A11 broke boldbeast callrecorder, not working even with canary #3264

Closed
WimVDK opened this issue Oct 5, 2020 · 39 comments

@WimVDK

WimVDK commented Oct 5, 2020

After updating to A11 my call recorder (boldbeast call recorder) was no longer able to record calls even while having rooted options enabled. After talking with the developer it seems 4dacffd this commit should fix that problem. However, I'm running the latest canary (64effe9) Magisk and manager, patched but still no go.

Just contacted boldbeast dev again yesterday, and they said the SElinux problem is still there.
Any idea how I can see if this commit has been merged? Kinda need my recorder back as I use it to keep track of job interview calls etc...

boldbeast dev when I first made contact (Sept 11th oddly enough) said the following:

Hi,

I have just investigated it.
Your Magisk version has wrong selinux policies inside, and that made the problem.
I saw topjohnwu changed the selinux policies 7 days ago:
4dacffd

He added this new line in the policies:
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);

@boldbeastsoft

Previously I think the line [allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);] is used to allow apps to connect to the magisk domain, but actually it's not. My fault, sorry.

Indeed it seems Magisk V21 completely banned apps from connecting to a magisk daemon via unix_stream_socket. Only the magisk_client process can connect, but an app can't.

@WimVDK
Author

WimVDK commented Oct 5, 2020

You're on GitHub too? Nice. So can you work around this? Can it be fixed? Really need my call recorder back :)

@topjohnwu
Owner

topjohnwu commented Oct 5, 2020

If you claim it's an SELinux issue, then it is very easily identifiable by showing audit logs from logcat when call recording failed. Please record full logcat and provide it to prove the claim, and also that is the only way I can fix it (so I can add additional rules by looking at audit logs.)

@WimVDK
Author

WimVDK commented Oct 6, 2020

It fails at the moment because I can't enable the root requiring options it needs for 2-way recording. Without 2-way recording, I can't get you those logs (if they would be needed). The request for root never reaches Magisk, I assume.

The best log I could possibly get you at this point would be to try and enable them and then grab logs. Corona
Hoping they'll have what you're looking for.

Unless boldbeast can work around this change

@boldbeastsoft

@topjohnwu thank you for your reply.

At this moment I don't have the phone environment myself.
@WimVDK Can you please provide the logcat file? Thanks.

@WimVDK
Author

WimVDK commented Oct 6, 2020

If I knew how, but I only have 1 phone. I can't call myself and in order to provide accurate logs I guess the root options need to be enabled. As you are aware, I can't enable the root options because the prompt doesn't reach Magisk, which is something only you can fix. If I were to guess, if the root request would reach Magisk on Android 11, I would be able to enable the root requiring options and recording would work just fine.

Normally:

Boldbeast setting 'enable rooted options' gets activated > sends root request > Magisk 'receives' request and asks for approval > approval granted > root options enabled

Current situation on A11

Boldbeast sends root request > root request does NOT reach Magisk > no Magisk approval request > root options can't get enabled > boldbeast errors out with error '-3 ...' as you are aware.

The only way I can see this being fixed at the moment is a new boldbeast version that fixes that root request. You said it yourself:

Previously I think the line [allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);] is used to allow apps to connect to the magisk domain, but actually it's not. My fault, sorry.

@boldbeastsoft

@WimVDK Can you please:

  1. Install the app Logcat Extreme: https://play.google.com/store/apps/details?id=scd.lcex
  2. Open Logcat Extreme to start reading all system logs (give it root access when asked).
  3. Open Boldbeast Recorder, tap "Call Settings > Fix Recording Issues > Enable Rooted Options".
  4. The app will display a message that says it fails. Don't care about it.
  5. Switch to Logcat Extreme, stop reading logs, save the logs to a file.
  6. Upload the file here to let topjohnwu check it.

Thank you.

@WimVDK
Author

WimVDK commented Oct 6, 2020

@boldbeastsoft

@WimVDK Thank you for the logcat file.
@topjohnwu Can you please check the file? Thanks.

The related line is this:
10-06 07:28:54.372 11026 11026 W com.boldbeast.recorder: type=1400 audit(0.0:63360): avc: denied { read } for comm=4173796E635461736B202331 scontext=u:r:untrusted_app_27:s0:c31,c257,c512,c768 tcontext=u:r:magisk_client:s0:c31,c257,c512,c768 tclass=file permissive=0 app=com.boldbeast.recorder

@WimVDK
Author

WimVDK commented Oct 10, 2020

@topjohnwu any news?

@boldbeastsoft

Hope @topjohnwu has time to check the logcat file.

@topjohnwu
Owner

@boldbeastsoft what are you trying to do here? Why do you need to read files from the magisk client process?

@boldbeastsoft

boldbeastsoft commented Oct 12, 2020

@topjohnwu
We start up a daemon by MagiskSU, then our app connects to the daemon by unix_stream_socket to do things needed. It has worked great in the past several years with Magisk 20 and older versions.

Now on Magisk 21 our app fails to connect to the daemon by unix_stream_socket because of the new selinux policies in Magisk. If we set selinux to permissive it works at once.

According to the Magisk document, our app is supposed to connect to the "magisk" domain. But from the logcat file we saw the app actually is trying to connect to the "magisk_client" domain on Magisk 21. Don't know why. We changed nothing to the app.

App Java

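Process process = Runtime.getRuntime().exec("su");
DataOutputStream out = new DataOutputStream(process.getOutputStream()); // java.io.DataOutputStream
out.writeBytes("/data/data/com.boldbeast.recorder/bbrecserver\n"); // newline so the su shell runs the command
out.flush();
byte[] buf = new byte[64];
process.getInputStream().read(buf); // read the daemon's stdout (flag1 / flag2)

Daemon (bbrecserver)

int main(void) {
    printf("flag1\n");
    /* listening UNIX stream socket owned by the root daemon */
    int serverSocketfd = socket(AF_UNIX, SOCK_STREAM, 0);
    bind(serverSocketfd, ServerSocketAddress, AddressLen);
    listen(serverSocketfd, 200);
    printf("flag2\n");
    while (1) {
        int client_socket_fd = accept(serverSocketfd, ClientSocketAddress, &addresssize);
        ...
    }
}

App Native

int socketfd = socket(AF_UNIX, SOCK_STREAM, 0);
/* this is the connect() call that fails on Magisk 21 */
connect(socketfd, SocketAddress, AddressLen);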

On Magisk 20 it works well.
On Magisk 21 the daemon is started with no problem, but when calling connect() above from the app,

  • If selinux is permissive, it works.
  • If selinux is enforced, it fails.

@WimVDK
Author

WimVDK commented Oct 12, 2020

And just for the sake of being thorough here. I'm not going to set my SELinux to permissive. That's too big of a security risk.

@WimVDK
Author

WimVDK commented Oct 19, 2020

@topjohnwu any update?

@vvb2060
Collaborator

vvb2060 commented Oct 20, 2020

IMG
/system/bin/ps=/data/data/com.boldbeast.recorder/bbrecserver, so why is your daemon context magisk_client?

@RikkaW
Contributor

RikkaW commented Oct 20, 2020

@boldbeastsoft What is your ServerSocketAddress and what is the SELinux context of /data/data/com.boldbeast.recorder/bbrecserver? This may explain why the context of your socket is magisk_client.

@boldbeastsoft

@vvb2060 You asked "why your daemon context is magisk_client?" I don't know. I just use MagiskSU to start the daemon, then MagiskSU does everything related to context transition.

@RikkaW ServerSocketAddress is "BBRecServer".

@RikkaW
Contributor

RikkaW commented Oct 20, 2020

@boldbeastsoft Maybe the only possible situation is that something makes the context of /data/data/com.boldbeast.recorder/bbrecserver become magisk_exec, then the context of the daemon process and the socket file becomes magisk_client.

You can run this to check the context of bbrecserver:

su
ls -lZ /data/data/com.boldbeast.recorder/bbrecserver

@WimVDK
Author

WimVDK commented Oct 20, 2020

When I try that over adb shell I get

ls: /data/data/com.boldbeast.recorder/bbrecserver: No such file or directory

Recorded files of previous Android (working recorder) are stored in /storage/com.boldbeast.recorder/rec

@boldbeastsoft

boldbeastsoft commented Oct 20, 2020

@RikkaW
Thank you for your suggestion.

ps -AZ | grep bbrecserver
u:r:magisk:s0 root 9426 9408 8524 4696 __skb_wait_for_more_packets 0 S bbrecserver

The daemon bbrecserver is in the "magisk" domain, just as expected. I investigated it further. Calling connect() from the app failed, but the system actually generated no logs. Then the app tried to detect whether or not the daemon was running but was blocked by selinux policies. It iterated pids in the /proc folder to open the file /proc/pid/cmdline and search for the string "bbrecserver" in the file to achieve the goal. This made the system generate the log "avc: denied { read } for comm=4173796E635461736B202332 scontext=u:r:untrusted_app:s0:c179,c256,c512,c768 tcontext=u:r:magisk_client:s0:c179,c256,c512,c768 tclass=file permissive=0".

So,

  • The daemon bbrecserver is running as expected, very good.
  • The app can't connect to the daemon because of selinux policies in Magisk. The system generates no logs. If Magisk changes the selinux policies to fix the problem, we'll appreciate it.
  • The app can't open the /proc/pid/cmdline files and the system generates the "magisk_client" log. It is not important because in this case the app will just ignore it. Here we also just ignore the log.
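
Added example (not part of any participant's comment, and not Magisk or Boldbeast code): a small Python parser for the two `avc: denied` lines quoted in this thread. It decodes the hex-encoded `comm` field and checks whether a denial concerns a `unix_stream_socket` in the `magisk` domain; both quoted lines turn out to be `file` reads against `magisk_client`. The function names are chosen for this example.

```python
import re

# The two audit lines quoted in the comments above, copied verbatim.
SAMPLE_LINES = [
    "10-06 07:28:54.372 11026 11026 W com.boldbeast.recorder: type=1400 audit(0.0:63360): avc: denied { read } for comm=4173796E635461736B202331 scontext=u:r:untrusted_app_27:s0:c31,c257,c512,c768 tcontext=u:r:magisk_client:s0:c31,c257,c512,c768 tclass=file permissive=0 app=com.boldbeast.recorder",
    "avc: denied { read } for comm=4173796E635461736B202332 scontext=u:r:untrusted_app:s0:c179,c256,c512,c768 tcontext=u:r:magisk_client:s0:c179,c256,c512,c768 tclass=file permissive=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_comm(value):
    """Quoted comm values are literal; unquoted ones are hex-encoded by the kernel."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8")
    except ValueError:  # not hex, or not valid UTF-8: keep the raw value
        return value


def domain(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "perms": m.group("perms").split(),
        "comm": decode_comm(fields.get("comm", "")),
        "source": domain(fields.get("scontext", "")),
        "target": domain(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "enforced": fields.get("permissive") == "0",
    }


def is_socket_denial(d, target="magisk"):
    """True only for a denial on a UNIX stream socket owned by `target`."""
    return d["tclass"] == "unix_stream_socket" and d["target"] == target
```
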

@RikkaW
Contributor

RikkaW commented Oct 20, 2020

The SELinux changes from Magisk are to prevent crazy apps that detect root by scanning all sockets. So it cannot be changed from Magisk side.

If you want to use a unix socket from "app" to "magisk", the simplest way is to use the magiskpolicy tool.

magiskpolicy --live "allow <s> magisk unix_stream_socket *"

Replace <s> with the context of your app's process, read /proc/self/attr/current from your app's process.

Note this will not work on some devices (e.g., Huawei device does not allow any SELinux policy change after boot). So it's better to do with Magisk module, you can read the document of Magisk.

Furthermore, the best way should be to use binder, which has no SELinux issue (and binder is the best IPC method when communicating with an Android app process). You can see topjohnwu/libsu or Chainfire/librootjava. Behind them, a Java class specified by you is started by app_process, you can use all Android classes (such as Binder) and your native libraries (System.load/LoadLibrary).

By the way, it's actually possible to use binder with pure native code 😶🏃‍♂️.

@boldbeastsoft

Thanks for the information.

However, using magiskpolicy to change selinux policies is not so good, because Google Play store will ban the app. We dare not do so in the app. And it seems Magisk Repo stopped accepting modules for a long time.

Switching to binder needs a lot of work to change the code. Now that the new policies have this line inside:
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
Actually crazy apps are not able to detect root by checking logs. For this reason there is no need to ban apps to connect to the magisk domain by unix_stream_socket. Do I understand right?

@vvb2060
Collaborator

vvb2060 commented Oct 20, 2020

Checking logs is another way to detect Magisk.
It's probably safe to use magiskpolicy, Play store only scans for setenforce.

@RikkaW
Contributor

RikkaW commented Oct 20, 2020

Magisk v21 added the ability to install modules directly (magisk --install-module). And don't download the module from the Internet, it's safe enough.

About the policy change, it seems you have some misunderstanding, John Wu's commit (ec3705f) has super detailed message about it.

@WimVDK
Author

WimVDK commented Oct 20, 2020

Play store version is irrelevant to me, I'm using the non-play version so calls are still labelled with nrs/names

@boldbeastsoft

Yes, I read the page ec3705f.
It says the daemon "magiskd" allows only magisk_client to connect to it. I believe it's necessary, and it's good.
But the daemon "bbrecserver" doesn't need the same rules. Obviously they are different, and they need different rules. Forcing them to use the same rules is simple, but not right.

The daemon "magiskd" uses the magisk domain, maybe all other child processes created by magiskd should not use the magisk domain, instead they should use another domain like magisk2, and set different rules for it? I think this is reasonable.

@topjohnwu
Owner

topjohnwu commented Oct 22, 2020

@boldbeastsoft please check out my Twitter thread explaining this change. It also has a solution that most likely will work in your case. Please do not go through the magiskpolicy route as it is unnecessary and opens up holes in the user's system. https://twitter.com/topjohnwu/status/1318838609189900288

@WimVDK
Author

WimVDK commented Oct 22, 2020

@boldbeastsoft I hope you can fix this then because I want/need the only working good call recorder back.

@QkiZMR

QkiZMR commented Oct 30, 2020

@boldbeastsoft can you provide fixed selinux policies in your magisk module? I was using it on my previous phone and it worked fine.

@boldbeastsoft

Please see [163] in this page http://www.boldbeast.com/android/call_recorder_troubleshooting.html

@WimVDK
Author

WimVDK commented Oct 30, 2020

The problem with using modules (from my end) is that when an Android update comes along, installed modules can prevent the OS from booting if something in the module causes a conflict.

This needs to be fixed OUTSIDE of using a module, OUTSIDE of using an outdated Magisk you're recommending, OUTSIDE of recommending permissive selinux.

You need to fix the app to use the proper IPC calls.

@boldbeastsoft

We'll change the app to use new IPC calls. A lot of work to do.
At this moment please see the link above to know how to let it work.

@WimVDK
Author

WimVDK commented Oct 30, 2020

Excellent! Any ETA? Are we talking a few weeks, a few months? I don't suppose v14 uses them?

You have my username on the boldbeast forums, I'll be happy to test versions prior to play store or public site release.

@boldbeastsoft

Maybe a few weeks.

@henk-jan

it seems to be solved

@WimVDK
Author

WimVDK commented Dec 1, 2020

What boldbeast version?

@boldbeastsoft

Please update Boldbeast Recorder in your phone to the latest version (currently V14.3). The problem has been fixed. Now just install the app and go, no need to touch any selinux policies.

@WimVDK
Author

WimVDK commented Dec 1, 2020

will do!
