AppManager works with Magisk but not with Phh SuperUser
- [x] I know what my device, OS and App Manager versions are
- [x] I know how to take logs
- [x] I know how to reproduce the issue which may not be specific to my device
Describe the bug: AppManager does not work in root mode with Phh SuperUser
To Reproduce: Steps to reproduce the behaviour:
- Install AM
- Make sure Phh SuperUser is enabled
- Open AM, grant root access
- It keeps showing "Initializing…" for a long time
- Sometimes it crashes, others it shows an empty list, others it shows only backed-up app, and a few times it offers to open in non-root mode
Expected behavior: AM should open in root mode and display installed apps
Screenshots: N/A
Crash logs: Filtering logcat for "appmanager" does not seem to show an error most of the time, but once I caught this:
10-22 18:12:53.627 981 981 E WifiHAL : enter wifi_get_link_stats
10-22 18:12:56.157 1561 9129 E ActivityManager: Sending non-protected broadcast io.github.muntashirakon.AppManager.action.SERVER_STOPED from system uid 0 pkg null
10-22 18:12:56.157 1561 9129 E ActivityManager: java.lang.Throwable
10-22 18:12:56.157 1561 9129 E ActivityManager: at com.android.server.am.ActivityManagerService.checkBroadcastFromSystem(ActivityManagerService.java:15941)
10-22 18:12:56.157 1561 9129 E ActivityManager: at com.android.server.am.ActivityManagerService.broadcastIntentLocked(ActivityManagerService.java:16618)
10-22 18:12:56.157 1561 9129 E ActivityManager: at com.android.server.am.ActivityManagerService.broadcastIntentLocked(ActivityManagerService.java:15954)
10-22 18:12:56.157 1561 9129 E ActivityManager: at com.android.server.am.ActivityManagerService.broadcastIntentWithFeature(ActivityManagerService.java:16774)
10-22 18:12:56.157 1561 9129 E ActivityManager: at android.app.IActivityManager$Stub.onTransact(IActivityManager.java:2294)
10-22 18:12:56.157 1561 9129 E ActivityManager: at com.android.server.am.ActivityManagerService.onTransact(ActivityManagerService.java:2888)
10-22 18:12:56.157 1561 9129 E ActivityManager: at android.os.Binder.execTransactInternal(Binder.java:1154)
10-22 18:12:56.157 1561 9129 E ActivityManager: at android.os.Binder.execTransact(Binder.java:1123)
10-22 18:12:56.161 1561 1585 I DropBoxManagerService: add tag=system_server_wtf isTagEnabled=true flags=0x2
Device info
- Device: Huawei FIG-LX1
- OS Version: Android 11 (cdDRom11, based on Phhusson Treble GSI)
- App Manager Version: 2.6.4
- Mode: root/adb/no-root, problem happens in auto or root mode, of course
Additional context: I was using AppManager with Magisk v23.0 without issues, but I had to remove it because an app I use started to complain about it being installed. Other apps seem to work fine with the built-in Phh SuperUser, but not AppManager. I tried to uninstall and install the app again, allow all permissions in settings, but it still refuses to work in root mode. Please feel free to ask for more logs. Thank you for making AppManager.
These logs are normal. You can filter using IPC (with no PID filters) but logs without any filter are more useful.
@MuntashirAkon A simple logcat while the problem happens is enough?
Yes, I think. It would, at least, help me find out what went wrong. Use a debug build if you can as they display better logs.
Any version? 2.7.0#debug is OK?
Yes.
Sorry for the delay, I was not able to download artifacts from Actions using the mobile.
Logcat filtered by IPC (2.7.0 DEBUG, mode set to Root, AM showed Initializing for a long time, then offered to open in non root mode):
10-23 16:15:07.656 17446 17486 D IPCUtils: Launching service...
10-23 16:15:07.662 17446 17488 D IPC : Total bound services: 0
10-23 16:15:07.664 17446 17488 D IPC : Need to start a new connection.
10-23 16:15:07.671 17446 17488 E IPC : Running service starter script...
10-23 16:15:08.098 17446 17488 D SHELL_IN: ( [ -d /data/local/tmp ] || ( rm /data/local/tmp; mkdir /data/local/tmp && chmod 771 /data/local/tmp && chown 2000:2000 /data/local/tmp ) ) && cp /data/user_de/0/io.github.muntashirakon.AppManager.debug/main.jar /data/local/tmp && chmod 755 /data/local/tmp/main.jar && chown shell:shell /data/local/tmp/main.jar && (CLASSPATH=/data/local/tmp/main.jar /system/bin/app_process /system/bin io.github.muntashirakon.AppManager.server.IPCMain io.github.muntashirakon.AppManager.debug/io.github.muntashirakon.AppManager.ipc.AMService io.github.muntashirakon.AppManager.ipc.IPCServer)&
10-23 16:15:08.615 17534 17534 D AndroidRuntime: Calling main entry io.github.muntashirakon.AppManager.server.IPCMain
10-23 16:15:09.517 17534 17534 D IPC : Start monitoring: /data/app/~~HO3ef0UvE01P3XdGJ3UEXw==/io.github.muntashirakon.AppManager.debug-SeZnX8RLnEjknplAkeAt8w==
10-23 16:15:09.539 17446 17488 E IPC : null
10-23 16:15:09.539 17446 17488 E IPC : android.os.DeadObjectException: Transaction failed on small parcel; remote process probably died
10-23 16:15:09.539 17446 17488 E IPC : at android.os.BinderProxy.transactNative(Native Method)
10-23 16:15:09.539 17446 17488 E IPC : at android.os.BinderProxy.transact(BinderProxy.java:550)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.server.common.IRootIPC$Stub$Proxy.bind(IRootIPC.java:151)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.IPCClient.startRootServer(IPCClient.java:138)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.IPCClient.<init>(IPCClient.java:64)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.RootService.lambda$bind$0(RootService.java:98)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.-$$Lambda$RootService$7xJKK_K-WgERmcXoflUMO4vr0N0.run(Unknown Source:6)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.SerialExecutorService.call(SerialExecutorService.java:34)
10-23 16:15:09.539 17446 17488 E IPC : at io.github.muntashirakon.AppManager.ipc.SerialExecutorService.call(SerialExecutorService.java:19)
10-23 16:15:09.539 17446 17488 E IPC : at java.util.concurrent.FutureTask.run(FutureTask.java:266)
10-23 16:15:09.539 17446 17488 E IPC : at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
10-23 16:15:09.539 17446 17488 E IPC : at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
10-23 16:15:09.539 17446 17488 E IPC : at java.lang.Thread.run(Thread.java:923)
10-23 16:15:31.129 1491 2311 E IPCThreadState: binder thread pool (4 threads) starved for 256 ms
10-23 16:15:52.669 17446 17486 E ModeOfOps: at io.github.muntashirakon.AppManager.ipc.IPCUtils$AMServiceConnectionWrapper.getServiceSafe(IPCUtils.java:185)
10-23 16:15:52.669 17446 17486 E ModeOfOps: at io.github.muntashirakon.AppManager.ipc.IPCUtils$AMServiceConnectionWrapper.getAmService(IPCUtils.java:171)
10-23 16:15:52.669 17446 17486 E ModeOfOps: at io.github.muntashirakon.AppManager.ipc.IPCUtils.getAmService(IPCUtils.java:44)
Full log: https://zerobin.net/?6a43b07fafcc7cd3#A0SEYszRhAkGEXdZ68NhGhrV1LIB29N1JF+9DYHVVps=
Access to remote service via Binder has been denied by your OS. (See the bold-faced log entry.) I'm not sure why though.
17637 17678 D IPCUtils: Launching service...
17637 17680 D IPC : Total bound services: 0
17637 17680 D IPC : Need to start a new connection.
17637 17680 E IPC : Running service starter script...
17637 17680 D Runner : RootShellRunner
17637 17680 D SHELLIMPL: exec su --mount-master
17637 17680 D SHELLIMPL: exec su
17637 17680 D SHELL_IN: ( [ -d /data/local/tmp ] || ( rm /data/local/tmp; mkdir /data/local/tmp && chmod 771 /data/local/tmp && chown 2000:2000 /data/local/tmp ) ) && cp /data/user_de/0/io.github.muntashirakon.AppManager.debug/main.jar /data/local/tmp && chmod 755 /data/local/tmp/main.jar && chown shell:shell /data/local/tmp/main.jar && (CLASSPATH=/data/local/tmp/main.jar /system/bin/app_process /system/bin io.github.muntashirakon.AppManager.server.IPCMain io.github.muntashirakon.AppManager.debug/io.github.muntashirakon.AppManager.ipc.AMService io.github.muntashirakon.AppManager.ipc.IPCServer)&
17727 17727 D AndroidRuntime: Calling main entry io.github.muntashirakon.AppManager.server.IPCMain
17727 17727 D IPC : Start monitoring: /data/app/~~HO3ef0UvE01P3XdGJ3UEXw==/io.github.muntashirakon.AppManager.debug-SeZnX8RLnEjknplAkeAt8w==
17637 17680 E JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 484)
17637 17637 W pool-2-thread-1: type=1400 audit(0.0:13764): avc: denied { call } for scontext=u:r:untrusted_app:s0:c21,c258,c512,c768 tcontext=u:r:phhsu_daemon:s0 tclass=binder permissive=0 app=io.github.muntashirakon.AppManager.debug
17637 17680 E IPC : null
17637 17680 E IPC : android.os.DeadObjectException: Transaction failed on small parcel; remote process probably died
17637 17680 E IPC : at android.os.BinderProxy.transactNative(Native Method)
17637 17680 E IPC : at android.os.BinderProxy.transact(BinderProxy.java:550)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.server.common.IRootIPC$Stub$Proxy.bind(IRootIPC.java:151)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.IPCClient.startRootServer(IPCClient.java:138)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.IPCClient.<init>(IPCClient.java:64)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.RootService.lambda$bind$0(RootService.java:98)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.-$$Lambda$RootService$7xJKK_K-WgERmcXoflUMO4vr0N0.run(Unknown Source:6)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.SerialExecutorService.call(SerialExecutorService.java:34)
17637 17680 E IPC : at io.github.muntashirakon.AppManager.ipc.SerialExecutorService.call(SerialExecutorService.java:19)
17637 17680 E IPC : at java.util.concurrent.FutureTask.run(FutureTask.java:266)
17637 17680 E IPC : at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
17637 17680 E IPC : at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
17637 17680 E IPC : at java.lang.Thread.run(Thread.java:923)
I see... I do not think it is the Android version/ROM as it worked while Magisk was installed. Maybe it is related to how it runs if Magisk is not installed (if it is different in any way)? Or maybe a SELINUX problem? Maybe something here helps (the device actually runs Android 11): https://source.android.com/devices/architecture/hidl/binder-ipc
Sorry, I didn't make myself clear earlier. The logs clearly suggest that it's a problem with the SELinux policy. Maybe some kind of whitelist is needed for App Manager. But I'm too busy to look into this matter right now.
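The `avc: denied` line in the log above can be read mechanically. The following is an added example, not part of the original thread or of App Manager's code: it parses AVC lines from a logcat dump, keeps the Binder denials, and prints the audit2allow-style rule the loaded policy lacks. The sample input is constructed from the log line quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the denial from the thread's log plus one unrelated line.
SAMPLE_LOG = """\
17637 17680 E JavaBinder: !!! FAILED BINDER TRANSACTION !!! (parcel size = 484)
17637 17637 W pool-2-thread-1: type=1400 audit(0.0:13764): avc: denied { call } for scontext=u:r:untrusted_app:s0:c21,c258,c512,c768 tcontext=u:r:phhsu_daemon:s0 tclass=binder permissive=0 app=io.github.muntashirakon.AppManager.debug
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)


def _domain(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one logcat line; return a dict for AVC records, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs follow "for"; tokens without "=" are ignored.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "source": _domain(fields.get("scontext", "")),  # caller's domain
        "target": _domain(fields.get("tcontext", "")),  # callee's domain
        "tclass": fields.get("tclass", ""),
        "enforced": fields.get("permissive") == "0",    # 0 = really blocked
        "app": fields.get("app"),
    }


def binder_denials(log_text):
    """Return every denied AVC record whose object class is binder."""
    records = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in records
            if r and r["result"] == "denied" and r["tclass"] == "binder"]


def missing_rule(rec):
    """Format the denied access as the allow rule absent from the policy."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {perm_text};"


if __name__ == "__main__":
    for rec in binder_denials(SAMPLE_LOG):
        state = "enforced" if rec["enforced"] else "permissive (logged only)"
        print(f"{rec['app']}: {missing_rule(rec)}  [{state}]")
```

Here the source domain is the app (`untrusted_app`) and the target is the process started through Phh SuperUser (`phhsu_daemon`), so the app's `bind` call into the root server is what the policy blocks.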
Magisk patches SELinux automatically when it is installed; see: https://topjohnwu.github.io/Magisk/details.html
but phh's Superuser does not if you are using it without the eng option.
Try running su --> setenforce 0 in an Android shell (like Termux)
Hmm, it makes sense... I checked phhsu_daemon policies and it seems that it was added to the binder group:
https://github.com/phhusson/device_phh_treble/blob/android-11.0/sepolicy/su.te
so I wonder why it does not work...
setenforce 0 did not work here for some reason, it shows "invalid argument".
Did you try flashing it? https://github.com/AdrianDC/kernel_permissive_patcher/blob/master/release/kernel_permissive_patcher.zip
@gnuhead-chieb Thank you, but I don't want to change it to Permissive permanently. I will try to find a workaround, maybe setting AM as system app works...
Installing AM as a system app has a bug right now. https://github.com/MuntashirAkon/AppManager/issues/477 https://github.com/MuntashirAkon/AppManager/discussions/603 I didn't test it myself, but you might face the same problem.
Magisk has an allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL); SELinux policy to allow all binder transactions.
See here: https://github.com/topjohnwu/Magisk/blob/master/native/jni/magiskpolicy/rules.cpp
I think you have to repack boot.img to modify the SELinux rules to use AM. I also found a tool named sepolicy-inject, but I don't know how to use it.
You can take a look at @mirfatif's answer here: https://android.stackexchange.com/a/215395 (specifically at the bottom section).
but I had to remove it because an app I use started to complain about it being installed.
Magisk has a feature, Hide the Magisk app, that changes the package name of Magisk to hide the Magisk app.
Magisk settings → App → Hide the Magisk app
Did you try it?
Or, if it is caused by SafetyNet, install and configure the MagiskHide Props Config module so you can bypass SafetyNet.
@MuntashirAkon I will take a look at it later, thanks. But I do not know much about SELinux, only the basics. It is a Treble device with SaR (System as Root), I can see the policy files.
@gnuhead-chieb Yeah, I used everything I knew about Magisk to hide it, but the app would run only when Magisk wasn't loaded at boot (which caused many problems, of course, as the modules didn't load). Some new apps can find Magisk, even with SafetyNet and Riru installed: https://github.com/topjohnwu/Magisk/issues/3354
@lfom: Any updates on this? You might as well ask this with the logs I've shared in one of the Treble forums/groups. They might have a better solution to this problem.
@MuntashirAkon Nothing new. I was in contact with phhusson about another subject, I may contact him about it later. So far, I could not understand how to change the policy related to binder with his su, if it is possible...
Feel free to open it again if you have some updates.
We can add checks for this, similar to Shizuku's. It would display a warning to user if their root solution does not support Binder communication.
Implemented in 938d2c6b2b47dc019c48c5e2aca5f5f4ff5367ef. However, App Manager will not be displaying any warning because I haven't yet thought of a way to deliver this information to the app, and of course, this hasn't been tested because I cannot reproduce it myself.
This is great! I will report back once I update the app with a version that includes the new commit. Thanks.
This might also be a general issue with all the SuperUser-based implementations. In such cases, maybe implementing root over adb (think of it as adb shell su in desktop) is a better option which I am currently looking into. If this is feasible, I shall also implement such options.
If we have root with enough privileges to modify the live SELinux policy, why can't we simply inject a rule if it's found missing? Or it didn't work? Sorry I'm not clear on this.
Or if the problem is with the rooting solution's context, why don't we switch our own context to something else? E.g. ADB shell's context (u:r:shell:s0) seems to work quite good for binder communication.
Injecting rules depends on the implementations and platform version and is beyond a project like this where I already have to deal with many compatibility issues that will give most people a headache.
What do you mean by "our own context"?
Process running with context: u:r:phhsu_daemon:s0.
Doesn't that still require injecting a rule that would make SELinux change the context of a process to shell if an executable with a certain context is executed from phhsu_exec or phhsu_daemon?
Possible. On partially rooted devices SELinux policy can be limited in countless ways.
If it's really possible, can you demonstrate with an example? We do not require the injected rules to be persisted, we only need them so long as App Manager runs.