From the Terminal Emulator app I see when running 'mount' these additional mounts beyond what's seen through adb shell:

tmpfs /storage/emulated
/dev/fuse /storage/emulated/0
/dev/fuse /storage/emulated/0/Android/obb
/dev/fuse /storage/emulated/legacy
/dev/fuse /storage/emulated/legacy/Android/obb

/storage/emulated is labeled u:object_r:tmpfs:s0 but the other ones (and their contents) are labeled u:object_r:sdcard:s0.

dalvik/vm/Init.cpp mounts /storage/emulated (I think once, then it's shared among all apps - don't know why it's mounted just for app processes vs. system-wide?), dalvik_system_Zygote.cpp mounts the other ones (I think on a per-app basis, depending on the userid & the app's permissions).

I'm using this Terminal Emulator app: http://f-droid.org/repository/browse/?fdid=jackpal.androidterm&fdpage=16

I actually have to turn off SELinux enforcing mode when starting the app, then turn it back on and go back to the app, because the policies block some tty stuff the app does when it starts up.

Mike
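A small triage helper, added here as an example and not part of this thread: it parses avc denial lines like the one Michael quotes further down into audit2allow-style summaries. The log lines are constructed (the first one is the denial from this thread), and the summary only says what was denied; as the thread shows, the right fix can be relabeling the target rather than allowing untrusted_app access to tmpfs.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in this thread plus a made-up second
# denial of the same shape and one unrelated kernel line, so grouping and
# filtering both have something to do.
SAMPLE_DMESG = """\
<5>[  552.326965] type=1400 audit(1358990973.587:16): avc: denied { search } for pid=1907 comm="igwinbasketball" name="/" dev=tmpfs ino=2500 scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=dir
<5>[  553.001200] type=1400 audit(1358990974.101:17): avc: denied { getattr } for pid=1907 comm="igwinbasketball" path="/" dev=tmpfs ino=2500 scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=dir
<6>[  554.500000] init: some unrelated kernel log line
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one avc denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # The SELinux type is the third field of user:role:type[:mls]
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(log_text):
    """Collapse denials into audit2allow-style rules keyed by (stype, ttype, tclass)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == '__main__':
    for rule in summarize(SAMPLE_DMESG):
        print(rule)
```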
From: William Roberts [mailto:bill.c.robe...@gmail.com]
Sent: Thursday, January 24, 2013 12:42 AM
To: Peck, Michael A
Cc: seandroid-list@tycho.nsa.gov
Subject: Re: /storage/emulated security label

That's weird, if I recall emulated is used for the fuse mount. I wonder why that app isn't going the normal route....

On Jan 23, 2013 9:29 PM, "Peck, Michael A" <mp...@mitre.org> wrote:

An app I installed (Big Win Basketball) kept crashing whenever SELinux enforcing mode was turned on. This is on a Galaxy Nexus (maguro). Oddly, with enforcing mode turned off, no denial messages were showing up in the log.

<5>[ 552.326965] type=1400 audit(1358990973.587:16): avc: denied { search } for pid=1907 comm="igwinbasketball" name="/" dev=tmpfs ino=2500 scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:tmpfs:s0 tclass=dir

From logcat:
E/AndroidRuntime( 3105): Caused by: java.lang.IllegalArgumentException: Invalid path: /storage/emulated/0
E/AndroidRuntime( 3105): Caused by: libcore.io.ErrnoException: statfs failed: EACCES (Permission denied)

I eventually noticed (using a Terminal Emulator app) that from the perspective of running apps, /storage/emulated is labeled as u:object_r:tmpfs:s0 (but from the perspective of 'adb shell' it's labeled u:object_r:rootfs:s0), which I think was preventing the app from being able to access /storage/emulated/0 (which is correctly labeled u:object_r:sdcard:s0).

I modified dalvik/vm/Init.cpp to label /storage/emulated as u:object_r:sdcard:s0 when mounting and that seemed to fix the problem. Not sure if that is the right approach or the right label (though it's already setting gid=1028 which is sdcard_r, so labeling as sdcard might make sense).

diff --git a/vm/Init.cpp b/vm/Init.cpp index 11d884e..639da90 100644 --- a/vm/Init.cpp +++ b/vm/Init.cpp
@@ -1658,7 +1658,7 @@ static bool initZygote() const char* target_base = getenv("EMULATED_STORAGE_TARGET"); if (target_base != NULL) { if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV, - "uid=0,gid=1028,mode=0050") == -1) { + "uid=0,gid=1028,mode=0050,fscontext=u:object_r:sdcard:s0") == - SLOGE("Failed to mount tmpfs to %s: %s", target_base, strerror(errn return -1; }
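Review bot: the `+` line hard-codes the `fscontext=u:object_r:sdcard:s0` option unconditionally, and the surrounding lines show that a failed mount makes initZygote return -1; on a kernel built without SELinux, tmpfs rejects an unrecognised `fscontext=` mount option, so this change would make zygote start-up fail on non-SELinux builds of the same source. Suggest appending the fscontext option to the data string only when SELinux is enabled (libselinux's `is_selinux_enabled()` is the usual guard), and documenting in a comment why the tmpfs root is given the sdcard type, since the message itself says it is unclear whether this is the right label.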