> -----Original Message----- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Friday, February 10, 2017 9:26 AM > To: Roberts, William C <william.c.robe...@intel.com>; 'seandroid- > l...@tycho.nsa.gov' <seandroid-list@tycho.nsa.gov> > Subject: Re: Using non-native executables from native services > > On Fri, 2017-02-10 at 16:44 +0000, Roberts, William C wrote: > > Bump anyone have any feedback? > > > > From: Roberts, William C > > Sent: Wednesday, February 8, 2017 10:45 AM > > To: seandroid-list@tycho.nsa.gov > > Subject: Using non-native executables from native services > > > > If a native service wishes to execute a non-native tool, like AM, it > > would require being able to execute the dalvikcache_data_file for > > that. However, doing so hits my neverallow: > > > > # > > # Assert that, to the extent possible, we're not loading executable > > content from # outside the rootfs or /system partition except for a > > few whitelisted domains. > > # > > neverallow { > > domain > > -appdomain > > -dumpstate > > -shell > > userdebug_or_eng(`-su') > > -system_server > > -webview_zygote > > -zygote > > } { file_type -system_file -exec_type -postinstall_file }:file > > execute; neverallow { > > domain > > -appdomain # for oemfs > > -recovery # for /tmp/update_binary in tmpfs } { fs_type -rootfs > > }:file execute; > > > > Before, I would just typeattribute the service into appdomain, which > > obviously has some non-desirable consequences since it was not a full > > app. This new neverallow precludes that: > > > > # Only domains spawned from zygote and runas may have the appdomain > > attribute. > > neverallow { domain -runas -webview_zygote -zygote } { > > appdomain -shell userdebug_or_eng(`-su') -bluetooth }:process { > > transition dyntransition }; > > > > What’s the best answer for this? In my particular case they wish to > > send a broadcast from their native service, should they just use some > > native broadcast API? > > I agree that would be better. Maybe that's a question for android- platform > or > one of the other android groups as to what is the recommended way to perform > such things from native services.
That's not a bad suggestion, ill hit the platform group up. If I get any feedback Ill post a link to this thread for others to find. _______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
