On 01/24/2013 12:16 AM, Peck, Michael A wrote:
An app I installed (Big Win Basketball) kept crashing whenever SELinux enforcing mode was turned on. This is on a Galaxy Nexus (maguro). Oddly, with enforcing mode turned off, no denial messages were showing up in the log.

<5>[ 552.326965] type=1400 audit(1358990973.587:16): avc: denied { search } for pid=1907 comm="igwinbasketball" name="/" dev=tmpfs ino=2500 scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=dir

From logcat:

E/AndroidRuntime( 3105): Caused by: java.lang.IllegalArgumentException: Invalid path: /storage/emulated/0
E/AndroidRuntime( 3105): Caused by: libcore.io.ErrnoException: statfs failed: EACCES (Permission denied)

I eventually noticed (using a Terminal Emulator app) that from the perspective of running apps, /storage/emulated is labeled as u:object_r:tmpfs:s0 (but from the perspective of ‘adb shell’ it’s labeled u:object_r:rootfs:s0), which I think was preventing the app from being able to access /storage/emulated/0 (which is correctly labeled u:object_r:sdcard:s0). I modified dalvik/vm/Init.cpp to label /storage/emulated as u:object_r:sdcard:s0 when mounting and that seemed to fix the problem. Not sure if that is the right approach or the right label (though it’s already setting gid=1028 which is sdcard_r, so labeling as sdcard might make sense).

diff --git a/vm/Init.cpp b/vm/Init.cpp index 11d884e..639da90 100644 --- a/vm/Init.cpp +++ b/vm/Init.cpp @@ -1658,7 +1658,7 @@ static bool initZygote() const char* target_base = getenv("EMULATED_STORAGE_TARGET"); if (target_base != NULL) { if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV, - "uid=0,gid=1028,mode=0050") == -1) { + "uid=0,gid=1028,mode=0050,fscontext=u:object_r:sdcard:s0") == - SLOGE("Failed to mount tmpfs to %s: %s", target_base, strerror(errn return -1; }
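Review bot: the new fscontext=u:object_r:sdcard:s0 mount option is passed unconditionally, so on a kernel booted with SELinux disabled (or built without it) nothing strips the option before tmpfs parses the data string, the mount fails, and the error path visible in the same hunk (SLOGE("Failed to mount tmpfs to %s: %s", ... followed by return -1;) turns a labeling bug into a zygote that cannot start. Build the option string at runtime and append the fscontext= part only when libselinux reports is_selinux_enabled() > 0; also consider taking the context from policy (a dedicated type or a lookup) rather than a literal in the VM. Separately, the quoted hunk is cut off at "== -" and "strerror(errn", so the comparison on the changed line and the error message cannot be checked here; include the complete lines in the AOSP upload.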
Thanks for investigating this. I have also seen this at times but had not yet chased it down. I agree that we should label it with something other than just the default tmpfs type, and sdcard is at least a reasonable starting point and consistent with the group ownership as you say. Perhaps you could upload this change to AOSP and see if you can get any comments? Add me as a reviewer and I'll add others.
-- This message was distributed to subscribers of the seandroid-list mailing list. If you no longer wish to subscribe, send mail to [email protected] with the words "unsubscribe seandroid-list" without quotes as the message.
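The avc denial quoted in the first message above is the kind of line that gets triaged by hand (which domain, which target type, which class, which permission) before deciding between an allow rule and a relabel. The following is an added example, not code from this thread or from AOSP: it parses kernel-format AVC denial lines, aggregates them into the allow rules audit2allow would emit, and flags denials whose target carries a filesystem default label (tmpfs, rootfs, unlabeled), where, as this thread concludes, relabeling the object is the right fix rather than opening policy. The first sample line is the one from the message; the second sample line and the GENERIC_TARGET_TYPES heuristic are constructed for illustration and are not anything AOSP policy defines.

```python
"""Triage SELinux AVC denials from dmesg/logcat output.

Added example, not code from the seandroid-list thread or from AOSP.
SAMPLE_DENIAL is the line quoted in the thread; CONSTRUCTED_DENIAL and
GENERIC_TARGET_TYPES are assumptions made for the demonstration.
"""
import re
from collections import defaultdict

# Standard kernel AVC layout: "avc: denied { perm perm } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted (comm, name) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that are filesystem defaults rather than a deliberate label for
# the object. A denial against one of these usually means the object was never
# relabeled, so the fix belongs in labeling, not in an allow rule (heuristic).
GENERIC_TARGET_TYPES = {"tmpfs", "rootfs", "unlabeled"}

SAMPLE_DENIAL = (
    '<5>[ 552.326965] type=1400 audit(1358990973.587:16): avc: denied { search } '
    'for pid=1907 comm="igwinbasketball" name="/" dev=tmpfs ino=2500 '
    'scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=dir'
)
# Constructed line (not from the thread): same domain, a file-class denial
# carrying two permissions, to show aggregation.
CONSTRUCTED_DENIAL = (
    '<5>[ 553.000000] type=1400 audit(1358990974.000:17): avc: denied { read open } '
    'for pid=1907 comm="igwinbasketball" name="x" dev=tmpfs ino=2501 '
    'scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=file'
)


def context_type(ctx):
    """Type field of a context: u:r:untrusted_app:s0:c48,c256 -> untrusted_app."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return a dict of the denial's fields plus perms/stype/ttype, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def allow_rules(lines):
    """Aggregate by (source type, target type, class) and emit allow rules
    in policy syntax, the way audit2allow does."""
    acc = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            acc[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(acc.items())]


def labeling_suspects(lines):
    """Denials whose target has a generic default label; report the object
    (dev, name, ino) so it can be relabeled instead of allowed."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec["ttype"] in GENERIC_TARGET_TYPES:
            out.append((rec["ttype"], rec.get("dev"), rec.get("name"), rec.get("ino")))
    return out


if __name__ == "__main__":
    lines = [SAMPLE_DENIAL, CONSTRUCTED_DENIAL,
             "E/AndroidRuntime( 3105): not an avc line"]
    for rule in allow_rules(lines):
        print(rule)
    for ttype, dev, name, ino in labeling_suspects(lines):
        print("relabel candidate: %s on dev=%s name=%s ino=%s" % (ttype, dev, name, ino))
```

Run against the thread's line, allow_rules() produces "allow untrusted_app tmpfs:dir { search };", which is exactly the rule one should not add: it would let every untrusted app search every tmpfs directory. labeling_suspects() points at the real problem instead, the root directory (name="/") of a tmpfs mount still carrying the default tmpfs type, which is what the fscontext= change in the first message corrects.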
