Re: /storage/emulated security label

Wed, 23 Jan 2013 21:42:43 -0800 

That's weird, if I recall emulated is used for the fuse mount. I wonder why
that app isn't going the normal route....
On Jan 23, 2013 9:29 PM, "Peck, Michael A" <[email protected]> wrote:

>  An app I installed (Big Win Basketball) kept crashing whenever SELinux
> enforcing mode was turned on.  This is on a Galaxy Nexus (maguro).****
>
> Oddly, with enforcing mode turned off, no denial messages were showing up
> in the log.****
>
> ** **
>
> <5>[  552.326965] type=1400 audit(1358990973.587:16): avc:  denied  {
> search } for  pid=1907 comm="igwinbasketball" name="/" dev=tmpfs ino=2500
> scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0
> tclass=dir****
>
> ** **
>
> From logcat:****
>
> E/AndroidRuntime( 3105): Caused by: java.lang.IllegalArgumentException:
> Invalid path: /storage/emulated/0****
>
> E/AndroidRuntime( 3105): Caused by: libcore.io.ErrnoException: statfs
> failed: EACCES (Permission denied)****
>
> ** **
>
> I eventually noticed (using a Terminal Emulator app) that from the
> perspective of running apps, /storage/emulated is labeled as
> u:object_r:tmpfs:s0 (but from the perspective of ‘adb shell’ it’s labeled
> u:object_r:rootfs:s0), which I think was preventing the app from being able
> to access /storage/emulated/0 (which is correctly labeled
> u:object_r:sdcard:s0).****
>
> ** **
>
> I modified dalvik/vm/Init.cpp to label /storage/emulated as
> u:object_r:sdcard:s0 when mounting and that seemed to fix the problem.  Not
> sure if that is the right approach or the right label (though it’s already
> setting gid=1028 which is sdcard_r, so labeling as sdcard might make sense).
> ****
>
> ** **
>
> diff --git a/vm/Init.cpp b/vm/Init.cpp****
>
> index 11d884e..639da90 100644****
>
> --- a/vm/Init.cpp****
>
> +++ b/vm/Init.cpp****
>
> @@ -1658,7 +1658,7 @@ static bool initZygote()****
>
>      const char* target_base = getenv("EMULATED_STORAGE_TARGET");****
>
>      if (target_base != NULL) {****
>
>          if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV,***
> *
>
> -                "uid=0,gid=1028,mode=0050") == -1) {****
>
> +
> "uid=0,gid=1028,mode=0050,fscontext=u:object_r:sdcard:s0") == -****
>
>              SLOGE("Failed to mount tmpfs to %s: %s", target_base,
> strerror(errn****
>
>              return -1;****
>
>          }****
>
> ** **
>

Reply via email to