Android Read file denied by SELinux

Question

I recently tried to read a file /system/bin/debuggerd in Android.I can install app or use adb commands but this error:

Unfortunately I was denied by SELinux

 [105336.331813] type=1400 audit(8732769.717:226): avc: denied { read } for pid=17773 comm="ServiceHandlerB" name="debuggerd" dev="dm-0" ino=279 scontext
 =u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:debuggerd_exec:s0 tclass=file permissive=0

I can't root this device by rule,so is it possible to read this file? this troubles me for a whole day,thx for help.

Answer 1

If you can't 'root' the device, than no.

The details are as follows. debuggerd_exec file is declared as:

type debuggerd_exec, exec_type, file_type;

This means that a processes attempting to read the file would need read permission on either the type debuggerd_exec or on the attributes exec_type or file_type.

Using the current tip of AOSP master at the time of this reply and the lunch target aosp_x86_64-eng, we can see what "source domains" can actually read this file with the following sesearch command:

$ sesearch -A -t debuggerd_exec -c file -p read $OUT/root/sepolicy 
allow debuggerd debuggerd_exec:file { read open getattr entrypoint execute };
allow debuggerd exec_type:file { read lock ioctl open getattr };
allow init debuggerd_exec:file { read getattr open execute };
allow perfprofd exec_type:file { read lock ioctl open getattr };

If you notice the source domains (the first thing after the allow), none of them are shell or untrusted_app. On non-rooted user builds, without an exploit, one can only run code in the untrusted_app or shell domains (that isn't exactly true, but the details are not really important).

Additionally, even if untrusted_app did have access, you need to be aware that MLS can sometimes prevent access even when sesearch shows that you have access. SE Linux on Android is using both Type Enforcement (allow rules) and MLS (mls_constrain rules) to provide isolation and sandbox reinforcement.