Re: Questions about execution binary from /data.

2018-04-02 Thread William Roberts
On Mon, Apr 2, 2018 at 7:37 AM, HAN  wrote:

> Hi Jeffrey, thanks for your quick response.
>
> My system_app is used to test some components with a python script.
> This app is not pre-loaded; it is installed for testing and will be
> uninstalled after all the test-cases are done.
> So I have to put my python binary in at runtime, but dm-verity doesn't allow
> me to copy my binary into the system partition.
> That's why I'm looking for other partitions to do it.
> The python binary shouldn't be pre-loaded on the device.
>
>
I would recommend one of these approaches, assuming you're testing on
userdebug or eng variants:
1. Add the testing components to the build
2. adb remount and then push the binaries to system
3. Disable selinux with adb shell setenforce 0

If you're testing on user, and have a custom signed testing app, just be
prudent about what keys are being used to sign that user image. A source of
issues has been leaked system apps signed with production keys, which is bad!


>
> Thanks
>
> HAN
>
> -Original Message-
> *From:* "Jeffrey Vander Stoep"
> *To:* "HAN";
> *Cc:* ;
> *Sent:* 2018-04-02 (Mon) 23:14:09
> *Subject:* Re: Questions about execution binary from /data.
>
> Hi Han,
>
> Privileged system components such as system_app are disallowed from
> executing content off the read-write /data partition because it is less
> trusted than dm-verity protected read-only partitions such as /system. I
> recommend you put your python binary on the system partition.
>
> On Mon, Apr 2, 2018 at 6:10 AM HAN  wrote:
>
> Hi everyone,
>
> My system_app needs to execute a python binary to run a python script.
> So I copied the binary to the path "/data/misc/user/0/python"
> but execution is blocked by the neverallow below.
>
> Where should I put my python binary?
> Are there any areas that are most commonly used in this case?
>
> http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
> --
> # Blacklist app domains not allowed to execute from /data
> neverallow {
>   bluetooth
>   isolated_app
>   nfc
>   radio
>   shared_relro
>   system_app
> } {
>   data_file_type
>   -dalvikcache_data_file
>   -system_data_file # shared libs in apks
>   -apk_data_file
> }:file no_x_file_perms;
> --
>
> Thanks.
>
> HAN
>


Re: Questions about execution binary from /data.

2018-04-02 Thread HAN
Hi Jeffrey, thanks for your quick response.
 
My system_app is used to test some components with a python script.
This app is not pre-loaded; it is installed for testing and will be uninstalled
after all the test-cases are done.
So I have to put my python binary in at runtime, but dm-verity doesn't allow me
to copy my binary into the system partition.
That's why I'm looking for other partitions to do it.
The python binary shouldn't be pre-loaded on the device.
 
Thanks
HAN
 
-Original Message-
From: "Jeffrey Vander Stoep"
To: "HAN";
Cc: ;
Sent: 2018-04-02 (Mon) 23:14:09
Subject: Re: Questions about execution binary from /data.
 
Hi Han,
 
Privileged system components such as system_app are disallowed from executing 
content off the read-write /data partition because it is less trusted than 
dm-verity protected read-only partitions such as /system. I recommend you put 
your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN  wrote: 

Hi everyone,
 
My system_app needs to execute a python binary to run a python script.
So I copied the binary to the path "/data/misc/user/0/python"
but execution is blocked by the neverallow below.
 
Where should I put my python binary?
Are there any areas that are most commonly used in this case?
 
 
http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
--
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
--
 
Thanks.
HAN






Re: Questions about execution binary from /data.

2018-04-02 Thread Jeffrey Vander Stoep via Seandroid-list
Hi Han,

Privileged system components such as system_app are disallowed from
executing content off the read-write /data partition because it is less
trusted than dm-verity protected read-only partitions such as /system. I
recommend you put your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN  wrote:

> Hi everyone,
>
> My system_app needs to execute a python binary to run a python script.
> So I copied the binary to the path "/data/misc/user/0/python"
> but execution is blocked by the neverallow below.
>
> Where should I put my python binary?
> Are there any areas that are most commonly used in this case?
>
> http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
> --
> # Blacklist app domains not allowed to execute from /data
> neverallow {
>   bluetooth
>   isolated_app
>   nfc
>   radio
>   shared_relro
>   system_app
> } {
>   data_file_type
>   -dalvikcache_data_file
>   -system_data_file # shared libs in apks
>   -apk_data_file
> }:file no_x_file_perms;
> --
>
> Thanks.
>
> HAN
>


Questions about execution binary from /data.

2018-04-02 Thread HAN
Hi everyone,
 
My system_app needs to execute a python binary to run a python script.
So I copied the binary to the path "/data/misc/user/0/python"
but execution is blocked by the neverallow below.
 
Where should I put my python binary?
Are there any areas that are most commonly used in this case?
 
 
http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
--
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
--
 
Thanks.
HAN
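The neverallow HAN quotes, worked as an added example that is not code from the thread or from AOSP: a small Python checker that resolves the rule's source and target sets and reports whether a given domain, file type and permission would violate it. The attribute membership table and the misc_user_data_file label for /data/misc/user are constructed assumptions for illustration; no_x_file_perms expanding to { execute execute_no_trans } follows Android's global_macros.

```python
"""Added example (not from the thread): evaluate the app.te neverallow that
blocks system_app from executing files on /data. The attribute map below is a
constructed, partial stand-in for AOSP's real file.te, used only to show how
the rule resolves; no_x_file_perms is Android's global_macros name for
{ execute execute_no_trans }."""

NO_X_FILE_PERMS = frozenset({"execute", "execute_no_trans"})

# Constructed subset of the data_file_type attribute (illustration only).
ATTRIBUTES = {
    "data_file_type": {
        "app_data_file", "system_data_file", "dalvikcache_data_file",
        "apk_data_file", "misc_user_data_file",
    },
}

# The quoted rule as data: each list mirrors one brace-delimited set in app.te.
EXEC_FROM_DATA_RULE = {
    "sources": ["bluetooth", "isolated_app", "nfc", "radio",
                "shared_relro", "system_app"],
    "targets": ["data_file_type", "-dalvikcache_data_file",
                "-system_data_file", "-apk_data_file"],
    "class": "file",
    "perms": NO_X_FILE_PERMS,
}


def expand(names, attributes=ATTRIBUTES):
    """Resolve a set like {data_file_type -apk_data_file} to concrete types.
    A name that is not an attribute stands for itself; '-' removes members."""
    included, excluded = set(), set()
    for name in names:
        bare = name.lstrip("-")
        (excluded if name.startswith("-") else included).update(
            attributes.get(bare, {bare}))
    return included - excluded


def violates(domain, file_type, perm, obj_class="file",
             rule=EXEC_FROM_DATA_RULE, attributes=ATTRIBUTES):
    """True if an `allow domain file_type:obj_class perm` rule would violate the
    neverallow, so no policy can grant it and the access is denied at runtime."""
    return (obj_class == rule["class"]
            and perm in rule["perms"]
            and domain in expand(rule["sources"], attributes)
            and file_type in expand(rule["targets"], attributes))


if __name__ == "__main__":
    # HAN's case: system_app executing a binary under /data (assumed label
    # misc_user_data_file for /data/misc/user); prints True.
    print(violates("system_app", "misc_user_data_file", "execute"))
```

The exclusions in the rule are why `apk_data_file` and `system_data_file` (shared libs in apks) come back as not violating: the neverallow never covers them, so executing from those labels is governed by ordinary allow rules instead.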