It seems like Android provides a permission/group ID that can have the NET_RAW
capability, thus allowing the app to use the iptables command without running as
root. So, in this case, although the app has the right Android permission to
gain the NET_RAW capability, we still need to have a rule that allows the VPN app
the {net_admin, net_raw} capability, right?
Thanks,
Tai
From: William Roberts <[email protected]>
Date: Monday, October 28, 2013 6:48 PM
To: Tai Nguyen <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: Rules for AnyConnect VPN app
If AnyConnect is touching iptables directly then you're running a rooted version
of the application. I would recommend you use one that makes use of Android's
VPNService. I would also discourage use of vpn_app, as that will probably go
away in the future. All 3rd party apps should run in untrusted, unless you're
doing some tightly coupled integration or running rooted apps that require
additional permissions.
On Mon, Oct 28, 2013 at 3:17 PM, Tai Nguyen (tainguye) <[email protected]> wrote:
Hi all,
Has anyone created rules to support AnyConnect VPN app yet? I see the following
rules in seandroid 4.2 branch
#
# 3rd party VPN clients that have seinfo=vpn in mac_permissions.xml
# This is a more secure alternative to allowing untrusted_app access
# to create a VPN tunnel.
type vpn_app, domain;
app_domain(vpn_app)
net_domain(vpn_app)
allow vpn_app tun_device:chr_file rw_file_perms;
allow vpn_app system_data_file:file { execute open };
allow vpn_app qtaguid_device:chr_file r_file_perms;
allow vpn_app vpn_app_data_file:dir create_dir_perms;
allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
allow vpn_app vpn_app:netlink_route_socket write;
However, I don't think this is complete, since the AnyConnect app needs to
configure iptables.
Thanks,
Tai
--
Respectfully,
William C Roberts
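As an added example (not code from the thread or from the seandroid policy), a small Python checker that parses SELinux TE allow rules and reports which capabilities a domain such as vpn_app is granted, which is the check behind Tai's question about net_admin/net_raw. The sample policy is the vpn_app block quoted above plus one constructed `allow vpn_app self:capability { net_admin net_raw };` rule so the checker has something to find; the m4 macros (app_domain, net_domain, rw_file_perms) are not expanded.

```python
import re
from collections import defaultdict

# Constructed sample: the vpn_app rules quoted in the thread, plus one
# hypothetical capability rule that is NOT in the seandroid 4.2 branch.
SAMPLE_POLICY = """
type vpn_app, domain;
app_domain(vpn_app)
net_domain(vpn_app)
allow vpn_app tun_device:chr_file rw_file_perms;
allow vpn_app system_data_file:file { execute open };
allow vpn_app qtaguid_device:chr_file r_file_perms;
allow vpn_app vpn_app_data_file:dir create_dir_perms;
allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
allow vpn_app vpn_app:netlink_route_socket write;
allow vpn_app self:capability { net_admin net_raw };
"""

# allow <source> <target>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)


def parse_allow_rules(policy):
    """Return {(source, target, class): set(perms)} for every allow rule.
    A braced permission list is split into its members; a bare macro such as
    rw_file_perms is kept as one opaque token because m4 is not expanded here.
    'self' is resolved to the source type."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(policy):
        if tgt == "self":
            tgt = src
        rules[(src, tgt, cls)].update(perms.strip("{}").split())
    return rules


def capabilities_of(domain, policy):
    """Capabilities a domain may exercise on itself (classes capability/capability2)."""
    caps = set()
    for (src, tgt, cls), perms in parse_allow_rules(policy).items():
        if src == domain and tgt == domain and cls in ("capability", "capability2"):
            caps |= perms
    return caps


def has_capabilities(domain, policy, wanted):
    """True if every capability in `wanted` is explicitly granted to `domain`."""
    return set(wanted) <= capabilities_of(domain, policy)


if __name__ == "__main__":
    print("vpn_app capabilities:", sorted(capabilities_of("vpn_app", SAMPLE_POLICY)))
```

Because macros are not expanded, a capability granted inside net_domain() or a similar macro would not be reported; run the checker over the m4-expanded policy (or the output of sesearch on the compiled policy) when auditing a real build.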