On Thu, 2017-12-14 at 16:14 +0100, Jonas Cirotzki wrote:
> Hi everyone,
>
> I wrote a small policy analysis tool for my bachelor thesis. Using this
> tool, I found the following rule in the policy for Android 7.1:
>
> allow runas radio : process dyntransition

Source policy appears to have this rule:
runas.te:allow runas non_system_app_set:process dyntransition; # setcon

With non_system_app_set defined as:
te_macros:define(`non_system_app_set', `{ appdomain -system_app }')

That appears to be the only usage of non_system_app_set in policy.

> I figured out that the radio type is assigned to com.android.phone.
> However, executing
>
> # run-as com.android.phone id
>
> yields the following error: run-as: Package 'com.android.phone' is not
> an application.
>
> This is due to the fact that run-as rejects system packages (see here
> [1]). This means that the selinux_android_setcontext() call here [2],
> can never be reached, so this rule has no effect.
>
> Is there any reason why this allow rule is present in the policy?

I don't think so; could likely rewrite the rule in runas.te with a list
of only those app domains that are legitimate and drop
non_system_app_set macro entirely.

> Thanks in advance!
>
> Best,
> Jonas Cirotzki
>
>
> References:
> [1] https://android.googlesource.com/platform/system/core.git/+/android-7.1.2_r36/run-as/run-as.c#165
> [2] https://android.googlesource.com/platform/system/core.git/+/android-7.1.2_r36/run-as/run-as.c#194
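
Added example (not part of the original thread, and not the analysis tool mentioned in it): a Python script that expands the non_system_app_set macro in the quoted runas.te rule into one rule per type and lists the targets run-as is assumed unable to enter. The appdomain membership and the reachable set are constructed sample data, not read from the Android 7.1 policy.

```python
import re

# Quoted in the thread above (te_macros and runas.te).
MACRO_SRC = "define(`non_system_app_set', `{ appdomain -system_app }')"
RULE_SRC = "allow runas non_system_app_set:process dyntransition;"

# Constructed sample data (assumption): a partial appdomain membership and the
# set of domains run-as is assumed able to enter. Not read from a real policy.
ATTRIBUTES = {"appdomain": {"untrusted_app", "system_app", "radio", "nfc", "bluetooth"}}
RUNAS_REACHABLE = {"untrusted_app"}

def parse_macros(src):
    """Return {name: body} for m4 define(`name', `body') lines."""
    return dict(re.findall(r"define\(`(\w+)',\s*`([^']*)'\)", src))

def expand_set(expr, attributes):
    """Expand a type set such as '{ appdomain -system_app }' to concrete types."""
    include, exclude = set(), set()
    for tok in expr.strip("{} \t").split():
        bucket = exclude if tok.startswith("-") else include
        name = tok.lstrip("-")
        # Attributes expand to their member types; plain types stand for themselves.
        bucket.update(attributes.get(name, {name}))
    # Subtraction applies to the whole set, independent of token order.
    return include - exclude

def expand_rule(rule, macros, attributes):
    """Substitute macros, then return one (source, target, class, perm) per type.

    Handles a single source, class and permission, as in the quoted rule.
    """
    for name, body in macros.items():
        rule = re.sub(rf"\b{re.escape(name)}\b", lambda m: body, rule)
    m = re.fullmatch(r"allow\s+(\S+)\s+(.+?)\s*:\s*(\w+)\s+(\w+)\s*;", rule.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {rule!r}")
    src, targets, cls, perm = m.groups()
    return [(src, t, cls, perm) for t in sorted(expand_set(targets, attributes))]

def unreachable_rules(rules, reachable):
    """Rules whose target domain is outside the reachable set (candidate dead rules)."""
    return [r for r in rules if r[1] not in reachable]

if __name__ == "__main__":
    rules = expand_rule(RULE_SRC, parse_macros(MACRO_SRC), ATTRIBUTES)
    for src, tgt, cls, perm in unreachable_rules(rules, RUNAS_REACHABLE):
        print(f"allow {src} {tgt}:{cls} {perm};  # target not reachable via run-as")
```

With the sample data, the expansion contains the "allow runas radio:process dyntransition" rule from the question and reports it as a candidate dead rule.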