On 08/27/2013 08:17 AM, Stephen Smalley wrote:
> On 08/26/2013 09:48 PM, Peck, Michael A wrote:
>> Hi,
>>
>> When testing a bunch of applications, I'm getting a denial like the below
>> from about 60% of the apps. I'm using a very recent master branch (AOSP +
>> SE for Android) on a Galaxy Nexus.
>> I don't see any recent, related changes to the SELinux policy so perhaps
>> there was a recent change in AOSP causing many apps to try to get the
>> attributes of /data/app? Is anyone else seeing anything similar?
>>
>> type=1400 msg=audit(1377395793.361:557): avc: denied { getattr } for
>> pid=27640 comm="id.nycsubwaymap" path="/data/app" dev=mmcblk0p12 ino=773681
>> scontext=u:r:untrusted_app:s0:c58,c256 tcontext=u:object_r:apk_data_file:s0
>> tclass=dir
>
> Interesting, I haven't seen that. Does it only happen with apps from
> Google Play or with any of the AOSP apps?
>
> I suppose we could add getattr to domain.te; we already allow search to
> apk_data_file:dir and r_file_perms to apk_data_file:file there for all
> domains. getattr only permits stat(2) so it isn't a big deal to permit it.
Technically, it permits stat(2), getxattr(2), listxattr(2), and certain
ioctl calls (e.g. GETFLAGS, GETVERSION).
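An added example, not part of the original messages or of the SE for Android tooling: a small Python parser, in the spirit of audit2allow, that turns the denial quoted above (mail line wrapping included) into a candidate allow rule. The function names and the second audit record are constructed for illustration.

```python
import re
from collections import defaultdict

# Denial quoted in the thread, with the mail client's line wrapping kept.
PAGE_DENIAL = """type=1400 msg=audit(1377395793.361:557): avc: denied { getattr } for
pid=27640 comm="id.nycsubwaymap" path="/data/app" dev=mmcblk0p12 ino=773681
scontext=u:r:untrusted_app:s0:c58,c256 tcontext=u:object_r:apk_data_file:s0
tclass=dir"""

# Constructed record (not from the thread): same access from a second app.
CONSTRUCTED_DENIAL = PAGE_DENIAL.replace("id.nycsubwaymap", "example.app").replace("c58", "c61")

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+'
                    r'(?P<rest>.*?)(?=\s+type=\d+\s+msg=audit\(|$)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Return one dict per AVC denial; tolerates records wrapped across lines."""
    flat = " ".join(text.split())  # undo wrapping before matching
    denials = []
    for m in AVC_RE.finditer(flat):
        f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        try:
            denials.append({
                "perms": m.group("perms").split(),
                # context is user:role:type:level[:categories]; keep the type
                "source": f["scontext"].split(":")[2],
                "target": f["tcontext"].split(":")[2],
                "tclass": f["tclass"],
                "comm": f.get("comm", "?"),
            })
        except (KeyError, IndexError):
            continue  # truncated or malformed record
    return denials

def candidate_rules(denials):
    """Merge denials per (source, target, class) into candidate allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(PAGE_DENIAL + "\n" + CONSTRUCTED_DENIAL))))
```

The emitted rule is scoped to the denied source type; granting it to every domain in domain.te instead, as floated in the thread, is a policy decision to weigh against the reply's point that getattr covers more than stat(2).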