Accessing kernel module from an app


Bob Taylor

Apr 9, 2011, 10:20:16 AM
to android-platform
[moving this to android-platform from android-ndk per moderator's
request]

Original message:

Hello Guys,
I have a problem accessing a kernel module: if I run an executable
with root privileges I can read/write/ioctl to dev nodes without
problems. But if I swap this into a shared library and access from an
Android app via JNI I get problems with the permissions - because the
Android app itself does not run as root user...

Which is the "official" way to communicate with a kernel module from an
Android app?

Greetz Dudero

Reply:

If you want everyone to be able to communicate with the kernel module,
set appropriate permissions on the device file. If you want only a
specific group to be able to, patch the platform to reserve that
group, assign it on basis of an android permission, and then give the
group permissions to the device file.

Or you can have a service that runs as a specific hard coded user
which is granted access and talks to the kernel module on behalf of
android apps after checking the appropriate android permission of the
calling process.

My question:

There seem to be two problems with the approach outlined above. The
reserved group solution gives access to any app that gains access to
that group. This seems to be a security risk. Nothing really
prevents an app from requesting access to a group. The hard-coded UID
restricts access to the app, locking out other trusted apps.

Why not set the permission for the device to "system" in ueventd and
then set the app's android:sharedUserId="android.uid.system"?

My understanding is that setting an app's shared UID to system will
require the "LOCAL_CERTIFICATE := platform" directive which restricts
access to trusted apps created at platform build time. This seems to
solve the security issue.

Can anyone comment on this?

Thank you.

Dianne Hackborn

Apr 9, 2011, 2:18:28 PM
to android-...@googlegroups.com, Bob Taylor
The correct way to do this is with filesystem permissions and Android permissions, like other drivers and kernel facilities are controlled.  Basically:

- Define a new user/group ID for your module, which it publishes itself under in the fs.
- In frameworks/base/data/etc/permissions/ add a .xml file that associates a permission name with the new uid, like other permissions that are declared in permissions.xml.
- In frameworks/base/core/res/AndroidManifest.xml declare your permission as done with other permissions.  Here you can set the protectionLevel to what you'd like: signature so only .apks signed with the platform cert can get it, signatureOrSystem to also allow an app installed in /system to get it, etc.


--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To post to this group, send email to android-...@googlegroups.com.
To unsubscribe from this group, send email to android-platfo...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/android-platform?hl=en.




--
Dianne Hackborn
Android framework engineer
hac...@android.com

Note: please don't send private questions to me, as I don't have time to provide private support, and so won't reply to such e-mails.  All such questions should be posted on public forums, where I and others can see and answer them.

Bob Taylor

Apr 12, 2011, 10:19:42 AM
to android-platform
Thank you Dianne. Here's a summary of the changes I made that have
been tested and work to allow access of the app to the driver.
Haven't finished testing to check access denial. My understanding is
this is a generic process that can be adapted for establishing
restricted access to any device. Comments welcome.

Define AID_NEWGROUP and associated group tag "newgroup" in
system/core/include/private/android_filesystem_config.h

Add entry associating the target device with "newgroup" in
vendor/XXX/YYY/rootdir/ueventd.rc:
    /dev/targetdev 0660 system newgroup

Add definition of NEW_PERMISSION permission and set its protection
level to "signature" in frameworks/base/core/res/AndroidManifest.xml:
    <permission android:name="android.permission.NEW_PERMISSION"
        android:protectionLevel="signature" />

Associate permission NEW_PERMISSION with group tag "newgroup" in a
new xml file in frameworks/base/data/etc
android.hardware.targetdev.xml:
    <permission name="android.permission.NEW_PERMISSION" >
        <group gid="newgroup" />
    </permission>

Add shared user ID of system which will require platform signing and
uses permission to app AndroidManifest.xml.
    android:sharedUserId="android.uid.system"
    <uses-permission android:name="android.permission.NEW_PERMISSION"></uses-permission>

Platform signing is established in the app's Android.mk file.
    LOCAL_CERTIFICATE := platform

Dianne Hackborn

Apr 12, 2011, 12:36:39 PM
to android-...@googlegroups.com, Bob Taylor
One thing, you don't need to use android:sharedUserId for this.  I strongly recommend staying away from shared user IDs unless you absolutely need them.
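
The access decision this thread relies on, as an added example that is not part of the original posts: with the ueventd.rc entry `/dev/targetdev 0660 system newgroup`, an app reaches the device through the supplementary group that the permission grants, without running as the system UID. The value 2900 for AID_NEWGROUP and the app UIDs are constructed; `dac_allows` and `node_matches` are hypothetical helper names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define WANT_R 4u
#define WANT_W 2u

/* Classic Unix DAC decision applied on open(): owner bits if the UID
 * matches, else group bits if any GID matches, else "other" bits.
 * Root/capability overrides are deliberately not modelled. */
bool dac_allows(mode_t mode, uid_t owner, gid_t group,
                uid_t uid, const gid_t *gids, size_t ngids, unsigned want)
{
    if (uid == owner)
        return (((unsigned)mode >> 6) & want) == want;
    for (size_t i = 0; i < ngids; i++)
        if (gids[i] == group)
            return (((unsigned)mode >> 3) & want) == want;
    return ((unsigned)mode & want) == want;
}

/* Audit a real node against the expected ueventd.rc settings:
 * 1 = matches, 0 = differs, -1 = stat() failed (node absent). */
int node_matches(const char *path, mode_t mode, uid_t owner, gid_t group)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & 07777) == mode && st.st_uid == owner && st.st_gid == group;
}

int main(void)
{
    /* Constructed IDs: 1000 is AID_SYSTEM; 2900 stands in for AID_NEWGROUP;
     * 10051 and 10052 are sample app UIDs. */
    const gid_t granted[] = { 10051, 2900 };  /* app holding NEW_PERMISSION */
    const gid_t plain[]   = { 10052 };        /* app without the permission */
    unsigned rw = WANT_R | WANT_W;

    printf("granted app: %d\n", dac_allows(0660, 1000, 2900, 10051, granted, 2, rw));
    printf("plain app:   %d\n", dac_allows(0660, 1000, 2900, 10052, plain, 1, rw));
    printf("node check:  %d\n", node_matches("/dev/targetdev", 0660, 1000, 2900));
    return 0;
}
```

Running the same check from an app that does not hold the permission covers the access-denial case that the summary above lists as not yet tested.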

