Dear Nick Kralevich and related people

During getting the source, I have questions.
I think that if I want to get and merge the commits (subject: "Finish fixing Zygote descriptor leakage problem"), I should also get and merge the commits (subject: "Remove old fork-and-specialize API").

Is it right?
If it is right, is there another commit which I need to get and merge?

Thank you
Best regards

2014-04-15 9:17 GMT+09:00 Jaejyn Shin <[email protected]>:

> Dear William Roberts
>
> Okay, that is another good idea.
> I will check the method after compatibility between the recent policy and
> my device.
>
> Thank you
> Best regards
>
>
> 2014-04-14 10:54 GMT+09:00 William Roberts <[email protected]>:
>
>> IMHO you would probably be best advised to pull in all the current work on
>> master into your external project.
>> On Apr 13, 2014 4:56 PM, "Jaejyn Shin" <[email protected]> wrote:
>>
>>> Dear Nick Kralevich
>>>
>>> Thank you for your nice advice!!
>>> I will apply those commits and test it again.
>>>
>>> Thank you
>>> Best regards
>>>
>>>
>>> 2014-04-13 23:15 GMT+09:00 Nick Kralevich <[email protected]>:
>>>
>>>>
>>>> Dave Platt committed the zygote socket changes. They are available by
>>>> looking at his commit history:
>>>>
>>>> https://android-review.googlesource.com/#/q/owner:%22Dave+Platt%22
>>>>
>>>> Applying those patches should be sufficient to resolve this problem.
>>>>
>>>>
>>>>
>>>> On Sat, Apr 12, 2014 at 10:19 PM, Jaejyn Shin
>>>> <[email protected]> wrote:
>>>>
>>>>> Dear SEAndroid developer
>>>>>
>>>>> I found the below denial logs in my device
>>>>>
>>>>> 01-01 01:41:08.270 E/auditd ( 2997): auditd: type=1400
>>>>> msg=audit(1388540468.270:6): avc: denied { getopt } for pid=3489 comm=
>>>>> "zygote" path="/dev/socket/zygote" scontext=u:r:untrusted_app:s0
>>>>> tcontext=u:r:zygote:s0 tclass=unix_stream_socket
>>>>> 01-01 01:41:16.490 E/auditd ( 2997): auditd: type=1400
>>>>> msg=audit(1388540476.490:8): avc: denied { getattr } for pid=4519 comm
>>>>> ="zygote" path="socket:[10409]" dev="sockfs" ino=10409
>>>>> scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0
>>>>>
>>>>> These logs are shown many times from the lots of different applications.
>>>>>
>>>>> During analyzing this denial, I found an AOSP commit
>>>>>
>>>>> https://android-review.googlesource.com/#/c/81300/
>>>>>
>>>>> # Needed to close the zygote socket, which involves getopt / getattr
>>>>> # This should be deleted after b/12061011 is fixed
>>>>> allow appdomain zygote:unix_stream_socket { getopt getattr };
>>>>>
>>>>> According to the comment of the commit, I understood that the allow
>>>>> rule was removed after modifying zygote source (b/12061011 is fixed).
>>>>>
>>>>> I also don't want to write the allow rule, but I want to modify my zygote
>>>>> source.
>>>>>
>>>>> Is there anybody who knows how to modify the zygote source?
>>>>>
>>>>> Thank you
>>>>> Best regards
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Nick Kralevich | Android Security | [email protected] | 650.214.4037
>>>>
>>>
>>>
>
