On 02/17/2016 07:25 AM, YongQin Liu wrote:
> Hi, all,
>
> I want to run the su command from an application (the AndroidTerm application) which is specified to run with the shell user, but I found that the su command fails because the euid is not changed to the owner of the su command.
>
> Here is the output:
>
> shell@flounder:/ $ ls -Z /system/xbin/s
> sane_schedstat showmap showslab simpleperf sqlite3 strace stringbench stringbench64 su
> shell@flounder:/ $ ls -Z /system/xbin/su
> -rwsr-x--- root shell u:object_r:su_exec:s0 su
> shell@flounder:/ $ ls -l /system/xbin/su
> -rwsr-x--- root shell 10232 2016-02-14 17:05 su
> shell@flounder:/ $ id
> uid=2000(shell) gid=2000(shell) groups=2000(shell),1015(sdcard_rw),1023(media_rw),3002(net_bt),3003(inet),3008(net_bt_stack),9997(everybody),42000(u0_a32000) context=u:r:shell:s0
> shell@flounder:/ $ su
> current_uid=2000, current_euid=2000, current_gid=2000, current_egid=2000
> su: setgid failed: Operation not permitted
> 1|shell@flounder:/ $
>
> From the above, you can see the euid output from the su command is the shell user id, not the root user id.
>
> If I run su from adb shell, it works. The output is like the following:
>
> shell@flounder:/ $ id
> uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:su:s0
> shell@flounder:/ $ su
> current_uid=2000, current_euid=0, current_gid=2000, current_egid=2000
> root@flounder:/ #
>
> I guess the failure from the app is somehow related to SELinux, but I cannot find out what keeps the euid from being changed. I tried from the app in Permissive mode; it still fails.
>
> Does anyone have any idea why the euid is not changed when I run from the app? Which source should I check?
Use of setuid/setgid programs from Android apps hasn't been supported since Android 4.3; see "Restrict Setuid from Android Apps" and "NO_NEW_PRIVS" in https://source.android.com/security/enhancements/enhancements43.html. That predated making SELinux enforcing.
When Android switched from Dalvik to ART, they seem to have dropped the nosuid mount of /system and are relying entirely on NO_NEW_PRIVS AFAICS.
SELinux would prevent the app from using any superuser capabilities even if these restrictions were not in effect (see the neverallow self:capability rules in app.te), but you aren't even getting that far due to NO_NEW_PRIVS.
The relevant code for NO_NEW_PRIVS is in frameworks/base/cmds/app_process/app_main.cpp.
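The NO_NEW_PRIVS behaviour named in the reply above, as an added example (not part of the original thread and not AOSP code): a small Linux C program showing that the flag, once set with prctl(), cannot be cleared and is inherited by child processes, which is why a set-user-ID su started from such a process keeps euid equal to uid. The helper names (nnp_get, nnp_set, nnp_clear_is_rejected, nnp_in_child) are hypothetical.

```c
/* Added example: inspect and set the Linux no_new_privs process attribute. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if no_new_privs is set for the caller, 0 if not, -1 on error. */
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag, as a launcher would before running untrusted code. */
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The flag is one-way: a request to clear it is rejected with EINVAL. */
int nnp_clear_is_rejected(void) {
    errno = 0;
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL;
}

/* Fork and report whether the child sees the flag (1 = inherited). */
int nnp_in_child(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before set:      no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    printf("after set:       no_new_privs=%d\n", nnp_get());
    printf("clear rejected:  %d\n", nnp_clear_is_rejected());
    printf("child inherits:  %d\n", nnp_in_child());
    /* From here on, execve() of a set-user-ID binary in this process or
     * any descendant leaves euid unchanged, matching the "current_euid=2000"
     * output in the question. */
    return 0;
}
```

Running nnp_get() inside the affected process (or a child it spawns) distinguishes a NO_NEW_PRIVS cause from an SELinux denial, which is consistent with the failure persisting in Permissive mode.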
