On 05/07/2018 12:51 PM, Stephen Smalley wrote:
> On 05/07/2018 12:30 PM, Yongqin Liu wrote:
>> I ran the commands as root with a userdebug build, after running the su command.
>
> Can you run id -Z before and after running su? I'm trying to understand why
> the scontext is u:r:kernel:s0 instead of e.g. u:r:shell:s0 (regular shell) or
> u:r:su:s0 (su shell). Is it because it is a console rather than adb and
> there is no domain transition defined for shell execution from the console?
> Should there be a domain_auto_trans(kernel, shell_exec, shell) rule in policy?

Actually, we don't allow the kernel domain to execute anything other than init, so I don't understand how you got a shell running in the kernel domain (if that is in fact what you did).

>
>> It makes sense that you would need read and write permissions to the
>> underlying storage. I am a little puzzled as to why it is showing up as a
>> denial on a scontext of u:r:kernel:s0 unless your console shell is running in
>> the kernel's context.
>>
>> I don't know what changed in the kernel but it seems correct that it
>> is now making these checks. Possibly this was part of the changes to support
>> mounting of filesystems from user namespaces, to ensure that the
>> process was truly authorized to read/write the underlying storage.
>>
>> I think I found the change; it is the change here:
>>
>> https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3
>>
>> In the change, it calls do_iter_write in vfs_iter_write, and that makes
>> vfs_iter_write call rw_verify_area directly:
>>
>> https://android.googlesource.com/kernel/hikey-linaro/+/android-hikey-linaro-4.14/fs/read_write.c#938
>>
>> which calls security_file_permission for the permission check.
>>
>> While the 4.9 vfs_iter_write does not call security_file_permission in its
>> implementation here:
>>
>> https://android.googlesource.com/kernel/hikey-linaro/+/android-hikey-linaro-4.9/fs/read_write.c
>>
>> I have not verified my thought with any build yet, but I think if I reverted
>> the above change for the 4.14 kernel, then the denials would go away.
>>
>> Verified with the change
>> https://android.googlesource.com/kernel/hikey-linaro/+/abbb65899aecfc97bda64b6816d1e501754cfe1f%5E%21/#F3
>> reverted, and no similar avc denials were reported again. And the original
>> failed VTS test cases pass now.
>>
>> Need to check how to update the sepolicy rules on the userspace side.
>
> Just make sure you wrap it with userdebug_or_eng() so it doesn't get included
> in user builds.
>
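The closing exchange is about writing the allow rule for these denials so that it only lands in userdebug/eng builds. As an added example, not code from the thread or from the Android sepolicy project, here is a small Python helper that groups avc denial lines by (source domain, target type, class) and renders them wrapped in userdebug_or_eng(); the log lines are constructed for the example and the target type EXAMPLE_BLOCK_TYPE is a placeholder, since the thread does not quote the actual denials.

```python
import re
from collections import defaultdict

# Constructed sample denials in the kernel avc log format. The source
# context u:r:kernel:s0 comes from the thread; the target type, path and
# object class are placeholders, not values reported on the list.
SAMPLE_DENIALS = """\
avc: denied { read write } for pid=1 comm="init" path="/dev/block/loop0" dev="tmpfs" ino=1234 scontext=u:r:kernel:s0 tcontext=u:object_r:EXAMPLE_BLOCK_TYPE:s0 tclass=blk_file permissive=0
avc: denied { open } for pid=1 comm="init" path="/dev/block/loop0" dev="tmpfs" ino=1234 scontext=u:r:kernel:s0 tcontext=u:object_r:EXAMPLE_BLOCK_TYPE:s0 tclass=blk_file permissive=0
not an avc line at all
"""

# Captures the permission set, source context, target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)


def parse_denials(text):
    """Return {(source_domain, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skip lines that are not avc denials
        src = m.group("s").split(":")[2]  # u:r:kernel:s0 -> kernel
        tgt = m.group("t").split(":")[2]  # u:object_r:X:s0 -> X
        rules[(src, tgt, m.group("c"))].update(m.group("perms").split())
    return dict(rules)


def to_policy(rules, debug_only=True):
    """Render allow rules; wrap each in userdebug_or_eng() when debug_only.

    The m4 quoting style userdebug_or_eng(`...') is the one used in the
    Android sepolicy sources, so the rule is dropped from user builds.
    """
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        out.append(f"userdebug_or_eng(`{rule}')" if debug_only else rule)
    return "\n".join(out)


if __name__ == "__main__":
    print(to_policy(parse_denials(SAMPLE_DENIALS)))
```

Run it against real `dmesg` or `logcat` output to get the candidate rules; review each one before adding it to the policy, since a denial is not by itself proof that the access should be allowed.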