Validate SELinux with Fennec (AVC analysis)

NEW
Unassigned

Status

()

P5
normal
a year ago
15 days ago

People

(Reporter: mkaply, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

We received a report from a partner that Firefox produces an SELinux error:

AVC analysis is done for every device, that they reflect any permission denials thrown in kernel logs by standard Android SELinux security module. 

for firefox we got this denial after sanity test performed

<36>[ 5364.753481,1] type=1400 audit(1491465095.203:177): avc: denied { unlink } for pid=5708 comm="GeckoBackground" uid=10118 name="lib" dev="dm-2" ino=5523 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0

The reason request for above operation(unlink/delete) is denied is because Android do not allow apps to create/delete data files outside of their specific allocated storage area. below is the policy enforced by Android on all devices.

# Do not allow untrusted_app to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.

neverallow untrusted_app {
  file_type
  -app_data_file            # The apps sandbox itself
}:dir_file_class_set { create unlink };

so it looks to be genuine denial


We should be doing AVC analysis on Firefox. See:

https://source.android.com/security/selinux/validate


Here are some steps from the partner:


AVC analysis can be done on any process by whitebox testing, means you need to take the particular usecase to cover the path in code.

Follow this steps if you need to analyze particular case 

Capture any bootup/initialization error

1.       Reboot device and wait for adb detection (use ‘adb wait-for-any’ to return on command line)
2.       Run this command without doing anything on device, just wait for it to come to idle/home screen (cmd=adb shell su -c dmesg | grep 'avc: '”)

Capture any usecase error

1.       Run any functional usecase (remember the timestamp)
2.       Again run same command as #2 above (cmd=adb shell su -c dmesg | grep 'avc: '”)

You may need to use https://source.android.com/security/selinux/validate help to understand the message from above commands, check if the message is from your module, on subsequent pages it guides you about if its any fixing, but mostly preloaded apps don’t need them
Priority: -- → P3
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: P3 → P5
You need to log in before you can comment on or make changes to this bug.