This seems similar to: http://marc.info/?t=134283202200001&r=1&w=2
I'm not clear on how that was ultimately resolved.

On 07/17/2014 05:20 PM, Stephen Smalley wrote:
> It appeared to me that we are not getting uevent notifications on these
> file creations (created on the fly when you set the governor, e.g. echo
> interactive > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor and
> then ls -Z /sys/devices/system/cpu/cpufreq/interactive). So I didn't
> see a good way to handle it from ueventd.
>
> On the kernel side, we could perhaps inherit the label from the parent
> directory on these dynamic sysfs file creations so that we are at least
> in the same type as the parent, but that will require a kernel change.
>
> Since it is the init.hammerhead.rc file that initially sets the governor
> and therefore "creates" the file (even though it is created by writing
> the name to a different file), there is at least some logic to perform a
> restorecon_recursive at the same place (could move it up right after
> setting the governor).
>
> Open to alternative suggestions but I couldn't see anything better...
>
> On 07/17/2014 04:02 PM, Nick Kralevich wrote:
>> At first glance, these patches just seem like a bandaid on the problem.
>> I want to dig into this problem more to see if there's a better solution...
>>
>> -- Nick
>>
>> On Thu, Jul 17, 2014 at 12:15 PM, Stephen Smalley <[email protected]> wrote:
>>> I don't know if this is the best solution, but it seems to solve the
>>> similar problem for /sys/devices/system/cpu/cpufreq/ondemand on
>>> hammerhead:
>>> https://android-review.googlesource.com/#/c/101800/
>>> https://android-review.googlesource.com/#/c/101741/
>>>
>>> On 07/17/2014 10:04 AM, Stephen Smalley wrote:
>>>> Hmm...don't know if this is related, but even on current AOSP master, if
>>>> I adb shell su 0 restorecon -Rv /sys it finds some wrongly labeled
>>>> entries under /sys/devices/system/cpu/cpufreq:
>>>>
>>>> SELinux: Relabeling /sys/devices/system/cpu/cpufreq/ondemand from
>>>> u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>>>>
>>>> SELinux: Relabeling /sys/devices/system/cpu/cpufreq/ondemand/powersave_bias from
>>>> u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>>>>
>>>> SELinux: Relabeling /sys/devices/system/cpu/cpufreq/ondemand/sampling_rate from
>>>> u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>>>>
>>>> SELinux: Relabeling /sys/devices/system/cpu/cpufreq/ondemand/io_is_busy
>>>> from u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>>>> ...
>>>>
>>>> On 07/17/2014 09:33 AM, Nick Kralevich wrote:
>>>>> If the files in /sys/devices/system/cpu/interactive are created
>>>>> post-boot, then the boot time labeling support isn't sufficient to label
>>>>> these files. Applying the following patches *may* help:
>>>>>
>>>>> * https://android-review.googlesource.com/92902
>>>>> * https://android-review.googlesource.com/100249
>>>>>
>>>>> The second patch, in particular, waits for any uevent messages and
>>>>> properly updates the labels on dynamically created /sys files.
>>>>>
>>>>> -- Nick
>>>>>
>>>>> On Thu, Jul 17, 2014 at 5:53 AM, Pankaj Kushwaha <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have written a new daemon which interacts with files present in the
>>>>>> '/sys/devices/system/cpu/cpufreq/interactive/' folder.
>>>>>> I was trying to provide a new label to this folder, but I was unable
>>>>>> to do so.
>>>>>>
>>>>>> I tried adding a new label in the same way as it was done for
>>>>>> '/sys/devices/system/cpu/cpufreq/' but I wasn't able to relabel the
>>>>>> 'interactive' folder.
>>>>>> I noticed that this folder is created when the device is booted, while
>>>>>> other folders prior to this are built when the boot process starts.
>>>>>>
>>>>>> I also tried to change the label from genfs_context but again failed.
>>>>>>
>>>>>> I also thought of making this folder from init.rc but still it was
>>>>>> not relabeled.
>>>>>>
>>>>>> Also, as per the file_context rules (/sys/devices/system/cpu(/.*)?
>>>>>> u:object_r:sysfs_devices_system_cpu:s0), the interactive folder should
>>>>>> have the 'sysfs_devices_system_cpu' label, but actually it has the 'sysfs'
>>>>>> label.
>>>>>>
>>>>>> Is there any specific reason that we are not allowed to change the label
>>>>>> of this folder?
>>>>>>
>>>>>> I added the following lines in file.te and file_context -
>>>>>> file_context :
>>>>>> /sys/devices/system/cpu/cpufreq/interactive(/.*)?
>>>>>> u:object_r:sysfs_interactive:s0
>>>>>> file.te :
>>>>>> type sysfs_interactive, fs_type, sysfs_type, mlstrustedobject;
>>>>>>
>>>>>> Thanks
>>>>>> Pankaj Kushwaha
>>>>>>
>>>>>> _______________________________________________
>>>>>> Seandroid-list mailing list
>>>>>> [email protected]
>>>>>> To unsubscribe, send email to [email protected].
>>>>>> To get help, send an email containing "help" to [email protected].
>>>>>
>>>>> --
>>>>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
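The ordering problem discussed in the thread (a governor's tunables directory is created by a write to scaling_governor, after init's boot-time restorecon_recursive has already run, so it keeps the kernel's default sysfs label even though file_contexts matches it) can be modelled in a few lines. The following is an added example, not code from the thread, from AOSP or from libselinux: it emulates the file_contexts lookup as libselinux performs it (anchored regex, last matching entry wins, which is why Android sorts file_contexts from least to most specific), models a toy sysfs in which every new inode gets the genfs default label without inheriting from its parent, and runs both orderings of the init.rc actions, including Stephen's suggestion of a restorecon_recursive right after the governor is set. The interactive tunable names and the two file_contexts entries are constructed sample data.

```python
"""Model of why a governor's sysfs tunables end up labeled u:object_r:sysfs:s0.

Added example, not code from the thread, AOSP or libselinux.  Assumptions:
  * file_contexts lookup is emulated as libselinux does it: each regex is
    anchored and the LAST matching entry wins (Android sorts the file from
    least to most specific with fc_sort so that this picks the best match);
  * every newly created sysfs inode gets the genfs_contexts default
    (u:object_r:sysfs:s0) and does not inherit its parent's label;
  * the interactive governor tunable names are constructed sample data.
"""
import re

# Two entries in file_contexts order (least specific first); constructed.
FILE_CONTEXTS = [
    (r"/sys(/.*)?", "u:object_r:sysfs:s0"),
    (r"/sys/devices/system/cpu(/.*)?", "u:object_r:sysfs_devices_system_cpu:s0"),
]
SPECS = [(re.compile(regex), ctx) for regex, ctx in FILE_CONTEXTS]

# What the kernel assigns from genfs_contexts ("genfscon sysfs / u:object_r:sysfs:s0").
GENFS_DEFAULT = "u:object_r:sysfs:s0"


def file_contexts_lookup(path):
    """Return the context file_contexts prescribes for path, or None if no entry matches."""
    for regex, ctx in reversed(SPECS):          # last matching entry wins
        if regex.fullmatch(path):
            return ctx
    return None


class SysfsModel:
    """A toy sysfs: a dict of path -> current security context."""

    def __init__(self):
        self.labels = {}

    def create(self, path):
        # Kernel side: no inheritance from the parent, just the genfs default.
        self.labels[path] = GENFS_DEFAULT

    def restorecon_recursive(self, prefix):
        """Apply file_contexts under prefix; return (path, old, new) for each change."""
        changed = []
        for path in sorted(self.labels):
            if path == prefix or path.startswith(prefix + "/"):
                want = file_contexts_lookup(path)
                if want is not None and want != self.labels[path]:
                    changed.append((path, self.labels[path], want))
                    self.labels[path] = want
        return changed

    def set_governor(self, governor):
        """'echo <governor> > .../cpu0/cpufreq/scaling_governor': the governor
        registers its tunables directory on the fly when first selected."""
        base = "/sys/devices/system/cpu/cpufreq/" + governor
        self.create(base)
        for tunable in ("go_hispeed_load", "hispeed_freq", "timer_rate"):  # constructed
            self.create(base + "/" + tunable)
        return base


# Entries that exist before init runs any action (constructed subset).
BOOT_TIME_ENTRIES = (
    "/sys", "/sys/devices", "/sys/devices/system", "/sys/devices/system/cpu",
    "/sys/devices/system/cpu/cpu0", "/sys/devices/system/cpu/cpu0/cpufreq",
    "/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor",
    "/sys/devices/system/cpu/cpufreq",
)


def boot(init_rc_order):
    """Run an init.rc-like sequence of actions and return the resulting model."""
    fs = SysfsModel()
    for path in BOOT_TIME_ENTRIES:
        fs.create(path)
    for action in init_rc_order:
        if action == "restorecon_recursive /sys":
            fs.restorecon_recursive("/sys")
        elif action == "write scaling_governor interactive":
            fs.set_governor("interactive")
        else:
            raise ValueError("unknown action: " + action)
    return fs


def mislabeled(fs):
    """Paths whose on-device label differs from what file_contexts prescribes."""
    return sorted(p for p, have in fs.labels.items()
                  if file_contexts_lookup(p) not in (None, have))


if __name__ == "__main__":
    # Boot-time labeling first, governor written later: the situation in the thread.
    broken = boot(["restorecon_recursive /sys", "write scaling_governor interactive"])
    for path in mislabeled(broken):
        print("still %s: %s" % (broken.labels[path], path))
    # A restorecon_recursive right after setting the governor repairs the labels.
    fixed = boot(["restorecon_recursive /sys", "write scaling_governor interactive",
                  "restorecon_recursive /sys"])
    print("mislabeled after second restorecon_recursive:", mislabeled(fixed))
```

Run it as a script to see the four interactive entries that keep u:object_r:sysfs:s0 in the first ordering and the empty list in the second. The model deliberately ignores uevents, matching Stephen's observation that none are delivered for these creations; a kernel that inherited the parent's label on creation would be modelled by changing `create` to copy the parent's entry, which would make the tunables sysfs_devices_system_cpu without any second restorecon.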
