I am trying to run a shell script, which copies a file to a specific location, on phone power up and I added the following to my init.rc file:
service test_copy /system/bin/sh /system/bin/test_copy.sh
class pre-zygote_services
oneshot
user system
group system
When the service name (test_copy) is same as the script name, test_copy in this case, it doesn't execute the script but if I change the service name to a different one, like start_test_copy, it works. I am just eager to know the reason on why when service name is same as script name it doesn't work or am I wrong?
Try this one in your init.rc:
service test_copy /system/bin/test_copy.sh
user root
oneshot
Your test_copy.sh script must begin with:
#!/system/bin/sh
Always make sure use a different name for your service which Android init recommends.
Also, you can make your test_copy.sh into the executable by defining the Android Make file.
Related
I want to excute an executable on boot On a target board with Android 5.1 so I add this in init.rc:
on boot
start myservice
service myservice /system/bin/myservice
#class main
user root
group root
#oneshot
I did the unpack and repack job.
When changes are made, however, the screen keeps printing:
init warning: Service myservice needs a SELinux domain defined. Please fix.
type=1400 ... avc:denied ... scontext ... tcontext ... #some annoying warning messages like this
SELinux seems a huge project for me. I just want to avoid that. I tried two approaches:
1. setenv kernelargs 'console=ttyS0,115200n8 rootdelay=1 selinux=0' and saveenv
2. set enforce 0
For method 1, printenv gives the result:
kernelargs=console=ttyS0,115200n8 rootdelay=1 selinux=0
So you see, changes have been made. But the warning messages keeps printing after rebooting.
For method 2, it says:
Could not set enforce status. Permission denied.
So now I'm trapped in the dilema have no idea where to go. My questions:
Anyone knows how to disable or set permissive mode in android?
Which files should I modify if I want to define domain for the new service?
Besides, ls -Z /system/bin/myservice gives this:
u:object_r:system_file:s0
you need su to set permissive mode. Or you need source code to disable SELinux, such as disable SELinux in kernel config, or disable SELinux in BOARD_KERNEL_CMDLINE in device/vendor_name/product_name/BoardConfig.mk.
if you have the source code, you can define the new domain as you wish.
Please refer to the Android official documents: https://source.android.com/security/selinux/device-policy
section: Label new services and address denials
You have to add the seclabel attribute to the service in your init.rc file, but I don't know if your context will work. I just implemented it myself with the init_exec context:
$ grep yourservice system/sepolicy/file_contexts
/system/bin/vpd u:object_r:init_exec:s0
$ ls -Z path/to/system/bin/yourservice
u:object_r:init_exec:s0 path/to/system/bin/yourservice
$ grep yourservice device/brand/product/init.rc -A 5
service yourservice /system/bin/yourservice
seclabel u:r:init:s0
user root
group root
oneshot
Disabling SELinux on Android isn't hard and there are many threads treating the question. Just add either one of the following to your kernel command line parameters (i.e bootargs in U-Boot):
androidboot.selinux=permissive
androidboot.selinux=disabled
Run into a very similar problem myself, and here's what I've found:
When you run ls -Z /system/bin/myservice and get this:
u:object_r:system_file:s0
it means that your file is in the system_file domain. Now that's not good, as system files are not supposed to be executed, or at last not during init (you may still be able to execute it later from terminal the usual way).
In my case I was lucky, 'cause I was replacing an existing system service with a customised one that I've compiled from source. This means I was able to check the security context of the original file I was replacing and that was from ls -Z /system/bin/myservice.bak :
u:object_r:myservice_exec:s0
So I updated my new file to the same using chcon u:object_r:myservice_exec:s0 /system/bin/myservice
After that it was working fine.
If you want to create a brand new service you may need to use a domain that exists in your sepolicies already, as simply setting it to myservice_exec, won't help, as that would be a non-existing domain in your case.
If I were in your shoes and wanted to avoid defining custom policy I might try to find a service with similar security, check the domain on that and try to set the same to my service. init_exec may be a good candidate, but your mileage may vary...
I have a rooted phone and on it an application that I've built.
My application receives su powers from the superuser app and can call commands that require root, but the problem is that I have a piece of code that has to run from a process with root uid, and the file can't be compiled separately.
Now, is it possible to fork my process and run the child process as root:root? or somehow change the uid to root (I've tried with seteuid / setuid and it didn't work.. probably because the application's setuid flag is off).
I would like something like this:
fork process
if (child-process)
run_special_code()
else
wait_for_the_child_process_to_exit()
Thanks!
I have an app (service) that does not have an activity. I would like to start this app in init.rc like this:
service secret_service /system/bin/am startservice com.my.secret.service/com.my.secret.service.SecretService
class late_start
user root
group root
If run like above, this service runs in the "platform_app" security context. Howerver, I would like to run this in a different security context, such as "mysecurity". I have already tried using the seclabel like this:
service secret_service /system/bin/am startservice com.my.secret.service/com.my.secret.service.SecretService
class late_start
user root
group root
seclabel u:r:mysecurity:s0
But it does not work. Does anyone have an idea how to achieve this?
Thank you.
You should make an entry in mac_permissions.xml, which maps the app signing certificate to an seinfo value, and a corresponding entry in seapp_contexts, which maps the seinfo value to a domain. Also, if your domain isn't one of the standard ones, then you also have create the appropriate type enforcement file (e.g., mysecurity.te) in external/sepolicy for inclusion at policy build time.
in a monkeyrunner script while launching an activity, is there a way to mimic yourself having a certain permission that the starting activity requires?
I am using "device.startActivity(component='com.package/.MyActivity)" but the activity MyActivity requires a permission, and hence device.startActivity fails. Is there a way to give this permission to the script?
When I had this problem, I solved it by creating a very small application(with the correct permissions in the manifest) that I pushed to the phone. All the application did was re-send intents sent to it, but to a different destination. My application also had a gui for triggering events manually, but that's optional.
You can add permissions in AndroidManifest.xml file.
I don't know what monkeyRunner script is, and do we talk about the same permissions here, but in Android, all permissions you want to give to the app, you go to Manifest file.
Running an activity through monkeyrunner is not exactly different than running it manually. So, when it asks for permission, you can verify it right after installation by sending an extra command like:
device.press('KEYCODE_ENTER', MonkeyDevice.DOWN_AND_UP)
or
device.press('KEYCODE_BUTTON_SELECT', MonkeyDevice.DOWN_AND_UP)
You can also get your application have system privilages by pushing it into a special folder with these commands:
>adb remount
>adb push your\local\apk\path.apk system/priv-app
>adb shell stop
>adb shell start
Hope it works for you...
Before I start, this is meant for our own android based device and not for a phone nor for deployment elsewhere.
We have a service in init.rc that is a postgresql database server. This launches on startup and always runs in the background for the system. There's the possibility that it might close however and we would like to have a way to stop and start this service from the android side of the system.
Is there a way to send an init start command from an android Activity? From a root shell, this would be the equivalent of running "start servicename" and "stop servicename".
To start a service which is declared in the init.rc file, i think you must change the "ctl.start" system property with following commands :
In c file :
property_set("ctl.start", "<service_name>");
In java :
SystemProperties.set("ctl.start", "<service_name>");
This implies that your activity has system permissions (in the manifest) :
android:sharedUserId="android.uid.system"
and is signed by your system key (or put platform in the Android.mk)
As you can guess, to stop the service use following commands :
property_set("ctl.stop", "<service_name>");
or
SystemProperties.set("ctl.stop", "<service_name>");