On 03/30/2015 03:42 AM, Jaejyn Shin wrote:
> Dear SEAndroid developer
> 
> I am always thankful for your kind help.
> 
> At this time, I have a question about setexeccon.
> 
> I have a process that the init process forks.
> 
> init -> child_process 
> 
> The code that starts the process is in the init.c file.
> 
> ----------------------------------------------------------------
> #define FILE_PATH "/cache/aaa/aaa"
> 
> chmod(FILE_PATH, 0700);
> execv(FILE_PATH, args);
> ----------------------------------------------------------------
> 
> I wanted to set the domain of the process to the xxx domain, so I inserted
> a setexeccon call in front of the execv call, as below.
> 
> ----------------------------------------------------------------
> #define FILE_PATH "/cache/aaa/aaa"
> 
> chmod(FILE_PATH, 0700);
> if (is_selinux_enabled() > 0 && setexeccon("u:r:xxx:s0") < 0) {
>     LOG_PRINT("cannot setexeccon('%s'): %s\n", "u:r:xxx:s0", strerror(errno));
> }
> execv(FILE_PATH, args);
> ----------------------------------------------------------------
> 
> However the process was still in the init domain.
> 
> Is there something more needed for the setexeccon function to work?
> 
> (My SEAndroid is always running in permissive mode.)

There is a neverallow rule in policy that should prevent you from
allowing execution of files from /cache, so this is not permissible
regardless.  You do not want to run any executable from outside the
rootfs or /system with privilege.

Further, as /cache is mounted nosuid, SELinux domain transitions on exec
are disabled.  Long ago we decided to treat the nosuid flag as a
no-context-transition bit as well, since it implies that the filesystem is
untrusted for any kind of privilege change via an executable.  You would
need to instead setcon() to the new context before executing the program
to make this work, but as I noted above, this will not be allowed once
you switch to enforcing, and you cannot allow it in policy without
violating a neverallow (and thus CTS).

_______________________________________________
Seandroid-list mailing list
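The reply above makes two points that are easy to check from native code before relying on setexeccon(): an exec-time domain transition is ignored when the executable's filesystem is mounted nosuid (statvfs() exposes that mount option as ST_NOSUID), and Android's neverallow rules leave no room for running executables from a writable partition such as /cache with privilege. The program below is an added example written for this page; it is not code from the thread, from Android init, or from libselinux, and it deliberately links against nothing but libc so it can run on any Linux host. The path-prefix list in exec_path_is_trusted() is an assumed simplification of the neverallow, which real policy expresses with file types rather than paths.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>

/* Exec-time domain transitions (setexeccon() or a type_transition rule) are
 * ignored for executables on a filesystem mounted nosuid.  ST_NOSUID is the
 * statvfs() view of the nosuid mount option. */
int mount_blocks_exec_transition(unsigned long f_flag)
{
    return (f_flag & ST_NOSUID) != 0;
}

/* Same check for the mount that holds 'path'.  Returns 1 if an exec-time
 * transition would be blocked, 0 if it can take effect, -1 if statvfs()
 * failed (errno is set). */
int path_blocks_exec_transition(const char *path)
{
    struct statvfs st;

    if (statvfs(path, &st) != 0)
        return -1;
    return mount_blocks_exec_transition(st.f_flag);
}

/* Name of the libselinux call that could actually change the domain of a
 * program exec'd from a mount with these flags: setexeccon() only works
 * where exec transitions are honoured; on a nosuid mount the caller would
 * have to setcon() before execv().  This picks the mechanism only; policy
 * must still permit the transition. */
const char *transition_method(unsigned long f_flag)
{
    return mount_blocks_exec_transition(f_flag) ? "setcon" : "setexeccon";
}

/* Assumed, simplified stand-in for the neverallow discussed in the reply:
 * executables are trusted only on the rootfs or /system.  The prefix list
 * is illustrative; real policy labels files by type, not by path. */
int exec_path_is_trusted(const char *path)
{
    static const char *const writable[] = { "/cache/", "/data/", "/mnt/", "/sdcard/" };
    size_t i;

    if (path == NULL || path[0] != '/')
        return 0;               /* relative or empty path: refuse */
    for (i = 0; i < sizeof writable / sizeof writable[0]; i++)
        if (strncmp(path, writable[i], strlen(writable[i])) == 0)
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    const char *path;
    int blocked;

    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/executable\n", argv[0]);
        return 2;
    }
    path = argv[1];
    blocked = path_blocks_exec_transition(path);
    if (blocked < 0) {
        printf("%s: statvfs failed: %s\n", path, strerror(errno));
        return 1;
    }
    printf("%s: trusted location=%s, mount nosuid=%s -> %s() would be needed before execv()\n",
           path, exec_path_is_trusted(path) ? "yes" : "no",
           blocked ? "yes" : "no", blocked ? "setcon" : "setexeccon");
    return 0;
}
```

Run it as `./check /cache/aaa/aaa` on a device: a nosuid /cache reports that only setcon() could change the domain, and the untrusted-location verdict is the reminder that enforcing-mode policy (and CTS) will refuse that anyway.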