I'd like to grant Android permissions (e.g. android.permission.DELETE_PACKAGES, which has protectionLevel=system|signature) to apps signed by a given signature and/or with a given package name from SELinux policies, but so far I haven't found a way that works. The mac_permissions.xml file used to accept an allow-permission tag that accepted Android permission strings, but <a href="https://android.googlesource.com/platform/frameworks/base/+/lollipop-mr1-cts-release/services/core/java/com/android/server/pm/SELinuxMMAC.java" rel="nofollow">based on the Lollipop code</a> that parses it, that tag doesn't seem to be supported anymore. I tried using it anyway, and it definitely seemed to be ignored by the system.
Ideally, I'd only have to add/modify SELinux policy files as opposed to core AndroidManifest files that declare the restricted permissions and specify their protection levels. Assume that apps with the given signature/package wouldn't otherwise be granted said permissions by PackageManager because they lack any of the special privileges that Android permission protection levels recognize (signed by platform cert, installed in /system, etc.), and that the permission is a system permission (i.e. declared by the <a href="https://android.googlesource.com/platform/frameworks/base/+/lollipop-mr1-cts-release/core/res/AndroidManifest.xml" rel="nofollow">frameworks/base/core/res AndroidManifest</a>) that is declared at OS build time.
Is there a way to allow a given app signature/package to use a given Android permission from SELinux?

Answer 1:
All the MMAC work was abandoned by the SE for Android project as none of it was accepted upstream. Currently, there is no supported mechanism for associating package permissions to SE Linux policy. If you're building Android, one could restore that work in their tree; the branches to start with are the seandroid branches here: <a href="https://bitbucket.org/seandroid/frameworks-base/branches/" rel="nofollow">https://bitbucket.org/seandroid/frameworks-base/branches/</a>
However, the most up-to-date branches with the code are over a year old. So you may have porting issues.
Also, that code uses the mac_permissions.xml file for controlling access, but the EOPS (extended operations) changes would also be of use; you can read up about it in its config file: <a href="https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default" rel="nofollow">https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default</a>
Bear in mind, the install-time permission checks and the eops changes, while providing a form of mandatory access controls, don't really use core SE Linux technologies. That is, they can be used with or without an SELinux-enabled kernel.
If one really wanted to couple SE Linux to permission strings, it would require significant effort to label the permissions, and have Package Manager Service (PMS) and Activity Manager Service (AMS) compute whether or not access is allowed.
However, now that per-application Android permission controls are available, most of the work is no longer needed.
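As an added example (not code from the question, the answer, or AOSP), the following lint reads a Lollipop-style mac_permissions.xml and reports which signer-to-seinfo mappings the stock SELinuxMMAC parser acts on and which elements it skips, so a leftover `<allow-permission>` tag like the one the question tried is caught at build time instead of silently granting nothing. The recognized-element table is taken from the Lollipop-mr1 parser's structure (signer/seinfo/package/default); the sample policy and its signature values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Child elements the Lollipop-mr1 SELinuxMMAC.java parser acts on, per parent.
# Anything else (e.g. the abandoned MMAC <allow-permission> tag) is skipped.
CHILDREN = {
    "policy": {"signer", "default"},
    "signer": {"seinfo", "package"},
    "package": {"seinfo"},
    "default": {"seinfo"},
    "seinfo": set(),
}
# Constructed sample policy; the hex signature is a placeholder, not a real cert.
SAMPLE_POLICY = """<policy>
  <signer signature="@PLATFORM">
    <seinfo value="platform"/>
  </signer>
  <signer signature="308201aePLACEHOLDERCERTHEX">
    <seinfo value="vendor"/>
    <allow-permission name="android.permission.DELETE_PACKAGES"/>
    <package name="com.example.installer">
      <seinfo value="vendorinstaller"/>
    </package>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>"""

def lint_mac_permissions(xml_text):
    """Return (seinfo_map, ignored): seinfo_map maps each signer's signature to
    its seinfo label; ignored lists element paths the stock parser skips."""
    root = ET.fromstring(xml_text)
    seinfo_map, ignored = {}, []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if child.tag not in CHILDREN.get(elem.tag, set()):
                ignored.append(child_path)  # unrecognized here: parser skips it
            else:
                walk(child, child_path)

    for signer in root.findall("signer"):
        seinfo = signer.find("seinfo")
        if seinfo is not None:
            seinfo_map[signer.get("signature")] = seinfo.get("value")
    walk(root, "policy")
    return seinfo_map, ignored
```

Running `lint_mac_permissions(SAMPLE_POLICY)` on the sample flags `policy/signer/allow-permission` as ignored while still reporting the platform and vendor seinfo labels the parser would apply.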