Android 11: avc: denied { read } for name="sdcard" - android-permissions

After upgrading to Android 11, access to my app’s files under /sdcard/Android/data/<packageId>/files is no longer possible. I get the following error:
type=1400 audit(0.0:672): avc: denied { read } for name="sdcard" dev="tmpfs" ino=6474 scontext=u:r:untrusted_app_29:s0:c244,c256,c512,c768 tcontext=u:object_r:mnt_sdcard_file:s0 tclass=lnk_file permissive=0 app=com.example.myapp
This behavior presists even after I request MANAGE_EXTERNAL_STORAGE in the manifest and grant it to the app.
I understand that, even with maximum storage permissions, Android 11 restricts access to certain paths, including /sdcard/Android/data. However, the directory I am trying to access is the app’s own data dir.
How do I get access to this path while using File and the like, rather than SAF?

Closer examination of the issue revealed that the app tried to access its own data dir through /mnt/sdcard/Android/data/<packageId>/files. While (on my device) /mnt/sdcard and /sdcard are both symlinks pointing to the same target, apparently they are not created equal.
Removing the path setting, causing the app to fall back to the data dir as reported by the API, fixed things for me.
I ran some more tests and found the following:
path as reported by the API: works
/sdcard/Android/data/<packageId>/files: works
/mnt/sdcard/Android/data/<packageId>/files: does not work
/storage/emulated/0/Android/data/<packageId>/files (replacing /sdcard with its symlink target): works
It is also worth noting that the docs mention /sdcard specifically.
Conclusion: App access to their external private storage area depends on the path used. Different ways of addressing the same path may yield different results.

I tried disabling hermes in build.gradle and it worked just fine.

Related

Azure batch Application package not getting copied to Working Directory of Task

I have created Azure Batch pool with Linux Machine and specified Application Package for the Pool.
My command line is
command='python $AZ_BATCH_APP_PACKAGE_scriptv1_1/tasks/XXX/get_XXXXX_data.py',
python3: can't open file '$AZ_BATCH_APP_PACKAGE_scriptv1_1/tasks/XXX/get_XXXXX_data.py':
[Errno 2] No such file or directory
when i connect to node and look at working directory non of the Application Package files are present there.
How do i make sure that files from Application Package are available in working directory or I can invoke/execute files under Application Package from command line ?
Make sure that your async operation have proper await in place before you start using the package in your code.
Also please share your design \ pseudo-code scenario and how you are approaching it as a design?
Further to add:
Seems like this one is pool level package.
The error seems like that the application env variable is either incorrectly used or there is some other user level issue. Please checkout linmk below and specially the section where use of env variable is mentioned.
This seems like user level issue because In case of downloading the package resource, if there will be an error it will be visible to you via exception handler or at the tool level is you are using batch explorer \ Batch-labs or code level exception handling.
https://learn.microsoft.com/en-us/azure/batch/batch-application-packages
Reason \ Rationale:
If the pool level or the task application has error, an error-list will come back if there was an error in the application package then it will be returned as the UserError or and AppPackageError which will be visible in the exception handle of the code.
Key you can always RDP into your node and checkout the package availability: information here: https://learn.microsoft.com/en-us/azure/batch/batch-api-basics#connecting-to-compute-nodes
I once created a small sample to help peeps around so this resource might help you to checkeout the use here.
Hope rest helps.
On Linux, the application package with version string is formatted as:
AZ_BATCH_APP_PACKAGE_{0}_{1}
On Windows it is formatted as:
AZ_BATCH_APP_PACKAGE_APPLICATIONID#version
Where 0 is the application name and 1 is the version.
$AZ_BATCH_APP_PACKAGE_scriptv1_1 will take you to the root folder where the application was unzipped.
Does this "exact" path exist in that location?
tasks/XXX/get_XXXXX_data.py
You can see more information here:
https://learn.microsoft.com/en-us/azure/batch/batch-application-packages
Edit: Just saw this question: "or can I invoke/execute files under Application Package from command line"
Yes you can invoke and execute files from the application package directory with the environment variable above.
If you type env on the node you will see the environment variables that have been set.

gsutil acl set command AccessDeniedException: 403 Forbidden

I am following the steps of setting up Django on Google App Engine, and since Gunicorn does not serve static files, I have to store my static files to Google Cloud Storage.
I am at the line with "Create a Cloud Storage bucket and make it publically readable." on https://cloud.google.com/python/django/flexible-environment#run_the_app_on_your_local_computer. I ran the following commands as suggested:
$ gsutil mb gs://your-gcs-bucket
$ gsutil defacl set public-read gs://your-gcs-bucket
The first command is supposed to create a new storage bucket, and the second line sets its default ACL. When I type in the command, the second line returns an error.
Setting default object ACL on gs://your-gcs-bucket/...
AccessDeniedException: 403 Forbidden
I also tried other commands setting or getting acl, but all returns the same error, with no additional information.
I am a newbie with google cloud services, could anyone point out what is the problem?
I figured it out myself, and it is kind of silly. I didn't notice if the first command is successful or not. And apparently it did not.
For a newbie like me, it is important to note that things like bucket name and project name are global across its space. And what happened was that the name I used to create a new bucket is already used by other people. And no wonder that I do not have permission to access that bucket.
A better way to work with this is to name the bucket name wisely, like prefixing project name and application name.

Munin custom plugin Permission Denied

My tomcat application writes some value in a file under /usr/share/tomcat6/webapps/myApp/munin/. Permissions on this file are default (tomcat:tomcat ownership) 644. I wrote a very simple munin plugin to read those value, and it stands in /usr/share/munin/plugins/. Permissions there are (root:root) 755, like the other plugins. I also made a symlink in /etc/munin/plugins/.
If I use munin-run myApp_lookuptime, I get proper output for values, config and --debug.
However, if I telnet, it gives me "Bad exit".
munin-node.log says:
2013/05/03-14:35:08 [30657] Error output from myApp_lookuptime:
2013/05/03-14:35:08 [30657] /etc/munin/plugins/myApp_lookuptime: line 15: /usr/share/tomcat6/webapps/myApp/munin/myApp.LookupTime.log: Permission denied
2013/05/03-14:35:08 [30657] Service 'myApp_lookuptime' exited with status 1/0.
In /etc/munin/plugin-conf.d/munin-node, I wrote:
[myApp*]
user root
group root
But it still fails. From any dummy account on this server, I'm able to read that log, but still munin fails with "Permission Denied" error. What am I doing wrong?
Well, it was simple really. SELinux was blocking my plugins. So, either turn it off if your server is not public or learn to make rules if the server is public.
Here is a guide for CentOS: http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
After that, I rebooted, and my plugins worked like a charm.
Thank you, me.
Setting env.PATH variable for your plugin in /etc/munin/plugin-conf.d/munin-node so it can find all executables did the trick for me.
See
http://munin-monitoring.org/wiki/faq#Q:Whydoesapluginworkwithmunin-runbutnotinmunin-node

Enterprise Library for Logging to Flat File Trace Listener

What kind of permission needs to be given to the Error.log file in the server (running IIS 7.5) so that errors are written to the Error.log file?
I have created a directory named ErrorLog and set up the listener in web.config like below.
The windows identity in play (depends on how you authenticate)
var principal = ClaimsPrincipal.Current; //normally this reverts to Thread.CurrentPrincipal, but can be changed
return principal.Identity.Name;
or
var windowsIdentity = WindowsIdentity.GetCurrent();
if (windowsIdentity != null)
{
return windowsIdentity.Name;
}
The Executing windows identity Will need create permission in directory and write permission to the file specified in your EL config.
You can place file anywhere you like using config. Default for file without path is Start project directory containing assembly dll.
See In IIS the Application Pool used by the website. The pool determines the windows Identity. See the advanced settings tab for the Pool. The identity approach to be used is defined here.
I don't see your configuration example, but..
I find that it is best not to use Flat File outside of development. The Event Log or Database listeners are more suitable for a web application in production.
If you must use Flat File, you will need to give the account (for the application pool that is assigned to the web application) write access to the directory that the file should be created in. By default I think that is the web application's bin directory, unless you include a path in the file name in your configuration.
It probably depends on what context your app in operating in. The app pool thread is responsible for writing the log so give the read/write folder permissions for the same identity as your app pool. I think this is NETWORKSERVICE by default.

Shared hosting error on my Zend based Application

I have just sucessfully tested my Zend based application on the localhost.When I deployed it on a shared hosting site I got the error below.It happens whenever I try navigate to protected pages of my application.
Warning: include(/home/davidkag/public_html/prototype/application/models/DbTable//Users.php) [function.include]: failed to open stream: No such file or directory in /home/davidkag/public_html/prototype/library/Zend/Loader/Autoloader/Resource.php on line 176
I have a feeling that the double slashes
models/DbTable//Users.php)
are causing this problem.
The error is caused at this particular line in my code:
Fatal error: Class 'Model_DbTable_Users' not found in /home/davidkag/public_html/prototype/application/controllers/AuthController.php on line 24
How do I trouble shoot this problem.Keep in mind that on my localhost machine its working fine.
I would start by creating a new test script, with one line, and see what you get:
include '/home/davidkag/public_html/prototype/application/models/DbTable//Users.php';
Then, remove the double slashes:
include '/home/davidkag/public_html/prototype/application/models/DbTable/Users.php';
If it's still giving you that warning, then either your path is wrong or your file permissions need to be eased.
P.S. You said 'protected pages' -- are those perhaps not in public_html?
I finally found my problem.It was a case issue.Talk of developing on windows and deploying on linux