On 10/18/2016 10:49 AM, Sava Mikalački wrote:
> I'm not sure how to answer the ownership question. I'm trying to allow
> my application to write files in data/system/ifw which would be picked
> up by the IntentFilter and then block certain application components
> from executing. I have existing code that does that and it worked on
> Marshmallow but it's not working on Nougat because of that permission
> denied exception when creating a file in data/system/ifw folder. Does
> that help out in your question?

On a device running 7.0, ls -ld /data/system/ifw shows that it is owned
by the system UID and is only writable by owner.  So your app has to run
with the system UID (and thus would be system_app) in order to write
there.  I don't really think that's new to 7.0 though.

> 
> 2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
> 
>     On 10/18/2016 10:41 AM, Sava Mikalački wrote:
>     > Thanks everyone for your quick answers. Yes, compilation worked once I
>     > defined the type in file.te. I will try this out and also will try with
>     > system_app, probably that's simpler as you said. What's confusing me is
>     > that I get Permission denied exception when I try to create a file in
>     > that directory with a system app but there is no selinux avc denial
>     > before the exception, it just fires the exception and that's it, so I'm
>     > afraid if changing the sepolicy would even work.
> 
>     What's the ownership and mode of the directory?
> 
>     >
>     > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>     >
>     >     On 10/18/2016 10:23 AM, William Roberts wrote:
>     >     > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>     >     >>
>     >     >> I'm trying to extend aosp file_contexts by adding a new entry for
>     >     >> /data/system/ifw. I've created a file_contexts under my vendor directory
>     >     >> structure but if I try to use the new label, build crashes with unknown
>     >     >> type. I'm
>     >     >
>     >     > You need to declare the type with the type keyword:
>     >     >
>     >     > type system_data_ifw, file_type;
>     >     >
>     >     >> trying to enable a platform_app to write to data/system/ifw and here is
>     >     >> what I have so far:
>     >     >> file_contexts:
>     >     >> /data/system/ifw(/.*)?                     u:object_r:system_data_ifw:s0
>     >     >> platform_app.te:
>     >     >> allow platform_app system_data_ifw:file create_file_perms;
>     >     >
>     >     > Platform applications shouldn't be creating stuff around the system,
>     >     > they should stick to their sandbox. I can't recall offhand, but a never
>     >     > allow I wrote might assert itself on that allow rule.
>     >
>     >     Probably not since it is a new type he just defined.  However, it occurs
>     >     to me that DAC will be a problem for this use case, since platform apps
>     >     can be assigned arbitrary UIDs and thus won't be able to pass the DAC
>     >     checks on writing to /data/system/ifw unless you set up a group, map a
>     >     permission to that group, assign that group to /data/system/ifw, and
>     >     make it group-writable.  Simpler if you use a system_app or some other
>     >     fixed UID app instead, although that carries its own set of issues.
>     >
>     > --
>     > I have only two questions: How much and give it to me.
> 
> -- 
> I have only two questions: How much and give it to me.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.
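The point of Stephen's two replies is that a file write on Android has to pass the classic Unix DAC check (owner and mode bits) before SELinux is ever consulted, so an EACCES with no avc denial in the log points at DAC, not at sepolicy. The script below is an added example, not code from the thread or from AOSP: it models that DAC decision for a given uid/gid against a directory's owner, group and mode, and reproduces both situations discussed (an owner-only directory like /data/system/ifw, and the group-writable alternative Stephen describes) in a scratch directory. It assumes GNU coreutils `stat -c`; the UID 10050 is a constructed value standing in for a platform app with an arbitrary UID.

```shell
#!/bin/sh
# Added example, not code from the thread or from AOSP. It models the DAC
# half of the check Stephen describes: when a write fails with EACCES and
# there is no avc denial, the owner/mode bits rejected it before SELinux
# was consulted. Assumes GNU coreutils `stat -c` (Linux).

# dac_can_write UID GID PATH
# Prints "yes" or "no" (and returns 0 or 1) according to whether a process
# with that uid and primary gid passes the write bit of PATH's mode, using
# the owner bits if uid matches, else the group bits if gid matches, else
# the "other" bits. Supplementary groups and CAP_DAC_OVERRIDE are ignored.
dac_can_write() {
    uid=$1; gid=$2; path=$3
    out=$(stat -c '%u %g %a' "$path") || return 2
    set -- $out
    owner=$1; group=$2; mode=$3
    # keep only the low three octal digits (drop setuid/setgid/sticky),
    # zero-padded so a mode such as "70" or "0" still yields three digits
    perms=$(printf '%03d' "$(printf '%s' "$mode" | tail -c 3)")
    u=$(printf '%s' "$perms" | cut -c1)
    g=$(printf '%s' "$perms" | cut -c2)
    o=$(printf '%s' "$perms" | cut -c3)
    if [ "$uid" = "$owner" ]; then bit=$u
    elif [ "$gid" = "$group" ]; then bit=$g
    else bit=$o
    fi
    if [ $(( bit & 2 )) -ne 0 ]; then echo yes; return 0; fi
    echo no; return 1
}

# demo: reproduce the two situations from the thread in a scratch directory.
# The directory owner stands in for the system UID; 10050 is a constructed
# UID from the normal app range (a platform_app with an arbitrary UID).
demo() {
    d=$(mktemp -d)
    app_uid=10050
    chmod 700 "$d"                    # like /data/system/ifw on 7.0: owner-only write
    r1=$(dac_can_write "$app_uid" "$app_uid" "$d" || true)            # no: neither owner nor group
    chmod 2770 "$d"                   # Stephen's group approach: group-writable, setgid
    r2=$(dac_can_write "$app_uid" "$(stat -c %g "$d")" "$d" || true)  # yes, once the app carries that gid
    rmdir "$d"
    echo "$r1 $r2"
}

demo
```

Running the script prints `no yes`: the first check is the Nougat failure Sava saw (no avc denial because the kernel never reached SELinux), the second is what the group-based setup buys once the app's process actually carries that gid. Real kernels also consult supplementary groups and let a process with CAP_DAC_OVERRIDE (root) bypass the bits entirely; the function deliberately models only the primary gid, which is the case an app UID is in.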
