In user/userdebug builds, the ADB shell runs in the shell UID and thus any capability checks will be denied by DAC even before you reach the SELinux check. In the eng build, the ADB shell runs as root (as if you had run an adb root command on the userdebug build or were on the emulator), and thus you will pass the DAC check and reach the SELinux check.
On Mon, May 19, 2014 at 2:41 PM, Tai Nguyen (tainguye) <[email protected]> wrote:
> All,
>
> On my user/userdebug loads, the adb shell user can run the ps command without any
> audit message.
>
> shell@android:/ $ id
> uid=2000(shell) gid=2000(shell)
> groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
> context=u:r:shell:s0
>
> However, on my eng loads, a ps command generates a lot of audit messages about
> sys_ptrace:
>
> audit(1400521005.486:189): avc: denied { sys_ptrace } for pid=3624
> comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
> tclass=capability
>
> audit(1400521005.486:190): avc: denied { sys_ptrace } for pid=3624
> comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
> tclass=capability
>
> root@android:/ # id
> uid=0(root) gid=0(root) context=u:r:shell:s0
>
> We don't have booleans, and I grepped for sys_ptrace and don't see any rule,
> including dontaudit, for the shell domain.
>
> So, what can cause the different result between the eng build and the user/userdebug
> build?
>
> Thanks,
> Tai
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
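An added example, not code from the thread or from the SEAndroid project: a small Python script that parses avc capability denials of the form quoted above (the two sample records are constructed copies of those in the mail), collapses repeated records into one finding, cross-checks the numeric capability against the permission name, and models the check ordering the reply describes. The model is an assumption stated in the code: the non-root shell (uid 2000) has an empty effective capability set, so commoncap refuses before the SELinux hook runs and nothing is audited; the root shell on an eng build has the full set, so the SELinux check is reached and denied.

```python
"""Parse SELinux avc capability denials and model the DAC-before-SELinux ordering.

Added example for the thread above; the sample audit lines are constructed
copies of the two records quoted in the mail.
"""
import re
from collections import Counter

# Linux capability numbers from include/uapi/linux/capability.h. The audit
# record carries the number (capability=19); policy rules use the name.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: denied \{ (?P<perms>[^}]+) \}'
    r' for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'(?: capability=(?P<cap>\d+))?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed sample input: the two records from the mail, joined onto one line each.
SAMPLE_AUDIT = """\
audit(1400521005.486:189): avc: denied { sys_ptrace } for pid=3624 comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
audit(1400521005.486:190): avc: denied { sys_ptrace } for pid=3624 comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability
"""


def parse_avc(text):
    """Return one dict per recognisable avc denial; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["cap"] = int(rec["cap"]) if rec["cap"] is not None else None
        records.append(rec)
    return records


def summarize(records):
    """Group denials by (source domain, class, permission) with a count, so the
    repeated records (serials 189 and 190 above) collapse to one finding."""
    counts = Counter()
    for rec in records:
        domain = rec["scontext"].split(":")[2]  # u:r:shell:s0 -> shell
        for perm in rec["perms"]:
            counts[(domain, rec["tclass"], perm)] += 1
    return dict(counts)


def check_capability_names(records):
    """Return (serial, number, perms) for records whose numeric capability does
    not match the permission name; an empty list means the log is consistent."""
    mismatches = []
    for rec in records:
        if rec["cap"] is None:
            continue
        if CAPABILITY_NAMES.get(rec["cap"]) not in rec["perms"]:
            mismatches.append((rec["serial"], rec["cap"], rec["perms"]))
    return mismatches


def capability_check_outcome(uid, allowed_by_policy):
    """Simplified model of the kernel capable() path for one capability check.

    Assumption (matches the builds in the thread): a non-root shell has an
    empty effective capability set and root has the full set. The commoncap
    check runs first; when it refuses, the SELinux hook is never consulted and
    no avc record is written. Returns 'dac_denied', 'selinux_denied' or 'granted'.
    """
    if uid != 0:
        return "dac_denied"
    if not allowed_by_policy:
        return "selinux_denied"
    return "granted"


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for (domain, tclass, perm), n in summarize(recs).items():
        print(f"{domain}: {tclass} {perm} denied {n} time(s)")
    print("mismatches:", check_capability_names(recs))
    for uid in (2000, 0):  # shell on user/userdebug vs root on eng
        print(f"uid={uid}: {capability_check_outcome(uid, allowed_by_policy=False)}")
```

Running the script against the sample prints one finding for the shell domain rather than two identical lines, reports no number/name mismatch, and shows `dac_denied` for uid 2000 against `selinux_denied` for uid 0, which is the difference between the two builds the reply explains.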