On 05/04/2018 09:56 AM, Yongqin Liu wrote:
> Hi, All
>
> When I run "mkfs.ext2 /dev/block/loop7" with 4.14 kernel on AOSP master
> build, I got the following denials:
>
> [ 3004.028178] type=1400 audit(1525358655.127:5624): avc: denied { read } for
> pid=2868 comm="loop7" path="/data/local/tmp/fstest/fstest.img"
> dev="mmcblk0p10" ino=130561 scontext=u:r:kernel:s0
> tcontext=u:object_r:shell_data_file:s0
> tclass=file permissive=0
>
> but I do not get such denials with the 4.9 kernel.
>
> The only change is the kernel version; the userspace of Android is the same.
>
> For details, please check the links here:
>
> 4.14-mkfs.ext2 https://pastebin.ubuntu.com/p/yBzz7TXjGy/
> 4.9-mkfs.ext2 https://pastebin.ubuntu.com/p/JCHYznxHww/
>
> I guess there is a stricter check related to the mkfs operation on the kernel
> side, but I could not find out which operation yet.
> Not sure if anyone knows any clues about this problem.
>
> Thanks in advance!
>
> BTW, mkfs.vfat does not have this problem with 4.14; mkfs.ext4 has the same
> problem.
I see the following in system/sepolicy/public/kernel.te:

    # Allow reading loop device in update_engine_unittests. (b/28319454)
    # and for LTP kernel tests (b/73220071)
    userdebug_or_eng(`
        allow kernel update_engine_data_file:file read;
        allow kernel nativetest_data_file:file read;
    ')

It seems like you could add another rule there for shell_data_file, as long as it remains bracketed by userdebug_or_eng(). This obviously is not something that should happen on user builds.

As to why the kernel changed, I would speculate that some refactoring of the vfs code has caused this check to be triggered (via the security_file_permission hook). We didn't specifically change anything in SELinux in this area as far as I recall.
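As an added example (not code from this thread, nor from the AOSP sepolicy project), the following Python helper parses the avc denial quoted above into its fields and derives the allow rule it implies, wrapping it in userdebug_or_eng() as the reply suggests so it never reaches a user build. The denial text is the one from the thread, embedded inline as sample input; the function names and the choice to omit braces around a single permission are my own assumptions.

```python
import re

# Sample input: the avc denial quoted in the thread, on one line as the kernel logs it.
DENIAL = ('type=1400 audit(1525358655.127:5624): avc: denied { read } for '
          'pid=2868 comm="loop7" path="/data/local/tmp/fstest/fstest.img" '
          'dev="mmcblk0p10" ino=130561 scontext=u:r:kernel:s0 '
          'tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0')

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the denial's fields (perms as a list), or None if not an avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Extract the type from a security context: u:r:kernel:s0 -> kernel."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def suggested_rule(denial, debug_only=True):
    """Build the TE allow rule that would silence this denial.

    With debug_only=True the rule is bracketed by userdebug_or_eng(), so it is
    compiled into userdebug/eng policy only, matching how kernel.te already grants
    the analogous update_engine_data_file and nativetest_data_file reads.
    """
    src = type_of(denial['scontext'])
    tgt = type_of(denial['tcontext'])
    perms = denial['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    rule = 'allow %s %s:%s %s;' % (src, tgt, denial['tclass'], perm_str)
    if debug_only:
        return "userdebug_or_eng(`\n    %s\n')" % rule
    return rule


def is_enforced(denial):
    """True when the denial was actually blocked (permissive=0), not merely logged."""
    return denial.get('permissive') == '0'


if __name__ == '__main__':
    d = parse_avc(DENIAL)
    print('comm=%s path=%s enforced=%s' % (d['comm'], d['path'], is_enforced(d)))
    print(suggested_rule(d))
```

The `permissive` field is worth keeping: a denial with `permissive=1` is only logged, whereas the `permissive=0` seen here means the read was actually refused, which is why mkfs on the loop device fails on 4.14.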