a question on the security of NativeActivity


Tez

Dec 18, 2010, 4:12:42 PM
to android-ndk
Since the NDK allows Native Activities and the ability to perform
certain operations that require permissions, like record audio
(android.permission.RECORD_AUDIO), how are these permissions enforced
on native code?

Dianne Hackborn

Dec 18, 2010, 4:58:49 PM
to andro...@googlegroups.com
Native code is no different from code running under the Dalvik VM.  All security in Android is enforced at the kernel level through processes and uids.


--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To post to this group, send email to andro...@googlegroups.com.
To unsubscribe from this group, send email to android-ndk...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-ndk?hl=en.
--
Dianne Hackborn
Android framework engineer
hac...@android.com

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails.  All such questions should be posted on public forums, where I and others can see and answer them.

Tez

Dec 18, 2010, 5:10:48 PM
to android-ndk
Process isolation with unique uids is fine.
But permissions are related to package manifests and are verified by
checkPermission at the framework level.
What would be the permission verification mechanism for native code
that wants to perform a sensitive operation?
(I think I've missed a crucial part in my understanding somewhere.)


Tim Mensch

Dec 18, 2010, 5:34:55 PM
to andro...@googlegroups.com

On 12/18/2010 3:10 PM, Tez wrote:
> process isolation with unique uids is fine.
> but permissions are related to package manifests and are verified by
> checkPermission at the framework level.
> What would be the permission verification mechanism for native code
> that wants to perform a sensitive operation?
> (I think i;'ve missed a crucial part in my understanding somewhere)

The existence of checkPermission() doesn't contradict what Dianne said;
it's just a way to query at the application level what permissions are
set for you or for a package.

Imagine that the framework queries all possible permissions before
running your app, and then sets kernel flags on a structure passed as
part of some_kernel_exec_call() that enables, for that child process,
the permissions your application has requested. Then the kernel can
enforce those permissions, right? Which is what Dianne just told you?

I haven't looked to see how things work, but that's at least one path
those permissions could take from the framework into the kernel. There
could be others.

Tim

Tez

Dec 18, 2010, 6:10:17 PM
to android-ndk
But, since checkPermission is called during the operation of the
application/components of the process that hosts it, I am inclined to
think that permission is verified DURING an attempt to perform a sensitive
operation.
From the code, I see checks performed that would be called just before
a sensitive operation is performed.
In the case of native code, how will this happen?


Dianne Hackborn

Dec 18, 2010, 6:57:56 PM
to andro...@googlegroups.com
It will happen wherever a permission check needs to be done, where it is safe to do so.  (Or in many places security is enforced through uids or gids.)

Native code is as secure as code running in the Dalvik VM.  If there is something specific you are wondering about, you can go look at the code for it to see what it does.

--
Dianne Hackborn
Android framework engineer

David Turner

Dec 19, 2010, 2:33:19 AM
to andro...@googlegroups.com

I believe permissions are checked in the VM to generate user-friendly exceptions that will tell the developer why they can't do something.

Otherwise, all you'll get is a simple EPERM error from the kernel, which won't be very helpful to understand the root cause of the problem.

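As an added illustration of the two points above (not code from the thread or from Android itself): native code that attempts a guarded operation gets only the kernel's errno back, and the only thing it can introspect is its own uid/gid set. The block assumes Android's behaviour of granting INTERNET by placing the app process in the "inet" supplementary group, with AID_INET = 3003 taken from android_filesystem_config.h; on a desktop Linux host the socket probe simply succeeds.

```c
/* Added example (not from the thread): what native code actually sees when
 * the kernel, not the framework, enforces a permission. On Android the
 * INTERNET permission is granted by putting the app's process in the "inet"
 * supplementary group; without it socket() fails with EACCES and no Java
 * exception explains why. AID_INET = 3003 is taken from Android's
 * android_filesystem_config.h (an assumption about the platform, not this thread). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_INET 3003  /* Android "inet" gid; assumption, see lead-in */

/* Return 1 if the calling process carries gid g (effective or supplementary). */
int has_gid(gid_t g) {
    if (getegid() == g) return 1;
    gid_t groups[128];
    int n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);
    for (int i = 0; i < n; i++)
        if (groups[i] == g) return 1;
    return 0;
}

/* Try the guarded operation; return 0 on success, else the errno the kernel gave. */
int probe_inet_socket(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Turn a bare kernel error into the diagnosis a Java caller would have got
 * from the framework. Returns 1 if the error looks like a permission denial. */
int explain_denial(int err, char *buf, size_t len) {
    if (err == 0) { snprintf(buf, len, "allowed"); return 0; }
    if (err == EACCES || err == EPERM) {
        snprintf(buf, len, "denied by kernel (%s); process %s gid %d",
                 strerror(err), has_gid(AID_INET) ? "has" : "lacks", AID_INET);
        return 1;
    }
    snprintf(buf, len, "failed for another reason: %s", strerror(err));
    return 0;
}

int main(void) {
    char msg[160];
    explain_denial(probe_inet_socket(), msg, sizeof msg);
    printf("socket(AF_INET): %s\n", msg);
    return 0;
}
```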

Chen Yang

Dec 19, 2010, 9:23:21 AM
to andro...@googlegroups.com
One related question:
How is the NativeActivity process created? Also derived from zygote?
Thanks.
--
Chen

Dianne Hackborn

Dec 20, 2010, 6:01:32 PM
to andro...@googlegroups.com
There is nothing special about NativeActivity.  It is just a helper for taking care of all of the JNI to interact with native code.
Dianne Hackborn
Android framework engineer
hac...@android.com

Tez

Dec 21, 2010, 10:51:02 AM
to android-ndk
Aah okay... so it functions just by proxying calls of the lifecycle
methods in Java to C?


Dianne Hackborn

Dec 21, 2010, 7:18:38 PM
to andro...@googlegroups.com
Basically, yes.  The GB code is available -- have a look at it if you want to see exactly how it is implemented.

--
Dianne Hackborn
Android framework engineer
hac...@android.com