On Mon, Dec 14, 2015 at 10:52 AM, Roberts, William C < [email protected]> wrote:
>
> > -----Original Message-----
> > From: Roberts, William C
> > Sent: Monday, December 14, 2015 10:38 AM
> > To: 'Stephen Smalley' <[email protected]>; [email protected]
> > Subject: RE: mac_override: What does ignore mean?
> >
> > >> On 12/14/2015 11:57 AM, Roberts, William C wrote:
> > >>> According to:
> > >>> http://selinuxproject.org/page/ObjectClassesPerms#capability2,
> > >>> mac_override is ignored. What does that actually mean? Is it
> > >>> always denied (my guess) or always allowed?
> > >>
> > >> It is never checked by SELinux, only by Smack.
> > >>
> > >
> > > What does that entail exactly? The messages printed to dmesg are
> > > "avc denied". Does the "is capable" checks call into SE Linux and
> > > EPERM is always returned?
> > >
> > > I ask this in the context of an out of tree driver that is currently
> > > and incorrectly coded with a capable(MAC_OVERRIDE) check.
> > >
> > > No, the logic performed by the capable hook is not specific to any
> > > capability; it just checks whether that permission bit is set in the
> > > corresponding access vector.
> > > So you can allow it in policy and it should be fine. But it is wrong
> > > for the driver to be using that capability...
> >
> > That's what I thought based on looking at the code. I advised the driver
> > team that they should be doing some other type of is_capable() check,
> > likely SYS_ADMIN for their needs.
> >
> > Thanks, I just wanted to confirm.
>
> FYI more details:
>
> Here is the code:
>
> https://android.googlesource.com/kernel/x86_64.git/+/android-x86_64-fugu-3.10-marshmallow/drivers/staging/sep54/sepfs.c
>
> Line 240.
>
> They have a UID/GID access list for each command, if the process has cap
> MAC_OVERRIDE, the check is skipped. I don't know why
> they even need this capable check, they should just add the privileged
> components into their ACL and drop this. Better yet, if they
> need finer access controls, they could do an implementation and out of
> tree patch ala binder (would like to avoid this). The best part is, their
> commented out with not supported on Android L elsewhere in the file.

--
Respectfully,
William C Roberts
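
The capable-hook behaviour described in the thread above, as an added user-space model (not code from the thread, the kernel or the sepfs driver): a capability number is split into a class index and a permission bit, and the decision is only whether that bit is set in the domain's access vector. `struct domain_policy`, `model_capable` and `driver_cmd_allowed` are hypothetical names; the last one models the ACL bypass as the thread describes it.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers from include/uapi/linux/capability.h */
#define CAP_SYS_ADMIN    21
#define CAP_MAC_OVERRIDE 32

/* The kernel's helpers for splitting a capability number. */
#define CAP_TO_INDEX(x) ((x) >> 5)          /* 0 = capability, 1 = capability2 */
#define CAP_TO_MASK(x)  (1U << ((x) & 31))  /* permission bit inside the class */

enum { CLASS_CAPABILITY = 0, CLASS_CAPABILITY2 = 1, CLASS_COUNT };

/* Hypothetical stand-in for a domain's allow rules: one access vector per class. */
struct domain_policy {
    uint32_t allowed[CLASS_COUNT];
};

/* Model of the hook: no capability is special-cased, only the bit is tested. */
static int model_capable(const struct domain_policy *p, int cap)
{
    unsigned int idx = CAP_TO_INDEX(cap);

    if (idx >= CLASS_COUNT)
        return -EINVAL;                      /* out-of-range capability */
    return (p->allowed[idx] & CAP_TO_MASK(cap)) ? 0 : -EACCES;
}

/* Model of the driver check as described in the thread: the per-command
 * UID/GID ACL is skipped when the caller holds MAC_OVERRIDE. */
static int driver_cmd_allowed(const struct domain_policy *p, int uid_in_acl)
{
    if (model_capable(p, CAP_MAC_OVERRIDE) == 0)
        return 1;                            /* ACL bypassed */
    return uid_in_acl;
}

int main(void)
{
    struct domain_policy p = { { CAP_TO_MASK(CAP_SYS_ADMIN), 0 } }; /* constructed */

    printf("mac_override: class index %d, bit 0x%x\n",
           CAP_TO_INDEX(CAP_MAC_OVERRIDE), CAP_TO_MASK(CAP_MAC_OVERRIDE));
    printf("before allow: hook=%d, cmd allowed for non-ACL uid=%d\n",
           model_capable(&p, CAP_MAC_OVERRIDE), driver_cmd_allowed(&p, 0));

    /* Equivalent of: allow <domain> self:capability2 mac_override; */
    p.allowed[CLASS_CAPABILITY2] |= CAP_TO_MASK(CAP_MAC_OVERRIDE);
    printf("after allow:  hook=%d, cmd allowed for non-ACL uid=%d\n",
           model_capable(&p, CAP_MAC_OVERRIDE), driver_cmd_allowed(&p, 0));
    return 0;
}
```

When reviewing policy for a device with such a driver, any domain granted `capability2 mac_override` should be treated as having full access to the driver's commands regardless of its ACL.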
