On 02/12/2013 10:35 AM, Tai Nguyen (tainguye) wrote:
Hi,
What are these audit messages mean? Do we miss a transition for
/system/bin/mksh, thus, it has domain shell_exec? I think this is
related to the interface where each app registers its command interface
to our debugsh service; thus, allowing user to run those commands in our
debug shell.
The default policy does not allow app domains to execute the shell.
So you either need to allow it for the app domain or define a domain
transition on the shell into a separate domain (but do not use the same
shell domain as adb shell as that should have different permissions).
The cts.te rules allow app domains to execute shells or other system
executables if the android_cts boolean is enabled via:
# Execute the shell or other system executables.
allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms;
But I wouldn't recommend that for all app domains.
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
