On 06/20/2016 04:24 AM, YongQin Liu wrote:
> Hi, William
> 
> Sorry for the late response, my laptop OS crashed last Friday :(
> 
> Thanks for your suggestion first, and some comments inline.
> On 17 June 2016 at 07:50, William Roberts <bill.c.robe...@gmail.com
> <mailto:bill.c.robe...@gmail.com>> wrote:
> 
>     Typing this from my phone, might not be great. DAC override is
>     triggered when the process's permissions don't match the owner,
>     group and mode of a file. Dan Walsh has info on it here:
>     http://danwalsh.livejournal.com/69478.html
> 
> 
> I checked that, but still could not find a good method to know which
> file/operation caused those denials.
> 
>     I would try and add an auditallow statement(s) to find what file
>     it's accessing that might be causing this, and then adjust the dac
>     permissions accordingly.
> 
> After I added following rule:
> auditallow logd self:capability dac_override;
> 
> I got following message in console log:
> [    7.076059] audit: type=1400 audit(10.759:3): avc:  denied  {
> dac_override } for  pid=1734 comm="logd" capability=1
>  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
> [    7.093377] audit: type=1400 audit(10.775:4): avc:  granted  {
> dac_override } for  pid=1734 comm="logd" capability=1
>  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> [    7.107007] (stk) :ldisc installation timeout
> [    7.114174] (stk) :ldisc_install = 0
> [    7.114176] audit: type=1400 audit(10.795:5): avc:  granted  {
> dac_override } for  pid=1734 comm="logd" capability=1
>  scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
> [    7.149786] logd.auditd: start
> [    7.152983] logd.klogd: 7110154165
> [    7.193079] logd.auditd: policy loaded
> [    7.199590] logd.auditd: integrity enforcement suppressed; not rebooting
> 
> Seems there is no clue on which file caused those denials.
> 
> Do you have any comments on the output above?

You can get more information about denials by enabling syscall audit and
forcing audit pathname collection to always occur.  Make sure you have
CONFIG_AUDITSYSCALL=y in your kernel config, and patch your kernel to
set audit_default = 1 in kernel/audit.c and to set audit_n_rules = 1 in
kernel/auditsc.c (normally this would get handled by userspace, but here
you want it enabled before logd.auditd has even finished initializing,
and the Android logd.auditd doesn't support loading syscall filters anyway).

See for example
https://www.mail-archive.com/seandroid-list%40tycho.nsa.gov/msg02286.html
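
As an added worked example, not code from this thread nor from Android or the SELinux project, the script below shows what the extra records buy you once syscall auditing is active: it groups audit records by the serial number inside `audit(<time>:<serial>)`, and for every dac_override AVC record it reports the SYSCALL and PATH records that share that serial, including which rwx triple of the file's mode DAC applied to the process's effective uid/gid. The sample log is constructed: its first line is the AVC record from the thread (with its dmesg prefix), while the SYSCALL/CWD/PATH records, the path `/data/misc/logd/example.dat`, its inode, mode and owner, and uid 1036 for logd are invented for illustration.

```python
"""Correlate dac_override AVC records with the SYSCALL/PATH records that
syscall auditing (CONFIG_AUDITSYSCALL=y with audit forced on) emits under
the same audit serial number, so the offending file becomes visible.
Added example; not code from the thread or from Android/SELinux."""
import re
from collections import defaultdict

AUDIT_HDR = re.compile(r"type=(\d+)\s+audit\(([\d.]+):(\d+)\):\s*(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")

# Constructed sample log. Line 1 is the AVC record from the thread (with
# its dmesg prefix); the SYSCALL/CWD/PATH records for the same serial,
# the path, inode, mode and owner, and uid 1036 for logd are invented.
# Serial 4 is the thread's "granted" record with nothing attached to it.
SAMPLE_LOG = """\
[    7.076059] audit: type=1400 audit(10.759:3): avc:  denied  { dac_override } for  pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability permissive=1
type=1300 audit(10.759:3): arch=40000028 syscall=322 success=yes exit=7 a0=ffffff9c a1=b6e0a4d0 a2=20002 a3=0 items=1 ppid=1 pid=1734 auid=4294967295 uid=1036 gid=1036 euid=1036 suid=1036 fsuid=1036 egid=1036 sgid=1036 fsgid=1036 tty=(none) ses=4294967295 comm="logd" exe="/system/bin/logd" subj=u:r:logd:s0 key=(null)
type=1307 audit(10.759:3): cwd="/"
type=1302 audit(10.759:3): item=0 name="/data/misc/logd/example.dat" inode=4242 dev=fe:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=u:object_r:misc_logd_file:s0 nametype=NORMAL
type=1400 audit(10.775:4): avc:  granted  { dac_override } for  pid=1734 comm="logd" capability=1 scontext=u:r:logd:s0 tcontext=u:r:logd:s0 tclass=capability
"""


def parse_records(text):
    """Group audit records by serial number; each record becomes a dict."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        m = AUDIT_HDR.search(line)        # search(): tolerates a dmesg prefix
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        rec = {"type": int(rtype), "ts": ts}
        avc = AVC.search(body)
        if avc:                           # "avc:  denied  { perm ... }"
            rec["avc_result"] = avc.group(1)
            rec["avc_perms"] = avc.group(2).split()
        for key, val in KV.findall(body):
            rec[key] = val.strip('"')
        by_serial[int(serial)].append(rec)
    return by_serial


def dac_class(mode_octal, ouid, ogid, euid, egid):
    """Return (class, rwx bits) of the mode triple DAC applies to a process
    with the given effective uid/gid: owner, else group, else other."""
    perms = int(mode_octal, 8) & 0o777
    if euid == ouid:
        return "owner", (perms >> 6) & 7
    if egid == ogid:
        return "group", (perms >> 3) & 7
    return "other", perms & 7


def rwx(bits):
    """Render a 3-bit permission value as 'rwx' style text."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))


def explain_dac_override(text):
    """One finding per serial that carries a dac_override AVC record."""
    findings = []
    for serial, recs in sorted(parse_records(text).items()):
        avcs = [r for r in recs if r["type"] == 1400
                and "dac_override" in r.get("avc_perms", [])]
        if not avcs:
            continue
        sc = next((r for r in recs if r["type"] == 1300), None)
        f = {"serial": serial, "pid": avcs[0].get("pid"),
             "comm": avcs[0].get("comm"), "result": avcs[0]["avc_result"],
             "syscall": sc["syscall"] if sc else None, "files": []}
        if sc is None:
            # The thread's situation: the AVC record alone names no file.
            f["note"] = "no SYSCALL/PATH records; syscall audit is not active"
            findings.append(f)
            continue
        euid, egid = int(sc["euid"]), int(sc["egid"])
        for p in (r for r in recs if r["type"] == 1302):
            cls, bits = dac_class(p["mode"], int(p["ouid"]), int(p["ogid"]), euid, egid)
            f["files"].append({"name": p["name"], "mode": p["mode"],
                               "owner": f'{p["ouid"]}:{p["ogid"]}',
                               "dac_class": cls, "dac_bits": rwx(bits)})
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in explain_dac_override(SAMPLE_LOG):
        print(f"serial {f['serial']}: {f['comm']} pid {f['pid']} dac_override "
              f"{f['result']} syscall={f['syscall']} (number is arch-specific)")
        for x in f["files"]:
            print(f"  {x['name']} mode={x['mode']} owner={x['owner']} -> process "
                  f"falls in class '{x['dac_class']}' with bits {x['dac_bits']}")
        if "note" in f:
            print("  " + f["note"])
```

Serial 4 in the sample reproduces the original complaint: a dac_override record with no SYSCALL or PATH record attached, so nothing identifies the file. Serial 3 shows the situation after syscall audit is forced on: the process runs as uid 1036 but the file is root-owned with mode 0600, so it falls into the "other" class with no bits and the kernel consults CAP_DAC_OVERRIDE. That is the information needed to follow the earlier advice of adjusting the file's owner, group or mode rather than allowing dac_override in policy.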

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov