On 07/28/2015 09:59 PM, 심현용 wrote:
> Dear SEAndroid-developers,
>
> I heard that from Android M onward, MLS is applied.
> While developing my model, I hit this denial log.
>
> avc: denied { ioctl } for pid=9055 comm="Binder_2" path="socket:[53263]"
> dev="sockfs" ino=53263 ioctlcmd=8927
> scontext=u:r:untrusted_app:s0:c512,c768
> tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=1
>
> I think this untrusted_app is the GMS app, because I can see this issue on
> the Google Account display.
>
> When I checked my policy, this rule was already included in my source:
>
> allow untrusted_app self:udp_socket ioctl;
>
> I think it may be an MLS problem.
> I can fix it with the method below, but it seems to be the wrong method.
> (If I apply it, MLS is not needed anymore.)
>
> typeattribute untrusted_app mlstrustedsubject;
>
> Please help me with this issue.
It can't be an MLS problem because the scontext= and tcontext= have
exactly the same levels (s0:c512,c768). An MLS-caused denial can only
occur if they differ. Also, you should never make untrusted_app an
mlstrustedsubject (that should in fact trigger a neverallow) as that
would defeat the purpose of the MLS restrictions (which are to reinforce
multi-user separation, see [1]), nor should you ever make app_data_file
a mlstrustedobject, for the same reason. As noted by Jeff, this denial
is due to the new support for ioctl command whitelisting in M and the
fact that the base policy allows specific ioctl commands for
untrusted_app self:udp_socket. I don't have source for M, but dumping
the M preview binary policy using dispol from AOSP master, I see rules
like this:
allow untrusted_app untrusted_app : udp_socket { 0x5411 0x5451 };
allow untrusted_app untrusted_app : udp_socket { 0x8900-0x8926 0x8928-0x89ff };
allow untrusted_app untrusted_app : udp_socket { 0x8b00-0x8b09 0x8b1c-0x8bff };
You should find similar rules in source if you have M source, although
they may look different (e.g. might be written as a single rule, using
macros, or choosing to enumerate the individual ioctl values).
Jeff said you can ignore this one, but if you had to allow one like it,
you could write an allow rule along the lines of:
allow untrusted_app self:udp_socket 0x8927;
[1] https://android-review.googlesource.com/#/c/107443/
_______________________________________________
Seandroid-list mailing list
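The two checks made in the reply (are the MLS levels of scontext and tcontext different, and does the ioctl-command whitelist in the binary policy cover the logged ioctlcmd), as an added worked example in Python; this is not code from the thread, from AOSP, or from the SELinux tooling. It assumes the denial line and the dispol-style rules exactly as quoted above (both embedded as constructed sample input), and it renders the suggested fix in the source-policy `allowxperm` form, which is the source keyword for ioctl command whitelisting; the field and rule regexes are this example's own and only handle the formats shown here.

```python
import re

# Constructed sample input, copied from the denial in the thread. The kernel
# logs ioctlcmd as a bare hexadecimal number with no 0x prefix.
DENIAL = (
    'avc: denied { ioctl } for pid=9055 comm="Binder_2" path="socket:[53263]" '
    'dev="sockfs" ino=53263 ioctlcmd=8927 '
    'scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:r:untrusted_app:s0:c512,c768 tclass=udp_socket permissive=1'
)

# Constructed sample input: the dispol-style extended-permission rules quoted
# in the reply, one rule per line (hex values, ranges written lo-hi).
DISPOL_RULES = """
allow untrusted_app untrusted_app : udp_socket { 0x5411 0x5451 };
allow untrusted_app untrusted_app : udp_socket { 0x8900-0x8926 0x8928-0x89ff };
allow untrusted_app untrusted_app : udp_socket { 0x8b00-0x8b09 0x8b1c-0x8bff };
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_CTX = re.compile(r'^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>.+)$')
_RULE = re.compile(r'allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;')


def parse_denial(line):
    """Split an avc line into key=value fields; decode ioctlcmd and both contexts."""
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    fields["ioctlcmd"] = int(fields["ioctlcmd"], 16)
    for key in ("scontext", "tcontext"):
        fields[key] = _CTX.match(fields[key]).groupdict()
    return fields


def is_mls_candidate(denial):
    """An MLS constraint can only deny when the two levels differ."""
    return denial["scontext"]["level"] != denial["tcontext"]["level"]


def parse_xperm_rules(text):
    """Return [(src, tgt, class, [(lo, hi), ...]), ...] from dispol-style output."""
    rules = []
    for src, tgt, cls, body in _RULE.findall(text):
        ranges = []
        for tok in body.split():
            lo, _, hi = tok.partition("-")
            lo = int(lo, 16)
            hi = int(hi, 16) if hi else lo   # a single value is a 1-element range
            ranges.append((lo, hi))
        rules.append((src, tgt, cls, ranges))
    return rules


def ioctl_allowed(rules, denial):
    """True if some rule for this source/target/class covers the logged command."""
    src = denial["scontext"]["type"]
    tgt = denial["tcontext"]["type"]
    cls = denial["tclass"]
    cmd = denial["ioctlcmd"]
    return any(
        r_src == src and r_tgt == tgt and r_cls == cls
        and any(lo <= cmd <= hi for lo, hi in ranges)
        for r_src, r_tgt, r_cls, ranges in rules
    )


def suggest_rule(denial):
    """Render the narrowest source-policy rule that would permit this one command.

    allowxperm is the source-policy keyword for ioctl command whitelisting;
    'self' is used when source and target types are the same (assumption for
    the rendering only)."""
    src = denial["scontext"]["type"]
    tgt = denial["tcontext"]["type"]
    target = "self" if src == tgt else tgt
    return "allowxperm %s %s:%s ioctl { 0x%04x };" % (
        src, target, denial["tclass"], denial["ioctlcmd"])


if __name__ == "__main__":
    d = parse_denial(DENIAL)
    rules = parse_xperm_rules(DISPOL_RULES)
    print("MLS candidate:", is_mls_candidate(d))          # False: same levels
    print("covered by whitelist:", ioctl_allowed(rules, d))  # False: 0x8927 is the gap
    print(suggest_rule(d))
```

Run against the quoted denial this reports that the levels match (so MLS is ruled out, as the reply says) and that 0x8927 falls in the one-value hole between 0x8926 and 0x8928. On Linux 0x8927 is SIOCGIFHWADDR, the interface MAC-address query, which is why that hole exists in the untrusted_app whitelist and why Jeff said the denial can be ignored; the rendered `allowxperm` line is what you would add only if you genuinely had to permit it.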