On Oct 18, 2016 10:50, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>
> I'm not sure how to answer the ownership question. I'm trying to allow my
> application to write files in data/system/ifw

So this already exists, is this location for intent firewall policies?

> which would be picked up by the IntentFilter and then block certain
> application components from executing.

So you want a platform app that can dynamically add/modify a policy file
for ifw?

> I have existing code that does that and it worked on Marshmallow but it's
> not working on Nougat because of that permission denied exception when
> creating a file in data/system/ifw folder. Does that help out in your
> question?
>
> 2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>>
>> On 10/18/2016 10:41 AM, Sava Mikalački wrote:
>> > Thanks everyone for your quick answers. Yes, compilation worked once I
>> > defined the type in file.te. I will try this out and also will try with
>> > system_app, probably that's simpler as you said. What's confusing me is
>> > that I get a Permission denied exception when I try to create a file in
>> > that directory with a system app but there is no selinux avc denial
>> > before the exception, it just fires the exception and that's it, so I'm
>> > afraid changing the sepolicy wouldn't even work.
>>
>> What's the ownership and mode of the directory?
>>
>> >
>> > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>> >
>> >     On 10/18/2016 10:23 AM, William Roberts wrote:
>> >     > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>> >     >>
>> >     >> I'm trying to extend aosp file_contexts by adding a new entry for
>> >     >> /data/system/ifw. I've created a file_contexts under my vendor directory
>> >     >> structure but if I try to use the new label, build crashes with unknown
>> >     >> type. I'm
>> >     >
>> >     > You need to declare the type with the type keyword:
>> >     >
>> >     > type system_data_ifw, file_type;
>> >     >
>> >     >> trying to enable a platform_app to write to data/system/ifw and here is
>> >     >> what I have so far:
>> >     >> file_contexts:
>> >     >> /data/system/ifw(/.*)?  u:object_r:system_data_ifw:s0
>> >     >> platform_app.te:
>> >     >> allow platform_app system_data_ifw:file create_file_perms;
>> >     >
>> >     > Platform applications shouldn't be creating stuff around the system,
>> >     > they should stick to their sandbox. I can't recall offhand, but a
>> >     > neverallow I wrote might assert itself on that allow rule.
>> >
>> >     Probably not since it is a new type he just defined.  However, it occurs
>> >     to me that DAC will be a problem for this use case, since platform apps
>> >     can be assigned arbitrary UIDs and thus won't be able to pass the DAC
>> >     checks on writing to /data/system/ifw unless you set up a group, map a
>> >     permission to that group, assign that group to /data/system/ifw, and
>> >     make it group-writable.  Simpler if you use a system_app or some other
>> >     fixed UID app instead, although that carries its own set of issues.
>> >
>> > --
>> > I have only two questions: How much and give it to me.
>>
>
>
>
> --
> I have only two questions: How much and give it to me.
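The symptom described in this thread, a Permission denied exception with no avc denial anywhere, is what a DAC failure looks like: the kernel's inode permission check evaluates the owner/group/other mode bits first and only calls the SELinux hook if those pass, so a denial at the DAC stage never reaches the AVC and never gets logged. The Python below is an added model of that ordering, not code from the thread, from AOSP or from Sava's app. The directory's owner and mode (system:system, 0775), the per-app uid 10057, the AID_IFW_WRITER group and the policy text are constructed for the example, the macro table is a hand-expanded subset of AOSP's global_macros, and the "policy" is only the allow rules the model parses, not a device's full policy. It also includes the dir rules (search/write/add_name) that creating a file needs on top of the file rule posted in the thread, and shows Stephen's group-based DAC workaround as the fourth case.

```python
"""Model of the kernel's permission-check order when an app creates a file
in /data/system/ifw.  DAC (owner/group/other mode bits) is evaluated first;
the SELinux hook runs only if DAC passed, so a DAC failure returns EACCES
without any avc denial being logged.  Directory owner/mode, uids, the
AID_IFW_WRITER group and the policy text below are constructed examples."""
import re
from dataclasses import dataclass

AID_SYSTEM = 1000       # Android "system" uid/gid
AID_IFW_WRITER = 2950   # constructed: hypothetical group for the group-writable workaround

# Vendor policy fragments in the thread's style (constructed).  Only 'allow'
# lines are parsed; the type declaration and file_contexts entry are shown
# so the three pieces can be read together.
VENDOR_POLICY = """
type system_data_ifw, file_type;                         # file.te
# /data/system/ifw(/.*)?   u:object_r:system_data_ifw:s0   (file_contexts)
allow system_app system_data_ifw:dir rw_dir_perms;       # system_app.te
allow system_app system_data_ifw:file create_file_perms;
allow platform_app system_data_ifw:dir rw_dir_perms;     # platform_app.te
allow platform_app system_data_ifw:file create_file_perms;
"""
# A rule like the thread's: file permissions only, nothing on the directory.
FILE_ONLY_POLICY = "allow system_app system_data_ifw:file create_file_perms;"

# Hand-expanded subset of AOSP global_macros; enough for the rules above.
MACROS = {
    "rw_dir_perms": {"open", "getattr", "read", "search", "ioctl", "lock",
                     "write", "add_name", "remove_name"},
    "create_file_perms": {"create", "rename", "setattr", "unlink", "open",
                          "getattr", "read", "write", "append", "ioctl", "lock"},
}
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow_rules(te):
    """Return the set of (domain, type, class, perm) granted by 'allow' lines."""
    rules = set()
    for line in te.splitlines():
        m = ALLOW.match(line)
        if not m:
            continue
        src, tgt, cls, perms = m.groups()
        for word in perms.strip("{} ").split():
            for perm in MACROS.get(word, {word}):
                rules.add((src, tgt, cls, perm))
    return rules

@dataclass(frozen=True)
class Dir:
    path: str
    uid: int
    gid: int
    mode: int    # permission bits only, e.g. 0o775
    type_: str   # SELinux type of the directory

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset   # primary plus supplementary groups
    domain: str       # SELinux domain

def dac_allows_write(d, p):
    """generic_permission(): owner bits if the uid matches, else group bits
    if any gid matches, else other bits.  Creating an entry needs write."""
    if p.uid == d.uid:
        return bool(d.mode & 0o200)
    if d.gid in p.gids:
        return bool(d.mode & 0o020)
    return bool(d.mode & 0o002)

def create_file(d, p, policy, avc_log):
    """Return 'OK' or the stage that failed.  An avc line is appended only
    when the SELinux hook actually ran and denied, as inode_permission() does."""
    if not dac_allows_write(d, p):
        return "EACCES:DAC"          # kernel never consulted SELinux
    # New file inherits the directory's type (no type_transition declared).
    needed = [("dir", "search"), ("dir", "write"), ("dir", "add_name"), ("file", "create")]
    for cls, perm in needed:
        if (p.domain, d.type_, cls, perm) not in policy:
            avc_log.append(f"avc: denied {{ {perm} }} for scontext=u:r:{p.domain}:s0 "
                           f"tcontext=u:object_r:{d.type_}:s0 tclass={cls} permissive=0")
            return "EACCES:SELinux"
    return "OK"

def run_scenarios():
    """Four cases from the thread; returns {name: (result, number of avc lines)}."""
    policy = parse_allow_rules(VENDOR_POLICY)
    ifw = Dir("/data/system/ifw", AID_SYSTEM, AID_SYSTEM, 0o775, "system_data_ifw")
    platform_app = Proc(10057, frozenset({10057}), "platform_app")   # arbitrary app uid
    system_app = Proc(AID_SYSTEM, frozenset({AID_SYSTEM}), "system_app")
    out = {}
    log = []   # 1. platform app vs. system-owned dir: DAC fails, avc log stays empty
    out["platform_app"] = (create_file(ifw, platform_app, policy, log), len(log))
    log = []   # 2. system_app owns the dir and policy grants dir+file perms
    out["system_app"] = (create_file(ifw, system_app, policy, log), len(log))
    log = []   # 3. system_app with the file-only rule: DAC passes, then avc denial on the dir
    out["system_app_file_only"] = (create_file(ifw, system_app, parse_allow_rules(FILE_ONLY_POLICY), log), len(log))
    # 4. Stephen's workaround: group-owned, group-writable dir, app placed in that group
    ifw_grp = Dir(ifw.path, AID_SYSTEM, AID_IFW_WRITER, 0o770, ifw.type_)
    platform_app_grp = Proc(10057, frozenset({10057, AID_IFW_WRITER}), "platform_app")
    log = []
    out["platform_app_group"] = (create_file(ifw_grp, platform_app_grp, policy, log), len(log))
    return out

if __name__ == "__main__":
    for name, (result, n_avc) in run_scenarios().items():
        print(f"{name:22s} {result:15s} avc lines: {n_avc}")
```

The practical check on a device follows the same order: look at `ls -ldZ /data/system/ifw` (owner, group, mode and label) and the app's uid/groups before reading the avc log, because case 1 above produces no avc line at all. Case 3 is the one that does produce a denial, and it is what the thread's file-only allow rule would hit once DAC is satisfied.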
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.