Permission issue on sysfs access from android application ( .java source code )

himanshu

Apr 3, 2017, 12:00:05 PM
to android-porting

Android application in java having permission issues when accessing sysfs entry.

try {
    FileOutputStream fos = new FileOutputStream("/sys/class/shift_reg/shift_reg/value");
    byte mybyte = 1;
    fos.write(mybyte);
    fos.close();
} catch (Exception e) {
    Log.d(TAG, "Failed in writing to Shift Register");  // <-- I am always getting this exception.
}


1) Have tried putting 'setenforce 0'. Doesn't work. Even though enforce level is permissive.

2) Do I have to access using JNI way: ( android-app -> jni -> driver )

3) I have set file permission as 0777 for the sysfs node file.


Dmesg Error message:

[ 417.176302] type=1400 audit(418.589:63): avc: denied { write } for pid=3164 comm="com.android.cam" name="value" dev="sysfs" ino=9749 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

ps -Z

u:r:untrusted_app:s0 u0_a67 4360 333 com.android.cam

Mayuresh...@cirrus.com

Mar 26, 2018, 11:08:53 AM
to android-porting
Android does not allow apps to access the hardware directly.
The error you see is SE Linux filtering out the access since the sys-fs you are trying to access is not allowed to access.
You will need to modify the SE Linux policy for the device you are using and ensure it allows access to below sys-fs.

Renjith Rajagopal

May 21, 2018, 10:56:43 AM
to android-porting
You need a .te file for your module even though it is in permissive mode.
Also try moving the app to /system/priv-app/, which will remove the untrusted_app error.

r.qu...@gmail.com

May 23, 2018, 10:18:15 AM
to android-porting
Hi all.

I'm in the same boat as himanshu but with serial port /dev/ttyXXX. Although I'm able to use the uart with setenforce 0, I can't get rid of the sysfs prohibition.
AOSP wouldn't build if I permit untrusted_app (app running through android studio/pushed through adb) or priv_app (apk included in the aosp build).
(I still can't manage to make the source of the app compile within AOSP build. Maybe that's the only step missing)
AOSP 7.12

What I've done (not in order... I think):

- defined the device for the uart, on "device.te":

    type my_device, dev_type;

- registered ttyXXX as my_device in "file_contexts":

    /dev/ttyXXX         u:object_r:my_device:s0

- created the permissions for untrusted_app.te or priv_app.te (xxxx on the lines below) with the help of "audit2allow"

    allow xxxx my_device:chr_file { read write };    # this does not pose a problem but it does not solve it either
    #allow xxxx sysfs:file { read write };           # -> AOSP does not permit those apps to write on sysfs. error in compilation (neverallow rule) (commented out)

- I even managed to create a new group/permission in Android so the app and the file belong to the same group:
This step gets rid of the need to do a chmod 777 on the device to make the avc: denied appear in the logcat, but it does not get rid of the problem.

    * in "frameworks/base/core/res/AndroidManifest.xml":              ... "permission android:name="android.permission.UART_PERMISSION" ... etc, etc
    * in "frameworks/base/data/etc/platform.xml":                     ... "<permission name="android.permission.UART_PERMISSION" >  \  <group gid="uart_grp" />... etc, etc...
    * in "system/core/include/private/android_filesystem_config.h":   ... "#define AID_UART_GRP   2901"... ..."  { "uart_grp",       AID_UART_GRP, },
    * in "system/core/rootdir/ueventd.rc":                            ... "/dev/ttyXXX              0660   system    uart_grp" # tried with uart_grp:uart_grp too = same luck
    * in the manifest of the app:                                     ... "<uses-permission android:name="android.permission.UART_PERMISSION"/>

All the above is useless in the end.

I have managed to create a system service for an i2c test, so I can make that now too, but making the app "independent" of the custom framework is a nice way to get rid of the lib dependencies.
I know that the security is really important, but man... making something as easy as an UART comm work is a pain in the ass with all the shackles the OS chains you with.

Have a nice day guys.
Thank you in advance.

Sooraj Sizon

May 24, 2018, 11:20:09 AM
to android-porting
Hello all,

Here is how I was able to access, read, write to sysfs from an Android application.

Ramdisk / device specific changes

#init.{hardware}.rc

on property:sys.boot_completed=1
    #UART5 on my device
    chown root root /dev/ttymxc4
    chmod 0777 /dev/ttymxc4
    #GPIO5_IO14 (gpio_bank - 1) * 32 + gpio_bit
    write /sys/class/gpio/export 142
    write /sys/class/gpio/gpio142/edge "both"

 
#ueventd.{hardware}.rc
+/dev/ttymxc* 0666 system system

Then using JNI I was able to access the UART and GPIO pin.
Here is the source code of both applications:
UART: https://github.com/sooorajjj/BluemoonUART
GPIO: https://github.com/sooorajjj/BluemoonGPIO
Note these applications were not created by me; they are available as examples on Google. I just had to make a few changes for them to work on my device.

The GPIO LED blink example and reading input from a button is what I have tested, and it works.
UART reading and writing using the serial console works.

r.qu...@gmail.com

May 25, 2018, 10:48:48 AM
to android-porting
Hi Sooraj. Thanks for sharing your codes.

I think your code just needs the ueventd.{hardware}.rc part:

/dev/ttymxc* 0666 root root

which is the same as:

adb shell
su
chown root:root /dev/ttyXXX
chmod +rw /dev/ttyXXX

except that the .rc part is permanent after each reboot.
So the init.{hardware}.rc part is not necessary. Besides, your chown is wrong, it should be with "root:root" instead of "root root".

Anyway, the problem persists if you don't put "setenforce 0", as you mentioned to me in your gtalk msg: "Though i did set selinux to permissive for testing".

Thanks for the example apps too.

Have a nice day all.

Rolando.

Rolando Quivira

Jun 6, 2018, 3:32:43 PM
to android-porting
For anyone wondering, the thing that was missing in my case was to add ", mlstrustedobject;" to the device.te line. AOSP 7:

type my_device, dev_type, mlstrustedobject;

Besides, in my previous post I declared that sooraj's chown was wrong, but I think in the .rc file that syntax is OK, so I apologize for the wrong correction.
In AOSP7 that .rc part is not needed anyway.

Have a nice day all.
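
An added example, not part of any post in this thread: a small Python parser for the `avc: denied` records discussed above. It renders the rule `audit2allow` would suggest and flags the three things the thread ran into: a permissive-mode record, a grant against the generic `sysfs` label, and an MLS level mismatch of the kind `mlstrustedobject` addresses. The second log line, the `GENERIC_TYPES` set and all function names are constructed for illustration.

```python
import re

# Constructed input: line 1 is the denial quoted in the first post; line 2 is a
# made-up enforcing-mode denial against the thread's my_device type.
SAMPLE_LOG = '''\
[ 417.176302] type=1400 audit(418.589:63): avc: denied { write } for pid=3164 comm="com.android.cam" name="value" dev="sysfs" ino=9749 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[ 512.000001] type=1400 audit(513.100:71): avc: denied { read write } for pid=3200 comm="com.example.uart" name="ttyXXX" dev="tmpfs" ino=1234 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:my_device:s0 tclass=chr_file permissive=0
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: labels treated here as too broad to grant to an app domain.
GENERIC_TYPES = {"sysfs", "device", "proc"}

def parse_avc(line):
    """Split one 'avc: denied' record into the fields a policy author needs."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    src, tgt = kv["scontext"].split(":"), kv["tcontext"].split(":")  # user:role:type:level
    return {
        "perms": m.group("perms").split(),
        "source": src[2], "source_level": ":".join(src[3:]),
        "target": tgt[2], "target_level": ":".join(tgt[3:]),
        "tclass": kv["tclass"],
        "enforced": kv.get("permissive", "0") == "0",
    }

def candidate_rule(d):
    """Render the rule audit2allow-style; a review aid, not a rule to paste in."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['source']} {d['target']}:{d['tclass']} {perms};"

def review(log):
    """Return (rule, notes) for every denial found in the log text."""
    results = []
    for d in filter(None, map(parse_avc, log.splitlines())):
        notes = []
        if not d["enforced"]:
            notes.append("permissive=1: logged only, SELinux did not block it")
        if d["target"] in GENERIC_TYPES:
            notes.append(f"generic '{d['target']}' label: give the node its own type")
        if d["source_level"] != d["target_level"]:
            notes.append("MLS levels differ: check mlstrustedobject on the target type")
        results.append((candidate_rule(d), notes))
    return results

if __name__ == "__main__":
    for rule, notes in review(SAMPLE_LOG):
        print(rule, *("  # " + n for n in notes), sep="\n")
```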

Jerry Naidoo

Mar 10, 2020, 10:47:15 AM
to android-porting
Hello,

Are these changes made in the init.rc file? Also how do I set SELinux to permissive mode during build instead of through ADB Shell? Thanks

Jerry