
Comments (9)

lbdroid avatar lbdroid commented on August 31, 2024

I'm a bit unclear about what is going on in this. The permissions you have added do not appear to be relevant to the purpose of writing data to the /system partition. In particular, any installed application (like titanium backup) should be running in the untrusted_app context, and then by use of su, under the su context. Not system_app.

And what is going on with the kernel:process permission? That doesn't appear to be at all relevant.

This change has the feeling of being to enable some kind of hackaround for a hackaround for a bad implementation of su.

Have you communicated with the author of titanium backup to determine why it is trying to use these permissions, and maybe to come up with a better solution? As far as I can tell, su from the untrusted_app and su contexts should be capable of doing anything that this program would require. I bet you that he is performing an "su --context u:r:system_app:s0 -c do something" when just "su -c do something" would suffice (and work).

from aosp-su-patch.

craigacgomez avatar craigacgomez commented on August 31, 2024

That was my initial understanding as well. I am just not well versed enough with SELinux. I will talk to the author of TB to confirm.

from aosp-su-patch.

lbdroid avatar lbdroid commented on August 31, 2024

Ok, see if you can bring them into this issue tracker. Also note that the kernel:process permission was explicitly disincluded from the su policy (by Google) with "allow su { domain -kernel }:process *;", which makes me nervous about adding it back in without first understanding the full implication. Obviously it adds in something that Google thinks is bad to give over even to root.

The other ones are also a bit concerning, as they authorize system_app to transition to shell and toolbox contexts directly. shell context, in particular, is concerning, since shell context is authorized to transition to su context. So essentially, this could allow any system_app to transition to su, possibly without even notifying the user, as long as su access is enabled for adb shell.

from aosp-su-patch.
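The transition chain described in the comment above (system_app -> shell -> su) is exactly the kind of thing a policy reachability check catches before a rule lands. The following is an added example, not code from the aosp-su-patch project or from anyone in this thread: it parses a constructed fragment of SELinux `allow ... :process` rules, expands `{ domain -kernel }` style sets, and walks the `transition` graph to report every domain that can reach `su`. The sample policy is invented for illustration; only the `allow su { domain -kernel }:process *;` line is quoted from the thread.

```python
"""Reachability check over SELinux process-transition rules (added example).

The policy text below is CONSTRUCTED and is not the real AOSP policy; it only
models the rules discussed in the thread so the chain can be demonstrated.
"""
import re
from collections import deque

SAMPLE_POLICY = """
type untrusted_app, domain;
type system_app, domain;
type shell, domain;
type su, domain;
type kernel, domain;
type toolbox, domain;
allow untrusted_app su:process transition;
allow shell su:process transition;
allow system_app shell:process transition;
allow system_app toolbox:process transition;
allow su { domain -kernel }:process *;
"""

TYPE_RE = re.compile(r"^type\s+(\w+)\s*,\s*domain\s*;$")
RULE_RE = re.compile(
    r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*:\s*process\s+(\{[^}]*\}|\S+)\s*;$"
)


def expand(token, domains):
    """Expand a bare name or a `{ a b -c }` set into a set of strings.

    `domain` expands to every declared domain; a leading `-` removes a member.
    `domains` is None when expanding permission lists (no attribute expansion).
    """
    token = token.strip()
    items = token.strip("{}").split() if token.startswith("{") else [token]
    result = set()
    for item in items:
        if item.startswith("-"):
            result -= expand(item[1:], domains)
        elif item == "domain" and domains is not None:
            result |= domains
        else:
            result.add(item)
    return result


def parse_policy(text):
    """Return (domains, rules); each rule is (sources, targets, permissions)."""
    domains, raw = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TYPE_RE.match(line)
        if m:
            domains.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            raw.append(m.groups())
    # Sets are expanded only after every `type ..., domain;` line is known.
    rules = [(expand(s, domains), expand(t, domains), expand(p, None)) for s, t, p in raw]
    return domains, rules


def transition_graph(domains, rules):
    """Directed graph: src -> {targets} for rules granting process transition (or *)."""
    graph = {d: set() for d in domains}
    for sources, targets, perms in rules:
        if "transition" in perms or "*" in perms:
            for src in sources:
                graph.setdefault(src, set()).update(targets)
    return graph


def reachable_path(graph, start, goal):
    """Shortest chain of transitions from start to goal (BFS), or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def domains_reaching(graph, goal):
    """Every domain other than goal that can transition into goal, directly or not."""
    return sorted(d for d in graph if d != goal and reachable_path(graph, d, goal))


if __name__ == "__main__":
    doms, rules = parse_policy(SAMPLE_POLICY)
    g = transition_graph(doms, rules)
    for d in domains_reaching(g, "su"):
        print(d, "->", " -> ".join(reachable_path(g, d, "su")))
```

Running it against the sample prints the two-hop chain `system_app -> shell -> su`, which is the path the comment warns about; it also shows that `{ domain -kernel }` leaves `kernel` out of su's target set while keeping every other domain, so the exclusion Google wrote into the su policy is preserved as long as nobody adds `kernel:process` back.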

lbdroid avatar lbdroid commented on August 31, 2024

Any updates on this issue?

from aosp-su-patch.

craigacgomez avatar craigacgomez commented on August 31, 2024

No... Been a bit busy with work (Black Friday/Cyber Monday stuff). I will get back to this soon

from aosp-su-patch.

phhusson avatar phhusson commented on August 31, 2024

Just ignoring the --context option does indeed work. I'm changing su to have a blacklist of apps with quirks.

from aosp-su-patch.

lbdroid avatar lbdroid commented on August 31, 2024

Perfect. Maybe we can turn this into a new feature, automatic context manipulation based on user lists, rather than a global blacklist.

calling userid, command, context override.
With wildcards in the command.

from aosp-su-patch.
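The per-app quirk handling mentioned two comments up and the rule-based variant proposed just above (calling uid, command with wildcards, context override) can be sketched as one small lookup. This is an added example, not the Superuser project's code: the rule file format, the `-` marker meaning "ignore the requested --context", and the uid and command values are all constructed for illustration.

```python
"""Decide which SELinux context an `su --context` request is granted (added example).

Rule table format is CONSTRUCTED for this example; fields are
  calling uid ('*' = any) | command glob | action
where action '-' means "drop the caller's --context and use the default su
context" and any other value is the exact context to grant instead.
"""
from fnmatch import fnmatchcase

DEFAULT_CONTEXT = "u:r:su:s0"

# Constructed sample rules: a hypothetical app uid 10042 asks for a context it
# does not need, so its requests are run in the plain su context instead.
RULE_TEXT = """
# uid   | command glob   | action
10042   | pm *           | -
10042   | cp /system/*   | -
"""


def parse_rules(text):
    """Return a list of (uid_or_star, command_glob, action) from the rule text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        uid, glob, action = (f.strip() for f in line.split("|", 2))
        rules.append((uid if uid == "*" else int(uid), glob, action))
    return rules


def resolve_context(uid, command, requested, rules):
    """Context to run `command` in for caller `uid` who requested `requested` (or None).

    First matching rule wins; with no match the request is honored as given.
    """
    for rule_uid, glob, action in rules:
        if rule_uid in ("*", uid) and fnmatchcase(command, glob):
            return DEFAULT_CONTEXT if action == "-" else action
    return requested if requested is not None else DEFAULT_CONTEXT


if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    print(resolve_context(10042, "pm list packages", "u:r:system_app:s0", rules))
    print(resolve_context(10099, "id", "u:r:system_app:s0", rules))
```

With the sample rules the quirky app's `pm` and `/system` copy commands run as `u:r:su:s0` regardless of what it asked for, while an unlisted caller still gets exactly the context it requested; a `*` uid row turns the table back into the global blacklist, and an explicit context in the action column gives the override the proposal describes.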

phhusson avatar phhusson commented on August 31, 2024

Workaround added in seSuperuser/Superuser@f6174c3

from aosp-su-patch.

lbdroid avatar lbdroid commented on August 31, 2024

Let's call this fixed.

from aosp-su-patch.
