search

realm / realm-java

Realm is a mobile database: a replacement for SQLite & ORMs
http://realm.io
Apache License 2.0
11.45k stars 1.75k forks source link

In a android platform app, Realm can not create a named pipe because of SELinux, and the app crashes. #7636

Closed hideie-hirata closed 2 years ago

hideie-hirata commented 2 years ago

How frequently does the bug occur?

All the time

Description

In a android platform app, Realm can not create a named pipe because of SELinux, and the app crashes. Please check the following error.

type=1400 audit(0.0:103): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=fifo_file permissive=0 app=****

Realm uses named pipes in JNI, but the android platform app can not create a named pipe at [Context.getFilesDir(](https://developer.android.com/reference/android/content/Context#getFilesDir())).

I checked the SELinux configuration of the AOSP environment. /system/etc/selinux/plat_sepolicy.cil (allow platform_app app_data_file (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads))) A platform app does not have fifo_file SELinux permission, so it can not create a named pipe.

Is it possible to avoid using named pipes or local sockets in the next Realm version?

Stacktrace & log output

jni: ThrowingException 7, Permission denied in /tmp/realm-java/realm/realm-library/src/main/cpp/io_realm_internal_OsSharedRealm.cpp line 107, .
Exception has been thrown: Permission denied in /tmp/realm-java/realm/realm-library/src/main/cpp/io_realm_internal_OsSharedRealm.cpp line 107
type=1400 audit(0.0:103): avc: denied { create } for name="access_control.new_commit.cv" scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=fifo_file permissive=0 app=********
    at io.realm.internal.OsSharedRealm.<init>(OsSharedRealm.java:175)
    at io.realm.internal.OsSharedRealm.getInstance(OsSharedRealm.java:251)
    at io.realm.BaseRealm.<init>(BaseRealm.java:141)
    at io.realm.BaseRealm.<init>(BaseRealm.java:108)
    at io.realm.Realm.<init>(Realm.java:159)
    at io.realm.Realm.createInstance(Realm.java:495)
    at io.realm.RealmCache.createInstance(RealmCache.java:494)
    at io.realm.RealmCache.doCreateRealmOrGetFromCache(RealmCache.java:461)
    at io.realm.RealmCache.createRealmOrGetFromCache(RealmCache.java:422)
    at io.realm.Realm.getDefaultInstance(Realm.java:403)
...

Can you reproduce the bug?

Yes, always

Reproduction Steps

No response

Version

10.8.0

What SDK flavour are you using?

Local Database only

Are you using encryption?

No, not using encryption

Platform OS and version(s)

Android 11.0

Build environment

Android Studio version: 4.1.2 Android Build Tools version: Android SDK(Android 11.0) Gradle version: 6.5

cmelchior commented 2 years ago

Unfortunately not, named pipes are central to our notification mechanisms and that is unlikely to change. We do have some more documentation about system apps and how to work around the issue here: https://docs.mongodb.com/realm-legacy/docs/java/latest/index.html#how-to-use-realm-in-system-apps-on-custom-roms

hideie-hirata commented 2 years ago

Unfortunately not, named pipes are central to our notification mechanisms and that is unlikely to change. We do have some more documentation about system apps and how to work around the issue here: https://docs.mongodb.com/realm-legacy/docs/java/latest/index.html#how-to-use-realm-in-system-apps-on-custom-roms

Thank you for your reply. We are developing a app with the platform signature from the android tablet manufacturer. So, we can not build custom roms. We will ask the tablet manufacturer if the rom can be customized.

Thanks,