Re: [PATCH 1/1] allocate perms to platformappdomain over system_data_file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Exactly. I was thinking of adding the policy into if (app_ndk). But later on I wondered whether it could be generic for platformappdomain. So, what is your opinion? Add the permissions to if (app_ndk) or to platformappdomain rules? Thanks. 

On Fri, Jul 27, 2012 at 11:52 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2012-07-27 at 11:46 -0700, Haiqing Jiang wrote:
> This is the denial information. What is your opinion? Thanks.
>
>
> 5>[ 2978.206604] type=1400 audit(1342634359.195:1155): avc:  denied
>  { open } for  pid=10393 comm="android.cts.jni" name="libjnitest.so"
> dev=mmcblk0p12 ino=578521 scontext=u:r:release_app:s0:c41
> tcontext=u:object_r:system_data_file:s0 tclass=file
> <5>[12124.019561] type=1400 audit(1342643505.007:1919): avc:  denied
> { open } for  pid=24055 comm="ationTestRunner"
> name="libctspermission_jni.so" dev=mmcblk0p12 ino=578541
> scontext=u:r:release_app:s0:c41
> tcontext=u:object_r:system_data_file:s0 tclass=file

It is trying to execute a shared object from the lib directory.  So it
is the same as app_ndk, except for platformappdomain rather than
untrusted_app.

>
>
> On Fri, Jul 27, 2012 at 11:37 AM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
>         On Fri, 2012-07-27 at 11:34 -0700, Haiqing Jiang wrote:
>         > ---
>         >  app.te |    2 ++
>         >  1 files changed, 2 insertions(+), 0 deletions(-)
>         >
>         > diff --git a/app.te b/app.te
>         > index 85de816..dca2e0c 100644
>         > --- a/app.te
>         > +++ b/app.te
>         > @@ -83,6 +83,8 @@ allow platformappdomain
>         platform_app_data_file:notdevfile_class_set create_file_
>         >  # App sdcard file accesses
>         >  allow platformappdomain sdcard:dir create_dir_perms;
>         >  allow platformappdomain sdcard:file create_file_perms;
>         > +# System data file accesses XXX????
>         > +allow platformappdomain system_data_file:file open;
>         >
>         >  #
>         >  # Untrusted apps.
>
>
>         Need to know more about the denial to diagnose.
>         Also, enabling syscall audit may help with getting full
>         pathnames,
>         although you likely need the ARM audit patches for that.
>
>         --
>         Stephen Smalley
>         National Security Agency
>
>
>
>
>
> --
> -----------------------------------
> Haiqing Jiang, PH.D student
>
>
> Computer Science Department, North Carolina State University
>
>
>
>

--
Stephen Smalley
National Security Agency




--
-----------------------------------
Haiqing Jiang, PH.D student

Computer Science Department, North Carolina State University


[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux