On 04/03/2015 05:02 PM, Tai Nguyen (tainguye) wrote:
> Do we have any restriction on using app_data_file domain for system_app?
>
> We made the following change, but the data directory still shows
> system_app_data_file.
>
> - File mac_permissions.xml
>
> <signer signature="@PLATFORM" >
> <!-- CFG app -->
> <package name="cip.cfg">
> <seinfo value="cfg_app" />
> </package>
>
> - File seapp_contexts
> user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file
>
> This is for KitKat 4.4 code base. The app needs to be system_app for
> other interaction but its data does not need to be protected.

You need to specify whether you are using one of our branches (and if so, which one, e.g. seandroid-4.4.4) or vanilla AOSP (and if so, which release tag or branch, e.g. android-4.4.4_r2.0.1 or kitkat-mr2.2-release). Vanilla android-4.4.x_rN does not include the code changes necessary to automatically relabel the app's /data/data directory on upgrades but should label it correctly on first creation regardless, whereas our seandroid-4.4.x branches include a backport of the support that went into Android 5.0 Lollipop.

Are you seeing the problem on an upgrade with an already existing /data/data/cip.cfg directory or on first creation?

With regard to your configuration, you can either select on package name in mac_permissions.xml and map to a unique seinfo or you can select on package name in seapp_contexts; you shouldn't need to do both. For example, you ought to be able to achieve the desired effect in this case just via a change to seapp_contexts since the app is already platform signed and would get the platform seinfo; you can just add this line to seapp_contexts:

user=system seinfo=platform name=cip.cfg domain=system_app type=app_data_file

and not need to change mac_permissions.xml at all.
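
Added example, not part of the original thread and not libselinux code: a simplified Python model of seapp_contexts lookup showing how the two entries quoted above are selected ahead of a generic user=system entry. The stock entry, the function names and the reduction to the user/seinfo/name selectors are assumptions of this sketch.

```python
# Simplified model of seapp_contexts lookup (illustration only, not libselinux).
SELECTORS = ("user", "seinfo", "name")  # the only input selectors modelled here

# Constructed sample: an assumed generic entry for apps running as the system UID.
STOCK = "user=system domain=system_app type=system_app_data_file\n"
# Entry suggested in the reply (app keeps the platform seinfo).
REPLY_LINE = "user=system seinfo=platform name=cip.cfg domain=system_app type=app_data_file\n"
# Entry from the question (needs mac_permissions.xml to assign seinfo=cfg_app).
QUESTION_LINE = "user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file\n"


def parse(text):
    """Turn seapp_contexts text into a list of key/value dicts, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def specificity(entry):
    # Precedence: an entry that specifies user= is tried before one that does
    # not, then the same for seinfo=, then for name=.
    return tuple(key in entry for key in SELECTORS)


def resolve(entries, **app):
    """Return (domain, type) of the first matching entry, most specific first."""
    for entry in sorted(entries, key=specificity, reverse=True):
        if all(entry[k] == app.get(k) for k in SELECTORS if k in entry):
            return entry["domain"], entry["type"]
    return None


if __name__ == "__main__":
    platform_app = dict(user="system", seinfo="platform", name="cip.cfg")
    for label, policy in (("stock only", STOCK),
                          ("stock + reply line", STOCK + REPLY_LINE),
                          ("stock + question line", STOCK + QUESTION_LINE)):
        print(label, "->", resolve(parse(policy), **platform_app))
```

In this model an entry whose seinfo= value differs from the seinfo the app was actually assigned never matches, so lookup falls through to the generic entry.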
