After playing around with the latest build of CM for my device (12.1), I decided to try and build my first ROM. So I got Linux, synced sources for 13, etc. (My device tree is here.)
I had to grapple with a few audio-related build errors before I finally got it to build. (If it makes any difference, all the commits I had to revert were related to PCM audio offloading.)
Now, when I try to boot the ROM, it immediately reboots to recovery without even displaying the boot animation. Looking at /proc/last_kmsg, the problem seems to be about SELinux:
...
[ 4.340084] init: (Initializing SELinux enforcing took 0.51s.)
[ 4.349071] type=1400 audit(1468237723.015:4): avc: denied { fowner } for pid=1 comm="init" capability=3 scontext=u:r:kernel:s0 tcontext=u:r:kernel:s0 tclass=capability permissive=0
[ 4.349387] init: SELinux: Could not set context for /init: Operation not permitted
[ 4.349506] init: restorecon failed: Operation not permitted
[ 4.349699] init: Security failure; rebooting into recovery mode...
[ 4.350353] SysRq : Emergency Remount R/O (triggered by init:1)
[ 4.350581] Emergency Remount complete
[ 4.350889] reboot - triggered with task: init (1:1)
...
I'm not familiar with SELinux apart from the fact that it makes system modifications a lot harder, but from what I've seen, both the device-specific and general init.te files in the Android source allow init to use the fowner capability.
I've tried:
Modifying the sepolicy file by making the init domain permissive
Rebuilding the entire ROM with permissive init; in init.te
Commenting out restorecon /adb_keys and restorecon_recursive /mnt in init.rc
Rebuilding the device kernel with EXTRA_CFLAGS += -DCONFIG_ALWAYS_ENFORCE=true
Searching for a solution on Google - a person on XDA had the exact same problem as me but subsequent posts from him/her did not yield any progress or solutions on the matter
None of them made any difference, so basically, I'm fresh out of ideas.
What am I doing wrong?
Related
I'm trying to use pstore logs on my Poco M3. I tried everything. PSTORE configs are activated on the kernel, pstore module is loaded on the phone, phone is rooted, /sys/fs/pstore is mounted automatically but never contains anything.
130|citrus:/ # dmesg | grep pstore
[ 0.094327] console [pstore-1] enabled
[ 0.094468] pstore: Registered ramoops as persistent store backend
[ 1.065975] pstore: Using compression: deflate
[ 98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
[ 98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
it looks like selinux is blocking ls on /sys/fs/pstore. Is there a way to make it always allow ls on /sys/fs/pstore, even after reboot?
I already added androidboot.selinux=permissive to my boot command line and it's recognized on the phone:
130|citrus:/ # getenforce
Permissive
UPDATE: I just learned that permissive means just logging without blocking, so this is not blocking, my pstore is indeed empty. Am I right?
/sys/fs/pstore is used very specifically - to persistently store crash files - kernel oops and last RAM console. So the fact it doesn't contain anything is actually good, in a way.
To see for yourself - simulate a panic. That'd require writing 'c' to /proc/sysrq_trigger (and possibly enabling that via /proc/sys/kernel/sysrq mask). The device will reboot, and on the boot you will see that the store files appear. (Note this has to be the boot immediately following the crash, because the files are cleared thereafter.
Incidentally - Re:SELinux , those AVC logs you showed are because SELinux denied the "ls" operation itself. That is a mandatory access control protection, which prevents reading the directory (even when it is empty). So that wouldn't change much.
I am working on a "GNU/Linux on Android" type of project that is based on Mikael Q. Kuisma's work here .
I built a tool that downloads a toolchain, compiles the kernel, archives the custom ramdisk, and finally bundles them into a boot image.
Expected result:
Kernel boots.
Ramdisk gets loaded and /init is executed using /sbin/busybox.
Actual result:
Kernel does boot.
The kernel never seems to reach /init, and hangs without panicking.
I've tried adding calls to /sbin/busybox poweroff in the /init script to see if it was actually reaching execution, nothing changed.
I identified a few points that seemed problematic, one being this:
[ 3.880314] Warning: unable to open an initial console.
[ 3.880429] Waiting for root device ... # Might be the problem.
[ 4.882304] lct will vote for sdp current
[ 4.882437] pmi632_charger: smblib_update_usb_type: lct v02 battery charge APSD=SDP PD=0
[ 4.889933] msm-dwc3 7000000.ssusb: DWC3 exited from low power mode
[ 5.520181] of_batterydata_get_best_profile: light_4000mAh found
[ 8.760236] cfg_timer_func enter
[ 8.760267] cfg_work_routine enter
# Nothing appears after this point...
I have included the source code for my build tool with the kernel log buffer in this git repository. You can find the defconfig I used for the kernel build here.
Any help would be appreciated. :)
I am building LineageOS 18.1 for tecno kd7. I have system, system_ext, product & vendor paritions. The rom port I built is having a boot loop.
Here is the last_kmsg
What is causing the boot loop?
I am suspecting these lines
[ 1.802608] (0)[354:apexd]apexd: This device does not support updatable APEX. Exiting
[ 2.352523] (0)[1:init]reboot: Restarting system with command 'boringssl-self-check-failed'
I just need direction on what I need to what is causing the phone to bootloop
I also faced the same issue. The boringssl-self-test binary is using incorrect libcrypto.so library.
You can run the boringssl-self-test with strace and check for the issue.
In file : external/boringssl/selftest/boringssl_self_test.rc
service boringssl_self_test64_vendor /system/bin/strace -tt /vendor/bin/boringssl_self_test64
setenv BORINGSSL_SELF_TEST_CREATE_FLAG true # Any nonempty value counts as true
#reboot_on_failure reboot,boringssl-self-check-failed
stdio_to_kmsg
seclabel u:r:vendor_boringssl_self_test:s0
I am getting my android's logcat spammed with these warnings.(rooted with magisk)
10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0
I was looking into the following doc to see how could i fix this issue, but cannot figure it out.
https://source.android.com/security/selinux/device-policy
https://source.android.com/security/selinux/validate
https://source.android.com/security/selinux/concepts
https://source.android.com/security/selinux/implement
https://gist.github.com/msfjarvis/ec52b48eb2df1688b7cbe32bcd39ee5f
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script
https://source.android.com/security/selinux/customize#android-o
https://android.stackexchange.com/questions/218911/how-to-add-selinux-policy-on-a-user-debug-rom-that-has-split-policy-scheme
https://android.stackexchange.com/questions/214839/how-to-run-an-android-init-service-with-superuser-selinux-context
https://topjohnwu.github.io/Magisk/tools.html#magiskpolicy
https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process
https://topjohnwu.github.io/Magisk/guides.html#boot-scripts
I looked in /dev, but i do not have anything similar.
android# ls -l /dev/ | grep sd
#returns nothing
The inode resolves to this file:
find /sys -xdev -inum 28978
/sys/firmware/devicetree/base/__symbols__/sb_7_tx
However on next reboot resolves to other file but the errors are always related to one single inode.
I suppose i should add this rule in a .te file
allow kernel oem_device:blk_file {read write};
adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy
#this confirms the rule
I found some related files to selinux in this dump:
https://git.rip/dumps/oneplus/oneplus7tpro/-/find_file/hotdog-user-10-QKQ1.190716.003-2009281542-release-keys
but i am not very sure where should i add the rule..possibly somewhere in /vendor/etc/selinux..
Does anyone know which are the steps to fix these warnings and maybe further dig into the investigation why they occur in the first place?
Thanks
The reason why it shows is straightforward from the error. kernel is trying to read/write a blk_file labeled with oem_device type.
At this point you have couple of options:
Add allow rule if you want to allow the access to happen.
Add dontaudit rule, if you want to just suppres the log. See
here
The rule should be added into kernel.te.
Usually these custom things go into device/XXXXXX, depending on the vendor. For example in my tree, for a rockchip device, I'd modify /device/rockchip/common/sepolicy/vendor/kernel.te
To rebuild policies you would:
source build/envsetup.sh
lunch-yourTarget
mmm system/sepolicy
And to flash them into the system ( if you're userdebug and can remount it ):
adb root
adb remount
adb push out/target/product/YOUR_DEVICE/vendor/etc/selinux /vendor/etc/
adb push out/target/product/YOUR_DEVICE/system/etc/selinux /system/etc/
adb shell sync
adb reboot
If you can't push them, you'll need to rebuild and flash the system
I managed to fix the warnings with this command:
magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
'open' right was also granted because another warning related to it would appear after allowing only read/write.
Still I cannot understand:
why is kernel trying to access this
what exactly is trying to access
shouldn't magisk take care of the selinux policies related to such low level grants such as kernel
not sure how can i make this fix permanent (to persist upon reboot). From my research it looks like i have to modify a certain file in boot.img, repack it and push it back to android.
On this page:
https://topjohnwu.github.io/Magisk/tools.html
it's specified a tool magiskboot which should be used for such patching but I do not have it.
A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms.
I will come back with any findings..
UPDATE:
I managed to permanently add the fixes at boottime with a post-fs-data script that runs during booting process. It might not be 100% fix because, the boot image should be patched instead so that magiskinit loads the policies even before init is executed, but it still however fixes the warnings in logcat after the boot process ended
REF:
https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process
https://topjohnwu.github.io/Magisk/guides.html#boot-scripts
su -
cd /data/adb/post-fs-data.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh #add this line (and any other rules you need):
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
I have modified bluedroid to include a small unix socket server for reasons.
When client starts, I see that SElinux doesn't like it, and throws out this:
05-26 18:01:41.072 6248-6248/? I/com.gps.uclient: type=1400 audit(0.0:20): avc: denied { connectto } for path=00236264726F696468696472617773727663 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:bluetooth:s0 tclass=unix_stream_socket permissive=1
This socket does not have a real path. How do I add SELinux rule to allow this socket?
Update
Tried audit2allow as mentioned by Google here
Got errors.
gps#gps-HP-ProBook-4540s:~$ audit2allow -i sedeny.txt -p ./andsrc/android-6.0.1_r25/out/target/product/flo/root/sepolicy
libsepol.policydb_read: policydb version 30 does not match my version range 15-29
libsepol.context_from_record: user u is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert u:r:untrusted_app:s0:c512,c768 to sid
I have no real experience in SELinux, so I am pretty much stuck here.
The error was:
policydb version 30 does not match my version...
This error was generated by audit2allow installed with apt-get.
It is resolved by using audit2allow found in the AOSP.