On 05/08/2013 01:37 AM, William Roberts wrote:
Their is an issue with using the socket keyword in the init.rc when the
service is started with logwrapper. The resulting socket stays in the init
domain, thus when the child process is finally invoked by logwrapper, it,
most likely, cannot access its socket. An example of this is on the Mako
(Nexus 4) wpa_supplicant service.
I have a patch that I am uploading to Gerrit that lets one specify the
seccontext for sockets. This may
not be the best approach, but is an approach.
Also, ( I have not tested this), one could add the seclabel to the
wpa_supplicant service. This way it won't compute the wrong value.
Why this occurs:
in init.c
the security context for the child process is computed and stored in scon.
Either it uses the value in seclabel, or computes it via the following:
1. get its current context via getcon(&con)
2. get the filecontext of the executable via getfilecon(svc->args[0],
&fcon);
3. Computes the scon via security_compute_create(mycon, fcon,
string_to_security_class("process"), &scon)
4.
The issue arises when the getfilecon returns system_file (as logwrapper has
no unique label)
Since no transition occurs on init --> system_file, the computed context
remains init.
A fork then occurs and the value "init" is then used in
a setsockcreatecon(scon);
Thus the wpa_supplicant socket is labeled as init.
Your analysis sounds correct to me.
If we have to specify security contexts for sockets in init.rc, then it
would belong as part of the existing socket line, after the "mode user
group" information. But that seems a bit unpleasant to have to manually
specify the security context for each socket, just to address logwrapper
usage, when it can be automatically computed from policy.
I don't suppose we could just have init check to see if args[0] is
logwrapper and if so, compute the context from args[1] instead?
I guess it would also have to skip any options to logwrapper.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
