
Native Method Problems #28

Closed
dk-zero-cool opened this issue Mar 9, 2015 · 5 comments

Comments

@dk-zero-cool commented Mar 9, 2015

When I first added this small hook back in earlier versions of Android, I was not sure that it would work, since it is basically a native method referenced from Java, but it did. But now in ART it seems that this is no longer possible, and I was wondering if this would be easy to fix.

I/Xposed  ( 1955): Not hooking native method int android.util.Log.println_native(int, int, java.lang.String, java.lang.String) 

In my case it can be easily overcome by adding a hook to each of the normal log methods like d(), e() and so on; this was just a simpler way to get them all at once. But there might be other places where this type of hook would be more useful, so I thought that I would report it.

And since I am here anyway, I have a quick question.

E/SELinux ( 1939): avc:  denied  { add } for service=com.spazedog.xposed.additionsgb.service.XSERVICE scontext=u:r:system_server:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager

When you added services for Xposed, did you ever cross paths with this issue? Before I start investigating it, I thought I would see if you already know this problem, since you have already successfully added a couple of services that seem to get past SELinux in Lollipop.

@dk-zero-cool (Author) commented Mar 9, 2015

Changed the service hook to use SystemService instead of ActivityThread, but no go. Has Google added binder checks through SELinux in Lollipop? I cannot get past it in Enforcing mode regardless of where I try. SystemService should have access to add services, since it is the one adding most of Android's services.

@rovo89 (Owner) commented Mar 9, 2015

Hooking native methods is currently disabled:
https://github.com/rovo89/android_art/blob/xposed-lollipop/runtime/mirror/art_method.cc#L400
As the comment says, it needs to be tested before releasing it "into the wild".

About registering services: Check http://forum.xda-developers.com/xposed/devs-how-to-selinux-restrictions-t2775101/
My main finding was that you need to use an existing service's name as a prefix for your own service to work around SELinux.
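As an added example (not code from this thread, from Xposed or from AOSP), the script below does two things a practitioner would want when hitting the denial quoted earlier: it parses the AVC line into its fields and prints the audit2allow-style rule it implies, and it models how a service_contexts lookup assigns a label to a service name, which is what the "existing service's name as a prefix" workaround relies on. The service_contexts excerpt, the longest-prefix-with-wildcard lookup semantics, and the set of service types system_server is assumed to be allowed to add are all assumptions made for illustration; check the device's own /service_contexts and policy rather than trusting them.

```python
import re

# Constructed sample, modelled on the AVC denial quoted in this issue.
SAMPLE_DENIAL = (
    "E/SELinux ( 1939): avc:  denied  { add } for "
    "service=com.spazedog.xposed.additionsgb.service.XSERVICE "
    "scontext=u:r:system_server:s0 "
    "tcontext=u:object_r:default_android_service:s0 tclass=service_manager"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Parse one SELinux AVC denial into a dict; None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    info = {"perms": m.group("perms").split()}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        info[key] = value
    # Contexts are user:role:type:level; allow rules are written against the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in info:
            info[ctx + "_type"] = info[ctx].split(":")[2]
    return info


def allow_rule(info):
    """The allow rule that would silence this denial (what audit2allow would print)."""
    return "allow %s %s:%s { %s };" % (
        info["scontext_type"], info["tcontext_type"], info["tclass"],
        " ".join(info["perms"]))


# ASSUMPTION: a constructed excerpt in the layout of Android's service_contexts.
# Real files list many more entries; only the format is taken from AOSP.
SERVICE_CONTEXTS = """
activity    u:object_r:activity_service:s0
package     u:object_r:package_service:s0
window      u:object_r:window_service:s0
*           u:object_r:default_android_service:s0
"""

# ASSUMPTION: service types system_server may 'add', for illustration only.
SYSTEM_SERVER_MAY_ADD = {"activity_service", "package_service", "window_service"}


def load_service_contexts(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ctx = line.split()
        entries.append((name, ctx))
    return entries


def lookup_service_context(entries, service_name):
    """ASSUMED semantics: longest matching prefix wins, '*' is the fallback."""
    best = None
    for name, ctx in entries:
        if name == "*":
            if best is None:
                best = ("", ctx)
            continue
        if service_name.startswith(name) and (best is None or len(name) > len(best[0])):
            best = (name, ctx)
    return best[1] if best else None


def add_would_be_allowed(entries, service_name, allowed_types=SYSTEM_SERVER_MAY_ADD):
    """Would system_server's 'add' of this name land on a type it may add?"""
    ctx = lookup_service_context(entries, service_name)
    return ctx is not None and ctx.split(":")[2] in allowed_types


if __name__ == "__main__":
    info = parse_avc(SAMPLE_DENIAL)
    print(allow_rule(info))
    entries = load_service_contexts(SERVICE_CONTEXTS)
    for name in (info["service"], "activity.xposed.additionsgb"):
        print(name, "->", lookup_service_context(entries, name),
              "add allowed:", add_would_be_allowed(entries, name))
```

Under the assumed lookup, the original name falls through to default_android_service (denied), while a name prefixed with "activity" inherits activity_service's label and passes; the same model shows why an exact-match lookup, or a policy that drops the wildcard entry, would close the workaround.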

@dk-zero-cool (Author) commented Mar 9, 2015

Okay, like I said, there is no rush on this. I just wanted to point out that native hooking did not work, just in case you did not know.

So Google has added service name checks to SELinux? I really don't see a point to this, unless this would be an explicit response to Xposed Framework. Without Xposed, there would be no point in apps adding Services with their own Context in their own process and so it would not make sense to add additional restrictions to it.

@rovo89 (Owner) commented Mar 9, 2015

Their SELinux policy is pretty tight now. I don't think their approach was focused on "what could we prevent", but more on "what do we need to allow". Basically, everything that isn't required was restricted. It's good from a security perspective, whitelisting is more secure than blacklisting. From a modding perspective, it's obviously making things harder. I'm not even sure how long the "hole" to use the service name as a prefix will stay available.

@dk-zero-cool (Author) commented Mar 9, 2015

Yes, it is getting difficult, especially since SELinux is quite good at what it does. I have it enabled on my own Linux machines as well. So on one hand I like the security it offers, but on the other I would very much like to find some holes in it.

Anyways, thanks for the prefix trick. The solution works for now. But yes, at some point Google might add a more specific list of names, in which case this will no longer work. But at least it helps while investigating other options.

@rovo89 rovo89 added the bug label Jun 12, 2015
C3C0 added a commit to C3C0/android_art that referenced this issue Jun 13, 2015
B--B added a commit to AOSP-JF/platform_art that referenced this issue Sep 15, 2015