Hi Jeffrey,

Thanks for your quick response.
My system_app is used to test some components with a python script.
This app is not pre-loaded; it is installed for testing and will be uninstalled after all the test cases are done.
So I have to put my python binary in place at runtime, but dm-verity doesn't allow me to copy my binary into the system partition.
That's why I'm looking for other partitions to do it.
The python binary shouldn't be pre-loaded on the device.

Thanks
HAN

-----Original Message-----
From: "Jeffrey Vander Stoep"<[email protected]>
To: "HAN"<[email protected]>;
Cc: <[email protected]>;
Sent: 2018-04-02 (Mon) 23:14:09
Subject: Re: Questions about execution binary from /data.

Hi Han,

Privileged system components such as system_app are disallowed from executing content off the read-write /data partition because it is less trusted than dm-verity protected read-only partitions such as /system. I recommend you put your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN <[email protected]> wrote:

Hi everyone,

My system_app needs to execute a python binary to run a python script. So I copied the binary into the path "/data/misc/user/0/python", but execution is blocked by the neverallow below.
Where should I put my python binary? Are there any areas that are most commonly used in this case?

http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
------------------------------------------------------------------------------
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
------------------------------------------------------------------------------

Thanks.
HAN
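
The neverallow rule quoted in this thread, evaluated as set arithmetic to show which (domain, file type, permission) combinations it covers. This is an added example, not part of the original messages or of AOSP. The members of `data_file_type`, the `misc_user_data_file` label for `/data/misc/user/0/python`, the expansion of `no_x_file_perms`, and all helper names are assumptions made for illustration.

```python
import re

# The neverallow rule quoted in the thread (system/sepolicy/private/app.te).
RULE = """
neverallow {
  bluetooth isolated_app nfc radio shared_relro system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
"""

# Assumed, constructed for this sketch (not read from a device policy):
# a few types carrying the data_file_type attribute, and the macro expansion.
ATTRIBUTES = {"data_file_type": {
    "system_data_file", "apk_data_file", "dalvikcache_data_file",
    "misc_user_data_file", "app_data_file",
}}
MACROS = {"no_x_file_perms": {"execute", "execute_no_trans"}}

def expand(tokens):
    """Expand a type set: attributes become their members, '-name' subtracts."""
    included, excluded = set(), set()
    for tok in tokens:
        target = excluded if tok.startswith("-") else included
        name = tok.lstrip("-")
        target |= ATTRIBUTES.get(name, {name})
    return included - excluded

def parse_neverallow(text):
    """Return (source types, target types, class, permissions) for one rule."""
    text = re.sub(r"#.*", "", text)  # drop policy comments
    m = re.search(
        r"neverallow\s*\{([^}]*)\}\s*\{([^}]*)\}\s*:(\w+)\s+(\w+)\s*;", text)
    src, tgt, cls, perms = m.groups()
    return expand(src.split()), expand(tgt.split()), cls, MACROS.get(perms, {perms})

def violates(rule, source, target, cls, perm):
    """True if an allow rule for this access would trip the neverallow."""
    src, tgt, rule_cls, perms = rule
    return source in src and target in tgt and cls == rule_cls and perm in perms

if __name__ == "__main__":
    rule = parse_neverallow(RULE)
    for tgt in ("misc_user_data_file", "system_data_file", "system_file"):
        print(tgt, violates(rule, "system_app", tgt, "file", "execute"))
```

A type that falls outside the rule is only not forbidden by this neverallow; the access still needs an explicit allow rule before it is granted.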
