This closes out any effort I’m making on this, unless Sierra has feedback or changes they want. With these edits, you can add Smack rules to your application just by editing, building and deploying your application with a few additional lines in your ADEF file. For example, to ensure your MQTT server can talk to internet clients:
    smackRules:
    {
        app.mqtt @ w
        @ app.mqtt w
    }
On most systems, the default label for internet traffic is @ “web”. Giving @ and app.mqtt write access to each other will permit data to flow between remote connections and your sandboxed mqtt server.
Your mileage may vary, depending on your existing networking & smack configurations.
Something I considered was a requirement that one of the labels in each rule (either subject or object) needs to be the same as the application’s label. That way you could only add labels related to the application. If your reviewers have some worries about what kinds of rules could be written, that might be something to add to Supervisor.
Ultimately I decided against it, because there are legitimate reasons to set up rules for yourself and a second party to access a third label. (e.g., use “rwt” permissions on a directory with the third label.)
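For reviewers who want the check described above without enforcing it in Supervisor, here is an added example (not part of the original post and not Legato code) that lists every rule in a `smackRules:` section and separates those naming the application's own label from third-party rules. It assumes the `subject object access` line format shown in the post and an application label of the form `app.<name>`; the function names, the sample ADEF and the labels `app.other` and `shared.data` are constructed for illustration.

```python
import re

SMACK_MODES = set("rwxatlb-")  # Smack access letters; "-" means no access


def parse_smack_rules(adef_text):
    """Return (subject, object, access) tuples from a smackRules: { ... } section."""
    m = re.search(r"smackRules:\s*\{(.*?)\}", adef_text, re.S)
    if not m:
        return []
    rules = []
    for line in m.group(1).splitlines():
        line = line.split("//")[0].strip()  # drop trailing // comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"expected 'subject object access': {line!r}")
        subject, obj, access = parts
        if not set(access.lower()) <= SMACK_MODES:
            raise ValueError(f"unknown access mode in {line!r}")
        rules.append((subject, obj, access.lower()))
    return rules


def review_rules(adef_text, app_label):
    """Split rules into those naming app_label and third-party rules."""
    own, third_party = [], []
    for rule in parse_smack_rules(adef_text):
        (own if app_label in rule[:2] else third_party).append(rule)
    return own, third_party


# Constructed sample: the post's two rules plus one third-party rule.
SAMPLE_ADEF = """
smackRules:
{
    app.mqtt @ w
    @ app.mqtt w
    app.other shared.data rwt
}
"""

if __name__ == "__main__":
    own, third_party = review_rules(SAMPLE_ADEF, "app.mqtt")
    for s, o, a in own:
        print(f"ok      {s} -> {o} [{a}]")
    for s, o, a in third_party:
        print(f"review  {s} -> {o} [{a}] (does not name app.mqtt)")
```

Third-party rules are flagged for a human to look at rather than rejected, which matches the post's reasoning that such rules can be legitimate.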