Hi all,

But why is the "levelFrom" not added for other "user" types? For "user=bluetooth, nfc, radio", I assume there is only one such resource for each of them, so there is no need to add "levelFrom=user". However, for "user=system", I think each user has its own system_app, so it should be separated for different users by adding "levelFrom=user".

Thanks,
Enfeng Huang

-----Original Message-----
From: Roberts, William C [mailto:william.c.robe...@intel.com]
Sent: Friday, July 17, 2015 1:11 PM
To: Stephen Smalley; Enfeng Huang
Cc: seandroid-list@tycho.nsa.gov
Subject: RE: New Categories on Non System App of Android M Preview

> -----Original Message-----
> From: Seandroid-list [mailto:seandroid-list-boun...@tycho.nsa.gov] On Behalf Of Stephen Smalley
> Sent: Friday, July 17, 2015 11:55 AM
> To: Enfeng Huang
> Cc: seandroid-list@tycho.nsa.gov
> Subject: Re: New Categories on Non System App of Android M Preview
>
> See https://android-review.googlesource.com/#/c/107443/
>
> On Fri, Jul 17, 2015 at 2:33 PM, Enfeng Huang <enfen...@samsung.com> wrote:
> > Hi all,
> >
> > Recently, I found that there are 2 new SEAndroid categories (c512,c768) added to the non system app.
> >
> > Why should there be such a change? On the previous Android version, there is no category at all.
> >
> > Another question is why 2 categories are used instead of 1? I think that 1 category may be enough.

If you look into external/libselinux/src/android.c at function seapp_context_lookup() it should become apparent (hopefully) the underpinnings of this. You don't want collisions between various levelFrom options in seapp_contexts between category sets, i.e. you don't want levelFrom=user and levelFrom=app to collide and thus defeat MLS separation.

levelFrom=app gets a category set where one might be from 0-255 and the other from 256-511
levelFrom=user gets a category set where one might be from 512-767 and the other from 768-1023
levelFrom=all is the above two and thus has 4 categories in the set.

levelFrom user will provide MLS isolation between physical Android users (not the uid sandboxing mechanism that is internal to a user)
levelFrom app will provide MLS isolation between apps and this reinforces the app sandboxing, however IIRC breaks inter app file sharing on open().
levelFrom all does both inter-user and inter-application

This is all based on the current MLS rules as I can best remember offhand. To understand category sets, make sure you understand the MLS syntax and domby, etc. statements. I found this reference handy for that (it's terse but I found that to be the most helpful):
http://selinuxproject.org/page/NB_MLS

Another resource is the SELinux notebook:
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

Relevant code:

    if (cur->levelFrom != LEVELFROM_NONE) {
        char level[255];
        switch (cur->levelFrom) {
        case LEVELFROM_APP:
            /* app-derived categories: low byte in c0-c255, high byte in c256-c511 */
            snprintf(level, sizeof level, "s0:c%u,c%u",
                     appid & 0xff, 256 + (appid>>8 & 0xff));
            break;
        case LEVELFROM_USER:
            /* user-derived categories: low byte in c512-c767, high byte in c768-c1023 */
            snprintf(level, sizeof level, "s0:c%u,c%u",
                     512 + (userid & 0xff), 768 + (userid>>8 & 0xff));
            break;
        case LEVELFROM_ALL:
            /* both sets, four categories in total */
            snprintf(level, sizeof level, "s0:c%u,c%u,c%u,c%u",
                     appid & 0xff, 256 + (appid>>8 & 0xff),
                     512 + (userid & 0xff), 768 + (userid>>8 & 0xff));
            break;
        }
    }

> > Thanks,
> >
> > Enfeng Huang, software engineer @ Samsung Research America
> >
> > _______________________________________________
> > Seandroid-list mailing list
> > Seandroid-list@tycho.nsa.gov
> > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
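The category derivation Roberts describes above, worked through as an added example that is not code from libselinux, AOSP or anyone in this thread. It rebuilds the level string for the three levelFrom modes with the same byte-splitting and 256-wide category bands as the quoted snippet, parses the result back into a category bitmap, and checks two properties a policy reviewer cares about: app-derived and user-derived category sets never overlap, and two distinct apps' levels do not dominate each other, which is the MLS reason inter-app file sharing breaks under levelFrom=app. Assumptions: the enum names mirror the quoted snippet; the uid split (userid = uid / 100000, app index = uid % 100000 minus 10000 for the regular app range, minus 99000 for isolated uids) is how I recall android.c deriving appid and userid, not something the thread states; the dominance check is the single-sensitivity (s0) case, i.e. category superset only.

```c
/* Added example, not libselinux code: derive and reason about seapp_contexts
 * MLS levels. Enum names mirror the snippet quoted in the thread; the uid
 * layout constants are assumptions about Android's uid scheme. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NCATS 1024              /* c0..c1023: the default MLS category range */
#define AID_USER_OFFSET 100000  /* uids per physical Android user (assumed) */
#define AID_APP 10000           /* first regular app uid within a user (assumed) */
#define AID_ISOLATED_START 99000 /* first isolated-process uid (assumed) */

enum level_from { LEVELFROM_NONE, LEVELFROM_APP, LEVELFROM_USER, LEVELFROM_ALL };

/* Build the level string with the same bands as the quoted android.c code:
 * app bytes land in c0-c255 / c256-c511, user bytes in c512-c767 / c768-c1023. */
int build_mls_level(enum level_from from, unsigned appid, unsigned userid,
                    char *out, size_t outlen)
{
    unsigned a0 = appid & 0xff,          a1 = 256 + ((appid >> 8) & 0xff);
    unsigned u0 = 512 + (userid & 0xff), u1 = 768 + ((userid >> 8) & 0xff);
    switch (from) {
    case LEVELFROM_APP:  return snprintf(out, outlen, "s0:c%u,c%u", a0, a1);
    case LEVELFROM_USER: return snprintf(out, outlen, "s0:c%u,c%u", u0, u1);
    case LEVELFROM_ALL:  return snprintf(out, outlen, "s0:c%u,c%u,c%u,c%u", a0, a1, u0, u1);
    case LEVELFROM_NONE: return snprintf(out, outlen, "s0");
    }
    return -1;
}

/* Split a Linux uid into (userid, app index) the way android.c does as far as
 * I recall it (assumption): regular apps are offset by AID_APP, isolated
 * processes by AID_ISOLATED_START, everything below AID_APP is left alone. */
void split_uid(unsigned uid, unsigned *userid, unsigned *appid)
{
    *userid = uid / AID_USER_OFFSET;
    *appid = uid % AID_USER_OFFSET;
    if (*appid >= AID_ISOLATED_START) *appid -= AID_ISOLATED_START;
    else if (*appid >= AID_APP)       *appid -= AID_APP;
}

/* Convenience wrapper returning the level for a raw uid (static buffer). */
const char *mls_level_for_uid(enum level_from from, unsigned uid)
{
    static char buf[64];
    unsigned userid, appid;
    split_uid(uid, &userid, &appid);
    build_mls_level(from, appid, userid, buf, sizeof buf);
    return buf;
}

/* Parse "s0:cN,cM,..." into a bitmap; returns the category count or -1 on error. */
int parse_categories(const char *level, unsigned char bits[NCATS / 8])
{
    memset(bits, 0, NCATS / 8);
    if (strncmp(level, "s0", 2) != 0) return -1;
    const char *p = level + 2;
    if (*p == '\0') return 0;           /* plain "s0": empty category set */
    if (*p != ':') return -1;
    int n = 0;
    for (p++; *p; ) {
        if (*p != 'c') return -1;
        char *end;
        unsigned long c = strtoul(p + 1, &end, 10);
        if (end == p + 1 || c >= NCATS) return -1;
        bits[c / 8] |= (unsigned char)(1u << (c % 8));
        n++;
        p = end;
        if (*p == ',') p++;
        else if (*p != '\0') return -1;
    }
    return n;
}

int category_count(const char *level)
{
    unsigned char bits[NCATS / 8];
    return parse_categories(level, bits);
}

/* True when the two levels share at least one category. */
int categories_overlap(const char *a, const char *b)
{
    unsigned char ba[NCATS / 8], bb[NCATS / 8];
    if (parse_categories(a, ba) < 0 || parse_categories(b, bb) < 0) return 0;
    for (int i = 0; i < NCATS / 8; i++)
        if (ba[i] & bb[i]) return 1;
    return 0;
}

/* Single-sensitivity dominance: a dominates b when a's categories are a
 * superset of b's. A subject at level a may then read an object at level b. */
int level_dominates(const char *a, const char *b)
{
    unsigned char ba[NCATS / 8], bb[NCATS / 8];
    if (parse_categories(a, ba) < 0 || parse_categories(b, bb) < 0) return 0;
    for (int i = 0; i < NCATS / 8; i++)
        if ((ba[i] & bb[i]) != bb[i]) return 0;
    return 1;
}

int main(void)
{
    /* constructed uid: physical user 10, app index 45 */
    printf("app:  %s\n", mls_level_for_uid(LEVELFROM_APP, 1010045));
    printf("user: %s\n", mls_level_for_uid(LEVELFROM_USER, 1010045));
    printf("all:  %s\n", mls_level_for_uid(LEVELFROM_ALL, 1010045));
    printf("app/user sets overlap: %d\n", categories_overlap("s0:c45,c256", "s0:c522,c768"));
    printf("app 44 dominates app 300: %d\n", level_dominates("s0:c44,c256", "s0:c44,c257"));
    return 0;
}
```

Note that app indices 44 and 300 share c44 (300 & 0xff == 44) but differ in the second category (c256 versus c257); neither level dominates the other, so an MLS-constrained open() between those two apps fails even though one category collides, which is why two categories per band rather than one are needed to keep 65536 app indices distinct.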