Device-info:
Phone: Sony Xperia Z1
Model number: C6903
Android version: 5.1.1
Build Number: 14.6.A.1.236
Rooted and BusyBox installed (Play Store Version!!!)
I have formatted an SD-Card to an ext4-filesystem and put another Linux on it.
After mounting the filesystem and files without problems I want to execute:
Code:
chroot /data/local/mnt /bin/bash
where /data/local/mnt is the Linux root folder.
Executing the line above leads to the message:
Code:
chroot: can't execute '/bin/bash': Permission denied
I have checked the permissions of /bin/bash and also of /data/local/mnt and remounted nearly every path that is related to that folder with exec and rw permission. So maybe you know some special rights-associated files or folders I forgot, but I think the problem is something else...
After reading that some of the Linux-on-Android project users had some trouble executing the init.sh because of SELinux, I set it to permissive:
Code:
setenforce 0
and checked it:
Code:
root@C6903:/ # getenforce
Permissive
(Of course) chroot does not work. So I checked the kernel message buffer for SELinux AVC deny messages and BINGO:
Code:
root@C6903:/ # dmesg | grep denied
...
<36>[58575.652383] type=1400 audit(1470337082.042:10188): avc: denied { read } for pid=18553 comm="busybox" name="mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
<36>[58575.653740] type=1400 audit(1470337082.042:10189): avc: denied { open } for pid=18553 comm="busybox" name="mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
<36>[58575.655002] type=1400 audit(1470337082.042:10190): avc: denied { ioctl } for pid=18553 comm="busybox" path="/dev/block/mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
These are just 3. You can have some more if you want! So 1. QUESTION:
Why does SELinux deny something when getenforce returns Permissive???
But I first thought that could be fixed anyway by allowing all these denied permissions with:
Code:
supolicy --live "allow source_class target_class permission_class permission"
FOR EXAMPLE:
Code:
supolicy --live "allow ric rootfs file execute_no_trans"
which returns:
Code:
Patching policy ...
-allow:ric:rootfs:file:execute_no_trans=ok
- Success
Well (of course) it did not work AND I get a denied message for the exact same case for a bunch of cases.
So 2. QUESTION:
Why does allowing policies not change policies to be allowed???
(Of course) I am not 100% sure if the denial of executing chroot is related to selinux and it would be very easy to find it out if I could just set it to permissive.... So 3. QUESTION:
How to solve this problem?
Well (Of course) I could take a hammer and smash my device... I think that works well.
I appreciate your help!
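As an added example (not code from the post above), a small shell helper that reduces AVC denial lines like the dmesg output quoted there to distinct "source target:class permission" tuples with counts, so you can read off which domain is actually being denied (here ric) on which object class (blk_file) before touching policy. It assumes a sed that supports -E (GNU, toybox and busybox do) and contexts shaped like the quoted lines.

```shell
# avc_extract FILE: one "source target:class permissions" line per AVC denial line in FILE
avc_extract() {
    sed -nE 's/.*avc: +denied +\{ ([^}]+) \}.*scontext=u:r:([^:]+):s0.*tcontext=u:object_r:([^:]+):s0.*tclass=([^ ]+).*/\2 \3:\4 \1/p' "$1"
}

# avc_tuples FILE: the distinct tuples, sorted
avc_tuples() {
    avc_extract "$1" | sort -u
}

# avc_counts FILE: the distinct tuples prefixed by how often each was logged, most frequent first
avc_counts() {
    avc_extract "$1" | sort | uniq -c | sort -rn
}

# sample_avc_log FILE: the three denial lines quoted in the post plus one constructed
# repeat (audit id 10191, not from the device) so that the counting is visible
sample_avc_log() {
    cat > "$1" <<'EOF'
<36>[58575.652383] type=1400 audit(1470337082.042:10188): avc: denied { read } for pid=18553 comm="busybox" name="mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
<36>[58575.653740] type=1400 audit(1470337082.042:10189): avc: denied { open } for pid=18553 comm="busybox" name="mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
<36>[58575.655002] type=1400 audit(1470337082.042:10190): avc: denied { ioctl } for pid=18553 comm="busybox" path="/dev/block/mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
<36>[58575.660000] type=1400 audit(1470337082.050:10191): avc: denied { read } for pid=18553 comm="busybox" name="mmcblk0p23" dev="tmpfs" ino=9821 scontext=u:r:ric:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file op_res=0 ppid=4602 pcomm="ric" tgid=4602 tgcomm="ric"
EOF
}

# Demo on the constructed sample; on the device, feed it the output of
# `dmesg | grep 'avc: denied'` instead
tmp=$(mktemp) && sample_avc_log "$tmp" && avc_counts "$tmp"
rm -f "$tmp"
```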
Related
Hi!
I want to create a script that runs during boot without needing SManager.
I want to run this command at boot:
Code:
mount -o bind /storage/sdcard1/data/com.google.android.music/ /storage/sdcard0/Android/data/com.google.android.music/
That's what I think I should do:
I put this code in a file called "99userinit" and then push it via adb to "/system/etc/init.d" and then set the permissions of "99userinit" to 755. That's it.
1) Will this script work as expected in CyanogenMod 10.1?
2) Will it survive when I update my nightly?
I am currently running stock 10.1-20130603-NIGHTLY-i9100. No mods whatsoever.
Thank you!
My progress report
So I just tried to do it by myself, here's what happened:
This is what my "99userinit" script looks like:
Code:
#!/system/bin/sh
mount -o bind /storage/sdcard1/data/com.google.android.music/ /storage/sdcard0/Android/data/com.google.android.music/
Did not work as planned, so I went to the teamhacksung IRC channel and got some help.
I put it in "/system/etc/init.d/" and restarted the phone. Here's what I got:
Code:
127|[email protected]:/proc $ /system/xbin/run-parts -l /system/etc/init.d
/system/xbin/run-parts -l /system/etc/init.d
/system/etc/init.d/00banner
/system/etc/init.d/90userinit
/system/etc/init.d/99userinit
I/run-parts( 1871): mount: No such file or directory
I/run-parts( 1871): run-parts: /system/etc/init.d/99userinit exited with code 255
I/logwrapper( 1871): /system/xbin/run-parts terminated by exit(1)
Then I put my script in "/data/local/userinit.d/" and restarted the phone. Here's what I got:
Code:
[email protected]:/ # /system/xbin/run-parts -l /data/local/userinit.d
/system/xbin/run-parts -l /data/local/userinit.d
/data/local/userinit.d/99userinit
I/busybox ( 1941): mount: No such file or directory
I/busybox ( 1941): run-parts: /data/local/userinit.d/99userinit exited with code 255
I/logwrapper( 1941): busybox terminated by exit(1)
I will update this thread, as I progress further.
Problem solved!
The script now works fine, here's what it looks like:
Code:
#!/system/bin/sh
sleep 50s
mount -o bind /storage/sdcard1/data/com.google.android.music/ /storage/sdcard0/Android/data/com.google.android.music/
Why wait 50 seconds you ask? Because 40 seconds are too short. :-/
Because I am not very satisfied with the sleep command, I will look a bit further into shell scripting and "ACTION_MEDIA_SCANNER_FINISHED". But seeing this as my first programming project ever, it's going to take me a while.
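As an added example (not the poster's script), a version of 99userinit that polls /proc/mounts until the external storage is actually mounted instead of sleeping a fixed 50 seconds, then does the same bind mount. It assumes the paths from the post, that /storage/sdcard1 appears in /proc/mounts once vold has mounted it, and a busybox/mksh-style sh as used by init.d scripts on CyanogenMod.

```shell
#!/system/bin/sh
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"   # overridable so the helpers can be tested off-device
SRC=/storage/sdcard1/data/com.google.android.music/
DST=/storage/sdcard0/Android/data/com.google.android.music/

# is_mounted DIR: returns 0 if DIR is listed as a mount point in $MOUNTS_FILE, else 1
is_mounted() {
    while read -r _dev _mnt _rest; do
        [ "$_mnt" = "$1" ] && return 0
    done < "$MOUNTS_FILE"
    return 1
}

# wait_for_mount DIR SECONDS: poll once per second; 0 as soon as DIR is mounted, 1 on timeout
wait_for_mount() {
    _left="$2"
    while [ "$_left" -gt 0 ]; do
        is_mounted "$1" && return 0
        sleep 1
        _left=$((_left - 1))
    done
    return 1
}

# bind_music_dir: the boot-time action; gives up with a message (visible via logcat through
# logwrapper) instead of running mount against paths that do not exist yet
bind_music_dir() {
    wait_for_mount /storage/sdcard1 120 || { echo "99userinit: /storage/sdcard1 not mounted after 120s" >&2; return 1; }
    [ -d "$SRC" ] && [ -d "$DST" ] || { echo "99userinit: $SRC or $DST does not exist" >&2; return 1; }
    mount -o bind "$SRC" "$DST"
}

# demo_offline: exercise the helpers against a constructed two-line mounts table (sample data,
# not taken from a device); returns 0 when sdcard1 is seen as mounted and sdcard0 is not
demo_offline() {
    MOUNTS_FILE=$(mktemp)
    printf '%s\n' '/dev/block/vold/179:97 /storage/sdcard1 vfat rw,nosuid,nodev,noexec,relatime 0 0' \
                  '/dev/fuse /storage/emulated/0 fuse rw,nosuid,nodev,relatime 0 0' > "$MOUNTS_FILE"
    is_mounted /storage/sdcard1 && ! is_mounted /storage/sdcard0
    _rc=$?
    rm -f "$MOUNTS_FILE"; MOUNTS_FILE=/proc/mounts
    return $_rc
}

# run-parts launches the script by its init.d path, so only then perform the real bind mount;
# run by hand from anywhere else it just exercises the helpers on the constructed table
case "$0" in
    */init.d/*|*/userinit.d/*) bind_music_dir ;;
    *) demo_offline ;;
esac
```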
I have an app that I push to /data/local/tmp/myapp.
I have root access for a while in an exploit, so my goal is to set up "privileges" on /data/local/tmp/myapp so that it runs as root even if it was called from sh (sh is running with shell privileges).
_________________________________
BEFORE 4.3 the code works fine (executing in the context of a process with root privileges):
Code:
#include <unistd.h>
#include <sys/stat.h>
chown("/data/local/tmp/myapp", 0, 0);   // owner to root
chmod("/data/local/tmp/myapp", 06777);  // chmod myapp to suid
ls shows cute output after that:
-rwxrwxrwx root root myapp
That's enough for myapp to start with uid == 0 even when it was launched from "sh" with shell's uid.
On 4.3 this is NOT ENOUGH. Additional SE policies come into play here ...
ls -Z shows the following output:
-rwxrwxrwx root root u:object_r:shell_data_file:s0 myapp
When I start myapp from sh BEFORE 4.3 everything goes fine, but on 4.3 myapp launches with uid != 0.
PS: modifying the context of myapp through chcon to u:object_r:system_file:s0 didn't help.
_________________________________
Maybe someone has some ideas where I can continue my research?
Hi. I need a little help with this.
I modified some APKs (systemui, home-release, services.jar) with apktool in Windows 8.1. After that I had some problems running the ROM (bootloops), but in the end I got it working by setting byeselinux in the dual recovery to "true", so with SELinux deactivated. Nut pointed out to me that the trouble is probably because the SELinux context has been broken by using the Windows machine to decompile these files, and suggested I use "restorecon" to relabel the context.
I don't know very much about this, and I tried to do it by terminal command on the device, but I got this message.
Code:
[email protected]:/ $ su
[email protected]:/ # restorecon -R -v /system/app
SELinux: Loaded file_contexts from /file_contexts
SELinux: Relabeling /system/app/home-release/home-release.apk from u:object_r:unlabeled:s0 to u:object_r:system_file:s0.
SELinux: Could not set context for /system/app/home-release/home-release.apk: Read-only file system
Could not restorecon /system/app: Success
[email protected]:/ # restorecon -R /system/app
SELinux: Loaded file_contexts from /file_contexts
SELinux: Could not set context for /system/app/home-release/home-release.apk: Read-only file system
Could not restorecon /system/app: Success
[email protected]:/ #
I don't know why I get the message that home-release is a read-only file system.
Any help will be really appreciated. Cheers.
Hi everyone (and sorry, can't post proper links yet),
I'm a security/pentester looking for a generic way of circumventing root detection. The only thing I'm usually interested in is having full filesystem access (to check how apps encrypt their data), starting a couple of execs as root (e.g. frida-server) and having a root shell in general. I have a Nexus 5 "hammerhead", installed the full stock image MOB30Y, then checked the kernel and downloaded the kernel source code for the matching 3.4.0-gcef4f17. I added a backdoor to the kernel code, similar to this backdoor: github.com/allwinner-zh/linux-3.4-sunxi/blob/bd5637f7297c6abf78f93b31fc1dd33f2c1a9f76/arch/arm/mach-sunxi/sunxi-debug.c#L41 , then recompiled the kernel and booted the device with that kernel. So far so good:
Code:
shell@hammerhead:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
*trigger the backdoor*
Code:
shell@hammerhead:/ $ id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
So I'm uid 0 now. Now I just need to get around the SELinux mess. Problem:
Code:
shell@hammerhead:/data/data $ ls /data/data
opendir failed, Permission denied
My question: does anybody know how I can call functions from android.googlesource.com/platform/external/libselinux/+/jb-mr1-dev-plus-aosp/include/selinux/selinux.h so I get the init context?
I'm not too familiar with these calls.... I think something along:
Code:
#include <selinux/selinux.h>
if (is_selinux_enabled()) {
    security_context_t cont;   // libselinux typedef for char *
    getcon(&cont);             // This should get the kernel's context
    // How do I assign the kernel's context to the "current" process context?
    // ?
    freecon(cont);
}
Hi all,
Trying to build CM 12.1 for the old otter2. Everything works, but the previous developers have a shell script that runs from init.d that remounts system as rw, calibrates the WiFi adapter, then remounts as ro.
I'm having issues with SELinux allowing me to do this. I've added the appropriate sepolicy to the .te, but this is in violation of a global denyall.
Code:
allow fixmac labeledfs:filesystem remount;
So when I build I get this:
Code:
libsepol.report_failure: neverallow on line 268 of external/sepolicy/domain.te (or line 8279 of policy.conf) violated by allow fixmac labeledfs:filesystem { remount };
libsepol.check_assertions: 1 neverallow failures occurred
This is the offending policy:
Code:
neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
And the offending mount point:
Code:
/dev/block/platform/omap/omap_hsmmc.1/by-name/system /system ext4 ro,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0
What's the right way to allow me to mount the fs rw so I can write the calibration file? As far as I can tell it needs to be done at boot for each device. I could add the firmware to the image, but then everyone would have the same MAC address.
I can run the script without issue via an adb shell, but I assume root doesn't care about selinux policies?