Discussion:
dlopen fails to open library from /data/data/<package> folder
Tomas Dirvanauskas
2018-09-25 13:53:17 UTC
Permalink
(posting from android-security-discussions, maybe this group is more
relevent)

Hey,

let me shortly explain what I am trying to achieve.

For development purposes, I want to perform quick iteration during my app
development. So instead of doing:

* Change some native code
* Compile library
* Package apk
* Install apk
* Run apk

I want to do:

* Change some native code
* Compile library
* Send .so file to the device
* Restart the app


After doing initial apk installation, I push only single .so file to the
device (/data/data/com.Tomas.MyApplication/cache/) and instruct the app to
check that location first, if it finds a library there it will try to load
that library instead of the one from /data/app folder.

I am loading the library like this -
dlopen("/data/data/com.Tomas.MyApplication/files/libmylibrary.so",
RTLD_NOW);

And it works fine on Android 6.0, but doesn't work on Android 8.0, dlopen
returns 0.

The error is:
09-25 10:11:04.395 23925 23925 W Main: type=1400 audit(0.0:49): avc: denied
{ open } for path="/data/data/com.Tomas.MyApplication/cache/libmylibrary.so"
dev="dm-0" ino=112773 scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0

I assume this is somehow related to this -
https://developer.android.com/about/versions/nougat/android-7.0-changes#ndk-errors

Is there any way to workaround this? Like I said this is strictly for
development purposes to speed up iteration time.

P.S I also tried putting libmylibrary.so file to
/storage/emulated/0/Android/data/com.Tomas.MyApplication/cache//libmylibrary
.so" , and tried using dlopen, but that fails both on Android 6.0 and
Android 8.0
--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/2fdd2136-0648-4faf-8a26-452f78127972%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Alex Cohn
2018-09-25 19:15:46 UTC
Permalink
I believe that your assumption is correct, and no, there is no easy
workaround. You can continue with your development technique if you use a
device with Android 6.0 or earlier, or a rooted device with Android 7.0 or
higher, or an emulator (which is rooted for you). On a rooted device you
can replace the shared library in the *trusted *location; on an older
device, location /data/data/app is "trusted".

BR,
Alex

On Tuesday, September 25, 2018 at 7:29:06 PM UTC+3, Tomas Dirvanauskas
Post by Tomas Dirvanauskas
(posting from android-security-discussions, maybe this group is more
relevent)
Hey,
let me shortly explain what I am trying to achieve.
For development purposes, I want to perform quick iteration during my app
* Change some native code
* Compile library
* Package apk
* Install apk
* Run apk
* Change some native code
* Compile library
* Send .so file to the device
* Restart the app
After doing initial apk installation, I push only single .so file to the
device (/data/data/com.Tomas.MyApplication/cache/) and instruct the app to
check that location first, if it finds a library there it will try to load
that library instead of the one from /data/app folder.
I am loading the library like this -
dlopen("/data/data/com.Tomas.MyApplication/files/libmylibrary.so",
RTLD_NOW);
And it works fine on Android 6.0, but doesn't work on Android 8.0, dlopen
returns 0.
denied { open } for path="/data/data/com.Tomas.MyApplication/cache/
libmylibrary.so" dev="dm-0" ino=112773
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
I assume this is somehow related to this -
https://developer.android.com/about/versions/nougat/android-7.0-changes#ndk-errors
Is there any way to workaround this? Like I said this is strictly for
development purposes to speed up iteration time.
P.S I also tried putting libmylibrary.so file to
/storage/emulated/0/Android/data/com.Tomas.MyApplication/cache//
libmylibrary.so" , and tried using dlopen, but that fails both on Android
6.0 and Android 8.0
--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/b6dc18be-2b16-477c-9c57-fb40d6858727%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Tomas Dirvanauskas
2018-09-26 13:18:33 UTC
Permalink
Got the answer here
- https://groups.google.com/forum/#!topic/android-security-discuss/M5H0MzC3edA
, apparently I had 'SELinux label of the file' incorrect on the so file,
that's why the application refused it to load it.

Cheers
Post by Alex Cohn
I believe that your assumption is correct, and no, there is no easy
workaround. You can continue with your development technique if you use a
device with Android 6.0 or earlier, or a rooted device with Android 7.0 or
higher, or an emulator (which is rooted for you). On a rooted device you
can replace the shared library in the *trusted *location; on an older
device, location /data/data/app is "trusted".
BR,
Alex
On Tuesday, September 25, 2018 at 7:29:06 PM UTC+3, Tomas Dirvanauskas
Post by Tomas Dirvanauskas
(posting from android-security-discussions, maybe this group is more
relevent)
Hey,
let me shortly explain what I am trying to achieve.
For development purposes, I want to perform quick iteration during my app
* Change some native code
* Compile library
* Package apk
* Install apk
* Run apk
* Change some native code
* Compile library
* Send .so file to the device
* Restart the app
After doing initial apk installation, I push only single .so file to the
device (/data/data/com.Tomas.MyApplication/cache/) and instruct the app to
check that location first, if it finds a library there it will try to load
that library instead of the one from /data/app folder.
I am loading the library like this -
dlopen("/data/data/com.Tomas.MyApplication/files/libmylibrary.so",
RTLD_NOW);
And it works fine on Android 6.0, but doesn't work on Android 8.0, dlopen
returns 0.
denied { open } for path="/data/data/com.Tomas.MyApplication/cache/
libmylibrary.so" dev="dm-0" ino=112773
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0
I assume this is somehow related to this -
https://developer.android.com/about/versions/nougat/android-7.0-changes#ndk-errors
Is there any way to workaround this? Like I said this is strictly for
development purposes to speed up iteration time.
P.S I also tried putting libmylibrary.so file to
/storage/emulated/0/Android/data/com.Tomas.MyApplication/cache//
libmylibrary.so" , and tried using dlopen, but that fails both on
Android 6.0 and Android 8.0
--
You received this message because you are subscribed to the Google Groups "android-ndk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-ndk+***@googlegroups.com.
To post to this group, send email to android-***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-ndk.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-ndk/093cf1e9-4023-4e94-b06b-6c653b824ae0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Loading...