SELinux blocks execution of native executable on Android

I am trying to run my own native executable. The code looks like this:

String[] command = {"/data/user/0/org.smowsoft.systeminformation.nativelib.test/files/smoproc"};
ProcessBuilder builder = new ProcessBuilder(command);
Process process = builder.start();

I am getting this error:

java.io.IOException: Cannot run program "/data/user/0/org.smowsoft.systeminformation.nativelib.test/files/smoproc": error=13, Permission denied
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1050)
    at org.smowsoft.systeminformation.ExampleInstrumentedTest.testRun(ExampleInstrumentedTest.java:113)
    ... 29 trimmed
Caused by: java.io.IOException: error=13, Permission denied
    at java.lang.UNIXProcess.forkAndExec(Native Method)
    at java.lang.UNIXProcess.<init>(UNIXProcess.java:133)
    at java.lang.ProcessImpl.start(ProcessImpl.java:141)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
    ... 31 more

I also tried to run the executable from native code like this:

char* lArgs[] = {0, 0};
lArgs[0] = new char[8];
strcpy(lArgs[0], "smoproc");
int result = execv("/data/user/0/org.smowsoft.systeminformation.nativelib.test/files/smoproc", lArgs);

But execv() returns -1 and errno is set to 13 (EACCES).

The mode of the executable is set to 0777.

When I run dmesg from the shell, I can see that SELinux blocks the execution:

[15194.067480] type=1400 audit(1649841626.956:417509): avc: granted { execute } for comm="roidJUnitRunner" name="smoproc" dev="dm-5" ino=131258 scontext=u:r:untrusted_app:s0:c134,c256,c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file app=org.smowsoft.systeminformation.nativelib.test
[15194.070245] type=1400 audit(1649841626.956:417510): avc: denied { execute_no_trans } for comm="roidJUnitRunner" path="/data/data/org.smowsoft.systeminformation.nativelib.test/files/smoproc" dev="dm-5" ino=131258 scontext=u:r:untrusted_app:s0:c134,c256,c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 app=org.smowsoft.systeminformation.nativelib.test

API level is 30. I tried it on multiple devices. Does this mean it is not possible to run native executables on API level 30 and higher?



Solution 1:[1]

TL;DR: in order of preference, you could try the following:

  • The best policy would probably be to put your executable in the standard location on your device;
  • Else, you can try telling SELinux to allow executing things from wherever your binary currently is;
  • If this fails, you can try running audit2why to get a suggestion from SELinux on how to allow your program to run;
  • If security is not a concern, maybe just set SELinux to permissive while you try running your program.

The long version:

SELinux adds a layer of security over your filesystem, so if you want your program to work with SELinux, at some point you will have to deal with it directly.

This article on Server Fault seems like it might be related to your problem. If your executable is not located in a "standard" place (where your system expects to find binaries), then SELinux is likely to prevent execution. The Server Fault source explains this can be fixed either with the following SELinux command (if I read your path to your application correctly):

chcon -R -t bin_t /data/local/tmp

or by putting your application wherever your other binaries are stored.

If the above command solves your problem, you can update the policy permanently by running (still adapted from Server Fault):

semanage fcontext -a -t bin_t "/data/local/tmp(/.*)?"
restorecon -r -v /data/local/tmp

If the above does not work, SELinux comes with an audit tool called audit2why that gives reasons for the denials. Running:

audit2why -a

will usually provide you with a solution to allow that specific thing that was denied. It is not always a good idea to try and implement those solutions, though.

Finally, if security is not a concern, you can always set SELinux to permissive on your device (even temporarily to get your program to run):

semanage permissive -a bin_t
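
An added example, not part of the original question or answer: a small Python parser for the two avc: records in the question's dmesg output. It shows that the first record is a grant of execute and that the only enforced denial is execute_no_trans, the permission checked when a file is executed without a domain transition. The function names are hypothetical; the sample lines are copied from the question.

```python
import re

# The two audit records from the question's dmesg output, copied verbatim.
SAMPLE = [
    '[15194.067480] type=1400 audit(1649841626.956:417509): avc: granted { execute } for comm="roidJUnitRunner" name="smoproc" dev="dm-5" ino=131258 scontext=u:r:untrusted_app:s0:c134,c256,c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file app=org.smowsoft.systeminformation.nativelib.test',
    '[15194.070245] type=1400 audit(1649841626.956:417510): avc: denied { execute_no_trans } for comm="roidJUnitRunner" path="/data/data/org.smowsoft.systeminformation.nativelib.test/files/smoproc" dev="dm-5" ino=131258 scontext=u:r:untrusted_app:s0:c134,c256,c512,c768 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0 app=org.smowsoft.systeminformation.nativelib.test',
]

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict, or return None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group(3))}
    rec['result'] = m.group(1)
    rec['perms'] = m.group(2).split()
    return rec

def ctx_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':', 3)[2]

def enforced_denials(lines):
    """List (source type, target type, class, permission, object) per blocked access."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue  # grants are logged too; they block nothing
        if rec.get('permissive') == '1':
            continue  # permissive records are logged but not enforced
        obj = rec.get('path') or rec.get('name')
        for perm in rec['perms']:
            found.append((ctx_type(rec['scontext']), ctx_type(rec['tcontext']),
                          rec['tclass'], perm, obj))
    return found

if __name__ == '__main__':
    for src, tgt, cls, perm, obj in enforced_denials(SAMPLE):
        print(f'{src} -> {tgt}:{cls} denied {perm} on {obj}')
```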

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Betebizarre