• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[MODULE] Privileged Permission Whitelist (Oreo)

Search This thread

yochananmarqos

Recognized Contributor

Zackptg5

Recognized Developer
Sep 18, 2014
4,108
6,840
zackptg5.com
Google Pixel 4a
Google Pixel 5a
Most apps? I only have ims & TimeService in /vendor/app on my 6P.

Nothing is mentioned on the Privileged Permission Whitelist Requirement page about vendor apps.
That's what I was wondering. I mean OEM apps. It seems like it may be related to project treble or something (just taking a guess here) but oems are moving more of their stuff to vendor so I've been thinking that custom apps should go there too
 

erickxd

Senior Member
Aug 12, 2012
66
3
Maringa
Hello guys. First, sorry for my english.. I'm learning...
My real objetive is give to Cerberus app all functionalities that the root can give.
I read that it would be necessary to install the "Terminal" and "App systemizer", and from what I understand, I need to grant permissions to them, following this topic. Was that right? How do I give permissions to the App systemizer ??? Or am I wrong and do not need it?
(My device is a Xiaomi Mi A1 running Oreo)
Thank you very much!
 

yochananmarqos

Recognized Contributor
Dis you have the new one with the new template? 15.3?

Hello guys. First, sorry for my english.. I'm learning...
My real objetive is give to Cerberus app all functionalities that the root can give.
I read that it would be necessary to install the "Terminal" and "App systemizer", and from what I understand, I need to grant permissions to them, following this topic. Was that right? How do I give permissions to the App systemizer ??? Or am I wrong and do not need it?
(My device is a Xiaomi Mi A1 running Oreo)
Thank you very much!

This module is now obsolete as privapp permissions are now granted automatically when systemizing apps with Terminal App Systemizer. Please use that from now on.
 
  • Like
Reactions: erickxd and nisavid

arcanjope

Member
Apr 12, 2013
6
0
This way, the app I release permissions resists a wipe?
I use Cerberus, I wanted to know if the access stays after a Hard reset.
 

Hanwie88

Member
Aug 5, 2018
6
0
**** This module is now obsolete as privapp permissions are now granted automatically when systemizing apps with Terminal App Systemizer. Please use that from now on. ****

In Android 8.0 Oreo, permissions are not automatically granted to system privileged apps. This is automatically done by apps where the root method allows system modifications, but with systemless root that has to be done in a different way.

Therefore, apps systemized into /system/priv-app using App Systemizer or Terminal App Systemizer will not be granted some permissions. All privileged apps must be whitelisted in system configuration files in the /etc/permissions directory.

Entries can either be appended to /etc/permissions/privapp-permissions-platform.xml or separate files can be created for each package; i.e., /etc/permissions/privapp-permisisons-com.package.name.xml. The latter is easier and more modular (pun intended :laugh: ).

This module is more of a template. I've included XML files for BetterBatteryStats, Cerberus, F-Droid Privileged Extension, Greenify and Wakelock Detector Free. Before flashing it, you will want to add or remove XML files according to your needs.

Example XML file:

/etc/permissions/privapp-permisisons-com.package.name.xml
Code:
<?xml version="1.0" encoding="utf-8"?>
<permissions>
  <privapp-permissions package="com.package.name">
	<permission name="android.permission.WRITE_A_SETTING" />
	<permission name="android.permission.WRITE_ANOTHER_SETTING" />
  </privapp-permissions>
</permissions>

In order to determine what permissions are missing from your systemized app, you can compare the requested permissions and install permissions by running:

Code:
adb shell dumpsys package com.package.name

However, not every permission missing from the install permissions section needs to be granted in this manner. If you're not sure, contact the app developer for clarification.

A better version of this module would generate the permissions configuration XML file without having to get your hands dirty. However, that would require including aapt and I haven't figured out how to do it yet. Perhaps @stangri or @veez21 could help with that. :cool:

Download:
Module removed, please use Terminal App Systemizer

How could restrict some app to read phone state,id and imei ?
 

1xdroid

Member
Feb 11, 2011
35
2
Hello. Thanks for this thread. I'm trying to install fakegpsgoandroutes as system app and this systemizer did it for me. I just had to delete the apk and folder from data/app. I changed permissions on apk to rw-r-r. The faqs for app says rx-r-r, but i can't find a way to change it to that. Also it says i need to change the xml, but from what i'm reading that's no longer needed? Here is the link i'm referring http://incorporateapps.com/fake_gps_route_faq.html. This is what they want me to edit in xml
This process is only for Android Oreo 8.0 or newer. On older versions moving the app to system/priv-app, deleting the /data/app/com.incorporateapps.fakegps_route folder and restarting is enough.

To make the app system on Android 8 Oreo at the time of writing you will need Magisk root method to pass SafetyNet and the app moved manually to system/priv-app (on Oreo and above you need to put the whole folder com.incorporateapps.fakegps_route, not just the base.apk, to system/priv-app and check the permissions. Delete all characters after ".fakegps_route". In addition you need to follow these steps.
You will then need to browse to /etc/permissions/ and add these lines to the file privapp-permissions-platform.xml before this closing TAG inside the file:
</permissions>
(file needs to be saved with 0644 or -rw-r-r-- and owner and group need to be "root")

<privapp-permissions package="com.incorporateapps.fakegps_route">
<permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
<permission name="android.permission.UPDATE_APP_OPS_STATS"/>
<permission name="android.permission.WRITE_SECURE_SETTINGS"/>
<permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
<permission name="android.permission.ACCESS_MOCK_LOCATION"/>
</privapp-permissions>


On stock Android, according to Google, you have to use (instead of the privapp-permissions-platform.xml) the /etc/permissions/privapp-permissions-DEVICE_NAME.xml Google permissions whitelisting blog
For pixel this should be privapp-permissions-wahoo.xml. But in our tests the -platform.xml works too. Don't forget to set the proper permissions, owner and group after saving!

Next create a file called /etc/permissions/privapp-permissions-com.incorporateapps.fakegps_route.xml and add the following code to the file save it with permissions 0644 (checkbox on Owner: Read Write, Group: Read and Others: Read or -rw-r-r--) and restart the phone

<?xml version="1.0" encoding="utf-8"?>
<permissions>
<privapp-permissions package="com.incorporateapps.fakegps_route">
<permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
<permission name="android.permission.UPDATE_APP_OPS_STATS"/>
<permission name="android.permission.WRITE_SECURE_SETTINGS"/>
<permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
<permission name="android.permission.ACCESS_MOCK_LOCATION"/>
</privapp-permissions>
</permissions>
I have a Pixel Xl btw
Could i please get some help on how to complete this i would really appreciate it. Thanks
 

yochananmarqos

Recognized Contributor
Hello. Thanks for this thread. I'm trying to install fakegpsgoandroutes as system app and this systemizer did it for me. I just had to delete the apk and folder from data/app. I changed permissions on apk to rw-r-r. The faqs for app says rx-r-r, but i can't find a way to change it to that. Also it says i need to change the xml, but from what i'm reading that's no longer needed? Here is the link i'm referring http://incorporateapps.com/fake_gps_route_faq.html. This is what they want me to edit in xml
This process is only for Android Oreo 8.0 or newer. On older versions moving the app to system/priv-app, deleting the /data/app/com.incorporateapps.fakegps_route folder and restarting is enough.

To make the app system on Android 8 Oreo at the time of writing you will need Magisk root method to pass SafetyNet and the app moved manually to system/priv-app (on Oreo and above you need to put the whole folder com.incorporateapps.fakegps_route, not just the base.apk, to system/priv-app and check the permissions. Delete all characters after ".fakegps_route". In addition you need to follow these steps.
You will then need to browse to /etc/permissions/ and add these lines to the file privapp-permissions-platform.xml before this closing TAG inside the file:
</permissions>
(file needs to be saved with 0644 or -rw-r-r-- and owner and group need to be "root")

<privapp-permissions package="com.incorporateapps.fakegps_route">
<permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
<permission name="android.permission.UPDATE_APP_OPS_STATS"/>
<permission name="android.permission.WRITE_SECURE_SETTINGS"/>
<permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
<permission name="android.permission.ACCESS_MOCK_LOCATION"/>
</privapp-permissions>


On stock Android, according to Google, you have to use (instead of the privapp-permissions-platform.xml) the /etc/permissions/privapp-permissions-DEVICE_NAME.xml Google permissions whitelisting blog
For pixel this should be privapp-permissions-wahoo.xml. But in our tests the -platform.xml works too. Don't forget to set the proper permissions, owner and group after saving!

Next create a file called /etc/permissions/privapp-permissions-com.incorporateapps.fakegps_route.xml and add the following code to the file save it with permissions 0644 (checkbox on Owner: Read Write, Group: Read and Others: Read or -rw-r-r--) and restart the phone

<?xml version="1.0" encoding="utf-8"?>
<permissions>
<privapp-permissions package="com.incorporateapps.fakegps_route">
<permission name="android.permission.INSTALL_LOCATION_PROVIDER"/>
<permission name="android.permission.UPDATE_APP_OPS_STATS"/>
<permission name="android.permission.WRITE_SECURE_SETTINGS"/>
<permission name="android.permission.CHANGE_COMPONENT_ENABLED_STATE"/>
<permission name="android.permission.ACCESS_MOCK_LOCATION"/>
</privapp-permissions>
</permissions>
I have a Pixel Xl btw
Could i please get some help on how to complete this i would really appreciate it. Thanks
If it doesn't work with Terminal App Systemizer, I suggest asking the app developer to create a Magisk module for it. Either that or you could make one yourself. :)

Sent from my Pixel using XDA Labs
 

Top Liked Posts

  • There are no posts matching your filters.
  • 25
    **** This module is now obsolete as privapp permissions are now granted automatically when systemizing apps with Terminal App Systemizer. Please use that from now on. ****

    In Android 8.0 Oreo, permissions are not automatically granted to system privileged apps. This is automatically done by apps where the root method allows system modifications, but with systemless root that has to be done in a different way.

    Therefore, apps systemized into /system/priv-app using App Systemizer or Terminal App Systemizer will not be granted some permissions. All privileged apps must be whitelisted in system configuration files in the /etc/permissions directory.

    Entries can either be appended to /etc/permissions/privapp-permissions-platform.xml or separate files can be created for each package; i.e., /etc/permissions/privapp-permisisons-com.package.name.xml. The latter is easier and more modular (pun intended :laugh: ).

    This module is more of a template. I've included XML files for BetterBatteryStats, Cerberus, F-Droid Privileged Extension, Greenify and Wakelock Detector Free. Before flashing it, you will want to add or remove XML files according to your needs.

    Example XML file:

    /etc/permissions/privapp-permisisons-com.package.name.xml
    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <permissions>
      <privapp-permissions package="com.package.name">
    	<permission name="android.permission.WRITE_A_SETTING" />
    	<permission name="android.permission.WRITE_ANOTHER_SETTING" />
      </privapp-permissions>
    </permissions>

    In order to determine what permissions are missing from your systemized app, you can compare the requested permissions and install permissions by running:

    Code:
    adb shell dumpsys package com.package.name

    However, not every permission missing from the install permissions section needs to be granted in this manner. If you're not sure, contact the app developer for clarification.

    A better version of this module would generate the permissions configuration XML file without having to get your hands dirty. However, that would require including aapt and I haven't figured out how to do it yet. Perhaps @stangri or @veez21 could help with that. :cool:

    Download:
    Module removed, please use Terminal App Systemizer
    4
    Would you believe I didn't notice BetterBatteryStats was missing permissions? :silly: I thought it was no longer necessary as the How-to & FAQ in the main BBS thread states it does not require the system app anymore.

    However, it turns out (at least on Oreo) it is still necessary. I noticed these required permissions are not being granted:

    android.permission.DUMP
    android.permission.READ_LOGS
    android.permission.DEVICE_POWER

    You can verify the permissions are granted (or not) by going to BBS Settings > Advanced > Install as system app.

    I updated the module to support the Play Store version and the XDA Edition. Download in the OP.

    @chamonix The above permissions will also need to be granted via adb for those running BBS on a non-rooted device.

    Thanks to @kd- for figuring this out :good:
    2
    I fought with this forever, especially after 7.1 it became a real hassle. I feel your pain. But I think I've gotten it figured out at this point and happy to help. My use case is for my in-dash Nexus 7 tablet. I leave BT on, and anytime I get in my car it connects to my car stereo, and Tasker turns on my hotspot when it sees I connect to that BT device.

    Start with the Tasker plugin "Nougat+ Tasker Tethering Control". This will show up in Tasker under plugins. First time you add it to a task, when you go to configuration you'll see a request to install it to system - do that and reboot.

    Now go back to Tasker and and test run the task. If you get an error about "android.permission.TETHER_PRIVILEGED", then flash the attached module in Magisk and reboot. This should give Tasker Tether the permissions it needs to turn hotspot on/off. It worked perfectly for me.

    Let me know if you have any issues and I'll help if at all possible. Also this assumes that you can turn on hotspot manually and it works.... this is not a way to get hotspot working if your carrier is blocking it, this just allows Tasker to automate the process.
    2
    Dis you have the new one with the new template? 15.3?

    Hello guys. First, sorry for my english.. I'm learning...
    My real objetive is give to Cerberus app all functionalities that the root can give.
    I read that it would be necessary to install the "Terminal" and "App systemizer", and from what I understand, I need to grant permissions to them, following this topic. Was that right? How do I give permissions to the App systemizer ??? Or am I wrong and do not need it?
    (My device is a Xiaomi Mi A1 running Oreo)
    Thank you very much!

    This module is now obsolete as privapp permissions are now granted automatically when systemizing apps with Terminal App Systemizer. Please use that from now on.
    1
    Cool, I'll try to use it for Mi Fit app that seems to be kicked by Oreo. But right now, ADB seems broken on my device.
    If someone kind enought could help me for the list of autorisation to give, I'd be very gratefull !
    How would Mi Fit benefit from being a system app? I used it with my Mi Band 2 (before I lost it) on Oreo with no issues.

    Sent from my LG G5 using XDA Labs