This issue is actually related to a boolean. The result is different because
our booleans are not set consistently in these modes.
Thus, we actually have different policies. In the emulator mode, shell is
allowed to execute shell_data_file.
So, avoiding booleans may make troubleshooting a little bit easier.

Tai

On 3/10/14, 12:45 PM, "Stephen Smalley" <[email protected]> wrote:

>On 03/10/2014 12:37 PM, Stephen Smalley wrote:
>> On 03/10/2014 12:18 PM, Tai Nguyen (tainguye) wrote:
>>> It seems that we have some different rule enforcing in normal mode and
>>> emulator mode. 
>>> Assume that we don't allow shell to run shell executable.
>> 
>> Not sure what this means.  shell domain has to be able to execute sh
>> (shell_exec) obviously.  Do you mean it cannot execute shell_data_file
>> in your policy?
>> 
>>>
>>> Here is our test executable
>>>
>>> root@android:/data/local/tmp # ls -Z
>>>
>>> -rwxrwxrwx root     root              u:object_r:shell_data_file:s0 myscript
>>>
>>> -r-xr-xr-x shell    shell             u:object_r:shell_data_file:s0 su
>>>
>>>
>>> In normal kernel, the rule works as expected
>>>
>>> shell@android:/data/local/tmp $ id
>>>
>>> uid=2000(shell) gid=2000(shell)
>>> 
>>> groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
>>> context=u:r:shell:s0
>>>
>>> shell@android:/data/local/tmp $ ./myscript
>>>
>>> /system/bin/sh: ./myscript: can't execute: Permission denied
>> 
>> What's the actual avc denial here?
>> 
>>> However, in emulator mode, the rule doesn't work
>>>
>>> root@android:/data/local/tmp # id
>>>
>>> uid=0(root) gid=0(root) context=u:r:shell:s0
>>>
>>> root@android:/data/local/tmp # ./myscript
>>>
>>> This is a test
>>>
>>> root@android:/data/local/tmp # ./su
>>>
>>> su: applet not found  // This means su is running and returns error
>>>
>>>
>>> So, why does the emulator kernel (i.e., qemu) have different behavior ?
>>> It seems to enforce other rules, but not this case.
>> 
>> Is ls -Z /data/local/tmp identical for myscript and su on the emulator
>> as on the device?
>> 
>> Technically for scripts you only need read access since they are
>> actually "executed" by invoking sh with the pathname of the script as an
>> argument and sh only needs read access to the script file.  Whether or
>> not you encounter the execute check just depends on whether you invoke
>> the script via exec (and it has the execute mode bit set) or whether you
>> call it indirectly via sh.
>> 
>> Also, what are the kernel versions for your "normal kernel" and your
>> emulator, respectively?
>
>Also, is your emulator in enforcing mode?  getenforce shows what?
>
>
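The two mechanisms this thread turns on (a rule that is only active when a policy boolean has a given value, and the fact that launching a script through exec hits the file:execute check while feeding it to sh needs only file:read) can be modelled in a few lines. The following is an added example, not code from the thread or from AOSP's sepolicy: the rules, the boolean name `shell_exec_data_file`, and the per-invocation permission lists are constructed for illustration, and the real kernel check is more involved than this simplification.

```python
"""Toy model of boolean-gated SELinux rules and of exec-vs-interpreter
script launches. Added example; policy contents are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source: str                   # source domain, e.g. "shell"
    target: str                   # target type, e.g. "shell_data_file"
    tclass: str                   # object class, e.g. "file"
    perms: frozenset              # permissions this rule grants
    cond: Optional[str] = None    # boolean gating the rule (None = unconditional)
    cond_value: bool = True       # rule is active when the boolean has this value


@dataclass
class Policy:
    rules: list
    booleans: dict

    def active_rules(self):
        """Rules whose boolean condition (if any) is currently satisfied."""
        return [r for r in self.rules
                if r.cond is None
                or self.booleans.get(r.cond, False) == r.cond_value]

    def allowed(self, source, target, tclass, perm):
        """True if some active rule grants (source, target, tclass, perm)."""
        return any(r.source == source and r.target == target
                   and r.tclass == tclass and perm in r.perms
                   for r in self.active_rules())


# Constructed policy fragment: shell may always read shell_data_file, but
# may only execute it while the (hypothetical) boolean is true.
RULES = [
    Rule("shell", "shell_data_file", "file", frozenset({"read", "open", "getattr"})),
    Rule("shell", "shell_data_file", "file", frozenset({"execute"}),
         cond="shell_exec_data_file", cond_value=True),
]

# Same rules, different boolean settings: the inconsistency the thread
# ends up attributing the device/emulator difference to.
DEVICE = Policy(RULES, {"shell_exec_data_file": False})
EMULATOR = Policy(RULES, {"shell_exec_data_file": True})


def perms_needed(invocation):
    """Simplified permission sets on the script file. './myscript' goes
    through execve() and meets the execute check; 'sh ./myscript' only
    has sh read the file."""
    if invocation == "exec":
        return ["execute", "read", "open"]
    if invocation == "interpreter":
        return ["read", "open"]
    raise ValueError(f"unknown invocation {invocation!r}")


def first_denied(policy, invocation, source="shell", target="shell_data_file"):
    """Return the first permission the launch would be denied on, or None
    if every needed permission is granted."""
    for perm in perms_needed(invocation):
        if not policy.allowed(source, target, "file", perm):
            return perm
    return None


def booleans_differ(a, b):
    """Troubleshooting aid: names of booleans set differently in a and b."""
    names = set(a.booleans) | set(b.booleans)
    return sorted(n for n in names if a.booleans.get(n) != b.booleans.get(n))


if __name__ == "__main__":
    for name, pol in (("device", DEVICE), ("emulator", EMULATOR)):
        for inv in ("exec", "interpreter"):
            d = first_denied(pol, inv)
            verdict = "allowed" if d is None else f"denied on {d}"
            print(f"{name:9} {inv:12} -> {verdict}")
    print("booleans differing:", booleans_differ(DEVICE, EMULATOR))
```

Run directly, the script reproduces the thread's observation: the exec launch is denied on `execute` with the device settings and allowed with the emulator settings, while the interpreter launch passes on both because it never needs `execute`. `booleans_differ` is the kind of check worth running first when two builds of the same policy disagree, before suspecting the kernel.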


_______________________________________________
Seandroid-list mailing list
[email protected]