I'm working on a custom build based on Android 6.0.1 for Nexus 7. This
custom build adds a special daemon that is started from init.rc and exposes
some API to applications. In particular, one of the available methods creates a
new file at /data/daemon_dir and returns a file descriptor, making it
possible to write to this file from an app.
The daemon has its own SELinux context (here it's named custom_daemon). And
/data/daemon_dir has custom_daemon_file context. There are sepolicy rules
that grant file creation to the daemon and file writes to untrusted_app.
The configuration described above worked on Android 5. But after merging
with Android 6, I'm getting the following denial:
07-11 21:57:46.735 13389-13389/? W/Binder_2: type=1400 audit(0.0:945): avc:
denied { write } for path="/data/daemon_dir/some_file" dev="mmcblk0p30"
ino=496817 scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:custom_daemon_file:s0 tclass=file permissive=0
Here are the rules that should allow the operation:
allow untrusted_app custom_daemon_file:file rw_file_perms;
allow untrusted_app custom_daemon_file:dir r_dir_perms;
allow custom_daemon custom_daemon_file:dir create_dir_perms;
allow custom_daemon custom_daemon_file:file create_file_perms;
An interesting thing in this denial report is that scontext is
untrusted_app, but the denial is logged for the daemon process (13389 is
one of its thread IDs and Binder_2 is the name of the binder thread that
handles the API call).
I believe this mismatch is what is causing the denial but cannot understand
why this happens and how this can be fixed.
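As an added example (not part of the original post): a small Python check that parses the avc line above, matches it against the posted allow rules, and also compares the MLS levels of the two contexts. The type-enforcement rule does cover { write }, but the app's level s0:c512,c768 is not equal to the file's s0, and Android's mls constraints (the sepolicy mls file) require equal levels for file writes unless the subject type is mlstrustedsubject or the target type is mlstrustedobject; the expansion of rw_file_perms is assumed from Android's global_macros.

```python
import re

# The denial from the post, re-joined onto one logcat line.
DENIAL = ('07-11 21:57:46.735 13389-13389/? W/Binder_2: type=1400 audit(0.0:945): '
          'avc: denied { write } for path="/data/daemon_dir/some_file" '
          'dev="mmcblk0p30" ino=496817 scontext=u:r:untrusted_app:s0:c512,c768 '
          'tcontext=u:object_r:custom_daemon_file:s0 tclass=file permissive=0')

# The posted allow rule for the app, with rw_file_perms expanded the way
# Android's global_macros define it (assumption: r_file_perms + w_file_perms).
RW_FILE_PERMS = frozenset({"getattr", "open", "read", "ioctl", "lock", "write", "append"})
POLICY = [("untrusted_app", "custom_daemon_file", "file", RW_FILE_PERMS)]

AVC_RE = re.compile(r'avc: +denied +\{([^}]+)\}.*?scontext=(\S+) +tcontext=(\S+) +tclass=(\S+)')


def parse_context(ctx):
    """Split u:r:type:s0[:cats] into (type, sensitivity, frozenset(categories))."""
    parts = ctx.split(":")
    typ = parts[2]
    sens = parts[3] if len(parts) > 3 else "s0"
    cats = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
    return typ, sens, cats


def parse_denial(line):
    """Return requested perms, subject/target contexts and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": frozenset(m.group(1).split()),
            "subject": parse_context(m.group(2)),
            "target": parse_context(m.group(3)),
            "tclass": m.group(4)}


def classify(line, policy):
    """'missing_allow': no rule grants every requested permission;
    'mls_level_mismatch': a rule matches but subject/target MLS levels differ
    (Android's mls constraints need equal levels for file writes unless one
    side is mlstrustedsubject/mlstrustedobject); 'te_allowed': rule and levels fit."""
    d = parse_denial(line)
    stype, ssens, scats = d["subject"]
    ttype, tsens, tcats = d["target"]
    covered = any(s == stype and t == ttype and c == d["tclass"] and d["perms"] <= p
                  for s, t, c, p in policy)
    if not covered:
        return "missing_allow"
    if (ssens, scats) != (tsens, tcats):
        return "mls_level_mismatch"
    return "te_allowed"
```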