On Oct 18, 2016 11:43, "Sava Mikalački" <mikalac...@gmail.com> wrote:
>
> Yup, exactly as Stephen said. When I set my app to share the system uid, I do get the following denial:
> type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" ino=678613 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
>
> Here is the output of the commands Stephen pointed out:
> $ ls -lZd /data/system/ifw
> drwx------ 2 system system u:object_r:system_data_file:s0 4096 1971-01-02 12:23 /data/system/ifw
>
> $ ps -eZ | grep com.ariel.guardian
> system    4017  503   1588756 68980 SyS_epoll_ 768b37aa74 S com.ariel.guardian
>
> So, if I create a new file type label and assign an allow rule to system_app for this file type, would that (at least in theory) work?

Yes.

>
>
> 2016-10-18 17:13 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>:
>>
>> On Oct 18, 2016 11:08, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
>> >
>> > On 10/18/2016 10:56 AM, Stephen Smalley wrote:
>> > > On 10/18/2016 10:49 AM, Sava Mikalački wrote:
>> > >> I'm not sure how to answer the ownership question. I'm trying to allow my application to write files in data/system/ifw which would be picked up by the IntentFilter and then block certain application components from executing. I have existing code that does that and it worked on Marshmallow but it's not working on Nougat because of that permission denied exception when creating a file in the data/system/ifw folder. Does that help out with your question?
>> > >
>> > > On a device running 7.0, ls -ld /data/system/ifw shows that it is owned by the system UID and is only writable by owner.  So your app has to run with the system UID (and thus would be system_app) in order to write there.  I don't really think that's new to 7.0 though.
>> >
>> > What is new to 7.0 is that system_app is no longer allowed to
>> > create/write to system_data_file, which is the default type on
>> > /data/system/ifw.  So SELinux would deny those attempts (but you should
>> > get avc messages in logcat / dmesg).
>>
>> That's fantastic, I didn't notice that change. System apps have been spewing stuff around system long enough IMO.
>>
>> >
>> > ls -lZd /data/system/ifw and ps -eZ | grep <name-of-your-app> might be
>> > interesting.
>> >
>
>
>
>
> --
> I have only two questions: How much and give it to me.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.
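Policy sketch for the approach agreed on above (a dedicated type for /data/system/ifw, with allow rules scoped to that type rather than reopening system_data_file to system_app); this is an added example, not code from the thread or from AOSP. The type name ifw_data_file and the type_transition are assumptions; the attributes and permission macros are the standard AOSP ones, and the system_server rules assume IntentFirewall still needs to create and read the directory after the relabel.

```sepolicy
# Added example, not from the thread or from AOSP itself.
# Assumed type name: ifw_data_file. Everything else uses standard AOSP
# policy attributes and macros; check against the policy tree you build.

# --- file.te: a dedicated type for /data/system/ifw.
# Keeping data_file_type means the data-wide rules and neverallows that
# already cover system_data_file also cover this type.
type ifw_data_file, file_type, data_file_type;

# --- file_contexts: label the directory and everything beneath it.
/data/system/ifw(/.*)?    u:object_r:ifw_data_file:s0

# --- system_app.te: grant access to this one directory only, so the
# Nougat restriction on system_data_file stays in force everywhere else.
allow system_app ifw_data_file:dir create_dir_perms;
allow system_app ifw_data_file:file create_file_perms;

# --- system_server.te: IntentFirewall runs inside system_server and
# creates/reads/watches the rule directory (assumed still required after
# the relabel; confirm with the avc messages in logcat / dmesg).
allow system_server ifw_data_file:dir create_dir_perms;
allow system_server ifw_data_file:file create_file_perms;

# If system_server recreates the directory under /data/system, give it the
# new label instead of inheriting system_data_file from the parent
# (name-based transition; assumed supported by the target kernel's policy).
type_transition system_server system_data_file:dir ifw_data_file "ifw";
```

On a device that already has the directory, the existing inode keeps its old label until it is relabeled, so run restorecon -R /data/system/ifw once (or reflash) and check that the denial quoted above no longer appears.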
