On 05/07/2018 12:30 PM, Yongqin Liu wrote:
> I ran the commands as root with a userdebug build, after running the su command.

Can you run id -Z before and after running su? I'm trying to understand why the scontext is u:r:kernel:s0 instead of e.g. u:r:shell:s0 (regular shell) or u:r:su:s0 (su shell). Is it because it is a console rather than adb and there is no domain transition defined for shell execution from the console? Should there be a domain_auto_trans(kernel, shell_exec, shell) rule in policy?

> > It makes sense that you would need read and write permissions to the
> > underlying storage. I am a little puzzled
> > as to why it is showing up as a denial on a scontext of u:r:kernel:s0
> > unless your console shell is running in
> > the kernel's context.
> >
> > I don't know what changed in the kernel but it seems correct that it
> > is now making these checks. Possibly
> > this was part of the changes to support mounting of filesystems from
> > user namespaces, to ensure that the
> > process was truly authorized to read/write the underlying storage.
>
> I think I found the change, it is the change here:
>
> https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3
>
> In the change, it calls do_iter_write in vfs_iter_write, and that makes
> the vfs_iter_write call rw_verify_area indirectly,
>
> https://android.googlesource.com/kernel/hikey-linaro/+/android-hikey-linaro-4.14/fs/read_write.c#938
>
> which calls security_file_permission for the permission check.
>
> While the 4.9 vfs_iter_write does not call security_file_permission in its
> implementation here:
>
> https://android.googlesource.com/kernel/hikey-linaro/+/android-hikey-linaro-4.9/fs/read_write.c
>
> I have not verified my thought with any build yet, but I think if I reverted
> the above change for the 4.14 kernel, then the denials will go away.
>
> Verified with the change
> https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3
> reverted,
> and no similar avc denials were reported again. And the originally failing VTS test
> cases pass now.
>
> Need to check on how to update the sepolicy rules on the userspace side.

Just make sure you wrap it with userdebug_or_eng() so it doesn't get included in user builds.
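
The last step discussed above is turning the AVC denial into a policy rule that ships only in userdebug/eng builds. The following is an added example, not code from the thread, from AOSP or from the hikey-linaro kernel: an audit2allow-style script that parses denial lines, merges permissions per (source type, target type, class), and renders each allow rule inside the userdebug_or_eng(`...') m4 macro used in Android .te files. The AVC lines it parses are constructed for illustration; the scontext matches the case in the thread (u:r:kernel:s0), but the target type example_data_file, the path, pid and comm values are assumptions, not the denial from the original report.

```python
"""Added example, not code from the thread or from AOSP: a small
audit2allow-style helper that turns AVC denial lines into allow rules
wrapped in the userdebug_or_eng() m4 macro used by Android's .te files.

The denial lines in SAMPLE_DENIALS are constructed for illustration.
The scontext matches the case in the thread (u:r:kernel:s0), but the
target type (example_data_file), path, pid and comm values are
assumptions, not taken from the original report.
"""
import re
from collections import defaultdict

# Matches the fields we need from an audit/dmesg AVC record.  The field
# order (perms, scontext, tcontext, tclass) is the order the kernel prints.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Constructed sample input (not real log output from the thread).
SAMPLE_DENIALS = [
    'type=1400 audit(1525700000.000:12): avc: denied { read } for pid=1 '
    'comm="loop0" path="/data/local/tmp/img.bin" dev="sda1" ino=42 '
    'scontext=u:r:kernel:s0 tcontext=u:object_r:example_data_file:s0 '
    'tclass=file permissive=0',
    'type=1400 audit(1525700000.000:13): avc: denied { write } for pid=1 '
    'comm="loop0" path="/data/local/tmp/img.bin" dev="sda1" ino=42 '
    'scontext=u:r:kernel:s0 tcontext=u:object_r:example_data_file:s0 '
    'tclass=file permissive=0',
    # Unrelated audit noise: a line without an AVC record must be ignored.
    'type=1300 audit(1525700000.000:13): arch=c00000b7 syscall=64 success=no',
]


def type_of(context):
    """Return the type field of a SELinux context (u:r:kernel:s0 -> kernel)."""
    return context.split(":")[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, {perms}) for each AVC denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (
            type_of(m.group("scontext")),
            type_of(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()),
        )


def collect_rules(lines):
    """Merge denials sharing (source, target, class) into one permission set."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(lines):
        rules[(src, tgt, tclass)] |= perms
    return dict(rules)


def render_rules(rules, debug_only=True):
    """Render allow rules, one per line.  With debug_only each rule is
    wrapped in userdebug_or_eng(`...') so the build drops it from user builds."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        rule = "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))
        if debug_only:
            rule = "userdebug_or_eng(`%s')" % rule
        out.append(rule)
    return "\n".join(out)


if __name__ == "__main__":
    print(render_rules(collect_rules(SAMPLE_DENIALS)))
```

The generated rule is only a starting point: check it against the neverallow rules in the platform policy before committing it, and, as the reply above suggests, first confirm with id -Z whether the real fix is a domain transition for the console shell rather than a wider allow rule for the kernel domain.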
