orbot
SELinux policy breaks VPN functionality
Apps that set a SOCKS proxy or have Tor support built in still work. Those that rely on the VPN to be proxied show a "DNS could not resolve" error.
Logcat shows SELinux stopping activities:
[11-20 17:06:13.388 2458:2458 W/tor]
type=1400 audit(0.0:585): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:13.768 2458:2458 W/tor]
type=1400 audit(0.0:586): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:13.778 2458:2458 W/tor]
type=1400 audit(0.0:587): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:14.388 2458:2458 W/tor]
type=1400 audit(0.0:588): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:14.868 2458:2458 W/tor]
type=1400 audit(0.0:589): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
[11-20 17:06:15.308 2458:2458 W/tor]
type=1400 audit(0.0:590): avc: denied { ioctl } for path="socket:[138253]" dev="sockfs" ino=138253 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c181,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
Workaround: setting SELinux to permissive solves this.
Could you give more info about what ROM you are using?
LineageOS fork with microg. Specifically https://download.lineage.microg.org/guacamole/lineage-18.1-20221002-microG-guacamole.zip
Access to tcp_socket ioctl for untrusted apps seems to be denied for all ROMs. I'm not sure if that is the actual problem. But, obviously the issue is related to sepolicy somehow if setting to permissive fixes the problem.
Where did you get Orbot from? Have you made any other changes to the system?
Permissive should never be used.
It's possible that Magisk can break sepolicy.
Orbot from F-Droid. Magisk is installed and used to be used to provide root for Orbot.
Orbot doesn't use root for anything
There are few reasons to keep a rooted device regardless.
Currently no, but it used to for expert mode, before being replaced with VPN functionality.
I'm also curious as to what the source of these log messages is, although it seems unlikely that they'd break anything.
@BoBeR182 Does the DNS error also occur with android's Private DNS feature off? I (on DivestOS, a fork of LineageOS) get the same logcat messages and originally domain resolution also failed but disabling Private DNS seems to be a workaround.
Private DNS is unnecessary while using tor, but having to toggle them together can be annoying, so this is more of a clue to find what the root problem is than anything else.
@NepNep21 You shouldn't have to disable Private DNS. And I personally recommend you do use e.g. Quad9 or DNS0 over the random exit node resolvers for the benefit of blocking and DNSSEC enforcement at the slight cost of disclosing to an extra party.
Disabling Private DNS while using a VPN on DivestOS will also bypass the built-in content blocker.
https://divestos.org/pages/faq#privateDNS https://divestos.org/pages/faq#privateDNSwVPN https://divestos.org/pages/faq#contentBlockerEnabled
You shouldn't have to, and that's why my comment is on the issue tracker. Resolving clearnet domains (not just .onion as stated in https://divestos.org/pages/faq#privateDNSwVPN) does exhibit the behavior initially described (tested on Mull and Brave).
@NepNep21 But I cannot reproduce this issue on any of my devices.
Did you make any system changes? Magisk? via adb?
No Magisk, I am not aware of changing any properties with adb, and the only other system change I can think of was installing microG.
I get these errors on my Nvidia Shield when I sideload the APK via adb (unrooted, original firmware).
Proxy modes or VPN do not work and I get different denied messages for each.
SELinux : avc: denied { find } for pid=26989 uid=10103 name=tethering scontext=u:r:permissioncontroller_app:s0:c103,c256,c512,c768 tcontext=u:object_r:tethering_service:s0 tclass=service_manager permissive=0
tor : type=1400 audit(0.0:3047): avc: denied { ioctl } for path="socket:[1679969]" dev="sockfs" ino=1679969 ioctlcmd=0x894b scontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c113,c256,c512,c768 tclass=tcp_socket permissive=0 app=org.torproject.android
Interestingly if I sideload the Cloudflare 1.1.1.1 + WARP VPN app via the same way, there are no problems.