On 02/23/2016 12:14 PM, YongQin Liu wrote:
Hi, Stephen
Thanks very much!
With commenting out the prctl(PR_CAPBSET_DROP...) call in
core/jni/com_android_internal_os_Zygote.cpp,
now I can run su from AndroidTerm shell.
so it's the two prctl calls mentioned in this thread that keep su from
running in the AndroidTerm app shell.
For the sepolicy rules, I only added the following rules in one shell.te file:
userdebug_or_eng(`
allow shell su_exec:file x_file_perms;
')
Do you think that is expected?
Seems no need to change the neverallow self:capability rules in app.te
you mentioned before.
The Android version I am playing with is Marshmallow.
Not sure I follow. First, if SELinux is enforcing, then shell is
allowed no capabilities, so it cannot exercise any root privileges.
Second, in userdebug or eng builds, the rules in su.te are included and
those already define a domain transition from shell to the su domain, so
your rule above is neither necessary nor helpful (your rule merely
allows the su binary to be executed within the shell domain, with no change
in SELinux domain/permissions, so it still is not allowed to use any
capabilities, whereas the domain_auto_trans() rule in su.te sets up a
domain transition into the su domain, which is allowed capabilities).
Also, commenting out those two prctl() calls obviously leaves your
system insecure and no longer consistent with Android (and presumably
would fail CTS security tests at that point). So that is obviously not
a workable solution for real use.
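For reference, here is what the two kinds of rule actually grant, side by side. This is an added illustration, not text from either message; the su.te fragment and the domain_auto_trans() expansion are reproduced from memory of Android's system/sepolicy te_macros of that era, so the exact permission sets should be treated as assumed.

```sepolicy
# Rule from the first message: shell may execute su_exec, but the process
# stays in the shell domain, which is allowed no capabilities when SELinux
# is enforcing.
userdebug_or_eng(`
allow shell su_exec:file x_file_perms;
')

# What su.te already provides on userdebug/eng builds (assumed shape):
userdebug_or_eng(`
  type su, domain, mlstrustedsubject;
  domain_auto_trans(shell, su_exec, su)
')

# domain_auto_trans(shell, su_exec, su) expands (per te_macros, assumed) to:
# shell may execute the file and transition into the su domain
allow shell su_exec:file { getattr open read execute };
allow shell su:process transition;
# su_exec is a valid entrypoint for the su domain
allow su su_exec:file { entrypoint open read execute getattr };
# the new domain may signal its caller on exit
allow su shell:process sigchld;
dontaudit shell su:process noatsecure;
allow shell su:process { siginh rlimitinh };
# and the transition happens by default, without the caller requesting it
type_transition shell su_exec:process su;
```

The check on a device is `ps -Z` after launching su from the shell: the process should be labelled `u:r:su:s0`; if it still reads `u:r:shell:s0`, only a plain exec happened and the `neverallow` on shell capabilities still applies. Note also that the SELinux transition is independent of the prctl(PR_CAPBSET_DROP) calls in Zygote: a drop from the capability bounding set is permanent for that process and inherited by its children, so a shell forked from an app cannot regain those capabilities through a setuid binary no matter what the policy allows, which is why removing those calls is the only thing that "fixed" the AndroidTerm case and why it is not a fix.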
_______________________________________________
Seandroid-list mailing list