Startup fails on GrapheneOS due to seccomp kernel bug

Open danwdart opened this issue 3 years ago • 10 comments

proot error: ptrace(TRACEME): Operation not permitted
proot error: execve("/system/bin/sh"): Operation not permitted
proot info: It seems your kernel contains this bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1202161
To workaround it, set the env. variable PROOT_NO_SECCOMP to 1.
fatal error: see `proot-static --help`.
proot error: can't chmod '/data/data/com.termux.nix/files/usr/tmp/proot-24400-UqyK5X': No such file or directory

[Process completed (code 1) - press Enter]

Bit strange, should I start a binary in failsafe with that env or is there a better fix?

danwdart avatar Aug 24 '21 10:08 danwdart

Interesting. nix-on-droid currently relies heavily on proot/ptrace, not sure what to do on an OS that blocks it. Probably not much.

What happens if you use the suggested workaround? Try using either a regular terminal or the failsafe shell to add export PROOT_NO_SECCOMP=1 to the other exports in /data/data/com.termux.nix/files/usr/bin/login and restarting Nix-on-Droid. I haven't looked into what exactly this controls, but if it's suggested, why not try it, right...

t184256 avatar Aug 24 '21 10:08 t184256

Ptrace can be used by a malicious process to read the data of another process. I suspect Graphene may set kernel.yama.ptrace_scope to 2 (only privileged users can ptrace) or 3 (no ptrace at all).

Lunarequest avatar Apr 14 '22 06:04 Lunarequest

It's unclear to me what they would gain from banning ptrace of the process' own offspring when there are so many ways to hijack a process that you yourself are spawning.

t184256 avatar Apr 14 '22 06:04 t184256

It's more that it can be abused by a malicious process, hence Graphene disables it. Graphene is not regular Android but rather ultra hardened, even breaking userspace. Even malloc is different on Graphene; it's made for security, and hence if it can be exploited, it goes out.

Lunarequest avatar Apr 14 '22 06:04 Lunarequest

Is the upshot that Nix-on-Droid is not usable on GrapheneOS or is there a working workaround?

emacsomancer avatar May 09 '22 14:05 emacsomancer

I'm not aware how GrapheneOS blocks ptrace and how to unblock it. For Nix-on-Droid the usage of proot and thus ptrace is pretty much central and unsidesteppable in its current form.

t184256 avatar May 09 '22 14:05 t184256

There is no way to disable the ptrace blocking on stock GrapheneOS

Lunarequest avatar May 09 '22 15:05 Lunarequest

I'm assuming the older project https://github.com/t184256/nix-in-termux also relies on proot.

emacsomancer avatar May 09 '22 15:05 emacsomancer

> There is no way to disable the ptrace blocking on stock GrapheneOS

GrapheneOS doesn't restrict access to ptrace by default and never uses ptrace scoping. There's an optional security settings toggle for disabling native debugging in Settings -> Security. It's not disabled by default.

thestinger avatar May 09 '22 18:05 thestinger

Only users who have explicitly disabled ptrace (which is referred to as native debugging in the UI) have it disabled. The setting exists for reducing kernel attack surface.

We have no real use for ptrace scoping since the strict whole system SELinux policies / domains do a great job handling all that and far more already. The use for ptrace scoping is in a system where you have far weaker security properties and lack of proper separation between processes, but still enough isolation that restricting the ptrace permission checks protects them from each other. We don't think that's particularly relevant on modern Android. All we provide is a toggle to reduce kernel attack surface.

We don't break app compatibility with apps using ptrace by default for usability reasons since a lot of banking apps do really sketchy / useless self checks with ptrace and wouldn't work (they should just use hardware-based attestation but it's probably a good thing they don't know that since they wouldn't do https://grapheneos.org/articles/attestation-compatibility-guide in practice).

thestinger avatar May 09 '22 18:05 thestinger
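
A small diagnostic for the two explanations raised in this thread, added here as an example and not code from nix-on-droid, proot or GrapheneOS: it reads kernel.yama.ptrace_scope and has a forked child issue the same PTRACE_TRACEME call that proot fails on in the log above. The function names are made up for this example, and the caller is assumed to be an ordinary app without CAP_SYS_PTRACE.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read kernel.yama.ptrace_scope; returns 0..3, or -1 if Yama is absent or unreadable. */
int read_yama_scope(void) {
    int v = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Documented Yama behaviour: levels 2 and 3 also restrict a child's PTRACE_TRACEME. */
int yama_blocks_traceme(int scope, int has_cap_sys_ptrace) {
    if (scope == 3) return 1;                       /* no ptrace at all */
    if (scope == 2) return !has_cap_sys_ptrace;     /* privileged only */
    return 0;                                       /* 0, 1 or unknown */
}

/* Fork a child that issues PTRACE_TRACEME, the call proot reports as refused.
 * Returns 0 if allowed, the child's errno if refused, -1 if the probe did not complete. */
int probe_traceme(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        long r = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int scope = read_yama_scope();
    int err = probe_traceme();
    printf("yama ptrace_scope: %d (-1 = not present or unreadable)\n", scope);
    printf("PTRACE_TRACEME: %s\n", err == 0 ? "allowed" : err > 0 ? strerror(err) : "probe failed");
    /* Assumption: run as an ordinary app without CAP_SYS_PTRACE (second argument 0). */
    if (err > 0 && scope >= 0 && !yama_blocks_traceme(scope, 0))
        printf("refused although the Yama scope would permit it; some other restriction is in effect\n");
    return err == 0 ? 0 : 1;
}
```

A refusal with a readable scope of 0 or 1 points away from ptrace scoping and toward another control, such as the native debugging toggle described above.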