On Dec 21, 2016 9:35 PM, "Helen Chiang" <chiangh...@gmail.com> wrote:

In another custom ROM build, I'm seeing problem again where the data file
for my system app is not getting created with the context
I specified, attiqi_app_data_file. I'm seeing errors in logcat (see below).
Am I missing allow rules for "installd" ? This is what I have:

**** seapp_contexts ****
# process name is diagandroid.iqd
# package name is com.att.iqi

user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd

user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file


**** snippet from my te file ****

allow installd {
    attiqi_app_data_file
}:dir { create_dir_perms relabelfrom relabelto };

allow installd {
    attiqi_app_data_file
}:notdevfile_class_set { create_file_perms relabelfrom relabelto };


**** Errors from logcat ****

12-21 18:05:55.569   905   905 E SELinux : selinux_android_setfilecon: Error setting context for pkgdir /data/data/com.att.iqi, uid 1000: Permission denied

12-21 18:05:55.569   905   905 E installd: Failed to setfilecon /data/data/com.att.iqi: Permission denied


Did you get any avc: denied messages?



On Tue, Dec 6, 2016 at 12:10 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

> On 12/06/2016 03:01 PM, Helen Chiang wrote:
> > The name of the process is "diagandroid.iqd", package name is
> > "com.att.iqi".
> > Is this a problem?
>
> Ok, so add two entries to seapp_contexts, one to assign the domain by
> process name and the other to assign the type by package name, ala:
> user=system seinfo=platform name=diagandroid.iqd domain=attiqi_app
> user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file
>
> >
> > On Tue, Dec 6, 2016 at 11:34 AM, Stephen Smalley <s...@tycho.nsa.gov
> > <mailto:s...@tycho.nsa.gov>> wrote:
> >
> >     On 12/06/2016 02:00 PM, Helen Chiang wrote:
> >     > I declared a new file type and it seems to work but when I use
> >     > ls -Z /data/data/<my-app>, it still shows
> >     > "u:object_r:system_app_data_file:s0". Its proc file
> >     > /proc/<PID>/stat shows the new file label, "u:r:attiqi_app:s0"
> >     >
> >     > bullhead:/data/data # ls -Z /proc/6795/stat
> >     > u:r:attiqi_app:s0 /proc/6795/stat
> >     >
> >     >
> >     > bullhead:/data/data # ls -Zl /data/data/com.att.iqi
> >     > total 24
> >     >
> >     > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096
> >     > 2016-12-06 10:38 app_iq_archive
> >     > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096
> >     > 2016-12-06 10:35 cache
> >     > drwxrwx--x 2 system system u:object_r:system_app_data_file:s0 4096
> >     > 2016-12-06 10:35 files
> >     >
> >     >
> >     > What am I missing? Is this what you'd expect?
> >     >
> >     > From seapp_contexts
> >     >
> >     > user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd
> >     > type=attiqi_app_data_file
> >
> >     The name doesn't match the /data/data name (diagandroid.iqd vs
> >     com.att.iqi)?
> >     Did you mean to omit the list from your reply?
> >
> >     >
> >     >
> >     > This is what I have in the TE file for my new domain:
> >     > type attiqi_app_data_file, file_type, data_file_type;
> >     >
> >     > allow installd {
> >     >     attiqi_app_data_file
> >     > }:dir { create_dir_perms relabelfrom relabelto };
> >     >
> >     > allow installd {
> >     >     attiqi_app_data_file
> >     > }:notdevfile_class_set { create_file_perms relabelfrom relabelto };
> >     >
> >     > allow system_server { attiqi_app_data_file }:dir { getattr read search };
> >     > allow system_server { attiqi_app_data_file }:file { getattr read write };
> >     > allow system_server attiqi_app_data_file:dir create_dir_perms;
> >     > allow system_server attiqi_app_data_file:file create_file_perms;
> >     >
> >     >
> >     > type attiqi_app, domain, domain_deprecated;
>
> >     >
> >     > # Include all appdomain rules
> >     > app_domain(attiqi_app)
> >     > # Access the network.
> >     > net_domain(attiqi_app)
> >     > # Access bluetooth.
> >     > bluetooth_domain(attiqi_app)
>
> >     >
> >     >     > Also, what you're saying seems to imply that if I run as
> >     >     > untrusted_app, I can actually access /proc/<PID>/stat of any
> >     >     > untrusted app? This also means any 3rd party app can read
> >     >     > /proc/<PID>/stat of another.
> >     >
> >     >     On a conventional Linux system, /proc/pid/stat is world-readable,
> >     >     so apps used to be able to access any /proc/pid/stat at all. When
> >     >     SELinux went enforcing for all apps in Android (5.0), we could at
> >     >     least limit them to only being able to do it for other third party
> >     >     apps, and when levelFrom=user was enabled (6.0), we could limit
> >     >     them to doing it for other third party apps running for the same
> >     >     user.  Then, in some version (don't remember which one), they also
> >     >     started mounting /proc with hidepid=2, so apps cannot see others'
> >     >     /proc/pid at all (unless they have AID_READPROC in their group
> >     >     set).  Hopefully they'll eventually turn on levelFrom=all at some
> >     >     point too, at which point SELinux will further isolate all apps
> >     >     with unique category sets (not just per-user).
> >     >
> >     >
> >
> >
>
>

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to
seandroid-list-requ...@tycho.nsa.gov.
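The point Stephen makes in the quoted exchange (Zygote assigns the process domain by matching the process name, while installd assigns the data directory type by matching the package name, so a single seapp_contexts line keyed on diagandroid.iqd never fires for the type lookup of com.att.iqi) can be checked offline with a small model of the selection rules. The following is an added example, not code from this thread or from libselinux; it is my own simplified reimplementation of the seapp_context_lookup matching rules as I understand them (an assumption, not a copy of the real code): an entry matches only if every input key it specifies (user, seinfo, name) equals the caller's value, entries that specify more input keys take precedence, a domain lookup skips entries without domain=, and a type lookup skips entries without type=. The seapp_contexts text and the generic `user=system seinfo=platform domain=system_app type=system_app_data_file` fallback line are constructed for the example.

```python
"""Model of seapp_contexts selection: domain by process name, type by package name.

Added example, not libselinux code. The matching rules below are an
assumption about how seapp_context_lookup behaves, simplified for illustration.
"""

# Constructed seapp_contexts content. Line 1 stands in for the generic platform
# system-app line; line 2 is the single combined entry from the thread.
SEAPP_CONTEXTS_ORIGINAL = """
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd type=attiqi_app_data_file
"""

# Same fallback line plus the two entries Stephen suggested: one keyed on the
# process name for the domain, one keyed on the package name for the type.
SEAPP_CONTEXTS_FIXED = """
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform domain=attiqi_app name=diagandroid.iqd
user=system seinfo=platform name=com.att.iqi type=attiqi_app_data_file
"""

INPUT_KEYS = ("user", "seinfo", "name")   # keys matched against the caller's input
OUTPUT_KEYS = ("domain", "type")          # keys that produce the label


def parse(text):
    """Parse key=value lines into dicts, most specific entries first."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entries.append(dict(tok.split("=", 1) for tok in line.split()))
    # Entries that constrain more input keys win; the sort is stable, so file
    # order is kept among equally specific entries (assumed behaviour).
    entries.sort(key=lambda e: -sum(k in e for k in INPUT_KEYS))
    return entries


def lookup(entries, kind, user, seinfo, name):
    """kind is 'domain' (Zygote passes the process name) or 'type'
    (installd passes the package name). Returns the matched value or None."""
    assert kind in OUTPUT_KEYS
    query = {"user": user, "seinfo": seinfo, "name": name}
    for e in entries:
        if kind not in e:
            continue  # an entry with no domain= cannot answer a domain lookup, etc.
        if all(e[k] == query[k] for k in INPUT_KEYS if k in e):
            return e[kind]
    return None


def label_app(text, user, seinfo, process_name, package_name):
    """Return (process context, data-dir context) as the two lookups would yield."""
    entries = parse(text)
    domain = lookup(entries, "domain", user, seinfo, process_name)
    ftype = lookup(entries, "type", user, seinfo, package_name)
    return (f"u:r:{domain}:s0" if domain else None,
            f"u:object_r:{ftype}:s0" if ftype else None)


if __name__ == "__main__":
    for title, text in (("original", SEAPP_CONTEXTS_ORIGINAL),
                        ("fixed", SEAPP_CONTEXTS_FIXED)):
        proc, data = label_app(text, "system", "platform",
                               "diagandroid.iqd", "com.att.iqi")
        print(f"{title:8s} process={proc}  /data/data/com.att.iqi={data}")
```

With the original single entry the model yields `u:r:attiqi_app:s0` for the process but `u:object_r:system_app_data_file:s0` for the package directory, which is exactly the `ls -Z` output quoted above; with the two-entry version both lookups resolve to the custom labels. Note that this only covers labelling at install time; the later `setfilecon` denial in the Dec 21 message is a separate question about installd's permissions, which is why the AVC denial lines are needed to diagnose it.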