On Oct 18, 2016 10:33 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> On 10/18/2016 10:23 AM, William Roberts wrote:
> > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com> wrote:
> >>
> >> I'm trying to extend aosp file_contexts by adding a new entry for
> >> /data/system/ifw. I've created a file_contexts under my vendor directory
> >> structure but if I try to use the new label, build crashes with unknown
> >> type. I'm
> >
> > You need to declare the type with the type keyword:
> >
> > type system_data_ifw, file_type;
> >
> >> trying to enable a platform_app to write to data/system/ifw and here is
> >> what I have so far:
> >> file_contexts:
> >> /data/system/ifw(/.*)?
> >> platform_app.te:
> >> allow platform_app system_data_ifw:file create_file_perms;
> >
> > Platform applications shouldn't be creating stuff around the system,
> > they should stick to their sandbox. I can't recall offhand, but a never
> > allow I wrote might assert itself on that allow rule.
> Probably not since it is a new type he just defined.

One could say don't allow platform apps to create things outside of their
sandbox type. I looked at my rule, it was only for untrusted app though.

> However, it occurs
> to me that DAC will be a problem for this use case, since platform apps
> can be assigned arbitrary UIDs and thus won't be able to pass the DAC
> checks on writing to /data/system/ifw unless you set up a group, map a
> permission to that group, assign that group to /data/system/ifw, and
> make it group-writable.  Simpler if you use a system_app or some other
> fixed UID app instead, although that carries its own set of issues.

Yeah, but we all know that chown 777 is the way to fix that ;-p. Don't do
that, platform apps are not designed to be creating resources outside of the
application sandbox. If you need to create and share data, you can use a
host of mechanisms available on Android. Unix sockets and binder are
readily available. This way your platform app can selectively share its
isolated data sandbox directory contents via passed fd as an example.
Seandroid-list mailing list
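
The descriptor passing suggested at the end of the message above, as an added example that is not part of the original thread: the owner of a private directory opens one file read-only and hands the open descriptor to a peer over a Unix socket, so the directory's mode is never loosened. A Python socketpair stands in for the two Android processes; `send_fd`, `recv_fd`, `demo` and the file `rules.xml` are constructed for illustration.

```python
import array, os, socket, tempfile

def send_fd(sock, fd):
    """Owner side: pass one open descriptor as SCM_RIGHTS ancillary data."""
    anc = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]).tobytes())]
    sock.sendmsg([b"fd"], anc)  # at least one byte of ordinary data must accompany it

def recv_fd(sock):
    """Peer side: receive exactly one descriptor; it never learns or opens a path."""
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(16, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[: len(data) - len(data) % fds.itemsize])
    if len(fds) != 1:
        raise RuntimeError("expected exactly one passed descriptor")
    return fds[0]

def demo():
    """Share one file from a private 0700 directory, read-only, over a socketpair."""
    with tempfile.TemporaryDirectory() as sandbox:   # stands in for the app's data dir
        os.chmod(sandbox, 0o700)                     # DAC: owner only, never loosened
        path = os.path.join(sandbox, "rules.xml")    # constructed sample file
        with open(path, "w") as f:
            f.write("<rules/>")
        owner, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        with owner, peer:
            fd = os.open(path, os.O_RDONLY)          # owner decides the access mode
            try:
                send_fd(owner, fd)
            finally:
                os.close(fd)                         # the in-flight copy stays valid
            rfd = recv_fd(peer)
        try:
            content = os.read(rfd, 64)
            try:
                os.write(rfd, b"x")                  # fails: descriptor is read-only
                writable = True
            except OSError:
                writable = False
        finally:
            os.close(rfd)
    return content, writable

if __name__ == "__main__":
    print(demo())
```

This shows only the DAC side; on Android the receiving domain still needs SELinux permission to use the passed descriptor and to read a file of that type.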