On Sun, Dec 20, 2015 at 1:12 AM, James Muir <[email protected]> wrote:
> Hi All,
>
> We use ecryptfs with Android and have the following entry in our fs_use
> file:
>
> fs_use_xattr ecryptfs u:object_r:labeledfs:s0;
>
> Everything works very well when we create ecryptfs filesystems over ext4
> directories. But, we also want to do this over directories that do not
> support extended security attributes (e.g. vfat) and that has been
> problematic.
>
> We can get ecryptfs over vfat mostly working via a context mount (note that
> vfat uses genfs_contexts). But, unfortunately, a context mount requires a
> filesystem relabelto operation, and that is not permitted because of a
> neverallow statement that Stephen added:
>
> # Restrict context mounts to specific types marked with
> # the contextmount_type attribute.
> neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
>
> Here is a link to the commit:
>
>
> https://bitbucket.org/seandroid/external-sepolicy/commits/75e2ef92601c485348c40cc8884839fba27046ba
>
> There is an exception in the neverallow for contextmount_type filesystems.
> But, the se-android policy makes such file systems read-only, so we cannot
> apply that context to our ecryptfs over vfat filesystem.
>
> I don't understand why the filesystem relabelto operation is required (I
> suspect it may be related to our fs_use entry for ecryptfs). Even when the
> mount-point context matches the context of the vfat filesystem, you still
> need a relabelto operation (i.e. the operation still seems to be required
> even when we are relabeling from X to X).

Permission is always checked on a context= mount, regardless of
whether the context actually differs.

> If we change the neverallow rule to something like this:
>
> neverallow domain {fs_type -contextmount_type -sdcard_type}:filesystem
> relabelto;
>
> Then everything works great. Unfortunately, we cannot do that without
> violating CDD :-(

Correct, and making this change in AOSP would violate the intent of
the neverallow in the first place as it would then be possible to
remount /system as a sdcard type and then write to it.

> It seems like we need another entry in our fs_use file for ecryptfs over
> vfat (ecryptfs_vfat).
>
> Does the selinux policy language support something like that? Can we have
> multiple ecryptfs entries in fs_use (i.e. one for ecryptfs_ext4 and one for
> ecryptfs_vfat?)

No, I'm afraid not.

I think the only real options here are either to try to get a
waiver/exception to the CDD for this one case, or don't use ecryptfs
over vfat. In Android 6.0, with adoptable storage, wouldn't the
sdcard be formatted with ext4 and thus your existing fs_use entry
would work fine?
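
Added example (not part of the original thread, and not code from the SE for Android project): a small checker that expands the neverallow's type set and reports which allow rules it forbids, so the effect of adding `-sdcard_type` can be seen directly. The attribute membership, the `mounter_domain` name and the two allow rules are constructed for the demonstration.

```python
import re

# Constructed attribute -> member types map (an assumption for this demo).
ATTRS = {
    "domain": {"mounter_domain"},  # hypothetical domain name
    "fs_type": {"labeledfs", "rootfs", "oemfs", "vfat", "fuse"},
    "contextmount_type": {"oemfs"},
    "sdcard_type": {"vfat", "fuse"},
}

RULE = re.compile(
    r"(allow|neverallow) (\{[^}]*\}|\S+) (\{[^}]*\}|\S+):(\S+) (\{[^}]*\}|\S+);")

def expand(expr, attrs=ATTRS):
    """Expand a set such as '{fs_type -contextmount_type}' to concrete types."""
    included, excluded = set(), set()
    for tok in expr.strip("{} ").split():
        name = tok.lstrip("-")
        members = attrs.get(name, {name})  # a plain type expands to itself
        (excluded if tok.startswith("-") else included).update(members)
    return included - excluded

def parse(rule, attrs=ATTRS):
    """Parse one rule; whitespace is normalised so wrapped rules still match."""
    m = RULE.fullmatch(" ".join(rule.split()))
    if m is None:
        raise ValueError("unsupported rule syntax: %r" % rule)
    kind, src, tgt, cls, perms = m.groups()
    return (kind, expand(src, attrs), expand(tgt, attrs), cls,
            set(perms.strip("{} ").split()))

def violations(neverallow, allows, attrs=ATTRS):
    """Return the allow rules that the given neverallow forbids."""
    _, nsrc, ntgt, ncls, nperms = parse(neverallow, attrs)
    hits = []
    for rule in allows:
        _, src, tgt, cls, perms = parse(rule, attrs)
        if cls == ncls and src & nsrc and tgt & ntgt and perms & nperms:
            hits.append(rule)
    return hits

ORIGINAL = "neverallow domain {fs_type -contextmount_type}:filesystem relabelto;"
RELAXED = """neverallow domain {fs_type -contextmount_type -sdcard_type}:filesystem
relabelto;"""
ALLOWS = [  # constructed allow rules
    "allow mounter_domain vfat:filesystem { mount relabelfrom relabelto };",
    "allow mounter_domain oemfs:filesystem relabelto;",
]

if __name__ == "__main__":
    print("original rule forbids:", violations(ORIGINAL, ALLOWS))
    print("relaxed rule forbids: ", violations(RELAXED, ALLOWS))
```

With the relaxed rule every type carrying `sdcard_type` drops out of the protected set, which is why the build-time check stops complaining about a context mount labelled with such a type.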
_______________________________________________
Seandroid-list mailing list