On Fri, Jul 27, 2012 at 12:35 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
On Fri, 2012-07-27 at 12:33 -0700, Haiqing Jiang wrote:
> Exactly. I was thinking of adding the policy into if (app_ndk). But
> later on I wondered whether it could be generic for platformappdomain.
> So, what is your opinion? Add the permissions to if (app_ndk) or to
> platformappdomain rules? Thanks.

The latter. Although this suggests to me that we ought to explore using
different types on the lib directory for platform apps vs. third party
apps, possibly based on seinfo=, so that we can allow platform apps to
execute platform shared objects while blocking execution of any .so
files shipped by a third party app as a safety measure.
>
> On Fri, Jul 27, 2012 at 11:52 AM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
> On Fri, 2012-07-27 at 11:46 -0700, Haiqing Jiang wrote:
> > This is the denial information. What is your opinion?
> Thanks.
> >
> >
> > 5>[ 2978.206604] type=1400 audit(1342634359.195:1155): avc:
> denied
> > { open } for pid=10393 comm="android.cts.jni"
> name="libjnitest.so"
> > dev=mmcblk0p12 ino=578521 scontext=u:r:release_app:s0:c41
> > tcontext=u:object_r:system_data_file:s0 tclass=file
> > <5>[12124.019561] type=1400 audit(1342643505.007:1919):
> avc: denied
> > { open } for pid=24055 comm="ationTestRunner"
> > name="libctspermission_jni.so" dev=mmcblk0p12 ino=578541
> > scontext=u:r:release_app:s0:c41
> > tcontext=u:object_r:system_data_file:s0 tclass=file
>
>
> It is trying to execute a shared object from the lib
> directory. So it
> is the same as app_ndk, except for platformappdomain rather
> than
> untrusted_app.
>
> >
> >
> > On Fri, Jul 27, 2012 at 11:37 AM, Stephen Smalley
> <sds@xxxxxxxxxxxxx>
> > wrote:
> > On Fri, 2012-07-27 at 11:34 -0700, Haiqing Jiang
> wrote:
> > > ---
> > > app.te | 2 ++
> > > 1 files changed, 2 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/app.te b/app.te
> > > index 85de816..dca2e0c 100644
> > > --- a/app.te
> > > +++ b/app.te
> > > @@ -83,6 +83,8 @@ allow platformappdomain
> > platform_app_data_file:notdevfile_class_set
> create_file_
> > > # App sdcard file accesses
> > > allow platformappdomain sdcard:dir
> create_dir_perms;
> > > allow platformappdomain sdcard:file
> create_file_perms;
> > > +# System data file accesses XXX????
> > > +allow platformappdomain system_data_file:file
> open;
> > >
> > > #
> > > # Untrusted apps.
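Review bot: the comment on the added rule, "System data file accesses XXX????", does not say which access the rule is meant to permit, so a later reader of app.te cannot tell why platformappdomain needs `system_data_file:file open`. Replace the placeholder with the denial being addressed (source domain, file name, permission). The rule is also granted to the whole platformappdomain attribute for every file of type system_data_file; if the need comes from one kind of file, a narrower source or target type keeps the grant limited to that case. Note too that only `open` is added, so state in the comment or commit message whether the remaining permissions for that access already exist elsewhere in the policy.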
> >
> >
> > Need to know more about the denial to diagnose.
> > Also, enabling syscall audit may help with getting
> full
> > pathnames,
> > although you likely need the ARM audit patches for
> that.
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >
> >
> >
> >
> > --
> > -----------------------------------
> > Haiqing Jiang, PH.D student
> >
> >
> > Computer Science Department, North Carolina State University
> >
> >
> >
> >
>
> --
> Stephen Smalley
> National Security Agency
>
>
>
>
>
>
> --
> -----------------------------------
> Haiqing Jiang, PH.D student
>
>
> Computer Science Department, North Carolina State University
>
>
>
--
Stephen Smalley
National Security Agency
-----------------------------------
Haiqing Jiang, PH.D student
Computer Science Department, North Carolina State University
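
The denial triage discussed in this thread, as an added example that is not part of the original messages or of the SE Android project: it parses `avc: denied` records, extracts the source and target types, and prints one candidate rule per (source, target, class) group together with the file names that triggered it, so the scope of a proposed `allow` can be reviewed before it goes into app.te. The sample input is the two denials from the thread, rejoined onto single lines; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's two denials, unwrapped to one line each.
SAMPLE_LOG = """\
<5>[ 2978.206604] type=1400 audit(1342634359.195:1155): avc: denied { open } for pid=10393 comm="android.cts.jni" name="libjnitest.so" dev=mmcblk0p12 ino=578521 scontext=u:r:release_app:s0:c41 tcontext=u:object_r:system_data_file:s0 tclass=file
<5>[12124.019561] type=1400 audit(1342643505.007:1919): avc: denied { open } for pid=24055 comm="ationTestRunner" name="libctspermission_jni.so" dev=mmcblk0p12 ino=578541 scontext=u:r:release_app:s0:c41 tcontext=u:object_r:system_data_file:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per complete 'avc: denied' record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue  # truncated or wrapped record: skip rather than guess
        rec["perms"] = m.group("perms").split()
        # A context is user:role:type:level[:categories]; the type is field 3.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Group denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set()})
    for r in records:
        g = groups[(r["stype"], r["ttype"], r["tclass"])]
        g["perms"].update(r["perms"])
        g["names"].add(r.get("name", "?"))
    return dict(groups)

def candidate_rules(groups):
    """Render each group as a rule for human review, never for blind inclusion."""
    out = []
    for (s, t, c), g in sorted(groups.items()):
        out.append(f"# triggered by: {', '.join(sorted(g['names']))}")
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(parse_denials(SAMPLE_LOG)))))
```

The rule it prints names the concrete type `release_app`, while the patch in the thread grants the permission to the `platformappdomain` attribute; comparing the two is the scoping question the thread is debating.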