The sh_domain is the one who does the real work since we want to provide the same service via ssh as well. The app is just the UI interface for the service. Thus, the app uses the sh_domain for actual work.
In this case, the sh_domain will have more privilege than the app. So, how do we work around this issue? Tai On 10/28/14, 9:49 AM, "Stephen Smalley" <[email protected]> wrote: >On 10/28/2014 09:38 AM, Tai Nguyen (tainguye) wrote: >> Our app runs and system command line so we have a domain transition >>rule for the command line. >> domain_auto_trans(my_app, my_sh_exec, my_sh_domain) >> >> The rule works as expected in JB, however, it doesn¹t work in KK. The >>shell program runs as my_app domain. >> Does KK block certain type of domain transition? > >Likely the same issue as in: >http://marc.info/?l=seandroid-list&m=141412798527687&w=2 > >Domain transitions on exec are suppressed by NO_NEW_PRIVS. > >What's the benefit of transitioning domains here? What do you allow to >my_sh_domain that you do not want to allow to my_app or vice versa? > _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
