Thank you for your help, Stephen.

The information you gave me allowed me to fix the problem. The issue was
that the /proc file system in the namespace init process that was created
for the user was the wrong one, as it had the original proc file system
mounted there. So, when the namespace init process forked to create an app,
it would give the app a pid of, for example, 2. However, pid 2 in the /proc
file system that was mounted, was not the correct pid 2, i.e., it was for
pid 2 in the original namespace. Thus, the solution was to create the init
process in its own mount namespace as well, and then remount /proc in that
mount namespace, so that the process pids in /proc matched the pids
assigned to processes created in the namespace.

Cheers,
   Chris.


On Fri, Jan 17, 2014 at 9:43 AM, Stephen Smalley <[email protected]> wrote:

> On 01/17/2014 09:19 AM, Christopher Stone wrote:
> > I have modified zygote in the Dalvik VM to place android applications
> into
> > separate pid namespaces. This is done in a multi-user scenario, where
> there
> > is a pid namespace created for each user, and then all the android apps
> > started by the user are placed into that namespace. Currently, I am only
> > creating pid namespaces as a first step. I have noted that Zygote already
> > creates mount namespaces for android apps so that a private emulated
> > storage directory can be bind mounted.
> >
> > I do this by creating a namespace init process for each user. This init
> > process is forked from the dalvik vm, in the forkAndSpecializeCommon()
> > function of  dalvik_system_Zygote.cpp, so it shares the same process
> > context of normal android apps. Then, at the point where zygote normally
> > forks to create an android app, the code is modified to signal the
> > namespace init process to fork the app instead.
> >
> > I am having a problem where the android app is running an SELinux
> getcon()
> > in selinux_android_setcontext() to set the SEAndroid context for the app.
> > The getcon() is returning -1 for Operation not permitted. I am running in
> > permissive mode. It is likely that there is a bug in my code, but, I
> wanted
> > to ask if there was a fundamental problem with what I am trying to do.
> For
> > instance, is there any reason why SELinux calls like getcon() will not
> work
> > in kernel pid namespaces?
>
> getcon() is open + read of /proc/self/task/<tid>/attr/current.
>
> I don't know why that would be denied, but if it is happening even in
> permissive mode, it isn't SELinux denying it but more likely a pid
> namespace restriction on /proc accesses.
>
> On the setcon() call, which is open + write of the same file, SELinux
> does prohibit writing to /proc/self/task/<tid>/attr/current by anything
> other than the same task (i.e. a task can only change its own security
> context).
>
>
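As an added example (not code from this thread, from Chris's zygote modification or from libselinux), the C program below reproduces the fix Chris describes and the getcon() mechanics Stephen describes. It unshares a user, pid and mount namespace (the user namespace is my addition so it runs without root), forks a "namespace init" that first shows the mismatch between getpid() and the pid named by the inherited /proc, then mounts a fresh proc and forks an "app" whose pids agree, and in the app performs the open + read of /proc/self/task/<tid>/attr/current that getcon() is made of. All function names are mine; it assumes a Linux kernel with unprivileged user namespaces enabled for the namespace part and reports the error if they are not.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototypes repeated here in case _GNU_SOURCE was not in effect when the
 * headers were first read; both match glibc's own declarations. */
extern int unshare(int flags);
extern long syscall(long number, ...);

/* Pid that the mounted /proc assigns to us: the target of the /proc/self
 * symlink, parsed as a number. Returns -1 if /proc is not usable. */
static long proc_self_pid(void)
{
    char target[32];
    ssize_t n = readlink("/proc/self", target, sizeof(target) - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    char *end;
    long pid = strtol(target, &end, 10);
    return (end != target && *end == '\0') ? pid : -1;
}

/* The check that exposes Chris's bug: 1 if the /proc we see belongs to our
 * own pid namespace (it names us by the pid getpid() returns), 0 if it is an
 * ancestor namespace's proc instance, -1 if /proc is unavailable. */
static int proc_matches_pid_namespace(void)
{
    long pid = proc_self_pid();
    if (pid < 0)
        return -1;
    return pid == (long)getpid();
}

/* getcon() as Stephen describes it: open + read of
 * /proc/self/task/<tid>/attr/current. Returns bytes read, or -1 with errno
 * set (ENOENT or EINVAL here just means no LSM exports attr/current). */
static ssize_t read_current_context(char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/self/task/%ld/attr/current",
             (long)syscall(SYS_gettid));
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    int saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* The fix: give the namespace init its own pid and mount namespace, mount a
 * proc bound to that pid namespace, and only then fork the app. Returns the
 * app's exit status (0 when its pids agree) or -1 if unshare failed. */
static int run_namespace_init(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) {
        perror("unshare");  /* EPERM: unprivileged user namespaces disabled */
        return -1;
    }
    /* The caller stays in its old pid namespace; its next child is pid 1 of
     * the new one and plays the per-user init. */
    pid_t init = fork();
    if (init < 0)
        return -1;
    if (init == 0) {
        /* Still looking at the inherited proc: getpid() says 1, but
         * /proc/self names our pid in the parent namespace. */
        printf("init before remount: getpid()=%ld /proc/self->%ld match=%d\n",
               (long)getpid(), proc_self_pid(), proc_matches_pid_namespace());
        /* Keep mounts private so the remount does not propagate back, then
         * mount a proc for this pid namespace. nosuid/nodev/noexec are
         * required when the existing proc mount already carries them. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0 ||
            mount("proc", "/proc", "proc",
                  MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) {
            perror("mount");
            _exit(2);
        }
        pid_t app = fork();
        if (app < 0)
            _exit(3);
        if (app == 0) {
            char ctx[256];
            printf("app: getpid()=%ld /proc/self->%ld match=%d\n",
                   (long)getpid(), proc_self_pid(), proc_matches_pid_namespace());
            if (read_current_context(ctx, sizeof(ctx)) < 0)
                printf("app: getcon-equivalent failed: %s\n", strerror(errno));
            else
                printf("app: current context: %s\n", ctx);
            _exit(proc_matches_pid_namespace() == 1 ? 0 : 1);
        }
        int st = 0;
        waitpid(app, &st, 0);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 1);
    }
    int st = 0;
    waitpid(init, &st, 0);
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    setvbuf(stdout, NULL, _IONBF, 0);  /* children _exit without flushing */
    printf("host: getpid()=%ld /proc/self->%ld match=%d\n",
           (long)getpid(), proc_self_pid(), proc_matches_pid_namespace());
    return run_namespace_init() == 0 ? 0 : 1;
}
```

The "init before remount" line is the symptom from the thread: getpid() returns 1 while the inherited proc names the process by its outer pid, so any /proc/<pid> lookup done through the wrong instance hits an unrelated task, and a /proc/self/... open issued on a proc that cannot see the caller at all fails. After the private mount the app's two numbers agree. Note the user-namespace shortcut changes one thing relative to Chris's setup: attr/current is still readable, but an SELinux context set from inside an unprivileged user namespace is not something this example attempts.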
_______________________________________________
Seandroid-list mailing list
[email protected]