    aadf611e
    vold: temporarily re-grant access to default proc label · aadf611e
    Jeff Vander Stoep authored
    On Marlin/Sailfish, StorageManager tests in CTS are exposing a bug
    where the /proc/<pid>/ns/mnt files for system_server are briefly
    mislabeled as "proc" instead of "system_server", resulting in the
    tests failing. Temporarily re-granting access to the default label
    until the labeling issue can be tracked down.
    
    Repro steps:
    cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases \
    -t android.os.storage.cts.StorageManagerTest
    
    Failures:
    
    android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor
    fail: java.lang.IllegalStateException: command '58 appfuse mount 10065
    959 0' failed with '400 58 Command failed'
    
    android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor_async
    fail: java.lang.IllegalStateException: command '59 appfuse mount 10065
    959 1' failed with '400 59 Command failed'
    
    android.os.storage.cts.StorageManagerTest#testOpenProxyFileDescriptor_error
    fail: java.lang.IllegalStateException: command '60 appfuse mount 10065
    959 2' failed with '400 60 Command failed'
    
    From the log:
    
    10-04 20:41:22.972   595   604 E vold    : Failed to open namespace for
    /proc/959/ns/mnt: Permission denied
    10-04 20:41:22.967   604   604 W vold    : type=1400 audit(0.0:90): avc:
    denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
    tcontext=u:object_r:proc:s0 tclass=file permissive=0
    10-04 20:41:23.051   604   604 W vold    : type=1400 audit(0.0:91): avc:
    denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
    tcontext=u:object_r:proc:s0 tclass=file permissive=0
    10-04 20:41:23.054   595   604 E vold    : Failed to open namespace for
    /proc/959/ns/mnt: Permission denied
    10-04 20:41:23.081   604   604 W vold    : type=1400 audit(0.0:92): avc:
    denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0
    tcontext=u:object_r:proc:s0 tclass=file permissive=0
    10-04 20:41:23.086   595   604 E vold    : Failed to open namespace for
    /proc/959/ns/mnt: Permission denied
    
    sailfish:/ # ps -AZ | grep 959
    u:r:system_server:s0           system         959   628 \
    4557136 251500 SyS_epoll_wait 70e6df822c S system_server
    
    The file labels appear to be correct when checked manually.
    
    sailfish:/ # ls -lZ /proc/959/ns/
    lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 17:19 mnt -> mnt:[4026534249]
    lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 20:55 net -> net:[4026531906]
    
    Bug: 67049235
    Test: cts-tradefed run commandAndExit cts-dev -m CtsOsTestCases \
        -t android.os.storage.cts.StorageManagerTes
    
    Change-Id: Id4d200856c02c023c6f516e3f3bfa060e100086c
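
Added example (not part of this commit or the AOSP tree): the evidence in the commit message can be cross-checked mechanically by joining each AVC denial's `ino=` to the namespace inode in the `ls -lZ` output and reporting where the denied label differs from the listed one. The function names are made up for this sketch; the input lines are copied from the log above with the wrapped lines rejoined.

```python
import re

# Input copied from the commit message above (wrapped log lines rejoined).
AVC_LINES = [
    '10-04 20:41:22.967   604   604 W vold    : type=1400 audit(0.0:90): avc: denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0',
    '10-04 20:41:23.051   604   604 W vold    : type=1400 audit(0.0:91): avc: denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0',
    '10-04 20:41:23.081   604   604 W vold    : type=1400 audit(0.0:92): avc: denied { read } for dev="proc" ino=4026534249 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0',
]
LS_LINES = [
    'lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 17:19 mnt -> mnt:[4026534249]',
    'lrwxrwxrwx 1 system system u:r:system_server:s0 0 2017-10-04 20:55 net -> net:[4026531906]',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
NS_RE = re.compile(r'(?P<ctx>\w+:\w+:\w+:\w+)\s.*\s(?P<ns>\w+) -> (?P=ns):\[(?P<ino>\d+)\]')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    # A context is user:role:type:level; policy rules are written on the type.
    return {'perms': tuple(m.group('perms').split()),
            'source': kv['scontext'].split(':')[2],
            'target': kv['tcontext'].split(':')[2],
            'tclass': kv['tclass'],
            'ino': int(kv['ino']) if 'ino' in kv else None}

def parse_ns_listing(lines):
    """Map namespace inode -> (namespace name, type shown by `ls -lZ`)."""
    out = {}
    for m in filter(None, map(NS_RE.search, lines)):
        out[int(m.group('ino'))] = (m.group('ns'), m.group('ctx').split(':')[2])
    return out

def label_mismatches(avc_lines, ls_lines):
    """Denials whose target type differs from the label listed for that inode."""
    listed = parse_ns_listing(ls_lines)
    found = set()
    for d in filter(None, map(parse_avc, avc_lines)):
        if d['ino'] in listed and d['target'] != listed[d['ino']][1]:
            ns, listed_type = listed[d['ino']]
            found.add((d['ino'], ns, d['source'], d['target'], listed_type))
    return sorted(found)

if __name__ == '__main__':
    print(label_mismatches(AVC_LINES, LS_LINES))
```

The three denials collapse to one finding: the inode vold was denied on is system_server's `mnt` namespace, seen as `proc` at denial time and as `system_server` in the later listing.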