I am creating a native HAL service in Android that provides an interface to read information from SCSI devices. In order to read information from the SCSI devices, I used ioctl with the SG_IO request to send commands to the device from user space.
But when I execute it in Android, I am facing an “AVC denial for sys_rawio” for this IOCTL.
01-01 00:57:50.227 1110 1110 I [email protected]: type=1400 audit(0.0:332): avc: denied { sys_rawio } for capability=17 scontext=u:r:hal_Diag_default:s0 tcontext=u:r:hal_Diag_default:s0 tclass=capability permissive=1
IOCTL used to send the command from user space (/dev/block/sda is used for fd):
ret = ioctl(fd, SG_IO, &io_hdr_v4);
But when I use the same device node (/dev/block/sda) for a different IOCTL, the “AVC denial for sys_rawio” is not seen:
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fs.h>   /* BLKDISCARD */
#include <log/log.h>    /* ALOGD */

int ret = 0;
int fd;
unsigned long long int range[2] = {0, 0};   /* {start, length} in bytes; fill in before use */
const char *device_path = "/dev/block/sda31";
// Open the device file
fd = open(device_path, O_RDWR);
if (fd == -1) {
    ALOGD("Failed to open the device");
}
else {
    // Issue the BLKDISCARD ioctl command
    if (ioctl(fd, BLKDISCARD, range) == -1) {
        ALOGD("BLKDISCARD ioctl failed");
    }
    else
        ALOGD("BLKDISCARD operation on %s successful.\n", device_path);
    // Close the device file
    close(fd);
}
Also, sys_rawio is in a neverallow rule in private/domain.te, so I am unable to add an allow rule in the sepolicy. Can someone help me solve this?
Facing the AVC denial for the code below.
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <scsi/sg.h>
#include <android/log.h>

int32_t send_scsi_cmd_upiu (uint8_t *cdb,
                            uint8_t cdb_len,
                            int32_t fd,
                            uint8_t *data_ptr,
                            int32_t data_len,
                            int32_t timeout,
                            uint8_t write)
{
    int k, ret = 0;
    sg_io_hdr_t hp;                          /* v3 SG_IO header (interface_id 'S') */
    unsigned char sense_buffer[32] = {0};
    timeout = 60000;                         /* milliseconds; overrides the caller's value */
    memset(&hp, 0, sizeof(sg_io_hdr_t));
    hp.interface_id = 'S';
    hp.cmd_len = cdb_len;
    hp.cmdp = cdb;
    hp.mx_sb_len = sizeof(sense_buffer);
    hp.dxfer_len = data_len;
    hp.timeout = timeout;
    hp.sbp = sense_buffer;
    hp.iovec_count = 0;
    hp.flags = 0;
    hp.dxferp = data_ptr;
    hp.status = 0;
    hp.masked_status = 0;
    hp.msg_status = 0;
    hp.sb_len_wr = 0;
    hp.host_status = 0;
    hp.driver_status = 0;
    hp.resid = 0;
    hp.duration = 0;
    hp.info = 0;
    if (write)
    {
        hp.dxfer_direction = SG_DXFER_TO_DEV;
    }
    else
    {
        hp.dxfer_direction = SG_DXFER_FROM_DEV;
    }
    /* SG_IO on a block node is gated on CAP_SYS_RAWIO in the kernel; this call is
       what produces the sys_rawio AVC entry. */
    if (ioctl(fd, SG_IO, &hp) == -1)
    {
        __android_log_print(ANDROID_LOG_ERROR, "DIAG", "IOCTl SCSI Failed %s\n", strerror(errno));
        ret = -1;
    }
    else
    {
        /* Only the status bits of hp.info signal failure; other bits are informational. */
        if ((hp.info & SG_INFO_OK_MASK) != SG_INFO_OK)
        {
            ret = -1;
            if (hp.sb_len_wr > 0) {
                __android_log_print(ANDROID_LOG_INFO, "DIAG", "INQUIRY sense data: \n ");
                for (k = 0; k < hp.sb_len_wr; ++k) {
                    if ((k > 0) && (0 == (k % 10)))
                        __android_log_print(ANDROID_LOG_ERROR, "DIAG", "\n ");
                    __android_log_print(ANDROID_LOG_ERROR, "DIAG", "0x%02x ", sense_buffer[k]);
                }
                __android_log_print(ANDROID_LOG_ERROR, "DIAG", "\n");
            }
            if (hp.masked_status)
                __android_log_print(ANDROID_LOG_ERROR, "DIAG", "INQUIRY SCSI status=0x%x\n", hp.status);
            if (hp.host_status)
                __android_log_print(ANDROID_LOG_ERROR, "DIAG", "INQUIRY host_status=0x%x\n", hp.host_status);
            if (hp.driver_status)
                __android_log_print(ANDROID_LOG_ERROR, "DIAG", "INQUIRY driver_status=0x%x\n", hp.driver_status);
        }
    }
    return ret;
}
Since sys_rawio is a neverallow in domain.te except for the few domains in the allowlist, you could explore changing your utility to be in an allowed domain; e.g. tee seems a good candidate to change the domain to, and it has the sys_rawio permission too.
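As an added example (not code from the question or the answer), a small triage script for denial lines like the one in the question: it parses the avc fields, builds the allow rule audit2allow would emit, records whether permissive=1 meant the ioctl still went through, and flags the capability/sys_rawio pair that domain.te neverallows. The service tag, the second sample line and the NEVERALLOWED table are constructed for the example.

```python
import re
# Constructed sample log: line 1 mirrors the question's denial (the service
# tag is a placeholder); line 2 is a made-up enforcing-mode denial on the node.
SAMPLE_LOG = """\
01-01 00:57:50.227  1110  1110 I hal_diag_service: type=1400 audit(0.0:332): avc: denied { sys_rawio } for capability=17 scontext=u:r:hal_Diag_default:s0 tcontext=u:r:hal_Diag_default:s0 tclass=capability permissive=1
01-01 00:57:51.004  1110  1110 I hal_diag_service: type=1400 audit(0.0:333): avc: denied { ioctl } for path="/dev/block/sda" dev="sda" ino=42 ioctlcmd=0x2285 scontext=u:r:hal_Diag_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
"""

# Assumption taken from the question: domain.te neverallows sys_rawio outside
# a short allowlist. Check the domain.te in your tree for the real list.
NEVERALLOWED = {("capability", "sys_rawio")}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """u:r:hal_Diag_default:s0 -> hal_Diag_default (the type field)."""
    return context.split(":")[2]

def parse_avc(line):
    """Split one denial into its permission list and key=value fields."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {"perms": m.group(1).split(), "fields": fields}

def allow_rule(perms, fields):
    """The allow rule audit2allow would emit for this denial."""
    src, tgt = type_of(fields["scontext"]), type_of(fields["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s %s;" % (src, target, fields["tclass"], " ".join(perms))

def triage(log_text):
    """One record per denial: candidate rule, enforced?, neverallow hit?"""
    out = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        f = d["fields"]
        out.append({
            "rule": allow_rule(d["perms"], f),
            # permissive=1 means the denial was only logged; the ioctl still ran.
            "enforced": f.get("permissive") == "0",
            "neverallow": any((f["tclass"], p) in NEVERALLOWED for p in d["perms"]),
            "fields": f,
        })
    return out
```

Run triage() over a logcat capture; a record with neverallow=True is one where adding the generated rule will fail the policy build, which is the situation the question describes.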