selinux labels are not properly set on symlinks |
|||||||||||||||
Issue descriptionI cannot move or remove symbollic links inside termux after migration. Not sure if this is due to migration or not. [17:15:20] localhost ~/git/nlp-study/hoge/cxx11 $ ls -la mmap_file.h lrwxrwxrwx 1 u0_a27 u0_a27 30 May 3 10:20 mmap_file.h -> ../../aptindex/mmap_file.h [17:15:46] localhost ~/git/nlp-study/hoge/cxx11 $ touch unko [17:16:42] localhost ~/git/nlp-study/hoge/cxx11 $ ls -l unko -rw------- 1 u0_a27 u0_a27 0 Jun 16 17:16 unko [17:16:46] localhost ~/git/nlp-study/hoge/cxx11 $ [17:16:46] localhost ~/git/nlp-study/hoge/cxx11 $ rm mmap_file.h rm: cannot remove 'mmap_file.h': Permission denied [17:17:17] localhost ~/git/nlp-study/hoge/cxx11 $ mv mmap_file.h hoge mv: cannot move 'mmap_file.h' to 'hoge': Permission denied [17:17:21] localhost ~/git/nlp-study/hoge/cxx11 $
,
Jun 16 2017
For old symlinks that existed before migration that I cannot access: security.selinux u:object_r:app_data_file:s0� For other files and new symlinks that I can access: security.selinux u:object_r:app_data_file:s0:c512,c768
,
Jun 16 2017
,
Jun 16 2017
git status reports symlinks as modified, reading the file content is possible renaming or removing the file is not possible.
,
Jun 18 2017
Sorry, my fault. The docs I read on this just said that xattrs weren't supported on symlinks, and my testing seemed to indicate that was true. However it appears that only user xattrs aren't supported, and selinux and other secure xattrs are.
,
Jun 19 2017
output of $ find /data -type l | xargs ls -lZ doesn't seem to show discrepancies, I am guessing if system files have selinux labels relabeled on boot (they probably are, I seem to recall restorecon is called).
,
Jun 19 2017
Yea, that's why I didn't catch it in my testing (none of the apps I tested against created symlinks). Still worth fixing as some apps may create symlinks. Should also look in to whether we can re-create the selinux labels for users that have already migrated.
,
Jun 19 2017
feedback report: https://feedback.corp.google.com/#/Report/65742053067
,
Jun 23 2017
Requesting merge of https://chromium-review.googlesource.com/c/538403/ to copy xattrs (in particular selinux labels) on symlinks.
,
Jun 23 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 24 2017
,
Jun 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/e5c8f072ca2379879da1f5e6e94accb775eddd99 commit e5c8f072ca2379879da1f5e6e94accb775eddd99 Author: Dan Spaid <dspaid@google.com> Date: Mon Jun 26 02:47:09 2017 cryptohome: Add symlink support to xattr methods. The Dircrypto migration needs to migrate system xattrs from symlinks. Add support for symlinks to the Platform xattr wrappers and use them in the migration. TEST=cros_workon_make --board=samus --test cryptohome BUG= chromium:733979 Change-Id: I1984dcc3cede5100526e2b9911e5b37b9a3b0a08 Reviewed-on: https://chromium-review.googlesource.com/538403 Commit-Ready: Dan Spaid <dspaid@chromium.org> Tested-by: Dan Spaid <dspaid@chromium.org> Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org> (cherry picked from commit 061b848e75ce5ac5ccce28c275c2264cd46a6c75) Reviewed-on: https://chromium-review.googlesource.com/547815 Reviewed-by: Dan Spaid <dspaid@chromium.org> Commit-Queue: Dan Spaid <dspaid@chromium.org> [modify] https://crrev.com/e5c8f072ca2379879da1f5e6e94accb775eddd99/cryptohome/dircrypto_data_migrator/migration_helper.cc [modify] https://crrev.com/e5c8f072ca2379879da1f5e6e94accb775eddd99/cryptohome/platform.cc [modify] https://crrev.com/e5c8f072ca2379879da1f5e6e94accb775eddd99/cryptohome/platform.h
,
Jun 26 2017
,
Jul 4 2017
,
Jul 5 2017
Is this critical for 59? We're already halfway through stable period and only taking critical fixes.
,
Jul 6 2017
,
Jul 7 2017
,
Jul 10 2017
,
Jul 11 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 16 2017
This seems to break any upgrade of app inside termux with a shared library. Unpacking apt (1.2.12-3) over (1.2.12-2) ... dpkg: warning: symbolic link '/data/data/com.termux/files/usr/lib/libapt-pkg.so' size has changed from 22 to 19 dpkg: warning: symbolic link '/data/data/com.termux/files/usr/lib/apt/methods/xz' size has changed from 18 to 4 dpkg: warning: symbolic link '/data/data/com.termux/files/usr/lib/apt/methods/ssh' size has changed from 18 to 3 dpkg: warning: symbolic link '/data/data/com.termux/files/usr/lib/libapt-pkg.so.5.0' size has changed from 22 to 19 dpkg: error processing archive /data/data/com.termux/files/usr/var/cache/apt/archives/apt_1.2.12-3_arm.deb (--unpack): unable to install new version of '/data/data/com.termux/files/usr/lib/libapt-pkg.so': Permission denied dpkg: error while cleaning up: unable to restore backup version of '/data/data/com.termux/files/usr/lib/libapt-pkg.so.5.0': Permission denied dpkg: error while cleaning up: unable to restore backup version of '/data/data/com.termux/files/usr/lib/apt/methods/ssh': Permission denied dpkg: error while cleaning up: unable to restore backup version of '/data/data/com.termux/files/usr/lib/apt/methods/xz': Permission denied dpkg: error while cleaning up: unable to restore backup version of '/data/data/com.termux/files/usr/lib/libapt-pkg.so': Permission denied Errors were encountered while processing: /data/data/com.termux/files/usr/var/cache/apt/archives/apt_1.2.12-3_arm.deb E: Sub-process /data/data/com.termux/files/usr/bin/dpkg returned an error code (1) 19:06:08 ~$ I think this manifests as https://github.com/termux/termux-packages/issues/1086
,
Jul 17 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 22 2018
|
|||||||||||||||
►
Sign in to add a comment |
|||||||||||||||
Comment 1 by uekawa@google.com
, Jun 16 2017newly created symlinks can be manipulated, the files already existed before started failing. In dmesg, I have error message like this: [ 6836.490091] audit: type=1400 audit(1497601428.357:346): avc: denied { rename } for pid=4083 comm="mv" name="scoped_timer.h" dev="mmcblk0p1" ino=1443871 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0 [ 6445.853001] audit: type=1400 audit(1497601037.720:335): avc: denied { unlink } for pid=2441 comm="rm" name="mmap_file.h" dev="mmcblk0p1" ino=2738 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0 [ 6449.826341] audit: type=1400 audit(1497601041.693:336): avc: denied { rename } for pid=2444 comm="mv" name="mmap_file.h" dev="mmcblk0p1" ino=2738 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=lnk_file permissive=0