Unfortunately, you didn't include the SELinux denial message in your bug
report, so there's insufficient information to understand this problem. In
the future, please include the output of running "adb shell dmesg | grep
avc:" or "adb logcat -d | grep avc:" so that we can see the exact denial.
It would look something like this:

[10551.452724] type=1400 audit(1422936618.779:66): avc: denied { execute }
for pid=3373 comm="foo" name="foo" dev="dm-0" ino=4325
scontext=u:r:shell:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
permissive=0

Most files in /data/data/packageName are labeled with the "app_data_file"
SELinux label (see the "type=" field in /seapp_contexts). Currently,
SELinux policy only allows execute permissions to the following domains:

$ adb pull /sepolicy
1388 KB/s (149353 bytes in 0.105s)
$ sesearch --allow -t app_data_file -p execute sepolicy
Found 2 semantic av rules:
allow untrusted_app app_data_file : file { ioctl read getattr lock
execute execute_no_trans execmod open } ;
allow isolated_app app_data_file : file execute ;

Translating this into more understandable language, SELinux only allows
apps running as "untrusted_app" or "isolated_app" to load executable content
from /data/data/packageName. Other SELinux domains, such as system_server,
system_app (apps running with UID=system), platform_apps, vold, init, etc.,
are *not* allowed to execute code from /data/data/packageName.

These protections are there for good reason. Cross domain code execution
(running code in a sandbox that comes from outside the sandbox or other
untrusted sources) is strongly frowned on. Apps or other privileged
processes shouldn't be loading untrustworthy executable code.

In the future, SELinux on Android questions are best handled by
[email protected]. Please see
http://seandroid.bitbucket.org/ForMoreInformation.html#for-more-information
for subscription information.

-- Nick

On Tue, Feb 3, 2015 at 5:38 AM, skore <[email protected]> wrote:
> Hi,
>
> I am checking on the permissive and enforcing mechanisms of SELinux (SE Linux)
> in Android 5.0. I have placed a .so file in
> /data/data/packageName/files/libtestcalc.so.
>
> When the device is in permissive mode,
> System.load("/data/data/packageName/files/libtestcalc.so"); - works fine
> and I am able to access the methods of the .so file without any exceptions.
>
> The same System.load("/data/data/packageName/files/libtestcalc.so"); is
> not working when the device is in enforcing mode, and I am getting an exception
> as follows.
>
> java.lang.UnsatisfiedLinkError: dlopen failed: couldn't map
> "/data/data/packageName/files/libtestcalc.so" segment 1: Permission denied
>
> I guess in both the modes, same call flow will occur. I mean
> System.load(..)->Runtime.getRuntime().load(..)->Runtime.getRuntime(..).doload(..)->Runtime.getRuntime().nativeLoad(..)
>
> @Runtime.java->doLoad(..) documentation mentioned as "nativeLoad should be
> synchronized so there's only one LD_LIBRARY_PATH in use regardless..."
>
> When will this LD_LIBRARY_PATH get updated?
>
> How is Android differentiating the loading of files by mode? I want to know other
> ways to load a .so file from "/data/data/packageName/files/".
>
> Regards,
>
> Skore
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss.
>
> For more options, visit https://groups.google.com/d/optout.
>
--
Nick Kralevich | Android Security | [email protected] | 650.214.4037
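
The check described in the reply above, as an added example (not part of the original e-mail and not Android tooling): it parses an avc denial and sesearch output, then reports which denied permissions no listed allow rule grants. The inputs are the samples quoted in the reply; the function names are hypothetical, and rules are matched on literal type names only (attributes are not expanded).

```python
import re

# Constructed sample input: the denial and sesearch output quoted in the reply, e-mail wrapping kept.
SAMPLE_DENIAL = """[10551.452724] type=1400 audit(1422936618.779:66): avc: denied { execute }
for pid=3373 comm="foo" name="foo" dev="dm-0" ino=4325
scontext=u:r:shell:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
permissive=0"""

SAMPLE_RULES = """Found 2 semantic av rules:
allow untrusted_app app_data_file : file { ioctl read getattr lock
execute execute_no_trans execmod open } ;
allow isolated_app app_data_file : file execute ;"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_denial(text):
    """Return the fields of one avc denial, or None if text holds no denial."""
    m = AVC_RE.search(text)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
    return {
        "perms": set(m.group(1).split()),
        "comm": fields.get("comm", "").strip('"'),
        # A context is user:role:type:level; policy rules name the type.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive"),
    }

def parse_rules(text):
    """Map (source, target, class) to the permission set sesearch printed."""
    rules = {}
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update((braced or single).split())
    return rules

def missing_perms(denial, rules):
    """Permissions in the denial that no listed allow rule grants."""
    granted = rules.get((denial["source"], denial["target"], denial["tclass"]), set())
    return denial["perms"] - granted

def domains_allowed(rules, target, tclass, perm):
    """Source domains that hold perm on (target, tclass) in the listed rules."""
    return sorted(s for (s, t, c), p in rules.items()
                  if t == target and c == tclass and perm in p)
```
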