I'd like to resurface this email thread. Summary: When we upgrade from JB to KK load, the /data/data/<app> dirs are not relabeled. We use patches from SEAndroid 4.4.2 branch and verified that selinux_android_restorecon_pkgdir() is invoked. However, the call fails because inode_owner_or_capable() returns false.
We believe that installd should have FOWNER capability so the function inode_owner_or_capable() should return true. Is our understanding correct? Do we need any patch to make it work?

Thanks,
Tai

On 4/6/15, 8:41 AM, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:

>On 04/03/2015 05:02 PM, Tai Nguyen (tainguye) wrote:
>>Do we have any restriction on using app_data_file domain for system_app?
>>We made the following change, but the data directory still shows
>>system_app_data_file.
>>
>>- File mac_permissions.xml
>>  <signer signature="@PLATFORM" >
>>    <!-- CFG app -->
>>    <package name="cip.cfg">
>>      <seinfo value="cfg_app" />
>>    </package>
>>
>>- File seapp_contexts
>>  user=system seinfo=cfg_app name=cip.cfg domain=system_app type=app_data_file
>>
>>This is for the KitKat 4.4 code base. The app needs to be system_app for
>>other interaction but its data does not need to be protected.
>
>You need to specify whether you are using one of our branches (and if
>so, which one, e.g. seandroid-4.4.4) or vanilla AOSP (and if so, which
>release tag or branch, e.g. android-4.4.4_r2.0.1 or
>kitkat-mr2.2-release). Vanilla android-4.4.x_rN does not include the
>code changes necessary to automatically relabel the app's /data/data
>directory on upgrades but should label it correctly on first creation
>regardless, whereas our seandroid-4.4.x branches include a backport of
>the support that went into Android 5.0 Lollipop. Are you seeing the
>problem on an upgrade with an already existing /data/data/cip.cfg
>directory or on first creation?
>
>They would all be in our seandroid-4.4.x branches. Since you said
>4.4.2, look at seandroid-4.4.2 branch in frameworks/base,
>frameworks/native, and external/libselinux.
>
>The AOSP commits are listed below, but you'll find it easier to use our
>seandroid-4.4.2 branch as it already includes the changes back-ported to
>4.4.2.
>
>https://android-review.googlesource.com/#/c/89215/
>https://android-review.googlesource.com/#/c/82802/
>https://android-review.googlesource.com/#/c/82970/
>https://android-review.googlesource.com/#/c/89166/
>https://android-review.googlesource.com/#/c/89216/
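Added example, not part of the thread above: the kernel's inode_owner_or_capable() returns true when the caller's fsuid owns the inode or the caller holds CAP_FOWNER, and selinux_inode_setxattr() refuses to set security.selinux on a file owned by another uid otherwise. /data/data/<app> directories are owned by the app's uid, not by installd, so the first thing to verify is whether the running installd's effective capability set (CapEff in /proc/<pid>/status) actually contains CAP_FOWNER. The script below decodes that mask and reports the answer; the capability numbers come from linux/capability.h (CAP_FOWNER is 3), the sample masks in the comments are constructed, and the script name check_fowner.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decode a process's effective
# capability set (CapEff in /proc/<pid>/status) and report whether
# CAP_FOWNER is in it. inode_owner_or_capable() passes for files the
# caller does not own only when the caller holds CAP_FOWNER.

CAP_FOWNER=3          # capability number, from linux/capability.h

# cap_set HEXMASK CAPNUM -> prints 1 if capability CAPNUM is in HEXMASK,
# else 0. HEXMASK is the bare hex string as shown in /proc/<pid>/status
# (no 0x prefix), e.g. 0000003fffffffff.
cap_set() {
    mask=$1; capnum=$2
    echo $(( (0x$mask >> capnum) & 1 ))
}

# cap_list HEXMASK -> prints the set capabilities, one per line. The few
# that matter for ownership checks are named; the rest print as cap_N.
cap_list() {
    mask=$1
    n=0
    while [ "$n" -lt 64 ]; do
        if [ "$(cap_set "$mask" "$n")" -eq 1 ]; then
            case $n in
                0) echo "cap_chown" ;;
                1) echo "cap_dac_override" ;;
                2) echo "cap_dac_read_search" ;;
                3) echo "cap_fowner" ;;
                4) echo "cap_fsetid" ;;
                *) echo "cap_$n" ;;
            esac
        fi
        n=$((n + 1))
    done
}

# proc_cap_mask PID -> prints the CapEff hex mask for PID (Linux /proc).
proc_cap_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# proc_has_fowner PID -> exit status 0 if PID holds CAP_FOWNER, 1 otherwise.
proc_has_fowner() {
    [ "$(cap_set "$(proc_cap_mask "$1")" "$CAP_FOWNER")" -eq 1 ]
}

# Device usage (hypothetical file name):
#   adb shell sh check_fowner.sh <pid-of-installd>
# Find the pid with `ps | grep installd`. Nothing runs when no pid is given,
# so the functions above can be sourced and called individually.
if [ "$#" -gt 0 ]; then
    pid=$1
    mask=$(proc_cap_mask "$pid")
    echo "pid $pid CapEff=$mask"
    cap_list "$mask"
    if proc_has_fowner "$pid"; then
        echo "CAP_FOWNER present: inode_owner_or_capable() can succeed on dirs owned by app uids"
    else
        echo "CAP_FOWNER missing: setxattr of security.selinux on app-owned dirs is refused (EPERM)"
    fi
fi
```

If CAP_FOWNER is present and restorecon still fails, the capability check is not the culprit and the next place to look is the SELinux policy itself (an AVC denial for relabelfrom/relabelto on the installd domain), which this script does not cover.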