On Fri, 2012-07-27 at 12:33 -0700, Haiqing Jiang wrote:
> Exactly. I was thinking of adding the policy into if (app_ndk). But
> later on I wondered whether it could be generic for platformappdomain.
> So, what is your opinion? Add the permissions to if (app_ndk) or to
> platformappdomain rules? Thanks.

The latter. Although this suggests to me that we ought to explore using
different types on the lib directory for platform apps vs. third party
apps, possibly based on seinfo=, so that we can allow platform apps to
execute platform shared objects while blocking execution of any .so
files shipped by a third party app as a safety measure.

> On Fri, Jul 27, 2012 at 11:52 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Fri, 2012-07-27 at 11:46 -0700, Haiqing Jiang wrote:
> > This is the denial information. What is your opinion? Thanks.
> >
> > 5>[ 2978.206604] type=1400 audit(1342634359.195:1155): avc: denied { open } for pid=10393 comm="android.cts.jni" name="libjnitest.so" dev=mmcblk0p12 ino=578521 scontext=u:r:release_app:s0:c41 tcontext=u:object_r:system_data_file:s0 tclass=file
> > <5>[12124.019561] type=1400 audit(1342643505.007:1919): avc: denied { open } for pid=24055 comm="ationTestRunner" name="libctspermission_jni.so" dev=mmcblk0p12 ino=578541 scontext=u:r:release_app:s0:c41 tcontext=u:object_r:system_data_file:s0 tclass=file
>
> It is trying to execute a shared object from the lib directory. So it
> is the same as app_ndk, except for platformappdomain rather than
> untrusted_app.
>
> > On Fri, Jul 27, 2012 at 11:37 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On Fri, 2012-07-27 at 11:34 -0700, Haiqing Jiang wrote:
> > > --- > > > app.te | 2 ++ > > > 1 files changed, 2 insertions(+), 0 deletions(-) > > > > > > diff --git a/app.te b/app.te > > > index 85de816..dca2e0c 100644 > > > --- a/app.te > > > +++ b/app.te 
> > > @@ -83,6 +83,8 @@ allow platformappdomain > > platform_app_data_file:notdevfile_class_set > create_file_ > > > # App sdcard file accesses > > > allow platformappdomain sdcard:dir > create_dir_perms; > > > allow platformappdomain sdcard:file > create_file_perms; > > > +# System data file accesses XXX???? > > > +allow platformappdomain system_data_file:file > open; > > > > > > # > > > # Untrusted apps.
> >
> > Need to know more about the denial to diagnose.
> > Also, enabling syscall audit may help with getting full pathnames,
> > although you likely need the ARM audit patches for that.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> > --
> > -----------------------------------
> > Haiqing Jiang, PH.D student
> > Computer Science Department, North Carolina State University
>
> --
> Stephen Smalley
> National Security Agency
>
> --
> -----------------------------------
> Haiqing Jiang, PH.D student
> Computer Science Department, North Carolina State University

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
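
Review bot: The comment on the first added line of the app.te hunk, "# System data file accesses XXX????", is a placeholder that does not say why platformappdomain needs this access; replace it with the reason, which per the denials quoted in this thread is opening JNI shared objects such as libjnitest.so from the lib directory. The rule on the second added line, "allow platformappdomain system_data_file:file open;", applies to every file labelled system_data_file rather than only those libraries, so consider a dedicated type for the lib directory so the grant can be scoped to it. It also grants only open, the one permission the quoted denials show, so check whether further denials follow once open is allowed.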