Also, you can put the files under vendor/<oem>/common/sepolicy instead and just define

BOARD_SEPOLICY_DIRS += vendor/<oem>/common/sepolicy
BOARD_SEPOLICY_UNION += mac_permissions.xml seapp_contexts

in your device-partial.mk or other similar .mk file instead to keep it with the app itself.

On 12/12/2014 08:25 AM, Stephen Smalley wrote:
> You can create your own seapp_contexts, mac_permissions.xml, and
> optionally keys.conf files with only the stanzas for your seinfo value
> and your app's signer and package name, put them in a
> device/vendor/board/sepolicy subdirectory, and define
> BOARD_SEPOLICY_DIRS += device/vendor/board/sepolicy
> BOARD_SEPOLICY_UNION += mac_permissions.xml seapp_contexts
> in your BoardConfig.mk file.
>
> See the external/sepolicy files for the syntax of each file.
> The build process will automatically combine the contents of the files
> you specify with BOARD_SEPOLICY_UNION with the external/sepolicy files
> to produce the final files for the device.
>
> In our branches (seandroid-5.0.1 or seandroid), we have a tool called
> "setool" that can be used to generate stanzas for mac_permissions.xml
> from a given apk file, but you can also just do it by hand.
>
> On 12/12/2014 06:02 AM, Pankaj Kushwaha wrote:
>> Hi,
>>
>> In my case, our app is a 3rd party app which will be pre-built (part of
>> system.img) and will be uploaded on google play as well for any updates
>> (just like gmail, google maps, etc).
>>
>> So there are no chances that anyone else will install app with same
>> package name.
>> Will there be any other consequences if I revert these two patches ?
>>
>> Also can you please guide me on how to add a new signer for my app ?
>> Because my apk doesn't have any .mk file so how will the system know
>> that app has to pick which seinfo from mac_permissions.xml ?
>> I just keep my signed apk in vendor/<oem>/common/apps/ folder.
>>
>> Thanks
>> Pankaj Kushwaha
>>
>> On Thu, Dec 11, 2014 at 8:18 PM, Stephen Smalley wrote:
>>
>>     Correct. We simply want to preclude the unsafe practice of assigning
>>     domain by package name only, as anyone can create an app with any
>>     package name, and first one to be installed with that name wins. So you
>>     must bind it to a specific signature as well.
>>
>>     On 12/11/2014 09:35 AM, William Roberts wrote:
>>     > It appears to me that you can just specify a signer in Mac perms XML
>>     > and use a custom seinfo in seapp contexts.
>>     >
>>     > On Dec 10, 2014 10:56 PM, "Pankaj Kushwaha" wrote:
>>     >
>>     >     Hi,
>>     >
>>     >     I was running some of the third party apps in my custom domain, by
>>     >     adding below line in seapp_context-
>>     >     user=_app seinfo=default name=<package_name> domain=<custom_domain> type=<custom_file_type>
>>     >     and there were few other changes as well.
>>     >
>>     >     But in android L I am unable to do so because of below patches-
>>     >     https://android-review.googlesource.com/#/c/90142/
>>     >     https://android-review.googlesource.com/#/c/90143/
>>     >
>>     >     I just wanted to know that is there any other way to run my app in
>>     >     custom domain in android L ?
>>     >     If not, if I remove above two patches in what way will it affect my
>>     >     other functionality ?
>>     >
>>     >     Thanks
>>     >     Pankaj Kushwaha
>>     >
>>     >     _______________________________________________
>>     >     Seandroid-list mailing list
>>     >     [email protected]
>>     >     To unsubscribe, send email to [email protected].
>>     >     To get help, send an email containing "help" to
>>     >     [email protected].
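
A check for the rule discussed in this thread, as an added example that is not part of the original messages or of the SEAndroid tree: it flags seapp_contexts entries that select by name= with no specific seinfo, or with a seinfo that no signer stanza in mac_permissions.xml assigns to that package. The signer tag, seinfo value, package, domain and type names are hypothetical, and the signer/package/seinfo layout is assumed to follow the external/sepolicy mac_permissions.xml syntax.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; every name below is hypothetical.
MAC_PERMISSIONS = """<policy>
  <signer signature="@EXAMPLE_OEM">
    <package name="com.example.oemapp">
      <seinfo value="oemapp"/>
    </package>
  </signer>
</policy>"""

SEAPP_CONTEXTS = """\
# bound to a signer through seinfo=oemapp
user=_app seinfo=oemapp name=com.example.oemapp domain=oemapp_domain type=oemapp_data_file
# package name only: any apk can claim this name
user=_app seinfo=default name=com.example.other domain=other_domain type=other_data_file
user=_app seinfo=typo name=com.example.oemapp domain=oemapp_domain type=oemapp_data_file
"""

def signer_bindings(xml_text):
    """Return {(seinfo, package or None)} for every signer stanza."""
    bound = set()
    for signer in ET.fromstring(xml_text).iter("signer"):
        for s in signer.findall("seinfo"):        # applies to all apps of this signer
            bound.add((s.get("value"), None))
        for pkg in signer.findall("package"):     # applies to one package of this signer
            for s in pkg.findall("seinfo"):
                bound.add((s.get("value"), pkg.get("name")))
    return bound

def lint(seapp_text, xml_text):
    """Return (line_no, problem) for name= entries not tied to a signer."""
    bound = signer_bindings(xml_text)
    problems = []
    for no, line in enumerate(seapp_text.splitlines(), 1):
        line = line.split("#", 1)[0]              # drop comments
        kv = dict(tok.split("=", 1) for tok in line.split())
        name, seinfo = kv.get("name"), kv.get("seinfo")
        if name is None:
            continue
        if seinfo in (None, "default"):
            problems.append((no, "name= without a specific seinfo"))
        elif (seinfo, None) not in bound and (seinfo, name) not in bound:
            problems.append((no, "seinfo=%s not assigned to %s by any signer" % (seinfo, name)))
    return problems

if __name__ == "__main__":
    for no, msg in lint(SEAPP_CONTEXTS, MAC_PERMISSIONS):
        print("seapp_contexts:%d: %s" % (no, msg))
```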
