On 24 February 2016 at 21:52, Stephen Smalley <[email protected]> wrote:
> On 02/23/2016 12:14 PM, YongQin Liu wrote:
>
>> Hi, Stephen
>>
>> Thanks very much!
>>
>> With commenting out the prctl(PR_CAPBSET_DROP...) call in
>> core/jni/com_android_internal_os_Zygote.cpp,
>> now I can run su from AndroidTerm shell.
>>
>> So it's the 2 prctl calls mentioned in this thread that keep su from running
>> in the AndroidTerm app shell.
>>
>> For the sepolicy rules, I only added the following rules in one shell.te file:
>> userdebug_or_eng(`
>> allow shell su_exec:file x_file_perms;
>> ')
>>
>> Do you think that is expected?
>> Seems no need to change the neverallow self:capability rules in app.te
>> you mentioned before.
>>
>> The Android version I am playing with is Marshmallow.
>>

Just tried again, here are some updates:

1. My build is a userdebug version based on Marshmallow, in Enforcing mode.
2. No changes related to sepolicy: no changes on the shell.te domain mentioned above, no changes on the external/sepolicy project.
3. The 2 prctl changes as mentioned above.
4. The application is integrated into the system with android:sharedUserId="android.uid.shell" in the AndroidManifest.xml.

> Not sure I follow. First, if SELinux is enforcing, then shell is allowed
> no capabilities, so it cannot exercise any root privileges.

This only makes sense for a user build, right? Since there is no su.te in a user build, root-privileged commands cannot be run from the shell domain.
As you said below, in a userdebug or eng build, shell is allowed to run root-privileged commands, like running su from the console or adb shell.

>> SELinux would prevent the app from using any superuser capabilities even if these restrictions were not in effect (see the neverallow self:capability rules in app.te),

And this only makes sense with a user build too, right?
> Second, in userdebug or eng builds, the rules in su.te are included and
> those already define a domain transition from shell to the su domain, so
> your rule above is neither necessary nor helpful (your rule merely allows
> the su binary be executed within the shell domain, with no change in
> SELinux domain/permissions, so it still is not allowed to use any
> capabilities, whereas the domain_auto_trans() rule in su.te sets up a
> domain transition into the su domain, which is allowed capabilities).
>

You are right here. Without my change on shell.te, I can run su from the AndroidTerm shell too.

> Also, commenting out those two prctl() calls obviously leaves your system
> insecure and no longer consistent with Android (and presumably would fail
> CTS security tests at that point). So that is obviously not a workable
> solution for real use.
>
> Thanks,

I know, this is only for study purposes. I did not know prctl had such effects on execve before.

--
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
[email protected] <[email protected]>
http://lists.linaro.org/mailman/listinfo/linaro-android
_______________________________________________
Seandroid-list mailing list
[email protected]
To unsubscribe, send email to [email protected].
To get help, send an email containing "help" to [email protected].
