ElderDrivers / EdXposed

Elder driver Xposed Framework.
https://edxp.meowcat.org/
GNU General Public License v3.0

[Question] Enable file access services #98

Closed Firefds closed 5 years ago

Firefds commented 5 years ago

I am trying to give and access file preferences, but it doesn't seem to work. I see that file access services are not implemented yet and that I should use magiskpolicy to enable the needed SELinux policies. Any quick guide on how I should do that? I can't find anything explaining this.

solohsu commented 5 years ago

Seems like same problem with this https://github.com/ElderDrivers/EdXposed/commit/8c4682e2b3e908c4aa42cd4a0ebd18edb90345ca#comments

solohsu commented 5 years ago

Usage of magiskpolicy: https://github.com/topjohnwu/Magisk/blob/master/docs/tools.md#magiskpolicy. SELinux policy related files are placed under /system/etc/selinux/ on the device, while the main content is in /system/etc/selinux/plat_sepolicy.cil.

solohsu commented 5 years ago

I have added some rules here and thought it should be sufficient.

C3C0 commented 5 years ago

SystemUI is considered to be part of "coredomain"? I don't see into these things so sorry for asking.

solohsu commented 5 years ago

```cil
(typeattributeset coredomain (adbd audioserver blkid blkid_untrusted bluetooth bootanim bootstat bufferhubd cameraserver charger clatd cppreopts crash_dump dex2oat dhcp dnsmasq drmserver dumpstate e2fs ephemeral_app fingerprintd fsck fsck_untrusted gatekeeperd healthd hwservicemanager idmap incident incident_helper incidentd init inputflinger install_recovery installd isolated_app kernel keystore lmkd logd logpersist mdnsd mediadrmserver mediaextractor mediametrics mediaprovider mediaserver modprobe mtp netd netutils_wrapper nfc otapreopt_chroot otapreopt_slot performanced platform_app postinstall postinstall_dexopt ppp preopt2cachename priv_app profman racoon radio recovery recovery_persist recovery_refresh runas sdcardd secure_element servicemanager sgdisk shared_relro shell slideshow surfaceflinger system_app system_server thermalserviced tombstoned toolbox traced_probes traceur_app tzdatacheck ueventd uncrypt untrusted_app untrusted_app_27 untrusted_app_25 untrusted_v2_app update_engine update_verifier usbd vdc virtual_touchpad vold vold_prepare_subdirs vr_hwc watchdogd webview_zygote wificond wpantund zygote dataservice_app dpmd dun-server mirrorlink vendor_mmi_sys perfservice qtelephony qvrd wfdservice atrace blank_screen bpfloader dexoptanalyzer hal_allocator_default perfetto stats statsd storaged traced wait_for_keymaster bt_logger seempd smcinvoke_daemon ))
```

You can find one line like the above in /system/etc/selinux/plat_sepolicy.cil; it defines coredomain as containing platform_app, to which SystemUI belongs, I think. Or maybe I got it wrong?

C3C0 commented 5 years ago

SystemUI is priv_app but that's in coredomain as well...

solohsu commented 5 years ago

```
u:r:platform_app:s0:c512,c768 u0_a25 2942 707 4078900 184128 SyS_epoll_wait 7a9994e8e8 S com.android.systemui
```

Yes, all appdomain should be included in coredomain; maybe you should try domain?...

C3C0 commented 5 years ago

I only have these files in /system/etc/selinux: plat_mac_permissions.xml and selinux_denial_metadata. The latter one contains:

```
cppreopts cppreopts capability 79414024
dexoptanalyzer apk_data_file file 77853712
dexoptanalyzer app_data_file file 77853712
dexoptanalyzer app_data_file lnk_file 77853712
dexoptanalyzer system_data_file lnk_file 77853712
dnsmasq netd fifo_file 77868789
dnsmasq netd unix_stream_socket 77868789
init app_data_file file 77873135
init cache_file blk_file 77873135
init logpersist file 77873135
init nativetest_data_file dir 77873135
init pstorefs dir 77873135
init shell_data_file dir 77873135
init shell_data_file file 77873135
init shell_data_file lnk_file 77873135
init shell_data_file sock_file 77873135
init system_data_file chr_file 77873135
mediaextractor app_data_file file 77923736
mediaextractor radio_data_file file 77923736
mediaprovider cache_file blk_file 77925342
mediaprovider mnt_media_rw_file dir 77925342
mediaprovider shell_data_file dir 77925342
netd priv_app unix_stream_socket 77870037
netd untrusted_app unix_stream_socket 77870037
netd untrusted_app_25 unix_stream_socket 77870037
netd untrusted_app_27 unix_stream_socket 77870037
otapreopt_chroot postinstall_file lnk_file 75287236
platform_app nfc_data_file dir 74331887
postinstall postinstall capability 77958490
postinstall_dexopt postinstall_dexopt capability 77958490
postinstall_dexopt user_profile_data_file file 77958490
priv_app system_data_file dir 72811052
profman apk_data_file dir 77922323
radio statsdw_socket sock_file 78456764
statsd hal_health_default binder 77919007
storaged storaged capability 77634061
surfaceflinger mediacodec binder 77924251
system_server crash_dump process 73128755
system_server logd_socket sock_file 64734187
system_server sdcardfs file 77856826
system_server zygote process 77856826
untrusted_app_25 system_data_file dir 72550646
untrusted_app_27 system_data_file dir 72550646
usbd usbd capability 72472544
zygote untrusted_app_25 process 77925912
```

Firefds commented 5 years ago

I don't have the plat_sepolicy.cil file either. Is there a way to get this list using terminal commands?

Edit: Extracting the boot.img I got this file: plat_seapp_contexts.txt

Does this help in any way?

solohsu commented 5 years ago

@Firefds Need .te files, rules are defined there. Can you execute `magiskpolicy --live "allow coredomain app_data_file * *"` in the device's shell to see if it prompts an error?

Firefds commented 5 years ago

@solohsu no error message prompt

solohsu commented 5 years ago

magisk-EdXposed-v0.2.9.9_beta2-SNAPSHOT.zip @Firefds @C3C0 Please check this build. I replaced `supolicy --live "allow coredomain app_data_file * *"` with `supolicy --live "allow {zygote system_server} app_data_file * *"`.

C3C0 commented 5 years ago

The same. Nothing changed for me.

Firefds commented 5 years ago

@solohsu I used https://github.com/xmikos/setools-android to get some selinux info from my device. here are some files that may be interesting:

All info not expanded all.txt

All info expanded - this could be what you need all-expanded.txt

coredomain attribute expanded coredomain.txt

if you need any other info please update

Firefds commented 5 years ago

@solohsu actually, I tested the snapshot again, this time by deleting the previous version and reinstalling the module. This time Xposed was still active, but I couldn't hook methods, at least methods inside /data/app APKs.

C3C0 commented 5 years ago

I believe it has something to do with MLS constraints. For example, access to folders within app_data_file is defined as:

```
mlsconstrain { dir } { read getattr search  }
(  t2 app_data_file ==  l1 l2  dom  ||  t1 { adbd audioserver bufferhubd cppreopts drmserver dumpstate pdx_display_client_endpoint_socket pdx_display_manager_endpoint_socket pdx_display_screenshot_endpoint_socket pdx_display_vsync_endpoint_socket pdx_performance_client_endpoint_socket pdx_bufferhub_client_endpoint_socket hwservicemanager incidentd init installd kernel keystore lmkd logd mdnsd mediacodec mediadrmserver mediaextractor mediaserver netd otapreopt_slot performanced racoon radio runas servicemanager shell surfaceflinger system_server tee tombstoned traced_probes uncrypt vdc vendor_init vold webview_zygote zygote dexoptanalyzer statsd storaged traced hal_audio_default hal_drm_default rild apaservice at_distributor dmb epmlogd eris gpsd hal_sbtvd_default hal_wsm_default jackservice mobicore multiclientd oneseg_mw otp_server pa_daemon pageboostd remotedisplay sechcserver secure_storage ss_conn_daemon ssud sysmon tlc_server tsdaemon visiond wsmd gllogd attiqi_app mmb_mw magisk } ==  ||  t2 { alarm_device ashmem_device binder_device hwbinder_device pmsg_device gpu_device graphics_device mtp_device ptmx_device null_device random_device owntty_device tty_device zero_device fuse_device ion_device qtaguid_device uhid_device tun_device usbaccessory_device usb_device qtaguid_proc proc_qtaguid_stat proc_bluetooth_writable selinuxfs cgroup sysfs sysfs_bluetooth_writable sysfs_kernel_notes sysfs_nfc_power_writable inotify devpts fuse sdcardfs vfat exfat debugfs_trace_marker debugfs_tracing debugfs_tracing_debug functionfs system_data_file anr_data_file tombstone_data_file apk_tmp_file apk_private_tmp_file ota_package_file user_profile_data_file shell_data_file heapdump_data_file ringtone_file bluetooth_data_file media_rw_data_file radio_data_file trace_data_file perfprofd_data_file method_trace_data_file system_app_data_file cache_file cache_backup_file cache_recovery_file wallpaper_file shortcut_manager_icons asec_apk_file backup_data_file bluetooth_efs_file
app_fuse_file dnsproxyd_socket dumpstate_socket fwmarkd_socket logd_socket logdr_socket logdw_socket mdnsd_socket property_socket system_ndebug_socket tombstoned_crash_socket tombstoned_java_trace_socket traced_producer_socket pdx_display_client_endpoint_socket pdx_display_manager_endpoint_socket pdx_display_screenshot_endpoint_socket pdx_display_vsync_endpoint_socket pdx_performance_client_endpoint_socket pdx_bufferhub_client_endpoint_socket statsdw_socket priv_app_tmpfs traced_tmpfs kgsl_device sec_poc_file stitch_device pa_daemon_device mobicore_user_device tz_user_device secure_storage_device carrier_file tdmb_device playready_file napproxyd_socket tz_socket bsd_socket uibc_socket mobicore_file vendor_mobicore_data_file mobicore_data_file omr_file sec_data_file sysfs_lcd_writable sysfs_mdnie_writable wifi_efs_file snap_efs_file knoxcore_data_file snap_data_file localtm_data_file arcounter_data_file genlock_device ovr_device system_fifo tz_device url_device usb_bus_device knox_dar_device knox_dar_shared_device mst_ctrl_device m2m1shot_device pvrsync_device uart_device dri_device retailmode_efs_file sysfs_app_writable sysfs_exynos_writable sysfs_sec knox_clipboard_file app_fonts_data_file dumplog_data_file fido_data_file smartcard_data_file users_system_data_file tunman_data_file app_efs_file carrier_efs_file imei_efs_file sec_efs_file pfw_efs_file downfilters_lib_file frigate_socket imsd_socket jack_socket msockets_socket mtp_socket ss_conn_daemon_socket tunman_socket container_data_file mmb_data_file oneseg_data_file itsonapp_data_file sprintitson_file wsm_socket lgt_contents_file lxd_data_file lxd_run_file lxd_share_data_file nfcfelica_device felica_device felicashell_device securityfs felica_data_file magisk_file } ==  || );
```

If we could adjust that using supolicy or magiskpolicy to add platform_app, it should do the trick.

Btw, I tried to make the platform_app class permissive by adding:

```
supolicy --live "permissive platform_app"
```

to post-fs-data.sh, and reading prefs from SystemUI started to work. But this is not ideal since it makes everything in the platform_app class run in permissive mode.

Firefds commented 5 years ago

@C3C0 unfortunately, adding `supolicy --live "permissive platform_app"` doesn't seem to work for me. Maybe I'm missing something.

solohsu commented 5 years ago

@Firefds Have you tried adding platform_app to mlstrustedsubject?

Firefds commented 5 years ago

@solohsu I just built the latest commit from @C3C0 , and I can't make it work. The odd thing that when I pull the seinfo again, I see no change from the older info. To be fair - I have a Samsung device, so maybe it's different, or my module isn't working correctly.

C3C0 commented 5 years ago

Did you check logcat? There should be auditing info when access gets denied. Also make sure your full app data file hierarchy has correct permissions. Even root folder (package name) should be rx for all.

Firefds commented 5 years ago

File permissions:

```
/data/data/sb.firefds.pie.firefdskit:
drwxrwxr-x   5 u0_a824 u0_a824        4096 2019-02-23 18:33 .
drwxrwx--x 478 system  system        20480 2019-02-23 21:35 ..
drwxrws--x   2 u0_a824 u0_a824_cache  4096 2019-02-24 01:40 cache
drwxrws--x   2 u0_a824 u0_a824_cache  4096 2019-02-23 18:33 code_cache
drwxrwxr-x   2 u0_a824 u0_a824        4096 2019-02-24 00:57 shared_prefs
./shared_prefs:
-rwxrwxr-x 1 u0_a824 u0_a824 2122 2019-02-24 00:57 sb.firefds.pie.firefdskit_preferences.xml
```

Regarding logcat:

```
2019-02-24 01:49:46.950 3223-3223/? E/audit: type=1400 audit(1550965786.946:35998): avc:  denied  { search } for  pid=13222 comm="XSharedPreferen" name="sb.firefds.pie.firefdskit" dev="sda24" ino=2015802 scontext=u:r:system_app:s0 tcontext=u:object_r:app_data_file:s0:c56,c259,c512,c768 tclass=dir permissive=0 SEPF_SM-G950F_9_0001 unfiltered
2019-02-24 01:49:46.951 3223-3223/? E/audit: type=1300 audit(1550965786.946:35998): arch=c00000b7 syscall=79 success=no exit=-13 a0=ffffff9c a1=7eff2f7760 a2=7ee4e4ae18 a3=0 items=0 ppid=3396 pid=13222 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="XSharedPreferen" exe="/system/bin/app_process64" subj=u:r:system_app:s0 key=(null)
2019-02-24 01:49:46.952 3223-3223/? E/audit: type=1400 audit(1550965786.946:35999): avc:  denied  { search } for  pid=13222 comm="XSharedPreferen" name="sb.firefds.pie.firefdskit" dev="sda24" ino=2015802 scontext=u:r:system_app:s0 tcontext=u:object_r:app_data_file:s0:c56,c259,c512,c768 tclass=dir permissive=0 SEPF_SM-G950F_9_0001 unfiltered
2019-02-24 01:49:46.952 3223-3223/? E/audit: type=1300 audit(1550965786.946:35999): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffff9c a1=7eff2f7760 a2=0 a3=0 items=0 ppid=3396 pid=13222 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="XSharedPreferen" exe="/system/bin/app_process64" subj=u:r:system_app:s0 key=(null)
```

There are a bunch more of denied stuff, so I'm not sure what is relevant

solohsu commented 5 years ago

@Firefds The logcat indicates that you are accessing app_data_file from a system_app. What app are you testing against? You can try to add `supolicy --live "attradd system_app mlstrustedsubject"` or use `supolicy --live "attradd {system_app platform_app} mlstrustedsubject"` to cover both @C3C0's and your need.
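Tying together C3C0's mlsconstrain observation and the avc denials Firefds posted: the denied subject was `u:r:system_app:s0`, which carries no MLS categories, while the target was labelled `s0:c56,c259,c512,c768`. The constraint on app_data_file requires `l1 dom l2` (the subject's level must dominate the object's: same or higher sensitivity and a superset of its categories) unless the subject type is in mlstrustedsubject, so an `allow` rule alone can never satisfy it; that is why `attradd ... mlstrustedsubject` works where `allow coredomain app_data_file * *` did not. The script below is an added example, not code from EdXposed or from anyone in this thread. It parses avc lines, implements the dominance check, and emits the magiskpolicy statement matching each cause, in the `attradd` / `allow` syntax used in this thread. The first two sample lines are the denials quoted above; the third is constructed to exercise the type-enforcement branch (an app_data_file whose categories match the subject's, which a real device would not normally produce). The classification is a heuristic: an AVC denial does not say whether TE or a constraint rejected the request, so after adding the attribute, re-check logcat for a remaining TE denial.

```python
"""Classify SELinux avc denials as MLS-constraint vs type-enforcement failures
and emit the matching magiskpolicy statement.

Added example, not EdXposed code. Assumes Android-style contexts of the form
user:role:type:sensitivity[:categories] as printed in logcat audit lines.
"""
import re
from dataclasses import dataclass

# Sample input: two denials quoted in this thread plus one CONSTRUCTED line
# (marked as such) in which subject and object categories match, so only a
# missing TE rule can explain the denial. Not captured from a real device.
SAMPLE_LOG = """\
2019-02-24 01:49:46.950 3223-3223/? E/audit: type=1400 audit(1550965786.946:35998): avc:  denied  { search } for  pid=13222 comm="XSharedPreferen" name="sb.firefds.pie.firefdskit" dev="sda24" ino=2015802 scontext=u:r:system_app:s0 tcontext=u:object_r:app_data_file:s0:c56,c259,c512,c768 tclass=dir permissive=0 SEPF_SM-G950F_9_0001 unfiltered
2019-02-24 01:49:46.952 3223-3223/? E/audit: type=1400 audit(1550965786.946:35999): avc:  denied  { search } for  pid=13222 comm="XSharedPreferen" name="sb.firefds.pie.firefdskit" dev="sda24" ino=2015802 scontext=u:r:system_app:s0 tcontext=u:object_r:app_data_file:s0:c56,c259,c512,c768 tclass=dir permissive=0 SEPF_SM-G950F_9_0001 unfiltered
CONSTRUCTED: avc:  denied  { read open } for  pid=2942 comm="ndroid.systemui" name="prefs.xml" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sens: int          # "s0" -> 0
    cats: frozenset    # {56, 259, 512, 768}


def parse_cats(spec: str) -> frozenset:
    """Expand 'c56,c259' or a range such as 'c0.c1023' into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_context(ctx: str) -> Context:
    """Split user:role:type:level; for a range 'low-high' only the low level is used."""
    user, role, typ, level = ctx.split(":", 3)
    level = level.split("-")[0]
    sens, _, cats = level.partition(":")
    return Context(user, role, typ, int(sens[1:]), parse_cats(cats))


def dominates(subj: Context, obj: Context) -> bool:
    """SELinux 'l1 dom l2': sensitivity >= and the subject's categories are a superset."""
    return subj.sens >= obj.sens and subj.cats >= obj.cats


@dataclass
class Denial:
    perms: tuple
    scontext: Context
    tcontext: Context
    tclass: str
    cause: str  # "mls": level check fails, "te": only a missing allow rule can explain it


def classify(line: str):
    """Parse one log line; return a Denial, or None if it is not an avc denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    s, t = parse_context(m["scontext"]), parse_context(m["tcontext"])
    cause = "te" if dominates(s, t) else "mls"
    return Denial(tuple(m["perms"].split()), s, t, m["tclass"], cause)


def suggest(d: Denial) -> str:
    """magiskpolicy statement for the classified cause (syntax as used in this thread)."""
    if d.cause == "mls":
        return f'magiskpolicy --live "attradd {d.scontext.type} mlstrustedsubject"'
    perms = " ".join(d.perms)
    return f'magiskpolicy --live "allow {d.scontext.type} {d.tcontext.type} {d.tclass} {{ {perms} }}"'


def analyze(log: str) -> list:
    """Return unique (cause, statement) pairs in first-seen order."""
    seen = {}
    for line in log.splitlines():
        d = classify(line)
        if d is not None:
            seen.setdefault((d.cause, suggest(d)), None)
    return list(seen)


if __name__ == "__main__":
    for cause, stmt in analyze(SAMPLE_LOG):
        print(f"{cause:3}  {stmt}")
```

Run it on `adb logcat -b all | grep avc` output to see which denials an `allow` rule can address and which need the subject type added to mlstrustedsubject. Adding a domain to mlstrustedsubject exempts it from every MLS constraint, not just the one on app_data_file, so prefer the narrowest domain (system_app on the Samsung build here, platform_app elsewhere) over coredomain.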

Firefds commented 5 years ago

@solohsu I was testing on both SystemUI and Settings. It seems that on Samsung device it's system_app, which worked

solohsu commented 5 years ago

@Firefds If it worked, please create a pull request, I'll merge it. :)

solohsu commented 5 years ago

https://github.com/ElderDrivers/EdXposed/pull/109