On Tue, 2012-07-10 at 12:27 -0400, Stephen Smalley wrote:
> On Tue, 2012-07-10 at 16:17 +0000, Palarz Thomas-DCJ738 wrote:
> > I've been working with trying SEAndroid on a Qualcomm dev board that
> > uses the genlock driver as part of its integration with
> > SurfaceFlinger and have seen some denials that I'm having a hard time
> > tracking down what is going on.
> >
> > The anon_inode is showing as unlabeled. Do I need to add some sort of
> > transition rule?
> >
> > Initially, the anon_inodefs was showing as not supporting XATTRs in
> > the SELinux init output, but I've gotten past that and added a
> > genfscon (I used inotify as an example).
> >
> <snip>
> > I added the following policy statements to at least allow me to move
> > forward for the time being, but still get the denials.
> >
> > allow trusted_app genlock_device:chr_file write;
> > allow trusted_app unlabeled:file write;
> >
> > I've verified that the above lines do make it into the policy.conf in
> > the sepolicy_intermediates build output.
> >
> > I made the SEAndroid changes to the Qualcomm based on seandroid-4.0.3
> > and have double-checked the work. The kernel defconfig was rather
> > different and I did have to add EXT4_FS_SECURITY=y.
> >
> > Any help?
>
> In modern kernel versions, linux/fs/anon_inodes.c:anon_inode_mkinode()
> sets the S_PRIVATE flag in inode->i_flags, thereby disabling all
> permission checking on it as there can be only one. So I'm guessing you
> are using an old kernel? Your TE allow rules don't work because the
> denial is occurring due to the MLS constraints - you are violating the
> no-write-down restriction when a process with a category set tries to
> write to a file with none.

Ah, actually, that's a bug in our binder security hooks. Patch attached
for seandroid-omap-panda-3.0.

--
Stephen Smalley
National Security Agency
>From ad2b2de6fcbd35a61e0a04c9da6c861abcf4ffcf Mon Sep 17 00:00:00 2001 From: Stephen Smalley <sds@xxxxxxxxxxxxx> Date: Tue, 10 Jul 2012 12:44:32 -0400 Subject: [PATCH] Do not apply permission checks to private files. --- security/selinux/hooks.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b695066..befe091 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1864,6 +1864,9 @@ static int selinux_binder_transfer_file(struct task_struct *from, struct task_st return rc; } + if (unlikely(IS_PRIVATE(inode))) + return 0; + return avc_has_perm(sid, isec->sid, isec->sclass, file_to_av(file), &ad); } -- 1.7.10.4
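Review bot: the new `if (unlikely(IS_PRIVATE(inode))) return 0;` in selinux_binder_transfer_file() reads `inode`, but its declaration is outside the three context lines shown; confirm it is already initialised from the same `file` that `file_to_av(file)` uses, since the hunk as posted will not build otherwise. The early return is placed after the preceding block that can `return rc;`, so that earlier check still applies to S_PRIVATE inodes; if the intent, as the mail above says, is to skip all permission checking on such inodes (the way anon_inodes relies on S_PRIVATE elsewhere), either move the check above that block or state in the commit message that only the final avc_has_perm() on the file's own SID is meant to be bypassed. The commit message itself, "Do not apply permission checks to private files.", should also carry the motivation from the thread (anon_inode fds arriving via binder showing up as unlabeled and tripping the MLS no-write-down constraint), so the reason for the bypass survives in the history.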