On Mon, Apr 2, 2018 at 7:37 AM, HAN <kk...@naver.com> wrote:

> Hi Jeffrey, thanks for your quick response.
>
> My system_app is used to test some components with a python script.
> This app is not pre-loaded; it is installed to test and will be uninstalled after all the test cases are done.
> So I have to put my python binary in place at runtime, but dm-verity doesn't allow copying my binary into the system partition.
> That's why I'm looking for other partitions to do it.
> The python binary shouldn't be pre-loaded on the device.

I would recommend one of these approaches, assuming you're testing on userdebug or eng variants:

1. Add the testing components to the build
2. adb remount and then push the binaries to system
3. Disable selinux with adb shell setenforce 0

If you're testing on user, and have a custom signed testing app, just be prudent on what keys are being used to sign that user image. A source of issues has been leaked system apps signed with production keys, which is bad!

> Thanks
> HAN
>
> -----Original Message-----
> *From:* "Jeffrey Vander Stoep"<je...@google.com>
> *To:* "HAN"<kk...@naver.com>;
> *Cc:* <seandroid-list@tycho.nsa.gov>;
> *Sent:* 2018-04-02 (Mon) 23:14:09
> *Subject:* Re: Questions about execution binary from /data.
>
> Hi Han,
>
> Privileged system components such as system_app are disallowed from executing content off the read-write /data partition because it is less trusted than dm-verity protected read-only partitions such as /system. I recommend you put your python binary on the system partition.
>
> On Mon, Apr 2, 2018 at 6:10 AM HAN <kk...@naver.com> wrote:
>
> > Hi everyone,
> >
> > My system_app needs to execute a python binary to run a python script.
> > So I copied the binary into the path "/data/misc/user/0/python", but execution is blocked by the neverallow below.
> >
> > Where should I put my python binary?
> > Are there any areas that are most commonly used in this case?
> >
> > http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
> > ------------------------------------------------------------------------------
> > # Blacklist app domains not allowed to execute from /data
> > neverallow {
> >   bluetooth
> >   isolated_app
> >   nfc
> >   radio
> >   shared_relro
> >   system_app
> > } {
> >   data_file_type
> >   -dalvikcache_data_file
> >   -system_data_file # shared libs in apks
> >   -apk_data_file
> > }:file no_x_file_perms;
> > ------------------------------------------------------------------------------
> >
> > Thanks.
> > HAN
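As an added illustration (not part of this thread or of AOSP), the following checks a (domain, file type) pair against the braced neverallow quoted above, honouring the `-type` exclusions: system_app executing a file labelled app_data_file is forbidden, while the excluded apk_data_file and a domain outside the source set are not. The `ATTRIBUTES` map is a hand-picked, hypothetical subset of the types carrying data_file_type; a real check would read it from the compiled policy.

```python
import re
# Constructed fragment reproducing the rule quoted in the thread (AOSP 8.0 app.te).
APP_TE = """
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
"""
# Hypothetical, hand-picked subset of the types that carry the data_file_type attribute;
# a real analysis would read this from the compiled policy rather than hard-code it.
ATTRIBUTES = {"data_file_type": {"app_data_file", "apk_data_file",
                                 "dalvikcache_data_file", "system_data_file"}}
RULE = re.compile(r"neverallow\s*\{([^}]*)\}\s*\{([^}]*)\}\s*:\s*(\w+)\s+(\w+)\s*;")

def parse_neverallows(text):
    """Yield (sources, targets, excluded_targets, class, perms) for each braced neverallow."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    for m in RULE.finditer(text):
        targets, excluded = set(), set()
        for tok in m.group(2).split():  # a leading '-' marks an excluded type
            (excluded if tok.startswith("-") else targets).add(tok.lstrip("-"))
        yield set(m.group(1).split()), targets, excluded, m.group(3), m.group(4)

def expand(types):
    """Replace attributes with the concrete types that carry them (see ATTRIBUTES)."""
    return set().union(*(ATTRIBUTES.get(t, {t}) for t in types))

def blocked_by_neverallow(domain, file_type, text=APP_TE):
    """True if a neverallow in `text` forbids `domain` executing files labelled `file_type`."""
    for sources, targets, excluded, cls, perms in parse_neverallows(text):
        if (cls == "file" and perms == "no_x_file_perms" and domain in sources
                and file_type in expand(targets) - expand(excluded)):
            return True
    return False

if __name__ == "__main__":
    print(blocked_by_neverallow("system_app", "app_data_file"))     # True: the thread's case
    print(blocked_by_neverallow("system_app", "apk_data_file"))     # False: excluded target
    print(blocked_by_neverallow("untrusted_app", "app_data_file"))  # False: not a source domain
```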