kernel: prune redundant avtab nodes after deny rules#3439
XiaoTong6666 wants to merge 3 commits into tiann:main from
Runtime deny rules clear permission bits from AVTAB_ALLOWED entries. When all permissions are removed from an existing entry, the update can leave an AVTAB_ALLOWED node with data == 0.
Such zero-permission avtab nodes are redundant and can make external policy parsers, such as sepatch, reject /sys/fs/selinux/policy with errors like:
Invalid access vector
Invalid avtab
Invalid policydb
policy image is invalid
This was observed when applying:
deny appdomain cgroup_v2 dir search
The rule itself is valid, but the runtime patch left a redundant avtab entry behind.
Avoid creating new entries for deny updates when the target entry does not exist, and prune redundant nodes after access-vector rule updates by rebuilding the avtab and destroying the old table through avtab_destroy().
This preserves deny semantics while keeping the live policy parseable by policydb-based tools.

Modules that use sepatch, such as https://github.com/chenxiaolong/MSD, can trigger this issue.

Magisk's sepolicy implementation appears to handle this case as well: it defines redundant avtab node detection and removes such nodes after rule updates when necessary. See:
Pull request overview
This PR updates KernelSU's live SELinux policy patching so runtime deny-style AV rule changes do not leave redundant zero-permission AVTAB entries behind, which helps keep the in-kernel policy export parseable by policydb-based tools.
Changes:
- add helpers to detect and remove redundant AVTAB nodes after access-vector updates
- change inverted rule handling so missing target entries are not created for deny-style updates
- add failure checks when inserting AVTAB nodes for normal and type-rule updates
Prune redundant avtab nodes by detaching the target node and releasing it through a temporary avtab with avtab_destroy(), instead of rebuilding the entire te_avtab. Propagate add_rule_raw() and avtab removal failures to callers so failed insertions or prune operations are not reported as successful updates. Keep AVTAB_AUDITDENY updates able to create missing entries, while missing deny-style AVTAB_ALLOWED entries remain no-ops.
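The following is an added example, not KernelSU's code, written to illustrate the failure mode in the PR description (a deny that clears every bit of an existing AVTAB_ALLOWED entry, or that is applied to a missing entry, leaves a node with data == 0 behind) and the prune step from the commit message above. It is a toy in-memory avtab: only the AVTAB_ALLOWED specifier value mirrors SELinux; the node layout, the helper names (toy_insert, toy_deny, toy_remove, pruned_after_deny, nel_after_deny_missing), the type/class ids and the permission bits are constructed for the example. Detaching the redundant node and freeing it directly stands in for the temporary-avtab release through avtab_destroy() described in the commit.

```c
/* Added example, not KernelSU code: a toy in-memory avtab showing how a runtime
 * "deny" clears permission bits from an AVTAB_ALLOWED node, how that can leave a
 * redundant node with data == 0, and how a prune pass removes it. Only
 * AVTAB_ALLOWED mirrors SELinux; everything else is constructed for the example. */
#include <stdint.h>
#include <stdlib.h>

#define AVTAB_ALLOWED 0x0001
#define T_APPDOMAIN 10        /* constructed type/class ids and permission bits */
#define T_CGROUP_V2 20
#define C_DIR 3
#define PERM_SEARCH (1u << 0)
#define PERM_READ (1u << 1)

struct toy_node {
	uint16_t source, target, tclass, specified;
	uint32_t data;                     /* permission bitmap of the AV rule */
	struct toy_node *next;
};
struct toy_avtab { struct toy_node *head; size_t nel; };

static struct toy_node *toy_insert(struct toy_avtab *t, uint16_t s, uint16_t tg,
				   uint16_t c, uint16_t spec, uint32_t data)
{
	struct toy_node *n = calloc(1, sizeof(*n));
	if (!n)
		return NULL;
	n->source = s; n->target = tg; n->tclass = c; n->specified = spec; n->data = data;
	n->next = t->head;
	t->head = n;
	t->nel++;
	return n;
}

/* deny: clear bits on the matching AVTAB_ALLOWED node. With create_missing set,
 * a missing entry is created with data == 0 (the behaviour the PR drops);
 * otherwise a deny against a missing entry is a no-op. */
static int toy_deny(struct toy_avtab *t, uint16_t s, uint16_t tg, uint16_t c,
		    uint32_t perms, int create_missing)
{
	struct toy_node *n;
	for (n = t->head; n; n = n->next)
		if (n->source == s && n->target == tg && n->tclass == c &&
		    (n->specified & AVTAB_ALLOWED)) {
			n->data &= ~perms;   /* existing entry: clear the denied bits */
			return 0;
		}
	if (!create_missing)
		return 0;            /* missing entry: nothing to deny */
	return toy_insert(t, s, tg, c, AVTAB_ALLOWED, 0) ? 0 : -1;
}

/* An AVTAB_ALLOWED node with no permission bits grants nothing: it is redundant. */
static int toy_node_is_redundant(const struct toy_node *n)
{
	return (n->specified & AVTAB_ALLOWED) && n->data == 0;
}

/* Unlink and free nodes: only redundant ones when only_redundant is set, all of
 * them otherwise (which is how the toy table is destroyed). Returns the count. */
static size_t toy_remove(struct toy_avtab *t, int only_redundant)
{
	struct toy_node **pp = &t->head;
	size_t removed = 0;
	while (*pp) {
		struct toy_node *n = *pp;
		if (only_redundant && !toy_node_is_redundant(n)) {
			pp = &n->next;
			continue;
		}
		*pp = n->next;
		free(n);
		t->nel--;
		removed++;
	}
	return removed;
}

/* The PR's scenario: an allow rule for appdomain -> cgroup_v2:dir with the given
 * permissions, then "deny appdomain cgroup_v2 dir <denied>". Returns how many
 * redundant nodes a prune pass removes afterwards (1 when the deny cleared
 * every bit, 0 when some permission survived). */
static size_t pruned_after_deny(uint32_t allowed, uint32_t denied)
{
	struct toy_avtab t = { NULL, 0 };
	size_t pruned;
	toy_insert(&t, T_APPDOMAIN, T_CGROUP_V2, C_DIR, AVTAB_ALLOWED, allowed);
	toy_deny(&t, T_APPDOMAIN, T_CGROUP_V2, C_DIR, denied, 0);
	pruned = toy_remove(&t, 1);
	toy_remove(&t, 0);
	return pruned;
}

/* Deny against an entry that does not exist; returns the table size afterwards
 * (1 with the old create-on-miss behaviour, 0 with the PR's no-op behaviour). */
static size_t nel_after_deny_missing(int create_missing)
{
	struct toy_avtab t = { NULL, 0 };
	toy_deny(&t, T_APPDOMAIN, T_CGROUP_V2, C_DIR, PERM_SEARCH, create_missing);
	return toy_remove(&t, 0);
}
```

The two scenarios map onto the two halves of the fix: pruned_after_deny(PERM_SEARCH, PERM_SEARCH) shows a deny that empties an existing entry, which the prune pass then removes, while a deny that leaves PERM_READ behind keeps the node; nel_after_deny_missing(0) shows that a deny against a non-existent entry no longer creates a zero-permission node in the first place.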
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.