Discussion:
Regarding SELinux denial for writing to /tmp from untrusted_app
Sameer Joshi
2016-12-01 02:13:55 UTC
Hi All,

I want to give access to untrusted app to write to /tmp directory.

This is on top of 6.0 M code.

Denial was following:

[ 151.092299] type=1400 audit(1479910142.370:18): avc: denied { write }
for pid=2947 comm="a.android.flare" name="/" dev="tmpfs" ino=5591
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0
tclass=dir permissive=0

To solve this, I did the following in untrusted_app.te (as per the output
from audit2allow):

allow untrusted_app tmpfs:dir write;

Even after adding this rule, this denial keeps on appearing again.

Any way to fix this?

Regards,

Sameer Joshi
William Roberts
2016-12-01 03:03:28 UTC
Post by Sameer Joshi
Hi All,
I want to give access to untrusted app to write to /tmp directory.
This is on top of 6.0 M code.
[ 151.092299] type=1400 audit(1479910142.370:18): avc: denied { write }
for pid=2947 comm="a.android.flare" name="/" dev="tmpfs" ino=5591
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0
tclass=dir permissive=0
Post by Sameer Joshi
To solve this, I did the following in untrusted_app.te (as per the output
from audit2allow):
allow untrusted_app tmpfs:dir write;
Even after adding this rule, this denial keeps on appearing again.
Any way to fix this?
typeattribute tmpfs mlstrustedobject;

This is likely very bad. Allowing a world accessible writable place for
apps allows one app to malform the data another app will access.
Post by Sameer Joshi
Regards,
Sameer Joshi
_______________________________________________
Seandroid-list mailing list
To get help, send an email containing "help" to
Seandroid-list-***@tycho.nsa.gov.
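Why the audit2allow rule alone does not clear the denial: the app runs at
u:r:untrusted_app:s0:c512,c768 while the tmpfs root is labelled s0 with no
categories, so the MLS write constraint (levels must be equal unless the
subject type is mlstrustedsubject or the object type is mlstrustedobject)
still rejects the write. The script below is an added example, not code from
the thread or from the Android project: it parses the quoted denial line,
emits the type-enforcement rule audit2allow would produce, models the MLS
check with a simplified version of Android's mls constraints (the exact
permission sets in the platform's mls file are an assumption here), and lists
the extra typeattribute that would be needed, so the cost of that change is
visible before anyone applies it.

```python
"""Parse an SEAndroid AVC denial and show why a plain `allow` rule is not enough
when the subject and object MLS levels differ (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample input: the denial line quoted in the original post.
SAMPLE_DENIAL = (
    '[ 151.092299] type=1400 audit(1479910142.370:18): avc: denied { write } '
    'for pid=2947 comm="a.android.flare" name="/" dev="tmpfs" ino=5591 '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 '
    'tclass=dir permissive=0'
)

# Assumption: approximation of the permission sets in Android's mls policy file.
# Writes require l1 eq l2; reads require l1 dom l2; both are bypassed by the
# mlstrustedsubject / mlstrustedobject attributes.
WRITE_LIKE = {"write", "create", "setattr", "append", "unlink", "link", "rename",
              "add_name", "remove_name", "rmdir", "reparent", "relabelfrom", "relabelto"}
READ_LIKE = {"read", "getattr", "search", "execute", "open"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    setype: str
    sensitivity: int            # s0 -> 0
    categories: frozenset       # {"c512", "c768"} or empty

    def dominates(self, other: "Context") -> bool:
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)

    def same_level(self, other: "Context") -> bool:
        return (self.sensitivity, self.categories) == (other.sensitivity, other.categories)


def parse_context(ctx: str) -> Context:
    """u:r:untrusted_app:s0:c512,c768 -> Context(...)."""
    user, role, setype, level = ctx.split(":", 3)
    sens, _, cats = level.partition(":")
    return Context(user, role, setype, int(sens[1:]),
                   frozenset(c for c in cats.split(",") if c))


@dataclass(frozen=True)
class Denial:
    perms: tuple
    scontext: Context
    tcontext: Context
    tclass: str
    permissive: bool


_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
    r"(?:\s+permissive=(?P<p>[01]))?"
)


def parse_denial(line: str) -> Denial:
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: " + line)
    return Denial(tuple(m.group("perms").split()), parse_context(m.group("s")),
                  parse_context(m.group("t")), m.group("c"), m.group("p") == "1")


def allow_rule(d: Denial) -> str:
    """The type-enforcement rule audit2allow would emit for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.scontext.setype} {d.tcontext.setype}:{d.tclass} {perms};"


def mls_allows(d: Denial, trusted_subject=False, trusted_object=False) -> bool:
    """MLS verdict for the access, independent of any allow rule."""
    if trusted_subject or trusted_object:
        return True
    perms = set(d.perms)
    if perms & WRITE_LIKE:
        return d.scontext.same_level(d.tcontext)      # l1 eq l2
    if perms & READ_LIKE:
        return d.scontext.dominates(d.tcontext)        # l1 dom l2
    return True  # permission not covered by the constraints modelled here


def required_rules(d: Denial) -> list:
    """Everything policy would need for the access to succeed: the allow rule,
    plus the trusted-object attribute when MLS also blocks it."""
    rules = [allow_rule(d)]
    if not mls_allows(d):
        rules.append(f"typeattribute {d.tcontext.setype} mlstrustedobject;")
    return rules


if __name__ == "__main__":
    den = parse_denial(SAMPLE_DENIAL)
    print("subject categories:", sorted(den.scontext.categories))
    print("object categories: ", sorted(den.tcontext.categories))
    print("MLS allows write:  ", mls_allows(den))
    for r in required_rules(den):
        print(r)
```

The second rule it prints is the one William names, and the script makes the
trade-off explicit: marking tmpfs mlstrustedobject switches off the
category-based separation for every app that can reach that directory, which
is exactly the cross-app tampering problem raised in the replies.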
Nick Kralevich
2016-12-01 12:24:18 UTC
+1 to what William said. Android in the past has rejected global /tmp
directories for the security problems it causes. See
https://code.google.com/p/android/issues/detail?id=17156 comment #3.

-- Nick
--
Nick Kralevich | Android Security | ***@google.com | 650.214.4037