I have a valid manifest file with the right permission & "exported" set as well. But, I still get the below error:
Error: Requires permission android.permission.BIND_JOB_SERVICE
The command (initiated over adb) is a running a service (via "am startservice") & the manifest file has these details:
<service
android:name=".MyService"
android:enabled="true"
android:exported="true"
android:permission="android.permission.BIND_JOB_SERVICE" />
Logcat doesn't have anything useful, just throws the permission required error (which the APK already has). This seems like a sepolicy restriction since if I remove the policy (by running "setenforce 0"), then the command works fine (no errors seen as well)
I've tried running in "permissive" mode but it doesn't show any useful messages. Is there any way to figure out what policy needs to be turned on?
Here's the actual error from logcat:
05-16 14:03:32.892 566 897 W ActivityManager: Permission Denial: Accessing service com.abc.def/.MyService from pid=6757, uid=2000 requires android.permission.BIND_JOB_SERVICE
What I found was, putting the same command in a bash script and sourcing it works fine!!
Related
I'm trying to install the app on my Samsung M31s phone, but every time I'm getting the following error -
Error: INSTALL_FAILED_DUPLICATE_PERMISSION: Package com.glance.tv.internal attempting to redeclare permission glance.sdk.api.status.permission.READ already owned by com.samsung.android.dynamiclock'
Is there any way to bypass this permission?
I tried removing it from the manifesto, but it is still not working.
<permission
android:name="com.glance.PERMISSION_READ"
android:protectionLevel="normal" />
A user asked me about a crash while using the app on the sd card. My app was not movable to the sdcard so I added to the manifest android:installLocation="auto" and tried to move it to the external memory. Using it on my real device (34 gb/ 47 gb free on internal/external memory) I get the space not sufficient error. I understood that this is a generic error used for other issues so I fired up the emulator and checked the logcat.
Partial manifest:
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.github.user.app"
android:installLocation="auto"
>
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
<uses-permission android:name="android.permission.VIBRATE" />
<queries>
<package android:name="org...." />
</queries>
On my device with android 11 I get
D/PackageManager: START MOVE PACKAGE: pkg{com.github.user.app.debug}
volumeUuid{3231-6462}
I/ActivityTaskManager: START u0 {flg=0x24000000 cmp=com.android.settings/.deviceinfo.StorageWizardMoveProgress (has extras)} from uid 1000
D/RestrictionPolicy: isSettingsChangesAllowedAsUser, userId 0 : true
E/LockGuard: Calling thread PackageManager is holding PACKAGES while trying to acquire DPMS
java.lang.RuntimeException: Calling thread PackageManager is holding PACKAGES while trying to acquire DPMS
at com.android.server.LockGuard.doLog(LockGuard.java:179)
at com.android.server.LockGuard.guard(LockGuard.java:166)
at com.android.server.devicepolicy.DevicePolicyManagerService.getLockObject(DevicePolicyManagerService.java:779)
at com.android.server.devicepolicy.DevicePolicyManagerService.packageHasActiveAdmins(DevicePolicyManagerService.java:5158)
at com.android.server.pm.PackageManagerService.isPackageDeviceAdmin(PackageManagerService.java:22599)
at com.android.server.pm.PackageManagerService.isPackageDeviceAdminOnAnyUser(PackageManagerService.java:22572)
at com.android.server.pm.PackageManagerService.movePackageInternal(PackageManagerService.java:28919)
at com.android.server.pm.PackageManagerService.lambda$movePackage$45$PackageManagerService(PackageManagerService.java:28837)
at com.android.server.pm.-$$Lambda$PackageManagerService$fXZo1oAlF-92gGHcSdrHuC0WLPc.run(Unknown Source:12)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:246)
at android.os.HandlerThread.run(HandlerThread.java:67)
at com.android.server.ServiceThread.run(ServiceThread.java:44)
...
V/PackageManager: Move 6 created Bundle[{android.intent.extra.PACKAGE_NAME=com.github.user.app.debug, android.intent.extra.TITLE=App-dev}]
I/PackageManager: measurePath: /storage/3231-6462
...
V/PackageManager: Move 6 status 53
...
D/PackageManager: result of install: -15{120868786}
V/PackageManager: Move 6 status -6
On an android api 30 emulator
W/PackageManager: Failed to move com.github.user.app.debug
com.android.server.pm.PackageManagerException: Move only supported for modern cluster style installs
at com.android.server.pm.PackageManagerService.movePackageInternal(PackageManagerService.java:23180)
at com.android.server.pm.PackageManagerService.lambda$movePackage$41$PackageManagerService(PackageManagerService.java:23125)
at com.android.server.pm.-$$Lambda$PackageManagerService$ECakc05vOVsUm8ydpi2Z-HghH4w.run(Unknown Source:12)
at android.os.Handler.handleCallback(Handler.java:938)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:223)
at android.os.HandlerThread.run(HandlerThread.java:67)
at com.android.server.ServiceThread.run(ServiceThread.java:44)
This is the interested part in PackageManager:
final File probe = new File(pkg.codePath);
final File probeOat = new File(probe, "oat");
if (!probe.isDirectory() || !probeOat.isDirectory()) {
throw new PackageManagerException(MOVE_FAILED_INTERNAL_ERROR,
"Move only supported for modern cluster style installs");
}
I tried again on a fresh api 25 emulator and I get the same error, different exception:
W/installd: type=1400 audit(0.0:879): avc: denied { sys_admin } for capability=21 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=0
D/installd: Detected label change from u:object_r:system_data_file:s0 to u:object_r:app_data_file:s0:c512,c768 at /mnt/expand/2e6f3762-8f82-4c9f-9633-f74b10070b25/user/0/com.github. user.app.debug; running recursive restorecon
D/installd: Detected label change from u:object_r:system_data_file:s0 to u:object_r:app_data_file:s0:c512,c768 at /mnt/expand/2e6f3762-8f82-4c9f-9633-f74b10070b25/user_de/0/com.github. user.app.debug; running recursive restorecon
D/installd: Copying /data/user_de/0/com.github. user.app.debug to /mnt/expand/2e6f3762-8f82-4c9f-9633-f74b10070b25/user_de/0
D/installd: Copying /data/data/com.github. user.app.debug to /mnt/expand/2e6f3762-8f82-4c9f-9633-f74b10070b25/user/0
W/PackageParser: Unknown element under <manifest>: queries at /mnt/expand/2e6f3762-8f82-4c9f-9633-f74b10070b25/app/com.github.user.app.debug-1/base.apk Binary XML file line #18
W/PackageManager: installPackageLI
D/PackageManager: Cleaning up com.github.user.app.debug on 2e6f3762-8f82-4c9f-9633-f74b10070b25
V/PackageManager: Move 0 status -6
D/StorageSettings: Finished with status -6
W/ActivityManager: Duplicate finish request
I tried to upload an apk instead of letting Android Studio do it but it did not work. Googling the errors only brought me to the soure code links. Any help is appreciated.
I experienced the same issue on an APK installed from Android Studio. Switching between debug and release did not make a difference.
My goal was to install the app onto external to test it, which I was finally able to do under Run/Debug Configurations > Installation Options > Install Flags by adding --install-location 2
I'm working on a system level app for Android (minSdk=20, targetSdk=22).
I need to grant the android.permission.MODIFY_AUDIO_ROUTING permission, which I add to my manifest. However, at runtime I get an error:
06-30 03:33:45.972 W/ServiceManager( 237): Permission failure: android.permission.MODIFY_AUDIO_ROUTING from uid=10004 pid=15076
06-30 03:33:45.972 E/empty ( 237): android.permission.MODIFY_AUDIO_ROUTING
I tried modifying the permission's android:protectionLevel to use signature|privileged as seen here, but that didn't compile. So I changed it to signatureOrSystem (which is the new API) described here. This builds, but still doesn't work. Is there some other magic I need to get this permission?
You need to reboot the device if you change a system level permission like this.
I am trying to add a native service written in C++ to the AOSP build.
The first thing I did was to create a native service and client to the AOSP build.
This worked as expected. I could start the service within an adb shell and call it via binder on a adb shell.
The trouble started when I wanted to start my service with init.
I added a .rc file to my build
service myp /system/bin/myp_service
class main
This did the the trick so that init tried to start it but it failed because of SELinux policies.
So I added a file_contexts to my device tree and added:
/system/bin/myp_service u:object_r:myp_exec:s0
Next I added a myp.te file and added:
type myp, domain;
type myp_exec, exec_type, file_type;
type myp_service, service_manager_type;
init_daemon_domain(myp)
net_domain(myp)
binder_use(myp)
binder_service(myp)
add_service(myp, myp_service)
binder_call(myp, binderservicedomain)
binder_call(myp, appdomain)
allow myp myp_service:service_manager add;
And finally I added a service_contexts file with:
myp u:object_r:myp_service:s0
This finally made my service successfully start at boot time.
Unfortunalty I cannot use binder against this service. When I try to connect to the service with my client the call
defaultServiceManager()->getService(String16("Demo"))
returns a null pointer.
I cannot find any hints in the dmesg.
So I assume I am still missing something for the SElinux but I have no clue what I am missing.
If I shutdown the SELinux with setenforce and restart the service then it works fine.
Can anyone give me a hint what I am missing for SELinux or where I can get more information about which policy blocked something?
You could see the denials like this:
adb logcat | grep "SELinux : avc" > /tmp/logs
Get sepolicy current file. (Can be taken from device this way adb pull sepolicy.
Using audit2allow (located in AOSP source code: external/selinux/prebuilts/bin/audit2allow or in SDK tools. Do this: cat /tmp/logs | .external/selinux/prebuilts/bin/audit2allow -p sepolicy
The audit2allow tool will tell you what permission you are missing for the logcat extracted and the current sepolicy file, watch-out because you could need to do this several times since fixing some permissions will show the next ones required.
If you have a userdebug kind of build you could get setenforce 0, logcat with it and all the denials will be in logcat even if you will be permited to do the operation desired. This will leave the audit2allow iterations required in 1.
For anyone who came across this problem, please make sure your service_contexts file is successfully merged with stock service_contexts file. If you're building your service for Android O or later, please put this file inside a folder and refer to it in your Makefile by BOARD_PLAT_PRIVATE_SEPOLICY_DIR1. And you don't need to add allow myp default_android_service:service_manager add if the build system does pick up your service_contexts.
Also, about the domain.te violation problem, you probably want to attach one of the coredomain or appdomain attribute to your domain 2 with typeattribute <your_domain> <attribute>;.
Finally, please double check the following built files to make sure you don't leave any sepolicy configurations out in the final build:
$(AOSP_ROOT)/out/target/product//obj/ETC/file_contexts.bin_intermediates/file_contexts.*
$(AOSP_ROOT)/out/target/product/potter/obj/ETC/plat_service_contexts_intermediates/service_contexts.*
$(AOSP_ROOT)/out/target/product/potter/obj/ETC/sepolicy_neverallows_intermediates/policy.conf
I am working on a android VOIP Dialer. I unable to install my current app along with old app in a device.
01-07 12:05:05.115: E/Finsky(28214): [1] PackageInstallerImpl$2.onReceive: Error -505 while installing com.current.app: INSTALL_FAILED_DUPLICATE_PERMISSION: Package com.current.app attempting to redeclare permission android.permission.CONFIGURE_SIP already owned by com.old.app
the permission in manifest.
<permission
android:name="android.permission.CONFIGURE_SIP"
android:permissionGroup="android.permission-group.COST_MONEY"
android:protectionLevel="signature" />
I have tried protectionLevel both signature and dangerous.
How can I solve this issue.
It seems you are trying to declare same permission in two applications.
In order to keep both application installed, common solution for this problem is to use a dynamic prefix for your permission, preventing conflicts with other apps (as it happens for GCM configuration too):
<permission
android:name="${applicationId}.permission.CONFIGURE_SIP"
android:permissionGroup="${applicationId}.permission-group.COST_MONEY"
android:protectionLevel="signature" />
Be careful to have applicationId value assigned in your Gradle configuration under android > defaultConfig.