How to fix SELinuxHostTest#testNoBugreportDenials fail

问题描述

 收到CTS 测试fail报告,如:
Module Passed Failed Assumption Failure Ignored Total Tests Done
armeabi-v7a CtsSecurityHostTestCases 0 1 0 0 1 true


armeabi-v7a CtsSecurityHostTestCases
Test Result Details
android.security.cts.SELinuxHostTest#testNoBugreportDenials
fail
junit.framework.AssertionFailedError: Found illegal SELinux denial(s): avc: denied { getattr } for path="/mnt/expand" dev="tmpfs" ino=1586 scontext=u:r:dumpstate:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
这是因为从Android Q开始 Google 新增了对dumpstate denials 的检查(AOSP/667966, AOSP/742461), 如果在执行Bugreport命令后,有出现dumpstate 的avc denied log,该测项就会fail.
 
Add CTS test to ensure bugreports don't generate SELinux denials.

This test takes a bugreport on the device and ensures that it does not
generate any dumpstate-related denials.
 
/cts/hostsidetests/security/src/android/cts/security/SELinuxHostTest.java
953   public void testNoBugreportDenials() throws Exception {
954   // Take a bugreport and get its logcat output.
955   mDevice.executeAdbCommand("logcat", "-c");
956   mDevice.getBugreport();
957   String log = mDevice.executeAdbCommand("logcat", "-d");
958   // Find all the dumpstate-related types and make a regex that will match them.
959   Set types = sepolicyAnalyzeGetTypesAssociatedWithAttribute("hal_dumpstate_server");
960   types.add("dumpstate");
961   String typeRegex = types.stream().collect(Collectors.joining("|"));
962   Pattern p = Pattern.compile("avc: *denied.*scontext=u:(?:r|object_r):(?:" + typeRegex + "):s0.*");
963   // Fail if logcat contains such a denial.
964   Matcher m = p.matcher(log);
965   StringBuilder errorString = new StringBuilder();
966   while (m.find()) {
967   errorString.append(m.group());
968   errorString.append("\n");
969   }
970   assertTrue("Found illegal SELinux denial(s): " + errorString, errorString.length() == 0);
971   }
 
dumpstate 作为AOSP自带的process,我们一般不会改到它的源码。此类问题的出现,一般是因为新增了一些目录/文件,而没有给dumpstate添加allow rules 或者dontaudit rules, 操作有被触发时就会出现avc denied log,引起测项fail。

解决方案

 解决方法(步骤):
 
1. 确认相关目录/文件是Google原生的还是MTK的还是客制化的,找对应owner确认相关目录/文件是否有在使用,若没有在使用,则移除之。若有在使用,则要确认它的SELinux context 是否有正确配置。若context未正确配置,请在file.te和file_contexts中分别做定义和绑定操作。
 
2. 评估dumpstate对它的访问是否是合理的/预期的,如不需要授权(即不需要加allow rules),则需要添加对应的dontaudit rule来避免印出avc denied log。
如:
 
3. 若确实需要允许给dumpstate对它的访问,则需要添加对应的allow rule。
如:

微信扫码打赏

作者: RESSRC

个人资源站

发表评论

电子邮件地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据