On 08/02/2013 10:24 PM, Peck, Michael A wrote:
> I'm running into a related issue on a Galaxy Nexus (maguro) running master +
> seandroid.
> The denials I'm seeing are coming from sdcardd, not the app.
> /mnt/sdcard or equivalent that the app is trying to access and its contents
> are properly labeled as u:object_r:sdcard_internal:s0, but /data/media/0
> (which sdcardd is trying to access) and its contents are
> u:object_r:unlabeled:s0.
> /data/media shouldn't be directly accessible from apps but needs to be
> accessible by sdcardd.
> Does installd.c need to be updated to set a security context when
> /data/media/0 is created?
>
> type=1400 msg=audit(1375476226.381:87): avc: denied { create } for pid=133
> comm="sdcard" name="facebook_ringtone_pop.m4a" scontext=u:r:sdcardd:s0
> tcontext=u:object_r:unlabeled:s0 tclass=file
> type=1400 msg=audit(1375476226.389:88): avc: denied { getattr } for
> pid=133 comm="sdcard"
> path="/data/media/0/media/audio/notifications/facebook_ringtone_pop.m4a"
> dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0
> tcontext=u:object_r:unlabeled:s0 tclass=file
> type=1400 msg=audit(1375476226.389:89): avc: denied { write } for pid=141
> comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948
> scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
> type=1400 msg=audit(1375476226.389:90): avc: denied { open } for pid=141
> comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948
> scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
>
> shell@maguro:/data/media # ls -Z
> drwxrwx--- media_rw media_rw u:object_r:unlabeled:s0 0
> drwxrwxr-x media_rw media_rw u:object_r:system_data_file:s0 legacy
> drwxrwx--- media_rw media_rw u:object_r:system_data_file:s0 obb
>
> shell@maguro:/data/media/0 # ls -Z
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Alarms
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Android
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 DCIM
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Download
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Movies
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Music
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Notifications
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Pictures
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Podcasts
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 Ringtones
> drwxrwxr-x media_rw media_rw u:object_r:unlabeled:s0 media
I'm not seeing that here. Assuming you did reflash userdata correctly,
did you in fact update your local_manifest.xml file so that it includes
our modifications to frameworks/native as well? installd was moved from
frameworks/base to frameworks/native and our changes to support labeling
of multi-user data directories were "lost" in the 4.3 merge so we had to
revive them there.
--
This message was distributed to subscribers of the seandroid-list mailing list.
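To triage denials like the ones quoted above, here is an added Python example (not code from the thread or from the SEAndroid project) that parses the quoted AVC lines, rejoined one per line, groups them by (scontext, tcontext, tclass), and flags tuples whose target type is `unlabeled`; those point to a labeling gap (files created without a context, as with /data/media/0 here) rather than a missing allow rule.

```python
import re
from collections import defaultdict

# The four AVC denials from the message above, each rejoined onto a single line.
AVC_LINES = """\
type=1400 msg=audit(1375476226.381:87): avc: denied { create } for pid=133 comm="sdcard" name="facebook_ringtone_pop.m4a" scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:88): avc: denied { getattr } for pid=133 comm="sdcard" path="/data/media/0/media/audio/notifications/facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:89): avc: denied { write } for pid=141 comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
type=1400 msg=audit(1375476226.389:90): avc: denied { open } for pid=141 comm="sdcard" name="facebook_ringtone_pop.m4a" dev=mmcblk0p12 ino=447948 scontext=u:r:sdcardd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
"""

# Permission set in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields a policy writer needs from one denial, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    path = re.search(r'path="([^"]+)"', line)
    d["path"] = path.group(1) if path else None  # path is only present on some denials
    return d


def summarize(text):
    """Group denials by (scontext, tcontext, tclass) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            summary[(d["scontext"], d["tcontext"], d["tclass"])] |= d["perms"]
    return dict(summary)


def labeling_problems(summary):
    """Tuples whose target type is 'unlabeled': fix the labeling, do not add allow rules."""
    return [key for key in summary if key[1].split(":")[2] == "unlabeled"]


if __name__ == "__main__":
    s = summarize(AVC_LINES)
    for key, perms in s.items():
        print(key, sorted(perms))
    print("labeling problems:", labeling_problems(s))
```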