Permission denied on exec() from a binary running as root

Question

I have a C binary that I run using root user (su -c binary_path) in Android.

Everything works fine until the binary tries to exec*() another binary. It actually works on most devices, however on some I get EACCES error.

The C binary is actually started using this:

execlp("su","su","-c",binary_path,NULL);

At some point, the binary will try to make those calls (simplified):

fork();

...

// child here

execlp("sh","sh","-c",script,NULL);

Actually tested on different Android 6.0 devices, a Nexus 9 and a S7. Nexus 9 ok, S7 fails.

So I checked all permissions and security context of the following, found no difference:

/system/bin
/system/bin/sh
/system/bin/ls
<library_path>
/su/bin/su

Also checked the binary was running with UID/GID = 0, true on both devices.

In logcat, I don't see any audit for a missing permission or secure policy violation.

EDIT: Just verified the security context the binary is running under:

$ps -Z
u:r:init:s0          root ...

Same for both devices whether exec() works or not.

EDIT2: On the device it fails, /proc/kmsg contains this when trying to exec():

Restricted making process. PID = 8868(<binary>) PPID = 8340(<binary>)

No avc from selinux, and this text cannot be found in AOSP source code.

Answer 1

After searching for "Restricted making process" on Google, I stumbled across Samsung kernels for the S5 and S6 (not the S7).

if(CHECK_ROOT_UID(current))
    if(sec_restrict_fork())
    {
        PRINT_LOG("Restricted making process. PID = %d(%s) "
                        "PPID = %d(%s)\n",
            current->pid, current->comm,
            current->parent->pid, current->parent->comm);
        return -EACCES;
    }

And the sec_restrict_fork() contains this:

if (sec_check_execpath(current->mm, "/data/")) {
    ret = 1;
    goto out;
}

Hence the failure on Samsung devices and no others.