Reputation: 63
I have a problem: I have an app that needs to access a /proc entry that I create with a kernel driver, and I got an SELinux denial:
avc: denied { write } for pid=30200 comm="omg.flashlight" name="omg_flash_brightness" dev="proc" ino=4026534208 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
I tried to solve this denial and found that I cannot allow untrusted_app to write proc:file, since that would cause a CTS issue. So I tried to add a domain for the omg.flashlight app. I used ps -Z and found the app as follows:
u:r:untrusted_app:s0:c512,c768 u0_a89 6669 382 com.omg.flashlight
I tried adding the following entry to seapp_contexts to give it its own SELinux domain:
user=app domain=omg_flashlight seinfo=platform name=com.omg.flashlight type=app_data_file
and I created a new omg_flashlight.te:
type omg_flashlight,domain;
app_domain(omg_flashlight)
But the result is the same: the app is still untrusted_app.
Does anyone know about this? I also noticed the c512,c768 part. Does anyone know what that is?
Thanks!
Upvotes: 5
Views: 7353
Reputation: 11
You can try making the app a system_app or platform_app; this only works when we compile the app with LOCAL_CERTIFICATE := platform and sign it with the device keys.
To make the app a system_app you need LOCAL_CERTIFICATE := platform and android:sharedUserId="android.uid.system" in the AndroidManifest.xml file.
Upvotes: 1
Reputation: 837
First of all you need to fix your line in the seapp_contexts file:
user=_app seinfo=omg_flashlight domain=platform_app name=com.omg.flashlight type=app_data_file
The user=_app always starts with an underscore.
The process running as u:r:untrusted_app:s0:c512,c768 has the special privilege to access files within the category c512,c768. But you need to access a file type without a multi-level category, u:object_r:proc:s0, so I don't think that is your problem.
Try to get your application running as platform_app or system_app, depending on your device, and you should get access.
Update
You have mixed up seinfo and domain in your seapp_contexts, see above. If platform_app does not work, try system_app.
Go to /system/etc/security/mac_permissions.xml and look for the seinfo of your app; it should be the same as the one defined in seapp_contexts:
<signer signature="your_app_signature"><allow-all/><seinfo value="omg_flashlight"/></signer>
If your application key is correct too, it will now run in the domain defined in seapp_contexts.
Upvotes: 2
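An added example (not code from the question or either answer) that ties the two threads together: it decodes the avc denial from the question into domain, target type, class and level, reproduces the category scheme libselinux uses for seapp_contexts levelFrom= (the c512,c768 the question asks about are the categories levelFrom=user produces for Android user 0), parses a seapp_contexts entry, and checks that its seinfo= value is actually assigned by a signer stanza in mac_permissions.xml, as the second answer says to verify. The avc line, the ps -Z uid name and the corrected seapp_contexts entry are the ones quoted on the page; the mac_permissions.xml fragment is constructed with a placeholder signature, and the set of recognised seapp_contexts keys is the subset this script knows, not an exhaustive list.

```python
import re
import xml.etree.ElementTree as ET

AID_APP = 10000      # first regular application UID on Android
AID_USER = 100000    # size of the UID range owned by each Android user

# Constructed samples: the denial, ps -Z uid name and seapp_contexts entry quoted on the page.
AVC_LINE = ('avc: denied { write } for pid=30200 comm="omg.flashlight" '
            'name="omg_flash_brightness" dev="proc" ino=4026534208 '
            'scontext=u:r:untrusted_app:s0:c512,c768 '
            'tcontext=u:object_r:proc:s0 tclass=file permissive=0')
SEAPP_ENTRY = ("user=_app seinfo=omg_flashlight domain=platform_app "
               "name=com.omg.flashlight type=app_data_file")
# Constructed mac_permissions.xml fragment; the signature value is a placeholder.
MAC_PERMISSIONS_XML = """<policy>
  <signer signature="PLACEHOLDER_SIGNATURE"><allow-all/><seinfo value="omg_flashlight"/></signer>
</policy>"""

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an avc record into result, permission list, key=value fields and context parts."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an avc record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    for side in ("scontext", "tcontext"):
        _user, _role, typ, level = rec[side].split(":", 3)   # u:r:type:level
        rec[side + "_type"] = typ
        rec[side + "_level"] = level
    return rec


def uid_from_ps_name(name):
    """u0_a89 -> 10089: Android user 0, application id 89."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", name)
    if not m:
        raise ValueError("not an application uid name")
    return int(m.group(1)) * AID_USER + AID_APP + int(m.group(2))


def mls_level(uid, level_from, base="s0"):
    """Categories appended to the base level for a seapp_contexts levelFrom= setting.

    Follows libselinux's Android scheme: app categories are derived from the app id
    counted from AID_APP, user categories from the Android user id (uid // AID_USER).
    """
    userid = uid // AID_USER
    appid = uid % AID_USER - AID_APP
    app_cats = [appid & 0xff, 256 + ((appid >> 8) & 0xff)]
    user_cats = [512 + (userid & 0xff), 768 + ((userid >> 8) & 0xff)]
    cats = {"none": [], "app": app_cats, "user": user_cats, "all": app_cats + user_cats}[level_from]
    return base if not cats else base + ":" + ",".join("c%d" % c for c in cats)


# Keys this script recognises (assumed subset; newer releases add more selectors).
SEAPP_INPUT_KEYS = {"user", "seinfo", "name", "path", "isSystemServer", "isOwner", "isPrivApp"}
SEAPP_OUTPUT_KEYS = {"domain", "type", "levelFrom", "level"}


def parse_seapp_entry(entry):
    """Parse one seapp_contexts line, rejecting unknown keys or a line that assigns nothing."""
    fields = {}
    for token in entry.split():
        key, sep, val = token.partition("=")
        if not sep or key not in SEAPP_INPUT_KEYS | SEAPP_OUTPUT_KEYS:
            raise ValueError("unknown seapp_contexts key: %s" % key)
        fields[key] = val
    if not fields.keys() & SEAPP_OUTPUT_KEYS:
        raise ValueError("entry selects nothing: no domain/type/level output")
    return fields


def seinfo_matches_mac_permissions(entry, xml_text):
    """True if the entry's seinfo= value is assigned by some <signer> in mac_permissions.xml."""
    root = ET.fromstring(xml_text)
    return entry.get("seinfo") in {s.get("value") for s in root.iter("seinfo")}


def diagnose(avc_line=AVC_LINE, ps_name="u0_a89", entry=SEAPP_ENTRY, xml_text=MAC_PERMISSIONS_XML):
    """Summarise the denial and check the proposed seapp_contexts entry against mac_permissions.xml."""
    rec = parse_avc(avc_line)
    uid = uid_from_ps_name(ps_name)
    # Which levelFrom= setting would have produced the categories seen in scontext?
    level_from = next((lf for lf in ("none", "app", "user", "all")
                       if mls_level(uid, lf) == rec["scontext_level"]), None)
    fields = parse_seapp_entry(entry)
    return {
        "denied": "%s on %s:%s" % (" ".join(rec["perms"]), rec["tcontext_type"], rec["tclass"]),
        "domain": rec["scontext_type"],
        "level_from": level_from,            # "user" for c512,c768 and Android user 0
        "target_level": rec["tcontext_level"],
        "entry_domain": fields["domain"],
        "seinfo_ok": seinfo_matches_mac_permissions(fields, xml_text),
    }


if __name__ == "__main__":
    print(diagnose())
```

Run as-is it reports the write denial on proc:file from untrusted_app, that the c512,c768 categories correspond to levelFrom=user for user 0, that the target file sits at plain s0 with no categories (so the category set is not what blocks access, as the answer says), and whether the seinfo the entry relies on is present in the mac_permissions.xml fragment. A seinfo that appears in seapp_contexts but in no signer stanza is the usual reason an entry like this never matches.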