Re: Questions about execution binary from /data.
On Mon, Apr 2, 2018 at 7:37 AM, HAN wrote:

> Hi Jeffrey, thanks for your quick response.
>
> My system_app is used to test some components with python script.
> This app is not pre-loaded and be installed to test and will be
> uninstalled after all the test-cases are done.
> So I have to put my python binary in runtime but dm-verity doesn't allow
> to copy my binary into system partition.
> That's why I'm looking for the other partitions to do it.
> The python binary shouldn't be pre-loaded on the device.

I would recommend one of these approaches, assuming you're testing on userdebug or eng variants:

1. Add the testing components to the build
2. adb remount and then push the binaries to system
3. Disable selinux with adb shell setenforce 0

If you're testing on user, and have a custom signed testing app, just be prudent on what keys are being used to sign that user image. A source of issues has been leaked system apps signed with production keys, which is bad!

> Thanks
> HAN
>
> -Original Message-
> *From:* "Jeffrey Vander Stoep"
> *To:* "HAN" ;
> *Cc:* ;
> *Sent:* 2018-04-02 (월) 23:14:09
> *Subject:* Re: Questions about execution binary from /data.
>
> Hi Han,
>
> Privileged system components such as system_app are disallowed from
> executing content off the read-write /data partition because it is less
> trusted than dm-verity protected read-only partitions such as /system. I
> recommend you put your python binary on the system partition.
>
> On Mon, Apr 2, 2018 at 6:10 AM HAN wrote:
>
> > Hi everyone,
> >
> > My system_app needs to execute python binary to run python script.
> > So I copied the binary into a path "/data/misc/user/0/python"
> > but execution is blocked by below neverallow.
> >
> > Where should I put my python binary into?
> > Are there any areas that are most commonly used in this case?
> >
> > http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
> >
> > --
> > # Blacklist app domains not allowed to execute from /data
> > neverallow {
> >   bluetooth
> >   isolated_app
> >   nfc
> >   radio
> >   shared_relro
> >   system_app
> > } {
> >   data_file_type
> >   -dalvikcache_data_file
> >   -system_data_file # shared libs in apks
> >   -apk_data_file
> > }:file no_x_file_perms;
> > --
> >
> > Thanks.
> > HAN
Re: Questions about execution binary from /data.
Hi Jeffrey, thanks for your quick response.

My system_app is used to test some components with python script.
This app is not pre-loaded and be installed to test and will be uninstalled after all the test-cases are done.
So I have to put my python binary in runtime but dm-verity doesn't allow to copy my binary into system partition.
That's why I'm looking for the other partitions to do it.
The python binary shouldn't be pre-loaded on the device.

Thanks
HAN

-Original Message-
From: "Jeffrey Vander Stoep"
To: "HAN" ;
Cc: ;
Sent: 2018-04-02 (월) 23:14:09
Subject: Re: Questions about execution binary from /data.

Hi Han,

Privileged system components such as system_app are disallowed from executing content off the read-write /data partition because it is less trusted than dm-verity protected read-only partitions such as /system. I recommend you put your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN wrote:

Hi everyone,

My system_app needs to execute python binary to run python script.
So I copied the binary into a path "/data/misc/user/0/python"
but execution is blocked by below neverallow.

Where should I put my python binary into?
Are there any areas that are most commonly used in this case?

http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497

--
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
--

Thanks.
HAN
Re: Questions about execution binary from /data.
Hi Han,

Privileged system components such as system_app are disallowed from executing content off the read-write /data partition because it is less trusted than dm-verity protected read-only partitions such as /system. I recommend you put your python binary on the system partition.

On Mon, Apr 2, 2018 at 6:10 AM HAN wrote:

> Hi everyone,
>
> My system_app needs to execute python binary to run python script.
> So I copied the binary into a path "/data/misc/user/0/python"
> but execution is blocked by below neverallow.
>
> Where should I put my python binary into?
> Are there any areas that are most commonly used in this case?
>
> http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497
>
> --
> # Blacklist app domains not allowed to execute from /data
> neverallow {
>   bluetooth
>   isolated_app
>   nfc
>   radio
>   shared_relro
>   system_app
> } {
>   data_file_type
>   -dalvikcache_data_file
>   -system_data_file # shared libs in apks
>   -apk_data_file
> }:file no_x_file_perms;
> --
>
> Thanks.
> HAN
Questions about execution binary from /data.
Hi everyone,

My system_app needs to execute python binary to run python script.
So I copied the binary into a path "/data/misc/user/0/python"
but execution is blocked by below neverallow.

Where should I put my python binary into?
Are there any areas that are most commonly used in this case?

http://androidxref.com/8.0.0_r4/xref/system/sepolicy/private/app.te#497

--
# Blacklist app domains not allowed to execute from /data
neverallow {
  bluetooth
  isolated_app
  nfc
  radio
  shared_relro
  system_app
} {
  data_file_type
  -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;
--

Thanks.
HAN
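
Added example (not part of the original messages and not AOSP code): a small Python evaluator for the neverallow rule quoted in this thread, showing which candidate allow rules it would reject when the policy is built. The attribute membership, the macro expansion and the misc_user_data_file label for /data/misc/user/0/python are assumptions made for illustration.

```python
import re

# Rule text as quoted in the thread (system/sepolicy/private/app.te, 8.0.0_r4).
RULE = """neverallow {
  bluetooth isolated_app nfc radio shared_relro system_app
} {
  data_file_type -dalvikcache_data_file
  -system_data_file # shared libs in apks
  -apk_data_file
}:file no_x_file_perms;"""

# ASSUMED for illustration: a small subset of the types carrying this attribute,
# and the permissions the macro expands to.
ATTRIBUTES = {"data_file_type": {"system_data_file", "apk_data_file",
              "dalvikcache_data_file", "misc_user_data_file", "app_data_file"}}
MACROS = {"no_x_file_perms": {"execute", "execute_no_trans"}}

def expand(body):
    """Expand a set expression: type names, attributes and '-name' exclusions."""
    include, exclude = set(), set()
    for tok in re.sub(r"#[^\n]*", "", body).split():
        bucket = exclude if tok.startswith("-") else include
        bucket |= ATTRIBUTES.get(tok.lstrip("-"), {tok.lstrip("-")})
    return include - exclude

def parse_neverallow(text):
    m = re.search(r"neverallow\s*\{(.*?)\}\s*\{(.*?)\}\s*:\s*(\w+)\s+(\w+)\s*;",
                  text, re.S)
    src, tgt, cls, perms = m.groups()
    return expand(src), expand(tgt), cls, MACROS.get(perms, {perms})

def violates(allow, rule):
    """True if the allow rule (src, tgt, class, perms) overlaps the neverallow."""
    src, tgt, cls, perms = allow
    r_src, r_tgt, r_cls, r_perms = rule
    return bool(expand(src) & r_src and expand(tgt) & r_tgt
                and cls == r_cls and set(perms) & r_perms)

RULE_PARSED = parse_neverallow(RULE)
# Constructed candidates; the label on the python binary is an assumption.
CANDIDATES = [
    ("system_app", "misc_user_data_file", "file", ["execute", "execute_no_trans"]),
    ("system_app", "misc_user_data_file", "file", ["read", "open"]),
    ("system_app", "system_data_file", "file", ["execute"]),  # excluded type
    ("untrusted_app", "misc_user_data_file", "file", ["execute"]),  # not in this rule
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print("REJECTED" if violates(c, RULE_PARSED) else "ok      ", c)
```

Only the first candidate is rejected: read access, the excluded system_data_file type, and domains outside the listed set do not intersect this particular rule, although other rules in the policy may still apply to them.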