Thanks for your comments.

On Apr 29, 2015, at 11:33 AM, William Roberts <bill.c.robe...@gmail.com> wrote:
>
> On Apr 29, 2015 8:27 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> >
> > On 04/29/2015 10:53 AM, Stephen Smalley wrote:
> > > On 04/29/2015 10:10 AM, Clifford Liem wrote:
> > >> Background:
> > >>
> > >> We are using eCryptfs as a way to encrypt directories as well as PID
> > >> namespaces as a way to isolate processes.
> > >
> > > I believe Samsung has been using ecryptfs as well, not sure how they are
> > > addressing it, but perhaps they can do all of the mounting from vold or
> > > zygote.
> > >
> > > Wondering how use of PID namespaces might affect binder services that
> > > rely on the sender PID information provided by the kernel binder driver
> > > and those that rely on getpidcon(), e.g. servicemanager and keystore.
> >
> > BTW, what do you see as the security benefit of PID namespaces? They
> > are primarily advertised as a way to support process
> > suspend/resume/migration, not a security feature.
>
> Yes network and mount table name (IIRC clone_netns and clone_ns) flags are
> handy for isolation but not pid.
>

Yes, we’re using mount and network namespaces as well.

> >
> > If you just want to prevent accessing another process' /proc/pid files,
> > you can already do that via SELinux (if you run them in different
> > security contexts, either using different domains or levelFrom=), or by
> > using hidepid.
> >
>
> As far as CDD recourse, there is a waiver process; however, I'm more in the
> mindset of fixing limitations on master or the design causing the issue, and
> frown on waivers.

I agree. We would rather fix limitations in the design than look for a waiver. Perhaps we can explore Forrest’s (Samsung) idea of pushing a PR back to AOSP that considers expanding the design of the neverallows. (Thanks for that, Forrest!)

Cliff

> _______________________________________________
> > Seandroid-list mailing list
> > Seandroid-list@tycho.nsa.gov
> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> > seandroid-list-requ...@tycho.nsa.gov.