kernel.te

      b0a99513
      Allow kernel thread to read app data files · b0a99513
      Nick Kralevich authored
      When vold mounts an OBB on behalf of another application, the kernel
      spins up the "loop0" thread to perform the mount operation. Grant
      the kernel thread the ability to read app data files, so the mount
      operation can succeed.
      
      Steps to reproduce:
      
        1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java
      
      Expected:
      
        1) All tests pass
      
      Actual:
      
        Test failure, with the following error message:
      
        loop0   : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
        Vold    : Image mount failed (I/O error)
        MountService: Couldn't mount OBB file: -1
        StorageManager: Received message.  path=/data/data/com.android.cts.stub/files/test1.obb, state=21
        TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
        TestRunner: ----- begin exception -----
        TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
        TestRunner:    at junit.framework.Assert.fail(Assert.java:50)
        TestRunner:    at junit.framework.Assert.assertTrue(Assert.java:20)
        TestRunner:    at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)
      
      Bug: 17428116
      Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
      Allow kernel thread to read app data files
      Nick Kralevich authored
      When vold mounts an OBB on behalf of another application, the kernel
      spins up the "loop0" thread to perform the mount operation. Grant
      the kernel thread the ability to read app data files, so the mount
      operation can succeed.
      
      Steps to reproduce:
      
        1) Run: runtest --path cts/tests/tests/os/src/android/os/storage/cts/StorageManagerTest.java
      
      Expected:
      
        1) All tests pass
      
      Actual:
      
        Test failure, with the following error message:
      
        loop0   : type=1400 audit(0.0:46): avc: denied { read } for path="/data/data/com.android.cts.stub/files/test1.obb" dev="mmcblk0p16" ino=115465 scontext=u:r:kernel:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
        Vold    : Image mount failed (I/O error)
        MountService: Couldn't mount OBB file: -1
        StorageManager: Received message.  path=/data/data/com.android.cts.stub/files/test1.obb, state=21
        TestRunner: failed: testMountAndUnmountObbNormal(android.os.storage.cts.StorageManagerTest)
        TestRunner: ----- begin exception -----
        TestRunner: junit.framework.AssertionFailedError: OBB should be mounted
        TestRunner:    at junit.framework.Assert.fail(Assert.java:50)
        TestRunner:    at junit.framework.Assert.assertTrue(Assert.java:20)
        TestRunner:    at android.os.storage.cts.StorageManagerTest.mountObb(StorageManagerTest.java:235)
      
      Bug: 17428116
      Change-Id: Id1a39a809b6c3942ff7e08884b40e3e4eec73b6a
    # Life begins with the kernel.
    # Declared with the "domain" attribute, so every rule written against
    # "domain" (including the neverallow rules at the end of this file)
    # applies to the kernel type as well.
    type kernel, domain;
    
    # Run /init before we have switched domains.
    allow kernel rootfs:file execute_no_trans;
    
    # setcon to init domain.
    allow kernel self:process setcurrent;
    allow kernel init:process dyntransition;
    
    # The kernel is unconfined.
    # NOTE(review): "unconfined" means whatever the unconfined_domain() macro
    # expands to, not literally everything -- the explicit allow rules below
    # (e.g. app_data_file read) were still needed, so the macro presumably does
    # not cover them. The neverallow rules at the bottom of this file apply to
    # the kernel domain regardless of this macro.
    unconfined_domain(kernel)
    
    # cgroup filesystem initialization prior to setting the cgroup root directory label.
    allow kernel unlabeled:dir search;
    
    # Mount usbfs.
    allow kernel usbfs:filesystem mount;
    
    # init direct restorecon calls prior to switching to init domain
    # /dev and /dev/socket
    allow kernel { device socket_device }:dir relabelto;
    # /dev/__properties__
    allow kernel properties_device:file relabelto;
    # /sys
    allow kernel sysfs:{ dir file lnk_file } relabelfrom;
    allow kernel sysfs_type:{ dir file lnk_file } relabelto;
    
    # Initial setenforce by init prior to switching to init domain.
    # We use dontaudit instead of allow to prevent a kernel spawned userspace
    # process from turning off SELinux once enabled.
    # (dontaudit only silences the denial in the audit log; the access is
    # still denied.)
    dontaudit kernel self:security setenforce;
    
    # Set checkreqprot by init.rc prior to switching to init domain.
    allow kernel self:security setcheckreqprot;
    
    # MTP sync (b/15835289)
    # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
    # Note: this rule grants write as well as read on sdcard_type files.
    allow kernel sdcard_type:file { read write };
    
    # Allow the kernel to read OBB files from app directories. (b/17428116)
    # Kernel thread "loop0" reads a vold supplied file descriptor.
    # Fixes CTS tests:
    #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
    #  * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
    # The denial this resolves was:
    #   avc: denied { read } scontext=u:r:kernel:s0
    #   tcontext=u:object_r:app_data_file:s0 tclass=file
    # Only "read" is granted here (no write), narrower than the sdcard_type rule
    # above. Policy rules are keyed by type, so this applies to every task in
    # the kernel domain, not just the loop0 thread.
    allow kernel app_data_file:file read;
    
    ###
    ### neverallow rules
    ###
    
    # The initial task starts in the kernel domain (assigned via
    # initial_sid_contexts), but nothing ever transitions to it.
    neverallow domain kernel:process { transition dyntransition };
    
    # The kernel domain is never entered via an exec, nor should it
    # ever execute a program outside the rootfs without changing to another domain.
    # If you encounter an execute_no_trans denial on the kernel domain, then
    # possible causes include:
    # - The program is a kernel usermodehelper.  In this case, define a domain
    #   for the program and domain_auto_trans() to it.
    # - You failed to setcon u:r:init:s0 in your init.rc and thus your init
    #   program was left in the kernel domain and is now trying to execute
    #   some other program.  Fix your init.rc file.
    # - You are running an exploit which switched to the init task credentials
    #   and is then trying to exec a shell or other program.  You lose!
    # "-rootfs" excludes rootfs from the target set, which is what keeps the
    # "allow kernel rootfs:file execute_no_trans" rule near the top of this
    # file from conflicting with this neverallow.
    neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };