
[FEATURE] Run iptables binary from AfWall prebuilt as the system app without "su"/"magisk" binaries?

Open LuigiVampa92 opened this issue 3 years ago • 3 comments

Hi, first of all thanks for an amazing app. I have noticed some time ago that AfWall is actually the only root app that I use. So it made me think about one thing. I am personally convinced that having a rooted device isn't great from a security perspective. And since AfWall is the only reason I might like to have magisk/su on my phone, why wouldn't I try to make my own system build of AOSP or LOS with AfWall embedded as a system app and get rid of magisk/su?

Now, this is an area that I have quite poor knowledge of, so I decided to ask you if that is technically possible.

I have taken a look at my device (I have a OnePlus 5T) and found out that iptables and ip6tables in /system/bin are not owned by root:root, but rather owned by root:shell. So they belong to the "shell" group, just like adbd for example.

Technically I can execute the iptables binary from adb shell or even from an unprivileged app's "sh" shell because it has 755 permissions. However, I tried to do so and this did not succeed. In the case of an unprivileged app I get the error "Can't lock /system/etc/xtables.lock. Another app is currently holding the xtables lock", and when I try to execute it from adb shell I get "Can't initialize iptables table 'filter': Permission denied (you must be root)". I do realise that an unprivileged user should not have the ability to alter firewall rules, and this is the same behaviour that we have on "big" Linux like Ubuntu: we have to call sudo to make iptables apply the rules.

But what if I had AfWall built together with the system, signed with the same key and installed in /system/priv-app? I know that when the app is built together with the system it has sharedUserId set to "android.uid.system" in the manifest, but I'm afraid that it will still not be enough to do the trick, because system apps have the "system" uid/gid 1000/1000 and I guess it would need "root"'s 0/0 to call the iptables binary. The 2000/2000 of "shell" wasn't able to apply iptables rules from the adb shell process, so I am afraid that if I set sharedUserId to shell during the build I will still not succeed.

So, what do you think about this idea? Maybe someone tried to do the same thing? Maybe I can play around with setting some extra permissions for the system app or add new SELinux contexts and rules to achieve that?

I will be very grateful to @ukanth or anyone from the community for any comments, suggestions and any useful information. Thank you!

LuigiVampa92 avatar Oct 30 '20 01:10 LuigiVampa92

Thanks for your analysis and feedback. I remember someone was trying to build afwall as a system app. But it didn't work due to the way the current builds (ndk) work in afwall. But certainly that's possible if we tweak the build scripts and decouple the su dependency out of afwall.

Regarding running as non-root, it might not work since it won't be just the uid but also SELinux policies. I'm not sure if it's worth looking into tweaking SELinux policies. Unfortunately I'm not familiar with it.

ukanth avatar Oct 30 '20 02:10 ukanth

Thank you for the reply. Well, I will try to tinker with that and will reply to this thread if I manage to get some success.

LuigiVampa92 avatar Oct 30 '20 20:10 LuigiVampa92

While I am not too knowledgeable in Android, I have an idea from Linux.

So if I understand correctly, iptables has a root:shell owner, and apps in priv-app are system:system. Now, if the system user is in, or could be added to, the shell group, then setting the setuid bit on the iptables binary could, in theory, make this work. And, of course, the permissions changed to 750. At least it sounds plausible to me 😃

konkav-js avatar Apr 19 '21 17:04 konkav-js
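A worked example for the DAC side of this thread: the root:shell ownership and 755 mode reported in the question, and the setuid-root plus 750 idea in the comment above. This is an added example, not AfWall code and not something anyone in the thread ran. It assumes the fixed Android ids root=0, system=1000, shell=2000, the field order that toybox's `ls -lZ` prints, and two constructed sample lines (size, date and SELinux label are made up for illustration):

```shell
#!/bin/sh
# Added example (not AfWall project code): given the owner, group and mode
# that `ls -lZ` shows for a binary, decide which callers pass the DAC
# execute check and which uid a setuid binary would run as.
# Both sample lines are constructed; the field order is assumed to be
# toybox's (perms links owner group label size date time path).
SAMPLE_IPTABLES='-rwxr-xr-x 1 root shell u:object_r:system_file:s0 1234 2020-01-01 00:00 /system/bin/iptables'
# The variant proposed in the comment above: setuid root, mode 4750.
SAMPLE_SETUID='-rwsr-x--- 1 root shell u:object_r:system_file:s0 1234 2020-01-01 00:00 /system/bin/iptables'

# Fixed Android ids (AIDs) for the names used in the thread.
uid_of() {
  case $1 in
    root) echo 0 ;;
    system) echo 1000 ;;
    shell) echo 2000 ;;
    *) echo "uid_of: unknown name $1" >&2; return 1 ;;
  esac
}

# mode_to_octal '-rwsr-x---' -> 4750 (special bits, user, group, other).
# 's'/'S' in the user or group slot carry setuid/setgid, 't'/'T' sticky.
mode_to_octal() {
  p=$1; u=0; g=0; o=0; s=0
  case $p in ?r????????) u=$((u + 4)) ;; esac
  case $p in ??w???????) u=$((u + 2)) ;; esac
  case $p in ???[xs]??????) u=$((u + 1)) ;; esac
  case $p in ???[sS]??????) s=$((s + 4)) ;; esac
  case $p in ????r?????) g=$((g + 4)) ;; esac
  case $p in ?????w????) g=$((g + 2)) ;; esac
  case $p in ??????[xs]???) g=$((g + 1)) ;; esac
  case $p in ??????[sS]???) s=$((s + 2)) ;; esac
  case $p in ???????r??) o=$((o + 4)) ;; esac
  case $p in ????????w?) o=$((o + 2)) ;; esac
  case $p in ?????????[xt]) o=$((o + 1)) ;; esac
  case $p in ?????????[tT]) s=$((s + 1)) ;; esac
  printf '%d%d%d%d\n' "$s" "$u" "$g" "$o"
}

# parse_ls LINE -> "MODE OWNER GROUP LABEL PATH" (assumed toybox field order).
parse_ls() {
  pl_line=$1
  set -- $pl_line
  printf '%s %s %s %s %s\n' "$(mode_to_octal "$1")" "$3" "$4" "$5" "$9"
}

# can_exec MODE OWNER GROUP UID [GID...]: exit 0 if the execute bit of the
# class that applies to this caller is set. POSIX picks exactly one class:
# owner if the uid matches, else group if any gid matches, else other.
# Root needs at least one execute bit set somewhere to exec a file.
can_exec() {
  ce_mode=$1; ce_owner=$(uid_of "$2") || return 2; ce_group=$(uid_of "$3") || return 2
  ce_uid=$4; shift 4
  ce_u=$(printf '%s' "$ce_mode" | cut -c2)
  ce_g=$(printf '%s' "$ce_mode" | cut -c3)
  ce_o=$(printf '%s' "$ce_mode" | cut -c4)
  if [ "$ce_uid" -eq 0 ]; then
    [ $(( (ce_u | ce_g | ce_o) & 1 )) -eq 1 ]; return
  fi
  if [ "$ce_uid" -eq "$ce_owner" ]; then
    [ $(( ce_u & 1 )) -eq 1 ]; return
  fi
  for ce_gid in "$@"; do
    if [ "$ce_gid" -eq "$ce_group" ]; then
      [ $(( ce_g & 1 )) -eq 1 ]; return
    fi
  done
  [ $(( ce_o & 1 )) -eq 1 ]
}

# effective_uid MODE OWNER UID: the euid after exec if the setuid bit is
# honoured (pure DAC view; see the note after this block).
effective_uid() {
  eu_owner=$(uid_of "$2") || return 2
  eu_s=$(printf '%s' "$1" | cut -c1)
  if [ $(( eu_s & 4 )) -eq 4 ]; then echo "$eu_owner"; else echo "$3"; fi
}

# Walk the callers discussed in the thread: adb shell, a system app and an
# ordinary app (10123 is a constructed app uid; 3003 is the inet group).
for line in "$SAMPLE_IPTABLES" "$SAMPLE_SETUID"; do
  set -- $(parse_ls "$line")
  d_mode=$1; d_owner=$2; d_group=$3
  printf '%s %s:%s %s\n' "$5" "$d_owner" "$d_group" "$d_mode"
  for who in "shell 2000 2000" "system 1000 1000" "system+shell 1000 1000 2000" "app 10123 10123 3003"; do
    set -- $who; d_name=$1; d_uid=$2; shift 2
    if can_exec "$d_mode" "$d_owner" "$d_group" "$d_uid" "$@"; then
      printf '  %-13s DAC exec ok, would run as uid %s\n' "$d_name" "$(effective_uid "$d_mode" "$d_owner" "$d_uid")"
    else
      printf '  %-13s DAC exec denied\n' "$d_name"
    fi
  done
done
```

The point of running it is that DAC is only the first gate. `can_exec` says yes for uid 2000 on the 755 binary, exactly the case in the question, yet the real binary answers "you must be root": iptables needs CAP_NET_ADMIN to talk to netfilter, which the shell user does not hold, and on an enforcing SELinux build the caller also keeps its own domain when it executes a system_file binary unless policy grants a transition. Likewise `effective_uid` returning 0 for the 4750 variant describes what plain DAC would do with the setuid bit, not whether that bit is honoured for the calling process on the device or whether the resulting process would be allowed to load rules.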