883fcfcfcf
The deprecated/deleted usbfs kernel driver gets really unhappy when
SELinux denies it access to directories. On flo (3.4.0 kernel), this
comes across as an SELinux denial followed by a kernel panic.
Steps to reproduce:
1. plug in a USB device.
2. notice nothing happens.
3. unplug the USB device
4. plug it in again, watch for restart.
Expected:
USB device works
Actual:
[329180.030242] Host mode: Set DC level as 0x68 for flo.
[329180.030395] msm_hsusb_host msm_hsusb_host: Qualcomm On-Chip EHCI Host Controller
[329180.030639] Unable to create devices usbfs file
[329180.030944] type=1400 audit(1425327845.292:12): avc: denied { search } for pid=24033 comm="kworker/0:1" name="/" dev="usbfs" ino=291099 scontext=u:r:kernel:s0 tcontext=u:object_r:usbfs:s0 tclass=dir
[329180.060394] msm_hsusb_host msm_hsusb_host: new USB bus registered, assigned bus number 1
[329180.091583] msm_hsusb_host msm_hsusb_host: irq 132, io mem 0x12500000
[deleted]
[329180.120178] hub 1-0:1.0: USB hub found
[329180.120452] hub 1-0:1.0: 1 port detected
[329180.123199] Unable to handle kernel NULL pointer dereference at virtual address 00000070
[329180.123443] pgd = c0004000
[329180.123809] [00000070] *pgd=00000000
[329180.124206] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[329180.124481] CPU: 0 Tainted: G W (3.4.0-g2e8a935 #1)
[329180.124908] PC is at mutex_lock+0xc/0x48
[329180.125122] LR is at fs_create_file+0x4c/0x128
[329180.125518] pc : [<c0916708>] lr : [<c0440ec4>] psr: a0000013
[deleted]
[329180.281005] [<c0916708>] (mutex_lock+0xc/0x48) from [<c0440ec4>] (fs_create_file+0x4c/0x128)
[329180.281280] [<c0440ec4>] (fs_create_file+0x4c/0x128) from [<c04410c8>] (usbfs_notify+0x84/0x2a8)
[329180.281738] [<c04410c8>] (usbfs_notify+0x84/0x2a8) from [<c009c3b8>] (notifier_call_chain+0x38/0x68)
[329180.282257] [<c009c3b8>] (notifier_call_chain+0x38/0x68) from [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58)
[329180.282745] [<c009c600>] (__blocking_notifier_call_chain+0x44/0x58) from [<c009c628>] (blocking_notifier_call_chain+0x14/0x18)
[329180.283264] [<c009c628>] (blocking_notifier_call_chain+0x14/0x18) from [<c043ef8c>] (generic_probe+0x74/0x84)
[329180.283752] [<c043ef8c>] (generic_probe+0x74/0x84) from [<c04387c4>] (usb_probe_device+0x58/0x68)
[329180.284240] [<c04387c4>] (usb_probe_device+0x58/0x68) from [<c03adc78>] (driver_probe_device+0x148/0x360)
[329180.284576] [<c03adc78>] (driver_probe_device+0x148/0x360) from [<c03ac76c>] (bus_for_each_drv+0x4c/0x84)
[329180.285034] [<c03ac76c>] (bus_for_each_drv+0x4c/0x84) from [<c03adfc8>] (device_attach+0x74/0xa0)
[329180.285522] [<c03adfc8>] (device_attach+0x74/0xa0) from [<c03ac94c>] (bus_probe_device+0x28/0x98)
[329180.286041] [<c03ac94c>] (bus_probe_device+0x28/0x98) from [<c03ab014>] (device_add+0x444/0x5e4)
[329180.286529] [<c03ab014>] (device_add+0x444/0x5e4) from [<c042f180>] (usb_new_device+0x248/0x2e4)
[329180.286804] [<c042f180>] (usb_new_device+0x248/0x2e4) from [<c043472c>] (usb_add_hcd+0x420/0x64c)
[329180.287292] [<c043472c>] (usb_add_hcd+0x420/0x64c) from [<c044600c>] (msm_otg_sm_work+0xe74/0x1774)
[329180.287811] [<c044600c>] (msm_otg_sm_work+0xe74/0x1774) from [<c0091d8c>] (process_one_work+0x280/0x488)
[329180.288299] [<c0091d8c>] (process_one_work+0x280/0x488) from [<c00921a8>] (worker_thread+0x214/0x3b4)
[329180.288787] [<c00921a8>] (worker_thread+0x214/0x3b4) from [<c0096b14>] (kthread+0x84/0x90)
[329180.289276] [<c0096b14>] (kthread+0x84/0x90) from [<c000f3c8>] (kernel_thread_exit+0x0/0x8)
Allow the usbfs operation.
Bug: 19568950
Change-Id: Iffdc7bd93ebde8bb75c57a324b996e1775a0fd1e
81 lines
3.1 KiB
Plaintext
81 lines
3.1 KiB
Plaintext
# Life begins with the kernel.
|
|
type kernel, domain, mlstrustedsubject;
|
|
|
|
allow kernel self:capability sys_nice;
|
|
|
|
# Run /init before we have switched domains.
|
|
allow kernel rootfs:file execute_no_trans;
|
|
|
|
# /dev/__null__ node created by init prior to policy load.
|
|
allow kernel tmpfs:chr_file rw_file_perms;
|
|
|
|
# setcon to init domain.
|
|
allow kernel self:process setcurrent;
|
|
allow kernel init:process dyntransition;
|
|
|
|
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
|
allow kernel unlabeled:dir search;
|
|
|
|
# Mount usbfs.
|
|
allow kernel usbfs:filesystem mount;
|
|
allow kernel usbfs:dir search;
|
|
|
|
# init direct restorecon calls prior to switching to init domain
|
|
# /dev and /dev/socket
|
|
allow kernel tmpfs:dir relabelfrom;
|
|
allow kernel { device socket_device }:dir relabelto;
|
|
# /dev/__properties__
|
|
allow kernel tmpfs:file relabelfrom;
|
|
allow kernel properties_device:file relabelto;
|
|
# /sys
|
|
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
|
|
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
|
|
allow kernel sysfs_type:dir r_dir_perms;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
|
# process from turning off SELinux once enabled.
|
|
dontaudit kernel self:security setenforce;
|
|
|
|
# Write to /proc/1/oom_adj prior to switching to init domain.
|
|
allow kernel self:capability sys_resource;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel selinuxfs:file write;
|
|
allow kernel self:security setcheckreqprot;
|
|
|
|
# MTP sync (b/15835289)
|
|
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
|
|
allow kernel untrusted_app:fd use;
|
|
allow kernel sdcard_type:file { read write };
|
|
|
|
# Allow the kernel to read OBB files from app directories. (b/17428116)
|
|
# Kernel thread "loop0" reads a vold supplied file descriptor.
|
|
# Fixes CTS tests:
|
|
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
|
|
# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
|
|
allow kernel vold:fd use;
|
|
allow kernel app_data_file:file read;
|
|
allow kernel asec_image_file:file read;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# The initial task starts in the kernel domain (assigned via
|
|
# initial_sid_contexts), but nothing ever transitions to it.
|
|
neverallow domain kernel:process { transition dyntransition };
|
|
|
|
# The kernel domain is never entered via an exec, nor should it
|
|
# ever execute a program outside the rootfs without changing to another domain.
|
|
# If you encounter an execute_no_trans denial on the kernel domain, then
|
|
# possible causes include:
|
|
# - The program is a kernel usermodehelper. In this case, define a domain
|
|
# for the program and domain_auto_trans() to it.
|
|
# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
|
|
# program was left in the kernel domain and is now trying to execute
|
|
# some other program. Fix your init.rc file.
|
|
# - You are running an exploit which switched to the init task credentials
|
|
# and is then trying to exec a shell or other program. You lose!
|
|
neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
|