On 10/28/2013 06:17 PM, Tai Nguyen (tainguye) wrote:
> Hi all,
>
> Has anyone created rules to support AnyConnect VPN app yet? I see the
> following rules in seandroid 4.2 branch
>
> #
> # 3rd party VPN clients that have seinfo=vpn in mac_permissions.xml
> # This is a more secure alternative to allowing untrusted_app access
> # to create a VPN tunnel.
> type vpn_app, domain;
> app_domain(vpn_app)
> net_domain(vpn_app)
> allow vpn_app tun_device:chr_file rw_file_perms;
> allow vpn_app system_data_file:file { execute open };
> allow vpn_app qtaguid_device:chr_file r_file_perms;
> allow vpn_app vpn_app_data_file:dir create_dir_perms;
> allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
> allow vpn_app vpn_app:netlink_route_socket write;
>
> However, I don't think this is complete since the AnyConnect app needs to
> configure iptables.
Those rules were contributed by Joshua Brindle for the AnyConnect VPN
app. But as Bill points out, a regular app can't configure iptables.
We reverted vpn_app from our policy back in March (even from the
seandroid-4.2 branch, so if you have an up-to-date clone, it shouldn't
be there) as part of moving away from any per-app domains in the default
policy. You are of course free to revive it and tailor your
configuration for your specific set of apps, particularly for any
pre-installed ones, but it wasn't suitable for a general purpose policy.
--
This message was distributed to subscribers of the seandroid-list mailing list.
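For anyone reviving vpn_app as the reply suggests, here is an added example (not code from the thread or the seandroid tree) of the three pieces that tie the quoted domain to an app: the seinfo tag in mac_permissions.xml, the seapp_contexts mapping, and the type declarations the quoted rules rely on. The signer hex and the vpn_app_data_file declaration are assumptions; the allow rules are the ones quoted above.

```text
# --- vpn_app.te (device sepolicy overlay) ---
# Domain for pre-installed VPN clients tagged seinfo=vpn.
type vpn_app, domain;
# Assumed: a private data type so the app's files are not plain app_data_file.
type vpn_app_data_file, file_type, data_file_type;
app_domain(vpn_app)
net_domain(vpn_app)
allow vpn_app tun_device:chr_file rw_file_perms;
allow vpn_app system_data_file:file { execute open };
allow vpn_app qtaguid_device:chr_file r_file_perms;
allow vpn_app vpn_app_data_file:dir create_dir_perms;
allow vpn_app vpn_app_data_file:notdevfile_class_set create_file_perms;
allow vpn_app vpn_app:netlink_route_socket write;
# Nothing here grants netfilter/iptables control; as the reply notes,
# that is why the domain alone was not sufficient for AnyConnect.

# --- seapp_contexts ---
# Apps whose signer carries seinfo=vpn run in vpn_app and get
# vpn_app_data_file for their /data/data directory.
user=_app seinfo=vpn domain=vpn_app type=vpn_app_data_file

# --- mac_permissions.xml ---
# The signature is the hex-encoded DER certificate of the VPN app's signer
# (placeholder below; take it from the actual APK, never from a third party).
<?xml version="1.0" encoding="utf-8"?>
<policy>
    <signer signature="PLACEHOLDER_HEX_OF_VPN_APP_SIGNING_CERT">
        <seinfo value="vpn" />
    </signer>
    <default>
        <seinfo value="default" />
    </default>
</policy>
```

After installing the app, `ps -Z` on the device should show its process in `u:r:vpn_app:s0`; if it still shows `untrusted_app`, the signer block did not match the APK's certificate.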