Re: sigchld denials

Stephen Smalley Tue, 18 Feb 2014 08:33:13 -0800

On 02/18/2014 06:43 AM, Tomas wrote:
> Here is an example. 
> 
> Starting androidterm: 
> LABEL                          USER     PID   PPID  NAME 
> u:r:untrusted_app:s0           u0_a85    7829  153   jackpal.androidterm 
> u:r:untrusted_app:s0           u0_a85    7843  7829  /system/bin/sh 
> 
> Run su from androidterm: 
> LABEL                          USER     PID   PPID  NAME 
> u:r:untrusted_app:s0           u0_a85    7904  7843  su 
> u:r:untrusted_app:s0           u0_a85    7905  7904  su 
> u:r:init:s0                    root      7908  1     /system/xbin/su 
> u:r:init:s0                    root      7909  7908  /system/xbin/su 
> u:r:init_shell:s0              root      7911  7909  sh 
> u:r:zygote:s0                  root      7912  7911  app_process 
> 
> avc:  denied  { sigchld } for  pid=7911 comm="sh"
> 
> 
> I do not use gdbserver, it is not started. 
> I use Kouch Superuser forked from https://github.com/koush/Superuser It is 
> started via init.rc script, like all other CyanogenMod devices, not with the 
> install-recovery.sh.
> 
> Init structure of the device: 
> 
> init.rc 
>   import /init.environ.rc 
>   import /init.usb.rc 
>   import /init.${ro.hardware}.rc 
>   import /init.trace.rc 
>   - - - - 
>   import /init.slim.rc 
>   on boot 
>   - - - - 
> 
>   init.endeavoru.rc 
>     import init.endeavoru.htc.rc 
>     import init.endeavoru.common.rc 
>     import init.endeavoru.usb.rc 
>     import init.tegra3-common.rc 
>     import init.endeavoru.cm.rc 
> 
>   init.slim.rc 
>     import /init.superuser.rc 
>     on init 
>     - - - - 
> 
>     init.superuser.rc 
>       # su daemon 
>       service su_daemon /system/xbin/su --daemon 
>           oneshot 
>       on property:persist.sys.root_access=0 
>           stop su_daemon 
>       on property:persist.sys.root_access=2 
>           stop su_daemon 
>       on property:persist.sys.root_access=1 
>           start su_daemon 
>       on property:persist.sys.root_access=3 
>           start su_daemon
> 
> Btw. I found samsung s2 and s3 devices with same denials. So it is not 
> limited to my htc one x.


Ok, given your usage model, I'd recommend just allowing it in your
policy.  But it doesn't make sense in our policy; that is not how we use
init_shell domain and we run su in the su domain (but that only exists
in userdebug or eng builds and therefore likely isn't suitable for your
usage).
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].

Re: sigchld denials

Reply via email to