If AnyConnect is touching iptables directly, then you're running a rooted version of the application. I would recommend you use one that makes use of Android's VPNService. I would also discourage use of vpn_app, as that will probably go away in the future. All 3rd party apps should run in untrusted, unless you're doing some tightly coupled integration or running rooted apps that require additional permissions.
On Mon, Oct 28, 2013 at 3:17 PM, Tai Nguyen (tainguye) <[email protected]> wrote:
> Hi all,
>
> Has anyone created rules to support the AnyConnect VPN app yet? I see the
> following rules in the seandroid 4.2 branch:
>
> #
> # 3rd party VPN clients that have seinfo=vpn in mac_permissions.xml
> # This is a more secure alternative to allowing untrusted_app access
> # to create a VPN tunnel.
> type vpn_app, domain;
> app_domain(vpn_app)
> net_domain(vpn_app)
> allow vpn_app tun_device:chr_file rw_file_perms;
> allow vpn_app system_data_file:file { execute open };
> allow vpn_app qtaguid_device:chr_file r_file_perms;
> allow vpn_app vpn_app_data_file:dir create_dir_perms;
> allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
> allow vpn_app vpn_app:netlink_route_socket write;
>
> However, I don't think this is complete, since the AnyConnect app needs to
> configure iptables.
>
> Thanks,
> Tai

--
Respectfully,
William C Roberts
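The quoted policy comment says vpn_app is reached by tagging the client's signing certificate with seinfo=vpn in mac_permissions.xml; the second half of that mapping is a seapp_contexts entry routing seinfo=vpn to domain=vpn_app, and an untagged third-party signer falls through to untrusted_app. The following is an added example, not code from this thread or from the SEAndroid project, that walks both files end to end. The file formats are the ones those two files use; the certificate hex strings, the exact seapp_contexts entries and the package name are constructed, and the matcher is a simplified version of what libselinux does (every selector an entry names must match exactly, the most specific entry wins, and two equally specific matches are rejected).

```python
"""Resolve the SELinux domain an Android app process gets.

Two inputs drive the decision on SEAndroid of the 4.2/4.3 era:
  * mac_permissions.xml maps an APK signing certificate to an `seinfo` tag,
    with a <default> tag for signers it does not list;
  * seapp_contexts maps selectors (user=, seinfo=, name=) to domain= and
    type=; the most specific matching entry wins.
Certificate values and entries below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed mac_permissions.xml: two tagged signers plus a default.
MAC_PERMISSIONS_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy>
  <signer signature="308201aa0001">
    <seinfo value="platform" />
  </signer>
  <signer signature="308201aa0002">
    <seinfo value="vpn" />
  </signer>
  <default>
    <seinfo value="default" />
  </default>
</policy>
"""

# Constructed seapp_contexts. The first entry names no seinfo= selector, so it
# matches any seinfo value: that is the path an unknown third-party signer takes.
# `user=_app` is treated here as a literal selector; real libselinux expands it
# to "any ordinary app UID" (simplification for this example).
SEAPP_CONTEXTS = """
user=_app domain=untrusted_app type=app_data_file
user=_app seinfo=platform domain=platform_app type=platform_app_data_file
user=_app seinfo=vpn domain=vpn_app type=vpn_app_data_file
"""

SELECTOR_KEYS = ("user", "seinfo", "name")


def seinfo_for_signer(xml_text, cert_hex):
    """Return the seinfo tag for a signing certificate, or the <default> tag."""
    root = ET.fromstring(xml_text)
    for signer in root.findall("signer"):
        if signer.get("signature", "").lower() == cert_hex.lower():
            tag = signer.find("seinfo")
            return tag.get("value") if tag is not None else None
    default = root.find("default/seinfo")
    return default.get("value") if default is not None else None


def parse_seapp_contexts(text):
    """Parse key=value lines into dicts; blank lines and # comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        if "domain" not in fields:
            raise ValueError("seapp_contexts entry without domain=: %r" % raw)
        entries.append(fields)
    return entries


def _rank(entry):
    # Specificity: how many selector keys the entry constrains.
    return sum(1 for k in SELECTOR_KEYS if k in entry)


def resolve_context(entries, user, seinfo, name=None):
    """Pick the most specific entry whose selectors all match; return (domain, type)."""
    request = {"user": user, "seinfo": seinfo, "name": name}
    matches = [e for e in entries
               if all(e[k] == request[k] for k in SELECTOR_KEYS if k in e)]
    if not matches:
        raise LookupError("no seapp_contexts entry matches %r" % request)
    matches.sort(key=_rank, reverse=True)
    if len(matches) > 1 and _rank(matches[0]) == _rank(matches[1]):
        raise ValueError("ambiguous seapp_contexts entries for %r" % request)
    return matches[0]["domain"], matches[0].get("type")


def domain_for_app(cert_hex, package_name=None,
                   xml_text=MAC_PERMISSIONS_XML, contexts=SEAPP_CONTEXTS):
    """End to end: signing certificate -> seinfo -> (domain, data type) for an app UID."""
    seinfo = seinfo_for_signer(xml_text, cert_hex)
    return resolve_context(parse_seapp_contexts(contexts),
                           user="_app", seinfo=seinfo, name=package_name)


if __name__ == "__main__":
    for cert, pkg in (("308201aa0002", "com.example.vpn"),
                      ("308201aa0001", None),
                      ("deadbeef", "com.example.other")):
        print(cert, pkg, "->", domain_for_app(cert, pkg))
```

Only the signer tagged vpn reaches vpn_app; any certificate absent from mac_permissions.xml gets the default tag and ends up in untrusted_app, which is the behaviour the reply above recommends for third-party apps.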
