From: russell@coker.com.au (Russell Coker)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] udisks2 and /dev/mem
Date: Thu, 15 Feb 2018 23:36:51 +1100
Message-ID: <2164891.hfskaxh8Hi@liv>
In-Reply-To: <CAJfZ7==rZfDkbOm1iUGbhVsy9CLOaLQAg3ajk8+LYKVUnH0=sQ@mail.gmail.com>

On Thursday, 15 February 2018 10:40:34 PM AEDT Nicolas Iooss wrote:
> On Wed, Feb 14, 2018 at 5:03 AM, Russell Coker via refpolicy
> <refpolicy@oss.tresys.com> wrote:
> > type=AVC msg=audit(1518580690.273:39): avc:  denied  { read } for  pid=566
> > comm="udisksd" name="mem" dev="devtmpfs" ino=1027
> > scontext=system_u:system_r:devicekit_disk_t:s0
> > tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
> > 
> > Does anyone know why udisksd from the udisks2 package needs to access
> > /dev/mem?
> 
> Hi,
> I quickly searched the package source and grepped the libraries used
> by udisksd in order to find which one would access /dev/mem and found
> nothing. When I install udisks2 in a simple virtual machine which has
> /dev/mem (the kernels I use are built without CONFIG_DEVMEM), this AVC
> does not appear.

This currently only happens on my laptop.  I haven't seen it happen on a VM.  
It might be related to some aspect of the configuration of my laptop, 
encrypted disks or something.  Although it doesn't occur on my workstation 
with encrypted disks.

> Therefore I can only make a blind guess that a udisksd component is
> crawling /dev and performs a call to access("/dev/mem") to test
> whether this file is readable. Did you have a "type=SYSCALL" entry
> next to the AVC in audit.log, which would tell whether the denied
> access was caused by access() or open()?

It's openat.  Thanks for suggesting looking for the syscall, it explains why 
my grep for /dev/mem in udisks2 and all the shared objects it loads didn't 
turn up any matches.  I'll try and get udisks2 to run under gdb and see what 
that reveals.

# ausearch --format interpret -a 39
----
type=PROCTITLE msg=audit(14/02/18 14:58:10.273:39) : proctitle=/usr/lib/udisks2/udisksd
type=SYSCALL msg=audit(14/02/18 14:58:10.273:39) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffffffffffff9c a1=0x7fd666a6bc29 a2=O_RDONLY a3=0x0 items=0 ppid=1 pid=566 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udisksd exe=/usr/lib/udisks2/udisksd subj=system_u:system_r:devicekit_disk_t:s0 key=(null)
type=AVC msg=audit(14/02/18 14:58:10.273:39) : avc:  denied  { read } for  pid=566 comm=udisksd name=mem dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
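As an added example (not code from the thread or from udisks2), a small Python correlator that does what the ausearch step above does by hand: it groups raw audit.log records by event serial and pairs each AVC denial with its SYSCALL record, so you can see which syscall triggered the denial and whether the policy actually enforced it. The log lines are constructed in raw audit.log form (modelled on event 39 from the thread), and the syscall table is an assumed, partial x86_64 mapping.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit.log form, modelled on the event quoted in the
# thread (serial 39). Event 40 is constructed with no SYSCALL line, to show that case.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1518580690.273:39): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7fd666a6bc29 a2=0 a3=0 items=0 ppid=1 pid=566 uid=0 comm="udisksd" exe="/usr/lib/udisks2/udisksd" subj=system_u:system_r:devicekit_disk_t:s0 key=(null)
type=AVC msg=audit(1518580690.273:39): avc:  denied  { read } for  pid=566 comm="udisksd" name="mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1518580700.101:40): avc:  denied  { getattr } for  pid=566 comm="udisksd" path="/dev/mem" dev="devtmpfs" ino=1027 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=1
"""

# Partial x86_64 syscall table (assumed): just the numbers relevant to this diagnosis.
X86_64_SYSCALLS = {2: "open", 21: "access", 257: "openat"}
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")


def parse_records(log_text):
    """Group raw audit records by event serial: serial -> {record type: fields}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":  # the permissions sit inside "{ ... }", not as key=value
            fields["perms"] = PERM_RE.search(body).group(1).split()
        events[int(serial)][rtype] = fields
    return events


def correlate_denials(log_text):
    """For each AVC denial, name the syscall (if a SYSCALL record exists) that caused it."""
    report = []
    for serial, recs in sorted(parse_records(log_text).items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        report.append({
            "serial": serial,
            "perms": avc["perms"],
            "target": f"{avc['tcontext']}:{avc['tclass']}",
            "enforced": avc.get("permissive") == "0",  # permissive=1: logged but allowed
            "syscall": None if nr is None else X86_64_SYSCALLS.get(nr, f"nr={nr}"),
        })
    return report
```

Event 39 resolves to openat with the denial enforced; event 40 has no SYSCALL record and was logged in permissive mode, which is the case where the AVC alone cannot tell you which call triggered it.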
