
SELinux issue in Android 6

I'm having an issue allowing an untrusted app in Android 6 to access the /dev/HSL1 serial interface. This is the error I'm getting:

[  757.742286] type=1400 audit(156811.349:149): avc: denied { write } for pid=6422 comm="port_api.sample" name="ttyHSL1" dev="tmpfs" ino=7287 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0

The file in question is /dev/ttyHSL1:

1|root@msm8909:/dev # ls -alZ ttyHSL1
crwxrwxrwx root     root              u:object_r:tty_device:s0 ttyHSL1

The external/sepolicy/untrusted_app.te has the following at the very end of the file:

allow untrusted_app tty_device:chr_file rw_file_perms;
allow untrusted_app device:dir r_dir_perms;
allow untrusted_app tty_device:chr_file write;

I would assume the rw_file_perms macro gives rw access to the ttyHSL1 file, however it's not so from the dmesg output (above). Also the app fails with "You do not have r/w permissions on the serial port".

Additionally a snippet from global_macros:

#####################################
# Common groupings of permissions.
#
define(`x_file_perms', `{ getattr execute execute_no_trans }')
define(`r_file_perms', `{ getattr open read ioctl lock }')
define(`w_file_perms', `{ open append write }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')

Am I missing something very obvious here?

I have had a similar issue and believe I have the solution to your problem. Posting it here, even if your question is quite old at this point, so that others having the same problem may be helped.

The issue is that untrusted apps also have an MLS tag in your avc error:

scontext=u:r:untrusted_app:s0:c512,c768

Notice that after the "normal" SELinux stuff you have :c512,c768; this seems to be an MLS "tag". Your untrusted_app.te/tty_device does not handle this, and as usual in SELinux, by default the app is not allowed to access objects, even though the rest of the rule is ok. You have three options at this point:

  1. Write rules which allow MLS-tagged subjects to access your device
  2. Write rules which target your app and strip the MLS tag
  3. Write rules which leave the MLS tag but allow access to the device. (Probably the most secure)

I went the first (1) way and added two files under device/manufacturer/device/sepolicy:

file_contexts

/dev/ttyHSL1 u:object_r:arendi_device:s0

serialports.te

type arendi_device, dev_type, mlstrustedobject;

allow untrusted_app_all arendi_device:chr_file rw_file_perms;

Notice the mlstrustedobject tag; this tells SEAndroid that it should ignore MLS tags from subjects wanting access to this label. There's also mlstrustedsubject, which you could add to your app by rules.

My BoardConfig.mk tells Android to look for these new files by adding this line:

BOARD_SEPOLICY_DIRS += device/manufacturer/device/sepolicy

This now allows me access to my serialport under Android Oreo 8.1.

This answer pointed me to this solution: My custom selinux policies seem to be ignored by android system
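As an added example (not code from the question, the answer, or AOSP), here is a small Python script that parses avc denial lines like the one in the question, drafts one allow rule per (source type, target type, class) the way audit2allow would, and flags the situation the answer describes: a subject context carrying categories (c512,c768) that the object context lacks. The three dmesg lines are constructed for this example; the first is the denial quoted in the question, the other two are made up to show permission merging and a subject with no categories. Whether such a mismatch is the real cause in your tree depends on the mls constraints in your policy; the script only points it out, it does not read the policy.

```python
"""Parse SEAndroid avc denials from dmesg, draft the allow rules they imply,
and flag subject/object MLS category mismatches.

Added example for this page; not code from the question, the answer or AOSP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample dmesg output. Line 1 is the denial quoted in the question;
# lines 2 and 3 are made up for this example (a second write-class denial from
# the same app, and a shell-domain process whose context has no categories).
SAMPLE_DMESG = """\
[  757.742286] type=1400 audit(156811.349:149): avc: denied { write } for pid=6422 comm="port_api.sample" name="ttyHSL1" dev="tmpfs" ino=7287 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
[  757.742301] type=1400 audit(156811.349:150): avc: denied { append } for pid=6422 comm="port_api.sample" name="ttyHSL1" dev="tmpfs" ino=7287 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
[  758.000000] type=1400 audit(156811.500:151): avc: denied { getattr } for pid=1234 comm="sh" path="/dev/ttyHSL1" dev="tmpfs" ino=7287 scontext=u:r:shell:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file permissive=0
"""

# Matches the fields we need from an avc denial; everything between "for" and
# "scontext=" (pid, comm, name, ...) is skipped.
AVC_RE = re.compile(
    r"avc: +denied +\{ (?P<perms>[^}]+)\} +for .*?"
    r"scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Context:
    """A security context: user:role:type:sensitivity[:categories]."""
    user: str
    role: str
    setype: str
    sensitivity: str
    categories: Tuple[str, ...]

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        parts = ctx.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a security context: {ctx!r}")
        # u:r:untrusted_app:s0:c512,c768 -> categories ("c512", "c768");
        # u:r:shell:s0 -> no categories.
        cats = tuple(parts[4].split(",")) if len(parts) > 4 and parts[4] else ()
        return cls(parts[0], parts[1], parts[2], parts[3], cats)


@dataclass(frozen=True)
class Denial:
    perms: Tuple[str, ...]
    scontext: Context
    tcontext: Context
    tclass: str


def parse_denials(text: str) -> List[Denial]:
    """Extract every avc denial from a dmesg/logcat dump."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            scontext=Context.parse(m.group("scontext")),
            tcontext=Context.parse(m.group("tcontext")),
            tclass=m.group("tclass"),
        ))
    return denials


def mls_mismatch(d: Denial) -> bool:
    """True when the subject carries categories the object lacks. As the answer
    above explains, a plain allow rule does not clear such a denial if an MLS
    constraint applies; the object type needs mlstrustedobject (or the subject
    mlstrustedsubject)."""
    return bool(set(d.scontext.categories) - set(d.tcontext.categories))


def draft_rules(denials: List[Denial]) -> List[str]:
    """Merge denials per (source type, target type, class) into one allow rule
    each, preceded by a comment when an MLS category mismatch was seen."""
    merged: Dict[Tuple[str, str, str], set] = {}
    flagged: Dict[Tuple[str, str, str], bool] = {}
    for d in denials:
        key = (d.scontext.setype, d.tcontext.setype, d.tclass)
        merged.setdefault(key, set()).update(d.perms)
        flagged[key] = flagged.get(key, False) or mls_mismatch(d)
    out = []
    for key in sorted(merged):
        src, tgt, cls = key
        if flagged[key]:
            out.append(f"# {src} runs with categories that {tgt} lacks: allow alone "
                       f"is not enough, give {tgt} mlstrustedobject "
                       f"(or {src} mlstrustedsubject)")
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(merged[key]))} }};")
    return out


if __name__ == "__main__":
    for rule in draft_rules(parse_denials(SAMPLE_DMESG)):
        print(rule)
```

Run it against a real `dmesg | grep avc` dump by replacing SAMPLE_DMESG with the captured text; the generated allow lines are a starting point to review, not a policy to paste in unread, since a denial on a tty device from an untrusted app is exactly the kind of access the default policy withholds on purpose.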
