On 02/24/2016 11:24 AM, Alex Boyd wrote:
Unlock iptables with SELinux policy
I am trying to customize Android so that it has a built in firewall. I
want to allow my Settings app to block different apps from using
mobile data and/or wifi.
My approach so far has been to add new SELinux policy rules to allow
system level apps to interact with iptables. I have tried multiple
different policies, but here is what I currently have.
file_contexts
/system/bin/iptables u:object_r:iptables_exec:s0
system_app.te
type iptables_exec;
allow system_app iptables_exec:file { rx_file_perms };
I didn't define a new "domain" for iptables and I wasn't sure if I
needed to declare the system_app domain again, or if this would just
be appended to that.
Thanks in advance for any help. If anyone has any pointers on where to
look to get a better understanding of SELinux inside of android,
please let me know.
I don't believe this is possible from an app (except possibly on a
rooted device). You need to do it from a system service with the
necessary Linux capability (CAP_NET_ADMIN) in addition to the necessary
SELinux permissions (netd being a good example). Your app would fail
due to lack of CAP_NET_ADMIN even before hitting the SELinux check.
Some resources on Android SELinux include:
https://source.android.com/security/selinux/index.html
http://seandroid.bitbucket.org/PapersandPresentations.html (particularly
http://events.linuxfoundation.org/sites/events/files/slides/abs2014_seforandroid_smalley.pdf)
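As an added illustration (not part of this thread), the following C program checks from inside a process the two gates the reply describes: whether CAP_NET_ADMIN is in its effective capability set, and which SELinux context it runs in. It assumes a Linux kernel with /proc mounted and uses the raw capget(2) syscall so it builds without libcap.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Pure helper: is bit `cap` set in a 64-bit capability mask? */
int cap_in_mask(unsigned long long mask, int cap)
{
    return (cap < 0 || cap > 63) ? 0 : (int)((mask >> cap) & 1ULL);
}

/* 1 if `cap` is in this process's effective set, 0 if not, -1 if capget(2) failed.
 * Uses the raw syscall so it builds without libcap. */
int effective_has_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    unsigned long long eff = ((unsigned long long)data[1].effective << 32) | data[0].effective;
    return cap_in_mask(eff, cap);
}

/* Read the caller's SELinux context, e.g. "u:r:system_app:s0" on Android. */
ssize_t read_selinux_context(char *buf, size_t len)
{
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char ctx[256] = "unknown (SELinux not available?)";
    read_selinux_context(ctx, sizeof ctx);
    printf("SELinux context: %s\n", ctx);
    /* Gate 1 is the capability; only a process that passes it reaches the SELinux check. */
    printf("CAP_NET_ADMIN: %s\n", effective_has_cap(CAP_NET_ADMIN) == 1
           ? "effective" : "missing: iptables/netlink fails with EPERM before SELinux");
    return 0;
}
```

Run it as an unprivileged user and then under a capability-granting wrapper to see the first gate flip; the SELinux domain shown is what the `capability net_admin` and socket rules would have to be written for.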
Seandroid-list mailing list