On 03/10/2014 12:37 PM, Stephen Smalley wrote:
> On 03/10/2014 12:18 PM, Tai Nguyen (tainguye) wrote:
>> It seems that we have some different rule enforcement in normal mode and
>> emulator mode.
>> Assume that we don't allow shell to run a shell executable.
>
> Not sure what this means. shell domain has to be able to execute sh
> (shell_exec) obviously. Do you mean it cannot execute shell_data_file
> in your policy?
>
>> Here is our test executable
>>
>> root@android:/data/local/tmp # ls -Z
>> -rwxrwxrwx root root u:object_r:shell_data_file:s0 myscript
>> -r-xr-xr-x shell shell u:object_r:shell_data_file:s0 su
>>
>> In the normal kernel, the rule works as expected
>>
>> shell@android:/data/local/tmp $ id
>> uid=2000(shell) gid=2000(shell)
>> groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
>> context=u:r:shell:s0
>>
>> shell@android:/data/local/tmp $ ./myscript
>> /system/bin/sh: ./myscript: can't execute: Permission denied
>
> What's the actual avc denial here?
>
>> However, in emulator mode, the rule doesn't work
>>
>> root@android:/data/local/tmp # id
>> uid=0(root) gid=0(root) context=u:r:shell:s0
>>
>> root@android:/data/local/tmp # ./myscript
>> This is a test
>>
>> root@android:/data/local/tmp # ./su
>> su: applet not found // This means su is running and returns an error
>>
>> So, why does the emulator kernel (i.e., qemu) have different behavior?
>> It seems to enforce other rules, but not in this case.
>
> Is ls -Z /data/local/tmp identical for myscript and su on the emulator
> as on the device?
>
> Technically for scripts you only need read access since they are
> actually "executed" by invoking sh with the pathname of the script as an
> argument and sh only needs read access to the script file. Whether or
> not you encounter the execute check just depends on whether you invoke
> the script via exec (and it has the execute mode bit set) or whether you
> call it indirectly via sh.
>
> Also, what are the kernel versions for your "normal kernel" and your
> emulator, respectively?

Also, is your emulator in enforcing mode? getenforce shows what?
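The read-versus-execute distinction Stephen describes can be reproduced on any Linux box with plain mode bits, which is the part of the check the emulator and device share before SELinux is even consulted. The following is an added example, not code from the thread; the script path and contents are constructed stand-ins for /data/local/tmp/myscript.

```shell
#!/bin/sh
# Added example (not from the thread). A script invoked as "./myscript" goes
# through exec() and is subject to the execute check: the DAC execute bit here,
# and on an SELinux system additionally the file:execute permission on the
# script's type (shell_data_file in the thread). Invoking it as "sh myscript"
# only needs read access, because sh opens and interprets the file itself.
# The directory and script below are constructed stand-ins for the thread's
# /data/local/tmp/myscript.

WORKDIR=$(mktemp -d)
SCRIPT="$WORKDIR/myscript"
printf '#!/bin/sh\necho "This is a test"\n' > "$SCRIPT"
chmod 0444 "$SCRIPT"   # world-readable, but no execute bit at all

# Print "allowed" or "denied" for the direct path. Without any x bit, exec()
# fails with EACCES even for uid 0, which is why the "can't execute" message
# is independent of who is running the shell. On a labelled Android build a
# policy denial of this path additionally shows up in dmesg/logcat as an
# "avc: denied { execute }" line with tclass=file for the script's type.
run_direct() {
    if "$SCRIPT" >/dev/null 2>&1; then echo allowed; else echo denied; fi
}

# Print "allowed" or "denied" for the indirect path: sh reads the file as
# data, so the execute bit (and file:execute) is never consulted; only read
# access to the script is needed.
run_via_sh() {
    if sh "$SCRIPT" >/dev/null 2>&1; then echo allowed; else echo denied; fi
}

# Remove the constructed files once the comparison is done.
cleanup() {
    rm -rf "$WORKDIR"
}

echo "mode:        $(ls -l "$SCRIPT" | cut -c1-10)"
echo "direct exec: $(run_direct)"   # denied
echo "via sh:      $(run_via_sh)"   # allowed
```

The same two-way comparison is what "ls -Z" plus a direct and an indirect invocation would tell you on the emulator: if "./myscript" succeeds there with an execute bit set and the same label as on the device, the difference is in policy enforcement, not in how the script is reached.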
