On 04/24/2014 02:23 PM, pragma wrote:
> Hello SEAndroid folks,
> 
> I created and maintain an Android app called Network Log.  It uses
> iptables logging to monitor network transmissions and record statistics
> about them.
> 
> Historically, Android has shipped with a Linux kernel with the
> iptables/netfilter LOG (CONFIG_NETFILTER_XT_TARGET_LOG) target enabled. 
> To monitor the logging using the LOG target, you would typically read
> /proc/kmsg and watch for the logging output.  Network Log has no
> problems doing this with SEAndroid since it uses the system's grep or
> cat commands in a su root shell to read /proc/kmsg.
> 
> However, more recent Android systems have been using the newer(ish)
> NFLOG (CONFIG_NETFILTER_XT_TARGET_NFLOG) target instead.  This target
> requires using netlink sockets to read the logging information.  My app
> uses a native binary based on
> http://netfilter.org/projects/libnetfilter_log/ to interact with NFLOG. 
> The app installs this binary to the app's files location
> (/data/data/com.googlecode.networklog/files/) and executes it in a su
> root shell.  This has been working successfully until SEAndroid started
> shipping in Enforcing mode.
> 
> My question is: Is there a simple way for the app or the end-user to
> allow the nflog binary to run without being restricted?  What would be
> your recommendations?  Alternatively, might there be a better approach
> for interacting with NFLOG of which SEAndroid is more tolerant?
> 
> Thanks for your attention.

You need to move away from having your app directly execute setuid
helpers (which is already disabled in Android 4.3 and later even apart
from SELinux by nosuid mount of /system) and instead have it get its
information from a legitimate service running on the platform that has
the necessary access rights.  So if you want this information to be
available to apps, it needs to be read by some system service and then
exported to apps via an API, not directly collected by the app.
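
The original poster describes Network Log reading iptables LOG target output from /proc/kmsg and recording statistics about it. As an added example (not code from Network Log or from either message), the following parses that record format and aggregates per-flow counters; the sample lines, the `NFLOG-test` log prefix and the addresses are constructed, while the field names (IN, OUT, SRC, DST, LEN, PROTO, SPT, DPT, ...) are those the kernel's LOG target emits.

```python
import re
from collections import defaultdict

# Constructed /proc/kmsg excerpt in the iptables LOG target format (field names are
# the kernel's; "NFLOG-test" is a made-up --log-prefix, addresses are test ranges).
SAMPLE_KMSG = """\
<4>[ 1823.114520] NFLOG-test: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
<4>[ 1823.201337] NFLOG-test: IN= OUT=wlan0 SRC=10.0.0.5 DST=10.0.0.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
<4>[ 1823.300001] NFLOG-test: IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=43210 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
<6>[ 1823.400000] init: unrelated kernel message
"""

KMSG_HEAD = re.compile(r"<(\d+)>\[\s*([\d.]+)\]\s*(.*)")
INT_FIELDS = {"LEN", "L4LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}


def parse_log_line(line):
    """Parse one LOG target record from /proc/kmsg; return None for other kernel messages."""
    idx = line.find(" IN=")
    if idx < 0:
        return None
    head, body = line[:idx], line[idx + 1:]
    rec = {"flags": []}
    m = KMSG_HEAD.match(head)
    if m:
        rec["level"], rec["ts"] = int(m.group(1)), float(m.group(2))
        rec["prefix"] = m.group(3).rstrip(": ")
    for tok in body.split():
        if "=" not in tok:
            rec["flags"].append(tok)      # bare tokens: DF, SYN, ACK, ...
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"                 # UDP/ICMP records carry a second LEN= (transport length)
        rec[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
    return rec


def summarize(kmsg_text):
    """Aggregate packets and IP bytes per (proto, dst, dport), as a stats collector would."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in kmsg_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec.get("PROTO"), rec.get("DST"), rec.get("DPT"))
        stats[key]["packets"] += 1
        stats[key]["bytes"] += rec.get("LEN", 0)
    return dict(stats)


if __name__ == "__main__":
    for flow, counters in summarize(SAMPLE_KMSG).items():
        print(flow, counters)
```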

_______________________________________________
Seandroid-list mailing list