On Jul 5, 2016 01:33, "Sameer Joshi" <[email protected]> wrote:
>
> Hi,
>
> I want to provide an application downloaded from app store, permission to access a particular directory which is shared between the platform service started from init.rc and that app.
>
> I wanted to know how can I define an "seinfo" string and assign a domain to this third party app using mac_permissions.xml, if I don't know the certificate it's signed with.

You could extract the certificate from the apk and use this in mac_permissions.xml. Better yet, take the pem file from extraction and configure keys.conf.

For extracting the pem file, IIRC, Robert Craig wrote a tool that was in the sepolicy project. I'd look through the old Bitbucket branches for it. If not, you can unzip the apk and use openssl. The exact syntax and commands to do this I'd have to look up, but it is covered in Exploring SE for Android, published by Packt (note that I profit from this).

Also, if this is a third party app, it's frowned upon to set up custom policy for it. Typically you would protect resources with the Android permission model at this level. This way any 3rd party app can request permissions to access the feature. If you need tight controls, that is usually reserved for tight integration by the OEM.

>
> Is it possible to use only package name ?

Yes, but it's not secure. Anyone can select that package name.

>
> Also, is it possible to modify the rules in mac_permissions.xml on runtime ? This means if the running device gets to know the signing certificate of the app somehow, is there a way that it can use this certificate to define the domain for the app on runtime.

We used to support placing the files in data/security, but that is no longer supported.

>
> Regards,
>
> Sameer Joshi
>
>
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
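The certificate extraction the reply describes, as an added example that is not part of the original message and is not the sepolicy project's tool: it reads the v1 (JAR) signature block from an APK and walks the PKCS#7 DER in pure Python instead of calling unzip and openssl. The function names and the sample input are constructed for illustration. It assumes a DER-encoded signature block whose first certificate is the signer's.

```python
import base64, io, re, textwrap, zipfile

def tlv(buf, off):  # one DER element at off -> (tag, value_start, value_end)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:    # long-form length: the next (n & 0x7F) bytes hold it
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    return tag, off, off + n

def find(buf, start, end, want):  # offset of first sibling in [start, end) tagged `want`
    while start < end:
        tag, _, nxt = tlv(buf, start)
        if tag == want:
            return start
        start = nxt
    raise ValueError("DER tag 0x%02x not found" % want)

def first_cert(p7):  # first X.509 certificate (raw DER) in a PKCS#7 SignedData blob
    _, vs, ve = tlv(p7, 0)                        # ContentInfo SEQUENCE
    _, vs, ve = tlv(p7, find(p7, vs, ve, 0xA0))   # [0] EXPLICIT content
    _, vs, ve = tlv(p7, vs)                       # SignedData SEQUENCE
    _, vs, ve = tlv(p7, find(p7, vs, ve, 0xA0))   # [0] certificates
    at = find(p7, vs, ve, 0x30)                   # first Certificate SEQUENCE
    return p7[at:tlv(p7, at)[2]]

def apk_signer(apk):  # apk: path or file object -> (PEM text, hex of the DER cert)
    with zipfile.ZipFile(apk) as z:
        blocks = [n for n in z.namelist() if re.fullmatch(r"META-INF/[^/]+\.(RSA|DSA|EC)", n)]
        if not blocks:
            raise ValueError("no v1 (JAR) signature block under META-INF/")
        cert = first_cert(z.read(blocks[0]))
    b64 = "\n".join(textwrap.wrap(base64.b64encode(cert).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n", cert.hex()

def der(tag, body):  # encoder used only to build the constructed sample (< 256 bytes)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

# Constructed sample: a placeholder "certificate" (not a real one) in a minimal SignedData.
OID = bytes.fromhex("2a864886f70d0107")           # 1.2.840.113549.1.7.x prefix
FAKE_CERT = der(0x30, der(0x04, bytes(range(150))))
SIGNED = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID + b"\x01"))
             + der(0xA0, FAKE_CERT) + der(0x31, b""))
PKCS7 = der(0x30, der(0x06, OID + b"\x02") + der(0xA0, SIGNED))

def sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", PKCS7)
    return buf
```

The PEM text is what a keys.conf entry would point at, and the hex string is the encoded certificate that takes the place of a keys.conf tag in a `signer` entry of mac_permissions.xml at build time.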
