On Oct 18, 2016 10:50, "Sava Mikalački" <mikalac...@gmail.com> wrote:
> I'm not sure how to answer the ownership question. I'm trying to allow my
application to write files in data/system/ifw
So this already exists, is this location for intent firewall policies?
which would be picked up by the IntentFilter and then block certain
application components from executing.
So you want a platform app that can dynamically add/modify a policy file
I have existing code that does that and it worked on Marshmallow but its
not working on Nougat because of that permission denied exception when
creating a file in data/system/ifw folder. Does that help out in your
> 2016-10-18 16:47 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov>:
>> On 10/18/2016 10:41 AM, Sava Mikalački wrote:
>> > Thanks everyone for your quick answers. Yes, compilation worked once I
>> > defined the type in file.te. I will try this out and also will try with
>> > system_app, probably thats simpler as you said. Whats confusing me is
>> > that I get Permission denied exception when I try to create a file in
>> > that directory with a system app but there is no selinux avc denial
>> > before the exception, it just fires the exception and thats it, so I'm
>> > afraid if changing the sepolicy would even work.
>> What's the ownership and mode of the directory?
>> > 2016-10-18 16:35 GMT+02:00 Stephen Smalley <s...@tycho.nsa.gov
>> > <mailto:s...@tycho.nsa.gov>>:
>> > On 10/18/2016 10:23 AM, William Roberts wrote:
>> > > On Oct 18, 2016 9:34 AM, "Sava Mikalački" <mikalac...@gmail.com
>> > > <mailto:mikalac...@gmail.com <mailto:mikalac...@gmail.com>>>
>> > >>
>> > >> I'm trying to extend aosp file_contexts by adding a new entry
>> > > /data/system/ifw. I've created a file_contexts under my vendor
>> > > structure but if I try to use the new label, build crashes with
>> > > type. I'm
>> > >
>> > > You need to declare the type with the type keyword:
>> > >
>> > > type system_data_ifw, file_type;
>> > >
>> > > trying to enable a platform_app to write to data/system/ifw and
>> > > what I have so far:
>> > >> file_contexts:
>> > >> /data/system/ifw(/.*)?
>> > >> platform_app.te:
>> > >> allow platform_app system_data_ifw:file create_file_perms;
>> > >
>> > > Platform applications shouldn't be creating stuff around the
>> > > they should stick to their sandbox. I cant recall offhand, but a
>> > > allow I wrote might assert itself on that allow rule.
>> > Probably not since it is a new type he just defined. However, it
>> > to me that DAC will be a problem for this use case, since platform
>> > can be assigned arbitrary UIDs and thus won't be able to pass the
>> > checks on writing to /data/system/ifw unless you set up a group,
>> > permission to that group, assign that group to /data/system/ifw,
>> > make it group-writable. Simpler if you use a system_app or some
>> > fixed UID app instead, although that carries its own set of issues.
>> > --
>> > I have only two questions: How much and give it to me.
> I have only two questions: How much and give it to me.
Seandroid-list mailing list
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to