Stephen said it best in http://www.spinics.net/lists/selinux/msg01471.html. Quoting him:

*setcon() presently fails with EPERM if a multi-threaded application tries
to invoke it.*

*You can't prevent a thread within a process (thread group) from accessing
any of the memory - they share the same memory space.  Thus, you can't
safely run one thread in one security context and another thread in another
security context.*


Trying to isolate system_server threads using this mechanism is bound to
fail. Even if setcon() worked on threads, many services use execute queues
to do their operations, which would make it difficult to identify which
thread is responsible for which activity.

It would be nice to have a better solution but I'm not sure what it is.

One thing I'd love to see is for setcon() to work on a thread-group basis.
For example, imagine a "setcon_all()" function which set *every* thread to
the provided security context atomically. This avoids the security concerns
raised by Stephen.

This, in conjunction with typebounds, could allow an application to start
in a more privileged state, drop privileges using "setcon_all()", and
continue executing with reduced privileges, regardless of the number of
threads running at the time.

-- Nick

On Mon, Dec 1, 2014 at 3:31 PM, William Roberts <[email protected]> wrote:

>
> So I see that SELinux has typebounds, which can be used to enforce that
> some new domain has fewer privileges than its parent, thus building some type
> of hierarchy. It also says if you have some kernel version greater than 2.6.39
> you can control thread contexts (http://selinuxproject.org/page/TypeRules).
> However, setcon also allows the changing of thread contexts.
>
> Also, setcon states that:
>
> A multi-threaded application can perform a setcon() prior to creating
> any child threads, in which case all of the child threads will inherit
> the new context. However, setcon() will fail if there are any other
> threads running in the same process.
>
> So is there some use of these types of technologies to control threads in
> system server to help overcome its limitation of one gigantic process?
>
> If no one can comment on this, can someone perhaps clarify the use of
> setcon in a multi-threaded environment? Can you use it to get the main
> thread and child threads in all different domains?
>
> Bill
>
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
>
-- 
Nick Kralevich | Android Security | [email protected] | 650.214.4037
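An added example, not code from this thread or from libselinux, of the single-threaded precondition the quoted man page text describes: it counts tasks in the thread group before attempting the context change, so a caller learns why the transition cannot happen instead of seeing a bare EPERM. It assumes Linux procfs; writing /proc/self/attr/current is the interface libselinux's setcon() wraps, and the context string and function names are made up for illustration.

```python
import errno
import os
import threading

# The procfs attribute libselinux's setcon() writes the new context to (assumption: Linux).
ATTR_CURRENT = "/proc/self/attr/current"


def count_threads():
    """Number of tasks in this thread group, read from /proc/self/task."""
    return len(os.listdir("/proc/self/task"))


def is_single_threaded():
    return count_threads() == 1


def drop_to_context(context, attr_path=ATTR_CURRENT):
    """Attempt a process-wide context change the way setcon() would.

    Returns (status, detail) instead of raising so the caller can log and
    abort. The kernel already refuses the write with EPERM when other
    threads exist (the point Stephen makes above); checking first gives a
    clear reason and avoids code that believes it dropped privileges but
    is still running in the original domain.
    """
    n = count_threads()
    if n != 1:
        return ("refused", f"{n} tasks in thread group; setcon() would fail with EPERM")
    try:
        with open(attr_path, "w") as f:
            f.write(context)
    except OSError as e:
        if e.errno == errno.EPERM:
            return ("denied", "kernel refused the transition")
        return ("unavailable", f"{attr_path}: {os.strerror(e.errno)}")
    return ("ok", context)


def parked_thread_check(context="u:r:example_reduced:s0"):
    """Demonstrate the refusal: park one extra thread, try the drop, then release it.

    Returns (tasks_before, tasks_while_parked, status). The context value is a
    constructed placeholder, not a real policy domain.
    """
    before = count_threads()
    gate = threading.Event()
    t = threading.Thread(target=gate.wait)
    t.start()                      # start() returns only once the thread exists
    during = count_threads()
    status, _ = drop_to_context(context)
    gate.set()
    t.join()
    return (before, during, status)
```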