neurodroid / cryptonite

EncFS and TrueCrypt on Android
GNU General Public License v2.0

AOSP now has Position Independent Executables on by default (Cannot mount encFS due to it) #83

Open ShadowEO opened 9 years ago

ShadowEO commented 9 years ago

With the release of 5.0, Google has made Position Independent Executables a mandatory item. It does not seem to run them without them being compiled for PIE.

There's an issue ticket on the Android google code page found here: https://code.google.com/p/android-developer-preview/issues/detail?id=888

Regarding the issue, because of this, when I attempt to mount my encFS volume in Cryptonite I get "could not mount: Only Position Independent Executables are supported."

neurodroid commented 9 years ago

Please test v0.7.12, available here: https://github.com/neurodroid/cryptonite/releases/tag/v0.7.12 The binaries were compiled with PIE flags.
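
A quick way to confirm that a given binary was built as PIE before pushing it to a device (an added example, not part of the original thread or of Cryptonite's code): the error above is raised for executables whose ELF `e_type` is not `ET_DYN`, so reading that one header field is enough. The `make_header` helper and its sample headers are constructed for illustration.

```python
import struct

# e_type values from the ELF specification
ELF_TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}


def elf_type(header: bytes) -> str:
    """Return the e_type name from the first 18+ bytes of an ELF file."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # e_ident[5] (EI_DATA) gives the byte order of every later field
    try:
        endian = {1: "<", 2: ">"}[header[5]]
    except KeyError:
        raise ValueError("invalid EI_DATA byte") from None
    # e_type is a 16-bit field directly after the 16-byte e_ident
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return ELF_TYPES.get(e_type, "unknown(%d)" % e_type)


def is_position_independent(header: bytes) -> bool:
    """True for ET_DYN, the type a -fPIE/-pie build produces.

    Shared libraries are ET_DYN too, so this answers "would the loader's
    PIE check pass", not "is this a program rather than a library".
    """
    return elf_type(header) == "ET_DYN"


def check_file(path: str) -> bool:
    """Run the check on a file on disk, e.g. the bundled encfs binary."""
    with open(path, "rb") as f:
        return is_position_independent(f.read(18))


def make_header(e_type: int, ei_data: int = 1) -> bytes:
    """Constructed sample: a minimal 32-bit ARM ELF header prefix."""
    ident = b"\x7fELF" + bytes([1, ei_data, 1, 0]) + bytes(8)
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", e_type, 40)  # 40 = EM_ARM


if __name__ == "__main__":
    for name, et in (("non-PIE build", 2), ("PIE build", 3)):
        hdr = make_header(et)
        print(name, elf_type(hdr), is_position_independent(hdr))
```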

vvampirius commented 9 years ago

With this version I didn't receive the "Only Position Independent Executables are supported" error. But I still can't mount.

I/ActivityManager(  768): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=csh.cryptonite/.Cryptonite bnds=[276,871][540,1167] (has extras)} from uid 10022 on display 0
I/ActivityManager(  768): Start proc csh.cryptonite for activity csh.cryptonite/.Cryptonite: pid=8797 uid=10139 gids={50139, 9997, 1028, 1015, 3003} abi=armeabi-v7a
V/cryptonite( 8797): EncFS 1.7.5 OpenSSL 1.0.0q 15 Jan 2015
E/cryptonite( 8797): Couldn't decrypt DB access keys
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
V/cryptonite( 8797): EncFS mount state: false; FUSE support: true
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
V/cryptonite( 8797): EncFS mount state: false; FUSE support: true
I/ActivityManager(  768): Displayed csh.cryptonite/.Cryptonite: +805ms
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
V/cryptonite( 8797): EncFS mount state: false; FUSE support: true
I/ActivityManager(  768): START u0 {cmp=csh.cryptonite/.FileDialog (has extras)} from uid 10139 on display 0
I/ActivityManager(  768): Displayed csh.cryptonite/.FileDialog: +116ms
E/AmanattoDataUpdaterHelper( 1125): package name: csh.cryptonite
V/cryptonite( 8797): Running encfs with /sdcard/cryptonite/2 /sdcard/csh.cryptonite/mnt
E/cryptonite( 8797): Unknown request code
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
I/cryptonite-jni( 8797): checkGRoot(): Root volume is NULL
V/cryptonite( 8797): EncFS mount state: false; FUSE support: true

xmikos commented 9 years ago

encfs from v0.7.12 works for me without problems, but only if I run it manually from the shell (like encfs /sdcard/encrypted /sdcard/decrypted). Mounting from the Cryptonite app doesn't work. So this is a problem with Cryptonite, not with the encfs build. This is on Android 5.0 (rooted with SuperSU).

neurodroid commented 9 years ago

@xmikos Are you seeing issue #85 with v0.7.12 on Android 5.0?

xmikos commented 9 years ago

@neurodroid I haven't tested it for issue #85 yet. I have only copied some small files and this worked without problems, but not big files. encfs from v0.7.13 doesn't work at all in Android 5.0 (you absolutely need PIE there). encfs from v0.7.12 works, but only if I mount it manually from the shell. Mounting in the Cryptonite app doesn't work (and the error message is empty, so unfortunately I can't tell you what is wrong).

neurodroid commented 9 years ago

@xmikos There's a new option at the bottom of the preferences page, "Hijack system process...". Try enabling or disabling it to see if it helps mounting from the app.

xmikos commented 9 years ago

@neurodroid Which process exactly does it hijack? Is it really needed? If SELinux is the problem, the right answer is to update the SELinux policy at runtime. You can use the sepolicy-inject utility for that; here is the code: https://github.com/xmikos/setools-android/

xmikos commented 9 years ago

@neurodroid OK, I have tried this "Hijack system process" option, but mounting still doesn't work.

xmikos commented 9 years ago

@neurodroid I was wrong: it said "Failed to mount volume", but the volume is actually mounted (I can see it if I exit the app and start it again; I see it as mounted after this).

xmikos commented 9 years ago

@neurodroid But there must be some better way than hijacking a system process... Do you know what exactly the problem is that makes you need to hijack it?

xmikos commented 9 years ago

@neurodroid I have tried injecting SELinux policies; according to dmesg, these were missing:

avc: denied { mounton } for pid=16850 comm="encfs" path="/storage/emulated/legacy/encfs/decrypted" dev="fuse" ino=3096235160 scontext=u:r:init:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for pid=13617 comm="csh.cryptonite" path="/persist" dev="mmcblk0p20" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:persist_file:s0 tclass=dir

Now I don't get any other SELinux related errors, but mount still doesn't work. Now it tells me:

Failed to mount volume: fuse: mountpoint is not empty

But the mountpoint is empty. There must be something wrong in how encfs is invoked from your app (because from root shell, it works without problems, even if I don't inject SELinux policies and without that debuggerd hijack hack).
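
The denials quoted in the comment above can be grouped by source domain, target type and object class before deciding whether any policy change is warranted; this is an added example, not part of the original thread, and it performs the same grouping that audit2allow does on a desktop system. The first two sample lines are the ones from the comment; the third is constructed to show permissions being merged. The output is a list of candidate rules for review, and the `comm` seen under each source domain shows which process actually ran there (here, encfs in the `init` domain).

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [
    'avc: denied { mounton } for pid=16850 comm="encfs" path="/storage/emulated/legacy/encfs/decrypted" dev="fuse" ino=3096235160 scontext=u:r:init:s0 tcontext=u:object_r:fuse:s0 tclass=dir',
    'avc: denied { getattr } for pid=13617 comm="csh.cryptonite" path="/persist" dev="mmcblk0p20" ino=2 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:persist_file:s0 tclass=dir',
    # constructed line, same source/target as the previous one
    'avc: denied { search } for pid=13617 comm="csh.cryptonite" name="persist" scontext=u:r:untrusted_app:s0 tcontext=u:object_r:persist_file:s0 tclass=dir',
    "Failed to mount volume: fuse: mountpoint is not empty",  # not an AVC line
]


def parse_denial(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    try:
        # A context is user:role:type:level; policy rules are written on the type.
        return {"perms": m.group(1).split(),
                "comm": fields.get("comm", "?"),
                "source": fields["scontext"].split(":")[2],
                "target": fields["tcontext"].split(":")[2],
                "tclass": fields["tclass"]}
    except (KeyError, IndexError):
        return None  # truncated or malformed record


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    grouped = defaultdict(lambda: {"perms": set(), "comms": set()})
    for d in filter(None, map(parse_denial, lines)):
        entry = grouped[(d["source"], d["target"], d["tclass"])]
        entry["perms"].update(d["perms"])
        entry["comms"].add(d["comm"])
    return dict(grouped)


def candidate_rules(lines):
    """Render each group in policy-rule syntax, for review only."""
    rules = []
    for (src, tgt, cls), entry in sorted(summarize(lines).items()):
        perms = " ".join(sorted(entry["perms"]))
        rules.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return rules
```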