On 04/02/2015 09:54 PM, Datta, Souvik wrote: > Hi, > > > > I am using Android 4.4.4. I have a requirement that a database file > would be accessible (read and write) to only a certain application. It > is to be noted that the database file is also owned by that > application. I am very new to SEAndroid and therefore, with whatever > little understanding I have so far, I believe , to meet this > requirement, I have to do the following:- > > a) Define a new domain type (for the application) and an object (here it > is the database file) type. > > b) write a new policy file > > c) Perform an union of the custom policy file with > /external/sepolicy/*.te files through BoardConfig.mk > > d) Update seapp_contexts file. > > > > Following are my queries:- > > > > a) Are the above steps correct or am I missing something here? > > b) Do I have to update /external/sepolicy/file.te to add new object type? > > c) Should the new domain type be defined in the policy file?
First, Android 4.4.4 only placed certain root daemons (installd, netd, vold, zygote) into enforcing mode in order to protect them from misuse and contain damage from an exploit. It did not place apps into enforcing mode, so if you are using 4.4.4 as is, then untrusted_app is permissive and therefore unrestricted by SELinux. To change that, you would have to remove the permissive untrusted_app; line from external/sepolicy/untrusted_app.te (either directly or by using BOARD_SEPOLICY_REPLACE on that file). That's not officially supported in Android 4.4.4; you would be better served by moving to Android 5.x where all domains are enforcing in the first place, not to mention other security fixes and improvements included in 5.x. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
