On 05/13/2015 02:43 PM, Datta, Souvik wrote:
> I just checked my Android kernel config file and found :-
> CONFIG_NETWORK_SECMARK=y
You also need these options set in your kernel configuration:
CONFIG_IP_NF_SECURITY=y
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
These are all part of android-base.cfg now, but may be missing from
older kernels.
> So when you mentioned that it is not setup on standard AOSP, can you please
> explain whether I have to check some other things in AOSP.
I believe that the kernel and iptables support should exist in standard
AOSP these days, but older kernels or non-Nexus device kernels might not
all enable it.
> Moreover, I was thinking of adding the following in init.rc:
>
> "iptables -t security -A INPUT -p tcp --dport 4591 -j SECMARK --selctx
> u:object_r:http_packet_t:s0"
> AND
>
> "iptables -t mangle -A OUTPUT -p tcp --sport 4591 -j SECMARK --selctx
> u:object_r:http_packet_t:s0"
Why the mangle table rather than the security table? You can use either
one but are less likely to conflict with other iptables usage if you
only use the security table. That is what it was added for.
Not sure you really want any OUTPUT rule though.
> Also add the following rule in a policy file :-
>
> neverallow platform_app http_packet_t:packet { recv send };
neverallow is just an assertion on policy checked at policy build time
and by CTS. Once you enable SECMARK, you will need to add allow rules
for :packet for any packets you want to send/recv; anything not allowed
will be denied. You'll want to allow domain unlabeled:packet { send
recv}; or all traffic will be blocked.
>
> NOTE : 4591 is the port through which the requests are being made to the http
> server (running in a process with domain as platform_app) to access the data
> base by the untrusted_app domain.
>
> Can you please confirm whether the above would work.
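A checker and rule generator for the points raised in this reply, added here as an example and not code from the thread: it reports which of the listed kernel options a config fragment lacks, emits the security-table rules for the port and context in the quoted commands, and emits the :packet allow rules the reply says SECMARK then requires. The CONNSECMARK save/restore rules, the `parse_kconfig` helper, the sample config and the domain list are assumptions, not taken from the page.

```python
import re

# Kernel options the reply lists as required for SECMARK on Android.
REQUIRED_SECMARK_OPTIONS = (
    "CONFIG_NETWORK_SECMARK",
    "CONFIG_IP_NF_SECURITY",
    "CONFIG_NETFILTER_XT_TARGET_CONNSECMARK",
    "CONFIG_NETFILTER_XT_TARGET_SECMARK",
    "CONFIG_NF_CONNTRACK_SECMARK",
)

_SET_RE = re.compile(r"^(CONFIG_\w+)=(\S+)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample fragment: one option as a module, one explicitly unset,
# one absent entirely.
SAMPLE_CONFIG = """\
CONFIG_NETWORK_SECMARK=y
CONFIG_IP_NF_SECURITY=m
# CONFIG_NETFILTER_XT_TARGET_CONNSECMARK is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
"""

def parse_kconfig(text):
    """Map CONFIG_* names to values; '# X is not set' lines become 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _SET_RE.match(line.strip()) or _UNSET_RE.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2) if m.re is _SET_RE else "n"
    return opts

def missing_secmark_options(text):
    """Options that are absent, unset, or not built in (the reply asks for =y)."""
    opts = parse_kconfig(text)
    return [o for o in REQUIRED_SECMARK_OPTIONS if opts.get(o) != "y"]

def secmark_rules(port, selctx):
    """Security-table rules only, as the reply recommends: label inbound packets
    to `port` and carry the label on the connection (CONNSECMARK usage assumed)."""
    return [
        "iptables -t security -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED "
        "-j CONNSECMARK --restore",
        f"iptables -t security -A INPUT -p tcp --dport {port} -j SECMARK --selctx {selctx}",
        f"iptables -t security -A INPUT -p tcp --dport {port} -j CONNSECMARK --save",
    ]

def packet_allow_rules(domains, packet_type):
    """Allow rules needed once SECMARK is on: the labelled type for each domain,
    plus unlabeled:packet for all domains so other traffic is not blocked."""
    lines = ["allow domain unlabeled:packet { send recv };"]
    return lines + [f"allow {d} {packet_type}:packet {{ send recv }};" for d in domains]
```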
_______________________________________________
Seandroid-list mailing list