I am wanting to route traffic in the Android app I am developing, though I am having trouble accessing the IP tables in the kernel. I am not sure if this is even supposed to be accessible to normal app developers, but I am trying.
According to Android's network-stack documentation, one is supposed to use /system/bin/ip-wrapper-1.0 to access the routing tables; for example, /system/bin/ip-wrapper-1.0 route add table 1001234 224.0.0.0/24 dev wlan0 adds a table and routes multicast traffic.
Problem: this gives me a permission denied error. According to the documentation above, I need to add the following domain transition rule to the SELinux policy: domain_auto_trans(VENDOR-DOMAIN-NAME, netutils_wrapper_exec, netutils_wrapper)
What policy do I need to add this to? Do I need to create my own policy? How do I connect this policy to my specific program?
I have scoured the internet looking for documentation on what policy to add this to or how to create my own vendor policy, but there's no clear documentation on this (or at least none that I understand...). I'd appreciate assistance on how to do this, or a firm answer on whether or not an app developer (not an Android developer) should be touching this.
I am not sure if SELinux on Android is the same as on Red Hat, but I suppose the concept should be the same.
You will need to create your own SELinux module. SELinux modules are "compiled" (macros expanded etc.) before being "installed" (loaded into memory).
An SELinux module is nothing more than a simple text file with a bunch of allow rules (or macros wrapping those rules). To compile a module you will probably need to find a tool that will do this for you, as the installation tools should exist on the system.
For example, on Red Hat there is a package called policycoreutils-devel that contains a Makefile specific to SELinux module compilation. You can call this makefile with your own definition of the module as input and this will give you a compiled module, a .pp file. Install this .pp file and you are good to go!
The thing you mentioned, domain_auto_trans, is a macro that will get expanded when you compile the module in which such a macro is placed. Probably you can look up the insides of such a macro.
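Added illustration, not part of the question or the answer above: the shape of an Android vendor sepolicy fragment that gives a native helper its own domain and grants it the transition rule quoted in the question. The domain name example_route_helper, the binary path and the file_contexts entry are assumed placeholders; this is a device-level policy change built into the platform image, not something an unprivileged app can install at runtime.

```text
# example_route_helper.te (assumed file name, in the device's vendor sepolicy directory)

# A new vendor domain for the helper process and a label for its executable.
# Both names are placeholders, not taken from the page.
type example_route_helper, domain;
type example_route_helper_exec, exec_type, vendor_file_type, file_type;

# Assumes init launches the helper as a service from an .rc file; this macro
# lets init start it and transition it into its own domain.
init_daemon_domain(example_route_helper)

# The rule cited in the question, with the vendor domain filled in:
# when example_route_helper executes a file labelled netutils_wrapper_exec
# (the label of /system/bin/ip-wrapper-1.0), the new process runs in the
# netutils_wrapper domain rather than inheriting example_route_helper.
domain_auto_trans(example_route_helper, netutils_wrapper_exec, netutils_wrapper)

# file_contexts (additional entry; the path is a placeholder)
# This is what ties the policy to a specific program: the binary at this path
# receives the example_route_helper_exec label, so executing it enters the domain.
/vendor/bin/example_route_helper   u:object_r:example_route_helper_exec:s0
```

Anything still denied shows up in the kernel log as an avc: denied line naming the source and target contexts, which is the fastest way to see whether the transition actually happened.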