On Thu, 2017-12-14 at 16:14 +0100, Jonas Cirotzki wrote:
> Hi everyone,
> 
> I wrote a small policy analysis tool for my bachelor thesis. Using this
> tool, I found the following rule in the policy for Android 7.1:
> 
> allow runas radio : process dyntransition

Source policy appears to have this rule:
runas.te:allow runas non_system_app_set:process dyntransition; # setcon

With non_system_app_set defined as:
te_macros:define(`non_system_app_set', `{ appdomain -system_app }')

That appears to be the only usage of non_system_app_set in policy.

> 
> I figured out that the radio type is assigned to com.android.phone.
> However, executing
> 
> # run-as com.android.phone id
> 
> yields the following error: run-as: Package 'com.android.phone' is not
> an application.
> 
> This is due to the fact that run-as rejects system packages (see here
> [1]). This means that the selinux_android_setcontext() call here [2],
> can never be reached, so this rule has no effect.
> 
> Is there any reason why this allow rule is present in the policy?

I don't think so; could likely rewrite the rule in runas.te with a list
of only those app domains that are legitimate and drop
non_system_app_set macro entirely.

> 
> 
> Thanks in advance!
> 
> Best,
> Jonas Cirotzki
> 
> 
> References:
> [1] https://android.googlesource.com/platform/system/core.git/+/android-7.1.2_r36/run-as/run-as.c#165
> [2] https://android.googlesource.com/platform/system/core.git/+/android-7.1.2_r36/run-as/run-as.c#194
> 
> 
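
The macro expansion discussed in this thread, as an added example that is not part of either message or of the AOSP sources: it expands `non_system_app_set` the way the policy compiler would and lists the concrete `dyntransition` targets that fall outside an allowlist, which is how a rule like `allow runas radio` shows up in the compiled policy. The attribute membership and the `REACHABLE` allowlist are constructed assumptions; only the macro and rule text come from the thread.

```python
import re

# Constructed sample data: attribute membership is an assumption for this
# example, not extracted from a real Android 7.1 policy build.
ATTRIBUTES = {
    "appdomain": {"untrusted_app", "isolated_app", "platform_app", "priv_app",
                  "system_app", "radio", "nfc", "bluetooth"},
}
# Macro and rule text as quoted in the thread.
MACROS = {"non_system_app_set": "{ appdomain -system_app }"}
RULE = "allow runas non_system_app_set:process dyntransition;"
# Assumption: domains run-as can actually enter (hypothetical allowlist).
REACHABLE = {"untrusted_app"}


def expand_set(expr, attributes, macros):
    """Expand a type-set expression such as '{ appdomain -system_app }'."""
    expr = macros.get(expr.strip(), expr)
    included, excluded = set(), set()
    for tok in expr.strip("{} \t").split():
        negate = tok.startswith("-")
        name = tok.lstrip("-")
        members = attributes.get(name, {name})  # attribute or single type
        (excluded if negate else included).update(members)
    return included - excluded


def parse_allow(rule):
    """Split 'allow src tgt:class perms;' into its four fields."""
    m = re.fullmatch(r"allow\s+(\S+)\s+(.+?)\s*:\s*(\S+)\s+(.+?);", rule.strip())
    if not m:
        raise ValueError(f"not an allow rule: {rule!r}")
    perms = m.group(4).strip("{} ").split()
    return m.group(1), m.group(2), m.group(3), perms


def dead_targets(rule, attributes, macros, reachable):
    """Targets the rule grants that the allowlist says are never entered."""
    _, tgt, _, _ = parse_allow(rule)
    return sorted(expand_set(tgt, attributes, macros) - reachable)


if __name__ == "__main__":
    for t in dead_targets(RULE, ATTRIBUTES, MACROS, REACHABLE):
        print(f"allow runas {t}:process dyntransition;  # outside allowlist")
```

Replacing the macro in the rule with an explicit list of the allowlisted domains makes `dead_targets` return an empty list, which is the rewrite suggested in the reply.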
