search

microg / RemoteDroidGuard

Service to run Google's DroidGuard binary in an isolated environment
99 stars 29 forks source link

DroidGuard Helper do not work #7

Closed ale5000-git closed 7 years ago

ale5000-git commented 7 years ago

I get Response validation: fail. Logcat: DroidGuard-log.txt

ROM: LineageOS based on Android 7.1.1 with su binary removed.

be-neth commented 7 years ago

Hi,

I am facing the same issue with Android 7.1 from a custom build. It seems related to SELinux policy.

From your log:

[ 12-03 01:26:29.548 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:347): avc: denied { read } for name="/" dev=tmpfs ino=1092 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:device:s0 tclass=dir permissive=0

[ 12-03 01:26:29.583 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:348): avc: denied { read } for name="net" dev=sysfs ino=3156 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=0

[ 12-03 01:26:29.818 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:349): avc: denied { read } for name="/" dev=rootfs ino=1 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0

[ 12-03 01:26:29.853 10399:10399 W/Thread-5 ]
type=1400 audit(0.0:350): avc: denied { search } for name="1996" dev=proc ino=1730 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:zygote:s0 tclass=dir permissive=0

Try setting Selinux to permissive with: (Enabled ADB root in Developper settings)

$ adb root
$ adb shell setenforce 0

I will try to investigate on that...

ale5000-git commented 7 years ago

@be-neth: I'm almost sure that the Google binary check SELinux status and fail if it isn't enforcing.

be-neth commented 7 years ago

You are right but this is the only way to get: Response validation: success.

But as you guess:

D SafetyNetResponse: decodedJWTPayload
json:
{
  "basicIntegrity": false,
  "apkCertificateDigestSha256": [
    "MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="
  ],
  "extension": "CZjdzImgHaTh",
  "ctsProfileMatch": false,
  "apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
  "apkPackageName": "com.scottyab.safetynet.sample",
  "timestampMs": 1485265315067,
  "nonce": "\/VJuFmsr8Y4Lm4e7ZeyGkhf+Xr88kBS3vCd4+vEBovI="
}

That why I think we need to write selinux rules.

ale5000-git commented 7 years ago

@mar-v-in: Do you have some ideas?

mar-v-in commented 7 years ago

I can reproduce this on my device, will check the selinux rule if I find a reason or a work-around, maybe an additional permission can solve this.

mar-v-in commented 7 years ago

Do you have DroidGuard Helper on /system? If not, try if once it's in /system/priv-app it still shows this audit logs.

be-neth commented 7 years ago

No, I install DroidGuard from Fdroid on /data partition.

@mar-v-in: I did not suceed to build properly RemodeDroidGuard apk from the gradle script (gradlew Assemble). I do not understand all the build process, but it seems that aar library from remote-droid-guard-lib is not embeded into the final apk.

I build my own ROM with micro-g built-in and I need an Android.mk file for RemoteDroidGuard to do that. Is it easy to do it ?

Thanks.

mar-v-in commented 7 years ago

You should be able to just use the Android.mk from GmsCore and update names and paths.

The build process should work fine, remember that you need Java 8 for compilation. If you receive any errors during the build process, please post them so I can check what might be the problem.

be-neth commented 7 years ago

Ok so maybe the Android.mk that i have made is fine.

But I have the following error when trying a safetynet request: (microG DroidGuard exit with error)

8100  8100 D SafetyNetHelperSAMPLE: SafetyNet start request
8100  8100 D SafetyNetHelper: apkCertificateDigests:[MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E=]
5345  5345 D GmsSafetyNetClientSvc: onBind: Intent { act=com.google.android.gms.safetynet.service.Sandroid.gms }
8100  8100 D SafetyNetHelper: apkDigest:4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=
5345  5358 D SafeParcel: Unknown field num 9 in com.google.android.gms.common.internal.GetServiceRe
5345  5358 D GmsSafetyNetClientSvc: bound by: GetServiceRequest{serviceId=SAFETY_NET_CLIENT, gmsVereName='com.scottyab.safetynet.sample', extras=Bundle[{}]}
8100  8100 V SafetyNetHelper: Google play services connected
8100  8100 V SafetyNetHelper: running SafetyNet.API Test
3199  4731 I ActivityManager: Start proc 8129:com.google.android.gms.unstable/u0a76 for service org.microg.gms.droidguard/.RemoteDroidGuardService
8129  8129 I art     : Starting a blocking GC AddRemoveAppImageSpace
**8129  8129 W System  : ClassLoader referenced unknown path: /system/priv-app/RemoteDroidGuard/lib/arm64**
8129  8144 D NetworkSecurityConfig: No Network Security Config specified, using platform default
8129  8144 I DpmTcmClient: RegisterTcmMonitor from: com.android.okhttp.TcmIdleTimerMonitor
8129  8144 D GmsDroidguardHelper: -- Request --
8129  8144 D GmsDroidguardHelper: DGRequest{usage=DGUsage{<HIDDEN>}
8129  8144 D GmsDroidguardHelper: Using provided response data for /data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d.apk
8148  8148 I dex2oat : /system/bin/dex2oat --dex-file=/data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/the.apk --oat-fd=42 --oat-location=/data/user/0/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex --compiler-filter=speed
8148  8148 I dex2oat : dex2oat took 91.125ms (threads: 4) arena alloc=170KB (174992B) java alloc=32KB (33136B) native alloc=965KB (988672B) free=1594KB (1632768B)
8144  8144 W Thread-2: type=1400 audit(0.0:18): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex" dev="dm-0" ino=32366 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
8144  8144 W Thread-2: type=1400 audit(0.0:19): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/opt/the.dex" dev="dm-0" ino=32366 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
8144  8144 W Thread-2: type=1400 audit(0.0:20): avc: denied { execute } for path="/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" dev="dm-0" ino=32363 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
of crash
8129  8144 E AndroidRuntime: FATAL EXCEPTION: Thread-2
8129  8144 E AndroidRuntime: Process: com.google.android.gms.unstable, PID: 8129
8129  8144 E AndroidRuntime: java.lang.UnsatisfiedLinkError: dlopen failed: couldn't map "/data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" segment 1: Permission denied
8129  8144 E AndroidRuntime:        at java.lang.Runtime.loadLibrary0(Runtime.java:989)
8129  8144 E AndroidRuntime:        at java.lang.System.loadLibrary(System.java:1530)
8129  8144 E AndroidRuntime:        at com.google.ccc.abuse.droidguard.DroidGuard.<clinit>(Unknown Source)
8129  8144 E AndroidRuntime:        at java.lang.reflect.Constructor.newInstance0(Native Method)
8129  8144 E AndroidRuntime:        at java.lang.reflect.Constructor.newInstance(Constructor.java:430)
8129  8144 E AndroidRuntime:        at org.microg.gms.droidguard.DroidguardHelper.invoke(DroidguardHelper.java:95)
8129  8144 E AndroidRuntime:        at org.microg.gms.droidguard.DroidguardHelper.guard(DroidguardHelper.java:89)
8129  8144 E AndroidRuntime:        at org.microg.gms.droidguard.RemoteDroidGuardService$1$1.run(RemoteDroidGuardService.java:23)

ho, it seems another issue whith SELinux. Why a system app have permission denied to access /data/data/org.microg.gms.droidguard/app_dg_cache/2d364a8debc6bb15f8d5d4aa969c3122f84d224d/lib/libd770FCE0684F7.so" ?

Also, I have mentionned in my earlier post that I have maybe a building issue because of this log:

W System  : ClassLoader referenced unknown path: /system/priv-app/RemoteDroidGuard/lib/arm64

Thanks for your help.

mar-v-in commented 7 years ago

The problem now is that the app is in the platform_app context, that does not have execute permission on /data files. The priv_app context grants this permission. platform_app is used for apps that are signed with the platform key, priv_app is for other apps that reside in /system/priv-app.

I think it might be possible to use the LOCAL_CERTIFICATE option inside Android.mk to solve this problem, you might want to check http://source.android.com/devices/tech/ota/sign_builds.html#certificates-keys for details.

be-neth commented 7 years ago

As you can see in my pull request I have set: LOCAL_CERTIFICATE := platform So that why I have scontext=u:r:platform_app:s0:c512,c768 ?

The priv_app context grants this permission. platform_app is used for apps that are signed with the platform key, priv_app is for other apps that reside in /system/priv-app.

But I have set also: LOCAL_PRIVILEGED_MODULE := true

Which result my app to be stored in /system/priv-app. But I do not have the priv_app context.

be-neth commented 7 years ago

Ok, I did not understand your answer regarding the exclusivity between platform certificate and priv-apps.

For Reference: http://stackoverflow.com/questions/39387078/android-n-priv-app-application

I have sign DroidGuard with "shared" key, install it to priv-app and it seems to work !

I will confirm with a fresh install.

mar-v-in commented 7 years ago

seems to work as in, safetynet succeeded?

be-neth commented 7 years ago

No, Safetynet does not succeed but the request works:

{
  "nonce": "7m+xM/KYCyyfQAl/Qw8EsfUPgXHTV6Y6TefflORB3zw=",
  "timestampMs": 1485451999092,
  "apkPackageName": "com.scottyab.safetynet\n.sample",
  "apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
  "ctsProfileMatch": false,
  "extension": "CRAywSDC6k3v",
  "apkCertificateDigestSha256": [
    "MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E\n="
  ],
  "basicIntegrity": false
}
be-neth commented 7 years ago

Succeed !

I forget to remount the system partition read-only on my first attempt :)

Json:

 {
  "nonce": "w4BV+51NmVgAxDqxzaLbyDp+qEJCmlXWF2Ae4bUDq6Q=",
  "timestampMs": 1485455454890,
  "apkPackageName": "com.scottyab.safetynet.sample",
  "apkDigestSha256": "4DxDh8CqEXxv7rxqsixmtrKq+1IxRmnP8XJ2lVFd26A=",
  "ctsProfileMatch": true,
  "extension": "CZzQJMOcPmeN",
  "apkCertificateDigestSha256": [
    "MZNsDhz8VAJMmFxPPso38ZRvZE6r7VIyzUqypkakG8E="
  ],
  "basicIntegrity": true
}

Screenshot:

screenshot_20170126-193219

Thanks @mar-v-in !

ale5000-git commented 7 years ago

I have updated both my ROM and GmsCore and now I pass all checks including CTS profile match.

I'm not sure what is happened but I suppose it is the recent change in GmsCore (Spoof chimera provider). Thanks :)