I want to write test file to SDCard with Android 11, I close selinux with "adb shell setenforce 0", but fopen() will give errno 13 error,how to fix it? Thanks.
With selinux as permissive, you also need to check if the HAL executable has appropriate permissions to be able to create a file in the destination path. Check username and group name for HAL executable and the destination path.
For example: if HAL executable has 'system' user, /data/<file-name.extn> can be used as destination which has both user and group as 'system'.
Related
I am getting my android's logcat spammed with these warnings.(rooted with magisk)
10-15 22:02:29.039 12944 12944 W kworker/0:4: type=1400 audit(0.0:87190): avc: denied { read write } for name="sde73" dev="tmpfs" ino=28978 scontext=u:r:kernel:s0 tcontext=u:object_r:oem_device:s0 tclass=blk_file permissive=0
I was looking into the following doc to see how could i fix this issue, but cannot figure it out.
https://source.android.com/security/selinux/device-policy
https://source.android.com/security/selinux/validate
https://source.android.com/security/selinux/concepts
https://source.android.com/security/selinux/implement
https://gist.github.com/msfjarvis/ec52b48eb2df1688b7cbe32bcd39ee5f
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script
https://source.android.com/security/selinux/customize#android-o
https://android.stackexchange.com/questions/218911/how-to-add-selinux-policy-on-a-user-debug-rom-that-has-split-policy-scheme
https://android.stackexchange.com/questions/214839/how-to-run-an-android-init-service-with-superuser-selinux-context
https://topjohnwu.github.io/Magisk/tools.html#magiskpolicy
https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process
https://topjohnwu.github.io/Magisk/guides.html#boot-scripts
I looked in /dev, but i do not have anything similar.
android# ls -l /dev/ | grep sd
#returns nothing
The inode resolves to this file:
find /sys -xdev -inum 28978
/sys/firmware/devicetree/base/__symbols__/sb_7_tx
However on next reboot resolves to other file but the errors are always related to one single inode.
I suppose i should add this rule in a .te file
allow kernel oem_device:blk_file {read write};
adb pull /sys/fs/selinux/policy
adb logcat -b all -d | audit2allow -p policy
#this confirms the rule
I found some related files to selinux in this dump:
https://git.rip/dumps/oneplus/oneplus7tpro/-/find_file/hotdog-user-10-QKQ1.190716.003-2009281542-release-keys
but i am not very sure where should i add the rule..possibly somewhere in /vendor/etc/selinux..
Does anyone know which are the steps to fix these warnings and maybe further dig into the investigation why they occur in the first place?
Thanks
The reason why it shows is straightforward from the error. kernel is trying to read/write a blk_file labeled with oem_device type.
At this point you have couple of options:
Add allow rule if you want to allow the access to happen.
Add dontaudit rule, if you want to just suppres the log. See
here
The rule should be added into kernel.te.
Usually these custom things go into device/XXXXXX, depending on the vendor. For example in my tree, for a rockchip device, I'd modify /device/rockchip/common/sepolicy/vendor/kernel.te
To rebuild policies you would:
source build/envsetup.sh
lunch-yourTarget
mmm system/sepolicy
And to flash them into the system ( if you're userdebug and can remount it ):
adb root
adb remount
adb push out/target/product/YOUR_DEVICE/vendor/etc/selinux /vendor/etc/
adb push out/target/product/YOUR_DEVICE/system/etc/selinux /system/etc/
adb shell sync
adb reboot
If you can't push them, you'll need to rebuild and flash the system
I managed to fix the warnings with this command:
magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
'open' right was also granted because another warning related to it would appear after allowing only read/write.
Still I cannot understand:
why is kernel trying to access this
what exactly is trying to access
shouldn't magisk take care of the selinux policies related to such low level grants such as kernel
not sure how can i make this fix permanent (to persist upon reboot). From my research it looks like i have to modify a certain file in boot.img, repack it and push it back to android.
On this page:
https://topjohnwu.github.io/Magisk/tools.html
it's specified a tool magiskboot which should be used for such patching but I do not have it.
A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms.
I will come back with any findings..
UPDATE:
I managed to permanently add the fixes at boottime with a post-fs-data script that runs during booting process. It might not be 100% fix because, the boot image should be patched instead so that magiskinit loads the policies even before init is executed, but it still however fixes the warnings in logcat after the boot process ended
REF:
https://topjohnwu.github.io/Magisk/details.html#magisk-booting-process
https://topjohnwu.github.io/Magisk/guides.html#boot-scripts
su -
cd /data/adb/post-fs-data.d
touch fix_selinux.sh
chmod +x fix_selinux.sh
vi fix_selinux.sh #add this line (and any other rules you need):
/sbin/magiskpolicy --live 'allow kernel oem_device blk_file {read write open}'
I am trying to implement OTA functionality for a msm8998 board running Android 8.1.
I've generated the OTA file and followed the standard way of doing it,
I've run into two problems, solving either one would solve the issue:
OTA size is bigger than /cache, therefore even though recovery can mount /cache, the image cannot fit there. How would I increase the /cache size, and is it a good idea to do so?
If I put the OTA zip in /data/ or /sdcard/, I have an error during recovery, seemingly it can't mount it. How would I make /data/ mountable?
...
Finding update package...
I:Update location: /data/update.zip
Opening update package...
E:Failed to mount /data: Invalid argument
E:Unable to open '/data/update.zip': No such file or directory
E:failed to map file
W:failed to read uncrypt status: No such file or directory
W:Failed to read /sys/class/thermal/thermal_zone28/temp: Invalid argument
W:Failed to read /sys/class/thermal/thermal_zone27/temp: Invalid argument
I:current maximum temperature: 44756
I:/data/update.zip
I:0
I:time_total: 0
I:retry: 0
I:temperature_start: 44814
I:temperature_end: 44756
I:temperature_max: 44814
I:
Installation aborted.
Turns out you have to use RecoverySystem.installPackage(...) method AND have the OTA file be in /data/.
Previously I had tried RecoverySystem.installPackage(...) method but with file in /sdcard/, and separately by setting /cache/recovery/command myself and using /data/
When using RecoverySystem.installPackage(...) and the file in /data/, seems uncrypt is run on it before reboot, and that makes the update accessible to the recovery.
I am trying to edit the handheld_core_hardware.xml in `system/etc/permissions
when i push the file after editing it gives that error
adb: error: failed to copy 'handheld_core_hardware.xml' to '/system/etc/permissions/handheld_core_hardware.xml': remote Permission denied
handheld_core_hardware.xml: 0 files pushed. 0.8 MB/s (4027 bytes in 0.005s)
even that i have changed the file to read-write not read-only
Is your device rooted ? I think in order to manipulate those files you have root permissions.
I am developing several AudioEffect subclasses that are being compiled into Android 4.0.3 ICS... I am trying to dump raw PCM data to files, but because the AudioEffects run in the context of the mediaserver process it seems there is no file writing permissions available.
fopen("/data/local/tmp/pcm_in.pcm", "w");
is returning a NULL pointer and errno 13 (permission denied).
Any ideas how I can grant mediaserver this permission, or write to a folder I can access? I'm compiling the OS, so anything goes...
More specifically: How are permissions for these native/system services determined? I don't suppose they have a AndroidManifest.xml...
I suspect the problem is that you don't have permissions to create a file at /data/local/tmp. In fact i'm not even sure that directory exists on Android.
Instead you should either use the private storage for an app or save the files to the SD card. See this for more information: http://developer.android.com/guide/topics/data/data-storage.html
Maybe you can just create a folder with permission.
root#android:/mount -o remount,rw /
root#android:/mkdir test
root#android:/chown media:media test
root#android:/chmod 777 test
Then you can do whatever you want.
z.B.
fopen("/test/pcm_in.pcm", "w");
I want to create a file in the /system directory. I think that directory is "protected" and the phone must be rooted to access and create to it.
I used this simple code to create a file in /system but nothing is created:
File file = new File("/system", "test.prop");
How can i solve that problem?
Thank you for your help.
I can't tell how to implement the following steps but I think it's not too hard to find a solution on the net:
acquire root-access for your application
check if /system is mounted with option rw, if not, remount it so
hint: use the "adb shell" and check if the upper steps can lead to success
(su && remount -o remount,rw /system && touch /system/test)
On some devices there's the unlucky chance that the internal memory is in protected mode (google S-ON / S-OFF). If this is the case for you it will not be that easy like I imagined.
But even than it must be possible, since the market is installing files there. This would be the last hint, to look at the market source-code ;/
You need to call following method on file object
file.createNewFile();
On executing this following error comes because of read-only directory
11-09 19:45:15.136: E/VideoSample(4245): java.io.IOException: open failed: EROFS
(Read-only file system)
11-09 19:45:15.136: E/VideoSample(4245): at
java.io.File.createNewFile(File.java:940)