On 05/04/2018 09:56 AM, Yongqin Liu wrote:
> Hi, All
>
> When I run "mkfs.ext2 /dev/block/loop7" with 4.14 kernel on AOSP master
> build, I got the following denials:
>
> [ 3004.028178] type=1400 audit(1525358655.127:5624): avc: denied { read } for
> pid=2868 comm="loop7" path="/data/local/tmp/fstest/fstest.img"
> dev="mmcblk0p10" ino=130561 scontext=u:r:kernel:s0
> tcontext=u:object_r:shell_data_file:s0
> tclass=file permissive=0
>
>
> but not get such denials with 4.9 kernel.
>
> The only change is the kernel version, the userspace of Android is the same.
>
> For details, please check the links here:
>
> 4.14-mkfs.ext2 https://pastebin.ubuntu.com/p/yBzz7TXjGy/
> 4.9-mkfs.ext2 https://pastebin.ubuntu.com/p/JCHYznxHww/
>
>
> I guess there is a stricter check related to the mkfs operation on the kernel
> side, but I could not find out which operation yet.
> Not sure if anyone knows any clues about this problem.
>
> Thanks in advance!
>
> BTW, mkfs.vfat does not have this problem with 4.14, mkfs.ext4 has the same
> problem.
I see the following in system/sepolicy/public/kernel.te:

# Allow reading loop device in update_engine_unittests. (b/28319454)
# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
allow kernel nativetest_data_file:file read;
')

It seems like you could add another rule there for shell_data_file, as long as it remains bracketed by userdebug_or_eng(). This obviously is not something that should happen on user builds.

As to why the kernel changed, I would speculate that some refactoring of the vfs code has caused this check to be triggered (via the security_file_permission hook). We didn't specifically change anything in SELinux in this area as far as I recall.
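The step the reply describes, going from the avc denial line to an `allow` rule wrapped in `userdebug_or_eng()`, is what audit2allow does in miniature. The following is an added example, not code from the thread or from AOSP's sepolicy tooling: it parses avc denials of the format quoted above (the first sample line is the thread's denial re-joined onto one line; the second is a constructed line with two permissions and permissive=1 to exercise the merging path), merges permissions per (source type, target type, class), and renders the resulting rules inside the `userdebug_or_eng` m4 macro from kernel.te. The function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample log. Line 1 is the denial quoted in the thread; line 2 is
# a made-up denial with two permissions logged in permissive mode; line 3 is
# noise that the parser must skip.
SAMPLE_LOG = [
    '[ 3004.028178] type=1400 audit(1525358655.127:5624): avc: denied { read } for '
    'pid=2868 comm="loop7" path="/data/local/tmp/fstest/fstest.img" '
    'dev="mmcblk0p10" ino=130561 scontext=u:r:kernel:s0 '
    'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0',
    '[ 3005.000000] type=1400 audit(1525358656.000:5625): avc: denied { read write } for '
    'pid=2868 comm="loop7" path="/data/local/tmp/fstest/fstest.img" '
    'dev="mmcblk0p10" ino=130561 scontext=u:r:kernel:s0 '
    'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1',
    'unrelated kernel line that should be ignored',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: tuple          # permissions that were denied, e.g. ('read',)
    source_type: str      # type of the subject context, e.g. 'kernel'
    target_type: str      # type of the object context, e.g. 'shell_data_file'
    tclass: str           # object class, e.g. 'file'
    enforced: bool        # permissive=0 means the access was actually blocked
    fields: dict          # every key=value field, for reporting (comm, path, ...)


def type_of(context):
    """Return the type component of a user:role:type:level context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a security context: {context!r}')
    return parts[2]


def parse_denial(line):
    """Parse one avc denial; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return Denial(
        perms=tuple(m.group('perms').split()),
        source_type=type_of(fields['scontext']),
        target_type=type_of(fields['tcontext']),
        tclass=fields['tclass'],
        enforced=fields.get('permissive', '0') == '0',
        fields=fields,
    )


def allow_rule(source_type, target_type, tclass, perms):
    """Render one TE allow rule; braces only when more than one permission."""
    perms = sorted(set(perms))
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {source_type} {target_type}:{tclass} {perm_str};'


def rules_from_log(lines):
    """Merge denials by (source, target, class) and return allow rules, sorted."""
    merged = {}
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (d.source_type, d.target_type, d.tclass)
        merged.setdefault(key, set()).update(d.perms)
    return [allow_rule(*key, perms) for key, perms in sorted(merged.items())]


def debug_only_block(rules):
    """Wrap rules in the userdebug_or_eng() macro used in kernel.te, so they are
    compiled into userdebug/eng policy only and never into user builds."""
    return "userdebug_or_eng(`\n" + "\n".join(rules) + "\n')"


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        d = parse_denial(line)
        if d:
            print(f"{d.fields.get('comm')} -> {d.fields.get('path')} "
                  f"({'enforced' if d.enforced else 'permissive'}): {d.perms}")
    print(debug_only_block(rules_from_log(SAMPLE_LOG)))
```

Running it over the thread's denial alone yields `allow kernel shell_data_file:file read;` inside the macro, which is exactly the shape of the two existing rules in kernel.te. The merge step matters when a test produces many denials for the same triple: one rule per triple is easier to review than one per log line, and the `enforced` flag tells you whether the access was actually blocked or merely logged on a permissive domain.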