On Mon, Oct 7, 2013 at 3:13 PM, Tai Nguyen (tainguye) <[email protected]> wrote:
> This will work, but this will give the server access to all files and dir
> on the system, right? So, it will give the server more privilege than
> needed. We just want to give the server access to the /proc/<pid>/cmdline
> file and not other files.
>
> On 10/7/13 3:01 PM, "Stephen Smalley" <[email protected]> wrote:
>
> >With regard to allowing it, you can allow it to read /proc/pid/cmdline
> >for all domains by writing allow rules with the domain attribute, e.g.
> > allow server domain:dir r_dir_perms;
> > allow server domain:{ file lnk_file } r_file_perms;
> >Or more succinctly using the r_dir_file() macro as:
> > r_dir_file(server, domain)
> >
> >If you want to allow it for just app domains, you can write similar
> >rules using the appdomain attribute rather than domain, e.g.
> > r_dir_file(server, appdomain)
> >

Not all files, just ones that share the domain attribute, which are really
only files tied to a running process. So it will give access to most things
under proc, but not to system_data_file.

Does this clear it up? If not, look at the denials you see:

    allow X Y:file r_file_perms;

Notice Y will be system or untrusted_app.

Those types have the attribute domain. Other types, like app_data_file or
system_data_file, do not share that attribute.

Bill
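
Added example, not part of the original thread: a small Python sketch that expands the attribute in the quoted allow rules into the concrete types it reaches, and shows the narrower appdomain variant. The type declarations are constructed and simplified for illustration (they are not the real SEAndroid policy files), and parse() and reachable() are hypothetical helper names.

```python
import re

# Constructed, simplified declarations; the two allow rules are the ones quoted above.
POLICY = """
type server, domain;
type system, domain;
type untrusted_app, domain, appdomain;
type app_data_file, file_type, data_file_type;
type system_data_file, file_type, data_file_type;
allow server domain:dir r_dir_perms;
allow server domain:{ file lnk_file } r_file_perms;
"""

# Same rules narrowed to the appdomain attribute, as suggested for app domains only.
APP_ONLY = POLICY.replace("allow server domain:", "allow server appdomain:")

def parse(policy):
    """Return (attribute -> set of member types, list of (source, target, classes))."""
    attrs, rules = {}, []
    for stmt in policy.split(";"):
        words = re.findall(r"\w+", stmt)
        if not words:
            continue
        if words[0] == "type":
            for attr in words[2:]:
                attrs.setdefault(attr, set()).add(words[1])
        elif words[0] == "allow":
            # Assumes one trailing permission macro: allow SRC TGT:CLASSES PERMS
            rules.append((words[1], words[2], set(words[3:-1])))
    return attrs, rules

def reachable(policy, source, tclass):
    """Concrete target types that `source` may access for object class `tclass`."""
    attrs, rules = parse(policy)
    out = set()
    for src, tgt, classes in rules:
        # A source or target name is either an attribute (expand it) or a plain type.
        if source in attrs.get(src, {src}) and tclass in classes:
            out |= attrs.get(tgt, {tgt})
    return out

if __name__ == "__main__":
    print("domain:   ", sorted(reachable(POLICY, "server", "file")))
    print("appdomain:", sorted(reachable(APP_ONLY, "server", "file")))
```

Because server carries the domain attribute itself in these constructed declarations, it appears in its own reachable set; neither data file type does.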
