I've seen a lot of this too. Having said that, I'm mildly worried about
introducing yet-another way to allow this connection, since each different
way we introduce raises the SELinux learning curve. If we're going to do
something, I'd want it to be bigger.
What about something like:
sets_property(uncrypt, powerctl_prop);
define(`sets_property', `
unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
')
Then sets_property implicitly grants access to the property space.
Alternatively, I'd love to see an SELinux lint tool, which looked for
common SELinux misconfigurations and warned on them. For example, a
property_service set without the ability to connect to init would be an
error, as would specifying duplicate allow rules within the same file.
-- Nick
On Mon, May 4, 2015 at 2:06 PM, <[email protected]> wrote:
> I am seeing a lot of this:
>
> unix_socket_connect(uncrypt, property, init)
> allow uncrypt powerctl_prop:property_service set;
>
> I am seeing things where people forget the write on the socket, to
> actually send the set cmd (testing might be missing this, etc) as well as
> a failure to neatly macro them like in the base policy. I think the
> unix_socket_connect() can be a bit confusing the first time one encounters
> it.
>
> I am proposing a macro that more in line fits with the semantics of
> Android, and aligns to the use_.* (keystore) style macros. Not compile
> tested.
>
> #
> # Allows a domain to connect and write to the property service
> # socket.
> #
> # use_property_service(domain)
> define(`use_property_service', `
> unix_socket_connect($1, property, init)
> ')
>
> Any hatred over this? Patches welcomed upstream?
>
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
>
--
Nick Kralevich | Android Security | [email protected] | 650.214.4037
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to
[email protected].
