Stephen Smalley wrote:
On 01/15/2013 09:32 PM, Joshua Brindle wrote:
William Roberts wrote:
On Tue, Jan 15, 2013 at 6:06 PM, Joshua Brindle<[email protected]>
wrote:
William Roberts wrote:
In watchdog.te there is:

# because of /dev/__kmsg__ and /dev/__null__
allow watchdogd device:chr_file create_file_perms;

Would a dynamic type transition not work for this?

Transitions are only hints, you still need full privileges to create the
file type and write to the directory or the type transition will fail.

But would it avoid read/write on device:file?


Oops, missed that that was actually the question. If Robert is right and
they are transient it might be fine to label them watchdog_device and if
they get leaked somehow the next process won't be able to open them.

/dev/__null__ is just a privately created copy (create, open, unlink) of
/dev/null. Created by open_devnull_stdio() in system/core/init/util.c, called by
init, ueventd, and watchdogd (which btw all share the same executable). Doesn't
matter if it gets leaked since it is the null device.


But nothing is enforcing that it is the null device, right?

/dev/__kmsg__ is a privately created copy (create, open, fcntl FD_CLOEXEC,
unlink) of /dev/kmsg. Created by klog_init() in system/core/libcutils/klog.c,
called by init, ueventd, watchdogd and others. Due to FD_CLOEXEC, it won't leak
on exec. Further, the default "device" type can only be read/written by
unconfined domains, ueventd, watchdogd, and system (system_server). So even if it
somehow leaked, access would only be possible for those domains.

watchdogd just opens /dev/watchdog (which is labeled with watchdog_device), sets
the timeout, and then periodically writes to it. Doesn't exec anything, doesn't
communicate with anything else.

So it isn't clear it is worth labeling these private device nodes with a
distinct type. Let's say you defined a type_transition watchdogd device:chr_file
watchdog_device; so that they were also labeled watchdog_device. What are you
preventing? Since watchdogd is creating them, it can create any device it wants
in that type, so you aren't truly limiting the kinds of devices it can access.
Looks like the set of domains that can read/write watchdog_device doesn't
include system_server, so I guess that's a small benefit.
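For readers following the exchange, this is what the relabeling discussed above would look like in policy, together with the rules it would still depend on (an added illustration written for this page, not a fragment from the thread or from AOSP sepolicy; it assumes /dev itself is labeled with the device type and that the types and macros named in the thread exist as stated):

```selinux
# Hypothetical fragment (added example, not from the thread or from AOSP policy).
# Label the private nodes watchdogd creates under /dev as watchdog_device
# instead of the default "device" type.
type_transition watchdogd device:chr_file watchdog_device;

# The transition is only a hint: watchdogd still needs permission to create,
# open and unlink nodes of the target type ...
allow watchdogd watchdog_device:chr_file create_file_perms;

# ... and to add and remove names in /dev (assumed here to be device:dir),
# otherwise the create, and with it the transition, fails.
allow watchdogd device:dir { search write add_name remove_name };

# What this does not do: nothing here constrains the major/minor numbers
# watchdogd passes to mknod, so it can still create any device node it
# likes in the watchdog_device type. The only change is which domains can
# later open a leaked node, i.e. the readers of watchdog_device rather than
# the readers of device.
```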