On Oct 18, 2016 11:08, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>
> On 10/18/2016 10:56 AM, Stephen Smalley wrote:
> > On 10/18/2016 10:49 AM, Sava Mikalački wrote:
> >> I'm not sure how to answer the ownership question. I'm trying to allow
> >> my application to write files in data/system/ifw which would be picked
> >> up by the IntentFilter and then block certain application components
> >> from executing. I have existing code that does that and it worked on
> >> Marshmallow but its not working on Nougat because of that permission
> >> denied exception when creating a file in data/system/ifw folder. Does
> >> that help out in your question?
> >
> > On a device running 7.0, ls -ld /data/system/ifw shows that it is owned
> > by the system UID and is only writable by owner.  So your app has to run
> > with the system UID (and thus would be system_app) in order to write
> > there.  I don't really think that's new to 7.0 though.
>
> What is new to 7.0 is that system_app is no longer allowed to
> create/write to system_data_file, which is the default type on
> /data/system/ifw.  So SELinux would deny those attempts (but you should
> get avc messages in logcat / dmesg).

That's fantastic, I didn't notice that change. System apps have been
spewing stuff around system long enough IMO.

>
> ls -lZd /data/system/ifw and ps -eZ | grep <name-of-your-app> might be
> interesting.
>
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Reply via email to