Closed Bug 1212252 Opened 9 years ago Closed 7 years ago

Fix SE policy violation 'b2g unlabeled:dir'

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tzimmermann, Unassigned)

References

Details

Attachments

(1 file)

The logcat on aries-l contains

> I/b2g     (  359): type=1400 audit(0.0:4): avc: denied { write } for name="/" dev="mmcblk0p22" ino=2 scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
> I/b2g     (  359): type=1400 audit(0.0:5): avc: denied { add_name } for name="svoperapps" scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
> I/b2g     (  359): type=1400 audit(0.0:6): avc: denied { create } for name="svoperapps" scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1

but the respective SE policy

> allow b2g unlabeled:dir { write create add_name };

doesn't build:

> libsepol.report_failure: neverallow on line 174 of external/sepolicy/domain.te (or line 8672 of policy.conf) violated by allow b2g unlabeled:dir { create };
> libsepol.check_assertions: 1 neverallow failures occurred
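Turning the quoted logcat lines into a candidate rule is what the reporter did by hand above (and what audit2allow automates). The following is an added example, not code from the bug or from Mozilla's tooling: it parses constructed copies of the three denials, groups them by source type, target type and class, renders the allow rule, and flags any group whose target is `unlabeled` as a labeling gap, since (as the build error in the report shows) the base policy carries a neverallow against such rules and the right fix is a label, not a permission.

```python
import re
from collections import defaultdict

# Constructed sample input: the three denials quoted in the report, plus one
# unrelated logcat line to show that non-AVC lines are skipped.
SAMPLE_LOGCAT = """\
I/b2g     (  359): type=1400 audit(0.0:4): avc: denied { write } for name="/" dev="mmcblk0p22" ino=2 scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
I/b2g     (  359): type=1400 audit(0.0:5): avc: denied { add_name } for name="svoperapps" scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
I/b2g     (  359): type=1400 audit(0.0:6): avc: denied { create } for name="svoperapps" scontext=u:r:b2g:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
I/init    (    1): init: starting service 'b2g'
"""

# One AVC denial: the permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_denials(text):
    """Return one dict per AVC denial line; other lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            denials.append(d)
    return denials


def type_of(context):
    """u:r:b2g:s0 -> 'b2g', u:object_r:unlabeled:s0 -> 'unlabeled'."""
    return context.split(":")[2]


def summarize(denials):
    """Group denials by (source type, target type, class) -> sorted permission list."""
    groups = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        groups[key].update(d["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


def allow_rule(key, perms):
    """Render a group as the TE allow rule that would silence it."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"


def labeling_gaps(summary):
    """Groups whose target type is 'unlabeled'.

    The object has no label the policy knows, so the fix is a file_contexts
    entry or a type transition; an allow rule on unlabeled is the kind of rule
    the report's neverallow failure rejects.
    """
    return [key for key in summary if key[1] == "unlabeled"]


if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_LOGCAT))
    gaps = labeling_gaps(summary)
    for key, perms in summary.items():
        note = "  # labeling gap, fix the label instead" if key in gaps else ""
        print(allow_rule(key, perms) + note)
```

Run stand-alone it prints the same `allow b2g unlabeled:dir { ... }` rule the reporter derived, tagged as a labeling gap; on a real logcat the per-group summary is what you would hand to a policy reviewer rather than the raw lines.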

I assume partition 22 is /data, so how is the "svoperapps" directory used by B2G?

Trying to set "unlabeled" is not a smart idea; the whole point of SELinux is to label files and directories, and allow only certain services access to that directory.

you need to start with something like this:
https://github.com/mozilla-b2g/device-qcom-sepolicy/blob/master/common/file_contexts#L244

I haven't looked at sepolicy for a long while, but if it is a high priority task I can dive back in.

Hi Adam,

Thank you for your reply. It's not an urgent issue, it just showed up when I was looking for SELinux errors.

(In reply to Adam Farden from comment #1)
> I assume partition 22 is /data, so how is "svoperapps" directory used by B2G?

Grep'ing Gecko's source code returned

  b2g/app/b2g.js:pref("dom.mozApps.single_variant_sourcedir", "/persist/svoperapps");

which is used in

  dom/apps/OperatorApps.jsm

It seems like '/persistent' is not yet there and created by Gecko.

> trying to set "unlabeled" is not a smart idea, the whole point of selinux is
> to label files and directories, and allow only certain services access to
> that directory.

So 'unlabeled' means that it's not known to SELinux, right?

> you need to start with something like this:
> https://github.com/mozilla-b2g/device-qcom-sepolicy/blob/master/common/file_contexts#L244

It looks like '/persist/svoperapps' is not listed in this file.

> I haven't looked at sepolicy for a long while, but if it is a high priority
> task I can dive back in.

I'll try adding the directory to 'file_contexts' and see what happens.

I added the rules in this commit, but it's still 'unlabeled'.

There's nothing else called 'svoperapps' in Gecko, so I'm surprised that neither the rule for /persist nor the one for /persist/svoperapps catches this. Any ideas?
Attachment #8670806 - Flags: feedback?(julian.r.hector)
Attachment #8670806 - Flags: feedback?(adam)
Comment on attachment 8670806 [details]
Github tree for gonk-misc

/persist/svoperapps seems to be the correct directory, but the

> persist_svoperapps_file

domain doesn't exist (at least not in my tree), so you would probably have to create that first. Something like this, for example in gonk-misc/sepolicy/file.te:

> type persist_svoperapps_file, file_type, data_file_type;

This will probably allow you to label those files accordingly.

I will give it a try and comment again.
Attachment #8670806 - Flags: feedback?(julian.r.hector) → feedback+
Summary: Fix SE policy violation 'b2g unlabed:dir' → Fix SE policy violation 'b2g unlabeled:dir'

OK, I think I know why your labeling doesn't work.

The directory /persist/svoperapps is created on the fly by b2g (probably), so when the files are labeled during the boot process of the phone, the directory doesn't exist yet.

SELinux allows applying a default label to files when they are created by a process, for example like this:

> file_type_auto_trans(b2g, persist_file, persist_svoperapps_file)

This means that when a process running in the b2g domain creates a file inside a directory which is labeled persist_file, then the resulting file will be labeled with persist_svoperapps_file.

Inside the file_contexts file (device/sony/shinano/sepolicy/file_contexts), I found the following:

> /persist(/.*)?        u:object_r:persist_file:s0

The strange thing is that on the running device, the directory is labeled completely differently:

> drwxrwx--x system   system            u:object_r:idd_root_dir:s0     /persist

When I tried:

> file_type_auto_trans(b2g, idd_root_dir, persist_svoperapps_file)

I got an error that the 'idd_root_dir' domain doesn't exist.

I will investigate it further and try to figure out where this is coming from.
Attachment #8670806 - Flags: feedback?(adam)

I took a look at this again and pulled /dev/block/mmcblk0p22 from the device, which, according to 'mount', is mapped to /persist on the device (Z3C).

I mounted it locally and took a look at the default file attributes (my local mount point is /mnt/mmcblk):

> # getfattr -m . -d /mnt/mmcblk
> getfattr: Removing leading '/' from absolute path names
> # file: mnt/mmcblk
> security.restorecon_last=0sMGZXu8HZeCsaZo7U+N5Q7V90o00=
> security.selinux="u:object_r:idd_root_dir:s0"

as a comparison, this is what it looks like on the nexus-5

> # getfattr -m . -d /mnt/mmcblk
> getfattr: Removing leading '/' from absolute path names
> # file: mnt/mmcblk
> security.restorecon_last=0siNo4OWkosz0CL0kpCZH4Rre5EBo=
> security.selinux="u:object_r:persist_file:s0"

So even though the /file_contexts file says to label /persist with 'persist_file', it seems that this is ignored, and in the case of the nexus-5 it is already labeled with 'persist_file'.

I think to fix this we would have to change the file attributes, but I don't know how we can do that in our build system.

After some more testing and trying to figure out how to solve the problem, I came up with two solutions.

Solution 1:
This involves changing how the partition is mounted using the fstab file (device/sony/shinano/rootdir/fstab.shinano) by adding the following to the mount options:

> context=u:object_r:persist_file:s0

This results in the entire /persist directory and its files being labeled with 'persist_file', and b2g would require some allow rules to interact with 'persist_file'.

But this also requires additional changes to the 'init' domain rules as well as the 'persist_file' domain, as follows:

> allow init persist_file:filesystem { relabelfrom relabelto };
> allow persist_file self:filesystem associate;

otherwise the init script can't relabel the files during mount.

Solution 2:
For solution two, we would work with the fact that the files are labeled with 'idd_root_dir'. First of all, the type 'idd_root_dir' would have to be created in order to work with it (it doesn't exist yet).
This would be device specific, by adding the file device/sony/shinano/sepolicy/b2g-file.te and defining the type inside:

> type idd_root_dir, file_type;

After this is done we would need to make a transition for newly created files/directories by b2g inside /persist, to label them with 'persist_svoperapps_file' (the file type for svoperapps):

> file_type_auto_trans(b2g, idd_root_dir, persist_svoperapps_file)

The file type on the other hand is created by the generic rules, inside gonk-misc/sepolicy/file.te, by adding:

> type persist_svoperapps_file, file_type;

We do this inside the generic set of policies because svoperapps is also used on other devices.
In addition to that, we add a file type transition to the generic rules:

> file_type_auto_trans(b2g, persist_file, persist_svoperapps_file)

This transition would apply on devices where /persist is labeled with 'persist_file', but in the case of the Z3C (and other shinano based devices) this rule would simply be ignored and the idd_root_dir rule would apply.

I would personally prefer solution 2; this way we wouldn't mess with the mount options and we would avoid changing permissions for the 'init' domain.

:kang I would like your opinion on that :)
Flags: needinfo?(gdestuynder)
Assignee: nobody → julian.r.hector
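The two mechanisms the thread contrasts (restorecon labeling existing paths from file_contexts at boot, versus a type_transition deciding the label of an object created later) are easy to model. The following is an added example, not code from the bug or from the B2G tree: it encodes the file_contexts entries and the file_type_auto_trans() rules quoted above as plain data and works out what label /persist/svoperapps ends up with. Two assumptions are labeled in the code: file_contexts specificity is approximated by the length of each entry's literal prefix, and a stored label whose type the loaded policy does not declare is treated as 'unlabeled' (which is how the kernel handles an invalid context, and matches the `tcontext=u:object_r:unlabeled:s0` in the reported denials).

```python
import re

# Constructed file_contexts entries, modelled on the ones quoted in the thread.
FILE_CONTEXTS = [
    (r"/persist(/.*)?", "persist_file"),
    (r"/persist/svoperapps(/.*)?", "persist_svoperapps_file"),
]

# Generic policy: the types from gonk-misc plus the dir part of
# file_type_auto_trans(b2g, persist_file, persist_svoperapps_file), expressed as
# (creator domain, parent type, class) -> type of the new object.
GENERIC_POLICY = {
    "types": {"b2g", "persist_file", "persist_svoperapps_file"},
    "transitions": {("b2g", "persist_file", "dir"): "persist_svoperapps_file"},
}

# Solution 2 from the thread: declare idd_root_dir and add the device-specific
# file_type_auto_trans(b2g, idd_root_dir, persist_svoperapps_file).
SHINANO_POLICY = {
    "types": GENERIC_POLICY["types"] | {"idd_root_dir"},
    "transitions": {
        **GENERIC_POLICY["transitions"],
        ("b2g", "idd_root_dir", "dir"): "persist_svoperapps_file",
    },
}


def _specificity(pattern):
    """Assumption: rank entries by the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.*+?()\[\]{}|\\^$]", pattern)
    return len(pattern) if m is None else m.start()


def file_contexts_label(path, contexts=FILE_CONTEXTS):
    """Label restorecon would give an existing path: the most specific matching entry, or None."""
    matches = [(pat, typ) for pat, typ in contexts if re.fullmatch(pat, path)]
    if not matches:
        return None
    return max(matches, key=lambda entry: _specificity(entry[0]))[1]


def effective_type(xattr_type, policy):
    """Assumption: a stored type the loaded policy does not declare behaves as 'unlabeled'."""
    return xattr_type if xattr_type in policy["types"] else "unlabeled"


def label_on_create(creator, parent_xattr_type, tclass, policy):
    """A new object gets the matching type_transition target, else it inherits the parent's type."""
    parent = effective_type(parent_xattr_type, policy)
    return policy["transitions"].get((creator, parent, tclass), parent)


def svoperapps_label(existing_paths, persist_xattr_type, policy, contexts=FILE_CONTEXTS):
    """Label of /persist/svoperapps: from file_contexts if it exists at boot,
    otherwise from the transition that fires when b2g creates it under /persist."""
    if "/persist/svoperapps" in existing_paths:
        return file_contexts_label("/persist/svoperapps", contexts)
    return label_on_create("b2g", persist_xattr_type, "dir", policy)


if __name__ == "__main__":
    # Z3C: /persist carries idd_root_dir in its xattr and svoperapps is absent at boot.
    print("generic policy:", svoperapps_label({"/persist"}, "idd_root_dir", GENERIC_POLICY))
    print("solution 2:    ", svoperapps_label({"/persist"}, "idd_root_dir", SHINANO_POLICY))
    print("nexus-5:       ", svoperapps_label({"/persist"}, "persist_file", GENERIC_POLICY))
```

With the generic policy the Z3C case yields 'unlabeled' (the parent's stored type is unknown, so no transition matches and the child inherits the unlabeled parent), the nexus-5 case yields 'persist_svoperapps_file', and the same input under the solution-2 policy yields 'persist_svoperapps_file' too, which is the outcome the thread is after without touching mount options.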

Apparently, the /persist mount was introduced in Bug 1163550 Comment 94; at least that's where I think the discussion about what to use for /persist started.

tl;dr on Android L there was no mount for /persist, so a partition was needed that fulfilled some requirements such as not being formatted on wipe, which led to the decision to mount apps_log to /persist.

I think changing the filesystem of the partition is not an option since it comes with the eMMC and we don't even build an image that is used to flash the partition.

So far I think we only have the two above mentioned solutions. Unless someone has a different idea.

I'd always go on the side of not changing mount options because it's more pain when porting devices than copying the SELinux files over. Mainly because one doesn't expect that it has to be modified otherwise.
Flags: needinfo?(gdestuynder)
Assignee: julian.r.hector → nobody
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX