I'm trying to figure out how to label a file in /proc/PID with a different
SELinux label. In particular, I'm trying to apply an SELinux label to the
file /proc/PID/oom_score_adj.

I thought this would be easy to do by adding the following line to
genfs_contexts:

genfscon proc /oom_score_adj u:object_r:MY_NEW_LABEL:s0

but this doesn't seem to be working. /proc/PID/oom_score_adj continues to
be labeled with the process' label.

shell@flounder:/ $ ls -laZ /proc/self/oom_score_adj
-rw-r--r-- shell    shell             u:r:shell:s0 oom_score_adj

My understanding was that, for /proc, the numeric portion of the path was
ignored, and genfscon paths could be relative to the top of the /proc/PID
directory. Quoting linux/security/selinux/hooks.c

   else {
           /* each process gets a /proc/PID/ entry. Strip off the
            * PID part to get a valid selinux labeling.
            * e.g. /proc/1/net/rpc/nfs -> /net/rpc/nfs */
           while (path[1] >= '0' && path[1] <= '9') {
                   path[1] = '/';
                   path++;
           }
           rc = security_genfs_sid("proc", path, tclass, sid);
   }
   free_page((unsigned long)buffer);

This logic seems to work for /proc/PID/net, since the files in that
directory (but not the directory itself) are labeled with
u:object_r:proc_net:s0. And it seems to work for subdirectories of
/proc/PID/net; in particular /proc/PID/net/xt_qtaguid/ctrl in Android is
labeled as u:object_r:qtaguid_proc:s0. However, it doesn't seem to work
for files in /proc/PID itself.

I've briefly looked through the SELinux code which handles /proc/PID
labeling, but it's unclear to me how this code actually works, and how the
/proc/PID labels are even created in the first place. The first genfscon
proc rule is:

  genfscon proc / u:object_r:proc:s0

which, if the comment in the code is to be believed, should make all
/proc/PID files labeled with "u:object_r:proc:s0". That's obviously not the
case...

So, my questions are:

1) How do I get a custom label on a file in /proc/PID?

2) How do the genfscon statements in the policy interact with /proc/PID
labeling? Are genfscon statements even consulted at all? And if not, how
does /proc/PID/net labeling work?

Thanks,
-- Nick

-- 
Nick Kralevich | Android Security | [email protected] | 650.214.4037
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to 
[email protected].
