On 11/14/2012 08:29 AM, Stephen Smalley wrote:
On 11/13/2012 05:16 PM, William Roberts wrote:
We've seen a lot of patches that look like they're for support of ndk
debugging and the run-as setuid. Could someone please elaborate on these?

The patches enable the use of run-as and the ndk-gdb script from the
Android NDK when SE Android is enforcing. Previously, there was no
policy for run-as (so it would just run in the caller's context, and
thus just fail if it was run from an unprivileged shell), and run-as did
not set the SELinux security context in any way, so the resulting
command or shell would likewise have just run in the caller's context.
The changes are to enable the run-as and ndk-gdb functionality while
still preserving security.

The change to run-as ensures that the command or shell runs in the app's
security context, and the policy change allows the necessary permissions
for run-as and other commands invoked by ndk-gdb to operate, while still
limiting run-as to the least privilege required for its function. In
particular, run-as needs to be able to set its UID/GID (in order to
switch to the app UID/GID) and it needs to be able to search the app's
data directory, so it requires three Linux superuser capabilities and no
more, which is what we allowed in the policy. Its ability to exercise
CAP_DAC_READ_SEARCH is further constrained by policy restrictions on
what files/directories it can read/search. And it cannot execute any
program without first transitioning to a different security context (no
execute_no_trans permission to any file type).

One other tidbit: The run-as change that I posted (and uploaded to
AOSP) doesn't have the seinfo string available, so it only works if the
app being launched doesn't have an explicit seinfo string defined for
it. Bob posted an updated version of the patch along with the
corresponding frameworks/base change to allow run-as to get the seinfo
string by saving it in the packages.list file. We'll upload that as a
relative change on top of the basic support if/when the seinfo change
gets accepted. But my change is sufficient for enabling the run-as and
ndk-gdb functionality for third party apps with a default configuration.
--
This message was distributed to subscribers of the seandroid-list mailing list.
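To make the least-privilege shape of the run-as policy described above concrete, here is an illustrative SE Android type-enforcement fragment. It is an added example written for this page, not the patch Stephen or Bob posted, and the type names (runas, runas_exec, shell, shell_exec, untrusted_app, app_data_file, system_data_file, file_type) are assumptions that follow AOSP sepolicy naming conventions; the real policy may differ in naming and detail. It hard-codes untrusted_app as the target domain, which corresponds to the default-configuration case (no explicit seinfo string) that the message says the basic run-as change covers.

```sepolicy
# Illustrative run-as policy (added example; not the posted patch).
# Type and attribute names below are assumed, following AOSP sepolicy conventions.

type runas, domain;
type runas_exec, exec_type, file_type;

# An unprivileged shell (adb shell, as used by ndk-gdb) may exec run-as;
# the exec automatically transitions out of the shell domain into runas,
# so run-as never runs in the caller's context (the pre-patch behaviour).
allow shell runas_exec:file { read getattr execute };
allow runas runas_exec:file entrypoint;
allow shell runas:process transition;
type_transition shell runas_exec:process runas;

# The inherited terminal and shell file descriptors stay usable.
allow runas shell:fd use;
allow runas devpts:chr_file { read write ioctl };

# Exactly the three superuser capabilities the message describes:
# setuid/setgid to become the app UID/GID, and dac_read_search to
# enter the app's data directory regardless of its DAC mode bits.
allow runas self:capability { setuid setgid dac_read_search };

# CAP_DAC_READ_SEARCH is only as useful as the SELinux rules allow:
# run-as may look up the app data directory and read the package list
# (packages.list is assumed to carry the system_data_file label here),
# and nothing else.
allow runas app_data_file:dir { getattr search };
allow runas system_data_file:file { read getattr open };

# run-as sets the exec context for the command it launches and then
# execs it; there is no execute_no_trans rule anywhere for runas, so
# every exec must leave the runas domain.
allow runas self:process setexec;
allow runas shell_exec:file { read getattr execute };
allow runas untrusted_app:process transition;
allow untrusted_app shell_exec:file entrypoint;

# Compile-time guard rails encoding "three capabilities and no more" and
# "no execute_no_trans to any file type": policy builds that violate
# them fail instead of silently widening run-as.
neverallow runas self:capability ~{ setuid setgid dac_read_search };
neverallow runas file_type:file execute_no_trans;
```

The two neverallow rules are the part worth copying into any review of a patch like this: they turn the prose constraints in the message into conditions that checkpolicy enforces at build time, so a later change that adds dac_override or lets run-as execute a binary in its own domain is rejected rather than merely noticed in an audit log.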