app_process can't create file in /system - SEED Android Device Rooting Lab

Issue

I've been doing the SEED Android Device Rooting Lab to understand a little bit more about Android rooting, and it has gone well so far.

But I've encountered a problem when trying to execute code as root via switching the app_process program for one coded by me that simply writes a dummy file to the /system directory and executes the real app_process64.

The problem that I'm encountering is that with this code, the dummy file is not being created. I have compiled this code with NDK:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

extern char** environ;

int main(int argc, char** argv) {
    //Write the dummy file
    FILE* f = fopen("/system/dummy2", "w");
    if (f == NULL) {
        printf("Permission Denied.\n");
        exit(EXIT_FAILURE);
    }
    fclose(f);
    //Launch the original binary
    char* cmd = "/system/bin/app_process_original";
    execve(cmd, argv, environ);
    //execve() returns only if it fails
    return EXIT_FAILURE;
}

I can't quite understand why it wouldn't work. I have the file structure as follows: Symlink with name app_process that points to this program, a symlink called app_process_original that points to the app_process64 which is the one that has to run.

The system boots as per usual, but the file does not show up. I think that app_process is not running as root. The lab uses Android 7.1. If I execute the program under root once Android has started, the file appears, so it seems to be a permissions issue, but the lab is about acquiring root permissions through this program, so I'm really confused.

Does anyone see what the problem is here? Is app_process not running as root?

Thank you in advance.

Solution

/system is usually mounted as read-only. Even if it were writeable, SELinux would probably not allow your process to write that file.

You should try to find out what actually prevents your process from creating that file:

• Check if /system is writable with adb shell mount.
• Check the error message by evaluating errno with strerror(errno).
• Check SELinux messages with adb logcat | grep avc.

Answered By - Simpl