On 04/24/2015 12:53 PM, Tai Nguyen (tainguye) wrote:
> We can’t figure out what’s wrong in the below case. Hopefully, the
> community can shed some light into it.
>
> We have a suid process, setmask. This process is launched by a service
> shell, debugsh. A user can get a debugsh via ssh or launch debugsh
> directly from adb shell.
> Setmask has its own domain and it is transitioned from debugsh domain.
> When debugsh is launched from adb shell, it also changes to debugsh.
> So, regardless of how debugsh is launched via ssh or adb shell, it runs in
> debugsh domain.
>
> The issue is that setmask runs successfully via ssh and debugsh
> interface, and setmask fails via adb shell.
>
> 1. ssh —> debugsh —> setmask : Success
> 2. Adb —> debugsh —> setmask: Failure
>
> Since setmask is a suid program so it runs as root and it has
> dac_override privilege, it works as expected in case 1.
> Since both debugsh and setmask run in the same SELinux domain in both
> cases, we can’t figure out why it fails in case 2.
>
> I recall a discussion about restricting privilege escalation in
> app_domain. Since adb shell is app_domain, I wonder if that is the
> reason setmask fails in case 2.

adbd drops all capabilities from the bounding set except for the few needed for run-as. I think that this has been true since Android 4.3.

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
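
The effect described in the reply can be checked from the capability lines of /proc/<pid>/status for the debugsh process in each case. The following is an added example, not code from the thread or from AOSP: both status excerpts are constructed, the adb mask (only CAP_SETUID and CAP_SETGID left in the bounding set) is an assumed value, and the exec rule is the one given in capabilities(7) with the ambient set left out.

```python
"""Added example: which capabilities does a setuid-root exec end up with?"""
import re

# Capability bit numbers from <linux/capability.h> (subset used here).
CAPS = {"CAP_DAC_OVERRIDE": 1, "CAP_SETGID": 6, "CAP_SETUID": 7}

# Constructed /proc/<pid>/status excerpts for debugsh (not real captures).
SSH_STATUS = """Name:\tdebugsh
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000001fffffffff
"""
# Assumed value: bounding set reduced to CAP_SETGID | CAP_SETUID (0xc0).
ADB_STATUS = """Name:\tdebugsh
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000000000c0
"""

def read_mask(status_text, field):
    """Return the hex capability mask of one Cap* line as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)

def permitted_after_suid_root_exec(status_text):
    """capabilities(7): P'(permitted) = (P(inh) & F(inh)) | (F(perm) & P(bnd)).
    For a set-user-ID-root file both file sets are treated as all ones, so
    the bounding set inherited from the parent caps what root receives."""
    f_all = (1 << 64) - 1
    inh = read_mask(status_text, "CapInh")
    bnd = read_mask(status_text, "CapBnd")
    return (inh & f_all) | (f_all & bnd)

def has_cap(mask, name):
    """True if the named capability bit is set in mask."""
    return bool((mask >> CAPS[name]) & 1)

if __name__ == "__main__":
    for label, status in (("ssh", SSH_STATUS), ("adb", ADB_STATUS)):
        prm = permitted_after_suid_root_exec(status)
        print(f"{label}: permitted={prm:016x} "
              f"CAP_DAC_OVERRIDE={has_cap(prm, 'CAP_DAC_OVERRIDE')}")
```

On a device, comparing the CapBnd line of the two debugsh processes shows the difference directly; the SELinux domain is the same in both cases, so no AVC denial is expected for the missing capability.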
