Proc_monitor & different am_proc_start format with Phronesis 6.0.1 and lsskernel 3.4.113 #132

Closed
tamer-hassan opened this issue Mar 23, 2017 · 9 comments

@tamer-hassan

First I remove the pre-installed system-mode SuperSU and reboot. Check with "Safetynet Helper sample" app, basic integrity check OK, but CTS profile mismatch, because SELinux is set to Permissive.
I can also pass both safetynet checks (basic and CTS profile matching) with RootSwitch-1.3.3.2 because it also toggles selinux to enforcing.

I install Magisk 11.6 (MagiskSU installed properly), latest Magisk manager from playstore, make sure MagiskHide is enabled, but the check in MagiskHide gives CTS Profile Mismatch.
"Safetynet Helper Sample" no longer passes even basic integrity check, even after I add the app in the MagiskHide list and toggle MagiskHide off/on. Log shows MagiskHide is working as it should, but it isn't passing.

@tamer-hassan

tamer-hassan commented Mar 23, 2017

Just to confirm, I unpacked original boot.img and changed selinux to enforcing, flashed new boot.img, and now I get both basic integrity & CTS profile match == true
Then re-installed Magisk 11.6, then latest MagiskManager, made sure MagiskHide is enabled (and verified in log), but I still get CTS profile mismatch in Magisk, and basic integrity: false in SafetyNet attest, even after adding "SafetyNet Helper Sample" to MagiskHide list, and toggling MagiskHide off then back on in settings.

@tamer-hassan

I think I found the issue.
With default selinux enforcing, after magisk 11.6 install, selinux shows permissive in settings -> software info
but, from a root terminal, getenforce shows enforcing.
closing as a duplicate of #125

@tamer-hassan

Reopening
After following advice in #125 and disabling the chmod on /sys/fs/selinux/enforce and /sys/fs/selinux/policy in /magisk/.core/magiskhide/enable and rebooting, settings -> software info now reports selinux enforcing, as was the default.
However, still get safetynet failed cts profile mismatch in magisk, and also basic integrity false in safetynet attest.
So it must be something else...

@tamer-hassan

tamer-hassan commented Mar 24, 2017

I finally solved it, but had two issues:

  1. Phronesis N7 v5.1 (Android 6.0.1) uses Phantom Kernel v1 which doesn't seem to enable logd (for logcat, which is used in the process monitor)
  2. LSS Kernel (3.4.113-lsskernel-hlte-eur-3.8UX-mmport), logcat works, but the format of am_proc_start is different, in that the processName is the 5th and not the 4th field as process monitor expects. So I had to patch proc_monitor.c
    Patch here: tamer-hassan@41dcaa8

Now Magisk passes all safetynet checks.

@tamer-hassan tamer-hassan changed the title v11.* failing Safetynet tests on Phronesis N7 rom for Note 3 (SM-N9005) Proc_monitor & different am_proc_start format with Phronesis 6.0.1 and lsskernel 3.4.113 Mar 24, 2017
@CaptainThrowback

Did you submit a pull request?

@tamer-hassan

Latest Phantom 1.2d test v3 kernel allows for enabling logging by touch /data/.phantom.log and rebooting. Since it is based on lsskernel / idlekernel, it uses the same am_proc_start format (where processName is 5th field).

I can't yet find any documentation about this new format, so I don't know since which kernel version it has been in use, in order to write an if condition that does not break compatibility with older kernel versions?

@tamer-hassan

Ok.. According to: https://android.googlesource.com/platform/system/core/+/master/liblog/include/log/event_tag_map.h
#define EVENT_TAG_MAP_FILE "/system/etc/event-log-tags"
the logger should follow the format specified in that file. However, in my tests, this wasn't the case. The file shows processname as fourth field but actual logcat has processname as fifth field..
I'm very confused.
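
One way to stay compatible with both layouts described in this thread is to pick the name position from the number of fields in the line rather than from the kernel version. The C code below is an added example, not code from the issue, the linked patch or Magisk; the function name `parse_proc_start`, the two bracketed field layouts, the assumption that the PID is the second field, and the sample line are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Magisk's code: parse one raw am_proc_start line.
 * Assumed layouts (constructed for this example):
 *   6 fields: [user,pid,uid,processName,type,component]
 *   7 fields: one extra field before processName, making it the 5th
 * Returns 0 on success, -1 when the line matches neither layout. */
int parse_proc_start(const char *line, int *pid, char *name, size_t name_len)
{
    char buf[512], *fields[8], *p, *end;
    int n = 0;
    const char *lb = strchr(line, '['), *rb = strrchr(line, ']');

    if (!lb || !rb || rb <= lb || (size_t)(rb - lb) > sizeof(buf))
        return -1;
    memcpy(buf, lb + 1, (size_t)(rb - lb - 1));
    buf[rb - lb - 1] = '\0';

    /* Split on commas in place; a ninth field means an unknown layout. */
    for (p = buf; p; n++) {
        if (n == 8) return -1;
        fields[n] = p;
        if ((p = strchr(p, ',')) != NULL) *p++ = '\0';
    }

    /* Pick the name position from the field count; refuse to guess otherwise. */
    int idx = (n == 6) ? 3 : (n == 7) ? 4 : -1;
    if (idx < 0) return -1;

    long v = strtol(fields[1], &end, 10);
    if (end == fields[1] || *end != '\0' || v <= 0 || v > 0x7fffffff) return -1;
    if (strlen(fields[idx]) == 0 || strlen(fields[idx]) >= name_len) return -1;
    *pid = (int)v;
    strcpy(name, fields[idx]);
    return 0;
}

int main(void)
{
    /* Constructed sample line in the assumed 7-field layout. */
    const char *s = "[0,4321,10078,0,com.example.app,activity,com.example.app/.Main]";
    char name[256];
    int pid;
    if (parse_proc_start(s, &pid, name, sizeof(name)) == 0)
        printf("pid=%d name=%s\n", pid, name);
    return 0;
}
```

Lines with any other field count are rejected instead of being read at a guessed offset, so a further format change shows up as a parse failure rather than as a wrong process name.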

@tamer-hassan

PR #142 sent

@tamer-hassan

closing as PR has been merged upstream :)
