On 15-12-29 05:22 PM, Stephen Smalley wrote:
I don't understand why the filesystem relabelto operation is required (I
suspect it may be related to our fs_use entry for ecryptfs). Even when the
mount-point context matches the context of the vfat filesystem, you still
need a relabelto operation (i.e. the operation still seems to be required
even when we are relabeling from X to X).

Permission is always checked on a context= mount, regardless of
whether the context actually differs.

Do you happen to know why SELinux chooses to ignore the security label in that operation? Was it done just to simplify the implementation? Performance does not seem to be a valid concern here.

If we change the neverallow rule to something like this:

   neverallow domain {fs_type -contextmount_type -sdcard_type}:filesystem relabelto;

Then everything works great.  Unfortunately, we cannot do that without
violating CDD :-(

Correct, and making this change in AOSP would violate the intent of
the neverallow in the first place as it would then be possible to
remount /system as a sdcard type and then write to it.

I understand the intent of the AOSP change (to prevent remounts under /system that change security context), but the effect of the sepolicy change is too broad. Can't you block context-remounts under /system without blocking them everywhere else, too?

I think the only real options here are either to try to get a
waiver/exception to the CDD for this one case, or don't use ecryptfs
over vfat.  In Android 6.0, with adoptable storage, wouldn't the
sdcard be formatted with ext4 and thus your existing fs_use entry
would work fine?

We need to support Lollipop. Further, some Marshmallow devices allow access to external storage in a "portable" mode.

-James M
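
Added example, not part of the thread and not AOSP code: a small evaluator for the type-set subtraction in the neverallow quoted above, showing which `relabelto` grants each form of the rule rejects. The attribute memberships, domain names and allow rules are constructed, the "before" rule is assumed to be the quoted rule without `-sdcard_type`, and every source is assumed to be in `domain`.

```python
# Constructed attribute -> types map (sample data, not a real policy dump).
ATTRS = {
    "fs_type": {"rootfs", "labeledfs", "vfat", "fuse", "oemfs"},
    "contextmount_type": {"oemfs"},
    "sdcard_type": {"vfat", "fuse"},
}

BEFORE = "{fs_type -contextmount_type}"               # assumed original rule
AFTER = "{fs_type -contextmount_type -sdcard_type}"   # rule proposed in the thread

# Constructed allow rules: (source, target type, class, permissions).
# "ecryptfs_mounter" and "oem_mounter" are hypothetical domain names.
RULES = [
    ("ecryptfs_mounter", "vfat", "filesystem", {"relabelto"}),
    ("oem_mounter", "oemfs", "filesystem", {"relabelto"}),
    ("ecryptfs_mounter", "vfat", "filesystem", {"mount"}),
]


def expand(expr, attrs):
    """Expand a type set such as '{fs_type -contextmount_type}' to concrete types."""
    include, exclude = set(), set()
    for tok in expr.strip("{} ").split():
        bucket = exclude if tok.startswith("-") else include
        name = tok.lstrip("-")
        # A name is either an attribute (expands to its types) or a literal type.
        bucket |= attrs.get(name, {name})
    return include - exclude


def violations(target_expr, allow_rules, attrs):
    """Return the allow rules that grant filesystem relabelto on a banned type."""
    banned = expand(target_expr, attrs)
    return [r for r in allow_rules
            if r[2] == "filesystem" and "relabelto" in r[3] and r[1] in banned]


if __name__ == "__main__":
    for label, expr in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(expand(expr, ATTRS)), violations(expr, RULES, ATTRS))
```

With `-sdcard_type` subtracted, the grant of `relabelto` on the sdcard label is no longer rejected for any mount point, which is the broadening Stephen's reply objects to.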


