What is c512,c768 of an SELinux process?

I have a problem: an app needs to access a /proc entry that I created in a kernel driver, and I get an SELinux denial:

avc: denied { write } for pid=30200 comm="omg.flashlight" name="omg_flash_brightness" dev="proc" ino=4026534208 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0

I tried to solve this denial and found that I cannot allow untrusted_app to write proc:file, since that would cause a CTS issue. So I tried to add a domain for the omg.flashlight app. I used ps -Z and found the app as follows:

u:r:untrusted_app:s0:c512,c768 u0_a89    6669  382   com.omg.flashlight

I tried to add the following line to seapp_contexts to make it an SELinux domain:

user=app domain=omg_flashlight seinfo=platform name=com.omg.flashlight type=app_data_file

and I created a new omg_flashlight.te:

type omg_flashlight,domain;
app_domain(omg_flashlight)

But the result is the same: the app is still untrusted_app.

Does anyone know about this? I also noticed the c512,c768 in the context. Does anyone know what that is?

Thanks!

akenhsu asked Oct 19 '22 11:10



1 Answer

First of all, you need to fix your line in the seapp_contexts file:

user=_app seinfo=omg_flashlight domain=platform_app name=com.omg.flashlight type=app_data_file

The user=_app value always starts with an underscore.

The process running as u:r:untrusted_app:s0:c512,c768 has the special privilege to access files within the categories c512,c768. But you need to access a file type without multi-level categories, u:object_r:proc:s0, so I don't think that is your problem.

Try to get your application running as platform_app or system_app, depending on your device, and you should get access.

Update

You have mixed up seinfo and domain in your seapp_contexts line, see above. If platform_app does not work, try system_app. Go to /system/etc/security/mac_permissions.xml and look for the seinfo of your app; it should be the same as the one defined in seapp_contexts.

<signer signature="your_app_signature"><allow-all/><seinfo value="omg_flashlight"/></signer>

If your application's signing key is correct too, it will now run in the domain defined in seapp_contexts.

Mr. Fish answered Oct 21 '22 04:10

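As an added example (not part of the question or the answer above), the following Python parses the avc denial from the question, decodes the c512,c768 categories in its scontext, and checks a seapp_contexts line for the two mistakes the answer points out. It assumes the category scheme Android's libselinux uses when it assigns levelFrom=app/user/all (the formula in the docstring is not taken from this page), and the list of app domains passed to check_seapp_line and the levelFrom=all context in the comments are constructed.

```python
import re

# Constructed sample: the avc denial quoted in the question.
AVC_LINE = ('avc: denied { write } for pid=30200 comm="omg.flashlight" '
            'name="omg_flash_brightness" dev="proc" ino=4026534208 '
            'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 '
            'tclass=file permissive=0')

def parse_avc(line):
    """Return the key=value fields of an avc denial as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_categories(context):
    """Map the s0:cN,... level of an Android app context back to userid/appid.
    Assumption (not from the page): Android's libselinux assigns
      levelFrom=app  -> c(appid & 0xff), c(256 + (appid >> 8 & 0xff))
      levelFrom=user -> c(512 + (userid & 0xff)), c(768 + (userid >> 8 & 0xff))
      levelFrom=all  -> both pairs, e.g. uid 10089 in user 0 -> c105,c295,c512,c768
    So c512,c768 alone means levelFrom=user with Android user 0 (the u0 in u0_a89).
    """
    parts = context.split(':')
    cats = [int(c[1:]) for c in parts[4].split(',')] if len(parts) > 4 else []
    appid = userid = None
    kinds = set()
    for c in cats:
        if c < 512:                      # appid pair: low byte, then high byte
            appid = (appid or 0) | (c if c < 256 else (c - 256) << 8)
            kinds.add('app')
        else:                            # userid pair: low byte, then high byte
            userid = (userid or 0) | ((c - 512) if c < 768 else (c - 768) << 8)
            kinds.add('user')
    level_from = 'all' if kinds == {'app', 'user'} else (kinds.pop() if kinds else 'none')
    return {'appid': appid, 'userid': userid, 'levelFrom': level_from}

def check_seapp_line(line, app_domains=('untrusted_app', 'platform_app', 'system_app')):
    """Flag the mistakes the answer points out in a seapp_contexts line: an app
    wildcard user missing its leading underscore, seinfo/domain swapped, and a
    domain outside the (constructed) list of app domains given."""
    kv = dict(tok.split('=', 1) for tok in line.split())
    problems = []
    if kv.get('user') in ('app', 'isolated'):
        problems.append('user=%s must be written _%s' % (kv['user'], kv['user']))
    if kv.get('seinfo') in app_domains:
        problems.append('seinfo=%s names a domain; swapped with domain=?' % kv['seinfo'])
    if kv.get('domain') is not None and kv['domain'] not in app_domains:
        problems.append('domain=%s is not one of the app domains given' % kv['domain'])
    return problems

if __name__ == '__main__':
    ctx = parse_avc(AVC_LINE)['scontext']
    print(ctx, '->', decode_categories(ctx))
    print(check_seapp_line('user=app domain=omg_flashlight seinfo=platform '
                           'name=com.omg.flashlight type=app_data_file'))
```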