Here is the logcat failure

Unable to create files subdir /data/user/0/<package name>/cache

Thanks.

-----Original Message-----
From: Stephen Smalley [s...@tycho.nsa.gov]
Received: Wednesday, 02 Dec 2015, 11:52PM
To: Inamdar Sharif [isha...@nvidia.com]; seandroid-list@tycho.nsa.gov 
[seandroid-list@tycho.nsa.gov]
CC: n...@google.com [n...@google.com]
Subject: Re: MLS constraints blocking untrusted app to access app_data_file

On 12/02/2015 01:17 PM, Inamdar Sharif wrote:
> It's data/data/<packagename>

That's not on the sdcard, unless it is just a symlink there?

>
> -----Original Message-----
> *From:* Stephen Smalley [s...@tycho.nsa.gov]
> *Received:* Wednesday, 02 Dec 2015, 11:42PM
> *To:* Inamdar Sharif [isha...@nvidia.com]; seandroid-list@tycho.nsa.gov
> [seandroid-list@tycho.nsa.gov]
> *CC:* n...@google.com [n...@google.com]
> *Subject:* Re: MLS constraints blocking untrusted app to access
> app_data_file
>
> On 12/02/2015 12:36 PM, Inamdar Sharif wrote:
>> I first moved the app to sdcard.
>> Then did the upgrade and then tried to run from sdcard.
>>
>> Thanks.
>
> What's the pathname prefix of the app data directory?
> e.g. they typically live in /data/data, /data/user/<N>,
> /mnt/expand/<UUID>/user/<N> or likewise with user_de instead of user.
>
>>
>> -----Original Message-----
>> *From:* Stephen Smalley [s...@tycho.nsa.gov]
>> *Received:* Wednesday, 02 Dec 2015, 9:52PM
>> *To:* Inamdar Sharif [isha...@nvidia.com]; seandroid-list@tycho.nsa.gov
>> [seandroid-list@tycho.nsa.gov]
>> *CC:* Nick Kralevich [n...@google.com]
>> *Subject:* Re: MLS constraints blocking untrusted app to access
>> app_data_file
>>
>> On 12/02/2015 11:01 AM, Inamdar Sharif wrote:
>>> Yes, the app is trying to access its own app data directory.
>>>
>>> What more information do you need, so that I can gather it?
>>> Also, how do I get more info?
>>>
>>> What I think is that when we do the upgrade it does not label the app
>>> directory again, which leads to the denial.
>>
>> So, you moved the app data directory to SD before upgrading to M?  Or
>> afterward?  If afterward, did it have the correct label prior to moving it?
>>
>> What's the path prefix of the app data directory?
>>
>>>
>>> Thanks.
>>>
>>> -----Original Message-----
>>> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
>>> Sent: Wednesday, December 02, 2015 8:42 PM
>>> To: Inamdar Sharif; seandroid-list@tycho.nsa.gov
>>> Cc: Nick Kralevich
>>> Subject: Re: MLS constraints blocking untrusted app to access app_data_file
>>>
>>> On 12/02/2015 09:35 AM, Inamdar Sharif wrote:
>>>> Steps are:
>>>>
>>>> 1) Install the app on the device.
>>>> 2) Move the app to the sdcard.
>>>> 3) Try to run the app from the sdcard. ----> Failed.
>>>>
>>>> This happens after upgrading to Android M.
>>>
>>> I don't think I can test that, as the only devices I have that run M are 
>>> Nexus and have no real SDcard support.
>>>
>>> The question remains as to why the app data directory is not being labeled 
>>> with the appropriate categories.  That's the bug - the data directory needs 
>>> to be labeled consistently with the app.  I assume btw that this is the app 
>>> trying to access its own appdata directory; I can't tell that from only the 
>>> information you provided since you omitted any identifying information from
>>> the denial (and fully determining it might require syscall audit or other
>>> logging).
>>>
>>>>
>>>> Thanks.
>>>>
>>>> -----Original Message-----
>>>> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
>>>> Sent: Wednesday, December 02, 2015 7:51 PM
>>>> To: Inamdar Sharif; seandroid-list@tycho.nsa.gov
>>>> Subject: Re: MLS constraints blocking untrusted app to access
>>>> app_data_file
>>>>
>>>> On 12/02/2015 12:37 AM, Inamdar Sharif wrote:
>>>>> Hi,
>>>>>
>>>>> I am getting the below avc denied for almost every untrusted app
>>>>>
>>>>> type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#"
>>>>> ino=# scontext=u:r:untrusted_app:s0:c512,c768
>>>>> tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0
>>>>>
>>>>> Usecase: Apps on SDCard try to access their files.
>>>>>
>>>>> I know the reason about why this is happening:
>>>>>
>>>>> 1) untrusted_app and app_data_file have different security levels
>>>>>
>>>>> 2) untrusted_app is not mlstrustedsubject
>>>>>
>>>>> 3) app_data_file is not mlstrustedobject
>>>>>
>>>>> But I am not sure how I can solve this issue.
>>>>>
>>>>> Please let me know any pointers on how to solve this issue.
>>>>>
>>>>> Thanks.
>>>>
>>>> Can you provide step-by-step instructions for reproducing the denial?
>>>>
>>>> Why is the directory not labeled with the category set?
>>>> What does ls -Z of the directory show?
>>>>
>>>> _______________________________________________
>>>> Seandroid-list mailing list
>>>> Seandroid-list@tycho.nsa.gov
>>>> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
>>>> To get help, send an email containing "help" to 
>>>> seandroid-list-requ...@tycho.nsa.gov.
>>>>
>>>
>>>
>>
>
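
Added example, not part of the original thread and not AOSP code: a small Python parser for the AVC denial quoted above that compares the MLS level of scontext and tcontext and lists the categories the directory label lacks, which is the mismatch the "ls -Z" question is probing. The function names are hypothetical, the sample line is the thread's denial joined onto one line, and a single-level context (no low-high range) is assumed.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(0.0:1078): avc: denied { search } for name="#" dev="#" '
    'ino=# scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def expand_categories(spec):
    """Expand 'c512,c768' or a range such as 'c0.c3' into a set of ints."""
    cats = set()
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        cats.update(range(lo_n, hi_n + 1))
    return cats

def parse_context(ctx):
    """Split user:role:type:level; assumes one level, not a low-high range."""
    _user, _role, type_, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return type_, sens, expand_categories(cats)

def diagnose(line):
    """Return the MLS comparison for one AVC denial, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    s_type, s_sens, s_cats = parse_context(m["scontext"])
    t_type, t_sens, t_cats = parse_context(m["tcontext"])
    return {
        "perms": m["perms"].split(),
        "tclass": m["tclass"],
        "source_type": s_type,
        "target_type": t_type,
        "levels_equal": s_sens == t_sens and s_cats == t_cats,
        "missing_on_target": sorted(s_cats - t_cats),  # categories the object lacks
        "missing_on_source": sorted(t_cats - s_cats),  # categories the subject lacks
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC))
```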
