On 10/29/2013 11:52 AM, Tai Nguyen (tainguye) wrote:
> It seems like Android provides a permission/groupID that can have the NET_RAW 
> capability, thus allowing the app to use the iptables command without running as 
> root. So, in this case, although the app has the right Android permission to 
> gain the NET_RAW capability, we still need to have a rule to allow the VPN app 
> the {net_admin, net_raw} capabilities, right?

You mean net_admin?

That's a signature permission, so the app would have to be signed with
the platform certificate.  Not available to a third party app.

And yes, you would have to allow the net_admin capability in the policy,
e.g.
allow vpn_app self:capability net_admin;

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
