Open BoBeR182 opened 1 year ago
Could you give more info about what ROM you are using?
LineageOS fork with microg. Specifically https://download.lineage.microg.org/guacamole/lineage-18.1-20221002-microG-guacamole.zip
Access to tcp_socket ioctl for untrusted apps seems to be denied for all ROMs. I'm not sure if that is the actual problem. But, obviously the issue is related to sepolicy somehow if setting to permissive fixes the problem.
Where did you get Orbot from? Have you made any other changes to the system?
Permissive should never be used.
It's possible that Magisk can break sepolicy.
Orbot from F-Droid. Magisk is installed and used to be used to provide root for Orbot.
Orbot doesn't use root for anything
There are few reasons to keep a rooted device regardless
Currently no, but it used to for expert mode, before being replaced with VPN functionality.
I'm also curious as to what the source of these log messages is, although it seems unlikely that they'd break anything.
@NepNep21 You shouldn't have to disable Private DNS. And I personally recommend you do use e.g. Quad9 or DNS0 over the random exit node resolvers for the benefit of blocking and DNSSEC enforcement at the slight cost of disclosing to an extra party.
Disabling Private DNS while using a VPN on DivestOS will also bypass the built-in content blocker.
https://divestos.org/pages/faq#privateDNS https://divestos.org/pages/faq#privateDNSwVPN https://divestos.org/pages/faq#contentBlockerEnabled
@NepNep21 But I cannot reproduce this issue on any of my devices.
Did you make any system changes? Magisk? via adb?
I get these errors on my Nvidia Shield when I sideload the APK via adb (Unrooted and original firmware).
Proxy modes or VPN do not work and I get different denied messages for each.
SELinux : avc: denied { find } for pid=26989 uid=10103 name=tethering scontext=u:r:permissioncontroller_app:s0:c103,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0
tor : type=1400 audit(0.0:3047): avc: denied { ioctl } for path="socket:[1679969]" dev="sockfs" ino=1679969 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
Interestingly if I sideload the Cloudflare 1.1.1.1 + WARP VPN app via the same way, there are no problems.
SELinux breaks VPN functionality
Apps that set socks proxy or have Tor support built in still work. Those that rely on VPN to be proxied show error of DNS could not resolve.
Logcat shows SELinux stopping activities.
Workaround: setting selinux to permissive solves this.
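An added example, not part of the thread: a small Python parser that splits the two AVC denial lines quoted above into source domain, target type, class and permission, so denials the audit record attributes to org.torproject.android can be separated from those raised by other domains. The function names are hypothetical, and the name given for ioctlcmd 0x894b is taken from linux/sockios.h.

```python
import re

# Constructed input: the two denial lines quoted in this thread, unchanged.
SAMPLE_LOG = """\
SELinux : avc: denied { find } for pid=26989 uid=10103 name=tethering scontext=u:r:permissioncontroller_app:s0:c103,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0
tor : type=1400 audit(0.0:3047): avc: denied { ioctl } for path="socket:[1679969]" dev="sockfs" ino=1679969 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ioctl number -> name, from linux/sockios.h (only the value seen here).
IOCTL_NAMES = {0x894B: "SIOCOUTQNSD"}


def se_type(context):
    """Extract the type field from a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    cmd = int(kv["ioctlcmd"], 16) if "ioctlcmd" in kv else None
    return {
        "perms": m.group(1).split(),
        "source": se_type(kv.get("scontext", "")),
        "target": se_type(kv.get("tcontext", "")),
        "tclass": kv.get("tclass"),
        "enforced": kv.get("permissive") == "0",
        "app": kv.get("app"),
        "ioctl": IOCTL_NAMES.get(cmd, hex(cmd)) if cmd is not None else None,
    }


def parse_log(text):
    """Parse every AVC denial found in a block of logcat text."""
    return [r for r in map(parse_avc, text.splitlines()) if r]


def denials_for_app(text, package):
    """Keep only denials the audit record attributes to `package`."""
    return [r for r in parse_log(text) if r["app"] == package]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```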