meefik / linuxdeploy

Install and run GNU/Linux on Android
https://meefik.github.io/linuxdeploy
GNU General Public License v3.0

Firewall #201

Closed thegithub closed 6 years ago

thegithub commented 9 years ago

I would like to know what should be done in order for "Linux Deploy" to run properly with AFWall+ (android firewall). Is there any customized script that can make them both cooperate together? Problem is that there is no internet access for both root and android user in the chrooted linux, unless I turn off AFWall which is something I want to avoid at all cost.

lbdroid commented 9 years ago

afwall+ is just a frontend to iptables. You just need to add a rule that allows you to create an outbound connection. I won't go through that program to make you exact instructions, but based on the screenshots on play store, it looks like it will show you block events in the log and let you create rules based on the logs.

lulcat commented 8 years ago

not really great... iirc it is linux root which will call, so to enable that will effectively render afwall useless in many ways (depending on your use case). So not really much of a proposal for a solution there lbdroid.

lbdroid commented 8 years ago

It doesn't matter what user account makes a network request. iptables will still follow its rules.

flying-sheep commented 8 years ago

that user looks like it’s probably a spambot…

thegithub commented 7 years ago

I didn't really understand what lulcat is discussing. I'll have a look at iptables though

lulcat commented 6 years ago

ye, flying-sheep is for sure a spambot.. anyway, my point way back then was that since you are in a chroot, to easily allow linux root outbound connections by some lenient (but convenient) manner, could lead to some unexpected security issues, but nevermind; it was clearly above and beyond for this discussion.

Dakkaron commented 3 years ago

It's a bit late, but if anyone has the same problem, here is a workaround:

Figure out the user ID of an app that you will always allow internet access for (e.g. your browser). To do so, head to that app's folder like so:

cd /data/data/org.mozilla.firefox
ls -lah

Each file should be owned by the same user (e.g. u0_148). Now figure out the user's ID:

id u0_148

In my case the ID is 10148.

Now open the linuxdeploy root shell from Android Terminal Emulator (important, don't use VNC or something else that accesses the non-root user).

/data/data/ru.meefik.linuxdeploy/files/bin/linuxdeploy shell -u root

First, get the regular user's id (my username is android):

id android

My old user id is 3009. Now you need to modify your regular user's uid:

usermod -u 10148 android

And now to clean up, find all files still belonging to the old user id and chown them to the new user id:

find / -user 3009 -exec chown -h android {} \;

Now internet access for Linuxdeploy is coupled to the app chosen in the beginning.

minkmank commented 2 years ago

@Dakkaron Your workaround is the only thing that helped for me in this issue (I spent hours on trying to find a way to solve this via iptables rules, in vain). It is worth noting that your procedure has to be applied to every user within the chrooted system that needs to pass Afwall. So in my case (chrooted Ubuntu Base), I needed to do the same thing with the _apt user, otherwise apt commands from within Ubuntu were blocked by Afwall (though apt is invoked by root, it internally runs its commands as _apt).
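
A check for the UID workaround and the `_apt` follow-up above, as an added example that is not part of the thread: it reads a chroot's passwd file and reports which accounts share the chosen app's UID (and so its internet access) and which accounts that need network access are still unmapped. The function names are hypothetical, and the passwd content, the `_apt` UID 100 and the GIDs are constructed sample data; only the UID 10148 and the user name android come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# uid_of PASSWD_FILE NAME: print the account's numeric UID (nothing if absent).
uid_of() {
    awk -F: -v n="$2" '$1 == n && $3 ~ /^[0-9]+$/ { print $3; exit }' "$1"
}

# accounts_on_uid PASSWD_FILE UID: print every account name that has this UID.
# Per the workaround, each of them shares the chosen app's internet access.
accounts_on_uid() {
    awk -F: -v u="$2" '$3 == u { print $1 }' "$1"
}

# unmapped_accounts PASSWD_FILE APP_UID NAME...
# Print "name:uid" (or "name:missing") for each listed account that does not
# have APP_UID; return 1 if any was printed, 0 if all are mapped.
unmapped_accounts() {
    passwd_file=$1
    app_uid=$2
    shift 2
    rc=0
    for name in "$@"; do
        uid=$(uid_of "$passwd_file" "$name")
        if [ "$uid" != "$app_uid" ]; then
            echo "$name:${uid:-missing}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a chroot /etc/passwd after `usermod -u 10148 android`,
# with _apt not yet changed (its UID 100 and the GIDs are made up).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
android:x:10148:3009::/home/android:/bin/bash
EOF
}

tmp=$(mktemp)
sample_passwd > "$tmp"
echo "accounts on UID 10148: $(accounts_on_uid "$tmp" 10148)"
echo "still unmapped: $(unmapped_accounts "$tmp" 10148 android _apt || true)"
rm -f "$tmp"
```

Inside the chroot, pass `/etc/passwd` as the file and list the accounts that need to get through the firewall.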