I'm working on a custom build based on Android 6.0.1 for Nexus 7. This 
custom build adds a special daemon that is started from init.rc and exposes 
some API to applications. In particular, one of the available methods creates a 
new file at /data/daemon_dir and returns a file descriptor making it 
possible to write to this file from an app.

The daemon has its own SELinux context (here it's named custom_daemon), and 
/data/daemon_dir has the custom_daemon_file context. There are sepolicy rules 
that grant file creation to the daemon and file writes to untrusted_app.

The configuration described above worked on Android 5. But after merging 
with Android 6, I'm getting the following denial:

07-11 21:57:46.735 13389-13389/? W/Binder_2: type=1400 audit(0.0:945): avc: denied { write } for path="/data/daemon_dir/some_file" dev="mmcblk0p30" ino=496817 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:custom_daemon_file:s0 tclass=file permissive=0


Here are the rules that should allow the operation:

allow untrusted_app custom_daemon_file:file rw_file_perms;
allow untrusted_app custom_daemon_file:dir r_dir_perms;

allow custom_daemon custom_daemon_file:dir create_dir_perms;
allow custom_daemon custom_daemon_file:file create_file_perms;


An interesting thing in this denial report is that scontext is 
untrusted_app. But the denial is logged for the daemon process (13389 is 
one of its thread IDs and Binder_2 is the name of the binder thread that 
handles the API call).

I believe this mismatch is what is causing the denial but cannot understand 
why this happens and how this can be fixed.
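
An added example, not part of the original post: it parses the AVC record quoted above, checks the denied permission against the untrusted_app allow rules from the post, and compares the MLS levels of the source and target contexts. The macro expansions are assumed to match AOSP's global_macros for this release, and the function names are hypothetical.

```python
import re

# Denial record and app-side allow rules copied from the post above.
DENIAL = ('type=1400 audit(0.0:945): avc: denied { write } for '
          'path="/data/daemon_dir/some_file" dev="mmcblk0p30" ino=496817 '
          'scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:object_r:custom_daemon_file:s0 tclass=file permissive=0')
RULES = """
allow untrusted_app custom_daemon_file:file rw_file_perms;
allow untrusted_app custom_daemon_file:dir r_dir_perms;
"""
# Assumption: expansions as in AOSP global_macros for this release; verify in your tree.
R_FILE = {"getattr", "open", "read", "ioctl", "lock"}
MACROS = {"r_file_perms": R_FILE,
          "rw_file_perms": R_FILE | {"open", "append", "write"},
          "r_dir_perms": {"open", "getattr", "read", "search", "ioctl"}}

def parse_denial(line):
    """Return (denied permissions, parsed scontext/tcontext, tclass)."""
    perms = set(re.search(r"denied\s+\{([^}]*)\}", line).group(1).split())
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    ctx = {}
    for key in ("scontext", "tcontext"):
        _user, _role, type_, level = fields[key].split(":", 3)
        sens, _, cats = level.partition(":")
        # Category ranges such as c0.c1023 are kept as-is, not expanded.
        ctx[key] = {"type": type_, "sensitivity": sens,
                    "categories": set(cats.split(",")) if cats else set()}
    return perms, ctx, fields["tclass"]

def te_granted(rules, src, tgt, tclass):
    """Permissions the allow rules grant for src -> tgt:tclass."""
    granted = set()
    pattern = r"allow\s+(\w+)\s+(\w+):(\w+)\s+(\w+|\{[^}]*\})\s*;"
    for s, t, c, p in re.findall(pattern, rules):
        if (s, t, c) == (src, tgt, tclass):
            for name in p.strip("{}").split():
                granted |= MACROS.get(name, {name})
    return granted

def triage(line, rules):
    """Separate 'allow rule missing' from 'contexts differ in MLS level'."""
    perms, ctx, tclass = parse_denial(line)
    s, t = ctx["scontext"], ctx["tcontext"]
    return {"missing_te_perms": perms - te_granted(rules, s["type"], t["type"], tclass),
            "mls_levels_differ": (s["sensitivity"], s["categories"])
                                 != (t["sensitivity"], t["categories"]),
            "source_only_categories": s["categories"] - t["categories"]}

if __name__ == "__main__":
    print(triage(DENIAL, RULES))
```

For the record above, no type-enforcement permission is missing, while the source level carries categories c512,c768 that the target level lacks, so the policy's constraints are the next thing to check rather than the allow rules.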
