Problem description
A CTS failure report is received, for example:
Module | Passed | Failed | Assumption Failure | Ignored | Total Tests | Done |
---|---|---|---|---|---|---|
armeabi-v7a CtsSecurityHostTestCases | 0 | 1 | 0 | 0 | 1 | true |
This happens because, starting with Android Q, Google added a CTS check for dumpstate SELinux denials (AOSP/667966, AOSP/742461). The host-side test takes a bugreport on the device and then reads logcat; if any `avc: denied` line appears whose source context (scontext) is `dumpstate` or a type carrying the `hal_dumpstate_server` attribute, the test fails. The commit message of the AOSP change reads:
Add CTS test to ensure bugreports don't generate SELinux denials.
This test takes a bugreport on the device and ensures that it does not
generate any dumpstate-related denials.
The test, from /cts/hostsidetests/security/src/android/cts/security/SELinuxHostTest.java:
```java
public void testNoBugreportDenials() throws Exception {
    // Take a bugreport and get its logcat output.
    mDevice.executeAdbCommand("logcat", "-c");
    mDevice.getBugreport();
    String log = mDevice.executeAdbCommand("logcat", "-d");
    // Find all the dumpstate-related types and make a regex that will match them.
    // The attribute lookup is done with sepolicy-analyze against the device policy.
    Set<String> types = sepolicyAnalyzeGetTypesAssociatedWithAttribute("hal_dumpstate_server");
    types.add("dumpstate");
    String typeRegex = types.stream().collect(Collectors.joining("|"));
    // Only the source context is checked; the target (tcontext) is not filtered.
    Pattern p = Pattern.compile("avc: *denied.*scontext=u:(?:r|object_r):(?:" + typeRegex + "):s0.*");
    // Fail if logcat contains such a denial.
    Matcher m = p.matcher(log);
    StringBuilder errorString = new StringBuilder();
    while (m.find()) {
        errorString.append(m.group());
        errorString.append("\n");
    }
    assertTrue("Found illegal SELinux denial(s): " + errorString, errorString.length() == 0);
}
```
dumpstate is a process shipped with AOSP, and its source is normally not modified. This kind of failure usually comes from newly added directories or files for which dumpstate was given neither an allow rule nor a dontaudit rule; when the bugreport touches them, an `avc: denied` line is logged and the test fails. The tcontext in the denial tells you which label the new directory or file ended up with.
Solution
Fix (steps):
1. Determine whether the directory/file in question is Google-native, MTK-provided, or a customer customization, and ask the corresponding owner whether it is still in use. If it is not in use, remove it. If it is in use, confirm that its SELinux context is configured correctly; a denial whose tcontext is a generic label such as `unlabeled`, or the label of the parent directory, is a sign that the path was never bound. If the context is wrong, declare the type in file.te and bind the path to it in file_contexts.
2. Evaluate whether dumpstate's access to it is reasonable/expected. If the access should not be granted (no allow rule is needed), add a matching dontaudit rule so that the `avc: denied` line is no longer printed.
For example:
```
dontaudit dumpstate apex_mnt_dir:dir getattr;
```
3. If dumpstate genuinely needs this access, add the corresponding allow rule. The rule must not violate an existing neverallow rule, otherwise the policy build (and the CTS neverallow tests) will reject it.
For example:
```
allow dumpstate mnt_expand_file:dir getattr;
```
After rebuilding and flashing the policy, repeat the test's own sequence (`adb logcat -c`, `adb bugreport`, `adb logcat -d`) and confirm that no dumpstate denial remains.
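The following script is an added example; it is not part of CTS, AOSP, or the MTK fix above. It covers both the test description and the three fix steps: it reproduces the detection that testNoBugreportDenials performs (the same regular expression run over a logcat dump taken after a bugreport), then collapses the matched denials into candidate `allow` or `dontaudit` lines of the form used in steps 2 and 3, one per (source type, target type, class) with permissions merged. The dumpstate-related type list and the logcat lines are constructed for illustration; the real test obtains the type list from sepolicy-analyze for the `hal_dumpstate_server` attribute, so `DUMPSTATE_TYPES` is an assumption.

```python
"""Added example (not CTS/AOSP/MTK code): reproduce the testNoBugreportDenials
check offline and turn each denial into a candidate policy line.

Collect the input the same way the CTS test does:
    adb logcat -c && adb bugreport /tmp/br.zip && adb logcat -d > /tmp/after.log
    python3 check_dumpstate_denials.py /tmp/after.log
"""
import re
import sys
from collections import defaultdict

# Assumption: the CTS test builds this list at runtime from sepolicy-analyze
# (types carrying the hal_dumpstate_server attribute) plus "dumpstate";
# this fixed list stands in for it.
DUMPSTATE_TYPES = ("dumpstate", "hal_dumpstate_default")

# Constructed logcat excerpt for illustration: three dumpstate denials (two
# against the same target directory), one unrelated app denial, one info line.
SAMPLE_LOGCAT = """\
01-01 00:00:01.000  1234  1234 W dumpstate: type=1400 audit(0.0:12): avc:  denied  { getattr } for  path="/mnt/expand" dev="tmpfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
01-01 00:00:01.100  1234  1234 W dumpstate: type=1400 audit(0.0:13): avc:  denied  { search } for  path="/mnt/expand" dev="tmpfs" ino=1 scontext=u:r:dumpstate:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
01-01 00:00:01.200  1234  1234 W dumpstate: type=1400 audit(0.0:14): avc: denied { getattr } for path="/apex" dev="tmpfs" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:apex_mnt_dir:s0 tclass=dir permissive=0
01-01 00:00:02.000  2345  2345 W binder:2345_1: type=1400 audit(0.0:15): avc: denied { read } for name="foo" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:apex_mnt_dir:s0 tclass=dir permissive=0
01-01 00:00:03.000  3456  3456 I dumpstate: Bugreport finished
"""


def cts_denial_pattern(types=DUMPSTATE_TYPES):
    """Same regex the CTS test compiles: an avc denial whose scontext type is
    one of the dumpstate-related types. ' *' tolerates the double space the
    kernel prints after 'avc:'. Only the source context is filtered."""
    type_regex = "|".join(re.escape(t) for t in types)
    return re.compile(
        r"avc: *denied.*scontext=u:(?:r|object_r):(?:" + type_regex + r"):s0.*")


# Field-level parse of one kernel audit line as it appears in logcat.
DENIAL_FIELDS = re.compile(
    r"avc: *denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=u:(?:r|object_r):(?P<stype>[^:\s]+):s0.*?"
    r"tcontext=u:(?:r|object_r):(?P<ttype>[^:\s]+):s0.*?"
    r"tclass=(?P<tclass>\S+)")


def find_dumpstate_denials(log, types=DUMPSTATE_TYPES):
    """Return the matched denial lines; CTS fails when this list is non-empty."""
    return [m.group() for m in cts_denial_pattern(types).finditer(log)]


def parse_denial(line):
    """Split a denial into source type, target type, class and permissions.
    MLS levels and categories (":s0", ":c512,c768") are dropped because
    policy rules are written on types only. Returns None for non-denials."""
    m = DENIAL_FIELDS.search(line)
    if m is None:
        return None
    return {
        "stype": m.group("stype"),
        "ttype": m.group("ttype"),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def candidate_rules(denials, kind="allow"):
    """Collapse denials into one policy line per (source, target, class),
    merging the permissions. kind is "allow" when the access is legitimate
    (step 3) or "dontaudit" when it is only to be silenced (step 2)."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError("kind must be 'allow' or 'dontaudit'")
    merged = defaultdict(set)
    for line in denials:
        d = parse_denial(line)
        if d is not None:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"{kind} {stype} {ttype}:{tclass} {plist};")
    return rules


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            log = f.read()
    else:
        log = SAMPLE_LOGCAT
    denials = find_dumpstate_denials(log)
    if not denials:
        print("no dumpstate denials: testNoBugreportDenials would pass")
        sys.exit(0)
    print("Found illegal SELinux denial(s):")
    for line in denials:
        print("  " + line)
    print("candidate rules (choose allow or dontaudit per denial, see steps 2 and 3):")
    for rule in candidate_rules(denials, "allow"):
        print("  " + rule)
    sys.exit(1)
```

The generated lines are a starting point only: the decision between `allow` and `dontaudit` is still the one described in steps 2 and 3, and an `allow` must be checked against the neverallow rules before it is added to the policy. Note that the unrelated `untrusted_app` denial in the sample is ignored, exactly as the CTS test ignores it, because the test filters on scontext alone.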