Hi, Stephen

Thanks very much!

After commenting out the prctl(PR_CAPBSET_DROP...) call in
core/jni/com_android_internal_os_Zygote.cpp, I can now run su from the
AndroidTerm shell. So it's the 2 prctl calls mentioned in this thread that
keep su from running in the AndroidTerm app shell.

For the sepolicy rules, I only added the following rules in one shell.te file:

    userdebug_or_eng(`
      allow shell su_exec:file x_file_perms;
    ')

Do you think that is expected?
It seems there is no need to change the neverallow self:capability rules in
app.te you mentioned before.

The Android version I am playing with is Marshmallow.

Thanks,
Yongqin Liu

On 23 February 2016 at 21:32, Stephen Smalley <[email protected]> wrote:

> On 02/23/2016 04:06 AM, YongQin Liu wrote:
>
>> Here is the output of the commands, any new findings?
>>
>> shell@flounder:/ $ su
>> current_uid=2000, current_euid=0, current_gid=2000, current_egid=2000
>> su: setgid failed: Operation not permitted
>> 1|shell@flounder:/ $ cat /proc/self/status
>> CapInh: 0000000000000000
>> CapPrm: 0000000000000000
>> CapEff: 0000000000000000
>> CapBnd: 0000000000000000
>>
>
> Your bounding set is all-zeroes, so you can't gain any superuser
> capabilities. This appears to be due to the prctl(PR_CAPBSET_DROP...) call
> in core/jni/com_android_internal_os_Zygote.cpp.
>
>> shell@flounder:/ $ id -Z
>> context=u:r:shell:s0 <------is the "Operation not permitted" caused by
>> this? if so, should not there be some avc denials in logcat for dmesg?
>> shell@flounder:/ $
>>
>
> You said that SELinux was permissive, so it isn't relevant in this case
> (but would indeed deny the capabilities if enforcing, and would generate
> avc denials).
>

--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
[email protected] <[email protected]>
http://lists.linaro.org/mailman/listinfo/linaro-android
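The CapBnd check made by eye in the quoted reply, as a small C program. This is an added example, not code from the thread or from AOSP: it parses CapBnd out of /proc/<pid>/status text and reports whether CAP_SETUID and CAP_SETGID are still in the bounding set. The function names are illustrative, and the sample input is constructed from the output quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_SETGID_BIT 6
#define CAP_SETUID_BIT 7

/* Constructed sample: the capability lines quoted in the thread. */
static const char SAMPLE_STATUS[] =
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000000000000000\n";

/* Parse the hex mask of "<field>:" at the start of a line; -1 if absent. */
int parse_cap_field(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            char *end;
            *mask = strtoull(p + flen + 1, &end, 16);
            return end == p + flen + 1 ? -1 : 0;   /* no hex digits found */
        }
        p = strchr(p, '\n');                        /* advance to next line */
        if (p) p++;
    }
    return -1;
}

/* 1: bounding set still allows CAP_SETUID and CAP_SETGID, 0: not, -1: no CapBnd. */
int su_can_gain_ids(const char *status)
{
    uint64_t bnd, need = (1ULL << CAP_SETGID_BIT) | (1ULL << CAP_SETUID_BIT);
    if (parse_cap_field(status, "CapBnd", &bnd) != 0)
        return -1;
    return (bnd & need) == need;
}

int main(void)
{
    char buf[8192] = "";
    FILE *f = fopen("/proc/self/status", "r");      /* live check on Linux */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    printf("can gain setuid/setgid: %d\n", su_can_gain_ids(n ? buf : SAMPLE_STATUS));
    return 0;
}
```

A result of 0 for a process matches the "setgid failed: Operation not permitted" symptom regardless of SELinux mode, since a capability dropped from the bounding set cannot be regained by executing a setuid-root binary.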
