For example I just installed Zynga "Words With Friends Free" from the Google 
Play Store and got the denial just by starting up the app.
A lot of apps seem to like to run ps too, but that's a separate complaint.
I turned on enforcing mode and the app seems to run fine even with the denials.

type=1400 msg=audit(1377612264.272:9): avc:  denied  { getattr } for  pid=1948 comm="com.zynga.words" path="/data/app" dev=mmcblk0p12 ino=773681 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:object_r:apk_data_file:s0 tclass=dir
type=1400 msg=audit(1377612264.960:10): avc:  denied  { getattr } for  pid=1977 comm="ps" path="/proc/126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.960:11): avc:  denied  { search } for  pid=1977 comm="ps" name="126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.968:12): avc:  denied  { read } for  pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
type=1400 msg=audit(1377612264.968:13): avc:  denied  { open } for  pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file

>-----Original Message-----
>From: Stephen Smalley [mailto:[email protected]]
>Sent: Tuesday, August 27, 2013 8:20 AM
>To: Peck, Michael A
>Cc: [email protected]
>Subject: Re: /data/app getattr denial
>
>On 08/27/2013 08:17 AM, Stephen Smalley wrote:
>> On 08/26/2013 09:48 PM, Peck, Michael A wrote:
>>> Hi,
>>>
>>> When testing a bunch of applications, I'm getting a denial like the below
>from about 60% of the apps.  I'm using a very recent master branch (AOSP +
>SE for Android) on a Galaxy Nexus.
>>> I don't see any recent, related changes to the SELinux policy so perhaps
>there was a recent change in AOSP causing many apps to try to get the
>attributes of /data/app?  Is anyone else seeing anything similar?
>>>
>>> type=1400 msg=audit(1377395793.361:557): avc:  denied  { getattr } for
>pid=27640 comm="id.nycsubwaymap" path="/data/app" dev=mmcblk0p12
>ino=773681 scontext=u:r:untrusted_app:s0:c58,c256
>tcontext=u:object_r:apk_data_file:s0 tclass=dir
>>
>> Interesting, I haven't seen that.  Does it only happen with apps from
>> Google Play or with any of the AOSP apps?
>>
>> I suppose we could add getattr to domain.te; we already allow search to
>> apk_data_file:dir and r_file_perms to apk_data_file:file there for all
>> domains.  getattr only permits stat(2) so it isn't a big deal to permit it.
>
>Technically, it permits stat(2), getxattr(2), listxattr(2), and certain
>ioctl calls (e.g. GETFLAGS, GETVERSION).
>
>



--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
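The audit records in this thread make a handy input for a small added example (it is not part of the original message, nor code from the SE for Android project): a Python script that parses AVC audit lines, groups the denials by source type, target type and object class, and prints the candidate allow rules that audit2allow would suggest, plus a per-process count that makes the "lots of apps run ps" pattern visible. The sample log is the five records above, rejoined onto one line each; the helper names (parse_avc, group_denials, allow_rules, denials_by_comm) are this example's own, not audit2allow's.

```python
"""Group SELinux AVC denials and emit candidate allow rules (an audit2allow-style helper)."""
import re
from collections import defaultdict

# Constructed sample input: the five audit records posted in this thread,
# each rejoined onto a single line (the mail client wrapped them).
SAMPLE_LOG = """\
type=1400 msg=audit(1377612264.272:9): avc:  denied  { getattr } for  pid=1948 comm="com.zynga.words" path="/data/app" dev=mmcblk0p12 ino=773681 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:object_r:apk_data_file:s0 tclass=dir
type=1400 msg=audit(1377612264.960:10): avc:  denied  { getattr } for  pid=1977 comm="ps" path="/proc/126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.960:11): avc:  denied  { search } for  pid=1977 comm="ps" name="126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.968:12): avc:  denied  { read } for  pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
type=1400 msg=audit(1377612264.968:13): avc:  denied  { open } for  pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
"""

# "avc:  denied  { getattr } for  pid=... comm=..." -> result, permission set, rest
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# "msg=audit(1377612264.272:9)" -> timestamp and serial number
AUDIT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
# key=value pairs; values may be double-quoted (comm="ps") or bare (tclass=dir)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a context such as u:r:untrusted_app:s0:c59,c256 (the MLS
    categories c59,c256 are per-app isolation and do not matter for a type rule)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict of its fields, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    a = AUDIT_RE.search(line)
    if a:
        rec["ts"] = float(a.group("ts"))
        rec["serial"] = int(a.group("serial"))
    return rec


def parse_log(text):
    """Parse every AVC record in a blob of audit/dmesg output, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def group_denials(records):
    """Map (source type, target type, object class) -> union of denied permissions."""
    groups = defaultdict(set)
    for r in records:
        if r["result"] != "denied":
            continue
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        groups[key] |= r["perms"]
    return groups


def allow_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule; multiple permissions go in braces."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def allow_rules(records):
    """Candidate allow rules covering every denial, one per (source, target, class)."""
    return [allow_rule(*key, perms) for key, perms in sorted(group_denials(records).items())]


def denials_by_comm(records):
    """How many denials each process name (comm=) produced."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "denied":
            counts[r.get("comm", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in allow_rules(recs):
        print(rule)
    print(denials_by_comm(recs))
```

The output is a starting point for review, not policy to paste in: the script proposes `allow untrusted_app apk_data_file:dir getattr;`, whereas Stephen's suggestion in the thread is to grant that getattr in domain.te for all domains, and the three rules it proposes for the ps denials (untrusted_app reading another domain's /proc entries under zygote) describe exactly the access one would normally want to keep denied. The per-comm count is what separates the app's own denial from the ones its ps child generates.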