ROM - selinux disable or create new rules - Android Software/Hacking General [Developers Only]

I am trying to modify my phone rom to fit it with microg and I have successfully deodexed it and applied signature spoofing patch. But it started to go into bootloop, after adding some logging I have figured out that patched services.jar is triggering selinux protection. Normally on linux it is quite simple to disable but on android I am unable to find a way to disable it without recompiling kernel, where I feel too much of a greenhorn to do it.
Is there a "simple" way to modify system.img (android 9) to disable or put selinux into permissive mode or change selinux rules?

Related

iSu [V7.6][5.1+] Simple app to deactivate activate LineageOS SU at will

I know that there are many tools, apps, etc. to disable or hide SU.
I decided to make this just because those didn't work on my device back in 2016 and/or on the CyanogenMod/LineageOS ROM that I use, so I assume this happens to other CyanogenMod/LineageOS users too. I started this thread and made this app that can help to pass a safety net test on any rooted device (hide SU only when using Lineage add on SU), as it is no longer just a SU hider app, it is a little more.
This is only for the CyanogenMod/LineageOS SU binary, aka CM-SU; CM-SU only works with CyanogenMod/LineageOS ROMs and ROMs that use their source code as a base.
That can be downloaded from the LineageOS download page, click here to see
No, it doesn't work with SUPERSU or any other SU that is not based on CM-SU
No it doesn't support Xposed Hide, if you use Xposed you can't pass safety net with CM-SU.
No it doesn't support AB devices (devices with two system partition) that can't be mounted as rw dynamically in android.
What is iSu?
A simple app to help the user pass the safety net test on CyanogenMod/LineageOS or any CyanogenMod/LineageOS based ROMs.
I personally tested this on Marshmallow and Nougat CM based ROMs and it works 100%; it also supports Lollipop, but KitKat and older OSes are not supported.
How To use it?
read Installation instructions, download Folder with instructions on the bottom of the post
Download and Install the app as a normal app, if you wanna the full app support, use a ROM with the supported SU version (CM-SU), download Folder with instructions on the bottom of the post
if on Marshmallow or Lollipop flash the zip (iSu_kernel_Reboot_Support), download Folder with instructions on the bottom of the post
Learn how to use the app, below instructions
How To pass safety net?
Su deactivated (demanding)
SELinux enforced (demanding)
Android debugging deactivated (not demanding for all devices)
Props known props or special props can't have a red warning (demanding)
Below are some samples of fails or pass:
PASS
*Android debugging only affects some devices, disable if you don't need it.
*In props if there is props with a red warning that may be the reason of the fail if SU and SELinux is set as the above.
If you have SU active you will always fail
FAIL everything
*Fail because SU is Activated
If you have SU deactivate you will not always pass
FAIL everything 2
*Fail because SELinux is in Permissive
If you have SU and SELinux on a correct position you may not always PASS, because some props cause fail of ctsProfile
FAIL ctsProfile
*The above fail because ro.boot.verifiedbootstate
*Some props may or may not cause full FAILS or a FAIL of ctsProfile
Detailed app function description?
The app is divided in 5 tabs (Checks, Controls, Monitor, Props and Settings), plus widgets and tiles; below is a detailed description:
Checks
Basic information about the application, the main start tab. If it shows a red warning on the SU state options, it is because your current SU is not supported and the app will work with limited functionality.
SU State, current user SU version and reboot support status
Update, Check for iSu updates
Safety Net test, Let the user try the safety net status, in case of fail it will tell what fail and current SU, SELinux and ADB state as those if on wrong position will cause the fail
Log, Generate a full logs of information about the device and how the app is running, in case of a problem share the log.zip on the thread and explain the problem
Controls
The main control tab, be aware there is extras actions for this controllers in settings tab
SU, Changes and show SU state. This function only works with CM-SU
SELinux, Changes and show SELinux state, plus allow user to fake enforce Selinux for devices that have problems when running with SELinux enforced
Android debugging, Changes and show Android debugging state
Tasker, Info about how to control the app using Tasker
Monitor
This tab only works with CM-SU
A Service to monitor when foreground app starts then, activate or deactivate SU and SELinux or ADB (base on settings options).
App monitor, Status and access to accessibility service.
Don't Care List, Select the apps that will not have effect to App monitor, when a foreground app start.
Deactivate SU, Select the apps that will deactivate SU when started
Automatic Re-Activate SU, If this switch is on, will automatic active SU when leave the app that deactivated SU
Activated SU, Select the apps that will activate SU when started
Automatic Re-Deactivate SU, If this switch is on, will automatic deactivate SU when leave the app that activated SU
Props
A tab to change the value of any ro.prop or read-only prop, using the resetprop applet from Magisk to make a tool to modify any ro.prop on the go; there is also a list of known props that can cause safety net to fail, with their safe or unsafe value
Read Only editor, List of ro props and the ro props changed by the user
Special Props, Known props that have a complicated value that can't be defined as OK or NOK
Known props list, just an explanation about safe, unsafe or unknown values
Force set all Known props, Click to force all Known Props to the chosen value
Known props, the real list of known props and their current value, click to change
Settings
Basic application setting, extra controls and notifications
Application, Allow to force language to English
SU, Extra SU options allow to deactivate it on boot This function only works with CM-SU
App monitor, Allow delays to app monitor This function only works with CM-SU
Props, Allow to apply props changes on boot
Notifications, Enable disable notifications or toast's of SU state This function only works with CM-SU
SELinux, Extra control of SELinux state based on SU state changes. This function only works with CM-SU
Android debugging, Extra control of Android debugging state based on SU state changes. This function only works with CM-SU
Widgets and tiles
The app has widget and tiles that can be used to control the app Controls
Widgets They only work with CM-SU for SU changes
Mono Widget, Allow to change and read SU state, it also work with Settings extra controls (Notifications, SELinux and Android debugging)
Dual Widget, Allow to change and read SU or SELinux state, it also work with Settings extra controls (Notifications, SELinux and Android debugging)
Tiles Only visible on Nougat
SU tile, Allow to change and read SU state, it also work with Settings extra controls (Notifications, SELinux and Android debugging)
iSu tile, Click to open the app
Installation instructions:
Download Folder: Click Here
There are three files, description:
iSu_X_x.apk Install the apk as a normal app.
iSu_kernel_Reboot_Support_V_X_x_and_up.zip Flashable zip, flash only if you are running Marshmallow or Lollipop
Explanation of the above, iSu only need flashable reboot support for Marshmallow or older OS.
The kernel reboot support: these files prevent losing SU access after a reboot with SU deactivated.
Old reboot support, in case the current one fails
Old reboot support download Folder: Click Here
iSu_kernel_Reboot_Support_V_X_x_and_up_Enforcing.zip Flashable zip, use only one zip, if running Marshmallow or older
iSu_kernel_Reboot_Support_V_X_x_and_up_Permissive.zip Flashable zip, use only one zip, if running Marshmallow or older
Explanation of the above, iSu only need flashable reboot support for Marshmallow or older OS.
The kernel reboot support: use only one (enforcing or permissive); these files prevent losing SU access after a reboot with SU deactivated.
Use the one based on your current SELinux status. To check on your device, look in settings > About a phone > SELinux Status to see if it is enforcing or permissive; some CM ROMs run with SELinux in Permissive, so check yours.
Be aware!!
Updating CM/Los nightly or any ROM update of any CM/Los based ROM will remove the changes made by the zip, so it is necessary to re-flash those .zip files after any ROM update; it may also be needed with some custom kernels from developers that use a boot.img to share the kernel (check your kernel zip content to know).
If you forget to flash the .zip in an update and have lost ROOT, don't worry, just go back to recovery and flash it; after the reboot all will be good.
The files below are obsolete after V3.6 of the app; see the old_version folder in the main download folder for those files, just for reference, no longer supported
iSu_kernel_cmdline_Patch_V_X_x_and_up.zip
The kernel_cmdline is only needed for some devices that, after deactivating SU with the app, still can't pass the safety check. Google is using kernel and bootloader arguments to determine that the user modified the stock SW (AKA is using a custom ROM) and prevent it from passing as "safe"; this adds extra safe arguments to the cmdline and helps to achieve the pass. Currently it only supports some devices (Nexus and Motorola, maybe others; post on the thread your device/vendor if the zip helps you)
iSu_kernel_defaultprop_Patch_V_X_x_and_up.zip
This is only for those that have apps that use rootbeer SU detection...
explain in this post (Click here).
After flashing defaultprop_Patch zip the user will no longer have access to the option in Settings > Developer options > Root access
But that is not a problem as the same zip will enable root by default so you can use without changing that option.
XDA:DevDB Information
iSu, App for all CyanogenMod/LineageOS devices (see above for details)
Developer donation link:
To donate via paypal click here
No other donation option is available.
Contributors
All Contributors can be seen on GitHub, click here
fgl27, I use osm0sis Anykernel2 for the kernel zip
App Source Code: https://github.com/fgl27/isu
Extra App credits: iSu readme credits
Version Information
Status: Stable
Current Stable Version: Check latest version in Download folder
Changelog
Created 2016-Oct-03
Last Updated Check latest version
Changelog
Last app version Click to Download
Awesome work! Glad I accidentally stumbled on to this. Magisk stopped working to hide root but this is still good. Woot!:good:
edit: In your isu.sh, shouldn't the end of the script be:
Code:
mount -o ro,remount /system
# instead of
umount /system;
edit 2: For anyone who wants to build their device/kernel with support baked in, so they don't have to patch, I distilled the changes down from your git and created this patch:
https://github.com/blastagator/cm_d...mmit/79118c58fee32d10aa75464ee95751c7e6b8fdc5
This should be a good basis for others to manually patch in support. Working well on my custom cm13 builds.
blastagator said:
Awesome work! Glad I accidentally stumbled on to this. Magisk stopped working to hide root but this is still good. Woot!:good:
edit: In your isu.sh, shouldn't the end of the script be:
Code:
mount -o ro,remount /system
# instead of
umount /system;
edit 2: For anyone who wants to build their device/kernel with support baked in, so they don't have to patch, I distilled the changes down from your git and created this patch:
https://github.com/blastagator/cm_d...mmit/79118c58fee32d10aa75464ee95751c7e6b8fdc5
This should be a good basis for others to manually patch in support. Working well on my custom cm13 builds.
Thanks. For me it was similar: Magisk did not support my device, so users complained to me about support; as I did not manage to make Magisk work on my device, I managed to make this, which seems to be 100% for most non-rooted apps.
regards the RW/RO
Theoretically yes, but things were a little odd when I first started testing this... for the simple reason that if we don't mount system as RW we can "hide" or "un-hide" SU, because it needs to be moved and system boots in RO, and if it is left mounted as RW the safety net check will not be successful even if SU is hidden; but after some safety net update on the Google side, mounting it as RO at the end was not working in the .sh and the unmount was. Maybe it was some other related problem, but it works so I did not change it...
So I kept the unmount and did not test any more after, and in the Java code every time the switch is used it starts with RW and ends with RO, and that does the trick...
I have update the reboot support and the app for Nougat, Selinux is a little more restricted on N and I did not had the time to test a universal .zip to support N as the changes I did in the ROM I build are a little more time demanding to make it right, or not I really only have my build to test on my devices as N is just starting there is no other ROM, I really need another ROM that doesn't have any of my changes to test and really make it fully work with a simple .zip
But everything is also fully working on N, CM did not change the SU binary; safety net, Pokémon and payment apps are all good, at least for now...
:good:
I update the project for N but I only manage to fully test on my ROM so if any one try and have problem read #3 post and report on the thread.
Hey guys, just tried out this in my Redmi Note 2 Prime with Bule's (cleaned) MoKee ROM CM12.1, and worked great, until now, because says, when I'm going to "hide" su, that the "su state change fail" Don't know for what it was, but if you can help me solving this, I would be grateful
Bhb thank you, using on my daughter's xt1254 phone now which runs cm 13.
---------- Post added at 03:16 AM ---------- Previous post was at 03:12 AM ----------
Shadow646 said:
Hey guys, just tried out this in my Redmi Note 2 Prime with Bule's (cleaned) MoKee ROM CM12.1, and worked great, until now, because says, when I'm going to "hide" su, that the "su state change fail" Don't know for what it was, but if you can help me solving this, I would be grateful
This is the reason for the kernel hack.
Without it you can lose root.
Dirty flash your ROM and if the kernel hack won't work
Then just be sure to set everything back to normal before any reboots.
I "THINK" then you would be okay.
mrkhigh said:
Bhb thank you, using on my daughter's xt1254 phone now which runs cm 13.
---------- Post added at 03:16 AM ---------- Previous post was at 03:12 AM ----------
This is the reason for the kernel hack.
Without it you can lose root.
Dirty flash your ROM and if the kernel hack won't work
Then just be sure to set everything back to normal before any reboots.
I "THINK" then you would be okay.
Yeah, I did that, but dunno if was because of that it failed, or not... I'm fine for now, reverting it whenever I close the game, I put su back Maybe it was because I was trying to cheat on PoGO, and didn't work with Fly GPS, and uninstalling the app in a bad way provoked that I will do a nandroid and try again
Shadow646 said:
Yeah, I did that, but dunno if was because of that it failed, or not... I'm fine for now, reverting it whenever I close the game, I put su back Maybe it was because I was trying to cheat on PoGO, and didn't work with Fly GPS, and uninstalling the app in a bad way provoked that I will do a nandroid and try again
Are you using the kernel support, have you flashed it in TWRP?
The app working in CM under 13 is OK, but the kernel support I have not tested in older than CM13, so I'm curious to know if it works. The only way to really test is to deactivate SU and then reboot: if you have SU active after, or if the app can activate SU after, then all is good; if you don't have it and/or can't activate it in the app, there is a problem...
the basic function of the kernel support is to have no problem after a reboot when you had disable SU, just like @mrkhigh point it out
So if you reboot with that off let me know the behavior if you can use and activate SU will be need a dirty flash of the ROM you are using...
When I have some time I will do some proper test in cm12.1 and only cm12.1 because my devices can only run that there is no older OS for me...
:good:
I update the app and kernel support to 1.5
Changelog and Download link first page post 2 and 3
In Downloads I add two kernel support one with selinux after boot in Permissive and other with Enforcing just check the zip name and check your device in settings > About a phone SELinux Status is using enforcing or permissive, this is need as some CM ROM Run with selinux in Permissive.
Any problem let me know.
bhb27 said:
Are you using the kernel support, have you flashed it in TWRP?
The app working in CM under 13 is OK, but the kernel support I have not tested in older than CM13, so I'm curious to know if it works. The only way to really test is to deactivate SU and then reboot: if you have SU active after, or if the app can activate SU after, then all is good; if you don't have it and/or can't activate it in the app, there is a problem...
the basic function of the kernel support is to have no problem after a reboot when you had disable SU, just like @mrkhigh point it out
So if you reboot with that off let me know the behavior if you can use and activate SU will be need a dirty flash of the ROM you are using...
When I have some time I will do some proper test in cm12.1 and only cm12.1 because my devices can only run that there is no older OS for me...
:good:
Well, now I reinstalled all just because I messed all up, again.
Turned off the phone with root off and no kernel support, tried to flash kernel support, and that would be OK, if I didn't "flash SuperSu" stuff when rebooting :silly:. That made the switch work, but didn't pass validation when using PoGO.
Then, had to reflash ROM, delete chinese stuff, reinstall all of my apps, and iSu, of course, while noticing that there was an update; installed the app and new permissive kernel, and from now, so far so good
Hope that I will keep it clean and working. Thanks for the suggestions btw
@bhb27 Installed and working on sprint htc m8 cm13. The kernel mod is installed but untested.
Great work! I can confirm it worked in my moto g 2014 running cyanogenmod 14.1 official. Pokémon go worked!
Thanks dev!
At last something that works! Running CM14.1 rom on my OnePlus 3 and it works!
Pokémon Go go go...
Thx dev!
HC4Life said:
At last something that works! Running CM14.1 rom on my OnePlus 3 and it works!
Pokémon Go go go...
Thx dev!
Now go find that ditto.
Would there be anyway to automatically trigger this for certain apps? This is the first root hiding method i've found that actually tricks Barclays Mobile Banking. Great work
LJAM96 said:
Would there be anyway to automatically trigger this for certain apps? This is the first root hiding method i've found that actually tricks Barclays Mobile Banking. Great work
:good:
No there isn't yet, is not all that hard to make but is timing I had no time for the last week to start the implementation, but is in my plans, probably still do this year.
BTW is always nice to be remember that the app can be used for other then to catch monsters :laugh:
You might want to consider removing selinux enforce from the kernel service script. If the ROM doesn't have proper SE policy, it could gum things up. I think the switch in the app is probably sufficient in the event user needs to toggle Enforcing to run an app. I don't believe enforcing on boot toggles anything, but I could be wrong since my ROM boots enforcing. Safety Net actually keeps working for me if I toggle to permissive.

Disable SELinux Module during Kernel Compile

I want to set SELinux to disabled or permissive (either one) when I compile my custom kernel. I have tried a few things:
1) setting DECONFIG_ALWAYS_ENFORCE to false
2) changing CONFIG_SECURITY_SELINUX=n to CONFIG_SECURITY_SELINUX=y in the /arch/arm/configs/XXX_defconfig file
3) removing references to SELinux in init.rc (I edited my ramdisk)
How do I set SELinux to disabled or permissive? I am on Marshmallow 6.0.1. Thanks!

Can anyone with Magisk test this module? (Samsung 7.0/Nougat)

I'm having an issue with a Magisk module that I've created for my Galaxy S6 Edge (G925T) to systemlessly replace the fonts. The module replaces most of the system fonts with a font called Arsenal, as well as changes emoji to Emoji One and the monospace font to Monoid. When I have it enabled, SafetyNet fails even with MagiskHide enabled (it didn't used to up until recently). I need anybody willing to test, running a Samsung-based ROM with Magisk and MagiskHide enabled, to do the following so that I can determine whether it's just an issue with my device, or if there may be new SafetyNet checks in place:
- Take a full backup with TWRP (just to be on the safe side)
- Ensure that SafetyNet is FULLY PASSING on your device before installing this module (both basicIntegrity and ctsProfile)
- Flash the zip attached in TWRP
- Ensure that the fonts have changed on your device
- Check SafetyNet again.
Then, answer the following questions:
What phone model do you have?
What ROM are you on?
What security patch are you on?
What kernel are you using?
Is SELinux/SE for Android Enforcing or Permissive?
What version of Magisk are you using?
Does SafetyNet pass?

Deodex stock oreo (signature spoofing)

Hello,
I want to use microG but I need to enable signature spoofing (don't want to use Xposed). When deodexing my services.jar I get stuck at the Samsung logo. Doesn't matter if manual with smali or nanodroid patcher.
My setup is s7 with twrp, no verity dm script and stock oreo with magisk root.
Is there something special I need to do? Remove knox? Selinux permissive?
Hope you can help me
FYI for other people with the same problem
I found a magisk module to do it for me: https://forum.xda-developers.com/apps/magisk/module-smali-patcher-0-7-t3680053
Just activated signature spoofing systemless. Now everything is working. Safety net passes when you hide magisk for micro g helper

custom kernel and private data

Is it secure for my personal data to install a custom kernel?
If the kernel you are installing is not permissive selinux then I would say yes it's secure and safe to use. Kernels are built many different ways, depending on how whatever developer compiles them and they have different things in them. Some focus on features, others speed, other kernels' main focus may be battery life or security. Just read the kernel changelog and search for things that you don't know and bookmark everything so you can return later and read more... That's what I do. But the answer to your question I'd say is as long as the kernel you install is not permissive selinux then yes it's safe to use a custom kernel.
flash713 said:
this message was translated with Google translation I apologize in advance if there will be any mistakes:
thank you for your answer i would just like to know how can we know if the custom kernel is selinux permissive.
The getenforce command is a Linux command for quick confirmation of the current SELinux mode. Used without any command line parameters, getenforce reports SELinux status with just one word.
This can be done using termux app from your phone if you are rooted. Just type su (push enter) then grant root when it pops up on phone screen and then type: getenforce the reply will be what the kernel is. Example: Nowadays the most common are Enforcing selinux. If it's enforcing it will reply: enforcing after running those commands.
Edit added: The kernel log and usually the op or first post of the xda thread where the kernel is will say what it is.
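The check described in the answer above, as an added example that is not part of the original posts: besides the runtime mode that getenforce reports, it also looks at the kernel command line, since a kernel can be told to boot permissive or with SELinux off. The function names are made up for this example, the sample command line in the comments is constructed, and reading /sys/fs/selinux/enforce and /proc/cmdline is assumed to happen from a root shell on the device.

```shell
#!/bin/sh
# Added example (not from the thread): report the SELinux mode from the
# runtime state and from the kernel command line. Function names are
# hypothetical; run the script from a root shell (su in Termux, or adb shell).

# Lower-case getenforce output and drop the CR/LF that adb shell may append.
normalize_getenforce() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '\r\n '
}

# Map the content of /sys/fs/selinux/enforce to a mode name.
# Empty input means selinuxfs is not mounted or could not be read.
selinux_mode_from_runtime() {
    case "$1" in
        1) echo enforcing ;;
        0) echo permissive ;;
        "") echo unavailable ;;
        *) echo unknown ;;
    esac
}

# Report the weakest mode a kernel command line asks for.
# selinux=0 and enforcing=0 are Linux boot parameters; androidboot.selinux=
# is read by Android init. Constructed sample input:
#   "console=ttyMSM0 androidboot.selinux=permissive androidboot.hardware=qcom"
selinux_mode_from_cmdline() (
    set -f                      # no globbing while word-splitting $1
    mode=unspecified
    for arg in $1; do
        case "$arg" in
            selinux=0)
                mode=disabled ;;
            enforcing=0|androidboot.selinux=permissive)
                if [ "$mode" != disabled ]; then mode=permissive; fi ;;
            enforcing=1|androidboot.selinux=enforcing)
                if [ "$mode" = unspecified ]; then mode=enforcing; fi ;;
        esac
    done
    echo "$mode"
)

# Combine both views: $1 = runtime mode, $2 = mode requested at boot.
assess() {
    if [ "$1" != enforcing ]; then
        echo "NOT ENFORCING: $1"
    elif [ "$2" = unspecified ] || [ "$2" = enforcing ]; then
        echo "OK: enforcing"
    else
        echo "WARN: enforcing now, but boot arguments request $2"
    fi
}

# Prefer getenforce when the binary exists, else read selinuxfs directly.
report() {
    if command -v getenforce >/dev/null 2>&1; then
        runtime=$(normalize_getenforce "$(getenforce 2>/dev/null)")
    else
        runtime=$(selinux_mode_from_runtime \
            "$(cat /sys/fs/selinux/enforce 2>/dev/null)")
    fi
    [ -n "$runtime" ] || runtime=unavailable
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    assess "$runtime" "$(selinux_mode_from_cmdline "$cmdline")"
}

report
```

A WARN result means the device is enforcing at the moment of the check even though the boot arguments ask for something weaker, so the mode was switched after boot or the request was ignored.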
