Iptables even with ‘su’ from a system_app won’t work.

1. Zygote spawned applications have 0 caps (you need net_admin IIRC)

2. Zygote spawned applications have NO_NEW_PRIVS set, which means setuid 
(and gaining caps) is pretty worthless (man prctl)

3. You would never get this far (hopefully) but selinux also bolsters 
these restrictions by not granting capabilities, etc.

A recent thread just explained this, if you’re looking for further details:
http://marc.info/?l=seandroid-list&m=145623380322624&w=2

As far as enabling netd to support your use-cases, I cannot say for sure, but 
it sounds plausible; it is a bit off topic for this mailing list, though.

Bill
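An added example, not part of this thread: a small C program that, run inside the process in question, reports the two Zygote-inherited restrictions listed above (an empty effective capability set, so the CAP_NET_ADMIN that iptables needs is absent, and the no_new_privs flag, which neutralises setuid and file-capability escalation). It assumes the Linux /proc/self/status layout and the PR_GET_NO_NEW_PRIVS prctl; the status text fed to the parser in the test is constructed.

```c
// Added example (not from the thread): inspect the calling process for the
// two restrictions Zygote-spawned Android apps inherit: an empty effective
// capability set and the no_new_privs flag. Assumes Linux /proc and prctl(2).
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/prctl.h>

#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39   /* Linux >= 3.5; value fixed by the kernel ABI */
#endif

#define CAP_NET_ADMIN 12         /* bit index from <linux/capability.h> */

/* Parse the "CapEff:" line out of a /proc/<pid>/status buffer.
   Returns the 64-bit effective capability mask, or UINT64_MAX if the
   line is missing. */
uint64_t parse_cap_eff(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return UINT64_MAX;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    return (uint64_t)strtoull(p, NULL, 16);   /* hex mask, e.g. 0000000000000000 */
}

/* 1 if capability bit `cap` is set in `mask`, else 0. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* 1 if no_new_privs is set for the caller, 0 if not, -1 if the kernel
   does not support the query. With it set, execve() of a setuid or
   file-capability binary grants nothing extra. */
int no_new_privs_set(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Read the live /proc/self/status; returns bytes read, 0 on failure. */
static size_t read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char status[8192];
    if (!read_self_status(status, sizeof status)) {
        perror("/proc/self/status");
        return 1;
    }
    uint64_t eff = parse_cap_eff(status);
    printf("CapEff            = %016llx\n", (unsigned long long)eff);
    printf("CAP_NET_ADMIN     = %s\n",
           has_cap(eff, CAP_NET_ADMIN) ? "present" : "absent (iptables will fail)");
    int nnp = no_new_privs_set();
    printf("no_new_privs      = %s\n",
           nnp < 0 ? "unknown" : nnp ? "set (setuid/caps cannot be regained)" : "clear");
    return 0;
}
```

Run it from the app context you are testing; both lines must come back "present"/"clear" before any `su`- or setuid-based approach could even start to work, which on an app UID is exactly what the Zygote setup prevents.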

From: Seandroid-list [mailto:[email protected]] On Behalf Of 
Alex Boyd
Sent: Wednesday, February 24, 2016 10:27 AM
To: William Roberts <[email protected]>; Joshua Brindle 
<[email protected]>
Cc: [email protected]
Subject: RE: Enable System App to use IPTables

Just to clarify because I don’t want to lose anything in translation and I’m 
rather new at this (I’ve been an application engineer for some time, but 
nothing this close to the kernel).

1. Just invoking iptables really isn’t an option without su (which basically 
opens up everything).
2. A Linux system service would need to handle communication with iptables; one 
already exists (netd, but I am assuming this probably doesn’t have the 
capability to block a specific uid access to a specific interface).

To do this the right way, I would need to :
1. add the necessary capabilities inside of netd (poking around in the source 
right now, I only see a few commands that it supports: "list", "getcfg", 
"setcfg", "clearaddrs", "ipv6privacyextensions", "ipv6", "setmtu")
2. add an interface to those capabilities in the android framework, most likely 
in the NetworkManagementService.java and the INetworkManagementService.aidl
3. inside of the system_app use 
Context.getSystemService(Context.NETWORKMANAGEMENT_SERVICE) to interact with 
the newly added methods in the NetworkManagementService?

I hope I am not totally missing the message.

Thanks again for all the help.

From: William Roberts <[email protected]>
Sent: Wednesday, February 24, 2016 12:28 PM
To: Joshua Brindle <[email protected]>
Cc: [email protected]; Alex Boyd <[email protected]>
Subject: Re: Enable System App to use IPTables


On Feb 24, 2016 09:19, "Joshua Brindle" <[email protected]> wrote:
>
> Alex Boyd wrote:
>>
>> Unlock iptables with SELinux policy
>> I am trying to customize Android so that it has a built in firewall. I
>> want to allow my Settings app to block different apps from using
>> mobile data and/or wifi.
>>
>
> You probably want to modify netd to handle the firewalling and send a message 
> over its socket to tell it what to do. system_app isn't terribly privileged 
> and netd already manages iptables rules.

Also, doesn't iptables need capabilities? Apps on Android have their capability 
set cleared in the zygote.

>
>> My approach so far has been to add new selinux policy rules to allow
>> system level apps to interact with iptables. I have tried multiple
>> different policies, but here is what I currently have.
>>
>>
>> file_contexts
>>
>>      /system/bin/iptables       u:object_r:iptables_exec:s0
>>
>>
>> system_app.te
>>
>>      type iptables_exec;
>>
>>      allow system_app iptables_exec:file { rx_file_perms };
>>
>>
>> I didn't define a new "domain" for iptables and I wasn't sure if I
>> needed to declare the system_app domain again, or if this would just
>> be appended to that.
>>
>> Thanks in advance for any help. If anyone has any pointers on where to
>> look to get a better understanding of SELinux inside of android,
>> please let me know.
>>

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
