I’ve been tasked with working on the Middleware Flask implementation for the SE Android Project. After spending some time trying to figure out the existing Android permission enforcement, as well as the current state of the SE Linux/Android implementation, I am starting to develop some concerns about the usefulness of the Middleware implementation of the seinfo tag information.

The seinfo tag is defined in ‘class ApplicationInfo’. The ‘class ActivityManagerService’ maintains multiple hash sets of the currently running applications (one indexed by package name/uid, another indexed by pid) of ‘class ProcessRecord’, which contains an ‘ApplicationInfo info’ field that would contain the seinfo tag information. However, the comment in ‘class ProcessRecord’ for the ‘ApplicationInfo info’ field is “all about the first app in the process”, which would seem to imply that you can have other apps (possibly installed with different security properties) associated with the process, and this could be a potential loophole for Middleware Flask enforcement.

It could very well be that calling down to the SE Linux kernel and extracting the security context associated with the pid may provide better ‘trust’ for a security ‘tag’, but I have yet to figure out the relationship between the ‘Flask’ labels returned by the SE Linux security context and the X.509 certs (and associated digital signatures) used to verify the ‘trust’ levels of installed packages.

Any comments on this and the Middleware Flask implementation in general?

Leonard Miyata
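The loophole raised above, modelled as an added example (not code from the post or from the SE Android project): a ProcessRecord whose `info` describes only the first app, while a second package sharing the same process carries a different seinfo tag. The class and field names mirror those named in the post; the policy table, the tag values and both check functions are assumptions for illustration.

```python
"""Constructed model of a multi-package process and two middleware checks:
one that consults only the first app's seinfo (the concern in the post) and
one that evaluates every package loaded into the process."""
from dataclasses import dataclass, field


@dataclass
class ApplicationInfo:
    package_name: str
    uid: int
    seinfo: str  # middleware MAC tag assigned at install time (assumed values)


@dataclass
class ProcessRecord:
    pid: int
    info: ApplicationInfo  # "all about the first app in the process"
    pkg_list: list = field(default_factory=list)  # every package in the process


# Assumed middleware policy: seinfo tags permitted to perform each operation.
POLICY = {
    "read_contacts": {"platform", "trusted_vendor"},
    "send_sms": {"platform"},
}


def check_first_app_only(proc: ProcessRecord, op: str) -> bool:
    """Naive check: trusts the first app's tag for the whole process."""
    return proc.info.seinfo in POLICY.get(op, set())


def check_all_packages(proc: ProcessRecord, op: str) -> bool:
    """Strict check: every package sharing the pid must carry an allowed tag,
    since any of them can execute code under that process."""
    allowed = POLICY.get(op, set())
    members = proc.pkg_list or [proc.info]
    return all(app.seinfo in allowed for app in members)


def build_process(pid: int, apps: list) -> ProcessRecord:
    """Mimic the first-installed app becoming `info`, all apps in pkg_list."""
    return ProcessRecord(pid=pid, info=apps[0], pkg_list=list(apps))


def demo() -> tuple:
    # Constructed scenario: a vendor-signed app and a later add-on sharing its
    # uid/process, but installed with the weaker "default" seinfo tag.
    trusted = ApplicationInfo("com.example.vendor", 10050, "trusted_vendor")
    addon = ApplicationInfo("com.example.addon", 10050, "default")
    proc = build_process(1234, [trusted, addon])
    return (check_first_app_only(proc, "read_contacts"),
            check_all_packages(proc, "read_contacts"))
```

`demo()` returns `(True, False)`: the first-app check grants the whole process the vendor tag's rights, while the per-package check denies because the add-on's tag is not permitted.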