16

If I call socket() function in JNI C methods, the application will still fail with a permission error. And if I put a uses-permission line in AndroidManifest.xml, the problem is fixed.

So it seems the Android permission check is not implemented in the Dalvik virtual machine, since I'm calling a native C function and it still gets checked. I would like to know how or where the check is performed: in the Android kernel, or is the application traced with something like ptrace to intercept every system call, or some other way? Many thanks.

ZelluX
  • Technically, this is only true of internet domain sockets. Unix domain sockets, which use the same socket() call with a different constant, do not have group ID enforcement via the android "paranoid networking" kernel modification. – Chris Stratton Jan 22 '13 at 23:00

2 Answers

19

The checks are performed by the Linux kernel, using group membership to determine access rights.

If you look in the zygote fork code in the VM you can see it using setgroups() to set the supplementary group IDs. If you chase it around a bit in the app framework code you can see where it determines the permissions and passes them down to forkAndSpecialize().

fadden
  • The link in the answer is broken. I think this is the equivalent file: https://github.com/android/platform_dalvik/blob/master/vm/native/dalvik_system_Zygote.cpp – CommonsWare Jan 22 '13 at 21:55
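The mechanism fadden describes (the kernel deciding socket() access from the supplementary groups zygote installs with setgroups()) and Chris Stratton's caveat in the question's comments (only internet-domain sockets are gated; AF_UNIX is not) can be observed directly from native code. The program below is an added example for this page, not code from either answerer or from the Android project. It assumes the Android inet group id is 3003 (AID_INET in Android's android_filesystem_config.h, a value not stated on this page) and makes no Android-specific calls, so it also compiles and runs on ordinary Linux, where no such group rule exists and both probes simply succeed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Group that Android's "paranoid networking" kernel patch requires for
 * AF_INET/AF_INET6 socket(). 3003 is AID_INET from Android's
 * android_filesystem_config.h (assumed here, not taken from the page).
 * On a desktop Linux box no such rule exists; the number is then just a
 * gid we look for in the group list. */
#define AID_INET 3003

/* Return 1 if gid is in the calling process's supplementary group list
 * (the list zygote installs with setgroups() before the app runs),
 * 0 if it is absent or the list could not be read. */
int in_supplementary_group(gid_t gid)
{
    int n = getgroups(0, NULL);           /* query list length only */
    if (n <= 0)
        return 0;
    gid_t *list = malloc((size_t)n * sizeof *list);
    if (list == NULL)
        return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            found = 1;
    free(list);
    return found;
}

/* Call socket(domain, type, 0) and return 0 on success or the errno on
 * failure. The descriptor is closed at once; nothing is bound, connected
 * or sent, so only the kernel's socket() entry check is exercised. */
int probe_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map a probe result to a short verdict. EACCES is what the paranoid
 * networking check returns when the caller is not in the inet group. */
const char *describe(int rc)
{
    if (rc == 0)
        return "allowed";
    if (rc == EACCES)
        return "denied (EACCES): caller is not in the inet group";
    return strerror(rc);
}

int main(void)
{
    printf("uid=%u gid=%u, in AID_INET (%d): %s\n",
           (unsigned)getuid(), (unsigned)getgid(), AID_INET,
           in_supplementary_group(AID_INET) ? "yes" : "no");
    printf("socket(AF_UNIX, SOCK_STREAM): %s\n",
           describe(probe_socket(AF_UNIX, SOCK_STREAM)));
    printf("socket(AF_INET, SOCK_STREAM): %s\n",
           describe(probe_socket(AF_INET, SOCK_STREAM)));
    return 0;
}
```

Built into an app's JNI library and called once with and once without android.permission.INTERNET in the manifest, the AF_UNIX probe reports "allowed" both times while the AF_INET probe flips between "allowed" and the EACCES verdict, and the group listing shows the inet gid appearing and disappearing with the permission. That is the whole check: no Dalvik involvement, no ptrace, just the kernel consulting the process's group list on the AF_INET path and nowhere else.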
5

Native code runs in the same sandbox that SDK apps use and is therefore subject to the same security model as SDK apps.

See Download the Android NDK:

If you write native code, your applications are still packaged into an .apk file and they still run inside of a virtual machine on the device. The fundamental Android application model does not change.

RivieraKid
  • The comment refers to the application model, not the security model. The native code is not virtualized. – fadden Mar 01 '11 at 20:25
  • While native apps are not run directly on the Dalvik virtual machine, they still run within the security sandbox inherited from the Dalvik virtual machine that starts them - otherwise, you'd be able to slip any malicious code onto somebody's device and so long as the SDK app was able to run, it could spawn your malicious native payload. The crucial point is that the security model still applies - as demonstrated by @ZelluX when it was necessary to add the relevant uses-permission to the manifest. – RivieraKid Mar 01 '11 at 22:05
  • Strictly speaking, that's true, but the "sandbox" is the Linux kernel, and it applies equally to all user-space processes running on the device. Your answer implies that the security mechanism is a per-process sandbox used for SDK apps, which is not the case. – fadden Mar 02 '11 at 20:36