
What we have provided with EOps (enterprise ops) is a way to exert
enterprise like controls over this operation set. Anything listed in the
'sOpNames' array, from the same AppOpsManager.java file, can be further
controlled with our mechanism. Of course you'll have to write the
correct policy to external/sepolicy/eops.xml first.
Lastly, our SEAdmin app has been extended to enable the hidden AppOps
interface, but the EOps mechanism is not in any way dependent on the
SEAdmin app for operation and the SEAdmin app cannot override settings
locked by the eops.xml configuration.
On 09/10/2014 10:37 AM, Tal Palant wrote:
So does it allow to configure an additional permission enforcement
rather than the current android permission model? in other words can
this be used to disallow a permission given to an application during
installation?
On Mon, Sep 8, 2014 at 2:01 AM, Robert Craig <robertpcr...@gmail.com
<mailto:robertpcr...@gmail.com>> wrote:
We dropped the permissions aspect of install-time MAC around the
release of 4.4. The current install-time MAC simply assigns a
seinfo value to each app when it is installed based on a MAC
policy configuration which is then subsequently used to determine
the SELinux security context for the app process and its
/data/data directory based on the seapp_contexts configuration. We
are currently moving towards using the seinfo tags in conjunction
with AppOps and IntentFirewall for run time enforcement to replace
the permissions aspect of install-time mac that was dropped. If
interested, you can look into the changes made to the AppOps
functionality at
frameworks/base/services/java/com/android/server/AppOpsService.java.
This MMAC mechanism builds upon the AppOps functionality
introduced in Android 4.3 and extends it to support enterprise
control over certain run time application operations. We are also
looking into adding similar enterprise like controls to the
existing IntentFirewall code.
On Sat, Sep 6, 2014 at 9:07 AM, Tal Palant <tal.pal...@gmail.com
<mailto:tal.pal...@gmail.com>> wrote:
Thanks for the reference.
After installing the application and setting the SEinfo i
can't see where the SEinfo is used in determining whether or
not to grant an application permissions?
On Sat, Sep 6, 2014 at 12:38 PM, Tal Palant
<tal.pal...@gmail.com <mailto:tal.pal...@gmail.com>> wrote:
Thanks for the reference.
After installing the application and setting the SEinfo i
can't see where the SEinfo is used in determining whether
or not to grant an application permissions?
On Wed, Sep 3, 2014 at 10:02 PM, Stephen Smalley
<s...@tycho.nsa.gov <mailto:s...@tycho.nsa.gov>> wrote:
On 09/03/2014 11:35 AM, Tal Palant wrote:
> Hi,
>
> can anyone please explain in details or refer me to
an source that
> explains how install time mac works in depth
Our NDSS paper explains the general approach, although
some things have
changed since it was published. The code itself is fairly
self-contained and easy to understand, see
frameworks/base/services/java/com/android/server/pm/SELinuxMMAC.java
and
the calls to SELinuxMMAC method from
frameworks/base/services/java/com/android/server/pm/PackageManagerService.java.
Note that there is an important difference between
AOSP and our
seandroid* branches in the latter.
--
?? ???? ????
?? ?? ??? ?? ?? ???
--
?? ???? ????
?? ?? ??? ?? ?? ???
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov <mailto:Seandroid-list@tycho.nsa.gov>
To unsubscribe, send email to
seandroid-list-le...@tycho.nsa.gov
<mailto:seandroid-list-le...@tycho.nsa.gov>.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov
<mailto:seandroid-list-requ...@tycho.nsa.gov>.
--
?? ???? ????
?? ?? ??? ?? ?? ???
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
