In another custom ROM build, I'm seeing the problem again where the data file for my system app is not getting created with the context I specified, attiqi_app_data_file. I'm seeing errors in logcat (see below). Am I missing allow rules for "installd"? This is what I have:

**** seapp_context ****
# process name is diagandroid.iqd
# package name is com.att.iqi
user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd
user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file

**** snippet from my te file ****
allow installd { attiqi_app_data_file }:dir { create_dir_perms relabelfrom relabelto };
allow installd { attiqi_app_data_file }:notdevfile_class_set { create_file_perms relabelfrom relabelto };

**** Errors from logcat ****
12-21 18:05:55.569   905   905 E SELinux : selinux_android_setfilecon: Error setting context for pkgdir /data/data/com.att.iqi, uid 1000: Permission denied
12-21 18:05:55.569   905   905 E installd: Failed to setfilecon /data/data/com.att.iqi: Permission denied

On Tue, Dec 6, 2016 at 12:10 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 12/06/2016 03:01 PM, Helen Chiang wrote:
> > The name of the process is "diagandroid.iqd", package name is "com.att.iqi".
> > Is this a problem?
>
> Ok, so add two entries to seapp_contexts, one to assign the domain by
> process name and the other to assign the type by package name, ala:
> user=system seinfo=platform name=diagandroid.iqd domain=attiqi_app
> user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file
>
> > On Tue, Dec 6, 2016 at 11:34 AM, Stephen Smalley <s...@tycho.nsa.gov <mailto:s...@tycho.nsa.gov>> wrote:
> > > On 12/06/2016 02:00 PM, Helen Chiang wrote:
> > > > I declared a new file type and it seems to work but when I use
> > > > ls -Z /data/data/<my-app>, it still shows
> > > > "u:object_r:system_app_data_file:s0". Its proc file /proc/<PID>/stat
> > > > shows the new file label, "u:r:attiqi_app:s0"
> > > >
> > > > bullhead:/data/data # ls -Z /proc/6795/stat
> > > > u:r:attiqi_app:s0 /proc/6795/stat
> > > >
> > > > bullhead:/data/data # ls -Zl /data/data/com.att.iqi
> > > > total 24
> > > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:38 app_iq_archive
> > > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:35 cache
> > > > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096 2016-12-06 10:35 files
> > > >
> > > > What am I missing? Is this what you'd expect?
> > > >
> > > > From seapp_contexts
> > > >
> > > > user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd type=attiqi_app_data_file
> > >
> > > The name doesn't match the /data/data name (diagandroid.iqd vs com.att.iqi)?
> > >
> > > Did you mean to omit the list from your reply?
> > >
> > > > This is what I have in the TE file for my new domain:
> > > > type attiqi_app_data_file, file_type, data_file_type;
> > > >
> > > > allow installd {
> > > >     attiqi_app_data_file
> > > > }:dir { create_dir_perms relabelfrom relabelto };
> > > >
> > > > allow installd {
> > > >     attiqi_app_data_file
> > > > }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
> > > >
> > > > allow system_server { attiqi_app_data_file }:dir { getattr read search };
> > > > allow system_server { attiqi_app_data_file }:file { getattr read write };
> > > > allow system_server attiqi_app_data_file:dir create_dir_perms;
> > > > allow system_server attiqi_app_data_file:file create_file_perms;
> > > >
> > > > type attiqi_app, domain, domain_deprecated;
> > > >
> > > > # Include all appdomain rules
> > > > app_domain(attiqi_app)
> > > > # Access the network.
> > > > net_domain(attiqi_app)
> > > > # Access bluetooth.
> > > > bluetooth_domain(attiqi_app)
> > > >
> > > > Also, what you're saying seems to imply that if I run as untrusted_app,
> > > > I can actually access /proc/<PID>/stat of any untrusted app? This also
> > > > means any 3rd party app can read /proc/<PID>/stat of another.
> > >
> > > On a conventional Linux system, /proc/pid/stat is world-readable, so
> > > apps used to be able to access any /proc/pid/stat at all. When SELinux
> > > went enforcing for all apps in Android (5.0), we could at least limit
> > > them to only being able to do it for other third party apps, and when
> > > levelFrom=user was enabled (6.0), we could limit them to doing it for
> > > other third party apps running for the same user. Then, in some version
> > > (don't remember which one), they also started mounting /proc with
> > > hidepid=2, so apps cannot see others' /proc/pid at all (unless they have
> > > AID_READPROC in their group set). Hopefully they'll eventually turn on
> > > levelFrom=all at some point too, at which point SELinux will further
> > > isolate all apps with unique category sets (not just per-user).
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
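The core of the thread is that seapp_contexts is consulted twice with different inputs: zygote picks the process domain using the process name, while installd picks the type of /data/data/<pkg> using the package name. The following is an added example, not code from the thread or from libselinux; it is a deliberately reduced model of that lookup (only user=, seinfo=, name=, domain= and type=, string-matched rather than uid-matched, with the real file's other keys and validation left out) that shows why the single original entry labels the process but not the directory, and why the two-entry form suggested in the reply labels both. The BASE_CONTEXTS line is a constructed stand-in for the stock platform-app entry.

```python
"""Simplified model of seapp_contexts matching (added example, not libselinux code).

Demonstrates: zygote looks up domain= with the process name, installd looks up
type= with the package name, so an entry keyed on name=diagandroid.iqd can never
select the label of /data/data/com.att.iqi.
"""
from dataclasses import dataclass

INPUT_KEYS = ("user", "seinfo", "name")
OUTPUT_KEYS = ("domain", "type")

# Constructed stand-in for the stock entry that labels platform apps running as
# system; a real seapp_contexts carries many more entries and keys.
BASE_CONTEXTS = "user=system seinfo=platform domain=system_app type=system_app_data_file\n"

# The single entry from the earliest message in the thread ...
ORIGINAL_ENTRY = (
    "user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd "
    "type=attiqi_app_data_file\n"
)

# ... and the two-entry form suggested in the reply.
FIXED_ENTRIES = (
    "user=system seinfo=platform name=diagandroid.iqd domain=attiqi_app\n"
    "user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file\n"
)


@dataclass
class Entry:
    inputs: dict   # selector keys (user, seinfo, name)
    outputs: dict  # assigned labels (domain, type)
    order: int     # position in the file, used to break specificity ties


def parse_seapp_contexts(text):
    """Parse key=value lines; entries with more selector keys are tried first."""
    entries = []
    for n, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        inputs, outputs = {}, {}
        for token in line.split():
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"line {n + 1}: expected key=value, got {token!r}")
            if key in INPUT_KEYS:
                inputs[key] = value
            elif key in OUTPUT_KEYS:
                outputs[key] = value
            else:
                raise ValueError(f"line {n + 1}: key {key!r} not handled by this model")
        if not inputs or not outputs:
            raise ValueError(f"line {n + 1}: entry needs a selector and an output")
        entries.append(Entry(inputs, outputs, n))
    entries.sort(key=lambda e: (-len(e.inputs), e.order))
    return entries


def _name_matches(pattern, name):
    # A trailing '*' in name= is a prefix wildcard, as in the real format.
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def lookup(entries, kind, user, seinfo, name):
    """kind='domain': name is the process name (zygote).
    kind='type': name is the package name (installd).
    An entry that does not set the requested output is skipped even when its
    selectors match, so a type= keyed on the process name never applies."""
    for e in entries:
        if kind not in e.outputs:
            continue
        if "user" in e.inputs and e.inputs["user"] != user:
            continue
        if "seinfo" in e.inputs and e.inputs["seinfo"] != seinfo:
            continue
        if "name" in e.inputs and not _name_matches(e.inputs["name"], name):
            continue
        return e.outputs[kind]
    return None


def resolve_app(text, process_name, package_name, user="system", seinfo="platform"):
    """Return (process domain, /data/data/<pkg> type) for one app."""
    entries = parse_seapp_contexts(text)
    domain = lookup(entries, "domain", user, seinfo, process_name)
    data_type = lookup(entries, "type", user, seinfo, package_name)
    return domain, data_type


if __name__ == "__main__":
    for label, text in (("original", BASE_CONTEXTS + ORIGINAL_ENTRY),
                        ("fixed", BASE_CONTEXTS + FIXED_ENTRIES)):
        domain, data_type = resolve_app(text, "diagandroid.iqd", "com.att.iqi")
        print(f"{label:8} process -> u:r:{domain}:s0   "
              f"/data/data/com.att.iqi -> u:object_r:{data_type}:s0")
```

The model only decides which label is selected. Whether installd is then allowed to apply it is a separate policy question decided by the TE allow rules (relabelfrom/relabelto on dir and file classes), and a "Permission denied" from setfilecon in enforcing mode is accompanied by an avc: denied line in dmesg or logcat whose scontext, tcontext, tclass and permission identify the missing rule.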