Running with chroot?

[Roxve]

I have been trying to run termux-x11 using archlinux chroot and no clear tutorial explains how to do it; here is a script i made to try and run it:

export TMPDIR=/data/arch/tmp
export XKB_CONFIG_ROOT=/data/arch/usr/share/X11/xkb
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :0

I ran this using the tsu command which runs termux in root mode than i did termux-x11 :1 -ac &
Then i ran chroot and did

sudo chmod -R 777 /tmp
export DISPLAY=:0
dbus-launch --exit-with-session xfce4-session &

Which returns

xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

What am I doing wrong? (Don't know if i should report this here but i really need help 🙏🙏🙏)

[twaik]

1. setenforce 0.
2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
3. tsu does not fit in this case, use raw su.
4. If it still does not work post logs.

[Roxve]

1. setenforce 0.
2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
3. tsu does not fit in this case, use raw su.
4. If it still does not work post logs.

setenforce 0 doesn't work in my kernel,
I tried to run this in su shell using only these

export TMPDIR=/data/arch/tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :0

And then i ran the same commands in chroot and it kept repeating

Gdk-CRITICAL **: 23:52:29.444: gdk_window_is_visible: assertion 'GDK_IS_WINDOW (window)' failed

And termux-x11 didn't display anything (except preferences and help buttons)

[twaik]

Termux:X11 can not work with enabled selinux. You can try mount-binding $PREFIX/.X11-unix folder to your distro's /tmp/.X11-unix and starting termux-x11 in termux without root.

[Roxve]

Termux:X11 can not work with enabled selinux. You can try mount-binding $PREFIX/.X11-unix folder to your distro's /tmp/.X11-unix and starting termux-x11 in termux without root.

I did this and when i try to run both (termux-x11 and dbus-launch in chroot) the terminal outputs a number that starts with the same number from the other one

termux-x11 :1 &
=> 2 [9180]
# In the other terminal (chroot):
export DISPLAY=:0 
dbus-launch --exit-with-session xfce4-session &
=>
[2] 9276
[xfce4-session: Cannot open display: .
Type 'xfce4-session --help' for usage.

I tried this multiple times and the same thing happens with other numbers like 7

I mounted both $PREFIX/tmp/.X11-unix on $DISTRO/tmp/. X11-unix and $DISTRO/tmp/. X11-unix on $PREFIX/tmp/.X11-unix

[Roxve]

I guess i am stuck with proot and vnc, thanks 🙏 sorry for wasting your time

[twaik]

https://github.com/termux/termux-x11/blob/master/README.md#logs

[romanovj]

1. setenforce 0.
2. XKB_CONFIG_ROOT can be deduced from TMPDIR so it is not necessary.
3. tsu does not fit in this case, use raw su.
4. If it still does not work post logs.

setenforce 0 doesn't work in my kernel, I tried to run this in su shell using only these

export TMPDIR=/data/arch/tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :0

And then i ran the same commands in chroot and it kept repeating

Gdk-CRITICAL **: 23:52:29.444: gdk_window_is_visible: assertion 'GDK_IS_WINDOW (window)' failed

And termux-x11 didn't display anything (except preferences and help buttons)

You shouldn't see any text in termux:x11 right after executing /system/bin/app_process / com.termux.x11.CmdEntryPoint :0

looks likeyou didn't disable selinux

[romanovj]

you can add rules with magiskpolicy

magiskpolicy --live "allow untrusted_app * * *"

[romanovj]

also look into others issues
#45
#279

[twaik]

also look into others issues #45 #279

Other issues you mentiomed are not really relevant. Termux-x11 changed its internal architecture since these issues were solved.

[Roxve]

you can add rules with magiskpolicy

magiskpolicy --live "allow untrusted_app * * *"

Thank you so much this worked!

[twaik]

magiskpolicy --live "allow untrusted_app * * *"

@romanovj It is not really secure. Is it possible to be more precise and allow this only for specific app? Or specific uid?

[romanovj]

magiskpolicy --live "allow untrusted_app * * *"

@romanovj It is not really secure. Is it possible to be more precise and allow this only for specific app? Or specific uid?

slightly more secure than setenforce 0

most dumb way - systemise x11 and allow everything for priv_app/platform_app

I will try to do something, but not now

[Roxve]

you can add rules with magiskpolicy

magiskpolicy --live "allow untrusted_app * * *"

I am curious what does this command do? As i think it looks it looks like it gives root or some sort of terminal or limited system access for untrusted apps why not make termux-x11 request root for chroot users instead?

[romanovj]

you can add rules with magiskpolicy
magiskpolicy --live "allow untrusted_app * * *"

I am curious what does this command do? As i think it looks it looks like it gives root or some sort of terminal or limited system access for untrusted apps why not make termux-x11 request root for chroot users instead?

this command disable seelinux checks for untrusted_app (installed by user)

Alt. commands with minimum permissions
magiskpolicy --live "allow untrusted_app {magisk} fd {use}"
magiskpolicy --live "allow untrusted_app {magisk} unix_stream_socket {read write}"

[twaik]

slightly more secure than setenforce 0

most dumb way - systemise x11 and allow everething for priv_app/platform_app

I will try to do something, but not now

I can try to get calling process pid and ensure it is termux-x11 (to make sure I am not disable selinux restrictions of some other, potentially malicious application).
After this I can invoke something like magiskpolicy --live 'allow untrusted_app:s0:c243,c256,c512,c768 * * *'.
As far as I understand the first category specifier c243 is related to the uid (it equals to uid of every package I checked).
So it should much more secure than setenforce 0.

[romanovj]

slightly more secure than setenforce 0
most dumb way - systemise x11 and allow everething for priv_app/platform_app
I will try to do something, but not now

I can try to get calling process pid and ensure it is termux-x11 (to make sure I am not disable selinux restrictions of some other, potentially malicious application). After this I can invoke something like magiskpolicy --live 'allow untrusted_app:s0:c243,c256,c512,c768 * * *'. As far as I understand the first category specifier c243 is related to the uid (it equals to uid of every package I checked). So it should much more secure than setenforce 0.

you can't do it that way, you can't add level (c243) to scontext untrusted_app

[romanovj]

I did weird thing.

disable selinux for runas_app (no one should be runas except us) and become runas with adb help (I have segfault from root user)

magiskpolicy --live "allow runas_app * * *"

adb shell run-as com.termux.x11

also copy xkb folder from chroot to termux:x11 dir

Start server

export XKB_CONFIG_ROOT=/data/data/com.termux.x11/files/xkb
export TMPDIR=/data/data/com.termux.x11/files/tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :1

mount x11 tmp to chroot tmp before chroot

umount tmp
mount /data/data/com.termux.x11/files/tmp tmp
chroot . /bin/su -

some info

/data/user/0/com.termux.x11/files $ id

uid=10202(u0_a202) gid=10202(u0_a202) groups=10202(u0_a202),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs),50202(all_a202) context=u:r:runas_app:s0:c202,c256,c512,c768

[Xynonners]

I did weird thing.

disable selinux for runas_app (no one should be runas except us) and become runas with adb help (I have segfault from root user)

magiskpolicy --live "allow runas_app * * *"

adb shell run-as com.termux.x11

also copy xkb folder from chroot to termux:x11 dir

Start server

export XKB_CONFIG_ROOT=/data/data/com.termux.x11/files/xkb
export TMPDIR=/data/data/com.termux.x11/files/tmp
export CLASSPATH=$(/system/bin/pm path com.termux.x11 | cut -d: -f2)
/system/bin/app_process / com.termux.x11.CmdEntryPoint :1

mount x11 tmp to chroot tmp before chroot

umount tmp
mount /data/data/com.termux.x11/files/tmp tmp
chroot . /bin/su -

some info

/data/user/0/com.termux.x11/files $ id

uid=10202(u0_a202) gid=10202(u0_a202) groups=10202(u0_a202),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid),3012(readtracefs),50202(all_a202) context=u:r:runas_app:s0:c202,c256,c512,c768

to get around the fact that run-as segfaults on root user, I made a tool to fake adb via su.
https://github.com/Xynonners/psu

the group id's though are hardcoded currently, so it may be required to replace them (you can find gid via id -G YOUR_GROUP_HERE).