seapp_contexts support for prefix matching on name

#2 Declined
  1. William Roberts
No description

Comments (6)

  1. seandroid repo owner

    Coding style: space between if and (.

    Implementation: Look at how we implemented prefix match support for username / cur->user. Note that you need to take whether it is a prefix or exact match into consideration in the seapp_context_cmp function to ensure that exact matches always win.

    Design: Matching on package name in seapp_contexts predated our mac_permissions.xml support. The mac_permissions.xml support is superior in that you can nest the package name entry within a signature entry and thereby ensure that it was signed by a particular certificate (as opposed to some random third party app with that name). Also we don't always get the same granularity for the seapp_contexts name; the process name that gets passed down is identical for content providers that share the same process. So I'm wondering whether we truly want to extend this feature in seapp_contexts rather than doing it at the mac_permissions.xml level.

  2. William Roberts author

    Well, this patch is obviously not in the MMAC Parser. I looked at that briefly and saw you using the pkgname as a key to the install policy and that registered to me as more of an architectural change vs a fairly trivial change in libselinux. I won't have the bandwidth to support that feature for at least another month, as this works now and I am a lot faster in C.

  3. seandroid repo owner

    LGTM. However, we no longer have external/libselinux in our master local_manifest.xml file as we were synced up with AOSP in 4.3. If we were to restore it, we'd keep using the seandroid branch there for local changes; master tracks AOSP master these days.

  4. seandroid repo owner

    Sorry, that wasn't quite right - we weren't synced up in 4.3, but in AOSP master after 4.3 was forked. So the 4.3 local_manifest.xml still has external/libselinux but master does not.
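
The ordering requirement raised in the first comment (exact matches must always win over prefix matches) can be illustrated with the sketch below. It is an added example, not the patch under review and not libselinux code: `name_rule`, `make_rule`, `name_rule_cmp`, `lookup_domain`, `demo` and the sample rules are hypothetical, and only the name selector is modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified rule: only the name= selector is modelled. */
struct name_rule {
    const char *name;    /* pattern as written, e.g. "com.example.*" */
    size_t len;          /* bytes compared; a trailing '*' is excluded */
    bool is_prefix;      /* pattern ended in '*' */
    const char *domain;  /* label assigned when the rule matches */
};

static struct name_rule make_rule(const char *pattern, const char *domain)
{
    struct name_rule r = { pattern, strlen(pattern), false, domain };
    if (r.len > 0 && pattern[r.len - 1] == '*') { r.is_prefix = true; r.len--; }
    return r;
}

/* Exact rules sort first; among prefixes, the longer one sorts first. */
static int name_rule_cmp(const void *a, const void *b)
{
    const struct name_rule *r1 = a, *r2 = b;
    if (r1->is_prefix != r2->is_prefix) return r2->is_prefix ? -1 : 1;
    if (r1->is_prefix && r1->len != r2->len) return r1->len > r2->len ? -1 : 1;
    return 0;
}

/* Sort, then first match wins; NULL when no rule applies. */
static const char *lookup_domain(struct name_rule *rules, size_t n, const char *proc)
{
    qsort(rules, n, sizeof(*rules), name_rule_cmp);
    for (size_t i = 0; i < n; i++) {
        const struct name_rule *r = &rules[i];
        if (r->is_prefix ? !strncmp(proc, r->name, r->len) : !strcmp(proc, r->name))
            return r->domain;
    }
    return NULL;
}

/* Constructed sample rules, listed broadest-first on purpose. */
const char *demo(const char *proc)
{
    struct name_rule rules[] = { make_rule("com.*", "vendor_app"),
        make_rule("com.example.*", "example_app"),
        make_rule("com.example.browser", "browser_app") };
    return lookup_domain(rules, 3, proc);
}
int main(void) { puts(demo("com.example.browser")); return 0; }
```

Without the comparator, the broad `com.*` rule listed first would label every matching process, including the one that has its own exact rule.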