can I add a native code service as root user
3,413 views
Skip to first unread message
Change
Jul 13, 2010, 4:32:36 AM7/13/10
to android-ndk
I have root access to my android device, i want to run a native code
service as root (for some privileged HW access) and have my APK to
access the service. How can I add the service without having to change
Android source code (e.g., by modifying service_manager.c)? thanks.
service as root (for some privileged HW access) and have my APK to
access the service. How can I add the service without having to change
Android source code (e.g., by modifying service_manager.c)? thanks.
David Turner
Jul 13, 2010, 11:59:10 AM7/13/10
to andro...@googlegroups.com
Applications are installed/run as non-privileged users on Android, and I don't think there is anything in the default system that allows you to raise privileges automatically (i.e. without manual intervention or modifying the system).
You should probably ask on android-porting though.
--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To post to this group, send email to andro...@googlegroups.com.
To unsubscribe from this group, send email to android-ndk...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-ndk?hl=en.
Dianne Hackborn
Jul 13, 2010, 10:03:07 PM7/13/10
to andro...@googlegroups.com
Nothing running Java code can get root in the standard platform implementation. This includes both .apk apps, as well as core processes such as the system process.
--
Dianne Hackborn
Android framework engineer
hac...@android.com
Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
On Tue, Jul 13, 2010 at 1:32 AM, Change <cf0...@gmail.com> wrote:
--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To post to this group, send email to andro...@googlegroups.com.
To unsubscribe from this group, send email to android-ndk...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-ndk?hl=en.
--
Dianne Hackborn
Android framework engineer
hac...@android.com
Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails. All such questions should be posted on public forums, where I and others can see and answer them.
cf0...@gmail.com
Jul 14, 2010, 12:46:05 AM7/14/10
to andro...@googlegroups.com
Thanks for the reply.
My executable is in c code and put in /system/bin (since I have root access on this device). The code implements cetain services with elevated access to hw resources on one side and on the other side binder interfaces for user space app to access such services. In a way similar to say the android media server. The issue is right now calling defaultServiceManager->addService would fail without adding a corresponding line into service_manager.c source file which means I have to recompile the entire android image - something I would like to avoid if possible.
Thanks for your help
Chang
My executable is in c code and put in /system/bin (since I have root access on this device). The code implements cetain services with elevated access to hw resources on one side and on the other side binder interfaces for user space app to access such services. In a way similar to say the android media server. The issue is right now calling defaultServiceManager->addService would fail without adding a corresponding line into service_manager.c source file which means I have to recompile the entire android image - something I would like to avoid if possible.
Thanks for your help
Chang
Sent via BlackBerry by AT&T
From: Dianne Hackborn <hac...@android.com>
Sender: andro...@googlegroups.com
Date: Tue, 13 Jul 2010 19:03:07 -0700
ReplyTo: andro...@googlegroups.com
Subject: Re: can I add a native code service as root user
Onur Cinar
Jul 14, 2010, 1:22:22 AM7/14/10
to andro...@googlegroups.com
Hi Chang,
Instead of making changes in Android code, I would recommend you to only modify the permissions on the hardware devices.
Unfortunately, modifying the Android code is outside the NDK's scope, so I believe that you may get more help from android-platform group.
By the way, which hardware device you are trying to access?
Regards,
-onur
www.zdo.com
cf0...@gmail.com
Jul 14, 2010, 1:24:31 AM7/14/10
to andro...@googlegroups.com
I am trying to access hw codec which are exposed via device driver which limites access to only users with elevated previlege. Are you suggesting that as root I should just change permission of those devices to allow access by any user?
Thanks
Chang
Thanks
Chang
Sent via BlackBerry by AT&T
From: Onur Cinar <onur....@gmail.com>
Sender: andro...@googlegroups.com
Date: Tue, 13 Jul 2010 22:22:22 -0700
Onur Cinar
Jul 14, 2010, 1:54:32 AM7/14/10
to andro...@googlegroups.com
Hi Chang,
Yes, I believe that it would be an easier solution. How kind of codec is that?
Regards,
-onur
Yes, I believe that it would be an easier solution. How kind of codec is that?
Regards,
-onur
David Turner
Jul 14, 2010, 2:13:06 AM7/14/10
to andro...@googlegroups.com
On Tue, Jul 13, 2010 at 10:24 PM, <cf0...@gmail.com> wrote:
I am trying to access hw codec which are exposed via device driver which limites access to only users with elevated previlege. Are you suggesting that as root I should just change permission of those devices to allow access by any user?
That's really a bad bad idea. No matter what you do, you'll end up being bitten one way or the other by this.
If you are root, modify the /dev/<device> permissions to allow access only from a certain group, then in your program launched as root, changed all three uids/gids to this specific group before accessing the device. That should be sufficient and will protect you from a lot of bad things.
Of course, launching a binary as root is already pretty bad in the general case.
Chang Feng
Jul 14, 2010, 2:51:49 AM7/14/10
to andro...@googlegroups.com
understood. this is why my initial question/approach was to try to launch my service from /system/bin as one of the previleged user (for example as user "media") that do have proper access to the hardware. the problem as i stated before is that addService() fails without modifying service_manager.c to sort of pre-register my service with the android default service manager. I am wondering if there is a way to add a service (native code, not java layer) at run time without a corresponding entry in the service_manager.c source file.
thanks
Chang
charles
Jul 14, 2010, 5:19:18 AM7/14/10
to android-ndk
Yes, running a command as root (or starting some binary) is entirely
possible using NDK.
It basically amounts to a single line of C code which makes a call to
system(const char *) and runs your command through the shell. ;)
Also make sure that your binary is in fact ARM executable.
(1) Write a Java program <your_package_name>/src/NativeCommand.java
which contains some code like this:
public class NativeCommand {
// Be sure to declare your package name at the top of the file!
// Make some call to System.loadLibrary("mylib") and so on and so
forth...see NDK examples.
public static native void runCommand();
// This defines some native function that we intend to implement in
native code, compile using NDK, and use in the Android app
}
(2) Build your application as usual with ant. If everything compiles
successfully, you should get /bin/classes directory which contains all
of your .class files.
Navigate to this directory and
$ javah -jni <your_package_name>.NativeCommand
if this is successful, you should now have some file like
your_package_name_NativeCommand.h -- this is a C header file. Now
$ mv your_package_name_NativeCommand.h ../../jni
Bring this over into the JNI subdir to your application.
(3) Write a C function something like this in a file called
your_package_name_NativeCommand.c (why not?):
#include <unistd.h>
#include "your_package_name_NativeCommand.h"
void run_command()
{
system("su -c some_binary_file");
}
NOTE THAT YOU WILL HAVE TO DEAL WITH ALL OF THE JNI MESS HERE!! There
are plenty of examples in NDK documentation for more on implementing
your C functions with JNI.
(4) Add the following your /jni/Android.mk file:
LOCAL_C_INCLUDES := your_package_name_NativeCommand.c
Again, there is plenty of documentation in NDK to explain more on
this.
(5) Navigate to the top of your app and run ndk-build with whatever
options you like, and hope everything compiles. Now any time you want
to run this binary in your Android app, just make a call to your
public static native void runCommand() method.
You can find a good working example here: http://code.google.com/p/android-wifi-tether/
In particular, you should look at how they run commands as root using
these files:
http://code.google.com/p/android-wifi-tether/source/browse/trunk/src/android/tether/system/NativeTask.java
[How we define callbacks to native code]
http://code.google.com/p/android-wifi-tether/source/browse/trunk/src/android/tether/system/CoreTask.java
[See the RunCommandAsRoot() method).
All of the native C code is located in the /jni directory, and the
Android.mk file would be good to examine as well to learn how to do
NDK hacks like this.
It is possible to do this entirely in Java using the Process() and
Runtime() classes provided by Android, and not touch NDK at all. ;)
For instance, you could also try doing something like this:
http://www.stealthcopter.com/blog/2010/01/android-requesting-root-access-in-your-app/
Anyway, I hope this answers your question!
BTW -- I would *really* encourage you to use one of the several
Superuser Whitelist apps if you are not doing so already and making
nandroid backups religiously. I am just giving two general ways of
running a command through the shell as root through an Android app and
have no idea what you are actually trying to do with this -- but it
sounds like you could seriously mess up your system if you are not
careful.
If you go for it, tell about your results and let us see your code!
I'm interested to see how this works out.
- Charles
On Jul 14, 1:51 am, Chang Feng <cf08...@gmail.com> wrote:
> understood. this is why my initial question/approach was to try to launch my
> service from /system/bin as one of the previleged user (for example as
> user "media") that do have proper access to the hardware. the problem as i
> stated before is that addService() fails without modifying service_manager.c
> to sort of pre-register my service with the android default service
> manager. I am wondering if there is a way to add a service (native code, not
> java layer) at run time without a corresponding entry in the
> service_manager.c source file.
> thanks
> Chang
>
>
>
> On Wed, Jul 14, 2010 at 2:13 AM, David Turner <di...@android.com> wrote:
>
> >> *From: *Onur Cinar <onur.ci...@gmail.com>
> >> *Sender: *andro...@googlegroups.com
> >> *Date: *Tue, 13 Jul 2010 22:22:22 -0700
> >> *To: *<andro...@googlegroups.com>
> >> *ReplyTo: *andro...@googlegroups.com
> >> *Subject: *Re: can I add a native code service as root user
> >>> *From: *Dianne Hackborn <hack...@android.com>
> >>> *Sender: *andro...@googlegroups.com
> >>> *Date: *Tue, 13 Jul 2010 19:03:07 -0700
> >>> *To: *<andro...@googlegroups.com>
> >>> *ReplyTo: *andro...@googlegroups.com
> >>> *Subject: *Re: can I add a native code service as root user
> >>>> .
> >>> .
> >>> .
> >> .
> >> .
> > .
possible using NDK.
It basically amounts to a single line of C code which makes a call to
system(const char *) and runs your command through the shell. ;)
Also make sure that your binary is in fact ARM executable.
(1) Write a Java program <your_package_name>/src/NativeCommand.java
which contains some code like this:
public class NativeCommand {
// Be sure to declare your package name at the top of the file!
// Make some call to System.loadLibrary("mylib") and so on and so
forth...see NDK examples.
public static native void runCommand();
// This defines some native function that we intend to implement in
native code, compile using NDK, and use in the Android app
}
(2) Build your application as usual with ant. If everything compiles
successfully, you should get /bin/classes directory which contains all
of your .class files.
Navigate to this directory and
$ javah -jni <your_package_name>.NativeCommand
if this is successful, you should now have some file like
your_package_name_NativeCommand.h -- this is a C header file. Now
$ mv your_package_name_NativeCommand.h ../../jni
Bring this over into the JNI subdir to your application.
(3) Write a C function something like this in a file called
your_package_name_NativeCommand.c (why not?):
#include <unistd.h>
#include "your_package_name_NativeCommand.h"
void run_command()
{
system("su -c some_binary_file");
}
NOTE THAT YOU WILL HAVE TO DEAL WITH ALL OF THE JNI MESS HERE!! There
are plenty of examples in NDK documentation for more on implementing
your C functions with JNI.
(4) Add the following your /jni/Android.mk file:
LOCAL_C_INCLUDES := your_package_name_NativeCommand.c
Again, there is plenty of documentation in NDK to explain more on
this.
(5) Navigate to the top of your app and run ndk-build with whatever
options you like, and hope everything compiles. Now any time you want
to run this binary in your Android app, just make a call to your
public static native void runCommand() method.
You can find a good working example here: http://code.google.com/p/android-wifi-tether/
In particular, you should look at how they run commands as root using
these files:
http://code.google.com/p/android-wifi-tether/source/browse/trunk/src/android/tether/system/NativeTask.java
[How we define callbacks to native code]
http://code.google.com/p/android-wifi-tether/source/browse/trunk/src/android/tether/system/CoreTask.java
[See the RunCommandAsRoot() method).
All of the native C code is located in the /jni directory, and the
Android.mk file would be good to examine as well to learn how to do
NDK hacks like this.
It is possible to do this entirely in Java using the Process() and
Runtime() classes provided by Android, and not touch NDK at all. ;)
For instance, you could also try doing something like this:
http://www.stealthcopter.com/blog/2010/01/android-requesting-root-access-in-your-app/
Anyway, I hope this answers your question!
BTW -- I would *really* encourage you to use one of the several
Superuser Whitelist apps if you are not doing so already and making
nandroid backups religiously. I am just giving two general ways of
running a command through the shell as root through an Android app and
have no idea what you are actually trying to do with this -- but it
sounds like you could seriously mess up your system if you are not
careful.
If you go for it, tell about your results and let us see your code!
I'm interested to see how this works out.
- Charles
On Jul 14, 1:51 am, Chang Feng <cf08...@gmail.com> wrote:
> understood. this is why my initial question/approach was to try to launch my
> service from /system/bin as one of the previleged user (for example as
> user "media") that do have proper access to the hardware. the problem as i
> stated before is that addService() fails without modifying service_manager.c
> to sort of pre-register my service with the android default service
> manager. I am wondering if there is a way to add a service (native code, not
> java layer) at run time without a corresponding entry in the
> service_manager.c source file.
> thanks
> Chang
>
>
>
> On Wed, Jul 14, 2010 at 2:13 AM, David Turner <di...@android.com> wrote:
>
> > On Tue, Jul 13, 2010 at 10:24 PM, <cf08...@gmail.com> wrote:
>
> >> I am trying to access hw codec which are exposed via device driver which
> >> limites access to only users with elevated previlege. Are you suggesting
> >> that as root I should just change permission of those devices to allow
> >> access by any user?
>
> > That's really a bad bad idea. No matter what you do, you'll end up being
> > bitten one way or the other by this.
>
> > If you are root, modify the /dev/<device> permissions to allow access only
> > from a certain group, then in your program launched as root, changed all
> > three uids/gids to this specific group before accessing the device. That
> > should be sufficient and will protect you from a lot of bad things.
>
> > Of course, launching a binary as root is already pretty bad in the general
> > case.
>
> >> Thanks
>
> >> Chang
>
> >> Sent via BlackBerry by AT&T
> >> ------------------------------
>
> >> I am trying to access hw codec which are exposed via device driver which
> >> limites access to only users with elevated previlege. Are you suggesting
> >> that as root I should just change permission of those devices to allow
> >> access by any user?
>
> > That's really a bad bad idea. No matter what you do, you'll end up being
> > bitten one way or the other by this.
>
> > If you are root, modify the /dev/<device> permissions to allow access only
> > from a certain group, then in your program launched as root, changed all
> > three uids/gids to this specific group before accessing the device. That
> > should be sufficient and will protect you from a lot of bad things.
>
> > Of course, launching a binary as root is already pretty bad in the general
> > case.
>
> >> Thanks
>
> >> Chang
>
> >> Sent via BlackBerry by AT&T
> >> *From: *Onur Cinar <onur.ci...@gmail.com>
> >> *Sender: *andro...@googlegroups.com
> >> *Date: *Tue, 13 Jul 2010 22:22:22 -0700
> >> *To: *<andro...@googlegroups.com>
> >> *ReplyTo: *andro...@googlegroups.com
> >> *Subject: *Re: can I add a native code service as root user
>
> >> Hi Chang,
>
> >> Instead of making changes in Android code, I would recommend you to only
> >> modify the permissions on the hardware devices.
>
> >> Unfortunately, modifying the Android code is outside the NDK's scope, so I
> >> believe that you may get more help from android-platform group.
>
> >> By the way, which hardware device you are trying to access?
>
> >> Regards,
>
> >> -onur
>
> >> Hi Chang,
>
> >> Instead of making changes in Android code, I would recommend you to only
> >> modify the permissions on the hardware devices.
>
> >> Unfortunately, modifying the Android code is outside the NDK's scope, so I
> >> believe that you may get more help from android-platform group.
>
> >> By the way, which hardware device you are trying to access?
>
> >> Regards,
>
> >> -onur
>
> >> On Tue, Jul 13, 2010 at 9:46 PM, <cf08...@gmail.com> wrote:
>
> >>> Thanks for the reply.
> >>> My executable is in c code and put in /system/bin (since I have root
> >>> access on this device). The code implements cetain services with elevated
> >>> access to hw resources on one side and on the other side binder interfaces
> >>> for user space app to access such services. In a way similar to say the
> >>> android media server. The issue is right now calling
> >>> defaultServiceManager->addService would fail without adding a corresponding
> >>> line into service_manager.c source file which means I have to recompile the
> >>> entire android image - something I would like to avoid if possible.
> >>> Thanks for your help
> >>> Chang
>
> >>> Sent via BlackBerry by AT&T
> >>> ------------------------------
>
> >>> Thanks for the reply.
> >>> My executable is in c code and put in /system/bin (since I have root
> >>> access on this device). The code implements cetain services with elevated
> >>> access to hw resources on one side and on the other side binder interfaces
> >>> for user space app to access such services. In a way similar to say the
> >>> android media server. The issue is right now calling
> >>> defaultServiceManager->addService would fail without adding a corresponding
> >>> line into service_manager.c source file which means I have to recompile the
> >>> entire android image - something I would like to avoid if possible.
> >>> Thanks for your help
> >>> Chang
>
> >>> Sent via BlackBerry by AT&T
> >>> *From: *Dianne Hackborn <hack...@android.com>
> >>> *Sender: *andro...@googlegroups.com
> >>> *Date: *Tue, 13 Jul 2010 19:03:07 -0700
> >>> *To: *<andro...@googlegroups.com>
> >>> *ReplyTo: *andro...@googlegroups.com
> >>> *Subject: *Re: can I add a native code service as root user
>
> >>> Nothing running Java code can get root in the standard platform
> >>> implementation. This includes both .apk apps, as well as core processes
> >>> such as the system process.
>
> >>> Nothing running Java code can get root in the standard platform
> >>> implementation. This includes both .apk apps, as well as core processes
> >>> such as the system process.
>
> >>> On Tue, Jul 13, 2010 at 1:32 AM, Change <cf08...@gmail.com> wrote:
>
> >>>> I have root access to my android device, i want to run a native code
> >>>> service as root (for some privileged HW access) and have my APK to
> >>>> access the service. How can I add the service without having to change
> >>>> Android source code (e.g., by modifying service_manager.c)? thanks.
>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "android-ndk" group.
> >>>> To post to this group, send email to andro...@googlegroups.com.
> >>>> To unsubscribe from this group, send email to
> >>>> android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
>
> >>>> I have root access to my android device, i want to run a native code
> >>>> service as root (for some privileged HW access) and have my APK to
> >>>> access the service. How can I add the service without having to change
> >>>> Android source code (e.g., by modifying service_manager.c)? thanks.
>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "android-ndk" group.
> >>>> To post to this group, send email to andro...@googlegroups.com.
> >>>> To unsubscribe from this group, send email to
> >>>> .
> >>>> For more options, visit this group at
> >>>>http://groups.google.com/group/android-ndk?hl=en.
>
> >>> --
> >>> Dianne Hackborn
> >>> Android framework engineer
> >>> hack...@android.com
> >>>>http://groups.google.com/group/android-ndk?hl=en.
>
> >>> --
> >>> Dianne Hackborn
> >>> Android framework engineer
>
> >>> Note: please don't send private questions to me, as I don't have time to
> >>> provide private support, and so won't reply to such e-mails. All such
> >>> questions should be posted on public forums, where I and others can see and
> >>> answer them.
>
> >>> --
> >>> You received this message because you are subscribed to the Google Groups
> >>> "android-ndk" group.
> >>> To post to this group, send email to andro...@googlegroups.com.
> >>> To unsubscribe from this group, send email to
> >>> android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
> >>> Note: please don't send private questions to me, as I don't have time to
> >>> provide private support, and so won't reply to such e-mails. All such
> >>> questions should be posted on public forums, where I and others can see and
> >>> answer them.
>
> >>> --
> >>> You received this message because you are subscribed to the Google Groups
> >>> "android-ndk" group.
> >>> To post to this group, send email to andro...@googlegroups.com.
> >>> To unsubscribe from this group, send email to
> >>> .
> >>> For more options, visit this group at
> >>>http://groups.google.com/group/android-ndk?hl=en.
>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "android-ndk" group.
> >>> To post to this group, send email to andro...@googlegroups.com.
> >>> To unsubscribe from this group, send email to
> >>> android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
> >>>http://groups.google.com/group/android-ndk?hl=en.
>
> >>> --
> >>> You received this message because you are subscribed to the Google
> >>> Groups "android-ndk" group.
> >>> To post to this group, send email to andro...@googlegroups.com.
> >>> To unsubscribe from this group, send email to
> >>> .
> >>> For more options, visit this group at
> >>>http://groups.google.com/group/android-ndk?hl=en.
>
> >> ---
> >>www.zdo.com
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "android-ndk" group.
> >> To post to this group, send email to andro...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
> >>>http://groups.google.com/group/android-ndk?hl=en.
>
> >> ---
> >>www.zdo.com
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "android-ndk" group.
> >> To post to this group, send email to andro...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> .
> >> For more options, visit this group at
> >>http://groups.google.com/group/android-ndk?hl=en.
>
> >> --
> >> You received this message because you are subscribed to the Google
> >> Groups "android-ndk" group.
> >> To post to this group, send email to andro...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
> >>http://groups.google.com/group/android-ndk?hl=en.
>
> >> --
> >> You received this message because you are subscribed to the Google
> >> Groups "android-ndk" group.
> >> To post to this group, send email to andro...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> .
> >> For more options, visit this group at
> >>http://groups.google.com/group/android-ndk?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "android-ndk" group.
> > To post to this group, send email to andro...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > android-ndk...@googlegroups.com<android-ndk%2Bunsubscribe@googlegr oups.com>
> >>http://groups.google.com/group/android-ndk?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "android-ndk" group.
> > To post to this group, send email to andro...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > .
Dianne Hackborn
Jul 14, 2010, 12:55:01 PM7/14/10
to andro...@googlegroups.com
(1) You are not using the NDK; you are using non-supported APIs like shell commands.
--
Dianne Hackborn
Android framework engineer
(2) The standard su command does not allow applications to get root... and doesn't even exist on production devices. (And honestly... anyone who is walking around with their phone configured so that su will blindly allow any app to get root is just plain dumb.)
Note that all of the links you reference specifically say they are only for "rooted" phones.
To unsubscribe from this group, send email to android-ndk...@googlegroups.com.
--
Dianne Hackborn
Android framework engineer
Reply all
Reply to author
Forward
0 new messages