I work on android 11 device and got below avc denial:
avc: denied { write } for name="wake_lock" dev="sysfs" ino=15207 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file permissive=0 app=com.sample.demo
I add below rule to pri_app.te:
allow priv_app sysfs_wake_lock:file { write };
But it doesn't work, then I search it from google and someone said need to add mlstrustedsubject attribute since it's a MLS rulte!
But aosp code add a neverallow rule in system priv_app.te so build will failure:
neverallow priv_app mlstrustedsubject:process fork;
What's correct way to fix this selinux issue?
add mlstrustedobject check for sysfs_wake_lock;
type sysfs_wake_lock, fs_type, sysfs_type,mlstrustedobject;
or
typeattribute sysfs_wake_lock mlstrustedobject;
Related
I am writing daemon for LineageOS which must be able to monitor running processes. But when I have started build I have run into SEPolicy neverallows. Investigating further sepolicy I have found the following rule in system/sepolicy/private/domain.te:
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
Is it possible to somehow bypass this rule without changing code of LineageOS system sepolicy. I have tried the following:
type valord, coredomain, domain;
type valor_db, file_type;
type valord_exec, exec_type, file_type;
init_daemon_domain(valord)
domain_auto_trans(init, valord_exec, valord)
# NOFIX: The valord do not detects proccess when it
# is not given sys_ptrace capability. Since is is
# in neverallow's we have no way but to rewrite neverallow
neverallow {
domain
-valord
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# ...
# Some allow's that are verified to pass
# ..
allow valord self:global_capability_class_set sys_ptrace;
but it still failed with the error that my policy violates above mentioned neverallow in system/sepolicy/private/domain.te
P.S.: The denial message is: 11-12 01:06:22.582 3369 3369 W valord : type=1400 audit(0.0:71): avc: denied { sys_ptrace } for capability=19 scontext=u:r:valord:s0 tcontext=u:r:valord:s0 tclass=capability permissive=0
i have a bespoke deamon i am adding to my android 8.1 source tree.
but i keep getting the error:
type=1400 audit(21.610:3): avc: denied { transition } for pid=217 comm="init" path="/system/bin/rfidmanagerd" dev="dm-1" ino=293 scontext=u:r:init:s0 tcontext=u:object_r:rfidmanager_exec:s0 tclass=process permissive=1
here is my rfidmanager.te file:
# RFID manager process
type rfidmanager, coredomain;
type rfidmanager_exec, exec_type, file_type;
init_daemon_domain(rfidmanager)
domain_auto_trans(init, rfidmanager_exec, rfidmanager)
# Access system/etc/rfid
allow rfidmanager sysfs:file rw_file_perms;
allow rfidmanager tmpfs:chr_file { read write };
allow rfidmanager sysfs:file write;
allow rfidmanager system_file:file r_file_perms;
# Access /data/misc/rfid.
allow rfidmanager misc_rfid_file:dir create_dir_perms;
allow rfidmanager misc_rfid_file:file create_file_perms;
allow rfidmanager misc_rfid_file:file rw_file_perms;
allow rfidmanager misc_rfid_file:file { read write setattr append unlink link rename };
allow rfidmanager misc_rfid_file:fifo_file { create open read write };
# Access /dev/circchar
allow rfidmanager rfidhal_device:chr_file r_file_perms;
allow rfidmanager rfidhal_device:chr_file { read write };
# Access serial ports
allow rfidmanager tty_device:chr_file r_file_perms;
here is my file_contexts:
/system/bin/rfidmanagerd u:object_r:rfidmanager_exec:s0
in my init.te file for the denial i have :
allow init rfidmanager_exec:process {transition};
the device needs to have SELinux on enforcing mode. and here is how i start my service in the init.rc file
service rfidmanagerd /system/bin/rfidmanagerd -c /system/etc/rfid/rfidmanagerd.conf
class core
seclabel u:object_r:rfidmanager_exec:s0
user root
group root system
oneshot
start rfidmanagerd
when i try and start the service manually i.e
su system
./system/bin/rfidmanagerd
it starts, but using ps -eZ i see the service is as follows:
u:r:su:s0 system 859 1 4524 360 poll_schedule_timeout 0 S rfidmanagerd
it should however be with the u:object_r:rfidmanager_exec:s0 as i have defined in my contexts.
it does not start automatically which is understandable via the SELinux denial error, however any combination of allow rules for this particular denial seem to be ignored.
when i try and do start rfidmanagerd (as root)in the terminal i get
[ 474.879385] init: starting service 'rfidmanagerd'...
[ 474.885868] init: property_set("ro.boottime.rfidmanagerd", "474879774055") failed: property already set
[ 474.915929] init: cannot execve('/system/bin/rfidmanagerd'): Permission denied
[ 474.925563] type=1400 audit(480.580:9): avc: denied { transition } for pid=998 comm="init" path="/system/bin/rfidmanagerd" dev="dm-1" ino=381 scontext=u:r:init:s0 tcontext=u:object_r:rfidmanager_exec:s0 tclass=process permissive=0
I understand the denial, but dont understand why my allow rule is not fixing this...
everything runs fine when i am in permissive mode, but as i said i cannot have it in permissive.
Any help would be greatly appreciated!
Thanks
UPDATE -- I HAVE HAD THIS MIGRATED FROM ANDROID ENTHUSIASTS TO STACKEXCHANGE BACK TO ANDROID ENTHUSIASTS - it keeps getting moved, can someone please help me!
for anyone who is having a similar issue....Android 8.1 needs the coredomain to not have a neverallow rule, when compiling the selinux!
However, this has some issues with selinux resolving the setexeccontext.
so the first line in my .te file should read -
type rfidmanager, coredomain, domain;
instead of just
type rfidmanager, coredomain;
i hope this helps anyone.
Hope this will help somebody to save time in future.
You should use this secable in service definition:
seclabel u:r:rfidmanager:s0
I have a unix socket daemon in my audio HAL, which I need to connect to from my app.
I get SELinux denied log as follows:
08-08 10:38:01.939 2622-2622/com.xxx.xxx.xxx W/ksetsdk.xxx: type=1400 audit(0.0:511): avc: denied { connectto } for path=0023xxx scontext=u:r:system_app:s0 tcontext=u:r:audioserver:s0 tclass=unix_stream_socket permissive=0
This is printed even though my app is signed with platform key, is installed in system.img and runs as system:
root#hikey:/ # ps | grep xxx
system 2619 1893 1561788 86956 SyS_epoll_ 0000000000 S com.xxx.xxx.xxx
root#hikey:/ # ps -Z | grep xxx
u:r:system_app:s0 system 2619 1893 1561788 86736 SyS_epoll_ 0000000000 S com.xxx.xxx.xxx
root#hikey:/ #
And I have added SEPolicy as follows:
auditallow system_app audioserver:unix_stream_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown connectto };
Can anyone guide me on what I missed? Is there any rule in AOSP SEPolicy that contradicts with this one? How do I get it to work?
There must've been some sync issue in my building aosp and changing SEPolicy rules.
I did more exhaustive testing and found:
(1) When app is signed by platform key, and requests system uid in manifest, it runs as system_app and following rule works:
auditallow system_app audioserver:unix_stream_socket { connectto };
(2) When app is signed by platform key, but doesn't request system uid in manifest, it runs as platform_app but following rule doesn't work:
auditallow platform_app audioserver:unix_stream_socket { connectto };
(3) If App is not signed by platform key, it runs as priv_app, and following rule doesn't work:
auditallow priv_app audioserver:unix_stream_socket { connectto };
I must've mixed up what rule was built into AOSP when I tested it.
It is still a mystery to me why priv_app or platform_app won't work, but system_app would with similar rule.
I am unable to make sense of this message which I get on my android application. Any experts in the house ?
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
The given SELinux violation:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
Below I'll try to give explanation of important parts of above violation:
denied { create } : Operation Permission State : The denied permission that was requested / executed. In this case, it is a create operation. SELinux denying permission to execute create dir/file operation.
name="access_control.new_commit.cv": Target name : The name of the target (in this case, the file/dir name) which your application, probably, trying to create.
scontext=u:r:untrusted_app:s0 : Source Context : The Source Context for this security violation. This indicates which domain/process is trying to execute create functionality. Here, untrusted_app applications are those which are launched by zygote
tcontext=u:object_r:fuse:s0 : Target Context : The security context of the target resource (in this case the file). Here, the source tried to create file in Fuse file system which has been denied.
tclass=fifo_file : Target Class : The class of the target.
In one sentence, SELinux denied the permission to untrusted_app to create the access_control.new_commit.cv file in fuse.
From Google source, check SEPolicy file untrusted_app.te how the permission has been denied.
NB: If you any suggestion with the answer, let me know.
According to Validating SELinux | Android Open Source Project, for message:
type=1400 audit(0.0:2233): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:fuse:s0:c512,c768 tclass=fifo_file permissive=0
the key info is:
Action: create
Actor=scontext=source context: untrusted_app
Object=tcontext=target context: fuse
object_r=object read ?
Result=tclass=target class: fifo_file=FIFO file
permissive=permissive mode: 0 -> NOT permissive mode
-> is Enforce mode ?
translated to human readable sentence:
untrusted_app want to create a fifo_file for fuse
(But enforce mode of Android SELinux STOP it for no permission, so you see above logcat log info)
I could add that running audit2allow on the error message will give you a suggestion on how to update the untrusted_app.te file.
Dump dmesg to text file:
dmesg > /sdcard/dmesg.txt
cat dmesg.txt | grep avc | audit2allow
will give you the following result in this case:
#============= untrusted_app ==============
allow untrusted_app fuse:fifo_file create;
Add this line to untrusted_app.te and rebuild the Android kernel!
Im having an issue allowing an untrusted app in Android 6 to access the /dev/HSL1 serial interface. This is the error im getting:
[ 757.742286] type=1400 audit(156811.349:149): avc: denied { write } for pid=6422 comm="port_api.sample" name="ttyHSL1" dev="tmpfs" ino=7287 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
The file in question is /dev/ttyHSL1:
1|root#msm8909:/dev # ls -alZ ttyHSL1
crwxrwxrwx root root u:object_r:tty_device:s0 ttyHSL1
The external/sepolicy/untrusted_app.te has the following at the very end of the file:
allow untrusted_app tty_device:chr_file rw_file_perms;
allow untrusted_app device:dir r_dir_perms;
allow untrusted_app tty_device:chr_file write;
I would assume the rw_file_perms macro gives the rw access to the ttyHSL1 file, however its not so from the dmesg output (above). Also app fails with "You do not have r/w permissions on the serial port".
Additionally a snippet from global_macros:
#####################################
# Common groupings of permissions.
#
define(`x_file_perms', `{ getattr execute execute_no_trans }')
define(`r_file_perms', `{ getattr open read ioctl lock }')
define(`w_file_perms', `{ open append write }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
Am I missing something very obvious here?
I have had a similiar issue and belief I have the solution to your problem.
Posting it here, even if your question is quiet old at this point so that others having the same problem may be helped.
The issue is that untrusted apps also have a MSL tag your avc error:
scontext=u:r:untrusted_app:s0:c512,c768
Notice that after the "normal" se-linux staff you have :c512,c768, this seems to be a MLS "tag".
Your untrusted_app.te/tty_device does not handle this - as usual in SELinux by default the app is not allowed to access objects, even though the rest of the rule is ok.
You have three options at this point:
Write rules which allows MLS tagged subjects to your device
Write rules which targets your app and strips the MLS tag
Write rules which leaves the MLS tag but allows access to the device. (Probably the most secure)
I went the first (1) way and added two files under device/manufacturer/device/sepolicy:
file_contexts
/dev/ttyHSL1 u:object_r:arendi_device:s0
serialports.te
type arendi_device, dev_type, mlstrustedobject;
allow untrusted_app_all arendi_device:chr_file rw_file_perms;
Notice the mlstrustedobject tag - this tells SEAndroid that it should ignore MLS tags from subjects wanting access to this label.
There's also mlstrustedsubject which you could add to your app by rules.
My BoardConfig.mk tells Android to look for these new files by adding this line:
BOARD_SEPOLICY_DIRS += device/manufacturer/device/sepolicy
This now allows me access to my serialport under Android Oreo 8.1.
This answer pointed me to this solution:
My custom selinux policies seem to be ignored by android system