Pull request #16 (Declined)

Source: billcroberts / nsa-seandroid-blacklist
Destination: seandroid / seandroid

thirdparty app domain

Author: William Roberts

Description

Add an attribute untrusted_app_domain
Rework socket macros
Support a blacklist 3rd party policy approach

FYI: this needs more testing; still in progress. DO NOT MERGE, will clean up history later.

Comments (9)

  1. seandroid repo owner

    I am writing a more complete set of neverallow rules to help with this, as I think the current approach isn't really getting us there.

  2. seandroid repo owner

    So I think a better/simpler way to do this is to define a boolean, and if true, simply add a set of allow rules to the existing untrusted_app domain. No need for a separate domain. Wondering though if we ought to in fact add allow rules based on appdomain, i.e. if this boolean is set, allow all permissions except for the ones prohibited to all app domains. Otherwise, you may have a situation where platform_app or release_app has fewer permissions than untrusted_app.

    1. William Roberts author

      Well, I agree it's simpler, not 100% sure if it's better (how do you measure that anyway). If you wanted to have assertions that cover "nice to haves" in untrusted_app vs untrusted_bl_app you couldn't have them. Plus, unless you completely override app.te and build a whole new policy again, there is no way to build application domains off of existing ones. The base policy being more based on attributes makes extending it much easier, when what you want to do is not just basic allows.

    2. William Roberts author

      Oh, and I would be OK with release_apps or platform_apps having fewer permissions. All those apps are known; plus, one of the benefits of SELinux is least privilege.

  3. seandroid repo owner

    Note however that appdomain includes shell; don't know if that matters to you (i.e. are you trying to confine adb shell more or less than third party apps?)
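The boolean-gated variant the repo owner sketches above, written out as an added illustration in the kernel policy language that checkpolicy accepts. This is not the policy from the pull request or from the seandroid tree: the boolean name third_party_blacklist, the chosen permissions, and every type other than the ones named in the thread (untrusted_app, appdomain, shell) are assumptions, and the fragment relies on the base policy already declaring the classes and types it references. It also shows why the conditional rules go on untrusted_app rather than on appdomain, given that shell carries appdomain.

```selinux
# Added example of the "boolean plus allow rules on untrusted_app" approach.
# Not code from the PR or the seandroid repository; names marked (assumed)
# are placeholders chosen for illustration.

# Off by default. Can be set at build time or flipped at runtime with
# setsebool by a domain that holds security:setbool (see note below).
bool third_party_blacklist false;                     # name assumed

# The floor that holds for every app domain regardless of the boolean.
# neverallow is a build-time assertion: checkpolicy rejects the whole
# policy if any rule, including the conditional block below, would grant
# one of these to a type carrying the appdomain attribute. Because shell
# has appdomain, adb shell is bound by these as well.
neverallow appdomain self:capability { sys_admin sys_module sys_rawio setuid setgid };
neverallow appdomain kernel:security { load_policy setenforce };  # kernel type assumed present
neverallow appdomain init:process ptrace;                          # init type assumed present

# "Nice to have" permissions for third-party apps only. They are attached
# to the existing untrusted_app domain, not to appdomain, so that shell,
# platform_app and release_app are unaffected when the boolean is on.
if (third_party_blacklist) {
    allow untrusted_app sdcard:dir  { create write add_name remove_name rmdir };  # sdcard type assumed
    allow untrusted_app sdcard:file { create write unlink };
    # cross-app local socket connections, the case the socket macro rework targets
    allow untrusted_app untrusted_app:unix_stream_socket connectto;
}
```

Two checks a practitioner would add before shipping something like this. First, run the assembled policy through checkpolicy with the boolean on and off and confirm it builds in both states, since the neverallow assertions are evaluated against the conditional rules too. Second, audit who holds security:setbool: a boolean is only as strong as the set of domains allowed to toggle it, so if the intent is a build-time choice rather than a runtime switch, no app domain should be able to reach setbool.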