fornwall
commented
2 weeks ago Thanks for reaching out with clear information! I think it could be resolved by early opting out and exec() passthrough when executing a file outside of the Termux prefix - I'll provide an update that I would be happy for you to check!
Btw, is this when going through the $TERMUX_PREFIX/bin/su wrapper script? If so, do you also hook so the if [ -x $p ]; check there works?
But in fact, it will affect every binary without -r permission.
As I understand this is also the case on "normal" Linux, that you can't execute a file you cannot read - from a stock ubuntu 24.04 installation:
$ echo 'echo hi' > script.sh
$ chmod u+x script.sh
$ ./script.sh
hi
$ chmod u-r script.sh
$ ./script.sh
zsh: permission denied: ./script.sh
$ eza -l script.sh
.-wx------ 8 fornwall 14 Jun 17:02 script.sh
aviraxp
dyhkwong
Problem description
In (1), if an executable file does not have -r attributes, it cannot be executed even if it is executable. We discovered this when debugging the issue that KernelSU(2) does not work with new termux (su command returns "required file not found"), because KernelSU doesn't actually place su file in /system/bin, but hook execve(2) call in kernel to redirect it to kernel impl when executing /system/bin/su. But in fact, it will affect every binary without -r permission.
(1) https://github.com/termux-play-store/termux-exec/blob/56629c46a09c26ac595a6809051b8422d279a338/src/termux-exec.c#L261 (2) https://github.com/tiann/KernelSU/blob/main/kernel/sucompat.c#L140
Steps to reproduce the behavior.
Run su command in termux with KernelSU.
What is the expected behavior?
One solution will be only open file (and continue later logic) to paths which may be blocked by the execute_no_trans sepolicy.
System information