[Bug]: Open file before executing can break exec

[aviraxp]

Problem description

In (1), if an executable file does not have -r attributes, it cannot be executed even if it is executable. We discovered this when debugging the issue that KernelSU(2) does not work with new termux (su command returns "required file not found"), because KernelSU doesn't actually place su file in /system/bin, but hook execve(2) call in kernel to redirect it to kernel impl when executing /system/bin/su. But in fact, it will affect every binary without -r permission.

(1) https://github.com/termux-play-store/termux-exec/blob/56629c46a09c26ac595a6809051b8422d279a338/src/termux-exec.c#L261 (2) https://github.com/tiann/KernelSU/blob/main/kernel/sucompat.c#L140

Steps to reproduce the behavior.

Run su command in termux with KernelSU.

What is the expected behavior?

One solution will be only open file (and continue later logic) to paths which may be blocked by the execute_no_trans sepolicy.

System information

• Termux application version: 0.125
• Android OS version: 14
• Device model: Oneplus PJA110

[fornwall]

Thanks for reaching out with clear information! I think it could be resolved by early opting out and exec() passthrough when executing a file outside of the Termux prefix - I'll provide an update that I would be happy for you to check!

Btw, is this when going through the $TERMUX_PREFIX/bin/su wrapper script? If so, do you also hook so the if [ -x $p ]; check there works?

But in fact, it will affect every binary without -r permission.

As I understand this is also the case on "normal" Linux, that you can't execute a file you cannot read - from a stock ubuntu 24.04 installation:

$ echo 'echo hi' > script.sh
$ chmod u+x script.sh 
$ ./script.sh 
hi
$ chmod u-r script.sh
$ ./script.sh 
zsh: permission denied: ./script.sh
$ eza -l script.sh 
.-wx------ 8 fornwall 14 Jun 17:02 script.sh

[fornwall]

@aviraxp I made a change to the Termux su wrapper script in https://github.com/termux-play-store/termux-tools/commit/9187cfa169cc64861a0fc7e98a01b9c78eb1634d and released that as version 3.0.6 of the termux-tools package.

Can you verify that it works by upgrading the package with pkg up and then running su?

Will fix termux-exec to not mess with files outside of the termux prefix as well, but good to verify the above as a first step!

[aviraxp]

It is fixed, thx!

[dyhkwong]

Only su was fixed, things like tsu (sudo) are still broken. Can you keep this issue open until a more general fix?

[fornwall]

@dyhkwong Sure, thanks for the report!

[fornwall]

@aviraxp & @dyhkwong The termux-exec package has just been updated to 1.3, which should fix this issue (tsu should work, as well as executing /system/bin/su directly in the shell).

Can you run pkg up and verify that it works as expected?

Have updated the bootstrap packages included in the app starting from app version 0.129 so that it will work out of the box for new installations.

[dyhkwong]

It works on my device, thanks!

The termux-exec package has just been updated to 1.3, which should fix this issue (tsu should work, as well as executing /system/bin/su directly in the shell).

Can you run pkg up and verify that it works as expected?

Will update the bootstrap packages included in the app so that it will work out of the box for new installations.

[fornwall]

@dyhkwong Great! Thanks for the help here 🙇 .