On 04/30/2015 05:41 AM, Inamdar Sharif wrote: > Hi Guys, > > I just came across the change > https://android.googlesource.com/kernel/common/+/ba733f9857b966459316d0cd33b8da2e22f62d7d > > > > These are some of the questions: > > 1)What level of security this can provide?? Can anyone explain me with > an example?
See http://marc.info/?l=selinux&m=142861645215267&w=2 > 2)Also do we have any policy changes which would be required?? In order to use this mechanism, you need to update the target policy version to 30 (either change the default POLICYVERS to 30 in external/sepolicy/Android.mk or override it on the make command-line or in your BoardConfig) and you need to write allow rules with ioctl command whitelists. Otherwise, nothing changes by default. > Currently we have “ioctl” as the generic permission , so this means that > with this we have to specify which ioctl which source can > access??(correct me if I am wrong) The ioctl whitelists are only applied if specified in policy; if no whitelist is specified for a given (domain, type, class) triple, then it only checks the existing ioctl generic permission. So you can apply the ioctl whitelisting selectively. > Also doing this will not add to the policy ?? Not sure what you mean, but you have to add allow rules with ioctl whitelists if you want to control them at that granularity. But you still must be allowed ioctl permission in the first place, or no access will be granted. So this mechanism can only further restrict ioctl access to specific whitelists; it never allows something that would have been denied. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
