Jamie Nguyen
jamie****@tomoy*****
Thu Feb 24 05:24:50 JST 2011
Tetsuo Handa wrote:
> Jamie Nguyen wrote:
>> I've come across some rather unusual behaviour. I decided to delete
>> everything in exception policy, save and reboot. However, two entries
>> are automatically re-added without user intervention:
>>
>> initialize_domain /sbin/hotplug from any
>> initialize_domain /sbin/modprobe from any
>>
> Yes, these entries are built-in policy configured via
> CONFIG_CCSECURITY_BUILTIN_INITIALIZERS and loaded by ccs_mm_init().
>
> /sbin/hotplug and /sbin/modprobe might be executed before /sbin/init starts and
> these programs might execute other programs such as /bin/sh. By the moment
> /sbin/ccs-init is executed and MAC is activated, these programs and/or their
> descendant programs might be running. If these programs run in the <kernel>
> domain, it can result in executing /bin/sh from the <kernel> domain (this is
> not a good thing). Thus, the built-in policy chases these programs away from
> the <kernel> domain so that we don't need to give "file execute /bin/sh" to the
> <kernel> domain.
>
> On Android, /sbin/hotplug and /sbin/modprobe and /sbin/init do not exist.
> Thus, we do
>
> sed -i -e 's:/sbin/modprobe /sbin/hotplug::' -e 's:/sbin/ccs-start:/init:' -- security/ccsecurity/Kconfig
>
> at http://tomoyo.sourceforge.jp/1.8/android-arm.html .
>
> Recent distributions might be using /sbin/udevd instead.
> You can modify CONFIG_CCSECURITY_BUILTIN_INITIALIZERS in your kernel config.

Oh yes, of course. I forgot about this kernel config option! Thanks for the explanation.
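The following is an added example, not code from the thread or from the TOMOYO project. It shows how to read CONFIG_CCSECURITY_BUILTIN_INITIALIZERS out of a kernel .config, print the exception-policy lines the kernel will re-add on its own (the behaviour Jamie observed), and check whether each listed program actually exists on the target root, which is the situation Tetsuo describes for Android. The option name, the /sbin/modprobe /sbin/hotplug default and the initialize_domain syntax come from the thread; the function names and the use of /proc/config.gz or /boot/config-$(uname -r) as the location of the running kernel's config are my assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread or of TOMOYO itself).
# Helper names are assumptions; the option name and policy syntax are
# taken from the thread.

# Print the value of CONFIG_CCSECURITY_BUILTIN_INITIALIZERS from a kernel
# .config file without the surrounding quotes. Prints nothing if unset.
builtin_initializers() {
    config="$1"
    sed -n 's/^CONFIG_CCSECURITY_BUILTIN_INITIALIZERS="\(.*\)"$/\1/p' "$config"
}

# Emit the exception-policy lines that ccs_mm_init() installs regardless of
# what the saved exception policy contains, one per program in the option.
# Programs are space-separated, as in the Kconfig default "/sbin/modprobe /sbin/hotplug".
builtin_policy_lines() {
    for prog in $(builtin_initializers "$1"); do
        printf 'initialize_domain %s from any\n' "$prog"
    done
}

# Return 0 if every program named in the option exists under the target root
# (default: the live root), otherwise list the missing ones on stderr and
# return 1. A missing program (the Android case) means the built-in
# initializer is dead weight and the Kconfig default should be edited,
# as the sed one-liner in the thread does.
check_initializers_exist() {
    config="$1"; root="${2:-}"
    missing=0
    for prog in $(builtin_initializers "$config"); do
        if [ ! -e "${root}${prog}" ]; then
            printf 'missing: %s\n' "${root}${prog}" >&2
            missing=1
        fi
    done
    return $missing
}

# Locate the running kernel's config (assumed locations): /proc/config.gz if
# the kernel exposes it, else /boot/config-$(uname -r). Prints a readable
# plain-text path, or returns 1 if neither is available.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        gzip -dc /proc/config.gz > /tmp/running.config && echo /tmp/running.config
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Usage on a live system:
#   cfg=$(running_kernel_config) && builtin_policy_lines "$cfg" && check_initializers_exist "$cfg"
```

Run builtin_policy_lines against the running kernel's config before comparing it with the saved exception policy; the printed lines are the ones that will reappear after a reboot even if the policy file is empty. If check_initializers_exist reports a program as missing (as /sbin/hotplug and /sbin/modprobe would be on Android, or on a distribution that has moved to /sbin/udevd), the fix is in the kernel config, not in the policy file.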