On 10/20/2014 09:13 AM, Tal Palant wrote: > will this effect the file permissions set to each application files?
levelFrom=app will assign a unique MLS category set to the app process and to its /data/data/<pkgdir> package directory. And any files the app process creates will inherit that category set. > > On Mon, Oct 20, 2014 at 4:08 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > >> On 10/18/2014 04:27 AM, Tal Palant wrote: >>> Hello all, >>> >>> i know that in the past there was an option/ability to assign a unique >>> category for each application installed on the device. >>> >>> The rule will be something like this (i assume): >>> >>> "user=_app seinfo=release \ name=com.android.browser \ >> domain=browser_app \ >>> type=platform_app_data_file levelFrom=app" >>> >>> and levelForm=app will restrict it to the application itself and nothing >>> more. >>> >>> But how do i automatically generate such rules in advanced for all the >>> applications without knowing the applications that will be installed on >> the >>> device? >>> >>> Also will this rule be enough to block access to the specific application >>> files? >>> >>> Thanks in advance, >> >> You can apply it to all non-system apps by adding levelFrom=app to the >> user=_app domain=untrusted_app type=app_data_file line in >> seapp_contexts, ala: >> >> user=_app domain=untrusted_app type=app_data_file levelFrom=app >> >> This would assign a unique category set to each such app, isolating each >> app to accessing only its own files. >> >> However, this will break compatibility, which is why it is not in AOSP. >> There we have recently uploaded a change to enable levelFrom=user (i.e. >> per-user category sets) in order to isolate apps for one user from apps >> for another user. We are not yet sure how well that will work in practice. _______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
