avc: denied {execute} in files directory

[jikerseven]

Chaquopy version
10.0.1

Hi ! I got an error while starting the app (Python.start)

type=1400 audit(0.0:189): avc: denied { execute } for path="/data/data/com.example.app/files/chaquopy/bootstrap-native/armeabi-v7a/zlib.so" tclass=file permissive=0

This makes my app crashes(on Python.start) but only when signed with my company certificate, which contains 3 extensions(BasicConstraints, AuthorityKeyIdentifier, SubjectKeyIdentifier)
When I generate my own Key with only the SubjectKeyIdentifier, I don't have the issue.

Do you got any idea why I get the crash with the first one?

Thanks !

[mhsmith]

Which devices and Android versions does the problem happen on? And do you have any other devices where the problem does not occur?

[jikerseven]

Android 8.1
And no I haven't test it on other versions.

[mhsmith]

If your company certificate gives the app special privileges on the device, then this problem is probably caused by the SELinux policy blocking privileged apps from loading native code from app data directories. See here for discussion.

The easiest way to work around this would be to sign the app with an unprivileged certificate, as you've discovered.

Alternatively, if you have root access to the device, you could try changing the device's SELinux policy. I don't know exactly how to do this, and I can't advise you on what the security implications would be. But the relevant section which applies to unprivileged apps is here. You would have to copy that and make it apply to privileged apps as well.

[mhsmith]

I'll leave this issue open, because some people have speculated that this restriction may be extended to all apps in the future. If that happens, we'll have to move all of Chaquopy's native Python modules to the APK's libs directory, as discussed in #1198.