Hi All, Thank you for your inputs. As Casey and Jonghwa suggested we enabled the XATTR for the EXT4 and TMPFS in our kernel and we got the CAP_SMACK_ADMIN and label issue fixed. Thank you Seongwook for explaining what we should look for so clearly. We can now see that the files on our platform have the expected labels, permissions and we can now the chsmack utility to change labels and accesses.
We are now facing a new issue, even after setting the XATTR we are still not able to see the home screen. On debugging we realized that the e17 service was the issue. We then ran the "/usr/bin/enlightment_start" (App executed by the service) and we were able to successfully get the start up logo and a wallpaper but w-home (i.e. the clock the setting etc.) did continuously tries to execute but fails. These are the logs that we've got: type=1400 audit(1420366395.073:6): lsm=SMACK fn=smack_unix_stream_connect action=denied subject="_" object="data-provider-master::badge" requested=w pid=814 comm="w-home" path="/tmp/.badge.service" type=1400 audit(1420454589.479:416): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::vconf" requested=x pid=5780 comm="w-home" name="db" dev="mmcblk0p2" ino=166 type=1400 audit(1420454589.509:417): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::homedir" requested=x pid=5780 comm="w-home" name="app" dev="mmcblk0p2" ino=904 type=1400 audit(1420454589.569:418): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::homedir" requested=x pid=5780 comm="w-home" name="app" dev="mmcblk0p2" ino=904 type=1400 audit(1420454589.589:419): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::homedir" requested=x pid=5780 comm="w-home" name="app" dev="mmcblk0p2" ino=904 type=1400 audit(1420454589.639:420): lsm=SMACK fn=smack_unix_stream_connect action=denied subject="System" object="_" requested=w pid=5780 comm="w-home" path=002F746D702F2E5831312D756E69782F5830 type=1400 audit(1420454589.659:421): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::homedir" requested=x pid=5780 comm="w-home" name="app" dev="mmcblk0p2" ino=904 type=1400 audit(1420454589.679:422): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::vconf" requested=x pid=5780 comm="w-home" name="db" dev="mmcblk0p2" ino=166 type=1400 audit(1420454589.709:423): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::vconf" requested=x pid=5780 comm="w-home" name="db" dev="mmcblk0p2" ino=166 type=1400 audit(1420454589.729:424): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::vconf" requested=x pid=5780 comm="w-home" name="db" dev="mmcblk0p2" ino=166 type=1400 audit(1420454589.739:425): lsm=SMACK fn=smack_inode_permission action=denied subject="System" object="system::vconf" requested=x pid=5780 comm="w-home" name="db" dev="mmcblk0p2" ino=166 If you have any clues on what is going on, please let us know. Thank you. Regards, Joshua ----- Original Message ----- From: "seongwook chung" <[email protected]> To: "Joshua Varghese" <[email protected]>, [email protected] Sent: Monday, February 1, 2016 7:44:05 AM Subject: Re: Re: [Dev] Fwd: Smack - Home screen issue Hi, Joshua I think you are trying to run application in Tizen 2.x (Tizen 2.3 or Tizen 2.4) since you got below smack deny. type=1400 audit(1420366222.567:8): lsm=SMACK fn=smack_inode_permission action=denied subject="_" object="device::app_logging" requested=w pid=271 comm="enlightenment" name="log_main" dev="devtmpfs" ino=2067 You can see that object label is "device::app_logging", this is smack label of /dev/log_main and it is unique label for log_main Unlike Tizen 2.x, Tizen 3.0 allows 3-domain Smack concept; https://wiki.tizen.org/wiki/Security:SmackThreeDomainModel , "device::app_logging" label is not allowed in 3.0. P.S: We find that all the processes/files have the default label "_". Do we need to change them and if yes, how? Actuallly enlightenment process( comm="enlightenment" ) is running based on smack label, "e17". This is defined in /usr/lib/systemd/system/e17.service (SmackProcessLabel=e17 / example of Tizen 2.4) # # Starts the enlightenment wm/compositor # [Unit] Description=Enlightenment WM/Compositor After=xorg.service [Service] User=app Group=app Type=notify EnvironmentFile=-/etc/sysconfig/e17 OOMScoreAdjust=-900 #ExecStart=/usr/bin/enlightenment_start $OPTIONS ...[ommitted]... SmackProcessLabel=e17 You don't have to change smack label since all label of Tizen are set by system. You have to check below ways since smack is mounted well, and booting process should set smack label too. 1. You can check whether smack is mounted on /sys/fs sh-4.1$ mount | grep smack smackfs on /sys/fs/smackfs type smackfs ( rw,nosuid, nodev, noexec) smackfs on /smack type smackfs (rw, relatime) 2. You can check whether systemd executes each service file well. sh-4.1$ su (converted to root user) sh-4.1# systemctl status e17.service (check process id of enlighentment and status of running) sh-4.1# cat /proc/[Process ID]/attr/current ( check smack label of enlightenment process via seeing proc filesystem) -sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home /usr/apps/org.tizen.w-home/bin/w-home: Operation not supported "System" is unavailable label for application, and unique label for Tizen 3.0. You have to not set smack label via chsmack in case of application. Application is created by SDK as you know, and smack label of process would be created like "org.tizen.w-home" Also if application sets privilege via SDK, then applications can have smack rule and access the resources. You can get more information about smack for Tizen 2.x in https://wiki.tizen.org/wiki/Security/Tizen_2.x_Smack_Developer_Guide Best regards Seongwook ------- Original Message ------- Sender : 이종화<[email protected]> S3(사원)/사원/S/W Platform Lab(VD)/삼성전자 Date : 2016-02-01 10:11 (GMT+09:00) Title : Re: [Dev] Fwd: Smack - Home screen issue Hi, For first smack denial you commented, it assaulted because "_" label is predefined smack label which only allowed read and execution not write or append. And all device node which are created under tmpfs have "_" label. So you have to set proper lable to device node you want to access with command 'chsmack -a <label> <file>'. Also it can be defined udev rule for later automatic labeling. In addition to, "*" is smack label for allowing every access. >-sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home >/usr/apps/org.tizen.w-home/bin/w-home: Operation not supported You did it as a root user, arent you? AFAIK, there is no extra privilege such as CAP_SMACK_ADMIN, it follows system privileges. So ift you access root privilege it won't be happened. If it still occur even if you're root user, check whether XATTR option is enabled for your filesystem, such as CONFIG_EXT3_FS_XATTR, CONFIG_TMPFS_XATTR.. Thanks, Jonghwa ------- Original Message ------- Sender : Joshua Varghese<[email protected]> Date : 2016-01-30 19:28 (GMT+09:00) Title : [Dev] Fwd: Smack - Home screen issue Hi, We are trying to install apps on our MIPS based platform. We learnt that SMACK is necessary for apps installation. So, we enabled SMACK (which we disabled earlier). We are getting the boot-animation logo but the menu screen doesn't show up. In our kernel logs, we find errors which say "permission denied" e.g (" type=1400 audit(1420366222.567:8): lsm=SMACK fn=smack_inode_permission action=denied subject="_" object="device::app_logging" requested=w pid=271 comm="enlightenment" name="log_main" dev="devtmpfs" ino=2067 ") and in the dlogutil logs, we find errors related to w-home ("E/PRIVILEGE_CONTROL( 493): privilege-control.c: get_smack_from_binary(468) > Getting exec label from file /usr/apps/org.tizen.w-home/bin/w-home failed "). We tried to give w-home executable permissions using chsmack, but we get an error "Operation not supported". Could this be because we don't have the CAP_SMACK_ADMIN privilege. What do we do? -sh-4.1# chsmack -e "System" /usr/apps/org.tizen.w-home/bin/w-home /usr/apps/org.tizen.w-home/bin/w-home: Operation not supported P.S: We find that all the processes/files have the default label "_". Do we need to change them and if yes, how? Please find the attached Kernel and dlogutil logs Thanks & Regards, Atchyut Sreekar Durga JongHwa Lee | 이 종 화 (李 鐘 和) Platform Solution Lab, S/W Center, SEC, M: 82-10-2827-9616 ========================= Seongwook Chung Engineer Security Lab. Samsung Electronics ========================= _______________________________________________ Dev mailing list [email protected] https://lists.tizen.org/listinfo/dev
