Android SELinux的avc：denied log 是哪里打印的及关闭?
某些场景下并不需要打开SELinux,也就是SELinux设为Permissive，但如果程序设计不符合SELinux sepolicy，日志会频繁打印如下类似avc：denied 的 log。
如下：

[   24.018396] type=1400 audit(1622165470.867:666): avc: denied { read } for pid=2358 comm="testagent" name="ApkLife.data" dev="tmpfs" ino=28549 scontext=u:r:stbdetector:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=1
[   24.024144] type=1400 audit(1622165470.867:667): avc: denied { open } for pid=2358 comm="testagent" path="/data/local/vixtel/temp/ApkLife.data" dev="tmpfs" ino=28549 scontext=u:r:stbdetector:s0 tcontext=u:object_r:system_app_tmpfs:s0 tclass=file permissive=1

---

1. avc：denied log是哪里打印出来的？

Linux version 4.14：
在Linux kernel代码中，security/lsm_audit.c 中有common_lsm_audit函数，定义如下：

/**
* common_lsm_audit - generic LSM auditing function
* @a:  auxiliary audit data
* @pre_audit: lsm-specific pre-audit callback
* @post_audit: lsm-specific post-audit callback
*
* setup the audit buffer for common security information
* uses callback to print LSM specific information
*/
void common_lsm_audit(struct common_audit_data *a,void (*pre_audit)(struct audit_buffer *, void *),void (*post_audit)(struct audit_buffer *, void *))
{struct audit_buffer *ab;if (a == NULL)return;/* we use GFP_ATOMIC so we won't sleep */ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN,AUDIT_AVC);if (ab == NULL)return;if (pre_audit)pre_audit(ab, a);dump_common_audit_data(ab, a);if (post_audit)post_audit(ab, a);audit_log_end(ab);
}

在这个函数中依次调用了 pre_audit ， dump_common_audit_data ，post_audit 三个函数来打印相关信息。
其中 pre_audit 和 post_audit定义如下：

// common_lsm_audit 的调用common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback);// 函数定义
static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
{struct common_audit_data *ad = a;audit_log_format(ab, "avc:  %s ",ad->selinux_audit_data->denied ? "denied" : "granted");avc_dump_av(ab, ad->selinux_audit_data->tclass,ad->selinux_audit_data->audited);audit_log_format(ab, " for ");
}/**
* avc_audit_post_callback - SELinux specific information
* will be called by generic audit code
* @ab: the audit buffer
* @a: audit_data
*/
static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
{struct common_audit_data *ad = a;audit_log_format(ab, " ");avc_dump_query(ab, ad->selinux_audit_data->state,ad->selinux_audit_data->ssid,ad->selinux_audit_data->tsid,ad->selinux_audit_data->tclass);if (ad->selinux_audit_data->denied) {audit_log_format(ab, " permissive=%u",ad->selinux_audit_data->result ? 0 : 1);}
}

---

2. avc：denied log在不需要时如何关闭？

简单的方法就是把打印log的部分直接注释掉，如下：

void common_lsm_audit(struct common_audit_data *a,void (*pre_audit)(struct audit_buffer *, void *),void (*post_audit)(struct audit_buffer *, void *))
{struct audit_buffer *ab;if (a == NULL)return;
+#if 0 // 屏蔽代码/* we use GFP_ATOMIC so we won't sleep */ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN,AUDIT_AVC);if (ab == NULL)return;if (pre_audit)pre_audit(ab, a);dump_common_audit_data(ab, a);if (post_audit)post_audit(ab, a);audit_log_end(ab);
+#endif // 屏蔽代码
}