
List:       seandroid-list
Subject:    Re: Random Questions
From:       William Roberts <bill.c.roberts () gmail ! com>
Date:       2015-02-23 17:16:37
Message-ID: CAFftDdrKHkKJJsq9BZ0_gBN0zu7XiZ_Yb2fxirpg9rtOU=sG8g () mail ! gmail ! com

On Feb 23, 2015 6:57 AM, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>
> On 02/21/2015 08:19 PM, William Roberts wrote:
> > 1. why is /system/bin/install-recovery.sh using an explicit seclabel in
> > service as well as a type transition rule? I see others doing this as
> > well.
>
> Probably just to ensure that even if someone is able to modify the
> /system partition and drop their own install-recovery.sh script, it
> won't run in the init domain.  Although that would now be blocked by
> policy in AOSP master since init is no longer allowed to execute
> anything without changing domains.  I would think it could be dropped.
> seclabel is only needed for programs in the rootfs and for sh commands
> (if not placed into their own script file under /system/bin).
>
> > What's the current state of CTS for SELinux? Is it still the:
> > 1. runtime domain checks
> > 2. all domains enforcing check
> > 3. No booleans check
> > 4. neverallow tests
> >
> > Is it all contained in these files, or is something else I am missing:
> > ./hostsidetests/security/src/android/cts/security/SELinuxHostTest.java
> > ./tests/tests/security/src/android/security/cts/SELinuxTest.java
> > ./tests/tests/security/jni/android_security_cts_SELinuxTest.cpp
> > ./tools/selinux
> > ./tools/selinux/SELinuxNeverallowTestGen.py
> > ./tools/selinux/SELinuxNeverallowTestFrame.py
>
> Yes, I believe that is correct.  Most of the tests have been moved to
> SELinuxHostTest, which is run on the build/test host and uses adb to
> pull files or run commands on the device.  This is to avoid the need to
> allow untrusted_app to directly perform various actions like reading the
> policy or reading all /proc/pid directories.  I have listed some
> suggestions for improvements to the testing on the wiki under Testing,
> https://bitbucket.org/seandroid/wiki/wiki/ToDo

Yep, you covered a few tests I was thinking of there. We would want to scan
mac perms for the key CTS was signed with to make sure they're not trying to
trick us, but they could just hack on pm if they really wanted to.

I need to get cracking on the sdcard stuff I said I would do, life's been
busy.
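The runtime-domain, enforcing and permissive-domain checks the thread refers to, as an added illustration of what a host-side test like SELinuxHostTest does; this is not CTS code, and the `ps -Z` output, the expected-domain table and the policy fragment are constructed here rather than pulled from a device.

```python
"""Host-side SELinux checks in the spirit of the CTS tests discussed above.
Added illustration, not CTS code. On a device the inputs would come from
`adb shell ps -Z`, `adb shell cat /sys/fs/selinux/enforce` and the policy
sources; here they are constructed strings so the script runs offline."""
import re

# Constructed sample of `ps -Z` output: label, user, pid, ppid, name.
SAMPLE_PS_Z = """\
LABEL                 USER    PID  PPID NAME
u:r:init:s0           root    1    0    /init
u:r:zygote:s0         root    350  1    zygote
u:r:untrusted_app:s0  u0_a12  1200 350  com.example.app
u:r:init:s0           root    1300 1    /system/bin/install-recovery.sh
"""

# Assumed expectations (CTS keeps its own table); the last entry is
# deliberately violated by the sample so a mismatch is reported.
EXPECTED_DOMAINS = {"/init": "init", "zygote": "zygote",
                    "/system/bin/install-recovery.sh": "install_recovery"}

# Constructed policy-source fragment with one permissive domain declared.
SAMPLE_TE = """\
type vendor_foo, domain;
permissive vendor_foo;
type install_recovery, domain;
"""

def parse_ps_z(text):
    """Map process name -> SELinux domain, skipping the header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        m = re.match(r"u:r:(\w+):s0", fields[0]) if len(fields) >= 5 else None
        if m:
            procs[fields[-1]] = m.group(1)
    return procs

def runtime_domain_mismatches(ps_text, expected=EXPECTED_DOMAINS):
    """Runtime domain check: {name: (actual, expected)} for wrong domains."""
    actual = parse_ps_z(ps_text)
    return {n: (actual.get(n), want) for n, want in expected.items()
            if actual.get(n) != want}

def is_enforcing(enforce_contents):
    """Global enforcing check: /sys/fs/selinux/enforce reads '1'."""
    return enforce_contents.strip() == "1"

def permissive_domains(te_text):
    """All-domains-enforcing check: domains declared permissive in policy source."""
    return sorted(re.findall(r"^\s*permissive\s+(\w+)\s*;", te_text, re.M))
```

With the sample input, the only mismatch reported is install-recovery.sh running in `init` rather than its own domain, which is exactly the case the seclabel/type transition discussion above is about.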




_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
