On 01/17/2014 09:19 AM, Christopher Stone wrote:
> I have modified zygote in the Dalvik VM to place android applications into
> separate pid namespaces. This is done in a multi-user scenario, where there
> is a pid namespace created for each user, and then all the android apps
> started by the user are placed into that namespace. Currently, I am only
> creating pid namespaces as a first step. I have noted that Zygote already
> creates mount namespaces for android apps so that a private emulated
> storage directory can be bind mounted.
>
> I do this by creating a namespace init process for each user. This init
> process is forked from the dalvik vm, in the forkAndSpecializeCommon()
> function of dalvik_system_Zygote.cpp, so it shares the same process
> context of normal android apps. Then, at the point where zygote normally
> forks to create an android app, the code is modified to signal the
> namespace init process to fork the app instead.
>
> I am having a problem where the android app is running an SELinux getcon()
> in selinux_android_setcontext() to set the SEAndroid context for the app.
> The getcon() is returning -1 for Operation not permitted. I am running in
> permissive mode. It is likely that there is a bug in my code, but, I wanted
> to ask if there was a fundamental problem with what I am trying to do. For
> instance, is there any reason why SELinux calls like getcon() will not work
> in kernel pid namespaces?
getcon() is open + read of /proc/self/task/<tid>/attr/current. I don't know why that would be denied, but if it is happening even in permissive mode, it isn't SELinux denying it but more likely a pid namespace restriction on /proc accesses.

On the setcon() call, which is open + write of the same file, SELinux does prohibit writing to /proc/self/task/<tid>/attr/current by anything other than the same task (i.e. a task can only change its own security context).

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
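As an added illustration of the reply (this is example code written for this page, not libselinux or anything from the thread), the following reimplements getcon() as the open + read of /proc/self/task/<tid>/attr/current described above and maps the errno of a failure to its most likely cause, so that a "permissive mode but still failing" result can be separated from a real policy denial. It assumes a Linux kernel with /proc mounted; the function names (read_attr_file, my_getcon, classify_attr_error) and the classification strings are this example's own, and the errno-to-cause mapping follows the reply: EACCES is an SELinux decision, EPERM from the attr file is the kernel refusing before policy is consulted (as for a write by a task other than the owner), and ENOENT points at /proc itself, e.g. a /proc mounted for a different pid namespace in which the task is not visible.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a /proc attr file (for example /proc/self/task/<tid>/attr/current)
 * into buf, dropping the trailing newline or NUL the kernel may append.
 * Returns the length of the context string, or -1 with errno set. */
int read_attr_file(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;          /* close() must not clobber the read errno */
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0'))
        buf[--n] = '\0';
    return (int)n;
}

/* Example equivalent of libselinux getcon(): open + read of the calling
 * task's own attr/current. Uses the kernel tid, not getpid(), because the
 * file is per task. */
int my_getcon(char *buf, size_t len)
{
    char path[64];
    long tid = syscall(SYS_gettid);
    snprintf(path, sizeof path, "/proc/self/task/%ld/attr/current", tid);
    return read_attr_file(path, buf, len);
}

/* Example equivalent of setcon(): open + write of the same file. The kernel
 * only accepts this write from the task that owns the file (the same-task
 * rule from the reply); anyone else gets EPERM regardless of policy mode. */
int my_setcon(const char *context)
{
    char path[64];
    long tid = syscall(SYS_gettid);
    snprintf(path, sizeof path, "/proc/self/task/%ld/attr/current", tid);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, context, strlen(context) + 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Map the errno of a failed getcon()/setcon() to the likely cause
 * (classification strings are this example's own wording). */
const char *classify_attr_error(int err)
{
    switch (err) {
    case EACCES: return "SELinux policy denial";
    case EPERM:  return "kernel refusal before policy: other task's attr, or /proc access in this pid namespace";
    case ENOENT: return "/proc path missing: proc not mounted for this pid namespace, or tid not visible there";
    case EINVAL: return "attr file present but SELinux not enabled in this kernel";
    default:     return strerror(err);
    }
}

int main(void)
{
    char ctx[256];
    if (my_getcon(ctx, sizeof ctx) < 0) {
        int err = errno;
        fprintf(stderr, "getcon failed: %s -> %s\n", strerror(err),
                classify_attr_error(err));
        return 1;
    }
    printf("current context: %s\n", ctx);
    return 0;
}
```

Run under an SELinux-enabled kernel the program prints the task's context; inside a child pid namespace that has not had /proc remounted for it, the failure and its classification are printed instead, which is the check worth doing before assuming the policy is at fault.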
