[prev in list] [next in list] [prev in thread] [next in thread]
List: seandroid-list
Subject: Re: Question on relabel /data/data/<app>
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2015-05-22 12:09:53
Message-ID: 555F1C91.7070600 () tycho ! nsa ! gov
[Download RAW message or body]
On 05/21/2015 06:37 PM, Tai Nguyen (tainguye) wrote:
> Iąd like to resurface this email thread.
>
> Summary: When we upgrade from JB to KK load, the /data/data/<app> dirs are
> not relabeled.
> We use patches from SEAndroid 4.4.2 branch and verified that
> selinux_android_restorecon_pkgdir()
> is invoked. However, the call fails because inode_owner_or_capable()
> returns false.
>
> We believe that installd should have FOWNER capability so the function
> inode_owner_or_capable() should return true.
> Is our understanding correct? Do we need any patch to make it work?
That sounds correct. In 5.0, installd retains CAP_FOWNER in
frameworks/native/cmds/installd/installd.c:drop_privileges(); it has:
capdata[CAP_TO_INDEX(CAP_DAC_OVERRIDE)].permitted |=
CAP_TO_MASK(CAP_DAC_OVERRIDE);
capdata[CAP_TO_INDEX(CAP_CHOWN)].permitted |=
CAP_TO_MASK(CAP_CHOWN);
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |=
CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |=
CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_FOWNER)].permitted |=
CAP_TO_MASK(CAP_FOWNER);
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to Seandroid-list-leave@tycho.nsa.gov.
To get help, send an email containing "help" to Seandroid-list-request@tycho.nsa.gov.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic