It appeared to me that we are not getting uevent notifications on these
file creations (created on the fly when you set the governor, e.g. echo
interactive > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor and
then ls -Z /sys/devices/system/cpu/cpufreq/interactive).  So I didn't
see a good way to handle it from ueventd.

On the kernel side, we could perhaps inherit the label from the parent
directory on these dynamic sysfs file creations so that we are at least
in the same type as the parent, but that will require a kernel change.

Since it is the init.hammerhead.rc file that initially sets the governor
and therefore "creates" the file (even though it is created by writing
the name to a different file), there is at least some logic to perform a
restorecon_recursive at the same place (could move it up right after
setting the governor).

Open to alternative suggestions but I couldn't see anything better...

On 07/17/2014 04:02 PM, Nick Kralevich wrote:
> At first glance, these patches just seem like a bandaid on the problem.
> I want to dig into this problem more to see if there's a better solution...
> 
> -- Nick
> 
> 
> On Thu, Jul 17, 2014 at 12:15 PM, Stephen Smalley <[email protected]> wrote:
> 
>     I don't know if this is the best solution, but it seems to solve the
>     similar problem for /sys/devices/system/cpu/cpufreq/ondemand on
>     hammerhead:
>     https://android-review.googlesource.com/#/c/101800/
>     https://android-review.googlesource.com/#/c/101741/
> 
>     On 07/17/2014 10:04 AM, Stephen Smalley wrote:
>     > Hmm...don't know if this is related, but even on current AOSP master,
>     > if I adb shell su 0 restorecon -Rv /sys it finds some wrongly labeled
>     > entries under /sys/devices/system/cpu/cpufreq:
>     >
>     > SELinux:  Relabeling /sys/devices/system/cpu/cpufreq/ondemand from
>     > u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>     >
>     > SELinux:  Relabeling
>     > /sys/devices/system/cpu/cpufreq/ondemand/powersave_bias from
>     > u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>     >
>     > SELinux:  Relabeling
>     > /sys/devices/system/cpu/cpufreq/ondemand/sampling_rate from
>     > u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>     >
>     > SELinux:  Relabeling /sys/devices/system/cpu/cpufreq/ondemand/io_is_busy
>     > from u:object_r:sysfs:s0 to u:object_r:sysfs_devices_system_cpu:s0.
>     > ...
>     >
>     > On 07/17/2014 09:33 AM, Nick Kralevich wrote:
>     >> If the files in /sys/devices/system/cpu/interactive are created
>     >> post-boot, then the boot time labeling support isn't sufficient to
>     >> label these files. Applying the following patches *may* help:
>     >>
>     >> * https://android-review.googlesource.com/92902
>     >> * https://android-review.googlesource.com/100249
>     >>
>     >> The second patch, in particular, waits for any uevent messages and
>     >> properly updates the labels on dynamically created /sys files.
>     >>
>     >> -- Nick
>     >>
>     >>
>     >>
>     >> On Thu, Jul 17, 2014 at 5:53 AM, Pankaj Kushwaha
>     >> <[email protected]> wrote:
>     >>
>     >>     Hi,
>     >>
>     >>     I have written a new daemon which interacts with files present in
>     >>     the '/sys/devices/system/cpu/cpufreq/interactive/' folder.
>     >>     I was trying to provide a new label to this folder, but I was
>     >>     unable to do so.
>     >>
>     >>     I tried adding a new label in the same way as it was done for
>     >>     '/sys/devices/system/cpu/cpufreq/' but I wasn't able to relabel
>     >>     the 'interactive' folder.
>     >>     I noticed that this folder is created when the device is booted,
>     >>     while other folders prior to this are built when the boot process
>     >>     starts.
>     >>
>     >>     I also tried to change the label from genfs_context but again failed.
>     >>
>     >>     I also thought of making this folder from init.rc but still it was
>     >>     not relabeled.
>     >>
>     >>     Also as per file_context rules (/sys/devices/system/cpu(/.*)?
>     >>     u:object_r:sysfs_devices_system_cpu:s0), the interactive folder
>     >>     should have the 'sysfs_devices_system_cpu' label, but actually it
>     >>     has the 'sysfs' label.
>     >>
>     >>     Is there any specific reason that we are not allowed to change the
>     >>     label of this folder?
>     >>
>     >>     I added following lines in file.te and file_context -
>     >>     file_context :
>     >>     /sys/devices/system/cpu/cpufreq/interactive(/.*)?
>     >>     u:object_r:sysfs_interactive:s0
>     >>     file.te :
>     >>     type sysfs_interactive, fs_type, sysfs_type, mlstrustedobject;
>     >>
>     >>     Thanks
>     >>     Pankaj Kushwaha
>     >>
>     >>     _______________________________________________
>     >>     Seandroid-list mailing list
>     >>     [email protected]
>     >>     To unsubscribe, send email to [email protected].
>     >>     To get help, send an email containing "help" to
>     >>     [email protected].
>     >>
>     >>
>     >>
>     >>
>     >> --
>     >> Nick Kralevich | Android Security | [email protected] | 650.214.4037
>     >>
>     >>
>     >
> 
> 
> 
> 
> -- 
> Nick Kralevich | Android Security | [email protected] | 650.214.4037
> 
> 


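A way to spot the stale sysfs labels discussed in this thread, added here as an example and not code from the thread, from Android or from libselinux: it parses the two file_contexts rules quoted above, works out the expected label for a set of constructed `ls -Z` style observations, and reports mismatches in the form `restorecon -Rv` prints. The "longest literal stem wins, later line on ties" ordering is an assumed simplification of how libselinux orders file_contexts specs.

```python
import re
# Constructed file_contexts rules from the thread: the existing cpu rule and
# the proposed, more specific sysfs_interactive rule.
FILE_CONTEXTS = """\
/sys/devices/system/cpu(/.*)?                     u:object_r:sysfs_devices_system_cpu:s0
/sys/devices/system/cpu/cpufreq/interactive(/.*)? u:object_r:sysfs_interactive:s0
"""
# Constructed `ls -Z`-style observations (path, current label): the interactive
# and ondemand entries were created after boot-time labeling ran.
OBSERVED = [
    ("/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor", "u:object_r:sysfs_devices_system_cpu:s0"),
    ("/sys/devices/system/cpu/cpufreq/interactive", "u:object_r:sysfs:s0"),
    ("/sys/devices/system/cpu/cpufreq/interactive/timer_rate", "u:object_r:sysfs:s0"),
    ("/sys/devices/system/cpu/cpufreq/ondemand/sampling_rate", "u:object_r:sysfs:s0"),
]

def parse_file_contexts(text):
    """Return [(compiled_regex, literal_stem_len, label)] in file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, label = line.split()
        # Literal stem: everything before the first regex metacharacter.
        stem = re.split(r"[.^$?*+()\[\]{}|\\]", pattern, maxsplit=1)[0]
        specs.append((re.compile(pattern + r"$"), len(stem), label))
    return specs

def expected_label(specs, path):
    """Most specific match wins: longest literal stem, later line on ties.
    This is an assumed approximation of libselinux's spec ordering."""
    best = None
    for regex, stem_len, label in specs:
        if regex.match(path) and (best is None or stem_len >= best[0]):
            best = (stem_len, label)
    return best[1] if best else None

def find_mislabeled(specs, observed):
    """Return (path, current, expected) for entries whose label is stale."""
    out = []
    for path, cur in observed:
        want = expected_label(specs, path)
        if want and want != cur:
            out.append((path, cur, want))
    return out

if __name__ == "__main__":
    for path, cur, want in find_mislabeled(parse_file_contexts(FILE_CONTEXTS), OBSERVED):
        print(f"SELinux:  Relabeling {path} from {cur} to {want}.")
```

Entries that were labeled at boot (scaling_governor) produce no line; the interactive and ondemand entries do, which is exactly the set a `restorecon_recursive` placed after the governor is set would fix.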