Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752639AbdGFNaP (ORCPT <rfc822;w@1wt.eu>);
        Thu, 6 Jul 2017 09:30:15 -0400
Received: from mail-lf0-f52.google.com ([209.85.215.52]:34747 "EHLO
        mail-lf0-f52.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752068AbdGFNaO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Jul 2017 09:30:14 -0400
MIME-Version: 1.0
X-Originating-IP: [108.49.102.27]
In-Reply-To: <CALAqxLUoN5tkqBwQVMrFDxDuqJATsj583UGB2xKNbrOHsdwXtg@mail.gmail.com>
References: <CALAqxLUoN5tkqBwQVMrFDxDuqJATsj583UGB2xKNbrOHsdwXtg@mail.gmail.com>
From: Paul Moore <paul@paul-moore.com>
Date: Thu, 6 Jul 2017 09:30:11 -0400
Message-ID: <CAHC9VhQk1BYzoBvKLEukHcgdpFjUeXTE2PVU_2yz1fcV5O4Phw@mail.gmail.com>
Subject: Re: [Regression?] "selinux: add a map permission check for mmap"
 causing AOSP to fail booting
To: John Stultz <john.stultz@linaro.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
        Jeffrey Vander Stoep <jeffv@google.com>,
        lkml <linux-kernel@vger.kernel.org>,
        Android Kernel Team <kernel-team@android.com>,
        Nick Kralevich <nnk@google.com>, Kees Cook <keescook@google.com>,
        Dmitry Shmidt <dimitrysh@google.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3510
Lines: 77

On Thu, Jul 6, 2017 at 1:32 AM, John Stultz <john.stultz@linaro.org> wrote:
> Hey folks,
>    I updated my HiKey kernel tree to linus/master today and it stopped
> booting (hitting errors at init and reseting immediately into
> bootloader mode):
>
> [    5.289827] init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
> [    5.296709] init: Loading SELinux policy
> [    5.334521] SELinux:  Permission validate_trans in class security
> not defined in policy.
> [    5.342828] SELinux:  Permission map in class file not defined in policy.
> [    5.349690] SELinux:  Permission map in class dir not defined in policy.
> [    5.356464] SELinux:  Permission map in class lnk_file not defined in policy.
> [    5.363666] SELinux:  Permission map in class chr_file not defined in policy.
> [    5.370870] SELinux:  Permission map in class blk_file not defined in policy.
> [    5.378070] SELinux:  Permission map in class sock_file not defined
> in policy.
> [    5.385351] SELinux:  Permission map in class fifo_file not defined
> in policy.
> [    5.392647] SELinux:  Permission map in class socket not defined in policy.
> [    5.399670] SELinux:  Permission map in class tcp_socket not
> defined in policy.
> [    5.407042] SELinux:  Permission map in class udp_socket not
> defined in policy.
> [    5.414415] SELinux:  Permission map in class rawip_socket not
> defined in policy.
> [    5.421969] SELinux:  Permission map in class netlink_socket not
> defined in policy.
> ...
> [    5.850590] SELinux: the above unknown classes and permissions will be denied
> [    5.892283] audit: type=1403 audit(104.182:2): policy loaded
> auid=4294967295 ses=4294967295
> [    5.892510] selinux: SELinux: Loaded policy from /sepolicy
> [    5.892510]
> [    5.907690] audit: type=1404 audit(104.183:3): enforcing=1
> old_enforcing=0 auid=4294967295 ses=4294967295
> [    5.911853] selinux: selinux_android_file_context: Error getting
> file context handle (Permission denied)
> [    5.911853]
> [    5.911968] init: execv("/init") failed: Permission denied
> [    5.911987] init: Security failure...
> [    5.912008] init: panic: rebooting to bootloader
> [    5.912034] init: Reboot start, reason: reboot, rebootTarget: bootloader
>
>
> I bisected the issue down to 3ba4bf5f1e2c (selinux: add a map
> permission check for mmap).
>
> It seems every -rc1 I hit something like this w/ selinux, and
> sometimes it is just that I need to fix my sepolicy files, but I'm not
> really sure which this one is.
>
> Reverting the identified commit allows things to boot normally.

Hello,

The short version is that this is the expected behavior given your
SELinux policy configuration and isn't a regression; your SELinux
policy is configured to not be overly permissive when new access
control points are introduced and that is what it is doing.

The slightly longer version is that your SELinux policy is set to deny
access to any new object classes or permissions that are not defined
in the policy, and we can see from your boot output your SELinux
policy does not define the new "map" permission for a number of object
classes.  The solution is to either update your SELinux policy to
include the SELinux policy, or to allow unknown object classes and
permissions.

What distribution are you running (where are you getting your SELinux
policy and userspace)?  I would suggest starting a conversation there,
I'm happy to lend a hand if you need some help explaining the
situation.

-- 
paul moore
www.paul-moore.com