Ah - I never thought that the ps command uses privileges that normal users do not have.
Tai

On 5/20/14, 4:56 PM, "Stephen Smalley" <[email protected]> wrote:

> In user/userdebug builds, the ADB shell runs in the shell UID and thus
> any capability checks will be denied by DAC even before you reach the
> SELinux check. In the eng build, the ADB shell runs as root (as if
> you had run an adb root command on the userdebug build or were on the
> emulator), and thus you will pass the DAC check and reach the SELinux
> check.
>
> On Mon, May 19, 2014 at 2:41 PM, Tai Nguyen (tainguye)
> <[email protected]> wrote:
>> All,
>>
>> On my user/userdebug loads, the adb shell user can run the ps command
>> without any audit message.
>>
>> shell@android:/ $ id
>> uid=2000(shell) gid=2000(shell)
>> groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),2001(cache),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
>> context=u:r:shell:s0
>>
>> However, on my eng loads, a ps command generates a lot of audit messages
>> about sys_ptrace:
>>
>> audit(1400521005.486:189): avc: denied { sys_ptrace } for pid=3624
>> comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
>> tclass=capability
>>
>> audit(1400521005.486:190): avc: denied { sys_ptrace } for pid=3624
>> comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0
>> tclass=capability
>>
>> root@android:/ # id
>> uid=0(root) gid=0(root) context=u:r:shell:s0
>>
>> We don't have a boolean, and I grepped for sys_ptrace and don't see any
>> rule, including dontaudit, for the shell domain.
>>
>> So, what can cause different results between the eng build and the
>> user/userdebug build?
>>
>> Thanks,
>> Tai
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
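The two-stage check Stephen describes (the effective capability set is consulted before the SELinux capability hook, so a uid 2000 shell is refused silently while a uid 0 shell in the same u:r:shell:s0 context gets an avc record) can be checked from an adb shell with the script below. It is an added example, not code from the thread or from AOSP. It assumes that CapEff in /proc/PID/status is printed as a 16-hex-digit mask, that CAP_SYS_PTRACE is number 19 (the capability=19 field in Tai's audit record), and the two sample effective sets ROOT_CAPEFF and SHELL_CAPEFF are constructed values, not captured from a device.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing list): which stage stops a
# capability-gated operation such as ps. The kernel tests the caller's
# effective capability set (the "DAC" stage, CapEff in /proc/PID/status)
# before the SELinux stage (allow <domain> self:capability <cap>;).
# A miss at the DAC stage returns EPERM with no audit record; only the
# SELinux stage produces "avc: denied { ... } ... tclass=capability".

CAP_SYS_PTRACE=19   # capability number; matches capability=19 in the avc line

# has_cap CAPEFF_HEX CAPNUM: succeed (exit 0) if bit CAPNUM is set in the
# 64-bit mask CAPEFF_HEX. Assumes the 16-hex-digit form /proc prints.
has_cap() {
    capeff=$1
    capnum=$2
    high=${capeff%????????}        # all but the last 8 hex digits: bits 32..63
    low=${capeff#"$high"}          # the last 8 hex digits: bits 0..31
    if [ "$capnum" -lt 32 ]; then
        word=$low
    else
        word=$high
        capnum=$(( capnum - 32 ))
    fi
    [ $(( (0x$word >> capnum) & 1 )) -eq 1 ]
}

# check_stage CAPEFF_HEX CAPNUM: print "dac" when the effective set lacks
# the capability (denied before SELinux, no avc record possible) or
# "selinux" when it is present and policy decides (denials are audited
# unless a dontaudit rule suppresses them).
check_stage() {
    if has_cap "$1" "$2"; then echo selinux; else echo dac; fi
}

# self_stage CAPNUM: the same decision for the current shell, read from /proc.
self_stage() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    check_stage "$capeff" "$1"
}

# avc_capability LINE: pull the capability number out of an avc record so
# it can be fed to check_stage / self_stage.
avc_capability() {
    printf '%s\n' "$1" | sed -n 's/.*capability=\([0-9][0-9]*\).*/\1/p'
}

# Audit record quoted from the thread (eng build, uid 0, context u:r:shell:s0).
SAMPLE_AVC='audit(1400521005.486:189): avc: denied { sys_ptrace } for pid=3624 comm="ps" capability=19 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability'

# Constructed effective sets: a full root set (eng build / adb root) and an
# empty one (user or userdebug build, uid 2000 shell). Illustrative values.
ROOT_CAPEFF=0000003fffffffff
SHELL_CAPEFF=0000000000000000

main() {
    cap=$(avc_capability "$SAMPLE_AVC")
    echo "avc record concerns capability $cap"
    echo "root shell (eng build):          $(check_stage "$ROOT_CAPEFF" "$cap")"
    echo "uid 2000 shell (user/userdebug): $(check_stage "$SHELL_CAPEFF" "$cap")"
    echo "this process (uid $(id -u)):     $(self_stage "$cap")"
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it with `sh capstage.sh --run` in both shells: on a userdebug build it reports "dac" for the uid 2000 shell, and after `adb root` (or on an eng build) it reports "selinux", which is exactly the condition under which the sys_ptrace denials start appearing in the audit log.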
