Hi, Joshua
I think you are trying to run the application on Tizen 2.x (Tizen 2.3 or Tizen 2.4), since you got the Smack denial below:

    type=1400 audit(1420366222.567:8): lsm=SMACK fn=smack_inode_permission action="" subject="_" object="device::app_logging" requested=w pid=271 comm="enlightenment" name="log_main" dev="devtmpfs" ino=2067
You can see that the object label is "device::app_logging"; this is the Smack label of /dev/log_main, and it is a unique label for log_main.
Unlike Tizen 2.x, Tizen 3.0 uses the 3-domain Smack concept (https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel); the "device::app_logging" label is not allowed in 3.0.

> P.S: We find that all the processes/files have the default label "_". Do we need to change them and if yes, how?
Actually, the enlightenment process (comm="enlightenment") runs with the Smack label "e17". This is defined in /usr/lib/systemd/system/e17.service (SmackProcessLabel=e17; example from Tizen 2.4):

    #
    # Starts the enlightenment wm/compositor
    #
    [Unit]
    Description=Enlightenment WM/Compositor
    After=xorg.service

    [Service]
    User=app
    Group=app
    Type=notify
    EnvironmentFile=-/etc/sysconfig/e17
    OOMScoreAdjust=-900
    #ExecStart=/usr/bin/enlightenment_start $OPTIONS
    ...[omitted]...
    SmackProcessLabel=e17
You don't have to change Smack labels, since all labels in Tizen are set by the system. You should check the points below, since Smack must be mounted properly and the boot process should set the Smack labels too.
1. You can check whether smackfs is mounted under /sys/fs:

    sh-4.1$ mount | grep smack
    smackfs on /sys/fs/smackfs type smackfs (rw,nosuid,nodev,noexec)
    smackfs on /smack type smackfs (rw,relatime)
2. You can check whether systemd executes each service file properly:

    sh-4.1$ su                                    (switch to the root user)
    sh-4.1# systemctl status e17.service          (check the process ID of enlightenment and its running status)
    sh-4.1# cat /proc/[Process ID]/attr/current   (check the Smack label of the enlightenment process via the proc filesystem)

> -sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home
"System" is not an available label for an application; it is a unique label for Tizen 3.0. You should not set the Smack label via chsmack in the case of an application. The application is created by the SDK, as you know, and the Smack label of the process will be created like "org.tizen.w-home".
Also, if the application sets privileges via the SDK, then applications can have Smack rules and access the resources.
You can get more information about Smack for Tizen 2.x at https://wiki.tizen.org/wiki/Security/Tizen_2.x_Smack_Developer_Guide
Best regards
Seongwook
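As an added example, not part of this thread and not Tizen project code, the following POSIX sh helpers script the two checks above: they parse the Smack audit denial quoted in the thread into its fields (subject label, object label, requested access, command) and test a mount listing for smackfs. The sample denial line and mount listing are copied from the thread and embedded as constants; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): helpers to triage a Smack denial and to
# check that smackfs is mounted. Function names and sample constants are mine.

# Constructed sample: the audit line quoted in the thread.
SAMPLE_DENIAL='type=1400 audit(1420366222.567:8): lsm=SMACK fn=smack_inode_permission action="" subject="_" object="device::app_logging" requested=w pid=271 comm="enlightenment" name="log_main" dev="devtmpfs" ino=2067'

# Constructed sample: the "mount | grep smack" output quoted in the thread.
SAMPLE_MOUNT='smackfs on /sys/fs/smackfs type smackfs (rw,nosuid,nodev,noexec)
smackfs on /smack type smackfs (rw,relatime)'

# Print the value of one key=value field of an audit line (quotes stripped).
# Fields are whitespace-separated, which holds for the denial format above.
# Usage: audit_field "$line" subject
audit_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# Return 0 when the denied subject carries the floor label "_", i.e. the
# process was never given its own Smack label (the situation in the thread:
# enlightenment should have been running as "e17" from its unit file).
subject_is_floor() {
    [ "$(audit_field "$1" subject)" = "_" ]
}

# One-line summary of a denial: which command, with which label, wanted
# which access on which object label.
summarize_denial() {
    printf '%s (label "%s") was denied "%s" on object labelled "%s"\n' \
        "$(audit_field "$1" comm)" "$(audit_field "$1" subject)" \
        "$(audit_field "$1" requested)" "$(audit_field "$1" object)"
}

# Return 0 when the mount listing read from stdin shows smackfs mounted.
# Usage: mount | smackfs_mounted
smackfs_mounted() {
    grep -q '^smackfs on .* type smackfs'
}

# Print the Smack label of a process (the current shell when no PID is given).
# On a kernel without Smack this attribute holds another LSM's label or is absent.
proc_label() {
    cat "/proc/${1:-self}/attr/current" 2>/dev/null || echo "(no label attribute)"
}

summarize_denial "$SAMPLE_DENIAL"
if subject_is_floor "$SAMPLE_DENIAL"; then
    echo "subject has the floor label: process labelling did not take effect"
fi
if printf '%s\n' "$SAMPLE_MOUNT" | smackfs_mounted; then
    echo "smackfs is mounted"
fi
```

On a device, replace the embedded constants with `dmesg | grep lsm=SMACK` lines and the live `mount` output; a subject of "_" on a denial from a service that has a SmackProcessLabel in its unit file points at the boot-time labelling step, not at the file labels, which is the distinction Seongwook draws above.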
------- Original Message -------
Sender : 이종화 <[email protected]> S3 (Staff)/Staff/S/W Platform Lab (VD)/Samsung Electronics
Date : 2016-02-01 10:11 (GMT+09:00)
Title : Re: [Dev] Fwd: Smack - Home screen issue
Hi,
For the first Smack denial you commented on, it occurred because "_" is a predefined Smack label which only allows read and execute,
not write or append. And all device nodes which are created under tmpfs have the "_" label. So you have to set the proper label on the device node
you want to access with the command 'chsmack -a <label> <file>'. Also, a udev rule can be defined for later automatic labeling.
In addition, "*" is the Smack label for allowing every access.
>-sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home
>/usr/apps/org.tizen.w-home/bin/w-home: Operation not supported
You did it as the root user, didn't you? AFAIK, there is no extra privilege such as CAP_SMACK_ADMIN; it follows system privileges.
So if you have root privilege it won't happen. If it still occurs even when you're the root user, check whether the XATTR option
is enabled for your filesystem, such as CONFIG_EXT3_FS_XATTR, CONFIG_TMPFS_XATTR.
Thanks,
Jonghwa
------- Original Message -------
Sender : Joshua Varghese<[email protected]>
Date : 2016-01-30 19:28 (GMT+09:00)
Title : [Dev] Fwd: Smack - Home screen issue
Hi,
We are trying to install apps on our MIPS-based platform. We learnt that SMACK is necessary for app installation. So, we enabled SMACK (which we had disabled earlier). We are getting the boot-animation logo but the menu screen doesn't show up. In our kernel logs, we find errors which say "permission denied", e.g. (" type=1400 audit(1420366222.567:8): lsm=SMACK fn=smack_inode_permission action="" subject="_" object="device::app_logging" requested=w pid=271 comm="enlightenment" name="log_main" dev="devtmpfs" ino=2067 "), and in the dlogutil logs, we find errors related to w-home ("E/PRIVILEGE_CONTROL( 493): privilege-control.c: get_smack_from_binary(468) > Getting exec label from file /usr/apps/org.tizen.w-home/bin/w-home failed "). We tried to give the w-home executable permissions using chsmack, but we get an error "Operation not supported". Could this be because we don't have the CAP_SMACK_ADMIN privilege? What do we do?
-sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home
/usr/apps/org.tizen.w-home/bin/w-home: Operation not supported
P.S: We find that all the processes/files have the default label "_". Do we need to change them and if yes, how?
Please find the attached Kernel and dlogutil logs
Thanks & Regards,
Atchyut Sreekar Durga
JongHwa Lee | 이 종 화 (李 鐘 和)
Platform Solution Lab, S/W Center, SEC, M: 82-10-2827-9616
=========================
Seongwook Chung
Engineer
Security Lab.
Samsung Electronics
=========================
_______________________________________________
Dev mailing list
[email protected]
https://lists.tizen.org/listinfo/dev
