On Oct 18, 2016 11:08, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 10/18/2016 10:56 AM, Stephen Smalley wrote:
> > On 10/18/2016 10:49 AM, Sava Mikalački wrote:
> >> I'm not sure how to answer the ownership question. I'm trying to allow
> >> my application to write files in data/system/ifw which would be picked
> >> up by the IntentFilter and then block certain application components
> >> from executing. I have existing code that does that and it worked on
> >> Marshmallow but it's not working on Nougat because of that permission
> >> denied exception when creating a file in data/system/ifw folder. Does
> >> that help out in your question?
> >
> > On a device running 7.0, ls -ld /data/system/ifw shows that it is owned
> > by the system UID and is only writable by owner. So your app has to run
> > with the system UID (and thus would be system_app) in order to write
> > there. I don't really think that's new to 7.0 though.
>
> What is new to 7.0 is that system_app is no longer allowed to
> create/write to system_data_file, which is the default type on
> /data/system/ifw. So SELinux would deny those attempts (but you should
> get avc messages in logcat / dmesg).

That's fantastic, I didn't notice that change. System apps have been spewing stuff around system long enough IMO.

>
> ls -lZd /data/system/ifw and ps -eZ | grep <name-of-your-app> might be
> interesting.
>
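The avc messages mentioned in the thread above can be filtered for exactly this denial (source type system_app, target type system_data_file). The following is an added example, not part of the original thread: the log lines are constructed, and the package names, PIDs and inode numbers in them are hypothetical.

```python
import re

# Constructed sample lines in logcat style (not captured from a real device).
SAMPLE_LOG = """\
10-18 11:02:13.101  4321  4321 W example.app: type=1400 audit(0.0:215): avc: denied { write } for name="ifw" dev="dm-0" ino=1234 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
10-18 11:02:13.230  4321  4321 W example.app: type=1400 audit(0.0:216): avc: denied { create } for name="rules.xml" scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
10-18 11:02:14.002  5555  5555 W other.app: type=1400 audit(0.0:217): avc: denied { read } for name="stats" dev="proc" ino=99 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
10-18 11:02:15.000  4321  4321 I example.app: started
"""

# "avc: denied { perm ... } for key=value ..." as emitted by the kernel audit code.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one avc denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level[:categories]; the type is field 3.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def find_denials(log, source_type='system_app', target_type='system_data_file'):
    """Collect denials where source_type was refused access to target_type."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec['scontext_type'] == source_type \
                and rec['tcontext_type'] == target_type:
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for d in find_denials(SAMPLE_LOG):
        print(d.get('name'), d.get('tclass'), d['perms'], 'permissive=' + d.get('permissive', '?'))
```
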