On Jul 12, 2016 21:20, "Jeffrey Vander Stoep" <je...@google.com> wrote:
>
> Hi Yongqin,
>
> Looks like a process is indiscriminately calling ashmem_get_size_region() (ioctl number 7704=ASHMEM_GET_SIZE) on a unix socket. This is a bug and should not be allowed. The selinux denial is working as intended.
>
> A similar bug was fixed here:
> https://android-review.googlesource.com/#/c/198885/4/libs/binder/Parcel.cpp
>
> Does your tree include this patch?
>
> On Tue, Jul 12, 2016 at 8:43 PM YongQin Liu <yongqin....@linaro.org> wrote:
>>
>> Hi, All
>>
>> When I update to use tag android-6.0.1_r55, I got the following avc denials during boot:
>>
>> avc: denied { ioctl } for pid=177 comm="Binder_2" path="socket:[10083]" dev="sockfs" ino=10083 ioctlcmd=7704 scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 tclass=unix_stream_socket permissive=0
>>
>> and
>> avc: denied { ioctl } for pid=465 comm="Binder_1" path="socket:[14454]" dev="sockfs" ino=14454 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
>>
>>
>> With the following rules I can make the denials disappear:
>> 11:29:17 liuyq: hikey$ git diff --staged
>> diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
>> new file mode 100644
>> index 0000000..398976c
>> --- /dev/null
>> +++ b/sepolicy/ioctl_macros
>> @@ -0,0 +1 @@
>> +define(`IOCTLTEST', `0x00007704')
>> diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
>> new file mode 100644
>> index 0000000..7c337a9
>> --- /dev/null
>> +++ b/sepolicy/surfaceflinger.te
>> @@ -0,0 +1 @@
>> +allow surfaceflinger surfaceflinger:unix_stream_socket { IOCTLTEST };
>> diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
>> new file mode 100644
>> index 0000000..218a8a2
>> --- /dev/null
>> +++ b/sepolicy/system_server.te
>> @@ -0,0 +1 @@
>> +allow system_server system_server:unix_stream_socket { IOCTLTEST };
>> 11:29:19 liuyq: hikey$
>>
>>
>> but how should I find the real name for the ioctlcmd=7704?
>> I searched in the kernel, and found 7704 is defined as follows:
>> kernel/linaro/hisilicon/drivers/gpu/drm/radeon/r600d.h:1219:#define HDMI1_STATUS 0x7704
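Review bot: the rules added in surfaceflinger.te and system_server.te grant exactly the command the denial rejects (IOCTLTEST in ioctl_macros expands to 0x00007704, which the reply above identifies as ASHMEM_GET_SIZE), so the patch silences the symptom rather than fixing the caller that issues an ashmem ioctl on a unix socket; since the reply states the denial is working as intended and points at the Parcel.cpp change, these three files should be dropped, not merged. Two smaller points if a per-command ioctl rule were ever justified: `allow` takes permission names, and per-command whitelisting is written as `allowxperm <src> <tgt>:<class> ioctl { 0x7704 };` on top of an `allow ... ioctl;` rule, and the macro should carry the command's real name rather than the placeholder IOCTLTEST so a later reader can see what is being permitted.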
iirc the ioctlcmd prints as base 10 not hex. Is that correct Jeff?

>>
>> but it does not seem to be used for an ioctl command.
>>
>> --
>> Best Regards,
>> Yongqin Liu
>> ---------------------------------------------------------------
>> #mailing list
>> linaro-andr...@lists.linaro.org
>> http://lists.linaro.org/mailman/listinfo/linaro-android
>> _______________________________________________
>> Seandroid-list mailing list
>> Seandroid-list@tycho.nsa.gov
>> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
>> To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
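The question in this thread, how to turn the `ioctlcmd=7704` token of an avc denial into a symbolic name, comes down to the Linux ioctl number layout: the low byte is the command number and the next byte is the driver's magic byte, and SELinux keys its ioctl extended permissions on those 16 bits, printed in hex. ASHMEM_GET_SIZE is `_IO(0x77, 4)`, which is 0x7704, matching the identification in the reply. The decoder below is an added example, not code from the thread, from Android or from the kernel; it takes the two denial lines quoted above as sample input. The 0x77 magic byte and the ashmem commands other than ASHMEM_GET_SIZE are assumptions taken from the ashmem uapi header rather than from the thread, as are the helper names `decode_ioctlcmd`, `parse_denial` and `misdirected_ashmem_ioctl`.

```python
import re

# ioctl command layout from include/uapi/asm-generic/ioctl.h (used by arm, arm64 and x86):
# bits 0-7 = nr, bits 8-15 = type (the driver "magic" byte), bits 16-29 = size, bits 30-31 = direction.
_IOC_NRSHIFT = 0
_IOC_TYPESHIFT = 8
_IOC_SIZESHIFT = 16
_IOC_DIRSHIFT = 30
_IOC_NONE = 0


def _IOC(direction, type_, nr, size):
    return ((direction << _IOC_DIRSHIFT) | (type_ << _IOC_TYPESHIFT)
            | (size << _IOC_SIZESHIFT) | (nr << _IOC_NRSHIFT))


def _IO(type_, nr):
    """_IO(type, nr): a command with no argument, so no size or direction bits are set."""
    return _IOC(_IOC_NONE, type_, nr, 0)


def xperm_of(cmd):
    """SELinux ioctl extended permissions are keyed on the low 16 bits (type << 8 | nr);
    that is also what the avc line prints, in hex, as ioctlcmd= (7704 means 0x7704)."""
    return cmd & 0xFFFF


ASHMEM_MAGIC = 0x77  # __ASHMEM_IO ('w') from the ashmem uapi header; assumed, not quoted in the thread

# ashmem commands defined with _IO (no argument, so no arch-dependent size byte).
# Only ASHMEM_GET_SIZE == 0x7704 is confirmed by the thread; the rest follow the same header.
KNOWN_XPERMS = {
    xperm_of(_IO(ASHMEM_MAGIC, 4)): "ASHMEM_GET_SIZE",
    xperm_of(_IO(ASHMEM_MAGIC, 6)): "ASHMEM_GET_PROT_MASK",
    xperm_of(_IO(ASHMEM_MAGIC, 9)): "ASHMEM_GET_PIN_STATUS",
    xperm_of(_IO(ASHMEM_MAGIC, 10)): "ASHMEM_PURGE_ALL_CACHES",
}

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
IOCTLCMD_RE = re.compile(r'\bioctlcmd=(0x)?([0-9A-Fa-f]+)')


def decode_ioctlcmd(token):
    """Read the ioctlcmd token as hex and split it into (type byte, nr, symbolic name or None)."""
    cmd = int(token, 16)
    type_ = (cmd >> _IOC_TYPESHIFT) & 0xFF
    nr = (cmd >> _IOC_NRSHIFT) & 0xFF
    return type_, nr, KNOWN_XPERMS.get(xperm_of(cmd))


def parse_denial(line):
    """Pull the security-relevant fields out of one avc denial line; None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["perms"] = fields["perms"].split()
    fields["pid"] = int(fields["pid"])
    c = IOCTLCMD_RE.search(line)
    if c is not None:
        type_, nr, name = decode_ioctlcmd(c.group(2))
        fields.update(ioctl_type=type_, ioctl_nr=nr, ioctl_name=name)
    return fields


def misdirected_ashmem_ioctl(fields):
    """An ashmem command issued on a socket object means the caller used the wrong fd:
    the denial points at a bug in the process, not at a missing policy rule."""
    name = fields.get("ioctl_name") or ""
    return name.startswith("ASHMEM_") and fields["tclass"].endswith("_socket")


# The two denials quoted in the thread, used here as sample input.
SAMPLE_DENIALS = [
    'avc: denied { ioctl } for pid=177 comm="Binder_2" path="socket:[10083]" dev="sockfs" '
    'ino=10083 ioctlcmd=7704 scontext=u:r:surfaceflinger:s0 tcontext=u:r:surfaceflinger:s0 '
    'tclass=unix_stream_socket permissive=0',
    'avc: denied { ioctl } for pid=465 comm="Binder_1" path="socket:[14454]" dev="sockfs" '
    'ino=14454 ioctlcmd=7704 scontext=u:r:system_server:s0 tcontext=u:r:system_server:s0 '
    'tclass=unix_stream_socket permissive=0',
]


def triage(lines):
    """Return (scontext, ioctl name, misdirected?) for every ioctl denial in the input."""
    out = []
    for line in lines:
        f = parse_denial(line)
        if f and "ioctl" in f["perms"]:
            out.append((f["scontext"], f.get("ioctl_name"), misdirected_ashmem_ioctl(f)))
    return out


if __name__ == "__main__":
    for sctx, name, bug in triage(SAMPLE_DENIALS):
        verdict = "caller bug, keep the denial" if bug else "review"
        print("%s: %s on a socket -> %s" % (sctx, name, verdict))
```

Run on the two quoted lines, `triage` reports both as ASHMEM_GET_SIZE issued on a unix_stream_socket, which is the "wrong fd" situation the reply describes; a command whose 16-bit value is not in the table comes back with name `None` so it can be looked up in the relevant driver header by magic byte and number.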