
Is it possible to connect SELinux policy with Android permissions?

Question:

I'd like to grant Android permissions (e.g. android.permission.DELETE_PACKAGES, which has protectionLevel=system|signature) to apps signed by a given signature and/or with a given package name from SELinux policies, but so far I haven't found a way that works. The mac_permissions.xml file used to accept an allow-permission tag that accepted Android permission strings, but <a href="https://android.googlesource.com/platform/frameworks/base/+/lollipop-mr1-cts-release/services/core/java/com/android/server/pm/SELinuxMMAC.java" rel="nofollow">based on the Lollipop code</a> that parses it, that tag doesn't seem to be supported anymore. I tried using it anyway, and it definitely seemed to be ignored by the system.

Ideally, I'd only have to add/modify SELinux policy files as opposed to core AndroidManifest files that declare the restricted permissions and specify their protection levels. Assume that apps with the given signature/package wouldn't otherwise be granted said permissions by PackageManager because they lack any of the special privileges that Android permission protection levels recognize (signed by platform cert, installed in /system, etc.), and that the permission is a system permission (i.e. declared by the <a href="https://android.googlesource.com/platform/frameworks/base/+/lollipop-mr1-cts-release/core/res/AndroidManifest.xml" rel="nofollow">frameworks/base/core/res AndroidManifest</a>) that is declared at OS build time.

Is there a way to allow a given app signature/package to use a given Android permission from SELinux?

Answer1:

All the MMAC work was abandoned by the SE for Android project as none of it was accepted upstream. Currently, there is no supported mechanism for associating package permissions to SE Linux policy. If you're building Android, one could restore that work in their tree; the branches to start with are the seandroid branches here: <a href="https://bitbucket.org/seandroid/frameworks-base/branches/" rel="nofollow">https://bitbucket.org/seandroid/frameworks-base/branches/</a>

However, the most up-to-date branches with the code are over a year old. So you may have porting issues.

Also, that code uses the mac_permissions.xml file for controlling access, but the EOPS (extended operations) changes would also be of use; you can read up about it in its config file: <a href="https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default" rel="nofollow">https://bitbucket.org/seandroid/external-sepolicy/src/ccb97c52cda2bac69c0499b3c76bc8e0d28d636c/eops.xml?at=seandroid-5.1.1&fileviewer=file-view-default</a>

Bear in mind, the install-time permission checks and the eops changes, while providing a form of mandatory access controls, don't really use core SE Linux technologies. By that, it can be used with or without an SELinux-enabled kernel.

If one really wanted to couple SE Linux to permission strings, it would require significant effort to label the permissions, and have Package Manager Service (PMS) and Activity Manager Service (AMS) compute whether or not access is allowed.

However, now that per-application Android permission controls are available, most of the work is no longer needed.
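
A check a platform builder can run over a mac_permissions.xml to locate leftover allow-permission stanzas, which the question reports are ignored on Lollipop and so grant nothing. This is an added example, not code from the post or from AOSP; the sample policy, its signature placeholder, package name, seinfo values and the `name` attribute on allow-permission are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Tag the question reports as no longer honoured by the Lollipop parser.
IGNORED_TAGS = {"allow-permission"}

# Constructed sample policy. The signature, package name, seinfo values and
# the `name` attribute on allow-permission are assumptions for illustration.
SAMPLE_POLICY = """<policy>
  <signer signature="@PLATFORM">
    <seinfo value="platform"/>
  </signer>
  <signer signature="PLACEHOLDER_CERT_HEX">
    <seinfo value="vendorapp"/>
    <allow-permission name="android.permission.DELETE_PACKAGES"/>
    <package name="com.example.installer">
      <allow-permission name="android.permission.DELETE_PACKAGES"/>
    </package>
  </signer>
</policy>
"""


def find_ignored_stanzas(xml_text, ignored=IGNORED_TAGS):
    """Return (path, attributes) for every element whose tag is in `ignored`."""
    findings = []

    def walk(node, trail):
        label = node.tag
        # Identify enclosing stanzas by their signature or package name.
        if node.tag not in ignored:
            for key in ("signature", "name"):
                if key in node.attrib:
                    label += "[%s=%s]" % (key, node.attrib[key])
        here = trail + [label]
        if node.tag in ignored:
            findings.append(("/".join(here), dict(node.attrib)))
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), [])
    return findings


if __name__ == "__main__":
    for path, attrs in find_ignored_stanzas(SAMPLE_POLICY):
        print("stanza has no effect:", path, attrs)
```
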
