AdguardTeam / adguardcert

Magisk module that allows using AdGuard's HTTPS filtering for all apps
https://adguard.com/
MIT License

Adguard complaining cert needs moved after updating/overwriting from Stable #47

Closed privacyguy123 closed 10 months ago

privacyguy123 commented 1 year ago

Updated to Nightly from Stable to check this new feature out.

privacyguy123 commented 1 year ago

Removed certs manually, uninstalled and reinstalled module and still this error.

Ironically older versions worked just fine. On Samsung S20 FE 5G Snapdragon Android 13.

sfionov commented 1 year ago

@privacyguy123 Does your device have multiple users?

Do you have adb shell access to your device?

If yes, can you provide output of these commands?

su
ls /data/misc/user/*/cacerts-added/0f4ed297.*

privacyguy123 commented 1 year ago

> @privacyguy123 Does your device have multiple users?
>
> Do you have adb shell access to your device?
>
> If yes, can you provide output of these commands?
>
> su
> ls /data/misc/user/*/cacerts-added/0f4ed297.*

No I don't think so ... pm list users shows just one.

sfionov commented 1 year ago

@privacyguy123 Thank you!

I need a log of adguardcert module then, can you do cat /data/local/tmp/adguardcert.log in terminal?

privacyguy123 commented 1 year ago

> @privacyguy123 Thank you!
>
> I need a log of adguardcert module then, can you do cat /data/local/tmp/adguardcert.log in terminal?

Sure, I had a look myself and can't see anything wrong.

at /data/local/tmp/adguardcert.log                              <
+ MODDIR=/data/adb/modules/adguardcert
+ AG_CERT_HASH=0f4ed297
+ IFS=.
+ read -r left right
+ read -r left right
+ sort -nr
+ ls /data/misc/user/0/cacerts-added/0f4ed297.0
+ echo 0 /data/misc/user/0/cacerts-added/0f4ed297.0
+ read -r left right
+ echo /data/misc/user/0/cacerts-added/0f4ed297.0
+ AG_CERT_FILE=/data/misc/user/0/cacerts-added/0f4ed297.0
+ '[' -e /data/misc/user/0/cacerts-added/0f4ed297.0 ]
+ rm -f '/data/misc/user/*/cacerts-removed/0f4ed297.*'
+ cp -f /data/misc/user/0/cacerts-added/0f4ed297.0 /data/adb/modules/adguardcert/system/etc/security/cacerts/0f4ed297.0
+ chown -R 0:0 /data/adb/modules/adguardcert/system/etc/security/cacerts
+ set_context /system/etc/security/cacerts /data/adb/modules/adguardcert/system/etc/security/cacerts
+ getenforce
+ '[' Enforcing '=' Enforcing ]
+ default_selinux_context=u:object_r:system_file:s0
+ ls -Zd /system/etc/security/cacerts
+ awk '{print $1}'
+ selinux_context=u:object_r:system_security_cacerts_file:s0
+ '[' -n u:object_r:system_security_cacerts_file:s0 ]
+ '[' u:object_r:system_security_cacerts_file:s0 '!=' '?' ]
+ chcon -R u:object_r:system_security_cacerts_file:s0 /data/adb/modules/adguardcert/system/etc/security/cacerts
+ '[' -d /apex/com.android.conscrypt/cacerts ]
+ rm -f /data/local/tmp/adg-ca-copy
+ mkdir -p /data/local/tmp/adg-ca-copy
+ mount -t tmpfs tmpfs /data/local/tmp/adg-ca-copy
+ cp -f /apex/com.android.conscrypt/cacerts/01419da9.0 /apex/com.android.conscrypt/cacerts/04f60c28.0 /apex/com.android.conscrypt/cacerts/0d69c7e1.0 /apex/com.android.conscrypt/cacerts/10531352.0 /apex/com.android.conscrypt/cacerts/1ae85e5e.0 /apex/com.android.conscrypt/cacerts/1b0f7e5c.0 /apex/com.android.conscrypt/cacerts/1df5a75f.0 /apex/com.android.conscrypt/cacerts/1e1eab7c.0 /apex/com.android.conscrypt/cacerts/1e8e7201.0 /apex/com.android.conscrypt/cacerts/1ec40989.0 /apex/com.android.conscrypt/cacerts/1f58a078.0 /apex/com.android.conscrypt/cacerts/219d9499.0 /apex/com.android.conscrypt/cacerts/23f4c490.0 /apex/com.android.conscrypt/cacerts/252252d2.0 /apex/com.android.conscrypt/cacerts/2add47b6.0 /apex/com.android.conscrypt/cacerts/2d9dafe4.0 /apex/com.android.conscrypt/cacerts/302904dd.0 /apex/com.android.conscrypt/cacerts/304d27c3.0 /apex/com.android.conscrypt/cacerts/31188b5e.0 /apex/com.android.conscrypt/cacerts/33ee480d.0 /apex/com.android.conscrypt/cacerts/35105088.0 /apex/com.android.conscrypt/cacerts/399e7759.0 /apex/com.android.conscrypt/cacerts/3ad48a91.0 /apex/com.android.conscrypt/cacerts/3c860d51.0 /apex/com.android.conscrypt/cacerts/3c899c73.0 /apex/com.android.conscrypt/cacerts/3c9a4d3b.0 /apex/com.android.conscrypt/cacerts/3e7271e8.0 /apex/com.android.conscrypt/cacerts/41a3f684.0 /apex/com.android.conscrypt/cacerts/455f1b52.0 /apex/com.android.conscrypt/cacerts/48a195d8.0 /apex/com.android.conscrypt/cacerts/4be590e0.0 /apex/com.android.conscrypt/cacerts/4c3982f2.0 /apex/com.android.conscrypt/cacerts/5046c355.0 /apex/com.android.conscrypt/cacerts/52b525c7.0 /apex/com.android.conscrypt/cacerts/53a1b57a.0 /apex/com.android.conscrypt/cacerts/583d0756.0 /apex/com.android.conscrypt/cacerts/5a3f0ff8.0 /apex/com.android.conscrypt/cacerts/5acf816d.0 /apex/com.android.conscrypt/cacerts/5f47b495.0 /apex/com.android.conscrypt/cacerts/5f9a69fa.0 /apex/com.android.conscrypt/cacerts/5fdd185d.0 /apex/com.android.conscrypt/cacerts/60afe812.0 
/apex/com.android.conscrypt/cacerts/6187b673.0 /apex/com.android.conscrypt/cacerts/63a2c897.0 /apex/com.android.conscrypt/cacerts/69105f4f.0 /apex/com.android.conscrypt/cacerts/6b03dec0.0 /apex/com.android.conscrypt/cacerts/6f7454b3.0 /apex/com.android.conscrypt/cacerts/75680d2e.0 /apex/com.android.conscrypt/cacerts/76579174.0 /apex/com.android.conscrypt/cacerts/7892ad52.0 /apex/com.android.conscrypt/cacerts/7a7c655d.0 /apex/com.android.conscrypt/cacerts/7a819ef2.0 /apex/com.android.conscrypt/cacerts/81b9768f.0 /apex/com.android.conscrypt/cacerts/82223c44.0 /apex/com.android.conscrypt/cacerts/83e9984f.0 /apex/com.android.conscrypt/cacerts/85cde254.0 /apex/com.android.conscrypt/cacerts/86212b19.0 /apex/com.android.conscrypt/cacerts/869fbf79.0 /apex/com.android.conscrypt/cacerts/8794b4e3.0 /apex/com.android.conscrypt/cacerts/882de061.0 /apex/com.android.conscrypt/cacerts/88950faa.0 /apex/com.android.conscrypt/cacerts/89c02a45.0 /apex/com.android.conscrypt/cacerts/8d6437c3.0 /apex/com.android.conscrypt/cacerts/9282e51c.0 /apex/com.android.conscrypt/cacerts/9339512a.0 /apex/com.android.conscrypt/cacerts/93851c9e.0 /apex/com.android.conscrypt/cacerts/9479c8c3.0 /apex/com.android.conscrypt/cacerts/9576d26b.0 /apex/com.android.conscrypt/cacerts/9591a472.0 /apex/com.android.conscrypt/cacerts/95aff9e3.0 /apex/com.android.conscrypt/cacerts/9685a493.0 /apex/com.android.conscrypt/cacerts/985c1f52.0 /apex/com.android.conscrypt/cacerts/99e1b953.0 /apex/com.android.conscrypt/cacerts/9aef356c.0 /apex/com.android.conscrypt/cacerts/9d6523ce.0 /apex/com.android.conscrypt/cacerts/a2c66da8.0 /apex/com.android.conscrypt/cacerts/a3896b44.0 /apex/com.android.conscrypt/cacerts/a716d4ed.0 /apex/com.android.conscrypt/cacerts/a81e292b.0 /apex/com.android.conscrypt/cacerts/a9d40e02.0 /apex/com.android.conscrypt/cacerts/ab5346f4.0 /apex/com.android.conscrypt/cacerts/ab59055e.0 /apex/com.android.conscrypt/cacerts/b0ed035a.0 /apex/com.android.conscrypt/cacerts/b0f3e76e.0 
/apex/com.android.conscrypt/cacerts/b30d5fda.0 /apex/com.android.conscrypt/cacerts/b3fb433b.0 /apex/com.android.conscrypt/cacerts/b74d2bd5.0 /apex/com.android.conscrypt/cacerts/b7db1890.0 /apex/com.android.conscrypt/cacerts/b872f2b4.0 /apex/com.android.conscrypt/cacerts/b92fd57f.0 /apex/com.android.conscrypt/cacerts/b936d1c6.0 /apex/com.android.conscrypt/cacerts/bc3f2570.0 /apex/com.android.conscrypt/cacerts/bd43e1dd.0 /apex/com.android.conscrypt/cacerts/bdacca6f.0 /apex/com.android.conscrypt/cacerts/bf64f35b.0 /apex/com.android.conscrypt/cacerts/c44cc0c0.0 /apex/com.android.conscrypt/cacerts/c491639e.0 /apex/com.android.conscrypt/cacerts/c559d742.0 /apex/com.android.conscrypt/cacerts/c7f1359b.0 /apex/com.android.conscrypt/cacerts/c90bc37d.0 /apex/com.android.conscrypt/cacerts/cb1c3204.0 /apex/com.android.conscrypt/cacerts/ccc52f49.0 /apex/com.android.conscrypt/cacerts/cf701eeb.0 /apex/com.android.conscrypt/cacerts/d06393bb.0 /apex/com.android.conscrypt/cacerts/d16a5865.0 /apex/com.android.conscrypt/cacerts/d16a5865.1 /apex/com.android.conscrypt/cacerts/d18e9066.0 /apex/com.android.conscrypt/cacerts/d39b0a2c.0 /apex/com.android.conscrypt/cacerts/d41b5e2a.0 /apex/com.android.conscrypt/cacerts/d4c339cb.0 /apex/com.android.conscrypt/cacerts/d59297b8.0 /apex/com.android.conscrypt/cacerts/d7746a63.0 /apex/com.android.conscrypt/cacerts/d96b65e2.0 /apex/com.android.conscrypt/cacerts/da7377f6.0 /apex/com.android.conscrypt/cacerts/dbc54cab.0 /apex/com.android.conscrypt/cacerts/dbff3a01.0 /apex/com.android.conscrypt/cacerts/dc99f41e.0 /apex/com.android.conscrypt/cacerts/dfc0fe80.0 /apex/com.android.conscrypt/cacerts/e13665f9.0 /apex/com.android.conscrypt/cacerts/e442e424.0 /apex/com.android.conscrypt/cacerts/e48193cf.0 /apex/com.android.conscrypt/cacerts/e7c037b4.0 /apex/com.android.conscrypt/cacerts/e8651083.0 /apex/com.android.conscrypt/cacerts/ed39abd0.0 /apex/com.android.conscrypt/cacerts/edcbddb5.0 /apex/com.android.conscrypt/cacerts/ee532fd5.0 
/apex/com.android.conscrypt/cacerts/f013ecaf.0 /apex/com.android.conscrypt/cacerts/f058632f.0 /apex/com.android.conscrypt/cacerts/f0cd152c.0 /apex/com.android.conscrypt/cacerts/f459871d.0 /apex/com.android.conscrypt/cacerts/f8fc53da.0 /apex/com.android.conscrypt/cacerts/fb5fa911.0 /apex/com.android.conscrypt/cacerts/fd08c599.0 /apex/com.android.conscrypt/cacerts/fde84897.0 /data/local/tmp/adg-ca-copy/
+ cp -f /data/misc/user/0/cacerts-added/0f4ed297.0 /data/local/tmp/adg-ca-copy
+ chown -R 0:0 /data/local/tmp/adg-ca-copy
+ set_context /apex/com.android.conscrypt/cacerts /data/local/tmp/adg-ca-copy
+ getenforce
+ '[' Enforcing '=' Enforcing ]
+ default_selinux_context=u:object_r:system_file:s0
+ ls -Zd /apex/com.android.conscrypt/cacerts
+ awk '{print $1}'
+ selinux_context=u:object_r:system_security_cacerts_file:s0
+ '[' -n u:object_r:system_security_cacerts_file:s0 ]
+ '[' u:object_r:system_security_cacerts_file:s0 '!=' '?' ]
+ chcon -R u:object_r:system_security_cacerts_file:s0 /data/local/tmp/adg-ca-copy
+ ls -1 /data/local/tmp/adg-ca-copy
+ wc -l
+ CERTS_NUM=135
+ '[' 135 -gt 10 ]
+ mount --bind /data/local/tmp/adg-ca-copy /apex/com.android.conscrypt/cacerts
+ umount /data/local/tmp/adg-ca-copy
+ rmdir /data/local/tmp/adg-ca-copy

privacyguy123 commented 1 year ago

Keep in mind 1.2 with Adguard Stable moved the certs fine.

sfionov commented 1 year ago

@privacyguy123 Can you please enable debug logging in AdGuard, restart it, go to HTTPS filtering settings page, then save logs and send them to devteam@adguard.com?

https://adguard.com/kb/adguard-for-android/solving-problems/log/

privacyguy123 commented 1 year ago

Still an issue, everything updated to latest stable

Seems to be a visual bug at least; Internet browsing in Brave is working, showing the cert fine in the URL bar. Would still be nice if it could be fixed.

privacyguy123 commented 1 year ago

Problem is Magisk Alpha specific

sfionov commented 1 year ago

@privacyguy123 What "mount namespace mode" do you have in Settings -> Superuser?

privacyguy123 commented 1 year ago

Root sessions will inherit their requester's namespace

privacyguy123 commented 1 year ago

I moved back to Magisk Delta 26301 and I don't see this issue any longer however:

To be honest HTTPS Filtering is such a high level of extremely unstable I've had to disable it completely - too many strange issues with apps that have it on by default (for some reason almost every app?) And I fly swat bugs all day only to learn that apps aren't connecting to the Internet right with HTTPS Filtering even with user certs in the system store with the Magisk module. I think there should be a much more complex warning before allowing users to turn this option on - tbh it breaks fucking everything.

privacyguy123 commented 1 year ago

@sfionov someone pointed out to me that it could be how "Unmount By Default" works on Magisk Delta. Could you comment on this? Are there files that Adguard needs mounted with root capabilities for this HTTPS filtering to work properly?

privacyguy123 commented 1 year ago

> @sfionov someone pointed out to me that it could be how "Unmount By Default" works on Magisk Delta. Could you comment on this? Are there files that Adguard needs mounted with root capabilities for this HTTPS filtering to work properly?

I have no idea, surely a dev of the app/module would know better?

I've noticed that VPN mode (non root, ironically) works much better so it certainly seems like it's a problem with this "Automatic Proxy Routes" option which is one of the reasons I even rooted in the first place ...

EDIT: com.android.proxyhandler - perhaps some component like this needs mounted by root?

sfionov commented 10 months ago

Sorry, I missed the last reply.

I think #52 is a duplicate of this issue, so this issue should also be closed.

The problem with the new Magisk is that post_fs_data.sh is executed in a separate mount namespace, thus the namespace patched in the script is not the namespace of init(1).
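
The root cause named in the last comment can be checked by comparing what the script's mount namespace and init's mount namespace each see at the conscrypt cacerts path. This is an added diagnostic example, not part of the original thread or of the adguardcert module; the function names (`mount_visible`, `diagnose`, `ns_id`) are hypothetical and the mountinfo samples are constructed.

```shell
#!/bin/sh
# Added example: does a bind mount made by a boot script exist in init's mount namespace?
# On a rooted device the two inputs would be /proc/self/mountinfo and /proc/1/mountinfo.

# mount_visible FILE MOUNTPOINT -> exit 0 if MOUNTPOINT appears as a mount point (field 5)
mount_visible() {
    awk -v mp="$2" '$5 == mp { found = 1 } END { exit !found }' "$1"
}

# diagnose SCRIPT_MOUNTINFO INIT_MOUNTINFO MOUNTPOINT -> prints one verdict word
diagnose() {
    if ! mount_visible "$1" "$3"; then
        echo "not-mounted"            # the script never mounted anything here
    elif mount_visible "$2" "$3"; then
        echo "visible-to-init"        # mount exists in init's namespace as well
    else
        echo "script-namespace-only"  # mount made, but only in the script's own namespace
    fi
}

# ns_id PID -> namespace id such as mnt:[4026531840]; differing ids mean separate namespaces.
# On a device, as root: [ "$(ns_id self)" = "$(ns_id 1)" ]
ns_id() { readlink "/proc/$1/ns/mnt"; }

CACERTS=/apex/com.android.conscrypt/cacerts   # mount target seen in the module log above
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed mountinfo as seen from the script's namespace: tmpfs copy bound over cacerts.
cat > "$SAMPLE_DIR/script.mountinfo" <<'EOF'
21 1 253:0 / / ro,relatime shared:1 - ext4 /dev/block/dm-0 ro
98 21 7:40 / /apex/com.android.conscrypt ro,nodev,noatime shared:50 - ext4 /dev/block/loop5 ro
412 98 0:57 / /apex/com.android.conscrypt/cacerts rw,relatime - tmpfs tmpfs rw
EOF

# Constructed mountinfo as seen from init(1): the bind mount is absent.
cat > "$SAMPLE_DIR/init.mountinfo" <<'EOF'
21 1 253:0 / / ro,relatime shared:1 - ext4 /dev/block/dm-0 ro
98 21 7:40 / /apex/com.android.conscrypt ro,nodev,noatime shared:50 - ext4 /dev/block/loop5 ro
EOF

diagnose "$SAMPLE_DIR/script.mountinfo" "$SAMPLE_DIR/init.mountinfo" "$CACERTS"
```

A `script-namespace-only` verdict matches the symptom in this thread: the module log shows the `mount --bind` succeeding, yet the certificate is not seen in the system store by processes that descend from init's namespace.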