Closed ale5000-git closed 7 years ago
Hi,
I am facing the same issue with Android 7.1 from a custom build. It seems related to SELinux policy.
From your log:
[ 12-03 01:26:29.548 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:347): avc: denied { read } for name="/" dev=tmpfs ino=1092 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0
[ 12-03 01:26:29.583 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:348): avc: denied { read } for name="net" dev=sysfs ino=3156 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0
[ 12-03 01:26:29.818 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:349): avc: denied { read } for name="/" dev=rootfs ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0
[ 12-03 01:26:29.853 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:350): avc: denied { search } for name="1996" dev=proc ino=1730 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=dir permissive=0
Try setting SELinux to permissive with (enable ADB root in Developer settings first):
$ adb root
$ adb shell setenforce 0
I will try to investigate that...
@be-neth: I'm almost sure that the Google binary checks the SELinux status and fails if it isn't enforcing.
You are right but this is the only way to get: Response validation: success.
But as you guessed:
D SafetyNetResponse: decodedJWTPayload
json:
{
"basicIntegrity": false,
"apkCertificateDigestSha256": [
"MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="
],
"extension": "CZjdzImgHaTh",
"ctsProfileMatch": false,
"apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
"apkPackageName": "com.scottyab.safetynet.sample",
"timestampMs": 1485265315067,
"nonce": "\/VJuFmsr8Y4Lm4e7ZeyGkhf+Xr88kBS3vCd4+vEBovI="
}
That's why I think we need to write SELinux rules.
@mar-v-in: Do you have some ideas?
I can reproduce this on my device. I will check the SELinux rules to see if I find a reason or a work-around; maybe an additional permission can solve this.
Do you have DroidGuard Helper on /system? If not, try whether it still shows these audit logs once it's in /system/priv-app.
No, I installed DroidGuard from F-Droid on the /data partition.
@mar-v-in: I did not succeed in building the RemoteDroidGuard apk properly from the gradle script (gradlew Assemble). I do not understand all of the build process, but it seems that the aar library from remote-droid-guard-lib is not embedded into the final apk.
I build my own ROM with microG built in and I need an Android.mk file for RemoteDroidGuard to do that. Is it easy to do?
Thanks.
You should be able to just use the Android.mk from GmsCore and update names and paths.
The build process should work fine, remember that you need Java 8 for compilation. If you receive any errors during the build process, please post them so I can check what might be the problem.
Ok, so maybe the Android.mk that I have made is fine.
But I get the following error when trying a SafetyNet request (microG DroidGuard exits with an error):
8100 8100 D SafetyNetHelperSAMPLE: SafetyNet start request
8100 8100 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
5345 5345 D GmsSafetyNetClientSvc: onBind: Intent { act=com.google.android.gms.safetynet.service.Sandroid.gms }
8100 8100 D SafetyNetHelper: apkDigest:4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=
5345 5358 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRe
5345 5358 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVereName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
8100 8100 V SafetyNetHelper: Google play services connected
8100 8100 V SafetyNetHelper: running SafetyNet.API Test
3199 4731 I ActivityManager: Start proc 8129:com.google.android.gms.unstable/u0a76 for service org.microg.gms.droidguard/.RemoteDroidGuardService
8129 8129 I art : Starting a blocking GC AddRemoveAppImageSpace
**8129 8129 W System : ClassLoader referenced unknown path: /system/priv-app/RemoteDroidGuard/lib/arm64**
8129 8144 D NetworkSecurityConfig: No Network Security Config specified, using platform default
8129 8144 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
8129 8144 D GmsDroidguardHelper: -- Request --
8129 8144 D GmsDroidguardHelper: DGRequest{usage=DGUsage{<HIDDEN>}
8129 8144 D GmsDroidguardHelper: Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d.apk
8148 8148 I dex2oat : /system/bin/dex2oat --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/the.apk --oat-fd=42 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex --compiler-filter=speed
8148 8148 I dex2oat : dex2oat took 91.125ms (threads: 4) arena alloc=170KB (174992B) java alloc=32KB (33136B) native alloc=965KB (988672B) free=1594KB (1632768B)
8144 8144 W Thread-2: type=1400 audit(0.0:18): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex" dev="dm-0" ino=32366 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
8144 8144 W Thread-2: type=1400 audit(0.0:19): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex" dev="dm-0" ino=32366 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
8144 8144 W Thread-2: type=1400 audit(0.0:20): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" dev="dm-0" ino=32363 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
of crash
8129 8144 E AndroidRuntime: FATAL EXCEPTION: Thread-2
8129 8144 E AndroidRuntime: Process: com.google.android.gms.unstable, PID: 8129
8129 8144 E AndroidRuntime: java.lang.UnsatisfiedLinkError: dlopen failed: couldn't map "/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" segment 1: Permission denied
8129 8144 E AndroidRuntime: at java.lang.Runtime.loadLibrary0(Runtime.java:989)
8129 8144 E AndroidRuntime: at java.lang.System.loadLibrary(System.java:1530)
8129 8144 E AndroidRuntime: at com.google.ccc.abuse.droidguard.DroidGuard.<clinit>(Unknown Source)
8129 8144 E AndroidRuntime: at java.lang.reflect.Constructor.newInstance0(Native Method)
8129 8144 E AndroidRuntime: at java.lang.reflect.Constructor.newInstance(Constructor.java:430)
8129 8144 E AndroidRuntime: at org.microg.gms.droidguard.DroidguardHelper.invoke(DroidguardHelper.java:95)
8129 8144 E AndroidRuntime: at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:89)
8129 8144 E AndroidRuntime: at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)
Oh, it seems to be another issue with SELinux. Why does a system app get permission denied when accessing "/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so"?
Also, I mentioned in my earlier post that I may have a build issue because of this log:
W System : ClassLoader referenced unknown path: /system/priv-app/RemoteDroidGuard/lib/arm64
Thanks for your help.
The problem now is that the app is in the platform_app context, which does not have execute permission on /data files. The priv_app context grants this permission. platform_app is used for apps that are signed with the platform key; priv_app is for other apps that reside in /system/priv-app.
I think it might be possible to use the LOCAL_CERTIFICATE option inside Android.mk to solve this problem; you might want to check http://source.android.com/devices/tech/ota/sign_builds.html#certificates-keys for details.
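The denials quoted in this thread all have the same shape (source domain, requested permission, target type, object class), and the diagnosis above hinges on reading those fields correctly. The following parser is an added example, not part of the microG project or of anyone's comment here: it extracts those fields from logcat lines in either of the two prefix styles seen above and applies the rule of thumb mar-v-in gives (platform_app may not execute app_data_file; a /system/priv-app app needs the priv_app domain). The sample lines are copied from the thread; the heuristics in `explain()` are an assumption added for illustration and are not part of any SELinux tool.

```python
import re
from collections import Counter

# Matches the body of an AVC denial as logcat or dmesg prints it on Android,
# whatever prefix precedes it ("[ date pid:tid W/Thread ]", "pid tid W Tag:", ...).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
# key=value pairs in the "for ..." part; values may be quoted (path="...", dev="dm-0").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: lines copied from the thread above plus one non-AVC line.
SAMPLE_LINES = [
    '[ 12-03 01:26:29.548 10399:10399 W/Thread-5 ]',
    'type=1400 audit(0.0:347): avc: denied { read } for name="/" dev=tmpfs ino=1092 '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0',
    '8144 8144 W Thread-2: type=1400 audit(0.0:20): avc: denied { execute } for '
    'path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" '
    'dev="dm-0" ino=32363 scontext=u:r:platform_app:s0:c512,c768 '
    'tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0',
    '8129 8144 E AndroidRuntime: java.lang.UnsatisfiedLinkError: dlopen failed: Permission denied',
]


def context_type(ctx):
    """Return the type/domain part of a context, e.g. u:r:platform_app:s0:c512,c768 -> platform_app."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Parse one log line into a dict describing the denial, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": sorted(m.group("perms").split()),
        "target": fields.get("path") or fields.get("name"),  # path= for files, name= for dirs
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "sdomain": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def explain(d):
    """Hypothetical rule-of-thumb diagnosis for the denial patterns discussed in the thread."""
    if d["permissive"]:
        return "logged only: SELinux is permissive, so the access was actually allowed"
    if d["sdomain"] == "platform_app" and "execute" in d["perms"] and d["ttype"] == "app_data_file":
        return ("platform_app (platform-signed app) may not execute files under /data; "
                "an app in /system/priv-app needs the priv_app domain, i.e. a non-platform signing key")
    if d["sdomain"] == "untrusted_app" and d["tclass"] == "dir":
        return "untrusted_app denied on a system directory; the app domain policy does not grant this"
    return "no rule of thumb for this denial; inspect the policy for the source domain"


def summarize(lines):
    """Count denials by (source domain, permission, target type, object class)."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            counts[(d["sdomain"], perm, d["ttype"], d["tclass"])] += 1
    return counts


def report(lines):
    """One readable line per denial, with the heuristic explanation attached."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        out.append(f'{d["sdomain"]} -> {{{" ".join(d["perms"])}}} {d["tclass"]} '
                   f'{d["target"]!r} ({d["ttype"]}): {explain(d)}')
    return out


if __name__ == "__main__":
    for entry in report(SAMPLE_LINES):
        print(entry)
    for key, n in summarize(SAMPLE_LINES).items():
        print(n, key)
```

Feed it `adb logcat -d` output (or the saved log file) and the grouped counts show at a glance whether a denial is a one-off or the same source domain being refused the same access repeatedly, which is what distinguishes the execute-on-app_data_file problem here from the earlier read-denial noise.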
As you can see in my pull request I have set:
LOCAL_CERTIFICATE := platform
So that's why I have scontext=u:r:platform_app:s0:c512,c768?
The priv_app context grants this permission. platform_app is used for apps that are signed with the platform key, priv_app is for other apps that reside in /system/priv-app.
But I have set also:
LOCAL_PRIVILEGED_MODULE := true
This results in my app being stored in /system/priv-app, but I still do not get the priv_app context.
Ok, I did not understand your answer regarding the exclusivity between platform certificate and priv-apps.
For Reference: http://stackoverflow.com/questions/39387078/android-n-priv-app-application
I have signed DroidGuard with the "shared" key and installed it to priv-app, and it seems to work!
I will confirm with a fresh install.
Seems to work as in, SafetyNet succeeded?
No, SafetyNet does not succeed, but the request works:
{
"nonce": "7m+xM/KYCyyfQAl/Qw8EsfUPgXHTV6Y6TefflORB3zw=",
"timestampMs": 1485451999092,
"apkPackageName": "com.scottyab.safetynet.sample",
"apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
"ctsProfileMatch": false,
"extension": "CRAywSDC6k3v",
"apkCertificateDigestSha256": [
"MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="
],
"basicIntegrity": false
}
Success!
I forgot to remount the system partition read-only on my first attempt :)
JSON:
{
"nonce": "w4BV+51NmVgAxDqxzaLbyDp+qEJCmlXWF2Ae4bUDq6Q=",
"timestampMs": 1485455454890,
"apkPackageName": "com.scottyab.safetynet.sample",
"apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
"ctsProfileMatch": true,
"extension": "CZzQJMOcPmeN",
"apkCertificateDigestSha256": [
"MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="
],
"basicIntegrity": true
}
Screenshot:
Thanks @mar-v-in !
I have updated both my ROM and GmsCore and now I pass all checks including CTS profile match.
I'm not sure what happened, but I suppose it is the recent change in GmsCore (Spoof chimera provider). Thanks :)
I get "Response validation: fail". Logcat: DroidGuard-log.txt. ROM: LineageOS based on Android 7.1.1 with the su binary removed.