[Android Q Beta] Apps can no longer execute binaries in their home directory (execute_no_trans) [128554619]

WAI

Bug

Platform

Status Update

No update yet.

Description

d4...@gmail.com

created issue #1

Mar 14, 2019 08:23AM

* Which Android Beta build are you using? See Settings > About phone > Build number (for example PPP5.180610.010).
QPP1.190205.018.B3

* Is this a regression from P to Q?
Yes, worked on P, doesn't work on Q, change is undocumented.

* What device are you using? (for example, Pixel XL)
Emulator

* What are the steps to reproduce the problem? (Please provide the minimal reproducible test case.)
Try to run a binary from the apps private data dir (e.g. /data/data/<pkg/files).

* Issue Category e.g. Framework (platform), NDK (platform), Hardware (CPU, GPU, Sensor, Camera), ART (platform), Runtime Permissions etc
Framework (platform) / SELinux, Policy

* What was the expected result?
That I can run the binary.

* What was the actual result?
sh: <stdin>[31]: ./data/user/0/<pkg>/files/toybox: Permission denied

* Relevant logcat output.
W/sh: type=1400 audit(0.0:6585): avc: denied { execute_no_trans } for path="/data/data/eu.thedarken.sdm/files/toybox_sdm" dev="vdc" ino=115932 scontext=u:r:untrusted_app:s0:c110,c256,c512,c768 tcontext=u:object_r:app_data_file:s0:c110,c256,c512,c768 tclass=file permissive=0

* Link to captured Android bug report (shared privately in Drive.)

https://drive.google.com/file/d/1njyfPuwloEGmwCbwnTjsx2hbFMvPG3fU/view?usp=sharing

Previous APIs seem to have this explicitly enabled, but it's missing for API29?

https://android.googlesource.com/platform/system/sepolicy/+/master/private/untrusted_app_27.te

Being allowed to execute your own binaries, e.g. a toybox is necessary for a lot of apps.

Comments

am...@google.com <am...@google.com> #2Mar 15, 2019 07:55AM

Assigned to am...@google.com.

You need to temporarily add following to your build.gradle:

tasks.withType(KotlinCompile).configureEach {
    kotlinOptions {
        freeCompilerArgs += [
                "-Xjvm-default=all",
        ]
    }
}

Note that in certain circumstances you may want to use all-compatibility instead of all, learn more about that in Jebrain's blogpost.

Starting with kotlin 1.6.20 you won't need touch build.gradle for more information see KT-47000

am...@google.com <am...@google.com> #3Mar 15, 2019 08:00AM

Which of the build.gradle files am I to add the code above as there are 2 build.gradle files

am...@google.com <am...@google.com> #4Mar 18, 2019 12:11PM

Status: Won't Fix (Intended Behavior)

en el Module.

ta...@gmail.com <ta...@gmail.com> #5Mar 23, 2019 01:36PM

I have tried adding the code in various places in my Module level build.gradle but keep receiving the error

Caused by: groovy.lang.MissingPropertyException: Could not get unknown property 'KotlinCompile' for extension 'android' of type com.android.build.gradle.internal.dsl.BaseAppModuleExtension.
	at org.gradle.internal.metaobject.AbstractDynamicObject.getMissingProperty(AbstractDynamicObject.java:85)
	at org.gradle.internal.metaobject.ConfigureDelegate.getProperty(ConfigureDelegate.java:130)

Can you please provide a more detailed example of how to use the temporary code within a Module level build.gradle file?

za...@gmail.com <za...@gmail.com> #6Apr 2, 2019 02:13PM

This is what worked for me. Try adding the code to app level build.gradle file:

android {
   ...
   kotlinOptions {
       ...
       freeCompilerArgs += [
                "-Xjvm-default=all",
        ]
   }
}

al...@gmail.com <al...@gmail.com> #7Apr 4, 2019 12:50AM

deleted

al...@gmail.com <al...@gmail.com> #8Apr 4, 2019 01:27AM

deleted