
Android's Logcat spammed with selinux avc denials on tmpfs, type 1400 by kworker/kernel


I am getting my Android's logcat spammed with these warnings (rooted with Magisk):

10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0

I was looking into the following docs to see how I could fix this issue, but cannot figure it out.

https://source.android.com/security/selinux/device-policy

https://source.android.com/security/selinux/validate

https://source.android.com/security/selinux/concepts

https://source.android.com/security/selinux/implement

https://gist.github.com/msfjarvis/ec52b48eb2df1688b7cbe32bcd39ee5f

https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script

https://source.android.com/security/selinux/customize#android-o

https://android.stackexchange.com/questions/218911/how-to-add-selinux-policy-on-a-user-debug-rom-that-has-split-policy-scheme

https://android.stackexchange.com/questions/214839/how-to-run-an-android-init-service-with-superuser-selinux-context

https://topjohnwu.github.io/Magisk/tools.html#magiskpolicy

https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process

https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

I looked in /dev, but I do not have anything similar.

android# ls -l /dev/ | grep sd
#returns nothing

The inode resolves to this file:

find /sys -xdev -inum 28978
/sys/firmware/devicetree/base/__symbols__/sb_7_tx

However, on the next reboot it resolves to another file, but the errors are always related to one single inode.

I suppose I should add this rule in a .te file:

allow kernel oem_device:blk_file {read write};

adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy
#this confirms the rule

I found some related files to selinux in this dump:

https://git.rip/dumps/oneplus/oneplus7tpro/-/find_file/hotdog-user-10-QKQ1.190716.003-2009281542-release-keys

but I am not very sure where I should add the rule... possibly somewhere in /vendor/etc/selinux.

Does anyone know the steps to fix these warnings, and maybe how to dig further into why they occur in the first place?

Thanks
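The mapping from an avc denial line to the allow rule that audit2allow prints is mechanical, and it helps to see it done by hand so the fields in the log line (scontext, tcontext, tclass, the permission set, permissive=0) are clear. The script below is an added example, not code from the question or its answer: it parses logcat text for avc denials, groups them by (source domain, target type, class), unions the denied permissions, and prints both the .te rule and the equivalent magiskpolicy statement. The sample log lines are constructed for the example (the first copies the shape of the denial quoted above; the second is the kind of follow-up open denial mentioned in the answer); the function names are my own.

```python
"""Turn SELinux avc denial lines from logcat into candidate policy rules.

Added example (not from the question or its answer). It reproduces by hand
what `audit2allow -p policy` does for the common case: group denials by
(source domain, target type, class) and print the union of denied
permissions as both a .te `allow` rule and a `magiskpolicy --live` statement.
"""
import re
from collections import defaultdict

# Constructed sample input. Line 1 mirrors the denial quoted in the question;
# line 2 is a follow-up 'open' denial of the kind the answer mentions; line 3 is
# an unrelated logcat line; line 4 is a permissive-mode denial from another domain.
SAMPLE_LOGCAT = """\
10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0
10-15 22:02:29.041 12944 12944 W kworker/0:4: type=1400 audit(0.0:87191): avc: denied { open } for path="/dev/block/sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0
10-15 22:02:30.100  1234  1234 I ActivityManager: Start proc 5678:com.example/u0a12 for service
10-15 22:02:31.500  2345  2345 W dnscrypt: type=1400 audit(0.0:87192): avc: denied { execute } for name="dnscrypt-proxy" dev="dm-0" ino=100 scontext=u:r:init:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<details>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs between "for" and "scontext=" (name="sde73" dev="tmpfs" ino=28978 ...)
DETAIL_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """u:r:kernel:s0 -> kernel ; u:object_r:oem_device:s0 -> oem_device."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("unexpected SELinux context: %r" % ctx)
    return parts[2]


def parse_avc_denials(text):
    """Return one dict per avc denial found in logcat text; other lines are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        details = {k: v.strip('"') for k, v in DETAIL_RE.findall(m.group("details"))}
        denials.append({
            "perms": m.group("perms").split(),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=0 means the access was really blocked, not just logged;
            # a missing field is treated as enforcing.
            "enforced": m.group("permissive") != "1",
            "details": details,
        })
    return denials


def aggregate_rules(denials):
    """Group denials by (source, target, class) and union their permissions."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return dict(rules)


def te_rule(key, perms):
    """Rule in .te syntax (target type and class joined by a colon)."""
    source, target, tclass = key
    return "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(sorted(perms)))


def magiskpolicy_cmd(key, perms):
    """Same rule as a magiskpolicy --live statement (no colon, no semicolon)."""
    source, target, tclass = key
    return "magiskpolicy --live 'allow %s %s %s { %s }'" % (
        source, target, tclass, " ".join(sorted(perms)))


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_LOGCAT)
    for d in found:
        print("%s -> %s (%s) %s ino=%s enforced=%s" % (
            d["source"], d["target"], d["tclass"], d["perms"],
            d["details"].get("ino"), d["enforced"]))
    for key, perms in sorted(aggregate_rules(found).items()):
        print(te_rule(key, perms))
        print(magiskpolicy_cmd(key, perms))
```

Running it on a real capture (`adb logcat -b all -d > logcat.txt`, then feed the file contents instead of SAMPLE_LOGCAT) gives the narrowest allow rules that match the observed denials; each rule is still worth reading before applying it, since a kernel-domain rule on a block device type is exactly the kind of grant audit2allow cannot judge for you. The `enforced` flag also separates real blocks (permissive=0) from permissive-domain noise, which only gets logged.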


Solution

  • I managed to fix the warnings with this command:

    magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
    

    The 'open' right was also granted because another warning related to it would appear after allowing only read/write.

    Still I cannot understand:

    1. why the kernel is trying to access this
    2. what exactly it is trying to access
    3. shouldn't Magisk take care of the SELinux policies for such low-level grants, such as kernel?
    4. I'm not sure how I can make this fix permanent (so it persists across reboots). From my research it looks like I have to modify a certain file in boot.img, repack it and push it back to Android.

    On this page: https://topjohnwu.github.io/Magisk/tools.html

    a tool, magiskboot, is specified which should be used for such patching, but I do not have it.

    A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms.

    I will come back with any findings.

    UPDATE: I managed to permanently add the fixes at boot time with a post-fs-data script that runs during the boot process. It might not be a 100% fix, because the boot image should be patched instead so that magiskinit loads the policies even before init is executed, but it still fixes the warnings in logcat after the boot process has ended.

    REF:

    https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process

    https://topjohnwu.github.io/Magisk/guides.html#boot-scripts

    su -
    cd /data/adb/post-fs-data.d
    touch fix_selinux.sh
    chmod +x fix_selinux.sh
    vi fix_selinux.sh #add this line (and any other rules you need):
    /sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
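A slightly more defensive variant of that post-fs-data.d script, added here as an example and not part of the answer above: the rules live in a separate file (one magiskpolicy statement per line, `#` comments allowed), the binary is looked up at the /sbin path used in the answer and then at /data/adb/magisk/magiskpolicy (assumed here as the location on newer Magisk builds) and PATH, and the number of applied and failed rules is written to a log so a rule that stops parsing after a Magisk update is noticed rather than silently skipped. The paths /data/adb/selinux_rules.txt and /data/adb/fix_selinux.log are assumptions for this example.

```shell
#!/system/bin/sh
# Added example: /data/adb/post-fs-data.d/fix_selinux.sh variant that applies
# magiskpolicy rules listed one per line in a separate file and logs the result.
# The two paths below are assumptions for this example, not Magisk defaults.
RULES_FILE="${RULES_FILE:-/data/adb/selinux_rules.txt}"
LOG_FILE="${LOG_FILE:-/data/adb/fix_selinux.log}"
APPLIED=0
FAILED=0

# Locate magiskpolicy: /sbin as in the answer, /data/adb/magisk (assumed for
# newer Magisk builds), then whatever is on PATH. Non-zero status if none found.
find_magiskpolicy() {
    for p in /sbin/magiskpolicy /data/adb/magisk/magiskpolicy; do
        if [ -x "$p" ]; then
            echo "$p"
            return 0
        fi
    done
    command -v magiskpolicy 2>/dev/null
}

# apply_rules FILE BINARY: run "BINARY --live RULE" for every non-blank,
# non-comment line of FILE; results are counted in APPLIED / FAILED.
# Passing `true` as BINARY exercises the file handling without magiskpolicy.
apply_rules() {
    rules_file=$1
    mp=$2
    APPLIED=0
    FAILED=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if "$mp" --live "$line"; then
            APPLIED=$((APPLIED + 1))
        else
            FAILED=$((FAILED + 1))
            echo "failed: $line" >&2
        fi
    done < "$rules_file"
}

main() {
    mp=$(find_magiskpolicy) || { echo "magiskpolicy not found" >&2; return 1; }
    apply_rules "$RULES_FILE" "$mp"
    echo "$(date) applied=$APPLIED failed=$FAILED via $mp" >> "$LOG_FILE"
}

# Only act when a rules file exists, so the script is a harmless no-op otherwise.
if [ -r "$RULES_FILE" ]; then
    main
fi
```

After a reboot, `cat /data/adb/fix_selinux.log` shows whether every rule was accepted, and `adb logcat -b all -d | grep 'avc: denied'` confirms the denial is gone; a non-zero failed count usually means a rule's syntax or a type name no longer matches the loaded policy.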