* Patches to target denies of GpsLocationProvider and media_app over mtp_device
From: hqjiang @ 2012-07-11 22:39 UTC
  To: selinux; +Cc: sds, bill.c.roberts

One thing should be paid attention to here:
We add a new entry of "user=app_* name=android.process.media domain=media_app levelFromUid=true" to the seapp_contexts file.
One would say it's unnecessary because there's already one policy "user=app_* seinfo=media domain=media_app levelFromUid=true".
But the thing is that the seinfo of "android.process.media" is not media.

If you have better ideas, please let us know. And we can resubmit the refined patches later.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH] Correct the denies of android.process.media when accessing to mtp_device
From: hqjiang @ 2012-07-11 22:39 UTC
  To: selinux; +Cc: sds, bill.c.roberts, hqjiang

---
 seapp_contexts |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/seapp_contexts b/seapp_contexts
index 502206a..1e98f91 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
 user=app_* seinfo=media domain=media_app levelFromUid=true
 user=app_* seinfo=release domain=release_app levelFromUid=true
 user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
+user=app_* name=android.process.media domain=media_app levelFromUid=true
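Review bot: the added entry selects on name= alone and carries no seinfo=, unlike the com.android.browser entry directly above it, which pairs name=com.android.browser with seinfo=release. As written it can match an app_* process named android.process.media whatever seinfo that process was assigned, so a wrong or missing seinfo for the package is hidden rather than fixed. If a name-based entry is really needed, pair it with the seinfo the package is actually assigned; otherwise the existing "user=app_* seinfo=media domain=media_app levelFromUid=true" entry should already cover it once the seinfo is right.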
-- 
1.7.0.4



* [PATCH] GPSLocation Provider needs socket connection
From: hqjiang @ 2012-07-11 22:39 UTC
  To: selinux; +Cc: sds, bill.c.roberts, hqjiang

---
 system.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/system.te b/system.te
index 1a94c75..f35e9a2 100644
--- a/system.te
+++ b/system.te
@@ -192,3 +192,6 @@ allow system domain:file r_file_perms;
 # to uart driver and ctrl proc entry
 allow system gps_device:chr_file rw_file_perms;
 allow system gps_control:file rw_file_perms;
+
+# GpsLocationProvider Connection
+allow system rild:unix_stream_socket connectto;
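Review bot: the added rule grants only connectto on rild:unix_stream_socket and nothing on the socket file; if the socket is bound to a path, the client also needs write access to the sock_file type, which is not granted in this hunk. Say which socket GpsLocationProvider connects to and which type its file carries, and add the matching sock_file rule (or use a macro that emits both rules) so the two permissions stay together.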
-- 
1.7.0.4



* Re: Patches to target denies of GpsLocationProvider and media_app over mtp_device
From: Robert Craig @ 2012-07-12 10:13 UTC
  To: hqjiang; +Cc: selinux, sds, bill.c.roberts

What branch are you on? I have a build of master that has
android.process.media labeled as

u:r:media_app:s0:c10

which would suggest to me that the seinfo string is media. If your
android.process.media is not being labeled as media, then what is its
label? There was a brief period on the master branch that the
mac_permissions.xml file was wrong because of some updates on Jelly Bean
permissions needed by some of the apps. Specifically the MediaProvider.
Are you seeing any "MMAC_DENIAL" messages in logcat for any media apps
during install?

I would try to re-sync on master and see what happens.




On Wed, Jul 11, 2012 at 6:39 PM, hqjiang <hqjiang1988@gmail.com> wrote:

> One thing should be paid attention to here:
> We add a new entry of "user=app_* name=android.process.media
> domain=media_app levelFromUid=true" to the seapp_contexts file.
> One would say it's unnecessary because there's already one policy
> "user=app_* seinfo=media domain=media_app levelFromUid=true".
> But the thing is that the seinfo of "android.process.media" is not media.
>
> If you have better ideas, please let us know. And we can resubmit the
> refined patches later.


* Re: [PATCH] Correct the denies of android.process.media when accessing to mtp_device
From: Stephen Smalley @ 2012-07-12 13:35 UTC
  To: hqjiang; +Cc: selinux, bill.c.roberts

On Wed, 2012-07-11 at 15:39 -0700, hqjiang wrote:
> ---
>  seapp_contexts |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/seapp_contexts b/seapp_contexts
> index 502206a..1e98f91 100644
> --- a/seapp_contexts
> +++ b/seapp_contexts
> @@ -38,3 +38,4 @@ user=app_* seinfo=shared domain=shared_app levelFromUid=true
>  user=app_* seinfo=media domain=media_app levelFromUid=true
>  user=app_* seinfo=release domain=release_app levelFromUid=true
>  user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
> +user=app_* name=android.process.media domain=media_app levelFromUid=true
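Review bot: the patch records nowhere what was actually denied: the commit body above the diffstat is empty and the new seapp_contexts line is appended without a comment. Include the avc denial for mtp_device and the security context android.process.media was running in when it occurred, so a reviewer can tell whether the entry is needed or whether the seinfo assignment is at fault.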

android.process.media was correctly labeled for us on the Xoom.  Need to
track down the real cause of the problem (if it persists after a
re-sync), not just hide it via configuration.

-- 
Stephen Smalley
National Security Agency
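
The concern in the reply above, as an added sketch (not code from this thread or from the SE Android tree): a small seapp_contexts matcher over the entries visible in the quoted hunk, showing that the name-only entry still selects media_app when the seinfo is wrong. It assumes the basic selector semantics (an unspecified selector matches any value, a trailing * on user= is a prefix match, all specified selectors must match), does not model precedence between matching entries, and the seinfo value "unexpected" is constructed.

```python
# Added example: which seapp_contexts entries can select a given process?
# Assumed semantics: an unspecified selector matches anything, a trailing '*'
# on user= is a prefix match, and all specified selectors must match.
# Precedence between several matching entries is NOT modelled.

# Entries visible in the hunk quoted above.
BASELINE = """\
user=app_* seinfo=media domain=media_app levelFromUid=true
user=app_* seinfo=release domain=release_app levelFromUid=true
user=app_* seinfo=release name=com.android.browser domain=browser_app levelFromUid=true
"""
# The entry the patch proposes to add.
PROPOSED = "user=app_* name=android.process.media domain=media_app levelFromUid=true\n"

INPUT_SELECTORS = ("user", "seinfo", "name")


def parse(text):
    """Turn seapp_contexts text into a list of {key: value} entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            entries.append(dict(tok.split("=", 1) for tok in line.split()))
    return entries


def selects(entry, proc):
    """True if every selector the entry specifies matches the process."""
    for key in INPUT_SELECTORS:
        want = entry.get(key)
        if want is None:
            continue  # unspecified selector: matches any value
        have = proc.get(key, "")
        if key == "user" and want.endswith("*"):
            if not have.startswith(want[:-1]):
                return False
        elif want != have:
            return False
    return True


def candidate_domains(text, proc):
    """Domains of all entries that could select this process."""
    return [e["domain"] for e in parse(text) if selects(e, proc)]


# Constructed process: right name, but an seinfo that is not "media".
mislabeled = {"user": "app_10", "seinfo": "unexpected", "name": "android.process.media"}
print("baseline:", candidate_domains(BASELINE, mislabeled))
print("patched: ", candidate_domains(BASELINE + PROPOSED, mislabeled))
```

With the baseline entries the mislabeled process matches nothing, which is the symptom worth investigating; with the proposed entry it lands in media_app and the wrong seinfo goes unnoticed.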



* Re: [PATCH] GPSLocation Provider needs socket connection
From: Stephen Smalley @ 2012-07-12 13:36 UTC
  To: hqjiang; +Cc: selinux, bill.c.roberts

On Wed, 2012-07-11 at 15:39 -0700, hqjiang wrote:
> ---
>  system.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/system.te b/system.te
> index 1a94c75..f35e9a2 100644
> --- a/system.te
> +++ b/system.te
> @@ -192,3 +192,6 @@ allow system domain:file r_file_perms;
>  # to uart driver and ctrl proc entry
>  allow system gps_device:chr_file rw_file_perms;
>  allow system gps_control:file rw_file_perms;
> +
> +# GpsLocationProvider Connection
> +allow system rild:unix_stream_socket connectto;
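Review bot: the comment on the added rule names GpsLocationProvider, but the rule's source is the whole system domain and its target is any unix_stream_socket labeled rild, so the grant is wider than the comment suggests. State in the comment which rild socket is meant and why the location provider needs it, so the rule can be narrowed or audited later.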

This should be written using the unix_socket_connect() macro, which
takes three arguments: clientdomain, sockettype, serverdomain.  What
type is assigned to the socket file?

-- 
Stephen Smalley
National Security Agency


