Android SELinux denial: avc: denied { read } for pid=2740 comm="DnsConfigServic" name="/" dev="rootfs" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=1 |
||||||
Issue descriptionCopied from http://b/27928431 === Comment #2 Apps are not allowed to read the contents of the root directory. === Comment #5 Actually it happens with usual Chrome browser as well: <36>[ 432.473310] type=1400 audit(1459381562.973:22): avc: denied { read } for pid=2722 comm="DnsConfigServic" name="/" dev="rootfs" ino=2 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 === Comment #11 strace shows this thread is making a bunch of inotify_add_watch() calls on startup: [pid 22016] inotify_add_watch(65, "/", IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_ONLYDIR) = -1 EACCES (Permission denied) [pid 22016] inotify_add_watch(65, "/system", IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_ONLYDIR) = 1 [pid 22016] inotify_add_watch(65, "/system/etc", IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_ONLYDIR) = 2 [pid 22016] inotify_add_watch(65, "/system/etc/hosts", IN_ATTRIB|IN_CLOSE_WRITE|IN_MOVED_FROM|IN_MOVED_TO|IN_CREATE|IN_DELETE|IN_ONLYDIR) = -1 ENOTDIR (Not a directory) Note the first one show it's being set up for "/" and rejected with EACCES. I don't know for 100% sure that that's the call SELinux is rejecting, but it definitely seems suspicious. (To reproduce this, run: adb root adb wait-for-device adb shell strace -e trace=inotify_add_watch -p \`pidof zygote\`,\`pidof zygote64\` -f === Comment #18 The DnsConfigServicePosix sets up a FilePathWatcher for /system/etc/hosts: https://code.google.com/p/chromium/codesearch#chromium/src/net/dns/dns_config_service_posix.cc&sq=package:chromium&dr=C&l=96 The FilePathWatcherLinux splits the path components and adds a watcher for each subcomponent: https://code.google.com/p/chromium/codesearch#chromium/src/base/files/file_path_watcher_linux.cc&rcl=1459768633&l=466 It looks like that originated with this CL to watch directories: https://chromium.googlesource.com/chromium/src/+/5199d74e9d09b9a0b3ab9f600fcc96a54a5902ba. I'm not sure why it adds recursive watchers when the file is not a directory. Definitely seems like a Chrome issue.
,
Apr 4 2016
This is a silly question, but why are you watching /system at all? Those files never change.
,
Apr 4 2016
It's an artifact of the way our abstraction on inotify, FilePathWatcher, works. It appears to add an inotify watch on each subpath leading to the leaf file. In #11 above, the list of inotify_add_watch show this happening (/system/etc/hosts gets watchers for each parent, grandparent, grand-grandparent, etc.). The code that does this is the second link in the #18, which was added by the third link in #18. Also, I should correct #18: it's not actually using recursive inotify; it's just building up inotify watchers for each sub-path element.
,
Apr 4 2016
,
Apr 5 2016
Even before I implemented recursive FilePathWatcher for Linux, FilePathWatcher had its current behavior of splitting up a watched path to its components and adding watches for each component. nnk@ says /system never changes, so it seems the issue here is why Chromium bothers to add the watch at all. It looks like r246101 added the code that calls into FilePathWatcher, so punting this to that CL's author.
,
Apr 5 2016
Is this a regression or something discovered recently?
,
Apr 5 2016
I haven't confirmed myself, but there are articles talking about modifying /system/etc/hosts on rooted devices. It's probably OK for us to remove the FilePathWatcher in that case. However - wouldn't any recursive FilePathWatcher end up trying to watch / and running into the same problem? Happy to move that to a separate bug.
,
Apr 5 2016
I think this is a new restriction in N. I agree there are two issues here, 1) if /system/etc/hosts doesn't change, there's no point in watching it; 2) other users of FilePathWatcher will trigger this issue as well.
,
Apr 5 2016
AFAICT, there's no other uses of FilePathWatcher::Watch() on Android. The only other Android use in my week old checkout is from component/drive/ and that was recently removed in r384242.
,
Apr 5 2016
OK. julia, can you remove the use of this soon? Thanks
,
May 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a2e7ea61ce75af85c4479c5af292383e3cf08341 commit a2e7ea61ce75af85c4479c5af292383e3cf08341 Author: juliatuttle <juliatuttle@chromium.org> Date: Thu May 05 13:56:36 2016 Async DNS: Don't watch hosts file on Android The hosts file on Android should never change (it's on the read-only /system partition), and attempting to watch it also tries to watch /, which triggers a SELinux denial in Android N. Therefore, don't watch it on Android. BUG= 600442 Review-Url: https://codereview.chromium.org/1906573002 Cr-Commit-Position: refs/heads/master@{#391799} [modify] https://crrev.com/a2e7ea61ce75af85c4479c5af292383e3cf08341/net/dns/dns_config_service_posix.cc [modify] https://crrev.com/a2e7ea61ce75af85c4479c5af292383e3cf08341/net/dns/dns_config_service_posix_unittest.cc
,
May 5 2016
,
May 5 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
,
May 9 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8118cdeafceca82dcff6e180ea9b35f674563fb7 commit 8118cdeafceca82dcff6e180ea9b35f674563fb7 Author: Julia Tuttle <juliatuttle@chromium.org> Date: Tue May 10 17:42:39 2016 Async DNS: Don't watch hosts file on Android The hosts file on Android should never change (it's on the read-only /system partition), and attempting to watch it also tries to watch /, which triggers a SELinux denial in Android N. Therefore, don't watch it on Android. BUG= 600442 Review-Url: https://codereview.chromium.org/1906573002 Cr-Commit-Position: refs/heads/master@{#391799} (cherry picked from commit a2e7ea61ce75af85c4479c5af292383e3cf08341) Review URL: https://codereview.chromium.org/1965553005 . Cr-Commit-Position: refs/branch-heads/2704@{#478} Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251} [modify] https://crrev.com/8118cdeafceca82dcff6e180ea9b35f674563fb7/net/dns/dns_config_service_posix.cc [modify] https://crrev.com/8118cdeafceca82dcff6e180ea9b35f674563fb7/net/dns/dns_config_service_posix_unittest.cc |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by amin...@google.com
, Apr 4 2016Owner: thestig@chromium.org
Status: Assigned (was: Untriaged)