Reputation: 195
Android kernel run fanotify without rooting?
I would like to implement a fanotify (supported by kernel > 2.6.37 - shipped in Android 5+) interface for the Android x86 - at first for goldfish emulator. I like to use the tool fsmon to start the filesystem monitor (a C program with basic structure to use the fanotify syscalls fanotify_init(2) and fanotify_mark(2)). I extended the fsmon code by own access-permissions. This permissions should be able to edited later by an system app in Android. (For example: I can choose later, which file types are denied)
The problem is following:
"The other big drawback of fanotify is that it currently is root-only (CAP_SYS_ADMIN-only to be more specific). This means that only the root user can request to use the monitoring capabilities provided by fanotify [...]" [source]
A rooted phone is a must have? But is there not another way to run on/after kernel boot the fsmon binary without rooting the device?
My first thought was to execute a file/service after every boot by init.d. But to use it, you need a rooted phone. Then I found this: init.d scripts support:
"If your device is rooted the scripts can be executed using superuser permissions, but normal users can do also."
But I cant't understand how this can work (I didn't test it yet) Could this be a possible solution? For running it on other devices (without installing this app), I need to understand how the app bypass the problem. And init.d gets executed in the user-space, is it even possible to run the monitor there as root?
Next thought was to run a crontab, but same story - rooted phone.
Now I go one level deeper - linking/execute the binary (or the c code) in the kernel boot sequence.. I have to be honest - I'm not a professional kernel developer. I know, that I need the execve systemcall to run a file in kernel. But is my approach right? If this could be the right way, how can I communicate later with the system app? Do I need to create a small "database" from where both sides can access? Which way is the best to access the provided data from the system app? (kernel-userspace-communication: Procfs, Sysfs, Configfs, ...) Where is the right place to start the monitor? (sure - after setting up the filesystem)
Or is it absolutely not possible to use fanotify without rooting the phone?
I would be very happy if someone can give me some tips...
Upvotes: 0
Views: 1042
Answers (1)
Reputation: 2370
You are trying to use a feature that requires a permission (CAP_SYS_ADMIN or root) that is withheld from user and application processes by design. You either need a phone that provides this capability to designated applications or you need to root the phone. I do not know of any phones phones providing this capability, because it would enable an app to subvert the security of the system.
Upvotes: 1
Related Questions
- How do I program for Linux's new `fanotify` file system monitoring feature?
- Invoking the new NotifyOSD framework in C?
- Why the fanotify_fid Linux manpage example code fails (on open_by_handle_at())?
- fanotify - problem with new flags introduced in Kernel 5.1
- fanotify: is it possible to monitor whole filesystem and write few logs/config in monitored filesystem by same process?
- Linux - fanotify, but for exec()?
- How to find out whether CONFIG_FANOTIFY_ACCESS_PERMISSIONS is enabled?
- linux -c - notify the kernel from userspace as fast as possible and vice versa
- fanotify: monitor one specific folder - not the whole filesystem
- With root access, how do I access the OS-level notification system?