* updates from Haiqing Jiang on Jul. 19
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts

I have several updates here, waiting for your insightful comments.

1: [PATCH 1/6] external/sepolicy: allow media_app more permissions on sdcard
Currently media_app has merely create_file_perms. We add link_file_perms.
2: [PATCH 2/6] external/sepolicy: mediaserver open application data files
mediaserver has the open permission over app_data_file.
3: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
mediaserver talks to the radio-level daemon via udp_stream_socket.
4: [PATCH 4/6] external/sepolicy: system talk to rild via socket
Talk to rild via socket.
5: [PATCH 5/6] external/sepolicy: allow media_app read to application data files
Allow media_app r_file_perms over app_data_file.
6: [PATCH 6/6] external/sepolicy: android_cts test denials
We got several denials from the CTS test. We add the corresponding policies in cts.te.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* [PATCH 1/6] external/sepolicy: allow media_app more permissions on sdcard
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 app.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/app.te b/app.te
index 0866e95..a5ff295 100644
--- a/app.te
+++ b/app.te
@@ -41,7 +41,7 @@ allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
 # Access sdcard.
 allow media_app sdcard:dir create_dir_perms;
-allow media_app sdcard:file create_file_perms;
+allow media_app sdcard:file { create_file_perms link_file_perms };
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow media_app qtaguid_proc:file rw_file_perms;
 allow media_app qtaguid_device:chr_file r_file_perms;
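Review bot: the added `link_file_perms` in `+allow media_app sdcard:file { create_file_perms link_file_perms };` changes nothing, because `create_file_perms` already expands to include `link_file_perms` (alongside create, setattr and rw_file_perms), so the hunk should be dropped as a no-op. If a real denial on sdcard files prompted it, the patch needs a commit message quoting that AVC record, since whatever permission was actually missing cannot be one of the link permissions.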
-- 
1.7.0.4




* [PATCH 2/6] external/sepolicy: mediaserver open application data files
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 mediaserver.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/mediaserver.te b/mediaserver.te
index 057e39d..d3f0334 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -25,6 +25,7 @@ allow mediaserver sysfs:file rw_file_perms;
 # XXX Why?
 allow mediaserver apk_data_file:file { read getattr };
 allow mediaserver ion_device:chr_file rw_file_perms;
+allow mediaserver app_data_file:file open;
 
 # To use remote processor
 allow mediaserver rpmsg_device:chr_file rw_file_perms;
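Review bot: `+allow mediaserver app_data_file:file open;` grants `open` in isolation, which is not useful without `read` and `getattr` on the same type; if mediaserver genuinely reads app data files, express it as one rule such as `allow mediaserver app_data_file:file r_file_perms;` (merged with any existing app_data_file rule) rather than a bare `open`. The new line also sits under the `# XXX Why?` comment that belongs to the apk_data_file rule, and the patch has no description: quote the AVC denial so a reviewer can tell whether `open` really was the only permission missing.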
-- 
1.7.0.4




* [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 mediaserver.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/mediaserver.te b/mediaserver.te
index d3f0334..6dd4d4a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -40,3 +40,6 @@ allow mediaserver camera_calibration_file:file r_file_perms;
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Talk to rild via socket
+unix_socket_connect(mediaserver, rild, rild)
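Review bot: `+unix_socket_connect(mediaserver, rild, rild)` expands to `write` on rild_socket:sock_file plus `connectto` on rild's unix_stream_socket, opening a channel from the media server to the radio daemon that, as the review of this patch notes, was previously reachable only from the radio domain, and the patch carries no commit message justifying it. Include the AVC record: the one posted later in this thread shows path=004D756C7469636C69656E74, a NUL-prefixed name (an abstract socket, "\0Multiclient"), not a socket file, so the DAC argument about a 660 root radio socket file does not settle it, and the rule needs a justification tied to that particular socket and to why a binder thread in mediaserver connects to it.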
-- 
1.7.0.4




* [PATCH 4/6] external/sepolicy: system talk to rild via socket
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 system.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/system.te b/system.te
index 5c34f81..1a25fd3 100644
--- a/system.te
+++ b/system.te
@@ -107,6 +107,7 @@ unix_socket_connect(system, dbus, dbusd)
 unix_socket_connect(system, gps, gpsd)
 unix_socket_connect(system, bluetooth, bluetoothd)
 unix_socket_send(system, wpa, wpa)
+unix_socket_connect(system, rild, rild)
 
 # Communicate over a socket created by surfaceflinger.
 allow system surfaceflinger:unix_stream_socket { read write setopt };
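Review bot: `+unix_socket_connect(system, rild, rild)` gives everything in the `system` domain `connectto` on rild's socket and `write` on rild_socket:sock_file, and the patch says nothing about which component hit the denial. The reply in this thread attributes it to GpsLocationProvider, which runs as system; state that in the commit message together with the AVC record, and explain why the neighbouring `unix_socket_connect(system, gps, gpsd)` path is not the one GPS uses before access to the radio daemon is widened for the whole domain.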
-- 
1.7.0.4




* [PATCH 5/6] external/sepolicy: allow media_app read to application data files
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 app.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/app.te b/app.te
index a5ff295..06da29b 100644
--- a/app.te
+++ b/app.te
@@ -45,6 +45,8 @@ allow media_app sdcard:file { create_file_perms link_file_perms };
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow media_app qtaguid_proc:file rw_file_perms;
 allow media_app qtaguid_device:chr_file r_file_perms;
+# Read to app_data_file
+allow media_app app_data_file:file r_file_perms;
 # Apps signed with the shared key.
 type shared_app, domain;
 app_domain(shared_app)
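Review bot: `+allow media_app app_data_file:file r_file_perms;` is redundant: media_app is an app domain, and app.te already carries `allow appdomain app_data_file:notdevfile_class_set create_file_perms;` (quoted in the review of this patch), which covers every permission in r_file_perms. A denial that still occurred therefore did not come from TE; an MLS category mismatch between the app's context and the file's is the likely cause, and an extra TE allow rule will not change that outcome. Drop the hunk and put the full AVC record, including the category suffix of scontext and tcontext, in the commit message.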
-- 
1.7.0.4




* [PATCH 6/6] external/sepolicy: android_cts test denials
From: Haiqing Jiang @ 2012-07-19 23:07 UTC (permalink / raw)
  To: selinux; +Cc: sds, bill.c.roberts, Haiqing Jiang

---
 cts.te |   21 +++++++++++++++++++++
 1 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/cts.te b/cts.te
index 3600e94..08b770e 100644
--- a/cts.te
+++ b/cts.te
@@ -39,4 +39,25 @@ dontaudit appdomain self:netlink_kobject_uevent_socket create;
 
 # Tries to override DAC restrictions but expects to fail.
 dontaudit shell self:capability dac_override;
+
+# CTS test denials
+# Allow CTS test apks access to apk_tmp_file and shell_data_file
+allow appdomain apk_tmp_file:file rw_file_perms;
+allow appdomain shell_data_file:file r_file_perms;
+# Allow CTS test apks socket permissions (for testing networking functions (e.g., bluetooth))
+allow untrusted_app self:socket { bind create setopt shutdown listen };
+# Allow CTS Test apks to access to app/system_data_file
+allow appdomain app_data_file:file r_file_perms;
+allow appdomain system_data_file:file { x_file_perms open };
+# android.permission test denies
+allow appdomain block_device:lnk_file r_file_perms;
+allow appdomain cgroup:dir w_file_perms;
+allow appdomain media_app:lnk_file r_file_perms;
+allow appdomain radio_device:lnk_file r_file_perms;
+allow appdomain untrusted_app:lnk_file r_file_perms;
+allow appdomain zygote:netlink_selinux_socket getattr;
+# android.security test deny
+allow appdomain untrusted_app:netlink_route_socket { read bind create };
+# android.util test deny
+allow appdomain log_device:chr_file r_file_perms;
 }
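Review bot: every rule in this hunk is attached to `appdomain` (or untrusted_app), so each one widens the production policy for all apps to make a test pass: `+allow appdomain system_data_file:file { x_file_perms open };` lets any app execute files labelled system_data_file, and `+allow appdomain apk_tmp_file:file rw_file_perms;` lets any app modify APK temp files. The policy already provides for these cases, as the review points out: platform_app has the apk_tmp_file and shell_data_file access, and the app_ndk and app_bluetooth booleans cover the system_data_file execute and the raw socket permissions, so label the CTS packages into the right domain or toggle those booleans for the test run instead. Smaller points: `+allow appdomain cgroup:dir w_file_perms;` applies the file macro to a dir (w_dir_perms is the dir one); the media_app and untrusted_app lnk_file rules duplicate `allow appdomain domain:{ file lnk_file } r_file_perms;` already in cts.te, and the block_device and radio_device ones generalise to dev_type; `+allow appdomain app_data_file:file r_file_perms;` is already granted and will not cure an MLS denial; and the comments should read "denials" rather than "denies".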
-- 
1.7.0.4




* Re: [PATCH 1/6] external/sepolicy: allow media_app more permissions on sdcard
From: Stephen Smalley @ 2012-07-23 13:22 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  app.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/app.te b/app.te
> index 0866e95..a5ff295 100644
> --- a/app.te
> +++ b/app.te
> @@ -41,7 +41,7 @@ allow media_app cache_file:dir rw_dir_perms;
>  allow media_app cache_file:file create_file_perms;
>  # Access sdcard.
>  allow media_app sdcard:dir create_dir_perms;
> -allow media_app sdcard:file create_file_perms;
> +allow media_app sdcard:file { create_file_perms link_file_perms };
>  # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
>  allow media_app qtaguid_proc:file rw_file_perms;
>  allow media_app qtaguid_device:chr_file r_file_perms;

create_file_perms already contains link_file_perms, so this does
nothing.

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 2/6] external/sepolicy: mediaserver open application data files
From: Stephen Smalley @ 2012-07-23 13:23 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  mediaserver.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/mediaserver.te b/mediaserver.te
> index 057e39d..d3f0334 100644
> --- a/mediaserver.te
> +++ b/mediaserver.te
> @@ -25,6 +25,7 @@ allow mediaserver sysfs:file rw_file_perms;
>  # XXX Why?
>  allow mediaserver apk_data_file:file { read getattr };
>  allow mediaserver ion_device:chr_file rw_file_perms;
> +allow mediaserver app_data_file:file open;
>  
>  # To use remote processor
>  allow mediaserver rpmsg_device:chr_file rw_file_perms;

If this is required, then merge it into the existing allow rule for
app_data_file, at which point you can just use r_file_perms;
-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
From: Stephen Smalley @ 2012-07-23 13:26 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  mediaserver.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/mediaserver.te b/mediaserver.te
> index d3f0334..6dd4d4a 100644
> --- a/mediaserver.te
> +++ b/mediaserver.te
> @@ -40,3 +40,6 @@ allow mediaserver camera_calibration_file:file r_file_perms;
>  # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
>  allow mediaserver qtaguid_proc:file rw_file_perms;
>  allow mediaserver qtaguid_device:chr_file r_file_perms;
> +
> +# Talk to rild via socket
> +unix_socket_connect(mediaserver, rild, rild)

Hmm...it used to be that only radio could connect to rild.
socket perms are 660 root radio, and mediaserver runs as media.
Doesn't seem like this is possible even under DAC.  Clarification
requested?

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 4/6] external/sepolicy: system talk to rild via socket
From: Stephen Smalley @ 2012-07-23 13:28 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  system.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/system.te b/system.te
> index 5c34f81..1a25fd3 100644
> --- a/system.te
> +++ b/system.te
> @@ -107,6 +107,7 @@ unix_socket_connect(system, dbus, dbusd)
>  unix_socket_connect(system, gps, gpsd)
>  unix_socket_connect(system, bluetooth, bluetoothd)
>  unix_socket_send(system, wpa, wpa)
> +unix_socket_connect(system, rild, rild)
>  
>  # Communicate over a socket created by surfaceflinger.
>  allow system surfaceflinger:unix_stream_socket { read write setopt };

Same as prior one.

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 5/6] external/sepolicy: allow media_app read to application data files
From: Stephen Smalley @ 2012-07-23 13:29 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  app.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/app.te b/app.te
> index a5ff295..06da29b 100644
> --- a/app.te
> +++ b/app.te
> @@ -45,6 +45,8 @@ allow media_app sdcard:file { create_file_perms link_file_perms };
>  # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
>  allow media_app qtaguid_proc:file rw_file_perms;
>  allow media_app qtaguid_device:chr_file r_file_perms;
> +# Read to app_data_file
> +allow media_app app_data_file:file r_file_perms;
>  # Apps signed with the shared key.
>  type shared_app, domain;
>  app_domain(shared_app)

Already allowed by this rule in app.te:
allow appdomain app_data_file:notdevfile_class_set create_file_perms;

Maybe your denial was due to MLS categories rather than TE.

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 6/6] external/sepolicy: android_cts test denials
From: Stephen Smalley @ 2012-07-23 13:35 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> ---
>  cts.te |   21 +++++++++++++++++++++
>  1 files changed, 21 insertions(+), 0 deletions(-)
> 
> diff --git a/cts.te b/cts.te
> index 3600e94..08b770e 100644
> --- a/cts.te
> +++ b/cts.te
> @@ -39,4 +39,25 @@ dontaudit appdomain self:netlink_kobject_uevent_socket create;
>  
>  # Tries to override DAC restrictions but expects to fail.
>  dontaudit shell self:capability dac_override;
> +
> +# CTS test denials
> +# Allow CTS test apks access to apk_tmp_file and shell_data_file
> +allow appdomain apk_tmp_file:file rw_file_perms;
> +allow appdomain shell_data_file:file r_file_perms;

These are presently allowed to platform_app; maybe you need to assign
platform_app to the CTS apps?

> +# Allow CTS test apks socket permissions (for testing networking functions (e.g., bluetooth))
> +allow untrusted_app self:socket { bind create setopt shutdown listen };

app_bluetooth boolean or use one of the other app domains.

> +# Allow CTS Test apks to access to app/system_data_file
> +allow appdomain app_data_file:file r_file_perms;

Already allowed, but not across MLS categories (and this won't help).

> +allow appdomain system_data_file:file { x_file_perms open };

app_ndk boolean

> +# android.permission test denies
> +allow appdomain block_device:lnk_file r_file_perms;

Try to generalize, e.g.
allow appdomain dev_type:lnk_file r_file_perms;
would cover all device type symlinks.

> +allow appdomain cgroup:dir w_file_perms;
> +allow appdomain media_app:lnk_file r_file_perms;

Should already be allowed by:
allow appdomain domain:{ file lnk_file } r_file_perms;
in cts.te.

> +allow appdomain radio_device:lnk_file r_file_perms;
> +allow appdomain untrusted_app:lnk_file r_file_perms;

Ditto.

> +allow appdomain zygote:netlink_selinux_socket getattr;
> +# android.security test deny
> +allow appdomain untrusted_app:netlink_route_socket { read bind create };
> +# android.util test deny
> +allow appdomain log_device:chr_file r_file_perms;
>  }

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 1/6] external/sepolicy: allow media_app more permissions on sdcard
From: Haiqing Jiang @ 2012-07-23 16:19 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


I made a mistake. Sorry for that.

On Mon, Jul 23, 2012 at 6:22 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> > ---
> >  app.te |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/app.te b/app.te
> > index 0866e95..a5ff295 100644
> > --- a/app.te
> > +++ b/app.te
> > @@ -41,7 +41,7 @@ allow media_app cache_file:dir rw_dir_perms;
> >  allow media_app cache_file:file create_file_perms;
> >  # Access sdcard.
> >  allow media_app sdcard:dir create_dir_perms;
> > -allow media_app sdcard:file create_file_perms;
> > +allow media_app sdcard:file { create_file_perms link_file_perms };
> >  # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
> >  allow media_app qtaguid_proc:file rw_file_perms;
> >  allow media_app qtaguid_device:chr_file r_file_perms;
>
> create_file_perms already contains link_file_perms, so this does
> nothing.
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University



* Re: [PATCH 2/6] external/sepolicy: mediaserver open application data files
From: Haiqing Jiang @ 2012-07-23 16:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


Thanks. I should be more careful to find the related existing policies.

On Mon, Jul 23, 2012 at 6:23 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> > ---
> >  mediaserver.te |    1 +
> >  1 files changed, 1 insertions(+), 0 deletions(-)
> >
> > diff --git a/mediaserver.te b/mediaserver.te
> > index 057e39d..d3f0334 100644
> > --- a/mediaserver.te
> > +++ b/mediaserver.te
> > @@ -25,6 +25,7 @@ allow mediaserver sysfs:file rw_file_perms;
> >  # XXX Why?
> >  allow mediaserver apk_data_file:file { read getattr };
> >  allow mediaserver ion_device:chr_file rw_file_perms;
> > +allow mediaserver app_data_file:file open;
> >
> >  # To use remote processor
> >  allow mediaserver rpmsg_device:chr_file rw_file_perms;
>
> If this is required, then merge it into the existing allow rule for
> app_data_file, at which point you can just use r_file_perms;
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University



* Re: [PATCH 4/6] external/sepolicy: system talk to rild via socket
From: Haiqing Jiang @ 2012-07-23 16:29 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


I find the denial is from "GpsLocationProvider", which is labeled
"system". And for some reason it requires a socket connection.

On Mon, Jul 23, 2012 at 6:28 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> > ---
> >  system.te |    1 +
> >  1 files changed, 1 insertions(+), 0 deletions(-)
> >
> > diff --git a/system.te b/system.te
> > index 5c34f81..1a25fd3 100644
> > --- a/system.te
> > +++ b/system.te
> > @@ -107,6 +107,7 @@ unix_socket_connect(system, dbus, dbusd)
> >  unix_socket_connect(system, gps, gpsd)
> >  unix_socket_connect(system, bluetooth, bluetoothd)
> >  unix_socket_send(system, wpa, wpa)
> > +unix_socket_connect(system, rild, rild)
> >
> >  # Communicate over a socket created by surfaceflinger.
> >  allow system surfaceflinger:unix_stream_socket { read write setopt };
>
> Same as prior one.
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University



* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
From: Haiqing Jiang @ 2012-07-23 22:05 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


If that is the case, I don't think it's a good idea to allow mediaserver
permission over rild. Thanks for your comments.

On Mon, Jul 23, 2012 at 6:26 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> > ---
> >  mediaserver.te |    3 +++
> >  1 files changed, 3 insertions(+), 0 deletions(-)
> >
> > diff --git a/mediaserver.te b/mediaserver.te
> > index d3f0334..6dd4d4a 100644
> > --- a/mediaserver.te
> > +++ b/mediaserver.te
> > @@ -40,3 +40,6 @@ allow mediaserver camera_calibration_file:file
> r_file_perms;
> >  # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
> >  allow mediaserver qtaguid_proc:file rw_file_perms;
> >  allow mediaserver qtaguid_device:chr_file r_file_perms;
> > +
> > +# Talk to rild via socket
> > +unix_socket_connect(mediaserver, rild, rild)
>
> Hmm...it used to be that only radio could connect to rild.
> socket perms are 660 root radio, and mediaserver runs as media.
> Doesn't seem like this is possible even under DAC.  Clarification
> requested?
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, Ph.D. student

Computer Science Department, North Carolina State University



* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
From: Stephen Smalley @ 2012-07-24 13:04 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Mon, 2012-07-23 at 15:05 -0700, Haiqing Jiang wrote:
> If in that case, I don't think it's a good idea to allow permission to
> mediaserver over rild. Thanks for your comments. 

It may be legitimate, but I want to understand why and how it happens
before allowing it.

> 
> On Mon, Jul 23, 2012 at 6:26 AM, Stephen Smalley <sds@tycho.nsa.gov>
> wrote:
>         On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
>         > ---
>         >  mediaserver.te |    3 +++
>         >  1 files changed, 3 insertions(+), 0 deletions(-)
>         >
>         > diff --git a/mediaserver.te b/mediaserver.te
>         > index d3f0334..6dd4d4a 100644
>         > --- a/mediaserver.te
>         > +++ b/mediaserver.te
>         > @@ -40,3 +40,6 @@ allow mediaserver
>         camera_calibration_file:file r_file_perms;
>         >  # Read/[write] to /proc/net/xt_qtaguid/ctrl
>         and /dev/xt_qtaguid
>         >  allow mediaserver qtaguid_proc:file rw_file_perms;
>         >  allow mediaserver qtaguid_device:chr_file r_file_perms;
>         > +
>         > +# Talk to rild via socket
>         > +unix_socket_connect(mediaserver, rild, rild)
>         
>         
>         Hmm...it used to be that only radio could connect to rild.
>         socket perms are 660 root radio, and mediaserver runs as
>         media.
>         Doesn't seem like this is possible even under DAC.
>          Clarification
>         requested?
>         
>         --
>         Stephen Smalley
>         National Security Agency
>         
> 
> 
> 
> 
> -- 
> -----------------------------------
> Haiqing Jiang, PH.D student
> 
> 
> Computer Science Department, North Carolina State University
> 
> 
> 

-- 
Stephen Smalley
National Security Agency




* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
From: Haiqing Jiang @ 2012-07-24 16:10 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


I cannot find the corresponding avc logs at the moment. I will let you
know when I find them.

On Tue, Jul 24, 2012 at 6:04 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Mon, 2012-07-23 at 15:05 -0700, Haiqing Jiang wrote:
> > If in that case, I don't think it's a good idea to allow permission to
> > mediaserver over rild. Thanks for your comments.
>
> It may be legitimate, but I want to understand why and how it happens
> before allowing it.
>
> >
> > On Mon, Jul 23, 2012 at 6:26 AM, Stephen Smalley <sds@tycho.nsa.gov>
> > wrote:
> >         On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
> >         > ---
> >         >  mediaserver.te |    3 +++
> >         >  1 files changed, 3 insertions(+), 0 deletions(-)
> >         >
> >         > diff --git a/mediaserver.te b/mediaserver.te
> >         > index d3f0334..6dd4d4a 100644
> >         > --- a/mediaserver.te
> >         > +++ b/mediaserver.te
> >         > @@ -40,3 +40,6 @@ allow mediaserver
> >         camera_calibration_file:file r_file_perms;
> >         >  # Read/[write] to /proc/net/xt_qtaguid/ctrl
> >         and /dev/xt_qtaguid
> >         >  allow mediaserver qtaguid_proc:file rw_file_perms;
> >         >  allow mediaserver qtaguid_device:chr_file r_file_perms;
> >         > +
> >         > +# Talk to rild via socket
> >         > +unix_socket_connect(mediaserver, rild, rild)
> >
> >
> >         Hmm...it used to be that only radio could connect to rild.
> >         socket perms are 660 root radio, and mediaserver runs as
> >         media.
> >         Doesn't seem like this is possible even under DAC.
> >          Clarification
> >         requested?
> >
> >         --
> >         Stephen Smalley
> >         National Security Agency
> >
> >
> >
> >
> >
> > --
> > -----------------------------------
> > Haiqing Jiang, PH.D student
> >
> >
> > Computer Science Department, North Carolina State University
> >
> >
> >
>
> --
> Stephen Smalley
> National Security Agency
>
>


-- 
-----------------------------------
Haiqing Jiang, PH.D student

Computer Science Department, North Carolina State University


* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
  2012-07-24 16:10         ` Haiqing Jiang
@ 2012-07-24 22:32           ` Haiqing Jiang
  2012-07-25 11:41             ` Stephen Smalley
  0 siblings, 1 reply; 21+ messages in thread
From: Haiqing Jiang @ 2012-07-24 22:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, bill.c.roberts


Hi, Stephen

I found the denial, but I have no idea about the exact object related to the
denial. Please let me know your comments. Thanks.

#============= mediaserver ==============
allow mediaserver rild:unix_stream_socket connectto;

<5>[ 9719.676422] type=1400 audit(1343162276.710:1512): avc:  denied  {
connectto } for  pid=519 comm=42696E646572205468726561642023
path=004D756C7469636C69656E74 scontext=u:r:mediaserver:s0
tcontext=u:r:rild:s0 tclass=unix_stream_socket



On Tue, Jul 24, 2012 at 9:10 AM, Haiqing Jiang <hqjiang1988@gmail.com> wrote:

> I cannot find the corresponding avc logs at this moment.. I will let you
> know when I find it.
>
>
> On Tue, Jul 24, 2012 at 6:04 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>> On Mon, 2012-07-23 at 15:05 -0700, Haiqing Jiang wrote:
>> > If in that case, I don't think it's a good idea to allow permission to
>> > mediaserver over rild. Thanks for your comments.
>>
>> It may be legitimate, but I want to understand why and how it happens
>> before allowing it.
>>
>> >
>> > On Mon, Jul 23, 2012 at 6:26 AM, Stephen Smalley <sds@tycho.nsa.gov>
>> > wrote:
>> >         On Thu, 2012-07-19 at 16:07 -0700, Haiqing Jiang wrote:
>> >         > ---
>> >         >  mediaserver.te |    3 +++
>> >         >  1 files changed, 3 insertions(+), 0 deletions(-)
>> >         >
>> >         > diff --git a/mediaserver.te b/mediaserver.te
>> >         > index d3f0334..6dd4d4a 100644
>> >         > --- a/mediaserver.te
>> >         > +++ b/mediaserver.te
>> >         > @@ -40,3 +40,6 @@ allow mediaserver
>> >         camera_calibration_file:file r_file_perms;
>> >         >  # Read/[write] to /proc/net/xt_qtaguid/ctrl
>> >         and /dev/xt_qtaguid
>> >         >  allow mediaserver qtaguid_proc:file rw_file_perms;
>> >         >  allow mediaserver qtaguid_device:chr_file r_file_perms;
>> >         > +
>> >         > +# Talk to rild via socket
>> >         > +unix_socket_connect(mediaserver, rild, rild)
>> >
>> >
>> >         Hmm...it used to be that only radio could connect to rild.
>> >         socket perms are 660 root radio, and mediaserver runs as
>> >         media.
>> >         Doesn't seem like this is possible even under DAC.
>> >          Clarification
>> >         requested?
>> >
>> >         --
>> >         Stephen Smalley
>> >         National Security Agency
>> >
>> >
>> >
>> >
>> >
>> > --
>> > -----------------------------------
>> > Haiqing Jiang, PH.D student
>> >
>> >
>> > Computer Science Department, North Carolina State University
>> >
>> >
>> >
>>
>> --
>> Stephen Smalley
>> National Security Agency
>>
>>
>
>
> --
> -----------------------------------
> Haiqing Jiang, PH.D student
>
> Computer Science Department, North Carolina State University
>
>
>


-- 
-----------------------------------
Haiqing Jiang, PH.D student

Computer Science Department, North Carolina State University


* Re: [PATCH 3/6] external/sepolicy: mediaserver talk to rild via socket
  2012-07-24 22:32           ` Haiqing Jiang
@ 2012-07-25 11:41             ` Stephen Smalley
  0 siblings, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2012-07-25 11:41 UTC (permalink / raw)
  To: Haiqing Jiang; +Cc: selinux, bill.c.roberts

On Tue, 2012-07-24 at 15:32 -0700, Haiqing Jiang wrote:
> Hi, Stephen
> 
> 
> I find the denial. But have not ideas about the exact object related
> to the denial. Please let me know your comments. Thanks. 
> 
> 
> #============= mediaserver ==============
> allow mediaserver rild:unix_stream_socket connectto;
> 
> <5>[ 9719.676422] type=1400 audit(1343162276.710:1512): avc:  denied
>  { connectto } for  pid=519 comm=42696E646572205468726561642023
> path=004D756C7469636C69656E74 scontext=u:r:mediaserver:s0
> tcontext=u:r:rild:s0 tclass=unix_stream_socket

Oh, it is a socket in the abstract namespace (path starts with the null
byte).  So it is not the /dev/socket/rild socket that is in view here.

So I guess you can add:
	allow mediaserver rild:unix_stream_socket connectto;
and not use the unix_socket_connect() macro because we do not want to
allow use of /dev/socket/rild, only the abstract socket connection.

-- 
Stephen Smalley
National Security Agency
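The hex-encoded comm= and path= fields in the denial above are how the kernel audit code prints a value it will not emit verbatim, and the leading 00 byte of the decoded path is what marks the peer as an abstract-namespace socket rather than /dev/socket/rild. The Python below is an added example, not code from this thread or from the Android sepolicy project: it decodes a denial line (a constructed copy of the one quoted above), tells an abstract socket from a filesystem one, and emits the narrower rule suggested for the abstract case. The unix_socket_connect() fallback is the Android macro named in the patch, written with the same argument order the patch uses.

```python
import re

# Constructed copy of the AVC denial quoted earlier in this thread.
DENIAL = ("<5>[ 9719.676422] type=1400 audit(1343162276.710:1512): avc:  denied  "
          "{ connectto } for  pid=519 comm=42696E646572205468726561642023 "
          "path=004D756C7469636C69656E74 scontext=u:r:mediaserver:s0 "
          "tcontext=u:r:rild:s0 tclass=unix_stream_socket")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def decode_field(value: str) -> bytes:
    """Undo audit's escaping of an untrusted string field (comm=, path=, name=).

    Audit emits such a field double-quoted when it is plain printable text and
    as an unquoted hex string when it holds a byte it will not print (NUL, space).
    """
    if len(value) % 2 == 0 and HEX_RE.match(value):
        return bytes.fromhex(value)
    return value.strip('"').encode()


def parse_avc(line: str) -> dict:
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial line")
    fields = {"perms": m.group("perms").split()}
    fields.update(FIELD_RE.findall(m.group("rest")))
    for key in ("comm", "path", "name"):
        if key in fields:
            fields[key] = decode_field(fields[key])
    return fields


def is_abstract_socket(denial: dict) -> bool:
    """True when the target unix socket is bound in the abstract namespace."""
    return (denial.get("tclass") == "unix_stream_socket"
            and denial.get("path", b"").startswith(b"\x00"))


def suggest_rule(denial: dict) -> str:
    """Narrowest policy statement that clears a unix_stream_socket connectto denial."""
    src = denial["scontext"].split(":")[2]  # u:r:<type>:s0 -> <type>
    tgt = denial["tcontext"].split(":")[2]
    if is_abstract_socket(denial):
        # No filesystem object is involved, so no sock_file access is needed.
        return f"allow {src} {tgt}:unix_stream_socket connectto;"
    # A filesystem socket also needs write on its sock_file; the Android macro
    # grants both, so confirm DAC even permits it before adding this.
    return f"unix_socket_connect({src}, {tgt}, {tgt})"
```

Running `parse_avc(DENIAL)` decodes comm to "Binder Thread #" and path to a NUL byte followed by "Multiclient", which is what makes `suggest_rule` pick the bare connectto rule.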


