I first moved the app to sdcard. Then did the upgrade and then tried to run from sdcard.
Thanks.

-----Original Message-----
From: Stephen Smalley [[email protected]]
Received: Wednesday, 02 Dec 2015, 9:52PM
To: Inamdar Sharif [[email protected]]; [email protected] [[email protected]]
CC: Nick Kralevich [[email protected]]
Subject: Re: MLS constraints blocking untrusted app to access app_data_file

On 12/02/2015 11:01 AM, Inamdar Sharif wrote:
> Yes the app is trying to access its own app data directory.
>
> What more information do you need so that I can gather that??
> Also how to get more info??
>
> What I think is that when we do the upgrade it does not label the app
> directory again, which leads to the denial.

So, you moved the app data directory to SD before upgrading to M? Or
afterward? If afterward, did it have the correct label prior to moving it?
What's the path prefix of the app data directory?

>
> Thanks.
>
> -----Original Message-----
> From: Stephen Smalley [mailto:[email protected]]
> Sent: Wednesday, December 02, 2015 8:42 PM
> To: Inamdar Sharif; [email protected]
> Cc: Nick Kralevich
> Subject: Re: MLS constraints blocking untrusted app to access app_data_file
>
> On 12/02/2015 09:35 AM, Inamdar Sharif wrote:
>> Steps are:
>>
>> 1) Install the app on the device.
>> 2) Move the app to the sdcard.
>> 3) Try to run the app from the sdcard. ----> Failed.
>>
>> This happens after upgrading to Android M.
>
> I don't think I can test that, as the only devices I have that run M are
> Nexus and have no real SDcard support.
>
> The question remains as to why the app data directory is not being labeled
> with the appropriate categories. That's the bug - the data directory needs to
> be labeled consistently with the app. I assume btw that this is the app
> trying to access its own app data directory; I can't tell that from only the
> information you provided since you omitted any identifying information from
> the denial (and fully determining it might require syscall audit or other
> logging).
>
>>
>> Thanks.
>>
>> -----Original Message-----
>> From: Stephen Smalley [mailto:[email protected]]
>> Sent: Wednesday, December 02, 2015 7:51 PM
>> To: Inamdar Sharif; [email protected]
>> Subject: Re: MLS constraints blocking untrusted app to access
>> app_data_file
>>
>> On 12/02/2015 12:37 AM, Inamdar Sharif wrote:
>>> Hi,
>>>
>>> I am getting the below avc denied for almost every untrusted app
>>>
>>> type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#"
>>> ino=# scontext=u:r:untrusted_app:s0:c512,c768
>>> tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0
>>>
>>> Usecase: Apps on SDCard try to access their files.
>>>
>>> I know the reason why this is happening:
>>>
>>> 1) untrusted_app and app_data_file have different security levels
>>>
>>> 2) untrusted_app is not mlstrustedsubject
>>>
>>> 3) app_data_file is not mlstrustedobject
>>>
>>> But I am not sure how I can solve this issue.
>>>
>>> Please let me know any pointers on how to solve this issue.
>>>
>>> Thanks.
>>
>> Can you provide step-by-step instructions for reproducing the denial?
>>
>> Why is the directory not labeled with the category set?
>> What does ls -Z of the directory show?
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
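
As an added example (not code from the thread or from the Android/SELinux project), the sketch below parses the denial quoted above and checks the three conditions listed in the original post: the levels differ and neither side is MLS-trusted. The function names and the `trusted_subjects`/`trusted_objects` parameters are assumptions of this example; which types actually carry `mlstrustedsubject` or `mlstrustedobject` has to come from the device's policy.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = (
    'type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" '
    'ino=# scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+)'
    r'\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)'
)

def parse_context(ctx):
    """Return (type, sensitivity, categories) for user:role:type:sens[:cats]."""
    parts = ctx.split(':')
    if len(parts) not in (4, 5) or '-' in parts[3]:
        raise ValueError('expected a single-level context: ' + ctx)
    cats = set()
    for item in (parts[4].split(',') if len(parts) == 5 else []):
        lo, _, hi = item.partition('.')          # "c0.c3" is a category range
        cats.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return parts[2], parts[3], frozenset(cats)

def explain_denial(line, trusted_subjects=(), trusted_objects=()):
    """Check a denial against the three MLS conditions listed in the thread."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an avc denial')
    stype, ssens, scats = parse_context(m.group('s'))
    ttype, tsens, tcats = parse_context(m.group('t'))
    levels_differ = (ssens, scats) != (tsens, tcats)
    exempt = stype in trusted_subjects or ttype in trusted_objects
    return {
        'perms': m.group('perms').split(),
        'tclass': m.group('cls'),
        'levels_differ': levels_differ,
        'mls_mismatch': levels_differ and not exempt,
        # Categories the process carries that the directory label lacks.
        'missing_on_target': sorted(scats - tcats),
    }

if __name__ == '__main__':
    print(explain_denial(SAMPLE))
```

For the denial in this thread the result reports an MLS mismatch with categories 512 and 768 missing on the directory, which is the labeling gap the reply asks to confirm with `ls -Z`.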
