> -----Original Message-----
> From: Roberts, William C
> Sent: Monday, December 14, 2015 10:38 AM
> To: 'Stephen Smalley' <[email protected]>; [email protected]
> Subject: RE: mac_override: What does ignore mean?
>
> > >> On 12/14/2015 11:57 AM, Roberts, William C wrote:
> > >>> According to:
> > >>> http://selinuxproject.org/page/ObjectClassesPerms#capability2,
> > >>> mac_override is ignored. What does that actually mean? Is it
> > >>> always denied (my guess) or always allowed?
> > >>
> > >> It is never checked by SELinux, only by Smack.
> > >>
> > >
> > > What does that entail exactly? The messages printed to dmesg are
> > > "avc denied". Do the "is capable" checks call into SE Linux and
> > > EPERM is always returned?
> > >
> > > I ask this in the context of an out of tree driver that is currently
> > > and incorrectly coded with a capable(MAC_OVERRIDE) check.
> >
> > No, the logic performed by the capable hook is not specific to any
> > capability; it just checks whether that permission bit is set in the
> > corresponding access vector.
> > So you can allow it in policy and it should be fine. But it is wrong
> > for the driver to be using that capability...
>
> That's what I thought based on looking at the code. I advised the driver team
> that they should be doing some other type of is_capable() check, likely SYS_ADMIN
> for their needs.
>
> Thanks, I just wanted to confirm.
FYI more details: Here is the code:

https://android.googlesource.com/kernel/x86_64.git/+/android-x86_64-fugu-3.10-marshmallow/drivers/staging/sep54/sepfs.c

Line 240. They have a UID/GID access list for each command; if the process has cap MAC_OVERRIDE, the check is skipped. I don't know why they even need this capable check, they should just add the privileged components into their ACL and drop this. Better yet, if they need finer access controls, they could do an implementation and out of tree patch a la binder (would like to avoid this).

_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
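A userspace model of the two points made in this thread, added here as an illustration and not code from the sepfs driver or the kernel: the SELinux capable hook only tests the permission bit in the domain's access vector, and the driver's CAP_MAC_OVERRIDE bypass of its per-command UID/GID ACL is shown next to the ACL-only check suggested above. Names such as `sep_check_current`, `sep_check_suggested` and `struct cap_avs` are invented for the model; the capability numbers are the real ones.

```c
/* Userspace model, constructed for this thread (not kernel or sepfs code), of the
 * SELinux capable hook and a sepfs-style per-command UID/GID ACL with its
 * CAP_MAC_OVERRIDE bypass. Capability numbers are the real ones. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

#define CAP_SYS_ADMIN    21
#define CAP_MAC_OVERRIDE 32
/* Access vectors policy grants the domain: class capability covers caps 0..31,
 * class capability2 covers 32 and up (mac_override is bit 0 of capability2). */
struct cap_avs { uint64_t capability, capability2; };

struct cred {
    uid_t uid; gid_t gid;
    uint64_t cap_effective;     /* effective capability set (DAC side) */
    const struct cap_avs *av;   /* what policy allows the process's domain */
};

/* The SELinux hook is not specific to any capability: it only tests whether the
 * permission bit is set in the matching access vector; -EPERM is what ends up
 * reported as "avc: denied". */
static int selinux_capable(const struct cred *c, int cap)
{
    uint64_t vec = cap < 32 ? c->av->capability : c->av->capability2;
    return (vec & (1ULL << (cap < 32 ? cap : cap - 32))) ? 0 : -EPERM;
}

/* capable(): the task must hold the capability AND policy must allow it. */
static bool capable(const struct cred *c, int cap)
{ return (c->cap_effective & (1ULL << cap)) && selinux_capable(c, cap) == 0; }
/* Per-command ACL: the UIDs and GIDs permitted to issue the command. */
struct sep_cmd_acl { const uid_t *uids; size_t nuids; const gid_t *gids; size_t ngids; };

static bool acl_match(const struct cred *c, const struct sep_cmd_acl *acl)
{
    for (size_t i = 0; i < acl->nuids; i++) if (acl->uids[i] == c->uid) return true;
    for (size_t i = 0; i < acl->ngids; i++) if (acl->gids[i] == c->gid) return true;
    return false;
}
/* As the driver is coded: CAP_MAC_OVERRIDE skips the ACL entirely. */
static bool sep_check_current(const struct cred *c, const struct sep_cmd_acl *acl)
{ return capable(c, CAP_MAC_OVERRIDE) || acl_match(c, acl); }

/* Suggested in the thread: list privileged components in the ACL, drop the bypass. */
static bool sep_check_suggested(const struct cred *c, const struct sep_cmd_acl *acl)
{ return acl_match(c, acl); }
```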
