On 04/06/2015 08:41 AM, Stephen Smalley wrote:
> On 04/03/2015 05:02 PM, Tai Nguyen (tainguye) wrote:
>> Do we have any restriction on using app_data_file domain for system_app?
>>
>> We made the following change, but the data directory still shows
>> system_app_data_file.
>>
>> - File mac_permissions.xml
>>
>> <signer signature="@PLATFORM" >
>> <!-- CFG app -->
>> <package name="cip.cfg">
>> <seinfo value="cfg_app" />
>> </package>
>>
>> - File seapp_contexts
>> user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file
>>
>> This is for KitKat 4.4 code base. The app needs to be system_app for
>> other interaction but its data does not need to be protected.
>
> You need to specify whether you are using one of our branches (and if
> so, which one, e.g. seandroid-4.4.4) or vanilla AOSP (and if so, which
> release tag or branch, e.g. android-4.4.4_r2.0.1 or
> kitkat-mr2.2-release). Vanilla android-4.4.x_rN does not include the
> code changes necessary to automatically relabel the app's /data/data
> directory on upgrades but should label it correctly on first creation
> regardless, whereas our seandroid-4.4.x branches include a backport of
> the support that went into Android 5.0 Lollipop. Are you seeing the
> problem on an upgrade with an already existing /data/data/cip.cfg
> directory or on first creation?
>
> With regard to your configuration, you can either select on package name
> in mac_permissions.xml and map to a unique seinfo or you can select on
> package name in seapp_contexts; you shouldn't need to do both. For
> example, you ought to be able to achieve the desired effect in this case
> just via a change to seapp_contexts since the app is already platform
> signed and would get the platform seinfo; you can just add this line to
> seapp_contexts:
> user=system seinfo=platform name=cip.cfg domain=system_app
> type=app_data_file
> and not need to change mac_permissions.xml at all.
Perhaps the first question though that ought to be asked is why wouldn't you want its data to be protected against direct open by untrusted apps?

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
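The two labeling paths discussed in the thread (a per-package seinfo in mac_permissions.xml matched by seinfo= in seapp_contexts, versus a single seapp_contexts line that selects on name= and reuses the platform seinfo) can be checked without a device by modeling the lookup that installd and libselinux perform. The following is an added example, not code from the thread or from AOSP: it implements the "most specific matching entry wins" rule of seapp_contexts for the isSystemServer, user, seinfo and name selectors only (no path=, levelFrom= or version handling), and the policy lines, the mac_permissions.xml stanzas expressed as dicts, and the uid table are a constructed subset chosen to illustrate this thread, not quoted from any release.

```python
"""Constructed model of Android app labeling: mac_permissions.xml maps
(signing cert, package) -> seinfo, then seapp_contexts maps
(user, seinfo, package name) -> domain and /data/data type.
Added example; mirrors the libselinux rule that entries are ordered from
most to least specific and the first match wins. Not AOSP code."""

AID_APP, AID_ISOLATED_START, AID_USER = 10000, 99000, 100000
# Constructed subset of the reserved Android uids (android_filesystem_config.h).
AID_NAMES = {1000: "system", 1001: "radio", 1002: "bluetooth", 1027: "nfc", 2000: "shell"}

INPUT_KEYS = ("isSystemServer", "user", "seinfo", "name")   # selectors, priority order
OUTPUT_KEYS = ("domain", "type", "levelFrom", "level")


def parse_seapp_contexts(text):
    """Parse seapp_contexts into (inputs, outputs) pairs, most specific first."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        inputs, outputs = {}, {}
        for tok in line.split():
            key, _, value = tok.partition("=")
            if key in INPUT_KEYS:
                inputs[key] = value
            elif key in OUTPUT_KEYS:
                outputs[key] = value
            else:
                raise ValueError(f"unknown keyword {key!r} in: {line}")
        entries.append((inputs, outputs))
    # An entry that sets a higher-priority selector sorts before one that does not.
    entries.sort(key=lambda e: tuple(k in e[0] for k in INPUT_KEYS), reverse=True)
    return entries


def user_class(uid):
    """Map a uid to the value the user= selector is compared against."""
    appid = uid % AID_USER            # strip the multi-user offset
    if appid >= AID_ISOLATED_START:
        return "_isolated"
    if appid >= AID_APP:
        return "_app"
    return AID_NAMES.get(appid)


def lookup(entries, uid, seinfo, pkg, is_system_server=False):
    """Return the outputs of the first matching entry (None if nothing matches)."""
    user = user_class(uid)
    for inputs, outputs in entries:
        if inputs.get("isSystemServer", "false") != str(is_system_server).lower():
            continue
        if "user" in inputs and inputs["user"] != user:
            continue
        if "seinfo" in inputs and inputs["seinfo"] != seinfo:
            continue
        name = inputs.get("name")
        if name and not (pkg == name or (name.endswith("*") and pkg.startswith(name[:-1]))):
            continue
        return outputs
    return None


def seinfo_for(mac_perms, signer, pkg):
    """mac_permissions.xml as a dict: signer -> {'seinfo': default, 'packages': {pkg: seinfo}}.
    The 'default' key stands in for the <default> stanza used for unknown signers."""
    stanza = mac_perms.get(signer, mac_perms["default"])
    return stanza.get("packages", {}).get(pkg, stanza["seinfo"])


def app_labels(seapp_text, mac_perms, uid, signer, pkg):
    """(domain, data-directory type) the app would get, or None."""
    out = lookup(parse_seapp_contexts(seapp_text), uid, seinfo_for(mac_perms, signer, pkg), pkg)
    return None if out is None else (out.get("domain"), out.get("type"))


# Constructed base policy (shape of the KitKat-era file, not a verbatim copy).
BASE = """\
isSystemServer=true domain=system_server
user=system domain=system_app type=system_app_data_file
user=shell domain=shell type=shell_data_file
user=_isolated domain=isolated_app
user=_app seinfo=platform domain=platform_app type=app_data_file
user=_app domain=untrusted_app type=app_data_file
"""
MAC_PERMS_PLATFORM = {"@PLATFORM": {"seinfo": "platform"}, "default": {"seinfo": "default"}}

# Path A (Stephen's suggestion): one seapp_contexts line, mac_permissions.xml untouched.
SEAPP_BY_NAME = BASE + "user=system seinfo=platform name=cip.cfg domain=system_app type=app_data_file\n"

# Path B (Tai's configuration): unique seinfo from mac_permissions.xml, matched by seinfo=.
MAC_PERMS_CFG = {"@PLATFORM": {"seinfo": "platform", "packages": {"cip.cfg": "cfg_app"}},
                 "default": {"seinfo": "default"}}
SEAPP_BY_SEINFO = BASE + "user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file\n"

if __name__ == "__main__":
    for label, ctx, mp in (("path A", SEAPP_BY_NAME, MAC_PERMS_PLATFORM),
                           ("path B", SEAPP_BY_SEINFO, MAC_PERMS_CFG),
                           ("path B, seinfo mapping missing", SEAPP_BY_SEINFO, MAC_PERMS_PLATFORM)):
        print(label, "cip.cfg ->", app_labels(ctx, mp, 1000, "@PLATFORM", "cip.cfg"),
              "| settings ->", app_labels(ctx, mp, 1000, "@PLATFORM", "com.android.settings"))
```

The third case in the usage block is the failure mode worth keeping in mind when selecting on seinfo: if the mac_permissions.xml stanza is dropped or never takes effect (for example, the package is not actually signed with the cert the stanza names), the app keeps the platform seinfo, the seinfo=cfg_app line never matches, and the directory silently falls back to system_app_data_file, which is the symptom reported in the thread. Selecting on name= alone has no such second dependency. Note that this model only predicts the label chosen at creation; it says nothing about relabeling an already existing /data/data directory on upgrade, which is the vanilla-4.4 limitation Stephen describes.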
