Closed Bug 1398902 Opened 7 years ago Closed 3 years ago

Validate SELinux with Fennec (AVC analysis)

Categories: Firefox for Android Graveyard :: General, enhancement, P5

Tracking: Not tracked

Status: RESOLVED INCOMPLETE

People: Reporter mkaply, Unassigned

We received a report from a partner that Firefox produces an SELinux error:

AVC analysis is done for every device, so that it reflects any permission denials thrown in kernel logs by the standard Android SELinux security module.

For Firefox we got this denial after the sanity test was performed:

<36>[ 5364.753481,1] type=1400 audit(1491465095.203:177): avc: denied { unlink } for pid=5708 comm="GeckoBackground" uid=10118 name="lib" dev="dm-2" ino=5523 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0

The reason the request for the above operation (unlink/delete) is denied is that Android does not allow apps to create/delete data files outside of their specifically allocated storage area. Below is the policy enforced by Android on all devices.

# Do not allow untrusted_app to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.

neverallow untrusted_app {
  file_type
  -app_data_file            # The apps sandbox itself
}:dir_file_class_set { create unlink };

So it looks to be a genuine denial.


We should be doing AVC analysis on Firefox. See:

https://source.android.com/security/selinux/validate


Here are some steps from the partner:


AVC analysis can be done on any process by whitebox testing, which means you need to take the particular use case to cover the path in code.

Follow these steps if you need to analyze a particular case.

Capture any bootup/initialization error

1. Reboot the device and wait for adb detection (use 'adb wait-for-any' to return on the command line)
2. Run this command without doing anything on the device, just wait for it to come to the idle/home screen (cmd=adb shell su -c dmesg | grep 'avc: ')

Capture any use case error

1. Run any functional use case (remember the timestamp)
2. Again run the same command as #2 above (cmd=adb shell su -c dmesg | grep 'avc: ')

You may need to use https://source.android.com/security/selinux/validate to understand the messages from the above commands and to check whether a message is from your module; on subsequent pages it guides you about any fixing, but mostly preloaded apps don't need them.
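As an added example (not from this bug, the partner, or Mozilla), a small Python parser for the `avc: denied` lines the dmesg command above produces. It assumes the dmesg output has been saved as text; the first sample line is the denial quoted in this bug, the other two are constructed for contrast.

```python
import re

# Constructed sample dmesg output: line 1 is the denial quoted in this bug,
# line 2 is a made-up unrelated (vold) denial, line 3 is not an AVC line at all.
SAMPLE_DMESG = """\
<36>[ 5364.753481,1] type=1400 audit(1491465095.203:177): avc: denied { unlink } for pid=5708 comm="GeckoBackground" uid=10118 name="lib" dev="dm-2" ino=5523 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0
<36>[ 5370.000000,1] type=1400 audit(1491465101.000:178): avc: denied { read } for pid=1234 comm="vold" name="foo" dev="dm-2" ino=99 scontext=u:r:vold:s0 tcontext=u:object_r:sdcard_type:s0 tclass=file permissive=0
<36>[ 5371.000000,1] init: starting service 'zygote'...
"""

# Shape: avc: denied { perm1 perm2 } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for (?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """One dict per 'avc: denied' line: permission list plus every key=value
    field, with the source domain and target type split out of the contexts."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (or not an AVC line at all)
        rec = {"perms": m.group("perms").split()}
        for key, val in FIELD_RE.findall(m.group("fields")):
            rec[key] = val.strip('"')
        # scontext is u:r:<domain>:s0[:cats], tcontext is u:object_r:<type>:s0;
        # the third field is the name a policy rule refers to.
        rec["sdomain"] = rec.get("scontext", "::?").split(":")[2]
        rec["ttype"] = rec.get("tcontext", "::?").split(":")[2]
        records.append(rec)
    return records

def denials_for_domain(text, domain="untrusted_app"):
    """Keep only denials raised by processes in one source domain, which is
    how to separate third-party-app denials from platform ones."""
    return [r for r in parse_avc_denials(text) if r["sdomain"] == domain]

def summarize(text):
    """Deduplicate into (source domain, target type, class, permission) tuples,
    the unit a policy rule would have to cover."""
    seen = set()
    for r in parse_avc_denials(text):
        for perm in r["perms"]:
            seen.add((r["sdomain"], r["ttype"], r["tclass"], perm))
    return sorted(seen)

if __name__ == "__main__":
    for row in summarize(SAMPLE_DMESG):
        print("%-14s %-16s %-9s %s" % row)
```

Feed it `adb shell su -c dmesg` output captured before and after the use case and diff the two summaries to see which denials the use case introduced.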
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: P3 → P5
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard