Is Android M not allowing hard links? - security

I have an Android app with some C code that uses the link(2) system call to create a hard link to an existing file. When I execute the app on Android 5.0.2, this part of the app works. When I execute the exact same app on an Android-M device the link() system call returns -1 "permission denied".
I notice in my log getting messages like this:
09-02 17:10:34.222 5291 5291 W ona.crackerjack: type=1400 audit(0.0:59): avc: denied { link } for name="fixed28" dev="mmcblk0p28" ino=82829 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=lnk_file permissive=0
This message appears near my app's log message that link() returned -1 "permission denied", sometimes earlier, sometimes later.
Is creating a hard link considered unsecure? I notice the "scontext=u:r:untrusted_app". Is there a way to make the app trusted and if so, would that let the link() system call work?

Apparently there are new SELinux rules, which forbid making hard links (or maybe accessing the folder or file).
Normal users cannot alter SELinux rules and even with root permissions this is not straightforward.
More on SELinux: https://source.android.com/devices/tech/security/selinux/

It looks like this is "by design".
At https://code.google.com/p/android-developer-preview/issues/detail?id=3150 , a member of the project explains that:
Hard linking files is blocked and an attempt to call link() on a file will return
EACCES.
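Since the quoted reply says link() on Android M fails with EACCES by design, app code that relied on hard links needs a fallback. The following C code is an added example (not code from the question or from the Android project); the function names link_or_copy and copy_file are hypothetical. It tries link() first and copies the file when the link is refused.

```c
/* Added example: hard link with a copy fallback for SELinux-restricted apps. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Copy src to dst byte for byte; dst must not already exist. 0 on success. */
int copy_file(const char *src, const char *dst) {
    char buf[8192];
    ssize_t n = 0;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {           /* handle short writes */
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { if (errno == EINTR) continue; n = -1; break; }
            off += w;
        }
        if (n < 0) break;
    }
    close(in);
    if (close(out) < 0) n = -1;
    if (n < 0) { unlink(dst); return -1; }           /* no partial copies */
    return 0;
}

/* Returns 0 if hard-linked, 1 if copied instead, -1 on error (errno set). */
int link_or_copy(const char *src, const char *dst) {
    if (link(src, dst) == 0) return 0;
    /* EACCES: what the page reports on Android M (SELinux denies { link }).
       EPERM/EXDEV: other cases where a link is refused but a copy can work. */
    if (errno != EACCES && errno != EPERM && errno != EXDEV) return -1;
    return copy_file(src, dst) == 0 ? 1 : -1;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s SRC DST\n", argv[0]); return 2; }
    int r = link_or_copy(argv[1], argv[2]);
    if (r < 0) { perror("link_or_copy"); return 1; }
    puts(r == 0 ? "hard link created" : "link refused, copied instead");
    return 0;
}
```

A copy is not a hard link: it has its own inode and does not track later changes to the source, so callers that depended on shared-inode behaviour need to account for that.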

Related

.Net Maui - LocationWhenInUse permissions using Windows simulator

I am making use of the following code:
status = await Permissions.RequestAsync<Permissions.LocationWhenInUse>();
... before trying to make a call to:
Geolocation.Default.GetLocationAsync()
... when run using the Windows simulator the following exception was raised:
An exception of type 'Microsoft.Maui.ApplicationModel.PermissionException' occurred in System.Private.CoreLib.dll but was not handled in user code
You need to declare the capability `location` in your AppxManifest.xml file
... ok, so I add the following to the file: Platforms\Windows\Package.appxmanifest
<Capabilities>
...
<DeviceCapability Name="location"/>
</Capabilities>
... run again using the Windows simulator and status always returns with a value of PermissionStatus.Denied.
The documentation regarding permissions on Windows states:
Permissions must have matching capabilities declared in the package
manifest. Permission status defaults to Unknown in most instances.
Question:
How (and where) does one change the "Permission status defaults"?
Thanks in advance.
When using the Windows simulator, you need to change the App Permissions / Location settings on your development machine, as follows:
In the Windows taskbar use the Search option and enter "Location".
Select "Location privacy settings" (system settings). Make the following changes:
You can also enable or disable Location permissions for your app as shown below:
When the above settings are changed to an "on" state, calls to Geolocation.Default.GetLocationAsync() will complete successfully.
Hope that helps anyone else as green as me!
Update: 21-Sep-2022 - another Gotcha!:
The above will allow Geolocation.Default.GetLocationAsync() to complete successfully when using the Windows Simulator ONLY if the request is made on the MainThread (it works on the Android simulator without having to be on the MainThread).
See my other post regarding this issue for further details.

no such repository on migrating to a new cvs server

I am moving from cvsserv1 to cvsserv2. I am running cvs1.11 on current server on RHEL. I am moving to cvsserv2 which is running ubuntu 12. This is my procedure to port cvs:
1. zip entire repository on cvsserv1
2. move zip to cvsserv2
3. extract zip to /home/users on cvsserv2.
4. setup cvs service on cvsserv2 in pserver mode.
5. initialize repository on /home/users/cvsroot by using "cvs -d /home/users/cvsroot init"
6. connect to cvsserv2 from eclipse using anonymous access to do a test checkout.
I am failing on step 6 with the error message "no such repository". What am I doing wrong?
UPDATE
I tried to change the above method, by adopting this http://mazanatti.info/archives/67/ and I was partially successful.
At step 3 (as in that link), after initializing repo on cvsserv2, I copied my repository to /var/lib/cvsd/project1, overwriting CVSROOT folder. Now, after finishing all steps, I was able to connect successfully. However, when I try to check out, I don't see any branches. When I tried to Refresh Tags, I receive the following error:
What is going wrong?
Ok. I figured this one out. For those who might encounter this issue again, here's how I managed to identify and fix it:
Eclipse's cvs client sucks - it doesn't give you much information. (I could be wrong, maybe it writes some debug info to the eclipse log file - still, I think that error message should have been more descriptive). Anyway, I obtained TortoiseCVS and attempted a checkout and it failed with an error message along the lines of "failed to obtain dir lock in repository `/home/cvsroot/foo'". This is not the exact message, but it was something like that.
So, all I had to do, was go into my cvs dump from cvsserv1, look for references to that directory (which is a valid path on cvsserv1 but not cvsserv2). I found a reference to it in config file under CVSROOT folder. It was assigned to a property called LockDir. This property was referring to a /home/cvsroot/foo on the older server as a lock directory. All I had to do was comment out this property and restart cvsd. Everything started working just fine after this!

Cannot query Active Directory using ServerBind on non-domain computer in Windows PE

I have a need to write a .NET application which will query Active Directory while running in Windows PE on a computer which is not yet a member of the domain.
We are running this during a Microsoft Deployment Toolkit task sequence (note that MDT 2012 has been configured to load support for .NET into the WinPE environment - the .NET application is starting without any problems).
I am using the code below to bind to the domain:
DirectoryEntry entry = new DirectoryEntry(
path,
username,
password,
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);
I have tried a path both of the form:
LDAP://domainServer/dc=domain,dc=name
And also without a domain controller name as
LDAP://dc=domain,dc=name
I have also tried using a username both of the form domain\username and also just username.
The DirectoryEntry object seems to be constructed okay, but when I try to execute Console.WriteLine(entry.Name) to confirm a valid connection has been made, I get the following exception:
System.Runtime.InteropServices.COMException (0x80005000): Unknown
error (0x80005000) at
System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind() at
System.DirectoryServices.DirectoryEntry.get_Name()
I have tried other variations on this code, trying to execute LDAP queries with various filters, trying to rewrite it in VBScript, etc... but the code posted above is the simplest example I could come up with which reproduces the problem.
From what I have read, in a scenario like this you would always need to use AuthenticationTypes.ServerBind and that is why I am trying to specify the code within the ADSI LDAP path. But what is wrong with the code above? To me, it looks like it is passing all needed information in the parameters to the DirectoryEntry constructor.
There is a way to get it work, but it's not supported by Microsoft. This post helped me a lot. It works, tested and approved for a deployment of new computers :)
Get the ADSIxXX.inf from the zip file to C:\ADSI
Copy the following files from a Windows/System32 to C:\ADSI. Be careful of the architecture
x86 x64 -
adsldp.dll
adsmsext.dll
adsnt.dll
mscoree.dll
mscorier.dll
mscories.dll
Mount the bootimage.wim
No need to load Package (Your WinPE is already configured to load .NET API), just add the ADSI driver:
Dism /Image:C:\Mount /Add-Driver /Driver:C:\ADSI\ADSIxXX.inf /forceunsigned
No need to load his script
Unmount the bootimage.wim
Then it's done, if your .NET application is well implemented ;)
I'm not sure the PIPE | is supported as an argument too, just set to AuthenticationTypes.Secure -
DirectoryEntry entry = new DirectoryEntry(
path,
username,
password,
AuthenticationTypes.ServerBind | AuthenticationTypes.Secure);
Link: http://www.deploymentresearch.com/Research/tabid/62/EntryId/74/ADSI-plugin-for-WinPE-4-0.aspx#AddComment

class not registered vfp web service

I'm following the vfp web service walk-through. But when I test the result in the task pane I receive an error. It was:
Error: 1429 - OLE IDispatch exception code 0 from WSDLOperation: WSDLOperation:Instantiating the dispatch object for method xxxx failed HRESULT=0x80040154: Class not registered.
xxxx is my method.
I've registered the dll and set the authorisation in IIS.
Any suggestion?
Sounds like when the VFP module was compiled, the "OlePublic" class instance never was properly put into the Windows Registry. Sometimes VFP will NOT register if you are not at an administrative level to allow writing to the registry. If that is the case, make sure you start VFP as "Admin" user before compiling the app.
Also, are you building it as a single or multithreaded DLL instance? In addition, if you right-click / "Project Info" of your project, and click on the "Servers" tab, it should show all your OlePublic classes. What is the "Instancing" setting... single / multi?
Additionally, it could be a "permissions" thing. If the service you are trying to load it as (ie: ASP.NET user account or similar) and that user doesn't have permissions and/or access to the file, then it won't allow the object to be created.
To just TEST if the object is in the registry or not, you could always just start an instance of VFP, and from the command window, try to do a
objTesting = CREATEOBJECT( "YourClass.YourObject" )
if it works that way, then I would look more into the permissions avenue.
FOLLOW-UP
#wongchungyie, I'm not sure if that was the problem or not, but more likely permissions. One time, when changing development machines, I too had a problem trying to create an instance of my OlePublic COM server class. TO ENSURE what the problem was, I started a simple program in VFP that did nothing BUT
set procedure to YourClassThatHasOlePublic
set step on
o = createObject( "YourOlePublicClass" )
Then, as the "CreateObject" is going through all the initialization, you might find some "path" is not available, or permissions, or whatever... Find and fix that element and I was able to continue work for my client.
Hope this gives you something to work with.

Policy Exception SharePoint

I have a web part and the dll is deployed to the bin of the web application. I have created a custom cas policy and deployed it (wss_custom). Just for the sake of testing I have given Unrestricted access to whatever IPermission I knew (around 10). Most of the IPermissions I got are from the PermCalc.exe. Yet I get the following error generated by the web part:
System.Security.Policy.PolicyException
The problem is that I am not able to determine what permission is required to be given in the custom cas file.
Appreciate your suggestions.
Thanks
My general advice to find which CAS permissions you need is:
Give your dll SecurityPermission(ControlEvidence = true, ControlPolicy = true) (and of course also Execution = true and what else you might need)
Catch the Exception and output Exception.ToString() not only Exception.Message
Then you should get a precise listing of the first Permission that failed, add that and try again.
Try to enable logging of .net assembly loader and see what happens with "fuslogvw.exe" tool (see http://msdn.microsoft.com/en-us/library/e74a18c4(VS.80).aspx for more details)
