On Feb 24, 2016 09:19, "Joshua Brindle" <[email protected]> wrote:
>
> Alex Boyd wrote:
>>
>> Unlock iptables with SELinux policy
>> I am trying to customize Android so that it has a built in firewall. I
>> want to allow my Settings app to block different apps from using
>> mobile data and/or wifi.
>>
>
> You probably want to modify netd to handle the firewalling and send a
> message over its socket to tell it what to do. system_app isn't terribly
> privileged and netd already manages iptables rules.

Also, doesn't iptables need capabilities? Apps on Android have their
capability set cleared in the zygote.
>
>> My approach so far has been to add new selinux policy rules to allow
>> system level apps to interact with iptables. I have tried multiple
>> different policies, but here is what I currently have.
>>
>>
>> file_contexts
>>
>> /system/bin/iptables u:object_r:iptables_exec:s0
>>
>>
>> system_app.te
>>
>> type iptables_exec;
>>
>> allow system_app iptables_exec:file { rx_file_perms };
>>
>>
>> I didn't define a new "domain" for iptables and I wasn't sure if I
>> needed to declare the system_app domain again, or if this would just
>> be appended to that.
>>
>> Thanks in advance for any help. If anyone has any pointers on where to
>> look to get a better understanding of SELinux inside of android,
>> please let me know.
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to [email protected].
>
>
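
The capability question raised in the reply above can be checked on a device by decoding the CapEff mask in /proc/<pid>/status; the following is an added example, not code from the thread or from AOSP. It assumes the capabilities iptables needs are CAP_NET_ADMIN and CAP_NET_RAW, and the two status excerpts are constructed samples.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN_BIT 12
#define CAP_NET_RAW_BIT   13

/* Constructed /proc/<pid>/status excerpts (not captured from a device). */
static const char SAMPLE_APP[] =          /* app whose capability sets were cleared */
    "Name:\texample.app\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n";
static const char SAMPLE_DAEMON[] =       /* hypothetical root daemon, full set */
    "Name:\texampled\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";

/* Parse the hex mask on the "CapEff:" line of a status buffer.
 * Returns 0 on success, -1 if the field is missing or has no hex value. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if both capabilities are effective, 0 if not, -1 on parse error.
 * An SELinux allow rule does not help when this returns 0. */
int can_manage_netfilter(const char *status)
{
    uint64_t eff, need = (1ULL << CAP_NET_ADMIN_BIT) | (1ULL << CAP_NET_RAW_BIT);
    if (parse_cap_eff(status, &eff) != 0) return -1;
    return (eff & need) == need;
}

int main(void)
{
    printf("sample app: %d\n", can_manage_netfilter(SAMPLE_APP));
    printf("sample daemon: %d\n", can_manage_netfilter(SAMPLE_DAEMON));
    return 0;
}
```

To inspect a live process, feed the contents of its /proc/<pid>/status file to `can_manage_netfilter()` instead of the samples.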