I am developing an app for a custom device. My app runs from /system/priv-apps.
I need to access /data/data of other apps to provide cloud backup functionality.
While searching I came across the "android.permission.CONFIRM_FULL_BACKUP" permission, but I couldn't find a way to get the content of a particular "/data/data/pkg_name".
I don't think system apps have su permission, so I can't call cp -R src dest.
Can anyone tell me about this?
Being in the same scenario as you, fellow, my system app can't read anything inside /data/data.
Logcat:
W type=1400 audit(0.0:121): avc: denied { read } for name="data" dev="vdc" ino=122881 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
Related
My Android application saves data in SQLite and works fine on various Android versions, but when installed from the Play Store some users cannot use the application. After debugging I get this error:
type=1400 audit: avc: denied { read write }
I have added the permissions WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE, but that has not solved it.
I'm trying to use pstore logs on my Poco M3. I tried everything: the pstore configs are enabled in the kernel, the pstore module is loaded on the phone, the phone is rooted, and /sys/fs/pstore is mounted automatically, but it never contains anything.
130|citrus:/ # dmesg | grep pstore
[ 0.094327] console [pstore-1] enabled
[ 0.094468] pstore: Registered ramoops as persistent store backend
[ 1.065975] pstore: Using compression: deflate
[ 98.052156] type=1400 audit(1654268897.690:3752): avc: denied { read } for comm="ls" name="/" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
[ 98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1
It looks like SELinux is blocking ls on /sys/fs/pstore. Is there a way to make it always allow ls on /sys/fs/pstore, even after reboot?
I already added androidboot.selinux=permissive to my boot command line, and it's recognized on the phone:
130|citrus:/ # getenforce
Permissive
UPDATE: I just learned that permissive means only logging without blocking, so this is not blocking; my pstore is indeed empty. Am I right?
/sys/fs/pstore is used very specifically - to persistently store crash files - kernel oops and the last RAM console. So the fact that it doesn't contain anything is actually good, in a way.
To see for yourself, simulate a panic. That'd require writing 'c' to /proc/sysrq_trigger (and possibly enabling that via the /proc/sys/kernel/sysrq mask). The device will reboot, and on that boot you will see the store files appear. (Note this has to be the boot immediately following the crash, because the files are cleared thereafter.)
Incidentally, re: SELinux, those AVC logs you showed are because SELinux denied the "ls" operation itself. That is a mandatory access control protection, which prevents reading the directory (even when it is empty). So that wouldn't change much.
I'm implementing a new feature on Android 10 (10.0.0_r30) that has to copy files from the data folder to the system folder at runtime. I've tried to do it via 'su cp' in Zygote, since Zygote runs as root, but then I get this error:
type=1400 audit(0.0:61): avc: denied { getattr } for name="su" dev="dm-0" ino=3160 scontext=u:r:zygote:s0 tcontext=u:object_r:su_exec:s0 tclass=file permissive=1
SELinux is disabled and I have no clue where else to look for the resolution of this error. Also, the system folder is writable (parameter given to the emulator).
Besides that, can anyone tell me how else I could implement this particular task without rooting?
I'm running 2 applications on an Android 10 device which communicate with each other via UDS. Everything worked fine until I changed the apps' settings to target Android 10. I get the following error in logcat:
09-07 13:33:18.136 14573 14573 W <myapp_name>: type=1400 audit(0.0:1461891): avc: denied { connectto } for pid=14573 comm=474C546872656164203134353530 path=005368617265644D656D6F727953657276696365 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0
After some digging I found neverallow SELinux policy:
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
Is there a way I can make it work on applications targeting Android 10?
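As an added example (not code from any of the posts above), here is a small Python parser for the "avc: denied" lines quoted in this thread and in the pstore thread earlier on the page. It splits each line into its fields, hex-decodes the comm= and path= values that the kernel audit code emits unquoted in hex whenever the string contains a space, a quote or a non-printable byte (the path in the logcat line above decodes to a name starting with a NUL byte, i.e. an abstract-namespace socket), and reports whether permissive=0 means the access was actually blocked or permissive=1 means it was only logged. The sample lines are copied from the threads; the function names and the summary format are my own.

```python
import re

# Constructed sample input: the AVC denial lines quoted in the threads above,
# with their logcat/dmesg prefixes kept so the parser has to cope with them.
SAMPLE_LINES = [
    'W type=1400 audit(0.0:121): avc: denied { read } for name="data" dev="vdc" '
    'ino=122881 scontext=u:r:system_app:s0 tcontext=u:object_r:system_data_file:s0 '
    'tclass=dir permissive=0',
    '[   98.052450] type=1400 audit(1654268897.690:3753): avc: denied { open } for '
    'comm="ls" path="/sys/fs/pstore" dev="pstore" ino=1197 scontext=u:r:shell:s0 '
    'tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1',
    '09-07 13:33:18.136 14573 14573 W <myapp_name>: type=1400 audit(0.0:1461891): '
    'avc: denied { connectto } for pid=14573 comm=474C546872656164203134353530 '
    'path=005368617265644D656D6F727953657276696365 '
    'scontext=u:r:untrusted_app_27:s0:c512,c768 '
    'tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0',
    'type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 '
    'comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 '
    'tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key="quoted value" or key=bare_token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The kernel audit code hex-encodes these string fields (and drops the quotes)
# when the value contains a space, a quote or a non-printable byte.
HEX_FIELDS = {"comm", "path", "name"}


def decode_audit_value(field, raw, quoted):
    """Return the field value as a str, hex-decoding it where the kernel encoded it."""
    if quoted or field not in HEX_FIELDS:
        return raw
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("latin-1")
    return raw


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for fm in FIELD_RE.finditer(m.group("rest")):
        field, quoted_val, bare_val = fm.groups()
        quoted = quoted_val is not None
        rec[field] = decode_audit_value(field, quoted_val if quoted else bare_val, quoted)
    # permissive=0: the access was really blocked; permissive=1: logged only.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def context_type(ctx):
    """Extract the type/domain from an SELinux context such as u:r:system_app:s0."""
    return ctx.split(":")[2]


def socket_path_kind(path):
    """Unix sockets whose path starts with a NUL byte live in the abstract namespace."""
    if path is None:
        return None
    return "abstract" if path.startswith("\x00") else "filesystem"


def summarize(lines):
    """One human-readable summary string per denial line; non-AVC lines are skipped."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        mode = "BLOCKED" if rec["enforced"] else "logged only (permissive)"
        who = rec.get("comm", "?")
        target = rec.get("path") or rec.get("name") or "?"
        text = (f"{context_type(rec['scontext'])} -> {context_type(rec['tcontext'])} "
                f"{rec['tclass']} {{ {' '.join(rec['perms'])} }} comm={who!r} "
                f"target={target!r}: {mode}")
        if rec["tclass"] == "unix_stream_socket":
            text += f" [{socket_path_kind(rec.get('path'))} socket]"
        out.append(text)
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Feeding the output of adb logcat or dmesg through summarize() line by line gives the same summaries for a live device; the two things to read off each summary are the source domain / target type pair (which is what a policy allow rule would have to name) and the BLOCKED vs. logged-only flag, which is exactly the difference the pstore poster ran into after switching to permissive mode.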
UDS with an abstract path doesn't work for API >= 28 due to the following changes.
Per-app SELinux domains
Apps that target Android 9 or higher cannot share data with other apps using world-accessible Unix permissions. This change improves the integrity of the Android Application Sandbox, particularly the requirement that an app's private data is accessible only by that app.
To share files with other apps, use a content provider.
https://developer.android.com/about/versions/pie/android-9.0-changes-28#framework-security-changes
I wrote a daemon, running as system.
When it tries to open the /proc/PID/stat entry of a process that is using its library, I get this SELinux error:
type=1400 audit(1464247244.561:530): avc: denied { search } for pid=22968 comm="Binder_3" name="22899" dev="proc" ino=71342 scontext=u:r:system_app:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
Am I missing some "allow" rule for my daemon?
The error seems unrelated to it (as if the 'system_app' domain lacks permissions, and not my daemon).
How can I fix it?
You should execute
adb shell ps -eZ | grep 22968
command to find the problematic service or app from the command line while your app is running. After you find the victim (app), you have to add an SELinux rule for handling the access violation to the /external/sepolicy/service_contexts file.