kernel: prune redundant avtab nodes after deny rules#3439
Runtime deny rules clear permission bits from AVTAB_ALLOWED entries. When all permissions are removed from an existing entry, the update can leave an AVTAB_ALLOWED node with data == 0.
Such zero-permission avtab nodes are redundant and can make external policy parsers, such as sepatch, reject /sys/fs/selinux/policy with errors like:
Invalid access vector
Invalid avtab
Invalid policydb
policy image is invalid
This was observed when applying:
deny appdomain cgroup_v2 dir search
The rule itself is valid, but the runtime patch left a redundant avtab entry behind.
Avoid creating new entries for deny updates when the target entry does not exist, and prune redundant nodes after access-vector rule updates by rebuilding the avtab and destroying the old table through avtab_destroy().
This preserves deny semantics while keeping the live policy parseable by policydb-based tools.
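As an added illustration (not code from this PR, KernelSU or the kernel), a constructed, simplified avtab model showing the two behaviours the description relies on: a deny that clears the last permission bit leaves an AVTAB_ALLOWED node with data == 0, which a prune pass removes, while a deny against a missing entry creates nothing. Names mirror the kernel's avtab, but the structures, the single linked bucket and the function signatures are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed, simplified model of the kernel avtab: one singly linked bucket
 * instead of a hash table. Not KernelSU's or the kernel's own code. */
#define AVTAB_ALLOWED 0x0001

struct avtab_key { uint16_t source_type, target_type, target_class, specified; };
struct avtab_node {
    struct avtab_key key;
    uint32_t data;                 /* access-vector permission bitmap */
    struct avtab_node *next;
};
struct avtab { struct avtab_node *head; size_t nel; };

static int key_eq(const struct avtab_key *a, const struct avtab_key *b)
{
    return a->source_type == b->source_type && a->target_type == b->target_type &&
           a->target_class == b->target_class && a->specified == b->specified;
}

static struct avtab_node *avtab_search(struct avtab *t, const struct avtab_key *k)
{
    for (struct avtab_node *n = t->head; n; n = n->next)
        if (key_eq(&n->key, k))
            return n;
    return NULL;
}

/* Returns 0 on success, -1 on allocation failure (callers must propagate it). */
static int avtab_insert(struct avtab *t, const struct avtab_key *k, uint32_t data)
{
    struct avtab_node *n = calloc(1, sizeof *n);
    if (!n)
        return -1;
    n->key = *k; n->data = data;
    n->next = t->head; t->head = n; t->nel++;
    return 0;
}

/* Deny clears permission bits from an existing entry. A missing AVTAB_ALLOWED
 * target is a no-op: creating it would yield exactly the data == 0 node pruned below. */
static void avtab_deny(struct avtab *t, const struct avtab_key *k, uint32_t perms)
{
    struct avtab_node *n = avtab_search(t, k);
    if (n)
        n->data &= ~perms;
}

/* Unlink and free every AVTAB_ALLOWED node whose permission set is empty (the
 * state policydb-based parsers reject); returns the number removed. */
static size_t avtab_prune_redundant(struct avtab *t)
{
    size_t removed = 0;
    for (struct avtab_node **pp = &t->head; *pp;) {
        struct avtab_node *n = *pp;
        if ((n->key.specified & AVTAB_ALLOWED) && n->data == 0) {
            *pp = n->next; free(n); t->nel--; removed++;
        } else {
            pp = &n->next;
        }
    }
    return removed;
}
```

A partial deny (some bits remain) keeps its node; only a fully cleared AVTAB_ALLOWED node is removed, so the deny semantics are unchanged.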
Modules that use sepatch, such as https://github.com/chenxiaolong/MSD, can trigger this issue.
Magisk's sepolicy implementation appears to handle this case as well: it defines redundant avtab node detection and removes such nodes after rule updates when necessary. See:
Pull request overview
This PR updates KernelSU's live SELinux policy patching so runtime deny-style AV rule changes do not leave redundant zero-permission AVTAB entries behind, which helps keep the in-kernel policy export parseable by policydb-based tools.
Changes:
- add helpers to detect and remove redundant AVTAB nodes after access-vector updates
- change inverted rule handling so missing target entries are not created for deny-style updates
- add failure checks when inserting AVTAB nodes for normal and type-rule updates
Prune redundant avtab nodes by detaching the target node and releasing it through a temporary avtab with avtab_destroy(), instead of rebuilding the entire te_avtab. Propagate add_rule_raw() and avtab removal failures to callers so failed insertions or prune operations are not reported as successful updates. Keep AVTAB_AUDITDENY updates able to create missing entries, while missing deny-style AVTAB_ALLOWED entries remain no-ops.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
Thanks to @Xieansecn for discovering this issue (chenxiaolong/MSD#90).