* SEAndroid: Labels of files in /data/data/APPDIR/lib directory
@ 2012-07-10 13:57 Michal Mašek
  2012-07-10 14:13 ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Michal Mašek @ 2012-07-10 13:57 UTC (permalink / raw)
  To: selinux

Hi,

I am trying to make our application operational under
SEAndroid. Currently the application produces "open" and "execute"
denials when it is loading its dynamic libraries from
/data/data/APPDIR/lib directory:

<5>[ 3913.711395] type=1400 audit(1341923463.083:9): avc:  denied  {
open } for  pid=1832 comm="t.circletech.cc" name="libsdl-1.2.so"
dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38
tcontext=u:object_r:system_data_file:s0 tclass=file

<5>[ 3913.711730] type=1400 audit(1341923463.083:10): avc:  denied  {
execute } for  pid=1832 comm="t.circletech.cc"
path="/data/data/net.circletech.cc/lib/libsdl-1.2.so" dev=mmcblk0p12
ino=578446 scontext=u:r:untrusted_app:s0:c38
tcontext=u:object_r:system_data_file:s0 tclass=file


My guess is that these libraries should have a different label, such
that the application is allowed to load them. But which one? And how to
change it? I tried to change the policy (file_contexts), but it had no
effect (it seems that files in the lib directory are relabeled during
installation).

Thank you,
Michal Mašek



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory
  2012-07-10 13:57 SEAndroid: Labels of files in /data/data/APPDIR/lib directory Michal Mašek
@ 2012-07-10 14:13 ` Stephen Smalley
  2012-07-10 15:48   ` Michal Mašek
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2012-07-10 14:13 UTC (permalink / raw)
  To: Michal Mašek; +Cc: selinux, Craig, Robert P.

On Tue, 2012-07-10 at 15:57 +0200, Michal Mašek wrote:
> Hi,
> 
> I am trying to make our application operational under
> SEAndroid. Currently the application produces "open" and "execute"
> denials when it is loading its dynamic libraries from
> /data/data/APPDIR/lib directory:
> 
> <5>[ 3913.711395] type=1400 audit(1341923463.083:9): avc:  denied  {
> open } for  pid=1832 comm="t.circletech.cc" name="libsdl-1.2.so"
> dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38
> tcontext=u:object_r:system_data_file:s0 tclass=file
> 
> <5>[ 3913.711730] type=1400 audit(1341923463.083:10): avc:  denied  {
> execute } for  pid=1832 comm="t.circletech.cc"
> path="/data/data/net.circletech.cc/lib/libsdl-1.2.so" dev=mmcblk0p12
> ino=578446 scontext=u:r:untrusted_app:s0:c38
> tcontext=u:object_r:system_data_file:s0 tclass=file
> 
> 
> My guess is that these libraries should have a different label, such
> that the application is allowed to load them. But which one? And how to
> change it? I tried to change the policy (file_contexts), but it had no
> effect (it seems that files in the lib directory are relabeled during
> installation).

The /data/data/APPDIR directory should be labeled with the app_data_file
type (not system_data_file as in your avc denials above) and the same
category assigned to the app process (i.e. :c38 in the above denial).
The fact that it is instead system_data_file suggests that you installed
the app when not running SE Android and did not erase and reflash your
data partition.  Or maybe you installed the app from the recovery
console?

-- 
Stephen Smalley
National Security Agency



* Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory
  2012-07-10 14:13 ` Stephen Smalley
@ 2012-07-10 15:48   ` Michal Mašek
  2012-07-10 15:59     ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Michal Mašek @ 2012-07-10 15:48 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Craig, Robert P.

On 07/10/2012 04:13 PM, Stephen Smalley wrote:
> The /data/data/APPDIR directory should be labeled with the
> app_data_file
> type (not system_data_file as in your avc denials above) and the same
> category assigned to the app process (i.e. :c38 in the above denial).

The /data/data/APPDIR is labeled with the app_data_file
type as you say it should be:
# ls -lZ /data/data/
...
drwxr-x--x app_38 app_38 u:object_r:app_data_file:s0:c38 net.circletech.cc

However the /data/data/APPDIR/lib and everything in it is labeled with
type system_data_file:
# ls -lZ /data/data/net.circletech.cc/
drwxr-xr-x system system u:object_r:system_data_file:s0 lib


> The fact that it is instead system_data_file suggests that you
> installed
> the app when not running SE Android and did not erase and reflash your
> data partition.

I have built the SEAndroid from sources as full_maguro-eng and I am
running it on Galaxy Nexus. I cleared the cache and userdata before
flashing the system. Getenforce says that the SELinux is running in
permissive mode.

I checked the /data/data directory before installation and the directory
of our application is not there. Then I installed the application via
"adb install" and the directory was created with the above mentioned
labels. I also tried to download the apk file through the android web
browser and installed it from Downloads app but it had the same effect.


Btw. I randomly checked directories of some of the system apps and the
lib subdirectory is always labeled with the system_data_file type, e.g.:
# ls -lZ /data/data/com.android.providers.contacts/
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 databases
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 files
drwxr-xr-x system   system u:object_r:system_data_file:s0 lib
drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 shared_prefs


Isn't it possible that during installation the lib directory is created
somewhere else, somewhere where it would be labeled with
system_data_file type and then moved to /data/data/APPDIR with its label
intact? Or maybe there is something else I am missing?

Thanks for your help,
Michal Mašek



* Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory
  2012-07-10 15:48   ` Michal Mašek
@ 2012-07-10 15:59     ` Stephen Smalley
  2012-07-11 14:32       ` Michal Mašek
  0 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2012-07-10 15:59 UTC (permalink / raw)
  To: Michal Mašek; +Cc: selinux, Craig, Robert P.

On Tue, 2012-07-10 at 17:48 +0200, Michal Mašek wrote:
> On 07/10/2012 04:13 PM, Stephen Smalley wrote:
> > The /data/data/APPDIR directory should be labeled with the
> > app_data_file
> > type (not system_data_file as in your avc denials above) and the same
> > category assigned to the app process (i.e. :c38 in the above denial).
> 
> The /data/data/APPDIR is labeled with the app_data_file
> type as you say it should be:
> # ls -lZ /data/data/
> ...
> drwxr-x--x app_38 app_38 u:object_r:app_data_file:s0:c38 net.circletech.cc
> 
> However the /data/data/APPDIR/lib and everything in it is labeled with
> type system_data_file:
> # ls -lZ /data/data/net.circletech.cc/
> drwxr-xr-x system system u:object_r:system_data_file:s0 lib
> 
> 
> > The fact that it is instead system_data_file suggests that you
> > installed
> > the app when not running SE Android and did not erase and reflash your
> > data partition.
> 
> I have built the SEAndroid from sources as full_maguro-eng and I am
> running it on Galaxy Nexus. I cleared the cache and userdata before
> flashing the system. Getenforce says that the SELinux is running in
> permissive mode.
> 
> I checked the /data/data directory before installation and the directory
> of our application is not there. Then I installed the application via
> "adb install" and the directory was created with the above mentioned
> labels. I also tried to download the apk file through the android web
> browser and installed it from Downloads app but it had the same effect.
> 
> 
> Btw. I randomly checked directories of some of the system apps and the
> lib subdirectory is always labeled with the system_data_file type, e.g.:
> # ls -lZ /data/data/com.android.providers.contacts/
> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 databases
> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 files
> drwxr-xr-x system   system u:object_r:system_data_file:s0 lib
> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 shared_prefs
> 
> 
> Isn't it possible that during installation the lib directory is created
> somewhere else, somewhere where it would be labeled with
> system_data_file type and then moved to /data/data/APPDIR with its label
> intact? Or maybe there is something else I am missing?

Sorry, my mistake.  We label the lib subdirectories with
system_data_file because Android assigns the system UID to them rather
than the app UID to them.  So the label is correct, and you just need to
adjust your policy.  If you look at app.te, you'll see an app_ndk
boolean that is supposed to allow third party apps to execute shared
objects from their data directories.  But it appears that the rule is
incorrectly written in terms of app_data_file rather than
system_data_file.  So switch the type in that rule and then enable that
policy boolean via SEManager and you should be good to go.  You could
also be more selective by putting your app in a more specific domain.

-- 
Stephen Smalley
National Security Agency



* Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory
  2012-07-10 15:59     ` Stephen Smalley
@ 2012-07-11 14:32       ` Michal Mašek
  2012-07-12 13:59         ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: Michal Mašek @ 2012-07-11 14:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Craig, Robert P.

On 07/10/2012 05:59 PM, Stephen Smalley wrote:
> On Tue, 2012-07-10 at 17:48 +0200, Michal Mašek wrote:
>> On 07/10/2012 04:13 PM, Stephen Smalley wrote:
>>> The /data/data/APPDIR directory should be labeled with the
>>> app_data_file
>>> type (not system_data_file as in your avc denials above) and the same
>>> category assigned to the app process (i.e. :c38 in the above denial).
>>
>> The /data/data/APPDIR is labeled with the app_data_file
>> type as you say it should be:
>> # ls -lZ /data/data/
>> ...
>> drwxr-x--x app_38 app_38 u:object_r:app_data_file:s0:c38 net.circletech.cc
>>
>> However the /data/data/APPDIR/lib and everything in it is labeled with
>> type system_data_file:
>> # ls -lZ /data/data/net.circletech.cc/
>> drwxr-xr-x system system u:object_r:system_data_file:s0 lib
>>
>>
>>> The fact that it is instead system_data_file suggests that you
>>> installed
>>> the app when not running SE Android and did not erase and reflash your
>>> data partition.
>>
>> I have built the SEAndroid from sources as full_maguro-eng and I am
>> running it on Galaxy Nexus. I cleared the cache and userdata before
>> flashing the system. Getenforce says that the SELinux is running in
>> permissive mode.
>>
>> I checked the /data/data directory before installation and the directory
>> of our application is not there. Then I installed the application via
>> "adb install" and the directory was created with the above mentioned
>> labels. I also tried to download the apk file through the android web
>> browser and installed it from Downloads app but it had the same effect.
>>
>>
>> Btw. I randomly checked directories of some of the system apps and the
>> lib subdirectory is always labeled with the system_data_file type, e.g.:
>> # ls -lZ /data/data/com.android.providers.contacts/
>> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 databases
>> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 files
>> drwxr-xr-x system   system u:object_r:system_data_file:s0 lib
>> drwxrwx--x app_0    app_0  u:object_r:app_data_file:s0:c0 shared_prefs
>>
>>
>> Isn't it possible that during installation the lib directory is created
>> somewhere else, somewhere where it would be labeled with
>> system_data_file type and then moved to /data/data/APPDIR with its label
>> intact? Or maybe there is something else I am missing?
> 
> Sorry, my mistake.  We label the lib subdirectories with
> system_data_file because Android assigns the system UID to them rather
> than the app UID to them.  So the label is correct, and you just need to
> adjust your policy.  If you look at app.te, you'll see an app_ndk
> boolean that is supposed to allow third party apps to execute shared
> objects from their data directories.  But it appears that the rule is
> incorrectly written in terms of app_data_file rather than
> system_data_file.  So switch the type in that rule and then enable that
> policy boolean via SEManager and you should be good to go.  You could
> also be more selective by putting your app in a more specific domain.

Thank you. The app_ndk boolean is exactly what I was looking for.
However, to resolve all denials, I also had to allow the application to
"open" the system_data_file, not just to "execute" it:

diff --git a/app.te b/app.te
index ed76ccf..137aad7 100644
--- a/app.te
+++ b/app.te
@@ -70,7 +70,7 @@ allow untrusted_app sdcard:file create_file_perms;
 # Native app support.
 bool app_ndk false;
 if (app_ndk) {
-allow untrusted_app app_data_file:file execute;
+allow untrusted_app system_data_file:file { execute open };
 }
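
Review bot: the added allow line grants untrusted_app execute and open on every file labeled system_data_file, not only on the per-app lib directories. The listings in this thread show lib labeled u:object_r:system_data_file:s0 with no category, so once app_ndk is enabled SELinux no longer separates one app's libraries from another's, or from anything else that carries this type. Consider giving the lib directories a dedicated type and writing the rule against that, or placing apps that need native code in a more specific domain, as suggested earlier in the thread.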

--
Michal Mašek



* Re: SEAndroid: Labels of files in /data/data/APPDIR/lib directory
  2012-07-11 14:32       ` Michal Mašek
@ 2012-07-12 13:59         ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2012-07-12 13:59 UTC (permalink / raw)
  To: Michal Mašek; +Cc: selinux, Craig, Robert P.

On Wed, 2012-07-11 at 16:32 +0200, Michal Mašek wrote:
> Thank you. The app_ndk boolean is exactly what I was looking for.
> However, to resolve all denials, I also had to allow the application to
> "open" the system_data_file, not just to "execute" it:
> 
> diff --git a/app.te b/app.te
> index ed76ccf..137aad7 100644
> --- a/app.te
> +++ b/app.te
> @@ -70,7 +70,7 @@ allow untrusted_app sdcard:file create_file_perms;
>  # Native app support.
>  bool app_ndk false;
>  if (app_ndk) {
> -allow untrusted_app app_data_file:file execute;
> +allow untrusted_app system_data_file:file { execute open };
>  }
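
Review bot: the comment above the conditional still reads only "# Native app support." although the rule now targets system_data_file, a type that does not obviously relate to app native libraries. A short comment stating that the per-app lib directories are owned by the system UID and therefore labeled system_data_file would keep a later reader from changing the type back to app_data_file. The removed line also drops execute on app_data_file, so it is worth confirming that nothing that enables app_ndk depended on executing files from the app-owned directories.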

Thanks.  Patch was corrupted (maybe whitespace-damaged by your mail
client?) so I had to apply it by hand, but you are still listed as the
author.

-- 
Stephen Smalley
National Security Agency
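
Added example, not part of the original thread and not SE Android project code: a small parser that reads the two wrapped AVC denials from the first message and derives the allow rule they imply, which comes out identical to the line added in the patch. The function names are chosen for this example only.

```python
import re
from collections import defaultdict

# The two denials from the first message, mail-client line wrapping included.
DMESG = """\
<5>[ 3913.711395] type=1400 audit(1341923463.083:9): avc:  denied  {
open } for  pid=1832 comm="t.circletech.cc" name="libsdl-1.2.so"
dev=mmcblk0p12 ino=578446 scontext=u:r:untrusted_app:s0:c38
tcontext=u:object_r:system_data_file:s0 tclass=file

<5>[ 3913.711730] type=1400 audit(1341923463.083:10): avc:  denied  {
execute } for  pid=1832 comm="t.circletech.cc"
path="/data/data/net.circletech.cc/lib/libsdl-1.2.so" dev=mmcblk0p12
ino=578446 scontext=u:r:untrusted_app:s0:c38
tcontext=u:object_r:system_data_file:s0 tclass=file
"""

# One record runs from "avc: denied" to the next kernel log prefix or end of input.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*?)(?=<\d+>\[|\Z)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]


def parse_denials(text):
    """Parse wrapped AVC denial records into dicts; skip truncated ones."""
    denials = []
    for perms, rest in AVC_RE.findall(text):
        fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue  # record cut off before the contexts; nothing to derive
        denials.append({
            "perms": perms.split(),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return denials


def suggest_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    print("\n".join(suggest_rules(parse_denials(DMESG))))
```

A rule derived this way only restates what was denied; whether the target type is narrow enough to grant is a separate policy decision.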

