Hi, Stephen

Thanks for the information.

After I commented out the NO_NEW_PRIVS lines in
frameworks/base/cmds/app_process/app_main.cpp,

I can see the euid is changed to 0 now,
but I still get the Operation not permitted error for setgid.

shell@flounder:/ $ su
current_uid=2000, current_euid=0, current_gid=2000, current_egid=2000
su: setgid failed: Operation not permitted
1|shell@flounder:/ $

I set it to Permissive mode, and cannot see any avc denial messages in dmesg
and logcat.

Any idea where the guard is now?

Thanks,
Yongqin Liu

On 17 February 2016 at 22:48, Stephen Smalley <[email protected]> wrote:

> On 02/17/2016 07:25 AM, YongQin Liu wrote:
>
>> Hi, all
>>
>> I want to run the su command from an application (the AndroidTerm
>> application) which is specified to run with the shell user, but I found
>> that the su command fails because the euid is not changed to the owner
>> of the su command.
>>
>> Here is the output:
>> shell@flounder:/ $ ls -Z /system/xbin/s
>> sane_schedstat showmap        showslab       simpleperf     sqlite3
>>     strace         stringbench    stringbench64  su
>> shell@flounder:/ $ ls -Z /system/xbin/su
>> -rwsr-x--- root     shell             u:object_r:su_exec:s0 su
>> shell@flounder:/ $ ls -l /system/xbin/su
>> -rwsr-x--- root     shell       10232 2016-02-14 17:05 su
>> shell@flounder:/ $ id
>> uid=2000(shell) gid=2000(shell)
>>
>> groups=2000(shell),1015(sdcard_rw),1023(media_rw),3002(net_bt),3003(inet),3008(net_bt_stack),9997(everybody),42000(u0_a32000)
>> context=u:r:shell:s0
>> shell@flounder:/ $ su
>> current_uid=2000, current_euid=2000, current_gid=2000, current_egid=2000
>> su: setgid failed: Operation not permitted
>> 1|shell@flounder:/ $
>>
>> From the above, you can see the euid output from the su command is the shell
>> user id, not the root user id.
>>
>> If I run su from adb shell, it works. The output is like the following:
>> shell@flounder:/ $ id
>> uid=2000(shell) gid=2000(shell)
>>
>> groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
>> context=u:r:su:s0
>> shell@flounder:/ $ su
>> current_uid=2000, current_euid=0, current_gid=2000, current_egid=2000
>> root@flounder:/ #
>>
>> I guess the failure from the app is related to SELinux, but I can
>> not find out what keeps the euid from being changed.
>> I tried from the app in Permissive mode; it still fails.
>>
>> Does anyone have any idea why the euid is not changed when I run from the app?
>> Which source should I check?
>>
>
> Use of setuid/setgid programs from Android apps hasn't been supported
> since Android 4.3; see "Restrict Setuid from Android Apps" and
> "NO_NEW_PRIVS" in
> https://source.android.com/security/enhancements/enhancements43.html.
> That predated making SELinux enforcing.
>
> When Android switched from Dalvik to ART, they seem to have dropped the
> nosuid mount of /system and are relying entirely on NO_NEW_PRIVS AFAICS.
>
> SELinux would prevent the app from using any superuser capabilities even
> if these restrictions were not in effect (see the neverallow
> self:capability rules in app.te), but you aren't even getting that far due
> to NO_NEW_PRIVS.
>
> The relevant code for NO_NEW_PRIVS is in
> frameworks/base/cmds/app_process/app_main.cpp.
>



-- 
Best Regards,
Yongqin Liu
---------------------------------------------------------------
#mailing list
[email protected] <[email protected]>
http://lists.linaro.org/mailman/listinfo/linaro-android
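
Added example, not part of the original messages or of any Android source: a small C diagnostic that reads the real and effective uid/gid and the no_new_privs flag of a process from /proc/<pid>/status, the same values the su debug output and the NO_NEW_PRIVS discussion above refer to. It assumes a Linux /proc layout; the NoNewPrivs line is only present on Linux 4.10 and later, so older kernels are reported as -1 (unknown), and the names parse_status and read_status are made up for this example.

```c
#include <stdio.h>
#include <string.h>

struct proc_ids {
    int uid, euid, gid, egid;
    int no_new_privs;            /* -1: kernel does not report the field */
};

/* Parse status text; returns 0 if both Uid: and Gid: lines were found. */
int parse_status(const char *text, struct proc_ids *out)
{
    int have_uid = 0, have_gid = 0;
    memset(out, 0, sizeof *out);
    out->no_new_privs = -1;
    for (const char *line = text; line && *line; ) {
        /* Uid:/Gid: columns are real, effective, saved, filesystem. */
        if (sscanf(line, "Uid: %d %d", &out->uid, &out->euid) == 2)
            have_uid = 1;
        else if (sscanf(line, "Gid: %d %d", &out->gid, &out->egid) == 2)
            have_gid = 1;
        else
            sscanf(line, "NoNewPrivs: %d", &out->no_new_privs);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return (have_uid && have_gid) ? 0 : -1;
}

/* Read /proc/<pid>/status; pid may be "self". Returns 0 on success. */
int read_status(const char *pid, struct proc_ids *out)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status(buf, out);
}

int main(int argc, char **argv)
{
    struct proc_ids p;
    if (read_status(argc > 1 ? argv[1] : "self", &p) != 0) return 1;
    printf("uid=%d euid=%d gid=%d egid=%d no_new_privs=%d\n",
           p.uid, p.euid, p.gid, p.egid, p.no_new_privs);
    return 0;
}
```

Run with a pid as the only argument, or with no argument to inspect the tool's own process.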