guardianproject / orbot

The Github home of Orbot: Tor on Android (Also available on gitlab!)
https://gitlab.com/guardianproject/orbot

SELinux policy breaks VPN functionality #763

Open BoBeR182 opened 1 year ago

BoBeR182 commented 1 year ago

SELinux breaks VPN functionality. Apps that set a SOCKS proxy or have Tor support built in still work. Those that rely on the VPN to be proxied show an error that DNS could not resolve.

Logcat shows SELinux stopping activities:

```
[11-20 17:06:13.388 2458:2458 W/tor]
type=1400 audit(0.0:585): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android

[11-20 17:06:13.768 2458:2458 W/tor]
type=1400 audit(0.0:586): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android

[11-20 17:06:13.778 2458:2458 W/tor]
type=1400 audit(0.0:587): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android

[11-20 17:06:14.388 2458:2458 W/tor]
type=1400 audit(0.0:588): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android

[11-20 17:06:14.868 2458:2458 W/tor]
type=1400 audit(0.0:589): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android

[11-20 17:06:15.308 2458:2458 W/tor]
type=1400 audit(0.0:590): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
```

Workaround: setting SELinux to permissive solves this.

syphyr commented 1 year ago

Could you give more info about what ROM you are using?

BoBeR182 commented 1 year ago

LineageOS fork with microg. Specifically https://download.lineage.microg.org/guacamole/lineage-18.1-20221002-microG-guacamole.zip

syphyr commented 1 year ago

Access to tcp_socket ioctl for untrusted apps seems to be denied on all ROMs. I'm not sure if that is the actual problem. But obviously the issue is related to sepolicy somehow if setting it to permissive fixes the problem.

SkewedZeppelin commented 1 year ago

Where did you get Orbot from? Have you made any other changes to the system?

Permissive should never be used.

syphyr commented 1 year ago

It's possible that Magisk can break sepolicy.

BoBeR182 commented 1 year ago

Orbot from F-Droid. Magisk is installed and used to be used to provide root for Orbot.

SkewedZeppelin commented 1 year ago

Orbot doesn't use root for anything.

There are few reasons to keep a rooted device regardless.

BoBeR182 commented 1 year ago

Currently no, but it used to for expert mode, before being replaced with VPN functionality.

ghost commented 12 months ago

I'm also curious as to what the source of these log messages is, although it seems unlikely that they'd break anything.

SkewedZeppelin commented 1 month ago

@NepNep21 You shouldn't have to disable Private DNS. And I personally recommend you do use e.g. Quad9 or DNS0 over the random exit node resolvers for the benefit of blocking and DNSSEC enforcement, at the slight cost of disclosing to an extra party.

Disabling Private DNS while using a VPN on DivestOS will also bypass the built-in content blocker.

https://divestos.org/pages/faq#privateDNS https://divestos.org/pages/faq#privateDNSwVPN https://divestos.org/pages/faq#contentBlockerEnabled

SkewedZeppelin commented 1 month ago

@NepNep21 But I cannot reproduce this issue on any of my devices.

Did you make any system changes? Magisk? via adb?

trexx commented 1 month ago

I get these errors on my Nvidia Shield when I sideload the APK via adb (unrooted and original firmware).

Proxy modes or VPN do not work, and I get different denied messages for each.

```
SELinux : avc: denied { find } for pid=26989 uid=10103 name=tethering scontext=u:r:permissioncontroller_app:s0:c103,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0

tor : type=1400 audit(0.0:3047): avc: denied { ioctl } for path="socket:[1679969]" dev="sockfs" ino=1679969 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
```

Interestingly, if I sideload the Cloudflare 1.1.1.1 + WARP VPN app the same way, there are no problems.
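To triage denials like the ones quoted in the original report and in trexx's comment, here is an added Python helper (my example, not Orbot or LineageOS code) that parses both logcat formats seen in this thread, strips the per-app MLS categories so instances from different devices group together, and counts each (source domain, target type, class, permission, ioctl) tuple with an enforced/permissive flag. The sample input is copied from the comments above; the ioctl name lookup is my addition, taken from linux/sockios.h.

```python
import re
from collections import Counter

# AVC lines copied from this thread (one of each shape). Added example, not Orbot code.
SAMPLE_LOG = """\
[11-20 17:06:13.388 2458:2458 W/tor]
type=1400 audit(0.0:585): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:13.768 2458:2458 W/tor]
type=1400 audit(0.0:586): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
SELinux : avc: denied { find } for pid=26989 uid=10103 name=tethering scontext=u:r:permissioncontroller_app:s0:c103,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0
tor : type=1400 audit(0.0:3047): avc: denied { ioctl } for path="socket:[1679969]" dev="sockfs" ino=1679969 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
"""

# Known socket ioctl numbers (linux/sockios.h); extend as needed.
IOCTL_NAMES = {"0x894b": "SIOCOUTQNSD"}

AVC_RE = re.compile(r"avc: denied \{ (?P<perms>[^}]+)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    f["perms"] = m.group("perms").split()
    # u:r:untrusted_app:s0:c181,... -> untrusted_app (drop user, role, MLS categories)
    f["sdomain"] = f["scontext"].split(":")[2]
    f["ttype"] = f["tcontext"].split(":")[2]
    f["enforced"] = f.get("permissive") == "0"   # permissive=0 means the kernel blocked it
    if "ioctlcmd" in f:
        f["ioctl_name"] = IOCTL_NAMES.get(f["ioctlcmd"].lower(), "unknown")
    return f

def summarize(log_text):
    """Count denials by (source domain, target type, class, perms, ioctl)."""
    counts = Counter()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            counts[(d["sdomain"], d["ttype"], d["tclass"],
                    " ".join(d["perms"]), d.get("ioctlcmd", "-"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Feed it `adb logcat -d | python3 avc_triage.py`-style output (or a saved logcat) and the grouped tuples show which domain and object class a policy rule would need to cover, rather than the raw per-socket noise.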