On Fri, Jan 22, 2016 at 2:03 AM, 李孟樵 <[email protected]> wrote:

> Hi,
> ROM: I build aosp-6.0.1-r7 aosp_flo-userdebug
> Devices: Nexus 7 II
> Goal: I want my application to execute the command "load_policy" in
> this ROM.
>
> I have tried these steps as follows:
> step 1. create an application
> 1-1 the main code is as follows
> >>Process process = Runtime.getRuntime().exec("su");
>

This does not type transition your supposed system_app to the su domain.
There is no domain transition set up for it in base policy. See
external/sepolicy/su.te.


> >>DataOutputStream os = new DataOutputStream(process.getOutputStream());
> >>os.writeBytes("load_policy /data/local/tmp/sepolicy.dontaudit\n");
> >>os.writeBytes("exit\n");
> >>os.flush();
> 1-2 Androidmanifest.xml
> add this
> android:sharedUserId="android.uid.system"
>
> step 2.App into AOSP
> /package/apps
> UserId: system
> context: system_app
>
> step 3.modify source code
> 3-1policy
> system_app.te: add "allow system_app su_exec:file rx_file_perms;"
> domain.te    : line 399 modify "neverallow { domain
> userdebug_or_eng(`-dumpstate -shell -su -system_app') } su_exec:file
> no_x_file_perms;"
> 3-2/system/core/libcutils/fs_config modify
> { 06755, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
>
> app's execution result shows there is no error(nothing) in logcat, but
> didn't load new policy.
>
> Why would this NOT work?
> How can I achieve that?
>

I don't support doing this for many reasons, but if you wanted to do it,
and have control from a system_app you could:

1. in the init.rc do: chown /sys/fs/selinux/load to system system
2. Just write the policy from the java application using standard java file
io apis.

This old init.rc would help you get started:
https://bitbucket.org/seandroid/system-core/src/a4a432bebbb2092a23799056860e236f3de3e61d/rootdir/init.rc?at=seandroid-4.2&fileviewer=file-view-default

Bear in mind that this will cause CTS failures, so if that's not a concern,
continue on your own accord.




>
> Lee
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
>



-- 
Respectfully,

William C Roberts
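
The init.rc ownership change suggested in the reply is also what a reviewer of a device tree would want to catch, so here is an added example (not part of the original message or of AOSP) that audits init.rc text for `chown`/`chmod` commands loosening access to `/sys/fs/selinux/load`. The function name, the extra `enforce` node, the legacy `/selinux` mount point and the sample input are assumptions made for this example.

```python
import re

# selinuxfs control nodes whose DAC ownership should stay root-only.
# /sys/fs/selinux/load is the node named in the reply; "enforce" and the
# legacy /selinux mount point are assumptions added for this example.
SENSITIVE = re.compile(r"^(/sys/fs/selinux|/selinux)/(load|enforce)$")


def audit_init_rc(text):
    """Return (line_no, command, reason) for each init.rc command that
    loosens DAC permissions on a sensitive selinuxfs node."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        # init accepts "chown <owner> <group> <path>" and "chown <owner> <path>"
        if cmd == "chown" and len(args) in (2, 3) and SENSITIVE.match(args[-1]):
            if args[0] != "root":
                findings.append((line_no, raw.strip(),
                                 f"{args[-1]} owned by {args[0]}"))
        elif cmd == "chmod" and len(args) == 2 and SENSITIVE.match(args[1]):
            try:
                bits = int(args[0], 8)
            except ValueError:
                continue  # not an octal mode, nothing to evaluate
            if bits & 0o022:  # group or other write bit set
                findings.append((line_no, raw.strip(),
                                 f"{args[1]} writable by group/other ({args[0]})"))
    return findings


# Constructed sample, not taken from any real device image.
SAMPLE_INIT_RC = """\
on early-init
    # chown system system /sys/fs/selinux/load  (commented out, ignored)
    chown root root /sys/fs/selinux/enforce
on boot
    chown system system /sys/fs/selinux/load
    chmod 0664 /sys/fs/selinux/load
    chown system system /data/misc/example
"""

if __name__ == "__main__":
    for line_no, command, reason in audit_init_rc(SAMPLE_INIT_RC):
        print(f"line {line_no}: {command} -> {reason}")
```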