On 03/10/2014 12:18 PM, Tai Nguyen (tainguye) wrote:
> It seems that we have some different rule enforcement in normal mode and
> emulator mode.
> Assume that we don't allow shell to run shell executables.

Not sure what this means.  shell domain has to be able to execute sh
(shell_exec) obviously.  Do you mean it cannot execute shell_data_file
in your policy?

> 
> Here is our test executable
> 
> root@android:/data/local/tmp # ls -Z
> -rwxrwxrwx root     root              u:object_r:shell_data_file:s0 myscript
> -r-xr-xr-x shell    shell             u:object_r:shell_data_file:s0 su
> 
> 
> In normal kernel, the rule works as expected
> 
> shell@android:/data/local/tmp $ id
> uid=2000(shell) gid=2000(shell)
> groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
> context=u:r:shell:s0
> 
> shell@android:/data/local/tmp $ ./myscript
> /system/bin/sh: ./myscript: can't execute: Permission denied

What's the actual avc denial here?

> However, in emulator mode, the rule doesn't work:
> 
> root@android:/data/local/tmp # id
> uid=0(root) gid=0(root) context=u:r:shell:s0
> 
> root@android:/data/local/tmp # ./myscript
> This is a test
> 
> root@android:/data/local/tmp # ./su
> su: applet not found  // This means su is running and returns an error
> 
> So, why does the emulator kernel (i.e., qemu) have different behavior?
> It seems to enforce other rules, but not in this case.

Is ls -Z /data/local/tmp identical for myscript and su on the emulator
as on the device?

Technically for scripts you only need read access since they are
actually "executed" by invoking sh with the pathname of the script as an
argument and sh only needs read access to the script file.  Whether or
not you encounter the execute check just depends on whether you invoke
the script via exec (and it has the execute mode bit set) or whether you
call it indirectly via sh.

Also, what are the kernel versions for your "normal kernel" and your
emulator, respectively?
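As an added illustration of the exec-versus-read distinction made in the reply above (not code from the thread): the script below creates a throwaway copy of a test script, then runs it both by direct pathname and via `sh`, reporting the exit status of each path. The DAC mode bits stand in for the SELinux execute permission under discussion, since the kernel's exec path is the same; the temporary directory name and the test script's contents are constructed for this example.

```sh
#!/bin/sh
# Direct invocation (./myscript) goes through execve(), which enforces the
# execute check on the script file. `sh myscript` only needs read access:
# sh is the program being executed and the script is just a file it opens.

# Create a throwaway script with the requested mode bits and print its path.
# Created under the current directory so a noexec /tmp cannot skew results.
make_script() {
    dir=$(mktemp -d "${PWD}/scriptcheck.XXXXXX" 2>/dev/null || mktemp -d) || return 1
    script="$dir/myscript"
    # On Android the interpreter line would be #!/system/bin/sh.
    printf '#!/bin/sh\necho "This is a test"\n' > "$script"
    chmod "$1" "$script"
    printf '%s\n' "$script"
}

# Run the script both ways and report "direct=<rc> indirect=<rc>".
# A POSIX shell reports 126 when execve() of the command fails with EACCES.
compare_paths() {
    script=$(make_script "$1") || return 1
    direct_rc=0
    indirect_rc=0
    "$script" >/dev/null 2>&1 || direct_rc=$?        # exec path: execute check
    sh "$script" >/dev/null 2>&1 || indirect_rc=$?   # sh path: read check only
    rm -rf "$(dirname "$script")"
    printf 'direct=%s indirect=%s\n' "$direct_rc" "$indirect_rc"
}

# Read-only script: the exec path is denied (126) even for root, because the
# kernel requires an execute bit on execve(); sh can still read and run it.
echo "mode 0444: $(compare_paths 0444)"
# Executable script: both paths succeed.
echo "mode 0755: $(compare_paths 0755)"
```

The practical consequence for policy writers is the one the reply states: an execute permission on the script's file type only governs the `./myscript` path, not `sh myscript`.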

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].