On Oct 18, 2016 11:43, "Sava Mikalački" <mikalac...@gmail.com> wrote: > > Yup, exactly as Stephen said. When I set my app to share the system uid, I do get the following denial: > type=1400 audit(0.0:15): avc: denied { write } for name="ifw" dev="dm-0" ino=678613 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0 > > Here is the output of the commands Stephen pointed out: > $ ls -lZd /data/system/ifw > drwx------ 2 system system u:object_r:system_data_file:s0 4096 1971-01-02 12:23 /data/system/ifw > > $ ps -eZ | grep com.ariel.guardian > system 4017 503 1588756 68980 SyS_epoll_ 768b37aa74 S com.ariel.guardian > > So, if I create a new file type label and assign allow rule to the system_app for this file type, would that (at least in theory) work?
Yes. > > > 2016-10-18 17:13 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>: >> >> On Oct 18, 2016 11:08, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: >> > >> > On 10/18/2016 10:56 AM, Stephen Smalley wrote: >> > > On 10/18/2016 10:49 AM, Sava Mikalački wrote: >> > >> I'm not sure how to answer the ownership question. I'm trying to allow >> > >> my application to write files in data/system/ifw which would be picked >> > >> up by the IntentFilter and then block certain application components >> > >> from executing. I have existing code that does that and it worked on >> > >> Marshmallow but its not working on Nougat because of that permission >> > >> denied exception when creating a file in data/system/ifw folder. Does >> > >> that help out in your question? >> > > >> > > On a device running 7.0, ls -ld /data/system/ifw shows that it is owned >> > > by the system UID and is only writable by owner. So your app has to run >> > > with the system UID (and thus would be system_app) in order to write >> > > there. I don't really think that's new to 7.0 though. >> > >> > What is new to 7.0 is that system_app is no longer allowed to >> > create/write to system_data_file, which is the default type on >> > /data/system/ifw. So SELinux would deny those attempts (but you should >> > get avc messages in logcat / dmesg). >> >> That's fantastic, I didn't notice that change. System apps have been spewing stuff around system long enough IMO. >> >> > >> > ls -lZd /data/system/ifw and ps -eZ | grep <name-of-your-app> might be >> > interesting. >> > > > > > > -- > I have only two questions: How much and give it to me.
_______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.