Yes, this folder already exists in the system. If you place a file in a correct XML structure, it gets picked up by a file observer in IntentFirewall and thus enables filtering of application components. And yes, I want to have a dynamic way of handling disabled applications. As I said, this worked on my Marshmallow build, but now I have problems with Nougat. My initial implementation of the app uses the system UID, but I still get permission denied when I try to create a file.
2016-10-18 16:57 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>:
> On Oct 18, 2016 10:50, "Sava Mikalački" <mikalac...@gmail.com> wrote:
> >
> > I'm not sure how to answer the ownership question. I'm trying to allow my application to write files in data/system/ifw
>
> So this already exists, is this location for intent firewall policies?
>
> > which would be picked up by the IntentFilter and then block certain application components from executing.
>
> So you want a platform app that can dynamically add/modify a policy file for ifw?
>
> > I have existing code that does that and it worked on Marshmallow, but it's not working on Nougat because of that permission denied exception when creating a file in the data/system/ifw folder. Does that help out in your question?
> >
> > 2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
> >>
> >> On 10/18/2016 10:41 AM, Sava Mikalački wrote:
> >> > Thanks everyone for your quick answers. Yes, compilation worked once I defined the type in file.te. I will try this out and also will try with system_app, probably that's simpler as you said. What's confusing me is that I get a Permission denied exception when I try to create a file in that directory with a system app, but there is no SELinux AVC denial before the exception; it just fires the exception and that's it, so I'm worried whether changing the sepolicy would even work.
> >>
> >> What's the ownership and mode of the directory?
> >>
> >> >
> >> > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
> >> >
> >> >     On 10/18/2016 10:23 AM, William Roberts wrote:
> >> >     > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
> >> >     >>
> >> >     >> I'm trying to extend AOSP file_contexts by adding a new entry for /data/system/ifw. I've created a file_contexts under my vendor directory structure, but if I try to use the new label, the build crashes with unknown type. I'm
> >> >     >
> >> >     > You need to declare the type with the type keyword:
> >> >     >
> >> >     >     type system_data_ifw, file_type;
> >> >     >
> >> >     >> trying to enable a platform_app to write to data/system/ifw and here is what I have so far:
> >> >     >>
> >> >     >> file_contexts:
> >> >     >>     /data/system/ifw(/.*)?    u:object_r:system_data_ifw:s0
> >> >     >>
> >> >     >> platform_app.te:
> >> >     >>     allow platform_app system_data_ifw:file create_file_perms;
> >> >     >
> >> >     > Platform applications shouldn't be creating stuff around the system, they should stick to their sandbox. I can't recall offhand, but a neverallow I wrote might assert itself on that allow rule.
> >> >
> >> >     Probably not, since it is a new type he just defined. However, it occurs to me that DAC will be a problem for this use case, since platform apps can be assigned arbitrary UIDs and thus won't be able to pass the DAC checks on writing to /data/system/ifw unless you set up a group, map a permission to that group, assign that group to /data/system/ifw, and make it group-writable. Simpler if you use a system_app or some other fixed UID app instead, although that carries its own set of issues.
> >> >
> >> > --
> >> > I have only two questions: How much and give it to me.
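Stephen's question about ownership and mode, worked through as an added example that is not part of the thread: a small POSIX shell check that takes one line of `ls -ldZ` output and reports both the DAC write answer for a given uid and the SELinux type on the directory, once for the directory as it ships and once for the group-writable arrangement he describes. The sample lines, the group name `ifw_writers` and the app uid `u0_a123` are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads one line of `ls -ldZ` output
# and answers two questions: does a given uid pass the DAC write check on the
# directory (which explains EACCES with no AVC denial), and what SELinux type
# does the directory carry (which decides whether the allow rule applies)?
# Sample lines are constructed; ifw_writers and u0_a123 are hypothetical.

# Constructed: owned system:system, mode 0700, default data label.
BEFORE='drwx------ 2 system system u:object_r:system_data_file:s0 4096 2016-10-18 14:00 /data/system/ifw'
# Constructed: the suggested fix applied, a dedicated group, group-writable,
# and the new type from the thread's file_contexts entry.
AFTER='drwxrwx--- 2 system ifw_writers u:object_r:system_data_ifw:s0 4096 2016-10-18 14:00 /data/system/ifw'

# dac_can_write "<ls -ldZ line>" <uid name> "<space-separated group names>"
# Prints yes or no. Owner/group/other write bits are chars 3, 6 and 9 of
# the mode string ("drwxrwx---").
dac_can_write() {
    who=$2
    grps=$3
    set -- $1                      # split the ls line into its fields
    mode=$1; owner=$3; group=$4
    if [ "$who" = "$owner" ]; then
        bit=$(printf '%s\n' "$mode" | cut -c3)
    else
        bit=$(printf '%s\n' "$mode" | cut -c9)          # "other" bit by default
        for g in $grps; do                              # group bit if a member
            [ "$g" = "$group" ] && bit=$(printf '%s\n' "$mode" | cut -c6)
        done
    fi
    [ "$bit" = w ] && echo yes || echo no
}

# label_type "<ls -ldZ line>": the type field of the u:object_r:type:s0 context.
label_type() {
    set -- $1
    printf '%s\n' "$5" | cut -d: -f3
}

# Both checks must come out right: DAC first, then the label the rule names.
for line in "$BEFORE" "$AFTER"; do
    echo "type=$(label_type "$line")" \
         "system:$(dac_can_write "$line" system system)" \
         "u0_a123:$(dac_can_write "$line" u0_a123 'u0_a123 ifw_writers')"
done
```

On a device the same two functions can be fed the real line from `adb shell ls -ldZ /data/system/ifw` together with the uid and groups shown by `id` inside the app's process.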
_______________________________________________
Seandroid-list mailing list Seandroid-list@tycho.nsa.gov