Cannot read system files even after obtaining platform signature

Question

I've build a custom android ROM. I've signed my application with platform signature and have added android:sharedUserId="android.uid.system" in the manifest file. My app is granted all "signature" and "system" level permission but access to system files are not granted.

    Log.w("PC", String.valueOf(checkCallingOrSelfPermission("android.permission.ACCESS_SURFACE_FLINGER")== PackageManager.PERMISSION_GRANTED)); // true
    Log.w("PC", String.valueOf(checkCallingOrSelfPermission("android.permission.READ_FRAME_BUFFER")== PackageManager.PERMISSION_GRANTED));      // true
    Log.w("PC", String.valueOf(checkCallingOrSelfPermission("android.permission.INJECT_EVENTS")== PackageManager.PERMISSION_GRANTED));          // true

    Log.w("PC", String.valueOf(new File("/dev/graphics/fb0").canRead()));                      // false
    Log.w("PC", String.valueOf(new File("/data/misc/wifi/wpa_supplicant.conf").canRead()));   // false

permissions of the files are:

ls -l /dev/graphics/fb0
crw-rw---- root     graphics  29,   0 2014-02-12 09:43 fb0

ls -l /data/misc/wifi/wpa_supplicant.conf
-rwxrwx--- wifi     wifi          282 2014-02-11 19:04 wpa_supplicant.conf

Is there any way to get the access to these files?

Answer 1

I've found the solution to this. Along with the platform signature and android:sharedUserId="android.uid.system" you also need to add android:process="system" in the <application /> section of the manifest file.

Answer 2

Android apps are each run with a unique Linux UID/GID. Obviously you are not the owner nor in the group for those files. The easiest thing to do would be to change the file permissions to world readable. Not sure what the security implications are for those files in that scenario. You should be able to do it via su in adb shell. The permanent way is to change the file permissions when doing a build. If your app is something that you are including with your custom rom, you may be able to set the GID. Take a look at system/core/include/ private/android_filesystem_config.h for default UID/GID permissions.

Answer 3

Your system user is not does not have graphics/wifi group rights. System user is not a superuser, there are limitations.

I don't know what platform you are building, but in my platform I don't have the possibility to ask for wifi and graphics permissions by default. You need to create permissions.

In your android_filesystem_config.h you can see that AID_GRAPHICS and AID_WIFI are already defined, which means that half the work is already done (if you would like to create completely new permissions, you would have to add them to this file). The AID definition is also mapped to a "variable" in a struct in the same file. Here is a snippet of my code:

static const struct android_id_info android_ids[] = {
{ "root",          AID_ROOT, },

{ "system",        AID_SYSTEM, },

{ "radio",         AID_RADIO, },
{ "bluetooth",     AID_BLUETOOTH, },
{ "graphics",      AID_GRAPHICS, },

The second step is to add them to platform.xml. Could be platform dependent, but I can find my platform.xml in /frameworks/base/data/etc. Here is an example of what a permission definition would look like

<permission name="android.permission.GRAPHICS" >
    <group gid="graphics" />
</permission>

The android.permission.GRAPHICS is just an example, you can call it whatever you want. Inside of the permission resource, you define the gid that you want to give to whoever calls this permission. The gid that you use here needs to be identical to the one that is defined in the android_filesystem_config.h file.

Now that you have created a permission, you can call it in your applications AndroidManifest.xml

<uses-permission android:name="android.permission.GRAPHICS" />

You should now have graphics group permissions and be able to read /dev/graphics/fb0