I believe this issue has come up before, but my memory is a bit hazy on the details. Firstly, it is not necessary to have the requires device line in your adef. Typically you would format the SD card with a filesystem and then mount it somewhere. When you write a file on the filesystem, the kernel is accessing the underlying block device on your behalf so you don’t need read/write permissions on the raw device yourself. What you do need is permission to read/write the files/directories on the SD card’s filesystem.
The main problem is that when you do a requires dir, the existing files from that location are bind mounted into the sandbox. So assuming you have permission, you can read or write those files from within the sandbox. The problem is that when you create a new file, it isn’t created in the SD card filesystem. It’s created within the sandbox directory of the app. As an example from the command line, you could create an empty log.txt file on your SD card and then start a sandbox app that does requires dir on the SD card mount point. Then that sandboxed app could open the file and write to it. The writes would be stored on the SD card because the file that was opened is actually on the SD card.
What I said in the previous paragraph is mostly true, but I haven’t talked about SMACK yet. Every sandboxed app has a smack label. An app
Logger has the smack label
app.Logger. When you try to open log.txt for writing, SMACK may prevent that from succeeding. SMACK has the concept of each file having a label. This label may be set in the extended attributes of the filesystem or it may be applied as a default based on the mount options that were passed when mounting the filesystem. FAT filesystems (often used on SD cards) don’t support extended attributes. If you mount the filesystem with a default smack label that matches your app’s smack label, then the app will be able to access the log.txt file on the SD card.
Here’s a test I did:
- Format my SD card with a FAT filesystem in Windows
- Insert my SD card into my mangOH red and powered it up
- Mount my SD card with very permissive file permissions and an assigned default smack label of “sd”:
mount -ofmask=0111 -odmask=0000 -osmackfsdef=sd /dev/mmcblk0p1 /etc/sd/
- Create a file on the SD card:
- Create a smack rule which allows the app “myApp” to read, write and append to files with the “sd” smack label:
echo "app.myApp sd rwa" > /legato/smack/load2
- Simulate the environment the app is running under:
echo "app.myApp sd rwa" > /legato/smack/load2 && su -s /bin/sh appmyApp
- Append to the log file:
echo foo >> /etc/sd/log.txt
exit to exit from the appmyApp user shell
cat /etc/sd/log.txt and verify that the “foo” content is in the file.
The smack rules don’t persist across reboots. Supposedly you can write rules into
/etc/smack/accesses, but I haven’t tried that yet.