I have a similar situation. We're customizing AOSP (Marshmallow and Nougat) and developing a device diagnostic service that runs as "system" user and installed as a privileged app. The use cases of this app is to read /proc/<PID>/stat periodically for overall OS process information. In principal, this app should be able to access everything that a system_app would, in addition to /proc/<PID>/stat. It also creates and access shared memory and unix sockets. Your previous answer implied that it would be insecure to make "system_app" a mlstrustedsubject. So, I want to create a new domain that has all the access as system_app and priv_app + mlstrustedsubject. Is there a way to do this without copying and pasting the rules directly from system_app and priv_app te files? Also, what allow rules are needed for shared memory and socket r/w ?
For DAC, I'm able to add AID_READPROC group to the app via a new permission in platform.xml. For access to /proc/<PID>/stat, I created a new domain as follows: 1. mac_permissions.xml <signer signature="@PLATFORM" > <package name="com.mydiag.app"> <seinfo value="mydiag" /> </package> </signer> 2. seapp_contexts user=system seinfo=mydiag domain=trusted_diag type=app_data_file levelFrom=user 3. trusted_diag.te type trusted_diag, domain, domain_deprecated; # Include all appdomain rules app_domain(trusted_diag) # Access the network. net_domain(trusted_diag) # Access bluetooth. bluetooth_domain(trusted_diag) # Access /proc/<PID>/stat files for metrics typeattribute trusted_diag mlstrustedsubject; r_dir_file(trusted_diag, system_app) r_dir_file(trusted_diag, platform_app) r_dir_file(trusted_diag, priv_app) r_dir_file(trusted_diag, untrusted_app) r_dir_file(trusted_diag, radio) [+ COPY LINES FROM system_app.te] On Thu, Dec 1, 2016 at 7:24 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 12/01/2016 07:07 AM, ני ס wrote: > > I have a java service app running as system. it tries to open > > /proc/<PID>/stat file of an untrusted_app using it, > > and I get this error: > > *type=1400 audit(1464336899.711:510): avc: denied { search } for > > pid=9929 comm="Binder_3" name="9886" dev="proc" ino=104925 > > scontext=u:r:system_app:s0 tcontext=u:r:untrusted_app:s0:c512,c768 > > tclass=dir permissive=0 > > *It seems that system_app lacks the permissions to view the > > untrusted_app dir. > > How can it be? > > Did I miss something? > > Note that when I connect as system (su system) I am able to read the > > file /proc/PID/stat of the untrusted_app > > su system doesn't put you into the system_app domain, so it isn't > reflective of what is allowed to a system app. > > The first question is why is your app trying to read /proc/PID/stat of > an untrusted app, since that may itself reflect a security problem. > > I believe that the above would be denied by both the default TE policy > (i.e. there is no allow system_app untrusted_app:dir search; rule in > system_app.te, nor any allow system_app untrusted_app:file > r_file_perms;), and the MLS constraints (i.e. the system app runs at s0 > while the untrusted app runs at s0:c512,c768, so the system app cannot > read or write to the /proc/pid files of the untrusted app under the > rules specified in the mls file; to do so, you would need to make > system_app a mlstrustedsubject, which should be avoided if possible). > > Also, this would also be denied by DAC in current Android due to /proc > being mounted with hidepid=2 unless your app also has AID_READPROC in > its group set. You didn't mention your Android version. > _______________________________________________ > Seandroid-list mailing list > Seandroid-list@tycho.nsa.gov > To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. > To get help, send an email containing "help" to > seandroid-list-requ...@tycho.nsa.gov.
_______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.