TrebleDroid / treble_experimentations

Scripts to automatically build/CI/Release TrebleDroid GSI

How to set "setenforce 0" #29

Closed ED4free closed 1 year ago

ED4free commented 1 year ago

Hello,

I use this system : https://github.com/TrebleDroid/treble_experimentations/releases/download/ci-20230330/system-td-arm64-ab-vanilla.img.xz

On a Blackview BV4900 Pro

Everything works perfectly, but the command "setenforce 0" fails with this message:

setenforce: Couldn't set enforcing status to '0': Invalid argument

Result of "setenforce --help":

Toybox 0.8.6-android multicall binary (see toybox --help)
usage: setenforce [enforcing|permissive|1|0]
Sets whether SELinux is enforcing (1) or permissive (0).

Thank you for your help

Thierry

phhusson commented 1 year ago

It's likely that the kernel provided by your device doesn't allow doing this

ED4free commented 1 year ago

Thanks a lot @phhusson,

In fact, perhaps what I want to do does not require setenforce permissive.

I want to make it so that, when I turn on the wifi hotspot, dnsmasq resolves the address "edphone.org" to the IP address of the ap0 interface; this IP address changes every time. Here is how I do it on other devices:

Another way, on another smartphone, is:

So, if you have an idea about how I could make the wifi hotspot resolve a domain to the ap0 address, it would be welcome.

Thierry

phhusson commented 1 year ago

I took a quick look, and no I have no reasonably simple idea on how to do that better

What you can do to fix your method is to append this to system/etc/selinux/plat_sepolicy.cil: (typepermissive dnsmasq)

You'll need to ensure that when doing ls -lZ /system/bin/dnsmasq it says u:object_r:dnsmasq_exec:s0 like /system/bin/dnsmasq did before you changed it

If it still fails, you can try to add: (typepermissive netd)

ED4free commented 1 year ago

Thanks a lot @phhusson ,

Unfortunately, it still does not work after I appended /system/etc/selinux/plat_sepolicy.cil first with (typepermissive dnsmasq), then with (typepermissive netd).

Here is the result of the commands:

:/system/bin # ls -lZ /system/bin/dnsmasq
-rwxrwx--x 1 root root u:object_r:system_file:s0 552 2023-05-19 16:50 /system/bin/dnsmasq

:/system/bin # logcat | grep dnsmasq [when I start the hotspot, which launches the shell]

05-19 17:12:38.357 5577 5577 W dnsmasq : type=1400 audit(0.0:269): avc: denied { getattr } for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5577 5577 W dnsmasq : type=1400 audit(0.0:270): avc: denied { getattr } for path="/vendor/bin/toybox_vendor" dev="overlay" ino=53469 scontext=u:r:netd:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5578 5578 W dnsmasq : type=1400 audit(0.0:271): avc: denied { getattr } for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5578 5578 W dnsmasq : type=1400 audit(0.0:272): avc: denied { getattr } for path="/vendor/bin/toybox_vendor" dev="overlay" ino=53469 scontext=u:r:netd:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5579 5579 W dnsmasq : type=1400 audit(0.0:273): avc: denied { getattr } for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5579 5579 W dnsmasq : type=1400 audit(0.0:274): avc: denied { getattr } for path="/vendor/bin/toybox_vendor" dev="overlay" ino=53469 scontext=u:r:netd:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5576 5576 W dnsmasq : type=1400 audit(0.0:275): avc: denied { getattr } for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5580 5580 W dnsmasq : type=1400 audit(0.0:276): avc: denied { getattr } for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.357 5580 5580 W dnsmasq : type=1400 audit(0.0:277): avc: denied { getattr } for path="/vendor/bin/toybox_vendor" dev="overlay" ino=53469 scontext=u:r:netd:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=0
05-19 17:12:38.385 5575 5575 E dnsmasq : bad command line options: try --help
05-19 17:12:38.385 5575 5575 E dnsmasq : FAILED to start up

ED4free commented 1 year ago

Something is strange: even if I keep the initial dnsmasq binary, when I start the hotspot, logcat says:

05-19 17:16:17.889 5617 5617 W dnsmasq : type=1400 audit(0.0:280): avc: denied { net_bind_service } for capability=10 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0
05-19 17:16:17.895 5617 5617 E dnsmasq : FAILED to start up

But the hotspot is working.

phhusson commented 1 year ago

k so you need to keep the original dnsmasq's context, do: chcon u:object_r:dnsmasq_exec:s0 /system/bin/dnsmasq

The result of ls -lZ will change. Then try again.

ED4free commented 1 year ago

Fewer errors in logcat, only:

05-19 17:43:05.177 5749 5749 W dnsmasq : type=1400 audit(0.0:289): avc: denied { map } for path="/system/bin/sh" dev="overlay" ino=9638 scontext=u:r:dnsmasq:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0

I notice that dnsmasq's context changes after I edit it with toybox vi, so now I change it afterwards with chcon. So:

:/system/bin # ls -lZ /system/bin/dnsmasq
-rwxrwx--x 1 root root u:object_r:dnsmasq_exec:s0 210 2023-05-19 17:50 /system/bin/dnsmasq

FYI, here is the shell script:

#!/system/bin/sh
# Wrapper installed as /system/bin/dnsmasq; the real binary was renamed dnsmasq.bin.
# Pick the IPv4 address of the interface that has a broadcast address (the hotspot's ap0).
HOST=$(/bin/ifconfig | grep Bcast | sed -e 's/ //g' | cut -d':' -f2- | cut -dB -f1)
echo "Lancement de dnsmasq" >> /data/edphone/log
# Make dnsmasq answer edphone.org with the hotspot address, then pass the original arguments through.
OPT="--address=/edphone.org/$HOST"
exec dnsmasq.bin $OPT "$@"

phhusson commented 1 year ago

k, it's possible your kernel also disallows SELinux permissive contexts. I doubt it, but still, it needs to be checked.

In adb shell, do su, then run lshal (ignore its output), and check logcat -b events -s auditd -d: there should be some lines with u:r:su:s0, and those lines should have permissive=1.

ED4free commented 1 year ago

After running lshal in su,

logcat -b events -s auditd -d | grep "u:r:su:s0" => No line

logcat -b events -s auditd -d | grep "permissive=1"

05-19 07:52:43.896 549 549 I auditd : type=1400 audit(0.0:8): avc: denied { fsetid } for comm="cp" capability=4 scontext=u:r:phhsu_daemon:s0 tcontext=u:r:phhsu_daemon:s0 tclass=capability permissive=1
05-19 07:52:46.148 705 705 I auditd : type=1400 audit(0.0:9): avc: denied { syslog_console } for comm="dmesg" scontext=u:r:phhsu_daemon:s0 tcontext=u:r:kernel:s0 tclass=system permissive=1
05-19 07:53:12.648 2403 2403 I auditd : type=1400 audit(0.0:75): avc: denied { fsetid } for comm="chmod" capability=4 scontext=u:r:phhsu_daemon:s0 tcontext=u:r:phhsu_daemon:s0 tclass=capability permissive=1
05-19 07:53:12.740 2433 2433 I auditd : type=1400 audit(0.0:76): avc: denied { fsetid } for comm="chmod" capability=4 scontext=u:r:phhsu_daemon:s0 tcontext=u:r:phhsu_daemon:s0 tclass=capability permissive=1
05-19 16:57:13.933 5405 5405 I auditd : type=1400 audit(0.0:240): avc: denied { link } for comm="sh" name="#48128" dev="dm-3" ino=48128 scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:sepolicy_file:s0 tclass=file permissive=1

phhusson commented 1 year ago

Ok so that means permissive contexts are ok.

Double check that the change you wrote to system/etc/selinux/plat_sepolicy.cil sticks? You made those changes on the system.img itself from a computer and then flashed it, correct?

ED4free commented 1 year ago

Yes, the result of the command "tail /system/etc/selinux/plat_sepolicy.cil" is:

(typeattribute system_and_vendor_property_type)
(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
(typepermissive dnsmasq)
(typepermissive netd)

Even after reboot

I made these changes directly on the system, with adb, then su, then 'echo "(typepermissive dnsmasq)" >> /system/etc/selinux/plat_sepolicy.cil'. I don't know how to make these changes on system.img; if you give me a link explaining how to do it, I can try.

ED4free commented 1 year ago

OK I understand, I work on Windows. But on my Linux PC I could mount the system.img, make the modification, then flash it.

ED4free commented 1 year ago

I made several tests; here is what I see.

When I don't execute "chcon u:object_r:dnsmasq_exec:s0 /system/bin/dnsmasq" after modifying dnsmasq as root, so the context is:

-rwxrwx--x 1 root root u:object_r:system_file:s0 536 2023-05-19 22:30 dnsmasq

then each line of this shell script makes an error: denied { getattr } for path="/system/bin/toybox", but the script succeeds in launching dnsmasq.bin at the end. As the variable is not properly set, it crashes. => The problem seems to be that it has no access to toybox for the commands sed, ifconfig, etc. Direct access to the shell is ok.

When I execute "chcon u:object_r:dnsmasq_exec:s0 /system/bin/dnsmasq", there is only one error, when executing dnsmasq.bin:

avc: denied { map } for path="/system/bin/sh" dev="overlay" ino=13655 scontext=u:r:dnsmasq:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0

=> The problem is that it has no access to the shell; access to toybox is ok.
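The two outcomes above are read directly from the `avc: denied` records: the source domain (`scontext`) tells you which label the wrapper was running under, the target type (`tcontext`) and class tell you what it was refused, and `permissive=0` means the kernel actually blocked the access rather than just logging it. The following added example is not from the thread and not part of TrebleDroid; it is a small Python parser that turns the logcat/auditd lines quoted earlier in this issue (copied inline as sample input) into a per-domain summary, so you can see at a glance which domains are still enforced and what they were denied, the same check phhusson asked for with `grep "permissive=1"`.

```python
import re
from collections import Counter

# Sample input: audit lines copied from the logcat excerpts quoted in this
# issue, plus one unrelated line to show that non-AVC records are skipped.
SAMPLE_LINES = [
    '05-19 17:12:38.357 5577 5577 W dnsmasq : type=1400 audit(0.0:269): avc: denied { getattr } '
    'for path="/system/bin/toybox" dev="overlay" ino=9684 scontext=u:r:netd:s0 '
    'tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=0',
    '05-19 17:16:17.889 5617 5617 W dnsmasq : type=1400 audit(0.0:280): avc: denied { net_bind_service } '
    'for capability=10 scontext=u:r:netd:s0 tcontext=u:r:netd:s0 tclass=capability permissive=0',
    '05-19 17:43:05.177 5749 5749 W dnsmasq : type=1400 audit(0.0:289): avc: denied { map } '
    'for path="/system/bin/sh" dev="overlay" ino=9638 scontext=u:r:dnsmasq:s0 '
    'tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0',
    '05-19 07:52:43.896 549 549 I auditd : type=1400 audit(0.0:8): avc: denied { fsetid } '
    'for comm="cp" capability=4 scontext=u:r:phhsu_daemon:s0 tcontext=u:r:phhsu_daemon:s0 '
    'tclass=capability permissive=1',
    '05-19 17:12:38.385 5575 5575 E dnsmasq : FAILED to start up',
]

# One AVC record: permissions in braces, free-form detail, then the fixed
# scontext/tcontext/tclass/permissive tail that every denial carries.
AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+) \} for (?P<detail>.*?) '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\S+) permissive=(?P<permissive>[01])'
)
# key=value pairs inside the detail part (path="...", ino=9684, capability=4, ...)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing the denial on this line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    detail = {k: v.strip('"') for k, v in KV_RE.findall(m.group('detail'))}
    scontext, tcontext = m.group('scontext'), m.group('tcontext')
    return {
        'perms': m.group('perms').split(),
        'scontext': scontext,
        'sdomain': scontext.split(':')[2],      # u:r:netd:s0 -> netd
        'tcontext': tcontext,
        'ttype': tcontext.split(':')[2],        # u:object_r:shell_exec:s0 -> shell_exec
        'tclass': m.group('tclass'),
        'enforced': m.group('permissive') == '0',  # 0 = really blocked, 1 = logged only
        'path': detail.get('path'),
        'capability': detail.get('capability'),
        'comm': detail.get('comm'),
    }


def summarize(lines):
    """Count denials per (source domain, target type, class, permission, mode)."""
    summary = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        mode = 'enforced' if rec['enforced'] else 'permissive'
        for perm in rec['perms']:
            summary[(rec['sdomain'], rec['ttype'], rec['tclass'], perm, mode)] += 1
    return summary


def domains_with_enforced_denials(lines):
    """Domains that had at least one permissive=0 denial, i.e. are not permissive."""
    return sorted({key[0] for key in summarize(lines) if key[4] == 'enforced'})


if __name__ == '__main__':
    for key, count in sorted(summarize(SAMPLE_LINES).items()):
        sdomain, ttype, tclass, perm, mode = key
        print(f'{count:3d}  {sdomain:14s} -> {ttype:22s} {tclass:10s} {perm:18s} {mode}')
    print('still enforced:', domains_with_enforced_denials(SAMPLE_LINES))
```

On a device you would feed it `adb shell logcat -b events -s auditd -d` (or `dmesg`) output line by line instead of `SAMPLE_LINES`. The point of the `mode` column is the distinction the thread turns on: a `(typepermissive X)` entry that took effect shows up as `permissive=1` for domain X, while a domain that still reports `permissive=0` has not been made permissive, either because the policy change did not stick or because the process is not running in the domain you expected (here `netd` rather than `dnsmasq` until the file context was restored with `chcon`).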

ED4free commented 1 year ago

Hello @phhusson ,

It seems that my shell called dnsmasq

The problem is that the commands it needs (ifconfig, grep, etc.) go through toybox, which does work for it. On the other hand, commands like "ip addr show ap0" work.

IT WORKS !

I installed the busybox from Meefic and it works with it. I copied busybox directly into /system/bin (because /system/xbin is erased at each boot), and in my dnsmasq shell script I call the system functions like this: "busybox ifconfig".

Thanks a lot for your support !

Thierry