I'm implementing a new feature on Android 10 (10.0.0_r30) that has to copy files from the data folder to the system folder at runtime. I've tried to do it via 'su cp' in Zygote, since Zygote runs as root, but then I get this error:
type=1400 audit(0.0:61): avc: denied { getattr } for name="su" dev="dm-0" ino=3160 scontext=u:r:zygote:s0 tcontext=u:object_r:su_exec:s0 tclass=file permissive=1
SELinux is disabled and I have no clue where else to look for the resolution of this error. Also, the system folder is writable (parameter given to the emulator).
Besides that, can anyone tell me how else I could implement this particular task without rooting?
Related
My Android application is saving data on SQLite and working fine on various Android versions, but when installed from the Play Store some users cannot use the application; after debugging I get this error:
type=1400 audit: avc: denied { read write }
I have added permissions for WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE, but that has not solved it.
I'm trying to use pstore logs on my Poco M3. I tried everything. PSTORE configs are activated on the kernel, pstore module is loaded on the phone, phone is rooted, /sys/fs/pstore is mounted automatically but never contains anything.
130|citrus:/ # dmesg | grep pstore
[ 0.094327] console [pstore-1] enabled
[ 0.094468] pstore: Registered ramoops as persistent store backend
[ 1.065975] pstore: Using compression: deflate
[ 98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
[ 98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
It looks like SELinux is blocking ls on /sys/fs/pstore. Is there a way to make it always allow ls on /sys/fs/pstore, even after reboot?
I already added androidboot.selinux=permissive to my boot command line and it's recognized on the phone:
130|citrus:/ # getenforce
Permissive
UPDATE: I just learned that permissive means just logging without blocking, so this is not blocking, my pstore is indeed empty. Am I right?
/sys/fs/pstore is used very specifically - to persistently store crash files - kernel oops and last RAM console. So the fact it doesn't contain anything is actually good, in a way.
To see for yourself - simulate a panic. That'd require writing 'c' to /proc/sysrq_trigger (and possibly enabling that via the /proc/sys/kernel/sysrq mask). The device will reboot, and on the boot you will see that the store files appear. (Note this has to be the boot immediately following the crash, because the files are cleared thereafter.)
Incidentally - Re: SELinux, those AVC logs you showed are because SELinux denied the "ls" operation itself. That is a mandatory access control protection, which prevents reading the directory (even when it is empty). So that wouldn't change much.
When I sign my app with the system certificate, I can no longer use an SDK that comes with a custom native library. The SDK executes code from that native library. All works fine when my app is not signed as a system app, but when signed, I get an error.
The error appears to come from an SELinux policy with this log message:
type=1400 audit(0.0:22): avc: denied { execute } for comm=4173796E635461736B202331 path="/data/data/myapp/cache/librs.bitmap_to_argb.so" dev="mmcblk0p22" ino=16791 scontext=u:r:system_app:s0 tcontext=u:object_r:system_app_data_file:s0 tclass=file permissive=0
Why would my app not be able to execute a library like this that is located in the app's internal storage?
System apps expect their native libraries to be in /system/lib or lib64 directory. Maybe you can avoid this if you set android:extractNativeLibs="false" in the application manifest.
I am developing an app for a custom device. My app runs from /system/priv-apps.
I need to access /data/data for other apps to give a cloud backup functionality.
While searching I came across the "android.permission.CONFIRM_FULL_BACKUP" permission, but I couldn't find a way to get the content of that particular "/data/data/pkg_name".
I don't think that system apps have su permission, so I can't call cp -R src dest.
Can anyone tell me regarding this?
Being in the same scenario as you, fellow, my system app can't read anything inside /data/data.
Logcat:
W type=1400 audit(0.0:121): avc: denied { read } for name="data" dev="vdc" ino=122881 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
I wrote a daemon, running as system.
When it tries to open some /proc//stat entry of process PID which is using its library, I get this SELinux error:
type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
Am I missing some "allow" rule for my daemon?
The error seems unrelated to it (as if the 'system_app' domain lacks permissions, and not my daemon).
How can I fix it?
You should execute
adb shell ps -eZ | grep 22968
command to find the problematic service or app from the command line while your app is running at the same time. After you find the victim (app), you have to add a SELinux rule for handling the access violation to the /external/sepolicy/service_contexts file.
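A small triage helper for the AVC denial lines quoted throughout this page; this is an added example, not code from any of the posters. It parses the scontext/tcontext/tclass fields, records whether a denial was actually enforced (permissive=0) or only logged (permissive=1, which is what the pstore question above turns on), and merges the permissions into audit2allow-style rules. The sample lines are copied from the posts; the emitted rules are review candidates only, since on Android the correct fix is frequently relabeling the file or choosing a different domain rather than adding an allow rule.

```python
import re
from collections import defaultdict

# Permission set and the key=value tail of an "avc: denied" line.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<tail>.*)')
# key=value pairs; values are either quoted (name="su") or bare (ino=3160).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Sample input copied from the denial lines quoted on this page.
SAMPLE_LINES = [
    'type=1400 audit(0.0:61): avc: denied { getattr } for name="su" dev="dm-0" ino=3160 scontext=u:r:zygote:s0 tcontext=u:object_r:su_exec:s0 tclass=file permissive=1',
    '[ 98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1',
    '[ 98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1',
    'type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0',
    'W type=1400 audit(0.0:121): avc: denied { read } for name="data" dev="vdc" ino=122881 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0',
]

def context_type(ctx):
    """Type component of a label such as u:r:zygote:s0 or u:r:untrusted_app:s0:c512,c768."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one audit line into a dict, or return None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(m.group('tail'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'enforced': fields.get('permissive') == '0',   # permissive=1 means logged, not blocked
        'fields': fields,
    }

def allow_rules(lines):
    """Merge denials sharing (source, target, class) into one audit2allow-style rule each."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def enforced_denials(lines):
    """Only the denials that actually blocked an access (permissive=0)."""
    return [d for d in map(parse_avc, lines) if d and d['enforced']]
```

Run `allow_rules(SAMPLE_LINES)` to see the two pstore denials collapse into a single `shell -> pstorefs:dir { open read }` rule, and `enforced_denials` to separate the blocked system_app accesses from the permissive-mode noise.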