setools-android with sepolicy-inject


Mikos

Introduction
In Android 5.0, SELinux is in enforcing mode and sometimes you (or some root application) need to change SELinux policy. There has been only one tool capable of this at runtime - Chainfire's supolicy (part of SuperSU). But this tool is closed source and closed source root apps are a great security risk. So I have fixed and enhanced sepolicy-inject from Joshua Brindle and combined it with setools-android by Dmitry Podgorny (pasis) to make it buildable with Android NDK.

Installation instructions
You must have android-ndk installed. Then run:

Code:
git clone https://github.com/xmikos/setools-android.git
cd setools-android
ndk-build

Now you can copy executables from libs/armeabi directory (sepolicy-inject, sesearch and seinfo) to /system/xbin directory on your device.

Usage
Code:
sepolicy-inject -s <source type> -t <target type> -c <class> -p <perm>[,<perm2>,<perm3>,...] [-P <policy file>] [-o <output file>] [-l|--load]
sepolicy-inject -Z type_to_make_permissive [-P <policy file>] [-o <output file>] [-l|--load]
sepolicy-inject -z type_to_make_nonpermissive [-P <policy file>] [-o <output file>] [-l|--load]

For example, if you want to allow vdc to write to a pseudo-terminal (so you can see replies from the vdc command):

Code:
sepolicy-inject -s vdc -t devpts -c chr_file -p read,write -l

Download
Latest binaries for all architectures
Project on GitHub


XDA:DevDB Information
setools-android with sepolicy-inject, Tool/Utility for all devices (see above for details)

Contributors
Mikos, joshua_brindle, Dmitry Podgorny (pasis)
Source Code: https://github.com/xmikos/setools-android


Version Information
Status: Stable
Current Stable Version: 1.3
Stable Release Date: 2017-08-22

Created 2014-12-19
Last Updated 2017-08-22
 

moonbutt74

Mikos,

hi,

i was wondering if you would go further into depth on the command line options,
specifically can i "piggy-back" supolicy onto sepolicy or can you provide a non-generic example of
how to inject say a static su binary with the proper context [seapp_context,file_context,property_context,service_context]

i would be doing this in a debian arm chroot,
the policy is for samsung galaxy tab 4 8.0 sm-t330nu LP 5.1.1 firmware release.

i'm battling apparently selinux AND knox

my current adventure is outlined here..,
http://forum.xda-developers.com/tab-4/general/sm-lp-5-1-1-supersu-t3160110

i have cloned your repo and am downloading either ndk or studio.

thanks

m
 

Mikos

Mikos,
i was wondering if you would go further into depth on the command line options,
specifically can i "piggy-back" supolicy onto sepolicy or can you provide a non-generic example of
how to inject say a static su binary with the proper context [seapp_context,file_context,property_context,service_context]

Hello, the syntax is simple. If you want a comparison with supolicy, here is one example (taken from my SnooperStopper app):

Code:
supolicy --live 'allow vdc init fifo_file {read write getattr}'

is equivalent to:

Code:
sepolicy-inject -s vdc -t init -c fifo_file -p read,write,getattr -l
 

moonbutt74

Mikos,

thanks i got your toolkit built API 19 armeabi-v7a
seinfo is neat.
okay so i am a bit of a dumb dumb, would you be up for jumping in on my thread and helping out.
the problem with supersu seems to be at app_process -> /system/xbin/daemonsu
Code:
F/appproc (  305): Error changing dalvik-cache ownership : Permission denied
F/libc    (  305): Fatal signal 6 (SIGABRT), code -6 in tid 305 (app_process32_o)

and that's where i'm stuck,
also how do i build these tools fully static if possible ? the deb arm chroot doesn't seem to like them :eek:

thanks

m
 

Mikos

I have released version 1.1 (with support for allowing multiple SELinux permissions at once). I have also updated binaries (now built for armeabi, armeabi-v7a, mips and x86). You can download them from XDA Developers or GitHub.
 

Mikos

okay so i am a bit of a dumb dumb, would you be up for jumping in on my thread and helping out.
the problem with supersu seems to be at app_process -> /system/xbin/daemonsu
Code:
F/appproc (  305): Error changing dalvik-cache ownership : Permission denied
F/libc    (  305): Fatal signal 6 (SIGABRT), code -6 in tid 305 (app_process32_o)

Sorry, I don't know what your problem could be. But have you looked at logcat? You should see the exact missing SELinux permissions there...

also how do i build these tools fully static if possible ? the deb arm chroot doesn't seem to like them :eek:

These binaries are built static. Or at least static for Android (standard NDK build). Debian in chroot may use different libc or something like that.
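
Added example (not part of the thread, and not code from setools-android): the advice above to read the missing permissions off logcat, carried out in Python. It parses `avc: denied` lines, merges them per source type, target type and class, and returns each as an allow rule plus the equivalent `sepolicy-inject` command in the syntax from the first post. The sample lines are taken from the logcat posted later in this thread; the function names, the `sepolicy.N` output file names and the review notes are assumptions of this example.

```python
import re
import shlex

# AVC denial as it appears in logcat / the kernel audit log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Review heuristics chosen for this example (assumptions, not tool output).
BROAD_SOURCES = {
    "untrusted_app": "source is the domain third-party apps share; rule is not limited to one app",
}
SENSITIVE_PERMS = {
    ("capability", "dac_override"): "dac_override bypasses file permission checks",
}

# Sample lines taken from the logcat posted later in this thread (logcat prefix trimmed).
SAMPLE_LOG = [
    'type=1400 audit(0.0:207): avc: denied { write } for name="arm64" dev="mmcblk0p31" ino=278530 scontext=u:r:shell:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0',
    'type=1400 audit(0.0:208): avc: denied { write } for name="arm64" dev="mmcblk0p31" ino=278530 scontext=u:r:shell:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0',
    'type=1400 audit(0.0:209): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0',
    'type=1400 audit(0.0:213): avc: denied { read } for name="RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'type=1400 audit(0.0:29): avc: denied { call } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1',
    'type=1400 audit(0.0:30): avc: denied { transfer } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1',
    'D AndroidRuntime: CheckJNI is OFF',
]


def context_type(context):
    """Return the type field of a context such as u:r:untrusted_app:s0:c512,c768."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return fields[2]


def collect_denials(lines):
    """Group denied permissions by (source type, target type, class), dropping repeats."""
    rules = {}
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        entry = rules.setdefault(key, {"perms": [], "enforced": False})
        for perm in m["perms"].split():
            if perm not in entry["perms"]:
                entry["perms"].append(perm)
        if m["permissive"] != "1":
            entry["enforced"] = True  # the access was actually blocked
    return rules


def plan(lines, policy="sepolicy"):
    """One step per candidate rule; each step reads the previous step's output file."""
    steps, current = [], policy
    for i, (key, entry) in enumerate(collect_denials(lines).items(), 1):
        source, target, tclass = key
        perms = entry["perms"]
        output = f"{policy}.{i}"
        argv = ["sepolicy-inject", "-s", source, "-t", target, "-c", tclass,
                "-p", ",".join(perms), "-P", current, "-o", output]
        notes = []
        if source in BROAD_SOURCES:
            notes.append(BROAD_SOURCES[source])
        notes += [SENSITIVE_PERMS[(tclass, p)] for p in perms if (tclass, p) in SENSITIVE_PERMS]
        if not entry["enforced"]:
            notes.append("only logged with permissive=1; the access was not blocked")
        steps.append({
            "allow": f"allow {source} {target}:{tclass} {{ {' '.join(perms)} }};",
            # Log fields are untrusted input, so every argument is shell-quoted.
            "command": " ".join(shlex.quote(a) for a in argv),
            "notes": notes,
        })
        current = output
    return steps


if __name__ == "__main__":
    for step in plan(SAMPLE_LOG):
        print(step["allow"])
        print("  " + step["command"])
        for note in step["notes"]:
            print("  review: " + note)
```

Each candidate rule is a starting point for review rather than something to apply wholesale; the notes mark the grants that widen access the most.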
 

moonbutt74

Mikos,

hi , thanks again i got sorted on working with the toolkit :good:

i am 33 permissive domains and numerous modified permissions in and still haven't hit on the right one yet, but i'm having fun.
i am guessing file_lnk or a trans permission is what i should be focusing on ?

a quick question, the policy injection is permanent or do i need to script out an init.rc or init.d function ?

i ask because i did an experiment while in recovery with system mounted to restrict/remove a permission/permissive domain and on rebooting to recovery the change stuck, i modified access to sbin and sure enough after rebooting to recovery i could not run the custom utilities i have installed even with root access.

also i can not access allow/neverallow [av rules] rules when using sesearch, is this an intended limitation, or is there some additional code/patching required?

thanks.

m
 

moonbutt74

Nice tool, thanks. Is there a way to inject new source and target types or is it only possible to expand existing contexts?

C,
hi, you can only work with what's in the policy if i'm doing the following correctly

for -s <source type>
Code:
sepolicy-inject -s hack -t system -c process -p write -P sepolicy -o sepolicy-UNdead
libsepol.policydb_index_others: security:  1 users, 2 roles, 1331 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  86 classes, 15661 rules, 0 cond rules
source type hack does not exist
Could not add rule

same for -t <target type>
Code:
sepolicy-inject -s shell -t hack -c process -p write -P sepolicy -o sepolicy-UNdead
"blah blah"
target type hack does not exist
Could not add rule

NOT the same for -c <class> , with class i was looking through external/sepolicy/security_classes to find a valid class not in policy
# More SE-X Windows stuff
class x_resource # userspace
so

Code:
sepolicy-inject -s shell -t system -c x_resource -p write -P sepolicy -o sepolicy-UNdead
libsepol.policydb_index_others: security:  1 users, 2 roles, 1331 types, 0 bools
libsepol.policydb_index_others: security: 1 sens, 1024 cats
libsepol.policydb_index_others: security:  86 classes, 15661 rules, 0 cond rules

sesearch -A -c x_resource sepolicy-UNdead
Found 1 semantic av rules:
   allow shell system_server : x_resource write ;

so, again i am probably doing the first two wrong but i'm having a difficult time finding out what valid entries i can attempt
for <source> and <target> that aren't in the policy. <class> was easier as i figured there would be any x_window stuff.

m
 

zombiegoaste

In Android 5.0, SELinux is in enforcing mode and sometimes you (or some root application) need to change SELinux policy. There has been only one tool capable of this at runtime - Chainfire's supolicy (part of SuperSU). But this tool is closed source and closed source root apps are a great security risk. So I have fixed and enhanced sepolicy-inject from Joshua Brindle and combined it with setools-android by Dmitry Podgorny (pasis) to make it buildable with Android NDK.

Hi and thank you for the awesome tool!

A little question (probably also a dumb one) - will it work if called for init service, user root group root, default init service context?

Something like

Code:
service humble_sepatcher /system/bin/sh /system/xbin/sepolicy-inject "[ parameters go here I suppose ;) ]"
    user root
    group root
    class core
    oneshot

Usecase:
I want to temporarily switch Selinux to Permissive mode very early in the init sequence (adding early initd to a ROM I don't have sources for)

setenforce and "write /sys/fs/selinux/enforce 0" do not work during init (but after the system boots completely and SUperSu finally does its deed, I can do setenforce 0 and enter permissive mode)

Also, since I am rather lame when it comes to Selinux :( what would be the best way to go about it ? (I suspect that allowing /system/bin/sh and echo to write to /sys/fs/selinux/enforce might be enough, but so far I can't even think of where to start)
 

pittvandewitt

Hello @Mikos,
I was wondering if your tool would get an update to support android 6 and policydb version 30. In the attachment is the error I receive.
 

Attachments

  • Screenshot_20151213-133659.png

brymaster5000

Is there anywhere that explains the usage of the injection tools - specifically how to manipulate the commands to achieve your intent? The instructions are limited and my time with selinux has only just begun and I am having a difficult time getting good search results on making the sepolicy changes I need. I specifically need to create an allowance to let a kernel script run at boot. I currently have a kernel script that gets pushed to the system partition during the flash and runs on boot without superSU installed in marshmallow, but on N-preview it does not run and I get sepolicy denials. If anyone can either give me a few pointers on using this tool, or knows of a good guide somewhere for me to get going - it would be much appreciated. TIA.
 

darkmen

Hi, everyone
This tool is a must-have for the root\kernel devs, but it is so "unfinished"
I have added a few lines of code to make it a powerful and understandable tool.
(#) Usage:
Injecting a rule:
./sepolicy-inject -s <source>[,...] -t <target>[,...] -c <class> -p <perm>[,...] [-N] -P <input> [-o <output>] [-v]
Injecting a rule no-audit (AUDITDENY):
./sepolicy-inject -s <source>[,...] -t <target>[,...] -c <class> -p <perm>[,...] -n [-N] -P <inpit> [-o <output>] [-v]
Change a permissive domain to non-permissive:
./sepolicy-inject -z <type> -P <input> [-o <output>] [-v]
Injecting a permissive domain, create new if missing:
./sepolicy-inject -Z <type> -P <input> [-o <output>] [-v]
Add a type attribute to a domain:
./sepolicy-inject -s <type>[,...] -a <attribute>[,...] -P <input> [-o <output>] [-v]
Remove a type attribute from a domain:
./sepolicy-inject -s <type>[,...] -A <attribute>[,...] -P <input> [-o <output>] [-v]
Add a transition source-->target (class) [new]:
./sepolicy-inject -s <source> -t <target> -c <class> -f <new> -P <input> [-o <output>] [-v]
Test a SELinux type exists:
./sepolicy-inject -e -s <type> -P <input> [-v]
Test a SELinux class exists:
./sepolicy-inject -e -c <class> -P <input> [-v]
Test a SELinux type has attribute:
./sepolicy-inject -e -s <type> -a <attribute> -P <input> [-v]
Test a SELinux type missing attribute:
./sepolicy-inject -e -s <type> -A <attribute> -P <input> [-v]
Use -v for verbose
Use -o for output file, rewriting the input file otherwise

This way it can work like this:
./sepolicy-inject -s system_server,system_app,untrusted_app -t logd -c dir -p search,add_name,remove_name,open,read,write,getattr,setattr,relabelfrom,relabelto -P sepolicy
./sepolicy-inject -n -s shell -t kernel -c system -p module_request,ipc_info,syslog_console -N -P sepolicy
./sepolicy-inject -s shell -a system_domain,mlstrustedsubject -P sepolicy
./sepolicy-inject -s shell -A trstdomain_no_access_subject -P sepolicy
Attaching the source and precompiled cygwin and android binaries
 

Attachments

  • sepolicy-inject.exe.zip
  • sepolicy-inject.c
  • sepolicy-inject.zip
Hi, everyone
This tool is a must-have for the root\kernel devs, but it is so "unfinished"
I have added a few lines of code to make it a powerful and understandable tool.


This way it can work like this:
Attaching the source and precompiled cygwin and android binaries

Hi, I'm using CM14.1 right now, and I am having an issue modifying system files. For example, I am using FasterGPS to modify /system/etc/gps.conf, but FasterGPS failed to modify that file because selinux is enforcing, because FasterGPS is working normally if I set selinux to permissive using command setenforce=0 from root shell...

Can I use this setools-android to add rule(s) to the selinux policy to allow certain apps to modify system files without having to manually set selinux to permissive first?
If I can do that using this tool, how do I do it?

I have logcat from the app with selinux=enforce and selinux=policy to compare:

selinux=enforce
Code:
12-10 20:02:49.309 15389 15389 I FasterGPS: Loading /system/etc/gps.conf...
12-10 20:02:49.336  4598  4598 I MicroDetector: Keeping mic open: false
12-10 20:02:49.336  4598 16532 I DeviceStateChecker: DeviceStateChecker cancelled
12-10 20:02:49.337  4598 16514 I AudioController: internalShutdown
12-10 20:02:49.337  4598 16514 I MicrophoneInputStream: mic_close [email protected]
12-10 20:02:49.337  4598  9769 I MicroRecognitionRunner: Stopping hotword detection.
12-10 20:02:49.341  4598  4598 W SearchService: Abort, client detached.
12-10 20:02:49.353   369   369 I MSM-irqbalance: Decided to move IRQ128 from CPU5 to CPU4
12-10 20:02:49.357  1128 16590 D audio_hw_primary: in_standby: enter: stream (0xf6351f80) usecase(7: audio-record)
12-10 20:02:49.390  1128 16590 D audio_hw_primary: disable_audio_route: reset and update mixer path: audio-record
12-10 20:02:49.391  1128 16590 D hardware_info: hw_info_append_hw_type : device_name = voice-rec-mic
12-10 20:02:49.391  1128 16590 D audio_hw_primary: disable_snd_device: snd_device(66: voice-rec-mic)
12-10 20:02:49.394  1128 16590 D audio_hw_primary: in_set_parameters: enter: kvpairs=routing=0
12-10 20:02:49.397  1981  2106 I ActivityManager: Displayed org.fastergps/.ui.BaseActivity: +189ms
12-10 20:02:49.403  4598 16533 I MicroRecognitionRunner: Detection finished
12-10 20:02:49.406  1128  1326 D audio_hw_primary: adev_close_input_stream: enter:stream_handle(0xf6351f80)
12-10 20:02:49.406  1128  1326 D audio_hw_primary: in_standby: enter: stream (0xf6351f80) usecase(7: audio-record)
12-10 20:02:49.651   372   372 W SurfaceFlinger: couldn't log to binary event log: overflow.
12-10 20:02:49.883 16740 16740 D AndroidRuntime: >>>>>> START com.android.internal.os.RuntimeInit uid 0 <<<<<<
12-10 20:02:49.887 16740 16740 D AndroidRuntime: CheckJNI is OFF
12-10 20:02:49.976 16740 16740 D ICU     : No timezone override file found: /data/misc/zoneinfo/current/icu/icu_tzdata.dat
12-10 20:02:49.975 16740 16740 W main    : type=1400 audit(0.0:207): avc: denied { write } for name="arm64" dev="mmcblk0p31" ino=278530 scontext=u:r:shell:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0
12-10 20:02:49.975 16740 16740 W main    : type=1400 audit(0.0:208): avc: denied { write } for name="arm64" dev="mmcblk0p31" ino=278530 scontext=u:r:shell:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=dir permissive=0
12-10 20:02:50.025 16740 16740 I Radio-JNI: register_android_hardware_Radio DONE
12-10 20:02:50.042 16740 16740 D AndroidRuntime: Calling main entry com.android.commands.am.Am
12-10 20:02:50.045 16757 16757 W main    : type=1400 audit(0.0:209): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
12-10 20:02:50.045 16757 16757 W main    : type=1400 audit(0.0:210): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
12-10 20:02:50.045 16757 16757 W main    : type=1400 audit(0.0:211): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
12-10 20:02:50.045 16757 16757 W main    : type=1400 audit(0.0:212): avc: denied { dac_override } for capability=1 scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0
12-10 20:02:50.081 16740 16740 D AndroidRuntime: Shutting down VM
12-10 20:02:52.089  1981  1981 W WindowManager: Attempted to remove non-existing token: [email protected]
12-10 20:02:53.159  3698  3698 W InputMethodService: Window size has been changed. This may cause jankiness of resizing window: -1 -> -2
12-10 20:02:53.197  3698  3698 I LatinIME: Starting input. Cursor position = 0,0
12-10 20:02:53.333   379   379 E VM_BMS  : failed to set wake_lock rc=-13
12-10 20:02:53.333   379   379 D VM_BMS  : New BMS data - Size=56
12-10 20:02:53.333   379   379 D VM_BMS  : Start process_bms_data
12-10 20:02:53.337   379   379 D VM_BMS  : For batt_temp=338 fcc_mah=4032
12-10 20:02:53.337   379   379 D VM_BMS  : For ocv=4196145 batt_temp=338 soc=86
12-10 20:02:53.337   379   379 D VM_BMS  : fifo_count=5 acc_count=0
12-10 20:02:53.337   379   379 D VM_BMS  : INIT: ocv=4196145 last_ocv=4196145 batt_temp=338 soc=86
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=86 batt_temp=338 slope=11600
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=86 batt_temp=338 rbatt_sf=92
12-10 20:02:53.337   379   379 D VM_BMS  : rbatt_mohm_default=120, rbatt_mohm=110, sf=92 batt_temp=338
12-10 20:02:53.337   379   379 D VM_BMS  : For ocv=4195968 batt_temp=338 soc=85
12-10 20:02:53.337   379   379 D VM_BMS  : FIFO=0 fifo_avg=4.166385 rbatt=0.120000 slope=1.160000 ibatt=0.247261 ocv=4.195968 soc=85 fcc_ah=4.032000 sample_count=128 sample_interval=70 seq_num=80
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=85 batt_temp=338 slope=11600
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=85 batt_temp=338 rbatt_sf=93
12-10 20:02:53.337   379   379 D VM_BMS  : rbatt_mohm_default=120, rbatt_mohm=111, sf=93 batt_temp=338
12-10 20:02:53.337   379   379 D VM_BMS  : For ocv=4195738 batt_temp=338 soc=85
12-10 20:02:53.337   379   379 D VM_BMS  : FIFO=1 fifo_avg=4.156925 rbatt=0.121000 slope=1.160000 ibatt=0.321717 ocv=4.195738 soc=85 fcc_ah=4.032000 sample_count=128 sample_interval=70 seq_num=80
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=85 batt_temp=338 slope=11600
12-10 20:02:53.337   379   379 D VM_BMS  : For soc=85 batt_temp=338 rbatt_sf=93
12-10 20:02:53.338   379   379 D VM_BMS  : rbatt_mohm_default=120, rbatt_mohm=111, sf=93 batt_temp=338
12-10 20:02:53.338   379   379 D VM_BMS  : For ocv=4195592 batt_temp=338 soc=85
12-10 20:02:53.338   379   379 D VM_BMS  : FIFO=2 fifo_avg=4.171121 rbatt=0.121000 slope=1.160000 ibatt=0.202844 ocv=4.195592 soc=85 fcc_ah=4.032000 sample_count=128 sample_interval=70 seq_num=80
12-10 20:02:53.338   379   379 D VM_BMS  : For soc=85 batt_temp=338 slope=11600
12-10 20:02:53.338   379   379 D VM_BMS  : For soc=85 batt_temp=338 rbatt_sf=93
12-10 20:02:53.338   379   379 D VM_BMS  : rbatt_mohm_default=120, rbatt_mohm=111, sf=93 batt_temp=338
12-10 20:02:53.338   379   379 D VM_BMS  : For ocv=4195721 batt_temp=338 soc=85
12-10 20:02:53.338   379   379 D VM_BMS  : FIFO=3 fifo_avg=4.217594 rbatt=0.121000 slope=1.160000 ibatt=-0.181300 ocv=4.195722 soc=85 fcc_ah=4.032000 sample_count=128 sample_interval=70 seq_num=80
12-10 20:02:53.338   379   379 D VM_BMS  : For soc=85 batt_temp=338 slope=11600
12-10 20:02:53.338   379   379 D VM_BMS  : For soc=85 batt_temp=338 rbatt_sf=93
12-10 20:02:53.338   379   379 D VM_BMS  : rbatt_mohm_default=120, rbatt_mohm=111, sf=93 batt_temp=338
12-10 20:02:53.338   379   379 D VM_BMS  : For ocv=4195817 batt_temp=338 soc=85
12-10 20:02:53.338   379   379 D VM_BMS  : FIFO=4 fifo_avg=4.211973 rbatt=0.121000 slope=1.160000 ibatt=-0.133918 ocv=4.195817 soc=85 fcc_ah=4.032000 sample_count=128 sample_interval=70 seq_num=80
12-10 20:02:53.338   379   379 I VM_BMS  : power_supply_update: ocv_uv=4195817 ibatt=-133918 soc=85 seq_num=80
12-10 20:02:53.338   379   379 D VM_BMS  : End process_bms_data
12-10 20:02:53.338   379   379 E VM_BMS  : failed to wake_unlock rc=-13
12-10 20:02:53.540   380   498 I ThermalEngine: TM Id 'CHARGING_MONITOR' Sensor 'pop_mem' - alarm raised 1 at 43.0 degC
12-10 20:02:53.540   380   498 E ThermalEngine: Unable to set battery charging mitigation to 1
12-10 20:02:54.353   369   369 I MSM-irqbalance: Decided to move IRQ166 from CPU5 to CPU4
12-10 20:02:54.359 11980 13827 I PlayCommon: [497] com.google.android.play.a.g.e(900): Preparing logs for uploading
12-10 20:02:54.360 11980 13827 I PlayCommon: [497] com.google.android.play.a.g.e(902): No file ready to send
12-10 20:02:54.803 11980 12020 I PlayCommon: [444] com.google.android.play.a.g.e(900): Preparing logs for uploading
12-10 20:02:54.804 11980 12020 I PlayCommon: [444] com.google.android.play.a.g.e(902): No file ready to send
12-10 20:02:55.638 15389 15389 W IInputConnectionWrapper: finishComposingText on inactive InputConnection
12-10 20:02:55.638 15389 15389 W IInputConnectionWrapper: finishComposingText on inactive InputConnection
12-10 20:02:55.639  3698  3698 W InputMethodService: Window size has been changed. This may cause jankiness of resizing window: -1 -> -2
12-10 20:02:55.640 15389 15389 W IInputConnectionWrapper: finishComposingText on inactive InputConnection
12-10 20:02:58.920  1981  4461 W InputMethodManagerService: Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected]
12-10 20:02:59.354   369   369 I MSM-irqbalance: Decided to move IRQ155 from CPU7 to CPU4
12-10 20:03:04.353   369   369 I MSM-irqbalance: Decided to move IRQ215 from CPU7 to CPU6
12-10 20:03:06.102 15389 15389 W InputEventReceiver: Attempted to finish an input event but the input event receiver has already been disposed.
12-10 20:03:06.102 15389 15389 I FasterGPS: Writing gps.conf to private files...
12-10 20:03:06.108 16797 16797 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:03:06.108 16797 16797 W linker  : Warning: unable to normalize "null"
12-10 20:03:06.145 15389 15389 I FasterGPS: Remounting for RW...
12-10 20:03:06.149 16807 16807 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:03:06.149 16807 16807 W linker  : Warning: unable to normalize "null"
12-10 20:03:06.215 15389 15389 W org.fastergps: type=1400 audit(0.0:213): avc: denied { read } for name="RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0
12-10 20:03:06.225 15389 15389 E RootCommands: Exception
12-10 20:03:06.225 15389 15389 E RootCommands: java.io.FileNotFoundException: /data/local/RootToolsMounts (Permission denied)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at java.io.FileInputStream.open(Native Method)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at java.io.FileInputStream.<init>(FileInputStream.java:146)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at java.io.FileInputStream.<init>(FileInputStream.java:99)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at java.io.FileReader.<init>(FileReader.java:58)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at org.sufficientlysecure.rootcommands.Remounter.getMounts(Remounter.java:173)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at org.sufficientlysecure.rootcommands.Remounter.remount(Remounter.java:66)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at org.sufficientlysecure.rootcommands.Toolbox.remount(Toolbox.java:733)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at org.fastergps.util.Utils.writeConfig(Utils.java:241)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at org.fastergps.ui.BaseActivity$2.onPreferenceChange(BaseActivity.java:250)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.preference.Preference.callChangeListener(Preference.java:939)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.preference.ListPreference.onDialogClosed(ListPreference.java:282)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.preference.DialogPreference.onDismiss(DialogPreference.java:402)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.app.Dialog$ListenersHandler.handleMessage(Dialog.java:1343)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.os.Handler.dispatchMessage(Handler.java:102)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.os.Looper.loop(Looper.java:154)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at android.app.ActivityThread.main(ActivityThread.java:6126)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at java.lang.reflect.Method.invoke(Native Method)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:886)
12-10 20:03:06.225 15389 15389 E RootCommands: 	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:776)
12-10 20:03:06.225 15389 15389 E FasterGPS: remount failed!


selinux=permissive
Code:
12-10 20:19:13.707  9292  9292 I FasterGPS: Loading /system/etc/gps.conf...
12-10 20:19:13.774  9292  9324 I Adreno  : QUALCOMM build                   : d842ad3, Ia10634f51b
12-10 20:19:13.774  9292  9324 I Adreno  : Build Date                       : 01/04/16
12-10 20:19:13.774  9292  9324 I Adreno  : OpenGL ES Shader Compiler Version: XE031.06.00.05
12-10 20:19:13.774  9292  9324 I Adreno  : Local Branch                     : mybranch17585849
12-10 20:19:13.774  9292  9324 I Adreno  : Remote Branch                    : quic/LA.BR.1.2.6_rb1.7
12-10 20:19:13.774  9292  9324 I Adreno  : Remote Branch                    : NONE
12-10 20:19:13.774  9292  9324 I Adreno  : Reconstruct Branch               : NOTHING
12-10 20:19:13.780  9292  9324 I OpenGLRenderer: Initialized EGL, version 1.4
12-10 20:19:13.780  9292  9324 D OpenGLRenderer: Swap behavior 1
12-10 20:19:13.851  1277  1305 I ActivityManager: Displayed org.fastergps/.ui.BaseActivity: +459ms
12-10 20:19:13.886   371   371 W SurfaceFlinger: couldn't log to binary event log: overflow.
12-10 20:19:13.919   388   511 I ThermalEngine: TM Id 'CHARGING_MONITOR' Sensor 'pop_mem' - alarm raised 2 at 45.0 degC
12-10 20:19:13.920   388   511 E ThermalEngine: Unable to set battery charging mitigation to 2
12-10 20:19:14.273  9322  9322 D AndroidRuntime: >>>>>> START com.android.internal.os.RuntimeInit uid 0 <<<<<<
12-10 20:19:14.277  9322  9322 D AndroidRuntime: CheckJNI is OFF
12-10 20:19:14.422  9322  9322 I main    : type=1400 audit(0.0:26): avc: denied { execmem } for scontext=u:r:zygote:s0 tcontext=u:r:zygote:s0 tclass=process permissive=1
12-10 20:19:14.422  9322  9322 I main    : type=1400 audit(0.0:27): avc: denied { execute } for path="/dev/ashmem" dev="tmpfs" ino=5858 scontext=u:r:zygote:s0 tcontext=u:object_r:ashmem_device:s0 tclass=chr_file permissive=1
12-10 20:19:14.422  9322  9322 I main    : type=1400 audit(0.0:28): avc: denied { execute } for path=2F6465762F6173686D656D2F64616C76696B2D6A69742D636F64652D6361636865202864656C6574656429 dev="tmpfs" ino=85393 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_tmpfs:s0 tclass=file permissive=1
12-10 20:19:14.448  9322  9322 D ICU     : No timezone override file found: /data/misc/zoneinfo/current/icu/icu_tzdata.dat
--------- beginning of crash
12-10 20:19:14.471  9328  9328 F libc    : CANNOT LINK EXECUTABLE "/system/bin/dex2oat": "/system/lib64/libsigchain.so" is 64-bit instead of 32-bit
12-10 20:19:14.471  9328  9328 F libc    : Fatal signal 6 (SIGABRT), code -6 in tid 9328 (dex2oat)
12-10 20:19:14.478   243   243 W         : debuggerd: handling request: pid=9328 uid=0 gid=0 tid=9328
12-10 20:19:14.544  9329  9329 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-10 20:19:14.544  9329  9329 F DEBUG   : CM Version: '14.1-20161210-NIGHTLY-ido'
12-10 20:19:14.544  9329  9329 F DEBUG   : Build fingerprint: 'Xiaomi/cm_ido/ido:7.1.1/NMF26O/40801d0bc7:userdebug/test-keys'
12-10 20:19:14.544  9329  9329 F DEBUG   : Revision: '0'
12-10 20:19:14.544  9329  9329 F DEBUG   : ABI: 'arm'
12-10 20:19:14.545  9329  9329 F DEBUG   : pid: 9328, tid: 9328, name: dex2oat  >>> /system/bin/dex2oat <<<
12-10 20:19:14.545  9329  9329 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-10 20:19:14.545  9329  9329 F DEBUG   :     r0 00000000  r1 00002470  r2 00000006  r3 00000008
12-10 20:19:14.545  9329  9329 F DEBUG   :     r4 f744258c  r5 00000006  r6 f7442534  r7 0000010c
12-10 20:19:14.545  9329  9329 F DEBUG   :     r8 fff2ea58  r9 00000001  sl fff2ea80  fp f73d0010
12-10 20:19:14.545  9329  9329 F DEBUG   :     ip 00000002  sp fff2e9f0  lr f7422d5f  pc f7423778  cpsr 200f0010
12-10 20:19:14.559  9329  9329 F DEBUG   : 
12-10 20:19:14.559  9329  9329 F DEBUG   : backtrace:
12-10 20:19:14.562  9329  9329 F DEBUG   :     #00 pc 00046778  /system/bin/linker (__dl_tgkill+12)
12-10 20:19:14.562  9329  9329 F DEBUG   :     #01 pc 00045d5b  /system/bin/linker (__dl_pthread_kill+34)
12-10 20:19:14.562  9329  9329 F DEBUG   :     #02 pc 0003e0ff  /system/bin/linker (__dl_raise+10)
12-10 20:19:14.562  9329  9329 F DEBUG   :     #03 pc 0003cbbb  /system/bin/linker (__dl___libc_android_abort+34)
12-10 20:19:14.562  9329  9329 F DEBUG   :     #04 pc 0003bb18  /system/bin/linker (__dl_abort+4)
12-10 20:19:14.563  9329  9329 F DEBUG   :     #05 pc 0003dbfb  /system/bin/linker (__dl___libc_fatal+22)
12-10 20:19:14.563  9329  9329 F DEBUG   :     #06 pc 00009c47  /system/bin/linker (__dl__ZL29__linker_init_post_relocationR19KernelArgumentBlockj+3146)
12-10 20:19:14.563  9329  9329 F DEBUG   :     #07 pc 00008f67  /system/bin/linker (__dl___linker_init+358)
12-10 20:19:14.563  9329  9329 F DEBUG   :     #08 pc 000027c0  /system/bin/linker (_start+4)
12-10 20:19:14.604  1277  2062 W NativeCrashListener: Couldn't find ProcessRecord for pid 9328
12-10 20:19:14.607   243   243 W         : debuggerd: resuming target 9328
12-10 20:19:14.607   243   243 E         : debuggerd: failed to send signal 18 to target: No such process
12-10 20:19:14.614  1277  1302 I BootReceiver: Copying /data/tombstones/tombstone_01 to DropBox (SYSTEM_TOMBSTONE)
12-10 20:19:14.622  9322  9322 W art     : Failed execv(/system/bin/dex2oat --runtime-arg -classpath --runtime-arg /system/framework/am.jar --instruction-set=arm64 --instruction-set-features=smp,a53 --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=cortex-a53 --instruction-set-features=default --no-watch-dog --dex-file=/system/framework/am.jar --oat-fd=11 --oat-location=/data/dalvik-cache/arm64/[email protected]@[email protected] --compiler-filter=speed) because non-0 exit status
12-10 20:19:14.690  9322  9322 I Radio-JNI: register_android_hardware_Radio DONE
12-10 20:19:14.715  9322  9322 D AndroidRuntime: Calling main entry com.android.commands.am.Am
12-10 20:19:14.733   370   370 E SELinux : avc:  denied  { find } for service=activity pid=9322 uid=0 scontext=u:r:zygote:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
12-10 20:19:14.734   370   370 E SELinux : avc:  denied  { find } for service=package pid=9322 uid=0 scontext=u:r:zygote:s0 tcontext=u:object_r:package_service:s0 tclass=service_manager permissive=1
12-10 20:19:14.732  9322  9322 I main    : type=1400 audit(0.0:29): avc: denied { call } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
12-10 20:19:14.732  9322  9322 I main    : type=1400 audit(0.0:30): avc: denied { transfer } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
12-10 20:19:14.762  3169  3169 I Binder:1277_7: type=1400 audit(0.0:31): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:zygote:s0 tclass=binder permissive=1
12-10 20:19:14.774  9322  9322 D AndroidRuntime: Shutting down VM
12-10 20:19:16.169   368   368 I MSM-irqbalance: Decided to move IRQ166 from CPU7 to CPU6
12-10 20:19:16.789  1277  1277 W WindowManager: Attempted to remove non-existing token: [email protected]
12-10 20:19:16.979   388   511 I ThermalEngine: TM Id 'CHARGING_MONITOR' Sensor 'pop_mem' - alarm cleared 2 at 43.0 degC
12-10 20:19:16.979   388   511 E ThermalEngine: Unable to set battery charging mitigation to 1
12-10 20:19:18.558  3073  3497 E ctxmgr  : [ProducerActiveIntervalImpl]closeActiveInterval: Error: ongoing, trying to close
12-10 20:19:18.593  3073  5394 I PlaceInferenceEngine: [anon] Setup for configuration 105:[]
12-10 20:19:18.593  3073  5394 I PlaceInferenceEngine: [anon] Active modules after start(): 0
12-10 20:19:21.168   368   368 I MSM-irqbalance: Decided to move IRQ155 from CPU7 to CPU6
12-10 20:19:22.869  9292  9292 W InputEventReceiver: Attempted to finish an input event but the input event receiver has already been disposed.
12-10 20:19:22.878  1277  6085 W InputMethodManagerService: Window already focused, ignoring focus gain of: [email protected] attribute=null, token = [email protected]
12-10 20:19:26.168   368   368 I MSM-irqbalance: Decided to move IRQ57 from CPU7 to CPU6
12-10 20:19:27.781   388   513 I ThermalEngine: Mitigation:CLUSTER[1]:1459200 Khz
12-10 20:19:28.486  9292  9292 W InputEventReceiver: Attempted to finish an input event but the input event receiver has already been disposed.
12-10 20:19:28.486  9292  9292 I FasterGPS: Writing gps.conf to private files...
12-10 20:19:28.493  9371  9371 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:28.493  9371  9371 W linker  : Warning: unable to normalize "null"
12-10 20:19:28.529  9292  9292 I FasterGPS: Remounting for RW...
12-10 20:19:28.532  9381  9381 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:28.532  9381  9381 W linker  : Warning: unable to normalize "null"
12-10 20:19:28.602  9292  9292 I org.fastergps: type=1400 audit(0.0:32): avc: denied { read } for name="RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
12-10 20:19:28.602  9292  9292 I org.fastergps: type=1400 audit(0.0:33): avc: denied { getattr } for path="/data/local/RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
12-10 20:19:28.612  9394  9394 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:28.613  9394  9394 W linker  : Warning: unable to normalize "null"
12-10 20:19:28.702   388   511 I ThermalEngine: TM Id 'CHARGING_MONITOR' Sensor 'pop_mem' - alarm raised 2 at 45.0 degC
12-10 20:19:28.702   388   511 E ThermalEngine: Unable to set battery charging mitigation to 2
12-10 20:19:28.715  9407  9407 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:28.715  9407  9407 W linker  : Warning: unable to normalize "null"
12-10 20:19:28.815  9421  9421 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:28.815  9421  9421 W linker  : Warning: unable to normalize "null"
12-10 20:19:29.039  9438  9438 E linker  : normalize_path - invalid input: "null", the input path should be absolute
12-10 20:19:29.039  9438  9438 W linker  : Warning: unable to normalize "null"
12-10 20:19:29.122  9292  9292 I FasterGPS: Copying gps.conf from private files to system partition...
12-10 20:19:29.124  9378  9378 D AndroidRuntime: >>>>>> START com.android.internal.os.RuntimeInit uid 0 <<<<<<
12-10 20:19:29.128  9378  9378 D AndroidRuntime: CheckJNI is OFF
12-10 20:19:29.161  9292  9292 I FasterGPS: Remounting back to RO...


--------------------- update ---------------------

I tried one of your example commands and I get this error:
Code:
1|ido:/system/xbin # ./sepolicy-inject -e -c untrusted_app -P /sepolicy -v                                                                           
libsepol.avtab_read_item: more than one specifier
libsepol.avtab_read: failed on entry 100 of 19609
error(s) encountered while parsing configuration
Could not load policy
Failed
 

Top Liked Posts

    2
    Hi, everyone
    This tool is a must-have for the root\kernel devs, but it is so "unfinished".
    I have added a few lines of code to make it a powerful and understandable tool.
    (#) Usage:
    Injecting a rule:
    ./sepolicy-inject -s <source>[,...] -t <target>[,...] -c <class> -p <perm>[,...] [-N] -P <input> [-o <output>] [-v]
    Injecting a rule no-audit (AUDITDENY):
    ./sepolicy-inject -s <source>[,...] -t <target>[,...] -c <class> -p <perm>[,...] -n [-N] -P <input> [-o <output>] [-v]
    Change a permissive domain to non-permissive:
    ./sepolicy-inject -z <type> -P <input> [-o <output>] [-v]
    Injecting a permissive domain, create new if missing:
    ./sepolicy-inject -Z <type> -P <input> [-o <output>] [-v]
    Add a type attribute to a domain:
    ./sepolicy-inject -s <type>[,...] -a <attribute>[,...] -P <input> [-o <output>] [-v]
    Remove a type attribute from a domain:
    ./sepolicy-inject -s <type>[,...] -A <attribute>[,...] -P <input> [-o <output>] [-v]
    Add a transition source-->target (class) [new]:
    ./sepolicy-inject -s <source> -t <target> -c <class> -f <new> -P <input> [-o <output>] [-v]
    Test a SELinux type exists:
    ./sepolicy-inject -e -s <type> -P <input> [-v]
    Test a SELinux class exists:
    ./sepolicy-inject -e -c <class> -P <input> [-v]
    Test a SELinux type has attribute:
    ./sepolicy-inject -e -s <type> -a <attribute> -P <input> [-v]
    Test a SELinux type missing attribute:
    ./sepolicy-inject -e -s <type> -A <attribute> -P <input> [-v]
    Use -v for verbose
    Use -o for output file, rewriting the input file otherwise

    This way it can work like this:
    ./sepolicy-inject -s system_server,system_app,untrusted_app -t logd -c dir -p search,add_name,remove_name,open,read,write,getattr,setattr,relabelfrom,relabelto -P sepolicy
    ./sepolicy-inject -n -s shell -t kernel -c system -p module_request,ipc_info,syslog_console -N -P sepolicy
    ./sepolicy-inject -s shell -a system_domain,mlstrustedsubject -P sepolicy
    ./sepolicy-inject -s shell -A trstdomain_no_access_subject -P sepolicy
    Attaching the source and precompiled cygwin and android binaries
    2
    I have published new version 1.3 which should now work without problems on Android N (and hopefully also on Android O, but I haven't tested it yet).
    1
    @pittvandewitt I have uploaded new version 1.2 which does support policydb version 30 (Android 6) and also supports 64-bit architectures (arm64-v8a, mips64, x86_64).
    1
    Is there anywhere that explains the usage of the injection tools - specifically how to manipulate the commands to achieve your intent? The instructions are limited and my time with selinux has only just begun and I am having a difficult time getting good search results on making the sepolicy changes I need. I specifically need to create an allowance to let a kernel script run at boot. I currently have a kernel script that gets pushed to the system partition during the flash and runs on boot without superSU installed in marshmallow, but on N-preview it does not run and I get sepolicy denials. If anyone can either give me a few pointers on using this tool, or knows of a good guide somewhere for me to get going - it would be much appreciated. TIA.
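For the question above about turning logged denials into rules, here is an added example (not code from the thread or from the setools-android project). It parses `avc: denied` lines such as those in the logcat posted earlier in this thread and renders one sepolicy-inject call per source type, target type and class, using the -s/-t/-c/-p/-l syntax from the first post. The function names and the choice of Python are assumptions of this example.

```python
import re

# Lines copied from the logcat posted in this thread (last one is not a denial).
SAMPLE_LOG = """\
12-10 20:19:14.733   370   370 E SELinux : avc:  denied  { find } for service=activity pid=9322 uid=0 scontext=u:r:zygote:s0 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
12-10 20:19:14.732  9322  9322 I main    : type=1400 audit(0.0:29): avc: denied { call } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
12-10 20:19:14.732  9322  9322 I main    : type=1400 audit(0.0:30): avc: denied { transfer } for scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=1
12-10 20:19:28.602  9292  9292 I org.fastergps: type=1400 audit(0.0:32): avc: denied { read } for name="RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
12-10 20:19:28.602  9292  9292 I org.fastergps: type=1400 audit(0.0:33): avc: denied { getattr } for path="/data/local/RootToolsMounts" dev="mmcblk0p31" ino=565251 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
12-10 20:19:28.493  9371  9371 W linker  : Warning: unable to normalize "null"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    # A context is user:role:type:level[:categories]; a rule names the type.
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied perms by (source type, target type, class).

    Each value is [perms, blocked]; blocked is True if any matching denial
    lacked permissive=1, i.e. the kernel actually refused the access.
    """
    rules = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["c"])
        entry = rules.setdefault(key, [[], False])
        entry[0] += [p for p in m["perms"].split() if p not in entry[0]]
        entry[1] = entry[1] or m["permissive"] != "1"
    return rules

def to_commands(rules, options="-l"):
    """Render one sepolicy-inject call per rule, using the thread's syntax."""
    return [
        f"sepolicy-inject -s {s} -t {t} -c {c} -p {','.join(perms)} {options}"
        for (s, t, c), (perms, _blocked) in rules.items()
    ]

if __name__ == "__main__":
    for cmd in to_commands(parse_denials(SAMPLE_LOG)):
        print(cmd)
```

Every sample denial carries permissive=1, so the access was logged but not refused. The `blocked` flag separates such entries from denials that were actually enforced, and a rule for a broad domain such as untrusted_app applies to every app running in that domain.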