nix-on-droid
Startup fails on GrapheneOS due to seccomp kernel bug
proot error: ptrace(TRACEME): Operation not permitted
proot error: execve("/system/bin/sh"): Operation not permitted
proot info: It seems your kernel contains this bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1202161
To workaround it, set the env. variable PROOT_NO_SECCOMP to 1.
fatal error: see `proot-static --help`.
proot error: can't chmod '/data/data/com.termux.nix/files/usr/tmp/proot-24400-UqyK5X': No such file or directory
[Process completed (code 1) - press Enter]
Bit strange, should I start a binary in failsafe with that env or is there a better fix?
Interesting. nix-on-droid currently relies heavily on proot/ptrace, not sure what to do on an OS that blocks it. Probably not much.
What happens if you use the suggested workaround? Try using either a regular terminal or the failsafe shell to add export PROOT_NO_SECCOMP=1 to the other exports in /data/data/com.termux.nix/files/usr/bin/login and restarting Nix-on-Droid? I haven't looked into what exactly this controls, but if it's suggested, why not try it, right...
Ptrace can be used by a malicious process to read the data of another process. I suspect Graphene may set kernel.yama.ptrace_scope to 2 (only privileged users can ptrace) or 3 (no ptrace at all).
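The two questions raised so far (does the kernel let proot's child issue PTRACE_TRACEME at all, and is Yama ptrace scoping in play) can be checked directly. The script below is an added example, not code from nix-on-droid or proot; it assumes a Linux host with Python 3 and a libc that exports ptrace(2). A denied PTRACE_TRACEME together with a Yama scope of 0 or 1 points at a seccomp filter or another policy rather than at ptrace scoping, which is the distinction the thread is trying to make.

```python
"""Diagnostic for the ptrace questions in this thread: can a child ask its
parent to trace it (PTRACE_TRACEME, the first call proot makes), and what
does kernel.yama.ptrace_scope say?  Added example, not part of nix-on-droid
or proot."""
import ctypes
import os

PTRACE_TRACEME = 0  # request number from <sys/ptrace.h> on Linux
YAMA_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

# Meaning of each Yama value, per Documentation/admin-guide/LSM/Yama.rst.
SCOPE_MEANING = {
    0: "classic: any same-uid process may attach",
    1: "restricted: only descendants may be attached (or via PR_SET_PTRACER)",
    2: "admin-only: CAP_SYS_PTRACE required, including for PTRACE_TRACEME",
    3: "no attach: ptrace disabled entirely, PTRACE_TRACEME included",
}


def read_ptrace_scope(path=YAMA_SCOPE_PATH):
    """Return the Yama scope as an int, or None when Yama is not available."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, PermissionError, ValueError):
        return None


def probe_traceme():
    """Fork a child that issues PTRACE_TRACEME and report the outcome.

    Returns ("ok", 0); ("denied", errno) when the call fails (Yama scope >= 2,
    a seccomp filter returning an error, or a kernel without ptrace); or
    ("killed", signal) when a seccomp filter kills the caller outright.
    """
    libc = ctypes.CDLL(None, use_errno=True)
    libc.ptrace.restype = ctypes.c_long
    libc.ptrace.argtypes = [ctypes.c_long, ctypes.c_long,
                            ctypes.c_void_p, ctypes.c_void_p]
    pid = os.fork()
    if pid == 0:
        rc = libc.ptrace(PTRACE_TRACEME, 0, None, None)
        err = ctypes.get_errno() if rc == -1 else 0
        os._exit(err)  # exit status carries errno (EPERM is 1)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("killed", os.WTERMSIG(status))
    code = os.WEXITSTATUS(status)
    return ("ok", 0) if code == 0 else ("denied", code)


def report():
    """Human-readable summary combining both checks."""
    scope = read_ptrace_scope()
    verdict, detail = probe_traceme()
    lines = []
    if scope is None:
        lines.append("Yama ptrace_scope: not available (Yama not enabled)")
    else:
        lines.append(f"Yama ptrace_scope: {scope} "
                     f"({SCOPE_MEANING.get(scope, 'unknown value')})")
    if verdict == "ok":
        lines.append("PTRACE_TRACEME: permitted; proot's ptrace backend can work")
    elif verdict == "denied":
        lines.append(f"PTRACE_TRACEME: denied, errno {detail} "
                     f"({os.strerror(detail)})")
    else:
        lines.append(f"PTRACE_TRACEME: caller killed by signal {detail} "
                     "(seccomp filter)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it from the same shell that fails to start Nix-on-Droid (the failsafe shell will do): the "denied" line reproduces the "Operation not permitted" proot printed above, and the scope line shows whether the ptrace_scope guess holds on that device.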
It's unclear to me what they would gain from banning ptrace of the process' own offspring when there are so many ways to hijack a process that you yourself are spawning.
It's more that it can be abused by a malicious process, hence Graphene disables it. Graphene is not regular Android but rather ultra hardened, even breaking userspace. Even malloc is different on Graphene; it's made for security, and hence if it can be exploited, it goes out.
Is the upshot that Nix-on-Droid is not usable on GrapheneOS or is there a working workaround?
I'm not aware how GrapheneOS blocks ptrace and how to unblock it. For Nix-on-Droid the usage of proot and thus ptrace is pretty much central and unsidesteppable in its current form.
There is no way to disable the ptrace blocking on stock GrapheneOS
I'm assuming the older project https://github.com/t184256/nix-in-termux also relies on proot.
There is no way to disable the ptrace blocking on stock GrapheneOS
GrapheneOS doesn't restrict access to ptrace by default and never uses ptrace scoping. There's an optional security settings toggle for disabling native debugging in Settings -> Security. It's not disabled by default.
Only users who have explicitly disabled ptrace (which is referred to as native debugging in the UI) have it disabled. The setting exists for reducing kernel attack surface.
We have no real use for ptrace scoping since the strict whole system SELinux policies / domains do a great job handling all that and far more already. The use for ptrace scoping is in a system where you have far weaker security properties and lack of proper separation between processes, but still enough isolation that restricting the ptrace permission checks protects them from each other. We don't think that's particularly relevant on modern Android. All we provide is a toggle to reduce kernel attack surface.
We don't break app compatibility with apps using ptrace by default for usability reasons since a lot of banking apps do really sketchy / useless self checks with ptrace and wouldn't work (they should just use hardware-based attestation but it's probably a good thing they don't know that since they wouldn't do https://grapheneos.org/articles/attestation-compatibility-guide in practice).