Android 4.5: there may be much breakage for root apps

First things first
If you're a root app dev, I have updated the How-To SU guide with information regarding SELinux/SEAndoid, including some more details about this issue. libsuperuser example code has also been slightly updated. Link in the box below.

4.5 ?
Take that with a grain of salt. It may well end up being 4.4.3 or 5.0 or whatever. I just mean the next version of Android, and only if the current changes are not reverted (again!) before it's released.

The issue
A recent commit to the AOSP master tree prevents the unconfined domain (everything you run through su by default) from executing files located on the /data partition.

A lot of root apps (though by no means all of them) include binaries or scripts that they extract to their app-specific files or lib directory (located on the /data partition) and execute from there as root. This will no longer work out-of-the-box, and generate an access denied error.

Though there are certainly several ways around the issue for the affected apps, there doesn't seem to be a single generic solution that would work for all cases and can be implemented in the su command itself (though of course if you can come up with one, I'm all ears).

For now it appears that a fair share of root apps will need to be updated to work with Android '4.5'. As it has not actually been released, nothing is for sure yet, but work to bypass this issue in your favorite root app could start today. It may be prudent to inform your favorite root app authors of this potential problem.

Potential work-arounds (depending on what your app does) include extracting and running from memory or rootfs (mount namespace separation for the win), piping commands directly to su instead of writing to a .sh first (which was a bad practise anyway), forcing a context switch to a non-unconfined domain by way of su parameter or runcon, etc.

As the commits are readily available in AOSP master ( and ), if you have a recent Nexus device you can just compile AOSP, flash it to your device, and start playing with it. If SuperSU is your Superuser solution of choice, I would recommend updating it to v1.91 on the test device.

(Thanks to Justin Case and pulser for pointing out the commits to me)
Shared publiclyView activity