You can create your own seapp_contexts, mac_permissions.xml, and optionally keys.conf files with only the stanzas for your seinfo value and your app's signer and package name, put them in a device/vendor/board/sepolicy subdirectory, and define

    BOARD_SEPOLICY_DIRS += device/vendor/board/sepolicy
    BOARD_SEPOLICY_UNION += mac_permissions.xml seapp_contexts

in your BoardConfig.mk file.
See the external/sepolicy files for the syntax of each file. The build process will automatically combine the contents of the files you specify with BOARD_SEPOLICY_UNION with the external/sepolicy files to produce the final files for the device.

In our branches (seandroid-5.0.1 or seandroid), we have a tool called "setool" that can be used to generate stanzas for mac_permissions.xml from a given apk file, but you can also just do it by hand.

On 12/12/2014 06:02 AM, Pankaj Kushwaha wrote:
> Hi,
>
> In my case, our app is a 3rd party app which will be pre-built (part of
> system.img) and will be uploaded on google play as well for any updates
> (just like gmail, google maps, etc).
>
> So there are no chances that anyone else will install app with same
> package name.
> Will there be any other consequences if I revert these two patches ?
>
> Also can you please guide me on how to add a new signer for my app ?
> Because my apk doesn't have any .mk file so how will the system know
> that app has to pick which seinfo from mac_permissions.xml ?
> I just keep my signed apk in vendor/<oem>/common/apps/ folder.
>
> Thanks
> Pankaj Kushwaha
>
> On Thu, Dec 11, 2014 at 8:18 PM, Stephen Smalley <[email protected]> wrote:
>
> Correct. We simply want to preclude the unsafe practice of assigning
> domain by package name only, as anyone can create an app with any
> package name, and first one to be installed with that name wins. So you
> must bind it to a specific signature as well.
>
> On 12/11/2014 09:35 AM, William Roberts wrote:
> > It appears to me that you can just specify a signer in Mac perms XML
> > with and use a custom seinfo in seapp contexts.
> >
> > On Dec 10, 2014 10:56 PM, "Pankaj Kushwaha" <[email protected]>
> > wrote:
> >
> > Hi,
> >
> > I was running some of the third party apps in my custom domain, by
> > adding below line in seapp_context-
> > user=_app seinfo=default name=<package_name> domain=<custom_domain>
> > type=<custom_file_type>
> > and there were few other changes as well.
> >
> > But in android L I am unable to do so because of below patches-
> > https://android-review.googlesource.com/#/c/90142/
> > https://android-review.googlesource.com/#/c/90143/
> >
> > I just wanted to know that is there any other way to run my app in
> > custom domain in android L ?
> > If not, if I remove above two patches in what way will it affect my
> > other functionality ?
> >
> > Thanks
> > Pankaj Kushwaha

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
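
Added example, not part of the original thread or of the SE for Android tree: a small lint that flags seapp_contexts entries selecting a domain by name= without an seinfo that mac_permissions.xml assigns inside a signer stanza, which is the binding the reply above asks for. The sample stanzas are constructed, and com.example.*, myapp, myapp_domain, other_domain and the @MYAPP keys.conf tag are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas. com.example.*, myapp*, other_* and the @MYAPP
# keys.conf tag are hypothetical names, not taken from the thread.
MAC_PERMISSIONS = """<policy>
  <signer signature="@MYAPP">
    <package name="com.example.myapp">
      <seinfo value="myapp"/>
    </package>
  </signer>
  <default>
    <seinfo value="default"/>
  </default>
</policy>"""

SEAPP_CONTEXTS = """\
# bound to the signer stanza above through seinfo=myapp
user=_app seinfo=myapp name=com.example.myapp domain=myapp_domain type=myapp_data_file
# package name only: any app that claims this name would match
user=_app seinfo=default name=com.example.other domain=other_domain type=other_data_file
user=_app domain=untrusted_app type=app_data_file
"""

def signer_seinfo(mac_xml):
    """seinfo values that mac_permissions.xml assigns inside a <signer> stanza."""
    root = ET.fromstring(mac_xml)
    return {s.get("value") for signer in root.iter("signer")
            if signer.get("signature") for s in signer.iter("seinfo")}

def parse_seapp(text):
    """Yield (line number, {key: value}) for each seapp_contexts entry."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            yield n, dict(kv.split("=", 1) for kv in line.split())

def unbound_name_entries(seapp_text, mac_xml):
    """name= entries whose seinfo is missing or not tied to any signer."""
    bound = signer_seinfo(mac_xml)
    return [(n, e["name"], e.get("seinfo")) for n, e in parse_seapp(seapp_text)
            if "name" in e and e.get("seinfo") not in bound]

if __name__ == "__main__":
    for n, name, seinfo in unbound_name_entries(SEAPP_CONTEXTS, MAC_PERMISSIONS):
        print(f"seapp_contexts:{n}: name={name} seinfo={seinfo} has no signer binding")
```

The lint only checks that the seinfo value comes from some signer stanza; it does not verify that the package name inside that stanza matches the name= selector.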
