dac_read_search and working around neverallow
A dac_override (or dac_read_search) denial means that the offending process is trying to access a file whose user/group permissions do not match its own identity. The correct solution almost never grants the capability in policy:
unless the domain is in the "dac_override_allowed" whitelist defined in "system/sepolicy/private/domain.te", the new allow rule hits a neverallow and the build fails. Instead, change the permissions
of the corresponding file or the identity of the process, so that the domain and the file share the same user/group permissions.
Here is an example.
I subsystem_ramdump: Attemping to create /sdcard/ramdump
E subsystem_ramdump: Unable to create /sdcard/ramdump
E subsystem_ramdump: Unable to create /sdcard/ramdump
E subsystem_ramdump: Failed to initialize ramdump
I auditd : type=1400 audit(0.0:154): avc: denied { dac_read_search } for comm="subsystem_ramdu" capability=2 scontext=u:r:subsystem_ramdump_system:s0 tcontext=u:r:subsystem_ramdump_system:s0 tclass=capability permissive=0
1) The simplest and most direct approach is to add the corresponding allow rule:
allow subsystem_ramdump_system self:capability { dac_read_search }
2) But it conflicts with a neverallow rule, and the build fails:
neverallow ~{
dac_override_allowed
traced_probes
userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
3) A way around the neverallow:
# ls -alZ /sdcard/ramdumpd
rwxrwx--- 2 root everybody u:object_r:fuse:s0 3488 2020-03-27 19:36 ramdump
# ps -Z -e |grep ramdump
u:r:subsystem_ramdump_system:s0 root 18391 1 10824200 2648 poll_schedule_timeout 0 S subsystem_ramdump_system
We can see that dac_read_search is denied because subsystem_ramdump_system needs to access /sdcard/ramdump. They have the same user, root,
but their groups differ: /sdcard/ramdump requires the everybody group,
so subsystem_ramdump_system also needs the everybody group.
4) The change is as follows:
service subsystem_ramdump_system /system/vendor/bin/subsystem_ramdump
class main
user root
- group system sdcard_rw
+ group system sdcard_rw everybody
disabled
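Review bot: the `+ group system sdcard_rw everybody` line is the entire fix, but the .rc records nothing about why it is there; add a comment above the service naming the dac_read_search denial on /sdcard/ramdump (root:everybody, rwxrwx---) so the extra supplementary group is not dropped in a later cleanup. Note also that everybody grants the service group-level access to every path on the FUSE-mounted storage that carries that group, not only /sdcard/ramdump; confirm that scope is acceptable for a service running as root.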
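As an added example (not code from the post), a small Python helper that performs the step 3 comparison and produces the step 4 edit: it pulls the domain out of the avc line, the owner and group out of the `ls -alZ` line, and appends the missing group to the matching service's `group` line in the init .rc text. It assumes the service is named after its SELinux domain, as it is here, and uses constructed copies of the post's lines as input.

```python
import re

# Constructed inputs taken from the post: the avc line, the `ls -alZ` line and
# the init .rc service block as it looked before the fix.
AVC = ('avc: denied { dac_read_search } for comm="subsystem_ramdu" capability=2 '
       'scontext=u:r:subsystem_ramdump_system:s0 tclass=capability permissive=0')
LS_LINE = 'rwxrwx--- 2 root everybody u:object_r:fuse:s0 3488 2020-03-27 19:36 ramdump'
RC_TEXT = ('service subsystem_ramdump_system /system/vendor/bin/subsystem_ramdump\n'
           '    class main\n    user root\n    group system sdcard_rw\n    disabled\n')

def avc_domain(line):
    """The <type> of scontext=u:r:<type>:s0 in an avc denial line, or None."""
    m = re.search(r'scontext=u:r:([^:]+):', line)
    return m.group(1) if m else None

def ls_identity(line):
    """(permission bits, user, group) from one `ls -alZ` line; type char optional."""
    f = line.split()
    return f[0][-9:], f[2], f[3]

def service_block(rc_text, service):
    """(lines, first, last+1) of the named service; its options are the indented lines."""
    lines = rc_text.splitlines()
    for i, line in enumerate(lines):
        if line.split()[:2] == ['service', service]:
            j = i + 1
            while j < len(lines) and lines[j][:1] in (' ', '\t'):
                j += 1
            return lines, i, j
    raise ValueError(f'service {service!r} not found')

def fix_for_denial(avc, ls_line, rc_text):
    """Step 3 of the post as a check: same user, missing group -> add the file's group
    to the service's `group` line. Assumes the service is named after its domain."""
    bits, owner, grp = ls_identity(ls_line)
    lines, start, end = service_block(rc_text, avc_domain(avc))
    opts = {l.split()[0]: l.split()[1:] for l in lines[start + 1:end] if l.split()}
    if opts.get('user') != [owner] or bits[3:6] == '---':
        raise ValueError(f'not a group mismatch: owner={owner} user={opts.get("user")} bits={bits}')
    if grp in opts.get('group', []):
        return rc_text, False  # already fixed, nothing to change
    for i in range(start + 1, end):
        if lines[i].split()[:1] == ['group']:
            lines[i] = lines[i].rstrip() + ' ' + grp
            return '\n'.join(lines) + '\n', True
    raise ValueError('service has no group line')
```

An owner mismatch is reported instead of patched, because in that case neither a supplementary group nor a dac_read_search allow rule is the right fix.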