A11 broke boldbeast callrecorder, not working even with canary #3264
Comments
Previously I thought the line [allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);] was used to allow apps to connect to the magisk domain, but actually it's not. My fault, sorry. Indeed it seems Magisk V21 completely banned apps from connecting to a magisk daemon via unix_stream_socket. Only the magisk_client process can connect, but an app can't. |
You're on GitHub too? Nice. So can you work around this? Can it be fixed? Really need my call recorder back :) |
If you claim it's an SELinux issue, then it is very easily identifiable by showing audit logs from logcat when callrecording failed. Please record full logcat and provide it to prove the claim, and also that is the only way I can fix it (so I can add additional rules by looking at audit logs.) |
It fails at the moment because I can't enable the root-requiring options it needs for 2-way recording. Without 2-way recording, I can't get you those logs (if they would be needed). The request for root never reaches Magisk, I assume. The best log I could possibly get you at this point would be to try and enable them and then grab logs. Corona Unless boldbeast can work around this change |
@topjohnwu thank you for your reply. At this moment I don't have the phone environment myself. |
If I knew how, but I only have 1 phone. I can't call myself and in order to provide accurate logs I guess the root options need to be enabled. As you are aware, I can't enable the root options because the prompt doesn't reach Magisk, which is something only you can fix. If I were to guess, if the root request would reach Magisk on Android 11, I would be able to enable the root-requiring options and recording would work just fine.
Normally:
Boldbeast setting 'enable rooted options' gets activated > sends root request > Magisk 'receives' request and asks for approval > approval granted > root options enabled
Current situation on A11:
Boldbeast sends root request > root request does NOT reach Magisk > no Magisk approval request > root options can't get enabled > boldbeast errors out with error '-3 ...' as you are aware.
The only way I can see this fixed at the moment is a new boldbeast version that fixes that root request. You said it yourself
|
@WimVDK Can you please:
Thank you. |
@WimVDK Thank you for the logcat file. The related line is this: |
@topjohnwu any news? |
Hope @topjohnwu has time to check the logcat file. |
@boldbeastsoft what are you trying to do here? Why do you need to read files from the magisk client process? |
@topjohnwu Now on Magisk 21 our app fails to connect to the daemon by unix_stream_socket because of the new selinux policies in Magisk. If we set selinux to permissive it works at once. According to the Magisk document, our app is supposed to connect to the "magisk" domain. But from the logcat file we saw the app actually is trying to connect to the "magisk_client" domain on Magisk 21. Don't know why. We changed nothing in the app.
App Java:
Process process = Runtime.getRuntime().exec("su");
Daemon (bbrecserver):
main() {
App Native:
int socketfd = socket(AF_UNIX, SOCK_STREAM, 0);
On Magisk 20 it works well.
|
And just for the sake of being thorough here. I'm not going to set my SELinux to permissive. That's too big of a security risk. |
@topjohnwu any update? |
@boldbeastsoft What is your |
@boldbeastsoft Maybe the only possible situation is that something makes the context of You can run to check the context of
|
When I try that over adb shell I get
Recorded files of previous android (working recorder) are stored in /storage/com.boldbeast.recorder/rec |
@RikkaW
ps -AZ | grep bbrecserver
The daemon bbrecserver is in the "magisk" domain, just as expected. I investigated it further. Calling connect() from the app failed, but the system actually generated no logs. Then the app tried to detect whether or not the daemon was running but was blocked by selinux policies. It iterated pids in the /proc folder to open the file /proc/pid/cmdline and search for the string "bbrecserver" in the file to achieve the goal. This made the system generate the log "avc: denied { read } for comm=4173796E635461736B202332 scontext=u:r:untrusted_app:s0:c179,c256,c512,c768 tcontext=u:r:magisk_client:s0:c179,c256,c512,c768 tclass=file permissive=0". So,
|
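A triage helper for the audit logs requested in this thread, added here as an example and not code from Magisk or Boldbeast: it parses avc lines from logcat, decodes a hex-encoded comm field like the one in the denial quoted above, and groups denials by source type, target type, class and permission. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# The denial quoted in the comment above, verbatim from the page.
PAGE_LINE = ('avc: denied { read } for comm=4173796E635461736B202332 '
             'scontext=u:r:untrusted_app:s0:c179,c256,c512,c768 '
             'tcontext=u:r:magisk_client:s0:c179,c256,c512,c768 '
             'tclass=file permissive=0')
# Constructed sample (not from the page): logcat prefix, quoted comm, extra field.
CONSTRUCTED_LINE = ('W example : type=1400 audit(0.0:1): avc: denied { getattr } '
                    'for comm="example" path="/proc/1/cmdline" '
                    'scontext=u:r:untrusted_app:s0:c1,c2 tcontext=u:r:init:s0 '
                    'tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_comm(raw):
    """Audit quotes plain names and hex-encodes names with spaces or odd bytes."""
    if raw.startswith('"'):
        return raw.strip('"')
    if len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def selinux_type(context):
    """Return the type from a user:role:type:level[:categories] context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group(3)))
    return {'result': m.group(1), 'perms': tuple(m.group(2).split()),
            'comm': decode_comm(f.get('comm', '')),
            'source': selinux_type(f.get('scontext', '')),
            'target': selinux_type(f.get('tcontext', '')),
            'tclass': f.get('tclass', ''), 'enforced': f.get('permissive') == '0'}

def summarize(lines):
    """Count denials per (source type, target type, class, perms)."""
    recs = (parse_avc(l) for l in lines)
    return Counter((r['source'], r['target'], r['tclass'], r['perms'])
                   for r in recs if r and r['result'] == 'denied')

if __name__ == '__main__':
    for key, n in summarize([PAGE_LINE, CONSTRUCTED_LINE]).items():
        print(n, *key)
```

Feeding it a saved logcat file line by line gives a short list of distinct denials instead of raw log noise.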
The SELinux changes from Magisk are to prevent crazy apps that detect root by scanning all sockets. So it cannot be changed from Magisk side. If you want to unix socket from "app" to "magisk", the simplest way is to use
Replace Note this will not work on some devices (e.g., Huawei device does not allow any SELinux policy change after boot). So it's better to do with Magisk module, you can read the document of Magisk. Furthermore, the best way should be to use binder which has no SELinux issue (and binder is the best IPC method when communicating with Android app process). You can see topjohnwu/libsu or Chainfire/librootjava. Behind them, a Java class specified by you is started by
|
Thanks for the information. However using magiskpolicy to change selinux policies is not so good, because Google Play store will ban the app. We dare not to do so in the app. And it seems Magisk Repo stopped accepting modules for a long time. Switching to binder needs a lot of work to change the code. Now that the new policies have this line inside: |
Checking logs is another way to detect Magisk. |
Magisk v21 added the ability to install modules directly ( About the policy change, it seems you have some misunderstanding, John Wu's commit (ec3705f) has super detailed message about it. |
Play store version is irrelevant to me, I'm using the non-play version so calls are still labelled with nrs/names |
Yes, I read the page ec3705f. The daemon "magiskd" uses the magisk domain, maybe all other child processes created by magiskd should not use the magisk domain, instead they should use another domain like magisk2, and set different rules for it? I think this is reasonable. |
@boldbeastsoft please check out my Twitter thread explaining this change. It also has a solution that most likely will work in your case. Please do not go through the |
@boldbeastsoft I hope you can fix this then because I want/need the only working good call recorder back. |
@boldbeastsoft can you provide fixed selinux policies in your magisk module? I was using it on my previous phone and it worked fine. |
Please see [163] in this page http://www.boldbeast.com/android/call_recorder_troubleshooting.html |
The problem with using modules (from my end) is that when an Android update comes along, installed modules can prevent the OS from booting if something in the module causes a conflict. This needs to be fixed OUTSIDE of using a module, OUTSIDE of using an outdated Magisk you're recommending, OUTSIDE of recommending permissive selinux. You need to fix the app to use the proper IPC calls. |
We'll change the app to use new IPC calls. A lot of work to do. |
Excellent! Any ETA? Are we talking a few weeks, a few months? I don't suppose v14 uses them? You have my username on the boldbeast forums, I'll be happy to test versions prior to play store or public site release. |
Maybe a few weeks. |
it seems to be solved |
What boldbeast version? |
Please update Boldbeast Recorder in your phone to the latest version (currently V14.3). The problem has been fixed. Now just install the app and go, no need to touch any selinux policies. |
will do! |
After updating to A11 my call recorder (boldbeast call recorder) was no longer able to record calls even while having rooted options enabled. After talking with the developer it seems 4dacffd this commit should fix that problem. However I'm running the latest canary (64effe9) magisk and manager, patched but still no go.
Just contacted boldbeast dev again yesterday, and they said the SELinux problem is still there.
Any idea how I can see if this commit has been merged? Kinda need my recorder back as I use it to keep track of job interview calls etc...
boldbeast dev when I first made contact (Sept 11th oddly enough) said the following