
Android's Logcat spammed with selinux avc denials on tmpfs, type 1400 by kworker/kernel

I am getting my Android's logcat spammed with these warnings (rooted with Magisk).

10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0

I was looking into the following docs to see how I could fix this issue, but cannot figure it out.

https://source.android.com/security/selinux/device-policy

https://source.android.com/security/selinux/validate

https://source.android.com/security/selinux/concepts

https://source.android.com/security/selinux/implement

https://gist.github.com/msfjarvis/ec52b48eb2df1688b7cbe32bcd39ee5f

https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script

https://source.android.com/security/selinux/customize#android-o

https://android.stackexchange.com/questions/218911/how-to-add-selinux-policy-on-a-user-debug-rom-that-has-split-policy-scheme

https://android.stackexchange.com/questions/214839/how-to-run-an-android-init-service-with-superuser-selinux-context

https://topjohnwu.github.io/Magisk/tools.html#magiskpolicy

https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process

https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

I looked in /dev, but I do not have anything similar.

android# ls -l /dev/ | grep sd
#returns nothing

The inode resolves to this file:

find /sys -xdev -inum 28978
/sys/firmware/devicetree/base/__symbols__/sb_7_tx

However, on the next reboot it resolves to another file, but the errors are always related to one single inode.

I suppose I should add this rule in a .te file:

allow kernel oem_device:blk_file {read write};

adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy
#this confirms the rule

I found some related files to selinux in this dump:

https://git.rip/dumps/oneplus/oneplus7tpro/-/find_file/hotdog-user-10-QKQ1.190716.003-2009281542-release-keys

but I am not very sure where I should add the rule.. possibly somewhere in /vendor/etc/selinux..

Does anyone know the steps to fix these warnings, and maybe how to dig further into why they occur in the first place?

Thanks

The reason it shows is straightforward from the error: the kernel is trying to read/write a blk_file labeled with the oem_device type.

At this point you have a couple of options:

  1. Add an allow rule if you want to allow the access to happen.
  2. Add a dontaudit rule if you just want to suppress the log. See here.

The rule should be added into kernel.te.
Usually these custom things go into device/XXXXXX, depending on the vendor. For example in my tree, for a Rockchip device, I'd modify /device/rockchip/common/sepolicy/vendor/kernel.te

To rebuild policies you would:

source build/envsetup.sh
lunch yourTarget
mmm system/sepolicy

And to flash them into the system (if you're on userdebug and can remount it):

adb root
adb remount
adb push out/target/product/YOUR_DEVICE/vendor/etc/selinux /vendor/etc/
adb push out/target/product/YOUR_DEVICE/system/etc/selinux /system/etc/
adb shell sync

adb reboot

If you can't push them, you'll need to rebuild and flash the system.

I managed to fix the warnings with this command:

magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'

The 'open' right was also granted because another warning related to it would appear after allowing only read/write.

Still I cannot understand:

  1. why the kernel is trying to access this
  2. what exactly it is trying to access
  3. shouldn't Magisk take care of the SELinux policies related to such low-level grants, such as for kernel
  4. not sure how I can make this fix permanent (to persist upon reboot). From my research it looks like I have to modify a certain file in boot.img, repack it and push it back to Android.

On this page: https://topjohnwu.github.io/Magisk/tools.html

a tool called magiskboot is specified, which should be used for such patching, but I do not have it.

A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms.

I will come back with any findings..

UPDATE: I managed to permanently add the fixes at boot time with a post-fs-data script that runs during the boot process. It might not be a 100% fix, because the boot image should be patched instead so that magiskinit loads the policies even before init is executed, but it still fixes the warnings in logcat after the boot process has ended.

REF:

https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process

https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

su -
cd /data/adb/post-fs-data.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh #add this line (and any other rules you need):
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
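As an added example (not code from the question or the answers), a small Python script that parses type=1400 AVC lines like the one quoted in the question, merges repeated denials for the same source/target/class (as happened when the 'open' denial showed up after read/write had been allowed), and emits the resulting rule in both .te and magiskpolicy syntax. The sample log lines are constructed; only the first one is the line from the question.

```python
"""Parse Android SELinux AVC denials from logcat into .te and magiskpolicy rules."""
import re
from collections import defaultdict

# Fields of an avc denial as printed by logcat: the denied permissions, the
# source and target contexts and the object class.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?scontext=(?P<src>\S+) "
    r"tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Third field of a context: u:r:kernel:s0 -> kernel."""
    return ctx.split(":")[2]

def parse_denials(lines):
    """Group denied permissions by (source type, target type, class); denials
    for the same triple are merged, so read/write plus a later open denial on
    the same object yield a single rule."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial line
        key = (context_type(m["src"]), context_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def te_rule(src, tgt, cls, perms, kind="allow"):
    """.te syntax; kind='dontaudit' only silences the log without granting."""
    plist = " ".join(sorted(perms))
    return f"{kind} {src} {tgt}:{cls} {{ {plist} }};"

def magiskpolicy_cmd(src, tgt, cls, perms, kind="allow"):
    """magiskpolicy --live syntax: no colon between target type and class."""
    plist = " ".join(sorted(perms))
    return f"magiskpolicy --live '{kind} {src} {tgt} {cls} {{ {plist} }}'"

# Constructed sample: the denial quoted in the question, a follow-up 'open'
# denial of the kind seen after allowing only read/write, and a non-AVC line.
SAMPLE_LOG = [
    '10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): '
    'avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 '
    'scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0',
    '10-15 22:03:01.120 12944 12944 W kworker/0:4: type=1400 audit(0.0:87191): '
    'avc: denied { open } for name="sde73" dev="tmpfs" ino=28978 '
    'scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0',
    '10-15 22:03:02.000  1234  1234 I ActivityManager: not an avc line',
]
```

Feed it the lines of `adb logcat -b all -d` and compare the output with what audit2allow produced for the pulled policy; it is only a helper for reading denials, it does not decide whether granting the access is appropriate.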
