Closed mag01 closed 9 years ago
Thanks for pointing this out. Sounds like a pain. Here are some relevant links:
http://ausdroid.net/2014/10/22/lollipop-state-root/ http://www.androidpolice.com/2014/10/20/chainfire-explains-his-root-method-for-the-latest-lollipop-developer-preview-modified-kernels-may-become-a-requirement/
I think that what you need to do is to extend the su launching code in your com.elsdoerfer.android.autostarts.Utils class to launch it in the specific SELinux context, most likely "u:r:system_app:s0" (but maybe "u:r:platform_app:s0" will be enough, I don't know, better to try), via su --context
And wrap some SELinux policy (and perhaps also SDK version) detection around it so that it's only applied for Enforcing policy (/sys/fs/selinux/enforce exists and returns 1 - like it's done for example here https://android.googlesource.com/platform/cts/+/master/tests/tests/security/src/android/security/cts/KernelSettingsTest.java) and perhaps also SDK version 18 and higher (JELLY_BEAN_MR2 - first with SELInux). And from performance standpoint it's better to detect this on startup (or when needed for the 1st time) and then cache the result so that it doesn't have to be checked over and over again..
EDIT: It seems that context "u:r:untrusted_app:s0" may be enough here as the following command succeeds when executed from shell: su --context u:r:untrusted_app:s0 -c LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/system/lib" pm disable 'com.skype.raider/com.skype.android.push.DeviceBootReceiver'
If it won't work from the application, you may try one of the more privileged ones such as "u:r:platform_app:s0" or even "u:r:system_app:s0". But it's better to start with the least privileged one and see if that's enough.
Thanks a lot for your hints. I'm currently working on getting my hands on a 5.0 device so I can test.
Google Nexus 5 Android 5.0 (LRX21O) Rooted using current CF-Auto-Root (SuperSU 2.20) for Nexus 5/Android 5.0
Root can be obtained (other apps work fine and gain root as well), however getting SELinux denials for Autostarts, example for disabling Skype (check out the "avc: denied" line):