Access ro.serialno from native in Android 8? - android

I need some help. I have an app that is mostly written in native C code. I use the __system_property_get(const char * name, char * value) method to read the serial nr. of the device at various points in my native code. With Android 8 I always get an "Access denied" message now.
libc: Access denied finding property "ro.serialno"
Is there a way for me to still be able to read the serial nr. in Android 8? I tried switching to targetSDKversion < 26 but it still gives me an "Access denied" message. I do get the correct values if I use Java with Build.SERIAL (regardless of SDK version) and Build.getSerial() in SDK version 26 if I grant the READ_PHONE_STATE permission. But I cannot read these values in Java and pass them to the native code without a huge rewrite of the native code.
Any help?

I met this problem too. Finally I found the root cause of the problem. In Android O, SELinux sets a lot of limitations on system properties. In this case, there is a neverallow that limits reading the serial number to some domains in a whitelist.
For more specific information, you can read code in system/sepolicy/public/domain.te:
neverallow {
    domain
    -adbd
    -dumpstate
    -hal_drm
    -init
    -mediadrmserver
    -recovery
    -shell
    -system_server
} serialno_prop:file r_file_perms;

If you have the hand on AOSP:
Put android:sharedUserId="android.uid.system" in AndroidManifest
Run app like system_app.
Change in Android.mk. LOCAL_MODULE_PATH := $(TARGET_OUT)/app.
Or you can duplicate the property.

I think you did not call it on the UI thread, so this error occurs.
If you call it on a non-UI thread, you should create an OpenGL context first.

Related

ip neigh/arp command does not work after upgrading targetSDK to 30

Reading the ARP table and accessing the MAC address of devices on network is working just fine. But when I upgrade the targetSDK to 30, suddenly the "ip neigh" command won't return a value anymore.
I'm guessing this has something to do with the restrictions on android. Is there any way to fix this issue?
I see you've asked this before. Others have asked similar questions as well, and it seems that there is no real solution:
Android 10 introduces several privacy-related restrictions that disallow apps to access certain information that could be potentially misused for fingerprinting and data collection. One of them is the restriction on access to the /proc/net filesystem: on devices that run Android 10 or higher, apps cannot access /proc/net, which includes information about a device's network state. Apps that need access to this information, such as VPNs, should use the NetworkStatsManager or ConnectivityManager class.
The current APIs in Android don't allow apps to access the ARP cache. I see a bug is raised in Google issue tracker that is currently in the below status - https://issuetracker.google.com/issues/130103885
"Status: Won't Fix (Infeasible) We've passed along your input to our internal teams, who are evaluating it for a future release. We're closing this issue for now, and thanks for sending us your feedback!"
https://developer.android.com/about/versions/10/privacy/changes#proc-net-filesystem
Related thread [ Access to /proc/net/tcp in Android Q ] - https://stackoverflow.com/a/58501039/4694013

Build.GetSerial() returns unknown on API 29

I can't get the serial on an Android 10 device.
I know about everything (permission, runtime permissions, I get the serial only after the permission is granted) from here
android Build.GetSerial() throwing exception
My code works on all android versions, except 10
Do you have any ideas?
If you follow the official documentation here: https://developer.android.com/reference/android/os/Build.html#getSerial(), more info on Android 10 changes here
You will notice that starting from Android 10 this method is returning Build.UNKNOWN. You can't use it to uniquely identify a single device anymore
You need to switch to the "less" persistent version called Settings.Secure.ANDROID_ID
The only ways to bypass this restriction are:
Create a system app to be able to get the READ_PRIVILEGED_PHONE_STATE system permission (a normal app can't get this).
Be registered as a carrier (which requires you to have built the Android ROM)
Have a custom "work profile" to set your own policies in the device.
As you can imagine, all those options are not meant to be used by standard android app developers

android HAL, how the application grant permission to access the sensor?

I'm looking into the Android HAL and trying to understand how the apps grant permission to access the sensor or hardware. The case is, I do not root my device (I can, but I won't), so if you want to tell me to root the device or modify the init.rc file, please save your time, thanks.
I did some tests.
I tried to directly get access to some sensors or hardware in Java code, like new FileOutputStream("/dev/XXX"), failed.
I tried to use JNI, like, fd = open("/dev/XXX", O_RDWR, 0), failed.
I guess both of them above are permission denied.
I used the sample named "native-activity" under the NDK directory. It's pure C code. And I finally got the value from the sensors.
So I don't know, in case 3, how and when this "native-activity" app grants the permission which makes it able to get the value from the sensors.
I may misunderstand something. Correct me if you think there is something wrong. Thanks

What linux permissions are needed for SystemProperties.set to work? (android)

I am writing an app that runs in system/app on an android device.
It is running as
android:sharedUserId="android.uid.systemui"
in Android.mk
LOCAL_CERTIFICATE := platform
However, I am finding that I cannot create, write or set a property.
In the console, I can do a getprop, setprop.
However, my program cannot create it.
ls -l /data/property/
shows it does not exist.
Slog.d(TAG, "key is not set, will set APPLE");
SystemProperties.set(keyName, favorite);
if (SystemProperties.get(keyName).equals(favorite)) {
    Slog.d(TAG, keyName + " = " + SystemProperties.get(keyName));
} else {
    Slog.e(TAG, "setting SystemProperties failed. value written = " + SystemProperties.get(keyName));
}
logcat:
Line 1365: D/MyTag( 2593): keyName: persist.fruit.user.favorite
Line 1373: D/MyTag( 2593): keyName has value []
Line 1377: D/MyTag( 2593): key is not set, will set APPLE
Line 1381: E/MyTag( 2593): setting SystemProperties failed. value written =
evidently perhaps it is a matter of insufficient permissions - but which ones?
I had accepted fadden's answer but after more exploration, found it was incorrect though it was very helpful in reaching the correct answer.
step 1:
look at the array in https://android.googlesource.com/platform/system/core/+/kitkat-release/init/property_service.c
{ "persist.sys.", AID_SYSTEM, 0 },
the name of your property should begin with the same key string in the array.
thus I had to change my property name to "persist.sys.fruit.user.favorite"
step 2:
in your android manifest file, run as user id mentioned in the array above.
<manifest android:sharedUserId="android.uid.system" >
It depends. In the 4.4 "KitKat" release, the list was contained in init's property_service.c (look around line 65). You can see, for example, that properties named debug.* can be updated by the "system" or "shell" user. (The mapping of system-recognized user IDs to numeric values can be found in android_filesystem_config.h.)
Some properties, such as ro.*, persist.*, and ctl.*, have additional restrictions or special behaviors.
In Android 5.0 "Lollipop", the list moved, but the behavior is the same.
Use adb shell ps to see what user ID your app is running under. If it's not system or shell, it won't be able to set system properties.
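The prefix/UID lookup that the two answers above describe for KitKat, as an added example (a simplified model written for this page, not code from property_service.c or from either answerer). The table holds only the entries mentioned here, the function name may_set_property is hypothetical, and the SELinux check that follows the table lookup on a real device is left out.

```c
#include <stdio.h>
#include <string.h>

/* Numeric IDs as defined in android_filesystem_config.h */
#define AID_SYSTEM 1000
#define AID_SHELL  2000

struct perm_entry {
    const char *prefix;   /* property name must start with this */
    unsigned int uid;     /* caller UID allowed to set it */
    unsigned int gid;     /* caller GID allowed to set it (0 = unused) */
};

/* Only the entries this page mentions; the real table is longer. */
static const struct perm_entry property_perms[] = {
    { "persist.sys.", AID_SYSTEM, 0 },
    { "debug.",       AID_SYSTEM, 0 },
    { "debug.",       AID_SHELL,  0 },
    { NULL, 0, 0 }
};

/* Hypothetical helper: returns 1 if the caller may set `name`, else 0. */
int may_set_property(const char *name, unsigned int uid, unsigned int gid)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (uid == 0)                       /* root is not limited by the table */
        return 1;
    for (int i = 0; property_perms[i].prefix != NULL; i++) {
        const struct perm_entry *e = &property_perms[i];
        /* Plain prefix match, so the trailing dot in the entry matters. */
        if (strncmp(e->prefix, name, strlen(e->prefix)) != 0)
            continue;
        if ((uid && e->uid == uid) || (gid && e->gid == gid))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* The two property names from the question and the self-answer. */
    const char *names[] = { "persist.fruit.user.favorite",
                            "persist.sys.fruit.user.favorite" };
    for (int i = 0; i < 2; i++)
        printf("%-34s uid=system -> %s\n", names[i],
               may_set_property(names[i], AID_SYSTEM, 0) ? "allowed" : "denied");
    return 0;
}
```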
TL;DR: The rules on Android 5+ are more or less the same as for Android 4.4. Check the whitelist from the accepted answer and use a system app for writing sysprops.
Since Android 5 access to system properties is controlled only by SELinux policies. Depending on source security context (where you're calling from) you will have access to different system properties, which live in a designated target security context. A system service running in system server has more access than an app running with shared system UID - a system app.
The rules consist of several files:
property_contexts - maps system property prefixes to SELinux contexts
shell.te - specifies (among other) which properties are settable by ADB shell (or an app with shell UID)
system_app.te - specifies which properties are settable by a system app (an app with system UID)
system_server.te - specifies which properties are accessible from the system server
Context files are available on the device in location that varies with system version. *.te files are compiled to a binary file.
The default values are stored in AOSP repositories and both the values and the location changed over the years.
Lollipop
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/property_contexts
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/system_app.te
https://android.googlesource.com/platform/external/sepolicy/+/lollipop-release/shell.te
Nougat
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/property_contexts
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/system-app.te
https://android.googlesource.com/platform/system/sepolicy/+/nougat-release/shell.te
Oreo
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/private/property_contexts
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/property.te
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/system_app.te
https://android.googlesource.com/platform/system/sepolicy/+/oreo-release/public/shell.te
Notes
Generally you'd want to set system properties as a system app with one exception. Only a shell UID app may write log.tag. until Pie. A system UID app may also write log.tag. since Pie.
seapp_contexts defines SELinux contexts for apps. On Pie you can't run an app with shell system UID.
For more information see https://source.android.com/security/selinux/images/SELinux_Treble.pdf

Create a socket in android code(not in android application) getting Permission Denied

I am trying to open a socket in the android source code. Specifically, right now, I am in the DisplayDevice.cpp file, but the location of the socket code may change. Right now after I do:
int fd = socket(AF_INET, SOCK_STREAM, 0);
fd gets returned as -1, and when I check the error message it is listed as Permission Denied. I have looked around a lot for this; most answers involve adding the internet permission to the AndroidManifest file. This will not work for me as the code I am adding is inside of the Android source code.
I was wondering if there is a way to bypass the permission denied. Or if there is a better way to do this/ a different type of socket to use(right now I am using sockets from
Thank you.
It is quite natural that you get Permission Denied error. This is simply because you don't have correct permission :). Check out android permission model!
Imagine a scenario like a normal user in an operating system and you write a program which tries to open a socket like yours. You would most probably face the same problem, depending on where the named socket is to be created.
As you are trying to create the socket in DisplayDevice.cpp (compiling android from the source), you may be interested in compiling the source as a superuser. Here is a solution posted by m-ric (I have never tested it).
Some useful pointers/references in similar direction and which I found useful during research on this enthralling topic are:
https://android.stackexchange.com/questions/18857/how-to-build-compile-su-from-source
execv command => http://code.google.com/p/superuser/source/browse/trunk/su/su.c?r=2#169
https://github.com/ChainsDD/su-binary
http://e2e.ti.com/support/omap/f/849/p/178679/648158.aspx#648158
A video from Google I/O 2011 http://www.youtube.com/watch?v=5yorhsSPFG4
