On 04/13/2014 01:19 AM, Jaejyn Shin wrote:
> Dear SEAndroid developer
> 
> I found the below denial logs in my device
> 
> 01-01 01:41:08.270 E/auditd  ( 2997): auditd: type=1400 msg=audit(1388540468.270:6): avc: denied { getopt } for pid=3489 comm="zygote" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket
> 01-01 01:41:16.490 E/auditd  ( 2997): auditd: type=1400 msg=audit(1388540476.490:8): avc: denied { getattr } for pid=4519 comm="zygote" path="socket:[10409]" dev="sockfs" ino=10409 scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0
> 
> These logs are shown many times from lots of different applications.
> 
> During analyzing this denial, I found an AOSP commit:
> 
> https://android-review.googlesource.com/#/c/81300/
> 
> # Needed to close the zygote socket, which involves getopt / getattr
> # This should be deleted after b/12061011 is fixed
> allow appdomain zygote:unix_stream_socket { getopt getattr };
> 
> According to the comment of the commit, I understood that the allow
> rule was removed after modifying zygote source (b/12061011 is fixed).
> 
> I also don't want to write the allow rule, but I want to modify my zygote
> source.

Why not just revert the policy change (i.e. restore the allow rule)?
If you are building something based on 4.4.x rather than master, then
that seems the less risky path particularly given that this set of
changes spanned multiple projects and may have subtle dependencies on
other changes in master.  Allowing the app domains to getopt and getattr
local sockets inherited from zygote doesn't seem like a major concern...

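As an added illustration (not part of the original thread), the snippet below parses the two avc denial lines quoted above and merges them into the single allow rule that audit2allow would produce, so the resulting rule can be compared against the one the AOSP commit removed. The second quoted line was truncated before its tclass field in the mail; the sample here supplies tclass=unix_stream_socket, taken from the commit's rule.

```python
import re
from collections import defaultdict

# Constructed copies of the two denials quoted in the post, with the
# logcat/auditd prefix removed. The second line's tclass was truncated in
# the mail and is filled in from the commit's allow rule.
SAMPLE_DENIALS = [
    'type=1400 msg=audit(1388540468.270:6): avc: denied { getopt } for pid=3489 '
    'comm="zygote" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0 '
    'tcontext=u:r:zygote:s0 tclass=unix_stream_socket',
    'type=1400 msg=audit(1388540476.490:8): avc: denied { getattr } for pid=4519 '
    'comm="zygote" path="socket:[10409]" dev="sockfs" ino=10409 '
    'scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=unix_stream_socket',
]

# Pull the permission set, both security contexts and the object class out
# of a kernel avc denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_denial(line):
    """Return (source type, target type, class, permissions) or None if the
    line is not a complete avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context such as u:r:untrusted_app:s0 is user:role:type:level;
    # policy rules are written against the type field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def denials_to_rules(lines):
    """Merge denials sharing (source, target, class) into one allow rule
    each, in the same form audit2allow emits."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    return [
        f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
        for (s, t, c), p in sorted(merged.items())
    ]

if __name__ == '__main__':
    for rule in denials_to_rules(SAMPLE_DENIALS):
        print(rule)
```

The generated rule names untrusted_app specifically, whereas the removed AOSP rule used the broader appdomain attribute; either way the permissions granted are only getopt and getattr on the inherited socket.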
_______________________________________________
Seandroid-list mailing list