Why are mounts only visible to root (Android 4.4 KitKat KRT16M - on Nexus 5)


zc
Nov 21, 2013, 8:28:28 AM
to android...@googlegroups.com
Environment:
  • Android build: 4.4 KitKat (KRT16M), Google factory image
  • Device: Nexus 5
  • Shell: ADB
Problem:
When I mount a new filesystem in the "adb shell" as root, the mount point is only visible to root (the user/process that created it).

Question:
Does anyone know why, and how to work around it?

Example:
user@ubuntu:~$ android/android-sdk-linux/platform-tools/adb shell
shell@hammerhead:/ $ su
root@hammerhead:/ # mount -o rw,remount /
root@hammerhead:/ # mkdir /mnt/test
root@hammerhead:/ # chown media_rw:media_rw /mnt/test/
root@hammerhead:/ # chmod 777 /mnt/test/
root@hammerhead:/ # busybox mount --bind /mnt/sdcard/ /mnt/test
root@hammerhead:/ # ls /mnt/test/ -la
drwxrwx--- root sdcard_r 2013-11-06 14:10 .MySecurityData
-rw-rw---- root sdcard_r 33 2013-11-20 18:17 .bugsense
drwxrwx--- root sdcard_r 2013-11-21 14:00 .estrongs
drwxrwx--- root sdcard_r 1970-01-02 01:01 Alarms
drwxrwx--x root sdcard_r 2013-11-06 01:12 Android
drwxrwx--- root sdcard_r 2013-11-12 18:10 DCIM
drwxrwx--- root sdcard_r 2013-11-18 23:38 Download
...
root@hammerhead:/ # exit
shell@hammerhead:/ $ ls /mnt/test -la
shell@hammerhead:/ $ 
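
A diagnostic for the symptom above, added here as an example and not part of the original post: it tells a mount that is simply absent from the caller's mount namespace apart from a permission problem. A DAC or SELinux denial on the directory returns an error ("Permission denied"), whereas a mount that exists only in another process's namespace shows the underlying, empty directory with no error at all. The script compares the mount namespace of two PIDs through /proc/PID/ns/mnt (readable for your own processes, and for every process as root) and reads the propagation flags (shared/master/private) of a mount point from a /proc/PID/mountinfo file. The three mountinfo lines at the bottom are constructed, not captured from a device; `/mnt/test` is the path from the post, and the TMPDIR default is an assumption (on a device set TMPDIR to something writable such as /data/local/tmp).

```shell
#!/bin/sh
# Added example, not from the thread: mount-namespace diagnostics.
# Runs on any Linux with /proc; under "adb shell" change the shebang to
# /system/bin/sh (busybox or toolbox supply awk and readlink).

# same_mnt_ns PID1 PID2 -> 0 when both PIDs are in one mount namespace,
# 1 when they are not, 2 when /proc/PID/ns/mnt cannot be read (own the
# process or be root). Equal link targets ("mnt:[4026531840]") mean the
# same namespace.
same_mnt_ns() {
    a=$(readlink "/proc/$1/ns/mnt" 2>/dev/null) || return 2
    b=$(readlink "/proc/$2/ns/mnt" 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# mount_propagation MOUNTINFO_FILE MOUNTPOINT
# Prints the propagation fields of the mount on MOUNTPOINT as seen by the
# process that owns the mountinfo file: "shared:N", "master:N" (a slave of
# peer group N), possibly both, "private" when the mount carries no such
# field, or "absent" when nothing is mounted there in that namespace.
# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            found = 1; out = ""
            for (i = 7; i <= NF && $i != "-"; i++) out = out (out == "" ? "" : " ") $i
            print (out == "" ? "private" : out)
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# visibility_verdict MOUNTINFO_FILE MOUNTPOINT -> one line answering the
# question of the post for that namespace's view of MOUNTPOINT.
visibility_verdict() {
    p=$(mount_propagation "$1" "$2")
    case "$p" in
        absent)   echo "$2: no mount in this namespace (an empty listing, not a denial)" ;;
        private)  echo "$2: private mount, it propagates nowhere" ;;
        *master*) echo "$2: slave mount ($p), receives mounts from its master but sends none back" ;;
        *shared*) echo "$2: shared mount ($p), mounts under it propagate to its peers" ;;
        *)        echo "$2: $p" ;;
    esac
}

# Constructed sample, not captured from a device: a root namespace with a
# shared "/" and the emulated-storage FUSE mount, whose /storage/emulated/0
# view is a slave. /mnt/test is not listed, which is how the bind mount from
# the post would look from a namespace it was not made in.
SAMPLE="${TMPDIR:-/tmp}/mountinfo.sample.$$"
cat > "$SAMPLE" <<'EOF'
1 1 0:1 / / rw shared:1 - rootfs rootfs rw
21 1 0:16 / /mnt/shell/emulated rw,nosuid,nodev,relatime shared:9 - fuse /dev/fuse rw,user_id=1023,group_id=1023
29 21 0:16 /0 /storage/emulated/0 rw,nosuid,nodev,relatime master:9 - fuse /dev/fuse rw,user_id=1023,group_id=1023
EOF

visibility_verdict "$SAMPLE" /storage/emulated/0
visibility_verdict "$SAMPLE" /mnt/test

# Live checks: this shell's own view of /mnt/test, and whether this shell
# shares init's (PID 1) mount namespace. Run once from the su shell and once
# as the plain "shell" user and compare the answers.
visibility_verdict /proc/self/mountinfo /mnt/test
same_mnt_ns $$ 1; rc=$?
case $rc in
    0) echo "this shell shares init's mount namespace" ;;
    2) echo "cannot read /proc/1/ns/mnt from here (need root)" ;;
    *) echo "this shell is in a different mount namespace from init" ;;
esac
```

If the su shell reports a different namespace from init while the mount shows as "absent" in /proc/1/mountinfo, the mount was made in a namespace nobody else is in, and no SELinux rule will make it appear elsewhere; if both views list the mount and unprivileged access still fails, look for a denial instead.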

zc
Dec 3, 2013, 5:23:56 AM
to android...@googlegroups.com
I've also tried this with an AVD ("Android 4.4 - API Level 19"), but since "adb shell" is only possible as "root" on an AVD, I installed a file manager APK to verify the result.

So I did the following:
user@ubuntu:~$ emulator -avd KitKat
user@ubuntu:~$ adb install <a FileManager APK>
user@ubuntu:~$ adb shell
root@generic:/ # mount -o rw,remount /
root@generic:/ # mkdir /mnt/test
root@generic:/ # chown media_rw:media_rw /mnt/test/
root@generic:/ # chmod 777 /mnt/test
root@generic:/ # mount -o bind /mnt/sdcard/ /mnt/test/

The files in "/mnt/test/" show up in the FileManager.

So is this a "problem" specific to the kernel running on the Nexus 5?

mark gross
Dec 3, 2013, 8:10:21 AM
to android...@googlegroups.com
I have not actually looked at the issue, so I really should keep my mouth shut, but I can't help myself sometimes.

Could this be an SELinux configuration setting deployed with the N5? What do dmesg / the logs say when you attempt to access the mount points?

Do we know it's actually a "problem" and not a security enhancement?

--mark

--
create interesting things.
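
Mark's suggestion to look at the logs, carried out as an added example (not from the thread): pull the AVC denials out of the kernel log, summarise them per source context, target context, class and permission set, and print the label of the shell you are testing from, so you can see whether the empty listing coincides with any denial at all. On the device the input is `dmesg` or `cat /proc/kmsg` as used later in the thread; on a desktop `dmesg` or an audit.log work the same. In permissive mode the kernel still logs what it would have denied, so the summary stays meaningful after `setenforce 0`. The four log lines are constructed in the shape of a KitKat avc message, not captured from a Nexus 5, and the process names and labels in them are made up.

```shell
#!/bin/sh
# Added example, not from the thread: AVC denial triage.

# selinux_ctx [PID] -> SELinux label of PID (default: this shell), for
# example u:r:shell:s0 or u:r:init:s0; "unknown" on a non-SELinux kernel.
selinux_ctx() {
    cat "/proc/${1:-self}/attr/current" 2>/dev/null || echo "unknown"
}

# avc_summary LOGFILE -> one line per distinct denial, most frequent first:
#   COUNT  scontext -> tcontext  tclass { perms }  comm=NAME
avc_summary() {
    awk '
        /avc: +denied/ {
            perms = "?"; s = "?"; t = "?"; cls = "?"; comm = "?"
            if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
                else if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            }
            count[s " -> " t "  " cls " " perms "  comm=" comm]++
        }
        END { for (k in count) print count[k] "  " k }
    ' "$1" | sort -rn
}

# denials_for LOGFILE SCONTEXT -> number of denial lines whose source label
# is exactly SCONTEXT (the label of the shell or app that got the empty dir).
denials_for() {
    awk -v sc="$2" '/avc: +denied/ && index($0, "scontext=" sc " ") { n++ } END { print n + 0 }' "$1"
}

# Constructed sample in the shape of KitKat kernel-log avc lines (not real data).
AVC_SAMPLE="${TMPDIR:-/tmp}/avc.sample.$$"
cat > "$AVC_SAMPLE" <<'EOF'
<5>[  812.101234] type=1400 audit(1386020000.101:21): avc:  denied  { getattr } for  pid=2241 comm="ls" path="/mnt/test" dev="rootfs" ino=4567 scontext=u:r:shell:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
<5>[  812.102345] type=1400 audit(1386020000.102:22): avc:  denied  { getattr } for  pid=2241 comm="ls" path="/mnt/test" dev="rootfs" ino=4567 scontext=u:r:shell:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
<5>[  815.400000] type=1400 audit(1386020003.400:23): avc:  denied  { read } for  pid=2290 comm="filemanager" name="/" dev="fuse" ino=1 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:fuse:s0 tclass=dir
<7>[  816.000000] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
EOF

echo "this shell runs as: $(selinux_ctx)   enforcing: $(cat /sys/fs/selinux/enforce 2>/dev/null || echo n/a)"
avc_summary "$AVC_SAMPLE"
echo "denials from u:r:shell:s0: $(denials_for "$AVC_SAMPLE" u:r:shell:s0)"
```

A denial whose scontext is the label printed for your shell, with the mount point in `path=`, supports the SELinux explanation; no denial at all while the directory still reads as empty points away from SELinux and toward the mount not being present in that process's view.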

z.c
Dec 3, 2013, 8:28:07 AM
to android...@googlegroups.com
Hi Mark,
thank you for the reply, and no, you shouldn't keep your mouth shut; I appreciate every discussion because I am really stuck with this.

I've thought about this myself and actually think that you are right; it's probably not a "problem" but a security enhancement. But this is security I would like to disable.

I've also dug as far as I can into SELinux and tried to understand what's happening there. But the reason why I think that, if this is because of the SELinux implementation, it could be a bug, is that when I set SELinux to "permissive" ("setenforce 0") it still does not work.

It could also involve mount namespaces (another security feature), but all the documentation says that "/" is mounted as shared and remounted as slave only for each forked Dalvik process, and ADB is no Dalvik child.
thx z.c



zc
Dec 3, 2013, 2:40:50 PM
to android...@googlegroups.com
Finally I got a step further!

The "problem" really seems to be with SELinux, because when I mount using a shell script (masquerading as a system service like /system/bin/debuggerd) with "/system/bin/start", the mount is visible system-wide.

So the remaining question is how to change the responsible SELinux directive?
As I said before, "setenforce 0" does not seem to help when executed in a su shell, but it would be overkill anyway, since disabling SELinux completely can't be the only solution.

zc
Dec 4, 2013, 5:00:47 PM
to android...@googlegroups.com
I've tried to debug the problem as best as I could, but I still don't have an idea how to fix this.

The main problem seems to be with the "ssh" process (started by sshfs), which terminates without response.

Since I didn't want to replace "/system/bin/debuggerd", I was looking around in "init.rc" and found the sshd service ("/system/bin/start-ssh"), which was not present on my device. So I created a shell script in its place that suits my needs.

root@hammerhead:/ # cat /system/bin/start-ssh
#!/system/bin/sh
# clear a stale mount left by a previous run before mounting again
umount /data/media/0/server
# mount the remote root over sshfs; allow_other lets users other than root see it
/system/xbin/sshfs user@server:/ /data/media/0/server -o allow_other -o StrictHostKeyChecking=no -o reconnect -o IdentityFile=/data/.ssh/id_rsa

Now let "init" execute my script:
root@hammerhead:/ # start sshd

Verify it is running with:
root@hammerhead:/ # ps | grep ssh
root      6064  6060  2068   608   c0904218 b6e532c8 S /system/xbin/sshfs
root      6066  1     2584   1072  c027636c b6dd16d8 S ssh

root@hammerhead:/ # mount
...
sshfs#user@server:/ /data/media/0/server fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
 
Verify it fails:
root@hammerhead:/ # cat /proc/kmsg
...
<7>[ 9113.605760] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
<3>[ 9125.443482] init: untracked pid 6066 exited
<3>[ 9125.454009] init: untracked pid 6175 exited
...

When I modify "/system/bin/start-ssh" to call ssh directly and issue a command on the server, I can log and verify that it is working:
root@hammerhead:/ # cat /system/bin/start-ssh
#!/system/bin/sh
# run one command over ssh and append both stdout and stderr to the log
# (the redirections have to be in this order for stderr to reach the file too)
ssh user@server -o StrictHostKeyChecking=no -o IdentityFile=/data/.ssh/id_rsa "ls /" >> /sdcard/ssh.log 2>&1
 
root@hammerhead:/ # cat /sdcard/ssh.log                                        
bin
boot
dev
etc
home
...
 
Questions:
  • What could process 6175 be, and why does it exit together with the ssh process (6066)?
  • Why does ssh fail when started by sshfs and succeed when started directly?

zc
Dec 5, 2013, 7:42:51 AM
to android...@googlegroups.com
Stupid me!

The problem was that "/system/bin/start-ssh" exits after executing sshfs, and then "init" kills every child process and executes "/system/bin/start-ssh" again.
So a simple solution is to do an endless loop at the end of "/system/bin/start-ssh".
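
The init behaviour described above, as an added example that is not the poster's script: a wrapper for an init service that performs a mount. init tracks only the service's main PID; when that PID exits, init kills what is left of the process group and, the service not being `oneshot`, starts it again, which is what the "untracked pid ... exited" lines were showing. The wrapper therefore must not return while the mount should stay up. Two variants are shown: `exec` of the FUSE daemon in the foreground (`sshfs -f`), which makes sshfs itself the tracked process, and the loop from the post, made interruptible. Mount point, remote, key and sshfs path follow the thread; the stop-file path, the presence of `-f` in the device's sshfs build, and the guard that only runs `main` when the script is installed as `start-ssh` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the poster's start-ssh. Install as /system/bin/start-ssh
# with /system/bin/sh as the shebang and run "start sshd", as in the thread.

MNT=/data/media/0/server                # from the thread
REMOTE=user@server:/                    # from the thread
KEY=/data/.ssh/id_rsa                   # from the thread
SSHFS=/system/xbin/sshfs                # from the thread
STOPFILE="${STOPFILE:-$MNT.stop}"       # assumption: a writable path next to the mount point

# is_mounted MOUNTPOINT [MOUNTS_FILE] -> 0 when MOUNTPOINT appears in the
# mounts table (default: this process's /proc/self/mounts; field 2 is the
# mount point).
is_mounted() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "${2:-/proc/self/mounts}"
}

# clear_stale MOUNTPOINT -> unmount whatever a previous run left behind.
# A FUSE mount whose daemon init has killed stays listed but answers
# "Transport endpoint is not connected". 0 when the path is free afterwards.
clear_stale() {
    if is_mounted "$1"; then umount "$1" 2>/dev/null; fi
    ! is_mounted "$1"
}

# keepalive STOPFILE [INTERVAL] -> block until STOPFILE appears, remove it,
# and print the number of sleeps made. This replaces an unconditional
# endless loop so the wrapper can be told to finish without "stop".
keepalive() {
    n=0
    while [ ! -e "$1" ]; do sleep "${2:-30}"; n=$((n + 1)); done
    rm -f "$1"
    echo "$n"
}

main() {
    clear_stale "$MNT" || { echo "cannot free $MNT" >&2; return 1; }
    case "${1:-exec}" in
        exec)
            # Variant 1: the daemon becomes the service's main process.
            # -f is FUSE's foreground option; with exec, the PID init tracks
            # is sshfs itself, so nothing "untracked" is left to be killed.
            exec "$SSHFS" -f "$REMOTE" "$MNT" -o allow_other -o StrictHostKeyChecking=no -o reconnect -o IdentityFile="$KEY"
            ;;
        loop)
            # Variant 2: the thread's solution with a way out: mount in the
            # background and keep the wrapper alive as the tracked process.
            "$SSHFS" "$REMOTE" "$MNT" -o allow_other -o StrictHostKeyChecking=no -o reconnect -o IdentityFile="$KEY" || return 1
            keepalive "$STOPFILE" >/dev/null
            umount "$MNT"
            ;;
    esac
}

# Act only when installed under the service's executable name, so the
# functions above can be sourced or tested without touching any mount.
case "${0##*/}" in start-ssh) main "$@" ;; esac
```

`stop sshd` still ends the service with a signal the wrapper cannot clean up after, which is why `clear_stale` runs at every start rather than relying on a clean exit.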

noktilux
Dec 5, 2013, 2:42:11 PM
to android...@googlegroups.com
Sorry to be a nuisance here, but I've tried posting something, got a message about it being "reviewed", and a day later nothing is showing up. Just tried this as a test now.

noktilux
Dec 5, 2013, 7:14:34 PM
to android...@googlegroups.com

> when I mount using a shell script (masquerading as a system service like /system/bin/debuggerd) with "/system/bin/start", the mount is visible system-wide.

It seems my reply/question from yesterday got lost. So, here we go again...

zc: can you please explain how you did this? I have the same problem: I am able to mount an external NAS share, but only root sees it. The folder mounted to appears blank to others (apps, users, etc). I tried replacing /system/bin/debuggerd with a shell script, but this is not a service that seems to load automatically on start. Can you please give an account of exactly what you did? I, at least, want to get this working before opting for a less "hacky" approach. Thanks.



zc
Dec 6, 2013, 5:43:32 AM
to android...@googlegroups.com
I guess it depends on your version of Android, on which services are available, and on the SELinux policies, what they can do.

But basically you can do the following:
Find out which services init knows:
# grep "service " /init*rc

Start the service manually:
# start <servicename>

Stop the service manually:
# stop <servicename>
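
The lookup zc describes, as an added example (not from the thread): a parser for the `service` blocks of the init .rc files that prints each service's name, its executable, and the options that decide what `start`/`stop` will do with it (`class`, `user`, `disabled`, `oneshot`), plus a lookup from an executable name to the service name, which is what `start` wants. The rc text at the bottom is constructed in the syntax of the KitKat init language and is not copied from any device; on a device run `list_services /init*.rc` instead. The defaults of `class` to "default" and `user` to root follow init's own behaviour.

```shell
#!/bin/sh
# Added example, not from the thread: list init services and the options
# that matter for "start"/"stop". Change the shebang to /system/bin/sh on a device.

# list_services RCFILE... -> one tab-separated line per service:
#   NAME  EXECUTABLE  class=CLASS  user=USER  FLAGS
# A "service NAME EXEC [ARGS]" line at column 1 opens a block; the block
# ends at the next "service", "on" or "import" line.
list_services() {
    awk '
        function flush() {
            if (name != "") {
                sub(/ $/, "", flags)
                print name "\t" exe "\tclass=" cls "\tuser=" usr "\t" flags
            }
            name = ""
        }
        /^service[ \t]/        { flush(); name = $2; exe = $3; cls = "default"; usr = "root"; flags = ""; next }
        /^(on|import)[ \t]/    { flush(); next }
        name == ""             { next }
        $1 == "class"          { cls = $2 }
        $1 == "user"           { usr = $2 }
        $1 == "disabled"       { flags = flags "disabled " }
        $1 == "oneshot"        { flags = flags "oneshot " }
        END { flush() }
    ' "$@"
}

# service_for_exec EXEC RCFILE... -> the name of the service whose executable
# is EXEC (full path or basename). "start" takes this name, not the executable.
service_for_exec() {
    e="$1"; shift
    list_services "$@" | awk -F '\t' -v e="$e" '
        { n = split($2, p, "/"); if ($2 == e || p[n] == e) { print $1; exit } }'
}

# Constructed rc fragment in KitKat init syntax (not copied from a device).
RC_SAMPLE="${TMPDIR:-/tmp}/init.sample.rc.$$"
cat > "$RC_SAMPLE" <<'EOF'
import /init.${ro.hardware}.rc

on boot
    class_start main

service sshd /system/bin/start-ssh
    class main
    disabled

service debuggerd /system/bin/debuggerd
    class main

service adbd /sbin/adbd
    class core
    socket adbd stream 660 system system
    disabled
    seclabel u:r:adbd:s0
EOF

list_services "$RC_SAMPLE"
echo "start-ssh is run by service: $(service_for_exec start-ssh "$RC_SAMPLE")"
```

A service marked `disabled` is exactly the kind that does nothing at boot and responds to a manual `start`; a `oneshot` service is not restarted by init when its main process exits.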

noktilux
Dec 6, 2013, 8:19:54 AM
to android...@googlegroups.com
zc:

To keep things simple, I used the start-ssh service (which is part of my init.rc). I created /system/bin/start-ssh, which consisted of a test ssh script. I changed the permissions so that it would be executable, but when I do...

# start start-ssh

...nothing happens. I tried rebooting, still nothing. If I try...

# busybox start start-ssh

...the reply is: "start: applet not found"

Tried the same with debuggerd and no luck either. I have a feeling I am overlooking something simple. Sorry, very new to this.

Perhaps I should also state what I am trying to accomplish. I have written a music player application in JavaScript and I wish to run it off the local file system without need for a web server. So, in the address you would see something like:

 file:///sdcard/player/index.html

To play the music, it has to be on the file system too, or you will get cross-server restrictions. The music is sitting on a NAS, and if I mount it then the browser will accept src references to files there, for example:

src="file:///system/my_nas/beethoven/symphony_9_furtwangler.mp3"

There is actually another way: that is to place the HTML and JavaScript files on the NAS and use smb:// instead of file:///, but bloody Chrome browser doesn't understand smb:// references, which I just discovered recently. I am about to try with Firefox on the Nexus, but it won't play mp3.

Note: all of this works on a regular computer (I am running Ubuntu).


zc
Dec 6, 2013, 8:39:22 AM
to android...@googlegroups.com
Sorry, but I can't teach you everything you need to know to get this working. I haven't myself understood those things to the end, and since this is all very dependent on your particular device, no one can give you a guide that will explain everything you need to know. Like me, you have a lack of basic knowledge that's simply needed to work with this kind of stuff.

But it seems clear to me that you should use another approach; if all this is just for an "in-browser music player", you should host everything on a web server, music and player.
I think this would be more your domain.

The approach you are trying right now is like taking down a dove with an RPG.

noktilux
Dec 6, 2013, 10:20:54 AM
to android...@googlegroups.com

> Sorry, but I can't teach you everything you need to know to get this working.

My apologies if it seemed that way. My simple question at this point is how to start the service in question. "start servicename" is clearly not correct on my device.

As for doing this on a web server: that is actually the more heavy/complicated thing, because a web server on another powered-up machine has to be running. With what I am doing (and which works on a regular computer), all you need is the NAS.

Cheers.

z.c
Dec 6, 2013, 10:27:10 AM
to android...@googlegroups.com
If your device is using init and start can be executed, "start <servicename>" is correct. "start-ssh" is just not a service name, it's the executable; the service name can be found with the "grep..." command from my previous post. In my case it's "sshd".



noktilux
Dec 6, 2013, 10:55:19 AM
to android...@googlegroups.com, root....@googlemail.com


On Friday, December 6, 2013 10:27:10 AM UTC-5, z.c wrote:
> If your device is using init and start can be executed, "start <servicename>" is correct. "start-ssh" is just not a service name, it's the executable; the service name can be found with the "grep..." command from my previous post. In my case it's "sshd".

Hey, it worked!!! My first mistake was using the wrong service name, but then I also did not check in the correct spot that my script had executed.

Thanks for hanging in there with me.


noktilux
Dec 6, 2013, 11:02:50 AM
to android...@googlegroups.com, root....@googlemail.com
\o/ yay

Here is a screenshot of a little test (the NAS is mounted to /sdcard/NAS):

http://qstatistic.com/00/mounted_nas.png


