In another custom ROM build, I'm seeing a problem again where the data file
for my system app is not getting created with the context
I specified, attiqi_app_data_file. I'm seeing errors in logcat (see below).
Am I missing allow rules for "installd"? This is what I have:
**** seapp_context ***
# process name is diagandroid.iqd
# package name is com.att.iqi
user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd
user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file
**** snippet from my te file ****
allow installd {
attiqi_app_data_file
}:dir { create_dir_perms relabelfrom relabelto };
allow installd {
attiqi_app_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
**** Errors from logcat ****
12-21 18:05:55.569 905 905 E SELinux : selinux_android_setfilecon:
Error setting context for pkgdir /data/data/com.att.iqi, uid 1000:
Permission denied
12-21 18:05:55.569 905 905 E installd: Failed to setfilecon
/data/data/com.att.iqi: Permission denied
On Tue, Dec 6, 2016 at 12:10 PM, Stephen Smalley <[email protected]> wrote:
> On 12/06/2016 03:01 PM, Helen Chiang wrote:
> > The name of the process is "diagandroid.iqd", package name is "com.att.iqi".
> > Is this a problem?
>
> Ok, so add two entries to seapp_contexts, one to assign the domain by
> process name and the other to assign the type by package name, ala:
> user=system seinfo=platform name=diagandroid.iqd domain=attiqi_app
> user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file
>
> >
> > On Tue, Dec 6, 2016 at 11:34 AM, Stephen Smalley <[email protected]> wrote:
> >
> > On 12/06/2016 02:00 PM, Helen Chiang wrote:
> > > I declared a new file type and it seems to work but when I use ls -Z
> > > /data/data/<my-app>, it still shows
> > > "u:object_r:system_app_data_file:s0". Its proc file /proc/<PID>/stat
> > > shows the new file label, "u:r:attiqi_app:s0"
> > >
> > > bullhead:/data/data # ls -Z /proc/6795/stat
> > > u:r:attiqi_app:s0 /proc/6795/stat
> > >
> > >
> > > bullhead:/data/data # ls -Zl /data/data/com.att.iqi
> > > total 24
> > >
> > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:38 app_iq_archive
> > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:35 cache
> > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:35 files
> > >
> > >
> > > What am I missing? Is this what you'd expect?
> > >
> > > From seapp_contexts
> > >
> > > user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd type=attiqi_app_data_file
> >
> > The name doesn't match the /data/data name (diagandroid.iqd vs
> > com.att.iqi)?
> > Did you mean to omit the list from your reply?
> >
> > >
> > >
> > > This is what I have in the TE file for my new domain:
> > > type attiqi_app_data_file, file_type, data_file_type;
> > >
> > > allow installd {
> > > attiqi_app_data_file
> > > }:dir { create_dir_perms relabelfrom relabelto };
> > >
> > > allow installd {
> > > attiqi_app_data_file
> > > }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
> > >
> > > allow system_server { attiqi_app_data_file }:dir { getattr read search };
> > > allow system_server { attiqi_app_data_file }:file { getattr read write };
> > > allow system_server attiqi_app_data_file:dir create_dir_perms;
> > > allow system_server attiqi_app_data_file:file create_file_perms;
> > >
> > >
> > > type attiqi_app, domain, domain_deprecated;
> > >
> > > # Include all appdomain rules
> > > app_domain(attiqi_app)
> > > # Access the network.
> > > net_domain(attiqi_app)
> > > # Access bluetooth.
> > > bluetooth_domain(attiqi_app)
> > >
> > >
> > >
> > >
> > >
> > > > Also, what you're saying seems to imply that if I run as untrusted_app,
> > > > I can actually access /proc/<PID>/stat of any untrusted app? This also
> > > > means any 3rd party app can read /proc/<PID>/stat of another.
> > > >
> > > On a conventional Linux system, /proc/pid/stat is world-readable, so
> > > apps used to be able to access any /proc/pid/stat at all. When SELinux
> > > went enforcing for all apps in Android (5.0), we could at least limit
> > > them to only being able to do it for other third party apps, and when
> > > levelFrom=user was enabled (6.0), we could limit them to doing it for
> > > other third party apps running for the same user. Then, in some version
> > > (don't remember which one), they also started mounting /proc with
> > > hidepid=2, so apps cannot see other's /proc/pid at all (unless they have
> > > AID_READPROC in their group set). Hopefully they'll eventually turn on
> > > levelFrom=all at some point too, at which point SELinux will further
> > > isolate all apps with unique category sets (not just per-user).
> > >
> > >
> >
> >
>
>
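
Added example (not part of the original thread and not libselinux code): a simplified Python model of the seapp_contexts matching discussed above, where the domain is looked up by process name and the data directory type by package name. The FALLBACK entry and the rule that name= entries are tried first are assumptions of this model.

```python
# Added example: simplified model of seapp_contexts matching, not libselinux code.
# Assumption: entries that specify name= are tried before entries that do not.

def parse(text):
    """Parse seapp_contexts text into a list of key=value dicts."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries

def lookup(entries, kind, user, seinfo, name):
    """Return the label of the first matching entry.

    kind="domain": label for the process, name is the process name.
    kind="type":   label for the data directory, name is the package name.
    """
    for e in sorted(entries, key=lambda e: "name" not in e):
        if kind not in e:
            continue  # this entry cannot supply the requested label
        if e.get("user") != user or e.get("seinfo") != seinfo:
            continue
        if "name" in e and e["name"] != name:
            continue
        return e[kind]
    return None

def labels_for(text, process="diagandroid.iqd", package="com.att.iqi"):
    """(process domain, data dir type) for the app discussed in the thread."""
    entries = parse(text)
    return (lookup(entries, "domain", "system", "platform", process),
            lookup(entries, "type", "system", "platform", package))

# Assumed stock fallback entry for platform-signed system-uid apps.
FALLBACK = "user=system seinfo=platform domain=system_app type=system_app_data_file\n"

# Single entry from the earlier message: both labels keyed on the process name.
ORIGINAL = FALLBACK + (
    "user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd "
    "type=attiqi_app_data_file\n")

# Two entries as suggested in the reply: domain by process name, type by package name.
SUGGESTED = FALLBACK + (
    "user=system seinfo=platform name=diagandroid.iqd domain=attiqi_app\n"
    "user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file\n")

if __name__ == "__main__":
    print("original :", labels_for(ORIGINAL))
    print("suggested:", labels_for(SUGGESTED))
```

The model covers only which entry is selected for each lookup; whether installd is then allowed to apply the selected label is decided by policy rules and is not modelled here.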
_______________________________________________
Seandroid-list mailing list