| Maxdamantus | Hmm.. Seems to be working fine the second day, though my connection is now going through `nc` rather than a silly localhost ssh socks proxy. | 02:01 |
|---|---|---|
| Maxdamantus | (I noticed that I wasn't actually able to use mobile data as my non-root debian user, so I just ran `ssh 127.1 -D1080` as root and connected through that instead) | 02:03 |
| Maxdamantus | Now I'm just using some sudo script that connects using `nc` (as root, so I can still do it over cellular) | 02:04 |
| Maxdamantus | Wonder if ProxyUseFdpass works over sudo (to avoid needing the `nc` process running. I imagine it should, will try later) | 02:12 |
| Maxdamantus | Actually, now that I think about it, the question will be whether my traffic on the socket will be allowed, since it was created by root, but used by a different user. | 02:18 |
| Maxdamantus | Seems like some of the Android things are based on UID restrictions instead of following a unix fd capability model. | 02:19 |
| bencoh | Maxdamantus: a lot of it is selinux-based | 10:46 |
| Maxdamantus | Yes, that too, which is a similar model. | 10:47 |
| Maxdamantus | Though I've got that part under control at least. | 10:47 |
| Maxdamantus | (similar in that it's not based on a capability model, which is cleaner) | 10:48 |
| Maxdamantus | (namespaces would be the way to do things based on capabilities instead of using selinux; namespaces would be a lot cleaner and easier to understand imo, but I guess they started doing this stuff before namespaces seemed like a viable option) | 10:50 |
| bencoh | I think namespaces were a thing, but far less powerful | 10:52 |
| bencoh | and namespaces aren't exactly bullet-proof anyway, especially non-root ones | 10:52 |
| bencoh | (see all the security issues/bugs that were reported over time regarding non-root containers and the likes) | 10:53 |
| Maxdamantus | You mean root ones? | 10:53 |
| bencoh | iirc I'm referring to user_namespaces | 10:53 |
| Maxdamantus | Ah, you mean issues around unprivileged namespaces. | 10:53 |
| bencoh | yeah | 10:53 |
| Maxdamantus | Sure, that's one of the reasons why they might not have seemed viable at the time. | 10:54 |
| Maxdamantus | (though practically speaking you shouldn't actually have needed unprivileged namespaces to achieve what they needed) | 10:54 |
| bencoh | (they could get around it, but it sounds even more like a pain) | 10:55 |
| Maxdamantus | I think unpriveleged namespaces are considered fairly safe nowadays. Even Redhat has them enabled now by default. | 10:55 |
| bencoh | oh? interesting | 10:55 |
| Maxdamantus | actually, maybe Redhat isn't a very good example, because of podman. | 10:55 |
| Maxdamantus | but Debian also enabled them recently. | 10:55 |
| Maxdamantus | I guess to some extent it's a question of what provides more security: keeping unprivileged namespaces disabled because of potential exploits, or enabling it so that non-root users can run programs in isolated environments. | 10:56 |
| Maxdamantus | so eg, podman is what Redhat now encourages people to use instead of docker, and it's basically just a "rootless" docker. | 10:57 |
| Maxdamantus | if you want to run some random stack of software, you can do it securely using podman: podman run --rm -it "$(podman build .)" | 10:58 |
| Maxdamantus | Just run that in a directory with a Dockerfile, and you'll end up running some random software in such a way that it can't mess with your computer. | 10:59 |
| Maxdamantus | anyway, the fd passing does work, so the permissibility of the socket must just be decided either at `socket()` or `connect()` time. | 11:14 |
| Maxdamantus | Will probably try to figure out later how it decides which UIDs are allowed to create those sockets when using mobile data. | 11:16 |
| bencoh | wait, did that cause your disconnection issues? | 11:20 |
| Maxdamantus | No. | 11:20 |
| bencoh | you might want to have a look at CONFIG_ANDROID_PARANOID_NETWORK btw | 11:21 |
| Maxdamantus | Yes, I'm aware of that. That restricts general network access to certain GIDs, which my user has (without those GIDs, it can't access the network on WiFi either) | 11:22 |
| Maxdamantus | WiFi works fine. It's just mobile that's restricted. | 11:23 |
| Maxdamantus | Actually, mobile works too if I disable data saver, but I'd like to keep that enabled and just figure out to put myself on that whitelist. | 11:26 |
| Maxdamantus | $ cmd netpolicy add restrict-background-whitelist 31000 | 11:39 |
| Maxdamantus | java.lang.IllegalArgumentException: cannot apply policy to UID 31000 at com.android.server.net.NetworkPolicyManagerService.setUidPolicy(NetworkPolicyManagerService.java:2646) | 11:39 |
| Maxdamantus | Need to make it get past that condition that checks that the UID corresponds with an app. | 11:40 |
| Maxdamantus | Okay, so that Java code ultimately just updates a "/data/system/netpolicy.xml" file which contains some whitelists and blacklists of UIDs, and it notifies something else that it's changed, so something else must read that file and do something to the kernel. | 11:43 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!