Android 11 SELinux policy denies netlink_route_socket
niccellular opened this issue · comments
Hi I've written an App that uses NORM (and thus protolib) and in testing I've come across this error.
app: type=1400 audit(0.0:1715): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c4,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c4,c256,c512,c768 tclass=netlink_route_socket permissive=0 b/155595000 app=app
protolib: ProtoNetlink::Open() bind() error: Permission denied
protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
The Android developer docs here https://developer.android.com/training/articles/user-data-ids#mac-11-plus state that Apps are unable to call bind on netlink_route sockets.
The selinux policy regarding this change is here https://android.googlesource.com/platform/external/sepolicy/+/6937aa93ac0a36f19cb13b81a282dedcad324be5/app.te#274
Is there anyway around this or is it that protolib/norm will never work on modern Android (without root)?
Are you trying to use the NORM ECN-based congestion control option? That seems to be the only NORM code path that I see at a glance that should invoke the netlink code. However, use of the ECN option does require root privilege because when the ECN option is invoked, the NORM code uses a pcap socket to read the raw packets from the interface so it can see and set the ECN bits in the IP packet header. I have looked into options to get/set these bits without the process needing to root privileges, but haven’t identified a specific approach or implemented anything yet. There may be an option for Linux/Android but this approach was most straightforward for cross-platform builds. If you require the ECN-based congestion control for your purposes, I can dig into that more. But for more typical NORM usage, that code path doesn’t come into play.
If you are not using ECN, it would be useful to see the call stack to see when this comes into play and there would likely be a way for that to be mitigated.
I've basically implemented whats in https://github.com/USNavalResearchLaboratory/norm/blob/master/examples/java/NormFileSendRecv.java. So its starts from the call to startReceiver. I don't think this is using ECN-based congestion control. It works as expected on Android 9 and 10 without root but on 11 I believe that change I mentioned in the developer notes is the culprit.
01-20 20:58:15.049 13205 13205 I NORMDropDownReceiver: Turning receiver on
01-20 20:58:15.052 13205 13205 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-20 20:58:15.052 13205 13205 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-20 20:58:15.052 13205 13205 E protolib: ProtoSocket::SetMulticastInterface() invalid interface name: wlan0
01-20 20:58:15.052 13205 13205 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-20 20:58:15.052 13205 13205 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-20 20:58:15.052 13205 13205 E protolib: ProtoSocket::SetMulticastInterface() invalid interface name: wlan0
01-20 20:58:15.052 13205 13205 F protolib: NormSession::Open() tx_socket::SetMulticastInterface() error
01-20 20:58:15.052 13205 13205 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-20 20:58:15.052 13205 13205 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-20 20:58:15.052 13205 13205 E protolib: ProtoSocket::LeaveGroup() invalid interface name
01-20 20:58:15.053 13205 13205 W System.err: java.io.IOException: Failed to start receiver
01-20 20:58:15.040 13205 13205 W atakmap.app.civ: type=1400 audit(0.0:1198): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tcontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tclass=netlink_route_socket permissive=0 b/155595000 app=com.atakmap.app.civ
01-20 20:58:15.040 13205 13205 I chatty : uid=10669(com.atakmap.app.civ) identical 1 line
01-20 20:58:15.040 13205 13205 W atakmap.app.civ: type=1400 audit(0.0:1200): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tcontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tclass=netlink_route_socket permissive=0 b/155595000 app=com.atakmap.app.civ
01-20 20:58:15.053 13205 13205 W System.err: at mil.navy.nrl.norm.NormSession.startReceiver(Native Method)
01-20 20:58:15.053 13205 13205 W System.err: at atakplugin.NORM.d.onClick(SourceFile:184)
01-20 20:58:15.053 13205 13205 W System.err: at android.view.View.performClick(View.java:7520)
01-20 20:58:15.053 13205 13205 W System.err: at android.view.View.performClickInternal(View.java:7489)
01-20 20:58:15.053 13205 13205 W System.err: at android.view.View.access$3600(View.java:826)
01-20 20:58:15.054 13205 13205 W System.err: at android.view.View$PerformClick.run(View.java:28555)
01-20 20:58:15.054 13205 13205 W System.err: at android.os.Handler.handleCallback(Handler.java:938)
01-20 20:58:15.054 13205 13205 W System.err: at android.os.Handler.dispatchMessage(Handler.java:99)
01-20 20:58:15.054 13205 13205 W System.err: at android.os.Looper.loop(Looper.java:233)
01-20 20:58:15.054 13205 13205 W System.err: at android.app.ActivityThread.main(ActivityThread.java:8068)
01-20 20:58:15.054 13205 13205 W System.err: at java.lang.reflect.Method.invoke(Native Method)
01-20 20:58:15.054 13205 13205 W System.err: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:631)
01-20 20:58:15.054 13205 13205 W System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:978)
$ ifconfig wlan0
wlan0 Link encap:UNSPEC Driver icnss
inet addr:172.30.254.196 Bcast:172.30.254.255 Mask:255.255.255.0
inet6 addr: fe80::580a:4dff:fe0c:3302/64 Scope: Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:83985 errors:0 dropped:0 overruns:0 frame:0
TX packets:17816 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3000
RX bytes:111435006 TX bytes:3334118
From looking at the call stack here, you are trying to set your multicast interface to "wlan0". The IPv4 IP_MULTICAST_IF ioctl wants a local interface IP address. So, when you pass in the interface name, the Protolib code (on Android) uses netlink to find an IP address associated with the given interface name. That is now failing due to the newer Android pollicy on netlink use. I need to investigate what mechanism may be available as an alternate for getting that information. I have tended to use the most common solution for cross-platform support and fetching the addresses associated with an interface to find one worked. I think at the time I did the code, getifaddrs() was not supported on Android at all. From the notes your links above led me to, it looks like that may work for IP (but not MAC) address info ... so I may be able to have a strategy that uses netlink only as a last resort which work for non-privileged apps on Android while privileged apps (and those are the ones that generally need it) can get MAC addr info when needed.
Meanwhlle, a work-around for you would be to pass the IP address (e.g. "192.168.1.1") as your interface name because the protolib code first checks if the string is already an IP address and only does the interface name->address lookup (which involves the problematic call to netlink) when an IP address is not already provided.
Thank you for the work-around I will give that a shot. I appreciate your help on the weekend!
Looks like it didn't work?
01-22 14:28:01.096 10467 14924 V NetworkUtils: checked interface: wlan0 ip address remains the same: 172.30.254.196
01-22 14:28:02.037 10467 10467 I NORMDropDownReceiver: Turning receiver on
01-22 14:28:02.039 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.039 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.039 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.039 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.039 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.039 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.039 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.039 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.040 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.040 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: invalid interface name
01-22 14:28:02.040 10467 10467 E protolib: ProtoSocket::SetMulticastInterface() invalid interface name: 172.30.254.196
01-22 14:28:02.040 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.040 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.040 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.040 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: invalid interface name
01-22 14:28:02.041 10467 10467 E protolib: ProtoSocket::SetMulticastInterface() invalid interface name: 172.30.254.196
01-22 14:28:02.041 10467 10467 F protolib: NormSession::Open() tx_socket::SetMulticastInterface() error
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.025 10467 10467 W atakmap.app.civ: type=1400 audit(0.0:840): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tcontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tclass=netlink_route_socket permissive=0 b/155595000 app=com.atakmap.app.civ
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.041 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.041 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.042 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.042 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.042 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.042 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.042 10467 10467 E protolib: ProtoNetlink::Open() bind() error: Permission denied
01-22 14:28:02.042 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: unable to open netlink socket
01-22 14:28:02.042 10467 10467 E protolib: ProtoNet::GetInterfaceAddressList() error: invalid interface name
01-22 14:28:02.042 10467 10467 E protolib: ProtoSocket::LeaveGroup() invalid interface name
01-22 14:28:02.042 10467 10467 W System.err: java.io.IOException: Failed to start receiver
01-22 14:28:02.042 10467 10467 W System.err: at mil.navy.nrl.norm.NormSession.startReceiver(Native Method)
01-22 14:28:02.043 10467 10467 W System.err: at atakplugin.NORM.d.onClick(SourceFile:190)
01-22 14:28:02.043 10467 10467 W System.err: at android.view.View.performClick(View.java:7520)
01-22 14:28:02.043 10467 10467 W System.err: at android.view.View.performClickInternal(View.java:7489)
01-22 14:28:02.043 10467 10467 W System.err: at android.view.View.access$3600(View.java:826)
01-22 14:28:02.043 10467 10467 W System.err: at android.view.View$PerformClick.run(View.java:28555)
01-22 14:28:02.043 10467 10467 W System.err: at android.os.Handler.handleCallback(Handler.java:938)
01-22 14:28:02.043 10467 10467 W System.err: at android.os.Handler.dispatchMessage(Handler.java:99)
01-22 14:28:02.043 10467 10467 W System.err: at android.os.Looper.loop(Looper.java:233)
01-22 14:28:02.043 10467 10467 W System.err: at android.app.ActivityThread.main(ActivityThread.java:8068)
01-22 14:28:02.043 10467 10467 W System.err: at java.lang.reflect.Method.invoke(Native Method)
01-22 14:28:02.043 10467 10467 W System.err: at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:631)
01-22 14:28:02.043 10467 10467 W System.err: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:978)
01-22 14:28:02.035 10467 10467 W atakmap.app.civ: type=1400 audit(0.0:841): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tcontext=u:r:untrusted_app:s0:c157,c258,c512,c768 tclass=netlink_route_socket permissive=0 b/155595000 app=com.atakmap.app.civ
01-22 14:28:02.035 10467 10467 I chatty : uid=10669(com.atakmap.app.civ) identical 6 lines
If I am reading the code correctly, the work-around of using the IP address as the interface name would only work on Win32?
protolib/src/common/protoSocket.cpp
Line 2644 in 6a9e709
You are correct - I just pushed an update that will now actually enable this "work around" to work (I added "|| defined(ANDROID) to places in code like above). I also noted this needed to be done in the ProtocSocket JoinGroup() and LeaveGroup() methods. Note this is an interim update. I plan to update the code so that it uses getifaddrs() on Android to be able to get at least interface name and IP address associations that seem to be still allowed.
OK - I went ahead and took this a step further and you should now also be able to use interface names for setting the multicast interface. I changed the Android #ifdefs such that getifaddrs() is used instead of netlink where possible on Android API 24 and greater where getifaddrs() is supported. I think Protolib apps that use MAC address information will still work on Android with these changes but need to fully test that. Let me know if this works. Thanks for finding and reporting the issue.
Tested and working! Thank you for the quick turnaround.
Hello, I've recently tested NORM on more modern Samsung devices, Galaxy S20 running Android 12, and I am seeing the same behavior again. The same app runs flawlessly on a OnePlus 6+ running Android 11. So my gut says its some Samsung custom SELinux policy?
I've done a fresh build of the AAR for NORM with the latest source and I have tried using both the IP Address and the Interface Name. Both fail similarly though the errors are slightly different. Interestingly though the call to startReceiver doesn't throw an error and it appears NORM startSender and fileEnqueue both seem to work (though no files are actually received since the receiver errors on bind)
I've attached the logcat output from the moment startReceiver is called from Java.
Context appContext = mapView.getContext().getApplicationContext();
WifiManager wm = (WifiManager) appContext.getSystemService(Context.WIFI_SERVICE);
ip = Formatter.formatIpAddress(wm.getConnectionInfo().getIpAddress());
Log.d(TAG, "Using interface with IP: " + ip);
try {
instance = new NormInstance();
session = instance.createSession("224.1.2.3", 6003, NormNode.NORM_NODE_ANY);
session.setMulticastInterface(ip); // also have tried "wlan0"
session.startReceiver(bufferSize);
...
I am looking at the issue and will follow up as I dig in more.
At first glance at the logs you posted, it looks like there is still some attempt to invoke Netlink calls that should have been covered by the #ifdef blocks put in place to not use those calls for ANDROID_API > 24 (i.e., only use netlink for older ANDROID_API versions where the getifaddrs() call was not yet supported).
So, are you sure the protolib code is being built with the proper definition of the ANDROID_API version for your target? Are you using Android Studio to do that? I notice the CMakelists define an older ANDROID_API version so unless Android Studio is overriding that, it is possible your build isn’t targeting the newer ANDROID_API where the #ifdef then avoids the use of the netlink calls that cause a permissions problem with new Android policies. The “-DANDROID_API_VERSION=15” that I see in the “norm/android/CMakelists.txt file” and “norm/protolib/android/CMakelist.txt” file makes me nervous that your library is being built incorrectly for your target. You could try changing that to 24 or greater and see if that helps in any way?
Meanwhile, I am going to do a little more review to see if there is somehow a code path I overlooked or something else. I will also try to crack open Android Studio and see if I can emulate something that approximates your phone configurations. Are you able to do that with the Android Studio emulator? If you have a specific emulator configuration I should use, that would save me time in trying to replicate your problem if I can.
In a nutshell, your log files show calls to ProtoNetlink::Open() being attempted which I thought the #ifdefs put it into place that solved the issue for you previously should not be occurring.
I believe you are correct regarding the API version flag, however when I make the changes to the two CMake files, the build system still does not build with the correct function. The resulting binaries always use the ProtoNet::GetInterfaceName from linuxNet.cpp
I verified this by comparing the PLOG strings in the built libraries.
~/norm/android/lib/build/intermediates$ strings ./merged_native_libs/debug_Debug/out/lib/x86/libmil_navy_nrl_norm.so | grep GetInterfaceName
...
ProtoNet::GetInterfaceName() warning: no interfaces?!
ProtoNet::GetInterfaceName() new ifIndices[] error: %s
ProtoNet::GetInterfaceName() no name for interface index %u?
How are you building the NORM library? Are you using Android Studio or are you building it from the command-line? One thing I noted in the CMakelists files it references a macro ANDROID_API_VERSION while the linuxNet.cpp file references a macro ANDROID_API. I inserted a "pragma message (ANDROID_API) code into the linuxNet.cpp file and its value was 16 even though I set the ANDROID_API_VERSION to 24. Since I don't do a lot of Android development, I am trying to figure out how the build works. It ma be selecting the ANDROID_API value based on what Android SDK I have installed
So after looking into it further, it seems the key is to have the ANDROID_PLATFORM set properly in the "build.gradle" files. I went ahead and committed updated versions of these that have this updated to "-DANDROID_PLATFORM=android-24". Note this is set down in the "externalNativeBuild" which provides definitions for building the native code (C++) library used by the .jar file created.
I build NORM via command-line. I've attached a notes.txt of my build process. Two "bugs" in the build process I've noticed are that the output AAR's classes.jar file is empty (I just copy the norm-1.0.0.jar over it) and that I have to actually run the build task three times before it makes a well formed AAR.
I just tried your new commit and it builds correctly with the right GetInterfaceName however, it appears to fail on nlmsg_readpriv? It seems this is blocked by SELinux for all untrusted_apps https://android.googlesource.com/platform/system/sepolicy/+/2ae45c5766bfdce08ebfdb86493b1b8566e01211/private/net.te#6
09-03 09:43:36.538 17757 17757 W protolib: ProtoNet::GetHostAddressList() warning: no interfaces?!
09-03 09:43:36.538 17757 17757 W protolib: ProtoNet::GetHostAddressList() warning: no interfaces?!
09-03 09:43:36.538 17757 17757 W protolib: ProtoAddress::ResolveLocalAddress() warning: no assigned addresses found
09-03 09:43:36.539 804 804 E audit : type=1400 audit(1693759416.532:379): avc: denied { nlmsg_readpriv } for pid=17757 comm="atakmap.app.civ" scontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tclass=netlink_route_socket permissive=0 SEPF_SM-G981V_11_0010 audit_filtered
09-03 09:43:36.539 804 804 E audit : type=1300 audit(1693759416.532:379): arch=c00000b7 syscall=206 success=no exit=-13 a0=7f a1=7fd46cb760 a2=14 a3=0 items=0 ppid=824 pid=17757 auid=4294967295 uid=10281 gid=10281 euid=10281 suid=10281 fsuid=10281 egid=10281 sgid=10281 fsgid=10281 tty=(none) ses=4294967295 comm="atakmap.app.civ" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c25,c257,c512,c768 key=(null)
09-03 09:43:36.539 804 804 E audit : type=1327 audit(1693759416.532:379): proctitle="com.atakmap.app.civ"
09-03 09:43:36.539 804 804 E audit : type=1400 audit(1693759416.532:380): avc: denied { nlmsg_readpriv } for pid=17757 comm="atakmap.app.civ" scontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tclass=netlink_route_socket permissive=0 SEPF_SM-G981V_11_0010 audit_filtered
09-03 09:43:36.539 804 804 E audit : type=1300 audit(1693759416.532:380): arch=c00000b7 syscall=206 success=no exit=-13 a0=7f a1=7fd46cb760 a2=14 a3=0 items=0 ppid=824 pid=17757 auid=4294967295 uid=10281 gid=10281 euid=10281 suid=10281 fsuid=10281 egid=10281 sgid=10281 fsgid=10281 tty=(none) ses=4294967295 comm="atakmap.app.civ" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c25,c257,c512,c768 key=(null)
09-03 09:43:36.539 804 804 E audit : type=1327 audit(1693759416.532:380): proctitle="com.atakmap.app.civ"
09-03 09:43:36.539 17757 17757 W protolib: ProtoSocket::EnableRecvDstAddr() setsocktopt(IPV6_PKTINFO) error: Protocol not available
Is the EnableRecvDstAddr() call above the source of this issue? (that is called from normSession.cpp and is not really needed). If so, that call could be omitted or #ifdef'd out for ANDROID.
Or is it due the GetHostAddressList() call that in turn calls GetInterfaceIndices() that makes a call to if_nameindex() ... If calling this system call is problematic, this code could be changed to get the same info using "getifaddrs()" instead ... I can't tell from the above exactly which call is causing your failure problem
I'm not sure to be honest. I am invoking it from Java and this log is what is being printed to logcat in Android.
I can try putting a #ifdef ANDROID in protolib/src/common/protoSocket.cpp around the EnableRecvDstAddr
That could be helpful to pinpoint the problem. Also adding an extra PLOG statement to the GetInterfaceIndices() code to see if that is creating the problem instead. I would think if the getidaddrs() call is allowed, then the if_nameindex() would also be allowed, but perhaps that's the issue with these newer policies.
Ok I #if !defined(ANDROID) the EnableRecvDstAddr which removed it from the logcat output so I assume its the GetInterfaceIndicies() call and if_nameindex() is returning NULL
09-03 11:02:00.408 14856 14856 W protolib: Calling if_nameindex()
09-03 11:02:00.408 14856 14856 W protolib: if_nameindex() returned null? NULL == 1
09-03 11:02:00.408 14856 14856 W protolib: ProtoNet::GetHostAddressList() warning: no interfaces?!
09-03 11:02:00.408 14856 14856 W protolib: Calling if_nameindex()
09-03 11:02:00.408 14856 14856 W protolib: if_nameindex() returned null? NULL == 1
09-03 11:02:00.408 14856 14856 W protolib: ProtoNet::GetHostAddressList() warning: no interfaces?!
09-03 11:02:00.408 14856 14856 W protolib: ProtoAddress::ResolveLocalAddress() warning: no assigned addresses found
09-03 11:02:00.408 803 803 E audit : type=1400 audit(1693764120.405:366): avc: denied { nlmsg_readpriv } for pid=14856 comm="atakmap.app.civ" scontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tclass=netlink_route_socket permissive=0 SEPF_SM-G981V_11_0010 audit_filtered
09-03 11:02:00.408 803 803 E audit : type=1300 audit(1693764120.405:366): arch=c00000b7 syscall=206 success=no exit=-13 a0=218 a1=7fee8d4950 a2=14 a3=0 items=0 ppid=823 pid=14856 auid=4294967295 uid=10281 gid=10281 euid=10281 suid=10281 fsuid=10281 egid=10281 sgid=10281 fsgid=10281 tty=(none) ses=4294967295 comm="atakmap.app.civ" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c25,c257,c512,c768 key=(null)
09-03 11:02:00.408 803 803 E audit : type=1327 audit(1693764120.405:366): proctitle="com.atakmap.app.civ"
09-03 11:02:00.408 803 803 E audit : type=1400 audit(1693764120.405:367): avc: denied { nlmsg_readpriv } for pid=14856 comm="atakmap.app.civ" scontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c25,c257,c512,c768 tclass=netlink_route_socket permissive=0 SEPF_SM-G981V_11_0010 audit_filtered
PLOG(PL_WARN, "Calling if_nameindex()\n");
struct if_nameindex* ifdx = if_nameindex();
PLOG(PL_WARN, "if_nameindex() returned null? NULL == %d\n", ifdx == NULL);I have a question. Are you trying to use the ECN congestion control option with NORM in your application? Looking at the code, I don't think the GetHostAddressList() method is called unless that is used.
That is not a option I explicitly set. I use fileEnqueue() but I don't know if that does ECN underneath the hood.
Nevermind that question. Upon a deeper look, GetHostAddressList() is called indirectly through the FindLocalAddress() method that is called by the ResolveLocalAddress() call. I am about to push a commit that has something else to try where, for ANDROID, if_nametoindex() is used instead of if_nameindex() ... although it's not clear that call will work if that general family of if_ system calls is disabled by the newer Android policies. There is a way to rework the protoNet, unixNet, and linuxNet code so if the GetHostAddressList() call is related only to IP addressing and not MAC addressing (which seems to be the fundamental point of the security policy for some reason ... likely because MAC addresses can be used to pinpoint/track a specific hardware device). However that will be a little more involved.
OK - I just pushed that update. If that doesn't work, I will need to tackle the more involved change so that "getifaddrs()" is more exclusively used on Android wherever possible, teasing apart the case where MAC address info is fetched versus when IP-only info is fetched
I will attempt to build it now.
Your latest update works! At least on Android 11 and 12, I don't have an Android 13 device to test with right now, but a plan to change to getifaddrs() method would likely be a good effort. I still get that EnableRecvDstAddr error but it doesn't seem to effect the ability to use fileEnqueue to transfer files.
Yes that EnableRecvDstAddr() issue is really just a completely benign warning. I am actually surprised this worked, but I guess the policy allows the if_nametoindex() to work while the if_nameindex() doesn't (perhaps because of the information it reveals?). I agree that having the getifaddrs() being the defacto approach for getting IP-related addressing and separating the MAC stuff from that. A lot of the "ProtoNet" related code carries a lot of cruft (e.g., support for some fairly defunct operating systems) that could be eliminated and the code simplified. Hopefully the Android 13, etc devices will work with this change for the moment