Re: Failed to perform read/write operation from /hardware/qcom/audio/post_proc/volume_listener.c

2018-05-30 Thread Jeffrey Vander Stoep via Seandroid-list
source.android.com has a number of resources
https://source.android.com/security/selinux/ including a quick-start guide
on writing device-specific policy for Android
https://source.android.com/security/selinux/device-policy.

On Wed, May 30, 2018 at 7:22 AM Mantesh Eksambe <mantesh.eksambe@gmail.com> wrote:

> Thank you sir.
>
> I would like to learn in detail about Android SELinux. Could you please
> suggest the correct reference for that?
>
>
> On Tue, May 29, 2018 at 7:12 PM, Stephen Smalley wrote:
>
>> On 05/27/2018 09:08 AM, Mantesh Eksambe wrote:
>> > Hi,
>> >
>> > I want to perform a file read/write operation from the
>> > /hardware/qcom/audio/post_proc/volume_listener.c effect file
>> > (http://androidxref.com/8.0.0_r4/xref/hardware/qcom/audio/post_proc/volume_listener.c).
>> > I have created a directory at /data/vendor/misc/my_dir.
>> > So I want to write effect data from volume_listener.c to my directory.
>> >
>> > As per my understanding, the post_proc effect comes under the hal_audio_default
>> > domain. So I have added "allow hal_audio_default system_data_file:file {
>> > write create };" to the hal_audio.te file. But after adding it I'm facing the
>> > following issue while building AOSP:
>> >
>> > NOTE - I'm working on Android Oreo.
>> >
>> > Error -
>> >
>> > libsepol.report_failure: neverallow on line 856 of
>> system/sepolicy/public/domain.te (or line 9111 of policy.conf) violated by
>> allow hal_audio_default system_data_file:file { write create };
>> >
>> > I hope you understand my issue. Please help me to solve it.
>> > Please find the build log attached for more clarity.
>>
>> You need to define a type other than system_data_file and assign it to
>> your directory via file_contexts so that your process only needs
>> create/write to your own type and not arbitrary system data files.
>>
>>
> ___
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to
> seandroid-list-requ...@tycho.nsa.gov.
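
As an added example (not code from anyone in the thread), here is what the device-specific policy Stephen describes would look like: a dedicated type for /data/vendor/misc/my_dir, the file_contexts entry that assigns it, and the rules hal_audio_default then needs instead of write/create on system_data_file. The type name hal_audio_effect_data_file, the device/<vendor>/<device>/sepolicy paths, the init script name and the audio user/group are assumptions.

```selinux
# --- device/<vendor>/<device>/sepolicy/file.te  (assumed device-policy path)
# A dedicated type for the effect data. Because the neverallow reported in the
# build log is violated by an allow on system_data_file, granting the HAL
# access to a type of our own does not trip it, and the HAL gains no access
# to any other system data file.
type hal_audio_effect_data_file, file_type, data_file_type;

# --- device/<vendor>/<device>/sepolicy/file_contexts
# file_contexts matching is longest-prefix, so this entry takes precedence
# over any broader /data or /data/vendor entry for exactly this subtree.
# Files created below it inherit the label of the parent directory.
/data/vendor/misc/my_dir(/.*)?    u:object_r:hal_audio_effect_data_file:s0

# --- device/<vendor>/<device>/sepolicy/hal_audio.te
# Only what volume_listener.c needs: search/add entries in the directory,
# and create/open/write files inside it.
allow hal_audio_default hal_audio_effect_data_file:dir rw_dir_perms;
allow hal_audio_default hal_audio_effect_data_file:file create_file_perms;

# --- device/<vendor>/<device>/init.<device>.rc  (assumed init script)
# Let init create the directory at boot. init applies the file_contexts label
# when it creates a directory, so no restorecon step is required for a fresh
# install. The audio user/group is an assumption about the HAL's uid.
on post-fs-data
    mkdir /data/vendor/misc/my_dir 0770 audio audio
```

After booting the new policy, `ls -Z /data/vendor/misc/my_dir` should report hal_audio_effect_data_file; a directory that already existed before the policy change keeps its old label until it is relabelled with restorecon, and the original neverallow failure will then no longer appear in the build.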

Re: Questions about execution binary from /data.

2018-04-02 Thread Jeffrey Vander Stoep via Seandroid-list
Hi Han,

Privileged system components such as system_app are disallowed from
executing content off the read-write /data partition because it is less
trusted than dm-verity protected read-only partitions such as /system. I
recommend you put your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN wrote:

> Hi everyone,
>
> My system_app needs to execute a python binary to run a python script.
>
> So I copied the binary into the path "/data/misc/user/0/python"
>
> but execution is blocked by the neverallow below.
>
> Where should I put my python binary?
>
> Are there any areas that are most commonly used in this case?
>
> http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
>
> --
> # Blacklist app domains not allowed to execute from /data
> neverallow {
>   bluetooth
>   isolated_app
>   nfc
>   radio
>   shared_relro
>   system_app
> } {
>   data_file_type
>   -dalvikcache_data_file
>   -system_data_file # shared libs in apks
>   -apk_data_file
> }:file no_x_file_perms;
> --
>
> Thanks.
>
> HAN
>