Now I have the following rules:

allow test ssd_device:blk_file {read write getattr open ioctl};
allow test block_device:dir search;

Now I am getting the following denials:

01-07 17:02:48.259 I/auditd ( 270): type=1400 audit(0.0:5): avc: denied { read write } for comm="test" name="mmcblk0p23" dev="tmpfs" ino=9154 scontext=u:r:test:s0 tcontext=u:object_r:storage_partition_device:s0 tclass=blk_file

ssd is linked as follows:

shell@dinesh:/dev/block/bootdevice/by-name # ls -l
lrwxrwxrwx root root 1970-01-07 17:02 ssd -> /dev/block/mmcblk0p23

Looks like some change is required in the patches to resolve the original issue.

Thanks,
Dinesh

On Tue, Jun 24, 2014 at 4:52 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 06/24/2014 01:00 AM, Dinesh Garg wrote:
> > Would it be safe to provide the "allow test block_device:dir search" rule? I
> > wanted my daemon to have access to just ssd_device. Is there a way to
> > restrict it to ssd_device?
>
> That is safe; it only allows the test domain to search directories under
> /dev/block (which is required to look up files under it), not to open
> any other block device files under it other than the block device file
> that you explicitly labeled with ssd_device. So your rules are:
>
> allow test block_device:dir search;
> allow test ssd_device:blk_file { read write getattr open ioctl };
>
> If your test domain tries to open another block device, you should get a
> denial because you do not allow test block_device:blk_file anywhere.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
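The denial in the thread is exactly the case Stephen describes: the policy grants blk_file access only on ssd_device, but the node that /dev/block/bootdevice/by-name/ssd resolves to (mmcblk0p23) carries the tcontext storage_partition_device, so the rules do not cover it. The following is an added example, not code from the thread or from the SELinux/SEAndroid projects: it parses the quoted AVC denial and the two allow rules, computes which permissions are uncovered, and distinguishes a labeling mismatch (the target node is not labeled with the type the policy expects, so the fix is in file_contexts/labeling) from a genuine policy gap (where an audit2allow-style rule is the fallback). The sample denial and policy text are copied from the mail; the function names and the `diagnose` heuristic are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the AVC denial quoted in the mail thread (constructed copy for offline use)
SAMPLE_DENIAL = (
    '01-07 17:02:48.259 I/auditd ( 270): type=1400 audit(0.0:5): avc: denied '
    '{ read write } for comm="test" name="mmcblk0p23" dev="tmpfs" ino=9154 '
    'scontext=u:r:test:s0 tcontext=u:object_r:storage_partition_device:s0 tclass=blk_file'
)

# The two allow rules from the thread, in SELinux policy syntax
SAMPLE_POLICY = """
allow test ssd_device:blk_file { read write getattr open ioctl };
allow test block_device:dir search;
"""

# "avc: denied { perms } for key=value ..." -- fields may or may not be double-quoted
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# allow SRC TGT:CLASS { p1 p2 }; or allow SRC TGT:CLASS p1;
ALLOW_RE = re.compile(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*?)\s*\}|(\w+))\s*;')


@dataclass(frozen=True)
class Denial:
    perms: frozenset      # permissions that were denied
    source_type: str      # type component of scontext (the domain)
    target_type: str      # type component of tcontext (the object label)
    tclass: str           # object class, e.g. blk_file
    name: str             # object name from the audit record, if present


def context_type(ctx):
    """Security context is user:role:type:level, e.g. u:r:test:s0 -> 'test'."""
    return ctx.split(':')[2]


def parse_denial(line):
    """Return a Denial for an auditd/dmesg line carrying an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return Denial(frozenset(m.group('perms').split()),
                  context_type(fields['scontext']),
                  context_type(fields['tcontext']),
                  fields['tclass'],
                  fields.get('name', ''))


def parse_policy(text):
    """Extract (source, target, class, perms) tuples from allow rules in policy text."""
    rules = []
    for src, tgt, cls, braced, single in ALLOW_RE.findall(text):
        perms = frozenset(braced.split()) if braced else frozenset([single])
        rules.append((src, tgt, cls, perms))
    return rules


def allowed_perms(rules, src, tgt, cls):
    """Union of permissions the rules grant for the exact (src, tgt, cls) triple."""
    out = set()
    for s, t, c, p in rules:
        if (s, t, c) == (src, tgt, cls):
            out |= p
    return frozenset(out)


def missing_perms(rules, d):
    """Denied permissions that no rule covers; empty means the policy already allows it."""
    return d.perms - allowed_perms(rules, d.source_type, d.target_type, d.tclass)


def suggested_rule(d):
    """audit2allow-style rule that would silence the denial as observed (a fallback, not a fix)."""
    return 'allow %s %s:%s { %s };' % (d.source_type, d.target_type,
                                       d.tclass, ' '.join(sorted(d.perms)))


def diagnose(rules, d, expected_target):
    """Classify a denial given the type the policy author intended the object to carry.

    If the same permissions are already granted on expected_target, the object is simply
    mislabeled and the fix belongs in the labeling, not in a broader allow rule.
    """
    if not missing_perms(rules, d):
        return 'covered'
    if (d.target_type != expected_target and
            allowed_perms(rules, d.source_type, expected_target, d.tclass) >= d.perms):
        return ('label mismatch: %s is labeled %s, but the policy grants these permissions '
                'only on %s; fix the label on the node, not the policy'
                % (d.name, d.target_type, expected_target))
    return 'policy gap: ' + suggested_rule(d)


if __name__ == '__main__':
    denial = parse_denial(SAMPLE_DENIAL)
    policy = parse_policy(SAMPLE_POLICY)
    print(denial)
    print(diagnose(policy, denial, 'ssd_device'))
```

Run on the thread's denial, `diagnose` reports a label mismatch rather than proposing a new rule, which matches the conclusion in the mail that the labeling patch, not the policy, needs to change: the by-name symlink points at /dev/block/mmcblk0p23, and it is that node's label that the kernel checks, not the symlink's name.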