see the adb boot debug guide
See the selinux guide
see the adb boot debug guide
See the selinux guide
SELinux is a security enhancement to Linux which allows users and administrators more control over access control.
Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.
SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC).
frameworks/base/services/core/java/com/android/server/wm/AppWarnings.java | |
/** | |
* Shows the "deprecated abi" warning, if necessary. | |
* | |
* @param r activity record for which the warning may be displayed | |
*/ | |
public void showDeprecatedAbiDialogIfNeeded(ActivityRecord r) { | |
final String appAbi = r.info.applicationInfo.primaryCpuAbi; |
Here are 3 ways to allow debugging on boot by connecting to adb. This is often called "insecure adb" - while it is not as "insecure" as you might think 😉
Since A7 you have to authorize your adb server which either requires to add your adb pub key into the ramdisk (directly on /
) or you must put it in /data/misc/adb/adb_keys
, e.g when in recovery. Details here. This method will not work on FDE encrypted devices though. for this you need to mod the boot.img (see "Option A: Modding an existing boot.img").
important is that it has to have proper label and permission set. e.g when in recovery:
################################################## | |
# tracing process(es) | |
# (scroll down for tracing a service) | |
################################################## | |
-------------------------------------------------- | |
the following is assumed for all commands before: | |
-------------------------------------------------- | |
adb shell |
If it is required to debug a service from its very start, the sigstop service option is added. | |
This option will send SIGSTOP to a service immediately before calling exec. | |
This gives a window where developers can attach a debugger, strace, etc before continuing the service with SIGCONT. | |
This flag can also be dynamically controlled via the ctl.sigstop_on and ctl.sigstop_off properties. | |
Below is an example of dynamically debugging logd via the above: | |
# prepare service, yes even start it! | |
stop <service-name> | |
setprop ctl.sigstop_on <service-name> | |
start <service-name> |
# Instructions: | |
# 1. Go to https://[yourdomain].slack.com/services/new | |
# 2. Configure a new Incoming WebHook and paste the URL below on Line 14 | |
# 3. Copy this file into $SPLUNK_HOME$/bin/scripts | |
# 4. Configure your saved search to run slack_alert.py | |
from time import gmtime, strftime | |
import httplib, json | |
import getopt, sys, os | |
import subprocess |
rem Autorun script needed to run on every boot with admin perms! | |
rem Important: you need to use hideVBoxVM.py <name> on your VM as well, this cmd alone is not enough | |
@echo off | |
set TARGET="HPE" | |
@reg copy HKLM\HARDWARE\ACPI\DSDT\VBOX__ HKLM\HARDWARE\ACPI\DSDT\%TARGET%__ /s /f | |
@reg delete HKLM\HARDWARE\ACPI\DSDT\VBOX__ /f |
adb logcat -b kernel |grep avc: | |
> 05-12 20:10:27.665 0 0 E [ 16.154118 / 05-12 18:10:27.658][1] selinux: avc: denied { set } for | |
property=ro.bluetooth.sap pid=3540 uid=0 gid=0 scontext=u:r:qti_init_shell:s0 tcontext=u:object_r:default_prop:s0 | |
tclass=property_service permissive=1 | |
-------------------------- | |
adb shell getenforce |
adb shell find system -name nfc_nci.msm8992.so | |
------------------------------------------------------------------- | |
> system/vendor/lib64/hw/nfc_nci.msm8992.so | |
> system/vendor/lib/hw/nfc_nci.msm8992.so | |
product/nfc.mk | |
------------------------------------------------------------------- | |
PRODUCT_PACKAGES += \ |