termux / termux-x11

Termux X11 add-on application.
https://termux.dev
GNU General Public License v3.0

Running with chroot? #427

Closed Roxve closed 1 year ago

Roxve commented 1 year ago

I have been trying to run termux-x11 using an Arch Linux chroot and no clear tutorial explains how to do it; here is a script I made to try and run it:

export TMPDIR=/data/arch/tmp                        # the chroot's /tmp; the server creates .X11-unix here
export XKB_CONFIG_ROOT=/data/arch/usr/share/X11/xkb  # keymaps taken from the chroot
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)  # APK of the installed Termux:X11 app
/system/bin/app_process / com.termux.x11.CmdEntryPoint :0            # start the X server on display :0

I ran this using the tsu command, which runs Termux in root mode, then I did termux-x11 :1 -ac &. Then I ran chroot and did

sudo chmod -R 777 /tmp
export DISPLAY=:0
dbus-launch --exit-with-session xfce4-session &

Which returns

xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

What am I doing wrong? (Don't know if I should report this here, but I really need help 🙏🙏🙏)

twaik commented 1 year ago
  1. setenforce 0.
  2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
  3. tsu does not fit in this case, use raw su.
  4. If it still does not work post logs.
Roxve commented 1 year ago

> 1. setenforce 0.
> 2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
> 3. tsu does not fit in this case, use raw su.
> 4. If it still does not work post logs.

setenforce 0 doesn't work in my kernel. I tried to run this in an su shell using only these:

export TMPDIR=/data/arch/tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :0

Then I ran the same commands in the chroot and it kept repeating

Gdk-CRITICAL **: 23:52:29.444: gdk_window_is_visible: assertion 'GDK_IS_WINDOW (window)' failed

And termux-x11 didn't display anything (except the Preferences and Help buttons).

twaik commented 1 year ago

Termux:X11 cannot work with SELinux enabled. You can try bind-mounting the $PREFIX/.X11-unix folder to your distro's /tmp/.X11-unix and starting termux-x11 in Termux without root.

Roxve commented 1 year ago

> Termux:X11 cannot work with SELinux enabled. You can try bind-mounting the $PREFIX/.X11-unix folder to your distro's /tmp/.X11-unix and starting termux-x11 in Termux without root.

I did this, and when I try to run both (termux-x11 and dbus-launch in the chroot) the terminal outputs a number that starts with the same number as the other one:

termux-x11 :1 &
=> 2 [9180]
# In the other terminal (chroot):
export DISPLAY=:0 
dbus-launch --exit-with-session xfce4-session &
=>
[2] 9276
[xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

I tried this multiple times and the same thing happens with other numbers like 7.

I mounted both $PREFIX/tmp/.X11-unix on $DISTRO/tmp/.X11-unix and $DISTRO/tmp/.X11-unix on $PREFIX/tmp/.X11-unix.

Roxve commented 1 year ago

I guess I am stuck with proot and VNC. Thanks 🙏, sorry for wasting your time.

twaik commented 1 year ago

https://github.com/termux/termux-x11/blob/master/README.md#logs

romanovj commented 1 year ago
> 1. setenforce 0.
> 2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
> 3. tsu does not fit in this case, use raw su.
> 4. If it still does not work post logs.
>
> setenforce 0 doesn't work in my kernel. I tried to run this in an su shell using only these:
>
> export TMPDIR=/data/arch/tmp
> export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
> /system/bin/app_process / com.termux.x11.CmdEntryPoint :0
>
> Then I ran the same commands in the chroot and it kept repeating
>
> Gdk-CRITICAL **: 23:52:29.444: gdk_window_is_visible: assertion 'GDK_IS_WINDOW (window)' failed
>
> And termux-x11 didn't display anything (except the Preferences and Help buttons).

You shouldn't see any text in termux:x11 right after executing /system/bin/app_process / com.termux.x11.CmdEntryPoint :0

Looks like you didn't disable SELinux.

romanovj commented 1 year ago

you can add rules with magiskpolicy

magiskpolicy --live "allow untrusted_app *"

romanovj commented 1 year ago

Also look into other issues: https://github.com/termux/termux-x11/issues/45 https://github.com/termux/termux-x11/issues/279

twaik commented 1 year ago

> Also look into other issues: #45 #279

The other issues you mentioned are not really relevant. Termux-x11 changed its internal architecture since those issues were solved.

Roxve commented 1 year ago

> you can add rules with magiskpolicy
>
> magiskpolicy --live "allow untrusted_app *"

Thank you so much this worked!

twaik commented 1 year ago

> magiskpolicy --live "allow untrusted_app *"

@romanovj It is not really secure. Is it possible to be more precise and allow this only for a specific app? Or a specific uid?

romanovj commented 1 year ago

> magiskpolicy --live "allow untrusted_app *"
>
> @romanovj It is not really secure. Is it possible to be more precise and allow this only for a specific app? Or a specific uid?

Slightly more secure than setenforce 0.

The dumbest way: systemize X11 and allow everything for priv_app/platform_app.

I will try to do something, but not now

Roxve commented 1 year ago

> you can add rules with magiskpolicy
>
> magiskpolicy --live "allow untrusted_app *"

I am curious, what does this command do? As I think, it looks like it gives root or some sort of terminal or limited system access to untrusted apps. Why not make termux-x11 request root for chroot users instead?

romanovj commented 1 year ago

> you can add rules with magiskpolicy magiskpolicy --live "allow untrusted_app *"
>
> I am curious, what does this command do? As I think, it looks like it gives root or some sort of terminal or limited system access to untrusted apps. Why not make termux-x11 request root for chroot users instead?

This command disables SELinux checks for untrusted_app (apps installed by the user).

Alternative commands with minimum permissions:

magiskpolicy --live "allow untrusted_app {magisk} fd {use}"
magiskpolicy --live "allow untrusted_app {magisk} unix_stream_socket {read write}"
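The two narrow rules above (fd use and unix_stream_socket read/write between untrusted_app and magisk) are the shape to aim for instead of allow untrusted_app *, and the way to find them is to read the AVC denials the failed attempt produced. The script below is an added example, not code from the termux-x11 project or from anyone in this thread: it reads dmesg or logcat output, keeps only "avc: denied" records, and merges them into one magiskpolicy allow rule per (source type, target type, class), so only the permissions that were actually denied get granted. The sample audit lines are constructed for this example (pids, paths and category sets are made up), and the rule syntax assumed is Magisk's allow source target class { perms }. Review the generated list before applying it: a rule for untrusted_app still applies to every user-installed app, not just Termux:X11.

```shell
#!/bin/sh
# Added example (not from the termux-x11 project or this thread): derive
# least-privilege magiskpolicy rules from observed AVC denials instead of
# "allow untrusted_app *". Feed it `dmesg` or `logcat -d` output from the
# failed attempt; only "avc: denied" records are used.

# stdin: audit lines; stdout: one "allow S T C { perms }" per (S,T,C),
# with the permission set merged across all denials for that triple.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # the permission set is the {...} right after "denied"
        if (match($0, /denied [{][^}]*[}]/))
            perms = substr($0, RSTART + 8, RLENGTH - 9)
        for (i = 1; i <= NF; i++) {
            # contexts look like u:r:untrusted_app:s0:c202,...; field 3 is the type
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        n = split(perms, pa, " ")
        for (j = 1; j <= n; j++) print s, t, c, pa[j]
    }' | LC_ALL=C sort -u | awk '
    {
        k = $1 " " $2 " " $3
        if (k != prev) {
            if (prev != "") print "allow " prev " { " p " }"
            prev = k; p = $4
        } else {
            p = p " " $4
        }
    }
    END { if (prev != "") print "allow " prev " { " p " }" }'
}

# Constructed sample denials in the Android audit format (pids, paths and
# category sets are made up); real ones come from dmesg or logcat.
SAMPLE_AVC='type=1400 audit(1700000000.101:41): avc: denied { use } for pid=9280 comm="app_process64" path="socket:[41234]" dev="sockfs" ino=41234 scontext=u:r:untrusted_app:s0:c202,c256,c512,c768 tcontext=u:r:magisk:s0 tclass=fd permissive=0
type=1400 audit(1700000000.102:42): avc: denied { read } for pid=9280 comm="app_process64" path="socket:[41234]" dev="sockfs" ino=41234 scontext=u:r:untrusted_app:s0:c202,c256,c512,c768 tcontext=u:r:magisk:s0 tclass=unix_stream_socket permissive=0
type=1400 audit(1700000000.103:43): avc: denied { write } for pid=9280 comm="app_process64" path="socket:[41234]" dev="sockfs" ino=41234 scontext=u:r:untrusted_app:s0:c202,c256,c512,c768 tcontext=u:r:magisk:s0 tclass=unix_stream_socket permissive=0
type=1400 audit(1700000000.104:44): avc: denied { use } for pid=9301 comm="app_process64" path="socket:[41234]" dev="sockfs" ino=41234 scontext=u:r:runas_app:s0:c202,c256,c512,c768 tcontext=u:r:magisk:s0 tclass=fd permissive=0
type=1300 audit(1700000000.104:44): arch=c00000b7 syscall=29 success=no exit=-13 items=0 ppid=1 pid=9301 comm="app_process64"'

# Runs the parser over the constructed sample; returns the merged rules.
avc_rules_from_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
}

# Device-only: apply each generated rule (needs root and Magisk). Review the
# list first; every rule widens the policy for all apps in the source domain.
apply_rules() {
    while IFS= read -r rule; do
        [ -n "$rule" ] && magiskpolicy --live "$rule"
    done
}

# Typical use on the device, as root:
#   dmesg | avc_to_rules                 # or: logcat -d | avc_to_rules
#   dmesg | avc_to_rules | apply_rules   # after reading the list
```

On the constructed sample the output is three rules: fd use for runas_app, fd use for untrusted_app, and unix_stream_socket read write for untrusted_app, which is exactly the minimal pair suggested above plus the runas_app variant. Lines that are not "avc: denied" (the type=1300 syscall record, or "avc: granted" from a permissive domain) are ignored.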

twaik commented 1 year ago

> Slightly more secure than setenforce 0.
>
> The dumbest way: systemize X11 and allow everything for priv_app/platform_app.
>
> I will try to do something, but not now.

I can try to get the calling process's pid and ensure it is termux-x11 (to make sure I am not disabling the SELinux restrictions of some other, potentially malicious application). After this I can invoke something like magiskpolicy --live 'allow untrusted_app:s0:c243,c256,c512,c768 * * *'. As far as I understand, the first category specifier c243 is related to the uid (it equals the uid of every package I checked). So it should be much more secure than setenforce 0.

romanovj commented 1 year ago

> Slightly more secure than setenforce 0. The dumbest way: systemize X11 and allow everything for priv_app/platform_app. I will try to do something, but not now.
>
> I can try to get the calling process's pid and ensure it is termux-x11 (to make sure I am not disabling the SELinux restrictions of some other, potentially malicious application). After this I can invoke something like magiskpolicy --live 'allow untrusted_app:s0:c243,c256,c512,c768 * * *'. As far as I understand, the first category specifier c243 is related to the uid (it equals the uid of every package I checked). So it should be much more secure than setenforce 0.

You can't do it that way; you can't add a level (c243) to the scontext untrusted_app.

romanovj commented 1 year ago

I did a weird thing.

Disable SELinux for runas_app (no one should be runas except us) and become runas with adb's help (I have a segfault from the root user):

magiskpolicy --live "allow runas_app * * *"

adb shell run-as com.termux.x11

Also copy the xkb folder from the chroot to the Termux:X11 dir.

Start the server:

export XKB_CONFIG_ROOT=/data/data/com.termux.x11/files/xkb   # keymaps copied from the chroot
export TMPDIR=/data/data/com.termux.x11/files/tmp            # .X11-unix is created under this tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :1   # X server on display :1

Mount the X11 tmp onto the chroot's tmp before chrooting:

umount tmp                                             # run from the chroot root dir
mount /data/data/com.termux.x11/files/tmp tmp          # the server's tmp becomes the chroot's /tmp
chroot . /bin/su -                                     # clients inside now find /tmp/.X11-unix/X1

Some info:

/data/user/0/com.termux.x11/files $ id

uid=10202(u0_a202) gid=10202(u0_a202) groups=10202(u0_a202),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs),50202(all_a202) context=u:r:runas_app:s0:c202,c256,c512,c768
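The steps above (start the server from a root or runas shell with TMPDIR and CLASSPATH set, put the server's tmp where the chroot sees it, then chroot) and Roxve's earlier attempt, where the server was started as :1 while the client exported DISPLAY=:0, come down to one check: does the socket the client will open exist on the client's side of the mount? The script below is an added example, not code from the termux-x11 project or from anyone in the thread. It assumes the chroot at /data/arch and the server's TMPDIR at /data/data/com.termux.x11/files/tmp, binds only .X11-unix rather than the whole tmp (twaik's suggestion), and builds CLASSPATH from the full pm path output, because if the package is installed as split APKs, pm path prints several package: lines and cut -d: -f2 would join them with newlines instead of colons.

```shell
#!/bin/sh
# Added example for this thread (not from the termux-x11 project or any
# commenter): helpers for starting the Termux:X11 server from a root shell
# and checking that a chroot client will find its socket. Assumed layout:
# chroot at /data/arch, server TMPDIR at /data/data/com.termux.x11/files/tmp.

# Turn `pm path <pkg>` output into an app_process CLASSPATH. Split APKs
# give several "package:" lines; they must be colon-joined, not newline-joined.
x11_classpath() {
    sed -n 's/^package://p' | paste -sd: -
}

# Socket file name for a DISPLAY such as ":1", ":1.0" or "unix:1"
# (TCP displays like "host:1" are rejected; only local sockets matter here).
x11_socket_name() {
    d=${1#unix}; d=${d#:}; d=${d%%.*}
    case "$d" in ''|*[!0-9]*) return 1 ;; esac
    printf 'X%s\n' "$d"
}

# Path a client resolves for DISPLAY $1 under the TMPDIR $2 it sees;
# the server creates $TMPDIR/.X11-unix/X<n>.
x11_socket_path() {
    n=$(x11_socket_name "$1") || return 1
    printf '%s/.X11-unix/%s\n' "${2%/}" "$n"
}

# Check, from the host side, that DISPLAY $1 is reachable for a client whose
# TMPDIR is $2 inside the chroot rooted at $3 (empty $3 = host view).
# Catches the ":1 started, DISPLAY=:0 exported" mismatch and a missing bind mount.
x11_socket_check() {
    p=$(x11_socket_path "$1" "$2") || { echo "bad DISPLAY: $1" >&2; return 2; }
    if [ -S "$3$p" ]; then
        echo "ok: $3$p"
    elif [ -e "$3$p" ]; then
        echo "not a socket: $3$p" >&2; return 1
    else
        echo "missing: $3$p (server not started on $1, or .X11-unix not bind-mounted)" >&2
        return 1
    fi
}

# Device-only steps (need root); the checks above never call these.
start_x11_server() {   # usage: start_x11_server :1 /data/data/com.termux.x11/files/tmp
    TMPDIR=$2; export TMPDIR
    CLASSPATH=$(/system/bin/pm path com.termux.x11 | x11_classpath); export CLASSPATH
    /system/bin/app_process / com.termux.x11.CmdEntryPoint "$1" &
}

bind_x11_unix() {      # usage: bind_x11_unix /data/data/com.termux.x11/files/tmp /data/arch
    mkdir -p "$1/.X11-unix" "$2/tmp/.X11-unix"
    mount --bind "$1/.X11-unix" "$2/tmp/.X11-unix"
}

# Typical sequence on the device, as root:
#   start_x11_server :1 /data/data/com.termux.x11/files/tmp
#   bind_x11_unix /data/data/com.termux.x11/files/tmp /data/arch
#   x11_socket_check :1 /tmp /data/arch && chroot /data/arch /bin/su -
# Inside the chroot, export DISPLAY=:1 (the same number the server was given).
```

x11_socket_check runs before chroot so the failure is reported with the host path; if it says "missing" for :0 but "ok" for :1, the client-side DISPLAY is the problem, not the mount.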
Xynonners commented 1 year ago

> I did a weird thing.
>
> Disable SELinux for runas_app (no one should be runas except us) and become runas with adb's help (I have a segfault from the root user):
>
> magiskpolicy --live "allow runas_app * * *"
>
> adb shell run-as com.termux.x11
>
> Also copy the xkb folder from the chroot to the Termux:X11 dir.
>
> Start the server:
>
> export XKB_CONFIG_ROOT=/data/data/com.termux.x11/files/xkb
> export TMPDIR=/data/data/com.termux.x11/files/tmp
> export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
> /system/bin/app_process / com.termux.x11.CmdEntryPoint :1
>
> Mount the X11 tmp onto the chroot's tmp before chrooting:
>
> umount tmp
> mount /data/data/com.termux.x11/files/tmp tmp
> chroot . /bin/su -
>
> Some info:
>
> /data/user/0/com.termux.x11/files $ id
>
> uid=10202(u0_a202) gid=10202(u0_a202) groups=10202(u0_a202),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs),50202(all_a202) context=u:r:runas_app:s0:c202,c256,c512,c768

To get around the fact that run-as segfaults on the root user, I made a tool to fake adb via su: https://github.com/Xynonners/psu

The group IDs, though, are hardcoded currently, so it may be required to replace them (you can find a gid via id -G YOUR_GROUP_HERE).