Just to clarify, because I don't want to lose anything in translation and I'm 
rather new at this (I've been an application engineer for some time, but 
nothing this close to the kernel).

1. Just invoking iptables really isn't an option without su (which basically 
opens up everything).
2. A Linux system service would need to handle communication with iptables; one 
already exists (netd, but I am assuming this probably doesn't have the 
capability to block a specific uid's access to a specific interface).

To do this the right way, I would need to:
1. add the necessary capabilities inside of netd (poking around in the source 
right now, I only see a few commands that it supports: "list", "getcfg", 
"setcfg", "clearaddrs", "ipv6privacyextensions", "ipv6", "setmtu")
2. add an interface to those capabilities in the Android framework, most likely 
in NetworkManagementService.java and INetworkManagementService.aidl
3. inside of the system_app, use 
Context.getSystemService(Context.NETWORKMANAGEMENT_SERVICE) to interact with 
the newly added methods in NetworkManagementService?

I hope I am not totally missing the message.

Thanks again for all the help.
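[Editor's note: the following is an added illustration of the netd-side logic the three steps above describe, written for this page in Python standing in for netd's C++. It is not code from the thread, from netd or from AOSP. The chain name fw_uid_block, the REJECT target and the injectable `run` callable are assumptions; the AIDL/NetworkManagementService plumbing and the netd socket framing are out of scope and would sit in front of set_uid_rule().]

```python
"""Per-uid, per-interface egress blocking of the kind netd would have to
implement for the Settings-app firewall discussed above.

Added example; not code from netd, AOSP or anyone in this thread.
Assumptions: a dedicated chain FW_CHAIN hooked into OUTPUT, a REJECT target,
and an injectable `run` callable (argv -> (exit code, stdout)) so the logic
can be exercised without root or a real iptables binary.
"""
import re
import shlex
from typing import Callable, List, Optional, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]

FW_CHAIN = "fw_uid_block"                           # assumed chain name
AID_APP = 10000                                     # first Android app uid
AID_USER = 100000                                   # uid range per Android user
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")   # IFNAMSIZ (16) minus NUL


def validate(uid: int, iface: str) -> None:
    """Reject bad input before it reaches iptables.  netd is the privileged
    side of the socket, so it (not the calling app) must do this check."""
    if uid < 0 or uid % AID_USER < AID_APP:
        raise ValueError("refusing to firewall a non-app uid: %r" % (uid,))
    if not IFACE_RE.match(iface):
        raise ValueError("bad interface name: %r" % (iface,))


def rule_spec(uid: int, iface: str) -> List[str]:
    """Match/target part of the rule: packets leaving `iface` owned by `uid`.
    The owner match is why this cannot run in the app process: it needs
    CAP_NET_ADMIN, which zygote clears for every app."""
    return ["-o", iface, "-m", "owner", "--uid-owner", str(uid), "-j", "REJECT"]


def _opt(toks: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a token list, or None."""
    for i in range(len(toks) - 1):
        if toks[i] == flag:
            return toks[i + 1]
    return None


def rule_present(listing: str, uid: int, iface: str) -> bool:
    """Scan `iptables -S FW_CHAIN` output for a (uid, iface) rule.  Only -o and
    --uid-owner are compared: -S may print target options (e.g. --reject-with)
    that the rule was not added with."""
    for line in listing.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 2 and toks[0] == "-A" and toks[1] == FW_CHAIN:
            if _opt(toks, "-o") == iface and _opt(toks, "--uid-owner") == str(uid):
                return True
    return False


def set_uid_rule(uid: int, iface: str, block: bool, run: Runner) -> List[List[str]]:
    """Block (True) or unblock (False) uid on iface, idempotently.
    Returns the iptables commands that were actually executed."""
    validate(uid, iface)
    executed: List[List[str]] = []
    rc, listing = run(["iptables", "-S", FW_CHAIN])
    if rc != 0:  # chain does not exist yet: create it and jump to it from OUTPUT
        for argv in (["iptables", "-N", FW_CHAIN],
                     ["iptables", "-I", "OUTPUT", "-j", FW_CHAIN]):
            if run(argv)[0] != 0:
                raise RuntimeError("failed: %s" % " ".join(argv))
            executed.append(argv)
        listing = ""
    present = rule_present(listing, uid, iface)
    if block and not present:
        argv = ["iptables", "-A", FW_CHAIN] + rule_spec(uid, iface)
    elif not block and present:
        argv = ["iptables", "-D", FW_CHAIN] + rule_spec(uid, iface)
    else:
        return executed                                  # already in desired state
    if run(argv)[0] != 0:
        raise RuntimeError("failed: %s" % " ".join(argv))
    executed.append(argv)
    return executed


class FakeIptables:
    """In-memory stand-in for the iptables binary (constructed for this
    example), implementing only the -S/-N/-A/-I/-D forms used above."""
    def __init__(self) -> None:
        self.chains = {"OUTPUT": []}

    def __call__(self, argv: List[str]) -> Tuple[int, str]:
        op, chain, spec = argv[1], argv[2], argv[3:]
        if op == "-N" and chain not in self.chains:
            self.chains[chain] = []
            return 0, ""
        if chain not in self.chains:
            return 1, "iptables: No chain/target/match by that name.\n"
        if op == "-S":
            lines = ["-N " + chain] + ["-A %s %s" % (chain, " ".join(r)) for r in self.chains[chain]]
            return 0, "\n".join(lines) + "\n"
        if op in ("-A", "-I"):
            self.chains[chain].insert(0 if op == "-I" else len(self.chains[chain]), spec)
            return 0, ""
        if op == "-D" and spec in self.chains[chain]:
            self.chains[chain].remove(spec)
            return 0, ""
        return 1, "iptables: Bad rule (does a matching rule exist in that chain?).\n"


def demo() -> List[List[str]]:
    """Block uid 10123 on wifi and mobile data, then re-allow wifi only."""
    ipt = FakeIptables()
    log: List[List[str]] = []
    log += set_uid_rule(10123, "wlan0", True, ipt)    # creates chain, adds rule
    log += set_uid_rule(10123, "wlan0", True, ipt)    # no-op: already blocked
    log += set_uid_rule(10123, "rmnet0", True, ipt)   # second rule for mobile data
    log += set_uid_rule(10123, "wlan0", False, ipt)   # unblock wifi, keep mobile blocked
    return log


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

On a rooted test build you would pass a runner that actually execs the argv (subprocess.run with the process holding CAP_NET_ADMIN) instead of FakeIptables; the validate() step is the part that matters most once the caller is an app on the other end of netd's socket, since every argument it sends is attacker-influenced.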

From: William Roberts
Sent: Wednesday, February 24, 2016 12:28 PM
To: Joshua Brindle
Cc: [email protected]; Alex Boyd
Subject: Re: Enable System App to use IPTables


On Feb 24, 2016 09:19, "Joshua Brindle" <[email protected]> wrote:
>
> Alex Boyd wrote:
>>
>> Unlock iptables with SELinux policy
>> I am trying to customize Android so that it has a built in firewall. I
>> want to allow my Settings app to block different apps from using
>> mobile data and/or wifi.
>>
>
> You probably want to modify netd to handle the firewalling and send a message 
> over its socket to tell it what to do. system_app isn't terribly privileged 
> and netd already manages iptables rules.
Also, doesn't iptables need capabilities? Apps on Android have their capability 
set cleared in the zygote.
>
>> My approach so far has been to add new selinux policy rules to allow
>> system level apps to interact with iptables. I have tried multiple
>> different policies, but here is what I currently have.
>>
>>
>> file_contexts
>>
>>      /system/bin/iptables       u:object_r:iptables_exec:s0
>>
>>
>> system_app.te
>>
>>      type iptables_exec;
>>
>>      allow system_app iptables_exec:file { rx_file_perms };
>>
>>
>> I didn't define a new "domain" for iptables and I wasn't sure if I
>> needed to declare the system_app domain again, or if this would just
>> be appended to that.
>>
>> Thanks in advance for any help. If anyone has any pointers on where to
>> look to get a better understanding of SELinux inside of android,
>> please let me know.
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to 
>> [email protected].
