On Oct 18, 2016 11:01, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>
> Yes, this folder already exists in the system. If you place a file in a correct XML structure, it gets picked up by a file observer in IntentFirewall and thus enables filtering of application components. And yes, I want to have a dynamic way of handling disabled applications. As I said, this worked on my Marshmallow build but now I have problems with Nougat. My initial implementation of the app uses the system UID but I still get permission denied when I try to create a file.

I would imagine a system app can already do that with respect to DAC and SELinux permissions. If you revert everything and run your app as a system app, what happens? Granted, I'm not 100% sure offhand if you should be doing this with respect to Android compatibility concerns, but that's not my problem.

> 2016-10-18 16:57 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>:
>>
>> On Oct 18, 2016 10:50, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>> >
>> > I'm not sure how to answer the ownership question. I'm trying to allow my application to write files in data/system/ifw
>>
>> So this already exists, is this location for intent firewall policies?
>>
>> > which would be picked up by the IntentFilter and then block certain application components from executing.
>>
>> So you want a platform app that can dynamically add/modify a policy file for ifw?
>>
>> > I have existing code that does that and it worked on Marshmallow but it's not working on Nougat because of that permission denied exception when creating a file in the data/system/ifw folder. Does that help out in your question?
>> >
>> > 2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>> >>
>> >> On 10/18/2016 10:41 AM, Sava Mikalački wrote:
>> >> > Thanks everyone for your quick answers. Yes, compilation worked once I defined the type in file.te. I will try this out and also will try with system_app, probably that's simpler as you said. What's confusing me is that I get a Permission denied exception when I try to create a file in that directory with a system app but there is no SELinux avc denial before the exception, it just fires the exception and that's it, so I'm afraid that changing the sepolicy wouldn't even work.
>> >>
>> >> What's the ownership and mode of the directory?
>> >>
>> >> > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>> >> >
>> >> >     On 10/18/2016 10:23 AM, William Roberts wrote:
>> >> >     > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>> >> >     >>
>> >> >     >> I'm trying to extend aosp file_contexts by adding a new entry for /data/system/ifw. I've created a file_contexts under my vendor directory structure but if I try to use the new label, build crashes with unknown type. I'm
>> >> >     >
>> >> >     > You need to declare the type with the type keyword:
>> >> >     >
>> >> >     >     type system_data_ifw, file_type;
>> >> >     >
>> >> >     >> trying to enable a platform_app to write to data/system/ifw and here is what I have so far:
>> >> >     >>
>> >> >     >> file_contexts:
>> >> >     >>     /data/system/ifw(/.*)? u:object_r:system_data_ifw:s0
>> >> >     >>
>> >> >     >> platform_app.te:
>> >> >     >>     allow platform_app system_data_ifw:file create_file_perms;
>> >> >     >
>> >> >     > Platform applications shouldn't be creating stuff around the system, they should stick to their sandbox. I can't recall offhand, but a neverallow I wrote might assert itself on that allow rule.
>> >> >
>> >> >     Probably not since it is a new type he just defined. However, it occurs to me that DAC will be a problem for this use case, since platform apps can be assigned arbitrary UIDs and thus won't be able to pass the DAC checks on writing to /data/system/ifw unless you set up a group, map a permission to that group, assign that group to /data/system/ifw, and make it group-writable. Simpler if you use a system_app or some other fixed UID app instead, although that carries its own set of issues.
>> >> >
>> >> > --
>> >> > I have only two questions: How much and give it to me.
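The thread turns on two separate checks that a "Permission denied" can come from: the DAC check on the directory's owner, group and mode, which the kernel evaluates before the SELinux hook and which therefore produces no avc denial when it fails, and the SELinux rules a domain needs to create a file in a directory of a given type. The following is an added example, not code from this thread or from AOSP: a small helper that parses the thread's `.te` lines (rejecting an allow rule whose target type was never declared, like the "unknown type" build failure) and then reports which of the two checks would reject a create. The `.te` parser, the macro expansions, the `u0_a42` app UID, the extra `system_app` rules and the 0700 mode of /data/system/ifw are assumptions constructed for the example; the `type` declaration, the file_contexts label and the `platform_app` allow rule are the ones quoted above.

```python
"""Triage an EACCES on file creation under an Android data directory by
separating the DAC (owner/group/mode) check from the SELinux (MAC) check.
Added example: a hypothetical helper, not code from the thread or from AOSP.
The policy lines, UIDs and the directory mode below are constructed."""
import re
import stat
from dataclasses import dataclass, field

# Approximate expansions of the AOSP global_macros used here; only the
# permissions this example checks need to be exact: dir {write add_name search}
# and file {create}.
MACROS = {
    "create_file_perms": {"create", "rename", "setattr", "unlink", "open",
                          "read", "write", "append", "getattr", "ioctl", "lock"},
    "w_dir_perms": {"open", "search", "write", "add_name", "remove_name"},
}

TYPE_RE = re.compile(r"^\s*type\s+(\w+)", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


@dataclass
class Policy:
    types: set = field(default_factory=set)
    rules: dict = field(default_factory=dict)  # (domain, type, class) -> perms


def parse_policy(text, known_types=("system_data_file",)):
    """Parse a tiny .te fragment. An allow rule naming a type that no `type`
    statement declares is rejected, like the "unknown type" build failure."""
    pol = Policy(types=set(TYPE_RE.findall(text)) | set(known_types))
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        if tgt not in pol.types:
            raise ValueError("unknown type %s: declare it with `type %s, file_type;`" % (tgt, tgt))
        names = perms.strip("{}").split() if perms.startswith("{") else [perms]
        granted = set()
        for name in names:
            granted |= MACROS.get(name, {name})
        pol.rules.setdefault((src, tgt, cls), set()).update(granted)
    return pol


@dataclass
class Directory:
    owner: str
    group: str
    mode: int      # permission bits only, e.g. 0o700
    setype: str    # SELinux type assigned by file_contexts


@dataclass
class Process:
    uid: str       # Android user name: "system", or "u0_a42" for an app UID
    groups: set
    domain: str    # SELinux domain: "platform_app", "system_app", ...


def dac_allows_create(proc, d):
    """DAC needs write and search on the parent directory to add an entry.
    CAP_DAC_OVERRIDE is ignored because Android apps do not run as root."""
    if proc.uid == d.owner:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif d.group in proc.groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return d.mode & need == need


def mac_missing(pol, proc, d):
    """SELinux permissions still missing for creating a file that inherits the
    directory's type (no type_transition): dir {write add_name search}, file {create}."""
    have_dir = pol.rules.get((proc.domain, d.setype, "dir"), set())
    have_file = pol.rules.get((proc.domain, d.setype, "file"), set())
    return {"dir": {"write", "add_name", "search"} - have_dir,
            "file": {"create"} - have_file}


def triage(pol, proc, d):
    """Return (verdict, detail). The kernel evaluates DAC before the LSM hook,
    so a DAC failure logs no avc denial, whereas a SELinux failure does."""
    if not dac_allows_create(proc, d):
        return ("dac", "no avc denial expected: %s:%s mode %04o, caller uid %s groups %s"
                % (d.owner, d.group, d.mode, proc.uid, sorted(proc.groups)))
    missing = {c: sorted(p) for c, p in mac_missing(pol, proc, d).items() if p}
    if missing:
        return ("selinux", "avc denial expected: %s lacks %s on %s"
                % (proc.domain, missing, d.setype))
    return ("allowed", "both DAC and SELinux permit the create")


# The type declaration and allow rule quoted in the thread.
THREAD_POLICY = """
type system_data_ifw, file_type;
allow platform_app system_data_ifw:file create_file_perms;
"""
# Constructed follow-up rules for a fixed-UID system_app (not from the thread).
SYSTEM_APP_RULES = """
allow system_app system_data_ifw:dir w_dir_perms;
allow system_app system_data_ifw:file create_file_perms;
"""
# Constructed: a system-owned 0700 directory carrying the thread's label.
IFW_DIR = Directory(owner="system", group="system", mode=0o700, setype="system_data_ifw")
PLATFORM_APP = Process(uid="u0_a42", groups={"u0_a42"}, domain="platform_app")
SYSTEM_APP = Process(uid="system", groups={"system"}, domain="system_app")

if __name__ == "__main__":
    pol = parse_policy(THREAD_POLICY)
    print(triage(pol, PLATFORM_APP, IFW_DIR))
    print(triage(pol, SYSTEM_APP, IFW_DIR))
    print(triage(parse_policy(THREAD_POLICY + SYSTEM_APP_RULES), SYSTEM_APP, IFW_DIR))
```

Run stand-alone, the three calls show the three outcomes: the arbitrary-UID platform app is stopped by DAC before SELinux is consulted (hence no avc denial in logcat), the system-UID app passes DAC but has no rules for its `system_app` domain, and the same app with `dir` and `file` rules on `system_data_ifw` is allowed. The `dac_allows_create` helper also covers the group-based alternative mentioned above: a directory with a dedicated group and a group-writable mode passes for any UID that is a member of that group.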
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.