So what's the labeling used for?

On Mon, Jun 22, 2015, 13:23 Robert Craig <rpcr...@tycho.ncsc.mil> wrote:

>
> Not quite correct. While our original install-time MAC implementation
> featured two aspects, seinfo labeling based on app cert/package pairings
> and install checks on the Android permission model, the latter never
> really made it to the AOSP source. In fact, we dropped the permission
> piece from our own branches a while ago (circa 4.3 days); the idea never
> really scaled well and it was, admittedly, a bit complicated. So we're
> not really clear on how the Android M code handles their permission
> revocation. Also not sure on the strength of mechanism being used for
> it. We would need to see the source for that. But once the source does
> drop we're interested to see if some of our original ideas in this space
> can be used in some manner.
>
> However, there have been some changes to the install-time MAC labeling
> that are being used - on master branch for now and will appear in future
> featured Android releases. We now impose an ordering on all stanzas
> after being read - this helps with the union aspect of policy writing
> without having to mung the mac_permissions.xml files. And, we further
> restrict the structure of certain stanzas to simplify policy writing.
> This patch covers those changes:
> https://android-review.googlesource.com/#/c/146301/
>
> Beyond that, we do maintain a slight difference between the AOSP source
> and our internal tree. We're still continuing to support the patch that
> will prevent an app install if no matching stanza is present in policy.
> To date, AOSP has not been interested in that aspect of it.
>
>
> On 06/20/2015 12:05 PM, Tal Palant wrote:
> > Hello all,
> >
> > I have a question about install time MAC and Android M.
> >
> > If I understand correctly the install time MAC will continue to work
> > behind the scenes, meaning after the user will get prompted by the
> > application to grant a certain permission the install time MAC will
> > check if the application can use this permission and in some cases block
> > the application usage of the permission?
> >
> > Does anything else change in perspective to Android M and install time MAC?
> >
> >
> > _______________________________________________
> > Seandroid-list mailing list
> > Seandroid-list@tycho.nsa.gov
> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.