We can't figure out what's wrong in the case below. Hopefully, the community can shed some light on it.
We have a suid process, setmask. This process is launched by a service shell, debugsh. A user can get a debugsh via ssh or launch debugsh directly from adb shell. Setmask has its own domain, and it is transitioned from the debugsh domain. When debugsh is launched from adb shell, it also changes to debugsh. So, regardless of whether debugsh is launched via ssh or adb shell, it runs in the debugsh domain.

The issue is that setmask runs successfully via the ssh and debugsh interface, and setmask fails via adb shell.

1. ssh -> debugsh -> setmask: Success
2. adb -> debugsh -> setmask: Failure

Since setmask is a suid program, it runs as root and has the dac_override privilege, so it works as expected in case 1. Since both debugsh and setmask run in the same SELinux domain in both cases, we can't figure out why it fails in case 2.

I recall a discussion about restricting privilege escalation in app_domain. Since adb shell is app_domain, I wonder if that is the reason setmask fails in case 2.