From a833763ba04147e840fd054b613f759395bada35 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 11 Sep 2014 14:07:28 -0400
Subject: [PATCH] Enable per-user isolation for normal apps.

Add levelFrom=user to the entries for apps other than those that run in the predefined platform UIDs (e.g. system, nfc, radio, ...). This causes libselinux to assign a per-user category set computed from the user ID portion of the Linux UID to each app process and its /data/data/<pkgdir> or /data/user/N/<pkgdir> directory. These per-user category sets can be seen in the last field of ps -Z output for apps and ls -Z /data/data or /data/user/N output for the package directories.

With this applied, apps running on behalf of one user cannot read or write files created by apps running on behalf of another user, even if the file is world-readable or -writable. Similar isolation is enforced over process interactions (including /proc/pid file access), local socket communications, and System V IPC, as expressed in the set of constraints defined in the mls configuration.

At present, Binder IPC is not restricted by the mls configuration; if desired, there is a constraint in the configuration that can be uncommented to also apply isolation on direct binder IPC, although communication will still be possible indirectly via the system_server.

Bug: 13507660
Change-Id: I3972f846ff5e7363799ba521f1258d662b18d64e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 seapp_contexts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/seapp_contexts b/seapp_contexts
index 2d00dda2e..2b8aec072 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -47,6 +47,6 @@ user=nfc domain=nfc type=nfc_data_file user=radio domain=radio type=radio_data_file user=shared_relro domain=shared_relro user=shell domain=shell type=shell_data_file -user=_isolated domain=isolated_app -user=_app seinfo=platform domain=platform_app type=app_data_file -user=_app domain=untrusted_app type=app_data_file +user=_isolated domain=isolated_app levelFrom=user +user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user +user=_app domain=untrusted_app type=app_data_file levelFrom=user -- GitLab
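Review bot: the hunk also adds levelFrom=user to the `user=_isolated domain=isolated_app` entry, while the subject and the first sentence of the message describe the change as covering normal (`_app`) apps only; say explicitly in the message that isolated_app processes are included, and that the unchanged `user=shell domain=shell type=shell_data_file` context line is deliberately left without levelFrom because shell is one of the predefined platform UIDs the message excludes. The message also points at an mls constraint "that can be uncommented" for Binder IPC, but the diffstat shows only seapp_contexts changing, so cite the change that carries that constraint so reviewers can find it.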