2019-02-07 00:09:53 8 Comments
I've installed an unofficial lineage OS 14.1 ROM on my phone and i want to have dnscrypt used on boot by default.
There is what i have done:
- Download arm binaries from: https://github.com/jedisct1/dnscrypt-proxy/releases
- Push dnscrypt-proxy in /system/xbin
- Push dnscrypt-proxy.toml in /etc/dnscrypt-proxy/
Created the following script: /etc/init.d/99dnscrypt
#!/system/bin/sh log -p i -t dnscrypt "Starting dnscrypt-proxy..." dnscrypt-proxy -config /system/etc/dnscrypt-proxy/dnscrypt-proxy.toml & log -p i -t dnscrypt "Changing dns with iptables..." iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
Reboot
Now if i launch 99dnscrypt as root from adb it works like a charm
But on boot it does not.
On logcat i see this errors:
02-07 01:00:22.369 267 267 I sysinit : Running /system/etc/init.d/99dnscrypt
02-07 01:00:22.540 275 275 I dnscrypt: Starting dnscrypt-proxy...
02-07 01:00:22.878 278 278 I dnscrypt: Changing dns with iptables...
02-07 01:00:23.236 277 277 W dnscrypt-proxy: type=1400 audit(0.0:28): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:23.236 277 277 W dnscrypt-proxy: type=1300 audit(0.0:28): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=274 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:24.238 277 277 W dnscrypt-proxy: type=1400 audit(0.0:45): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:24.238 277 277 W dnscrypt-proxy: type=1300 audit(0.0:45): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:28.242 277 277 W dnscrypt-proxy: type=1400 audit(0.0:82): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:28.242 277 277 W dnscrypt-proxy: type=1300 audit(0.0:82): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:29.233 277 277 W dnscrypt-proxy: type=1400 audit(0.0:94): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:29.233 277 277 W dnscrypt-proxy: type=1300 audit(0.0:94): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:30.234 277 277 W dnscrypt-proxy: type=1400 audit(0.0:105): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:30.234 277 277 W dnscrypt-proxy: type=1300 audit(0.0:105): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:31.235 277 277 W dnscrypt-proxy: type=1400 audit(0.0:121): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:31.235 277 277 W dnscrypt-proxy: type=1300 audit(0.0:121): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:32.236 277 277 W dnscrypt-proxy: type=1400 audit(0.0:145): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:32.236 277 277 W dnscrypt-proxy: type=1300 audit(0.0:145): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:33.247 458 458 W dnscrypt-proxy: type=1400 audit(0.0:146): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:33.247 458 458 W dnscrypt-proxy: type=1300 audit(0.0:146): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:34.248 458 458 W dnscrypt-proxy: type=1400 audit(0.0:147): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:34.248 458 458 W dnscrypt-proxy: type=1300 audit(0.0:147): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:35.249 458 458 W dnscrypt-proxy: type=1400 audit(0.0:148): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:35.249 458 458 W dnscrypt-proxy: type=1300 audit(0.0:148): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:36.250 458 458 W dnscrypt-proxy: type=1400 audit(0.0:149): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:36.250 458 458 W dnscrypt-proxy: type=1300 audit(0.0:149): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:37.251 458 458 W dnscrypt-proxy: type=1400 audit(0.0:150): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:37.251 458 458 W dnscrypt-proxy: type=1300 audit(0.0:150): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:38.242 458 458 W dnscrypt-proxy: type=1400 audit(0.0:151): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:38.242 458 458 W dnscrypt-proxy: type=1300 audit(0.0:151): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:39.244 458 458 W dnscrypt-proxy: type=1400 audit(0.0:152): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:39.244 458 458 W dnscrypt-proxy: type=1300 audit(0.0:152): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:40.245 458 458 W dnscrypt-proxy: type=1400 audit(0.0:153): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:40.245 458 458 W dnscrypt-proxy: type=1300 audit(0.0:153): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:41.246 458 458 W dnscrypt-proxy: type=1400 audit(0.0:154): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:41.246 458 458 W dnscrypt-proxy: type=1300 audit(0.0:154): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:42.247 458 458 W dnscrypt-proxy: type=1400 audit(0.0:155): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:42.247 458 458 W dnscrypt-proxy: type=1300 audit(0.0:155): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:43.248 458 458 W dnscrypt-proxy: type=1400 audit(0.0:156): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:43.248 458 458 W dnscrypt-proxy: type=1300 audit(0.0:156): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:44.249 458 458 W dnscrypt-proxy: type=1400 audit(0.0:157): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:44.249 458 458 W dnscrypt-proxy: type=1300 audit(0.0:157): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:46.251 458 458 W dnscrypt-proxy: type=1400 audit(0.0:185): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:46.251 458 458 W dnscrypt-proxy: type=1300 audit(0.0:185): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:47.252 458 458 W dnscrypt-proxy: type=1400 audit(0.0:186): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:47.252 458 458 W dnscrypt-proxy: type=1300 audit(0.0:186): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:48.243 458 458 W dnscrypt-proxy: type=1400 audit(0.0:187): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:48.243 458 458 W dnscrypt-proxy: type=1300 audit(0.0:187): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:49.254 458 458 W dnscrypt-proxy: type=1400 audit(0.0:188): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:49.254 458 458 W dnscrypt-proxy: type=1300 audit(0.0:188): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:50.255 458 458 W dnscrypt-proxy: type=1400 audit(0.0:189): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:50.255 458 458 W dnscrypt-proxy: type=1300 audit(0.0:189): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:51.256 458 458 W dnscrypt-proxy: type=1400 audit(0.0:190): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:51.256 458 458 W dnscrypt-proxy: type=1300 audit(0.0:190): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:52.257 458 458 W dnscrypt-proxy: type=1400 audit(0.0:191): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:52.257 458 458 W dnscrypt-proxy: type=1300 audit(0.0:191): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:53.259 458 458 W dnscrypt-proxy: type=1400 audit(0.0:192): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:53.259 458 458 W dnscrypt-proxy: type=1300 audit(0.0:192): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:54.260 458 458 W dnscrypt-proxy: type=1400 audit(0.0:193): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:54.260 458 458 W dnscrypt-proxy: type=1300 audit(0.0:193): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:55.261 458 458 W dnscrypt-proxy: type=1400 audit(0.0:194): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:55.261 458 458 W dnscrypt-proxy: type=1300 audit(0.0:194): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:56.262 458 458 W dnscrypt-proxy: type=1400 audit(0.0:195): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:56.262 458 458 W dnscrypt-proxy: type=1300 audit(0.0:195): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:57.253 458 458 W dnscrypt-proxy: type=1400 audit(0.0:196): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:57.253 458 458 W dnscrypt-proxy: type=1300 audit(0.0:196): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:58.254 458 458 W dnscrypt-proxy: type=1400 audit(0.0:197): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:58.254 458 458 W dnscrypt-proxy: type=1300 audit(0.0:197): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:00:59.255 458 458 W dnscrypt-proxy: type=1400 audit(0.0:198): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:00:59.255 458 458 W dnscrypt-proxy: type=1300 audit(0.0:198): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:00.256 458 458 W dnscrypt-proxy: type=1400 audit(0.0:203): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:00.256 458 458 W dnscrypt-proxy: type=1300 audit(0.0:203): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:01.257 458 458 W dnscrypt-proxy: type=1400 audit(0.0:204): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:01.257 458 458 W dnscrypt-proxy: type=1300 audit(0.0:204): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
02-07 01:01:02.258 458 458 W dnscrypt-proxy: type=1400 audit(0.0:207): avc: denied { create } for scontext=u:r:sysinit:s0 tcontext=u:r:sysinit:s0 tclass=udp_socket permissive=0
02-07 01:01:02.258 458 458 W dnscrypt-proxy: type=1300 audit(0.0:207): arch=40000028 syscall=281 per=800008 success=no exit=-13 a0=2 a1=80802 a2=0 a3=b674a934 items=0 ppid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 exe="/system/bin/dnscrypt-proxy" subj=u:r:sysinit:s0 key=(null)
What is the difference between executing this as root after boot and launch it from init.d? Any idea how i can solve this?
Related Questions
Sponsored Content
3 Answered Questions
1 Answered Questions
Init.d Script won't work to keep value
- 2017-11-07 17:28:31
- user243084
- 96 View
- 0 Score
- 1 Answer
- Tags: android-emulator init.d
1 Answered Questions
Fix SELinux contexts for a SU binary
- 2017-05-22 14:00:45
- nom
- 1130 View
- 0 Score
- 1 Answer
- Tags: 6.0-marshmallow root-access selinux supersu
1 Answered Questions
Init.d script trouble shooting
- 2016-12-08 00:36:32
- user199849
- 753 View
- 3 Score
- 1 Answer
- Tags: root-access lg-g3 disable-app init.d
1 Answered Questions
Link2SD Mount Script Error. [4]: can't create /system/etc/init.d/11link2sd: > Not a directory
- 2016-06-07 14:23:40
- 7_R3X
- 1029 View
- 0 Score
- 1 Answer
- Tags: internal-storage external-sd init.d
0 Answered Questions
Fix SELinux labels after restoring /data on CM 12.1
- 2016-01-05 01:07:38
- Isgar
- 135 View
- 1 Score
- 0 Answer
- Tags: cyanogenmod backup selinux rsync
1 Answered Questions
[SOLVED] How SElinux protects android from rooting
- 2015-08-23 09:00:38
- DevUt
- 1127 View
- 2 Score
- 1 Answer
- Tags: rooting root-access selinux
0 Answered Questions
SELinux context init_shell in boot.img permission denied with Android 5.0.2
- 2015-07-27 08:20:13
- Mr. Fish
- 1307 View
- 2 Score
- 0 Answer
- Tags: 5.0-lollipop permissions selinux
1 Answered Questions
[SOLVED] remove the script in init.d
- 2015-06-04 07:53:37
- anindyo
- 4988 View
- 0 Score
- 1 Answer
- Tags: init.d
1 comments
@Irfan Latif 2019-02-10 18:31:48
Pardon me if I fail to sum up the wast subject in a brief answer :)
SELINUX AND AVC DENIALS
Android is based on Linux kernel that makes use of Discretionary and Mandatory Access Controls (DAC, MAC) to restrict access to system resources such as files on a certain filesystem. DAC includes classic UNIX
RWX
file modes, owner/group or UID/GID, Extended Attributes and Access Control Lists. XATTR and ACL are rarely used filesystem related attributes, though MAC also makes use of XATTRs. Root user (UID: 0) is thesuper user
(administrator) within DAC mechanism which can bypass all permission checks imposed by kernel. To make controls more fine-grained, authorities of root user are further divided in subgroups called capabilities.Coming to MAC, SELinux and AppArmor are commonly used Mandatory Access Control mechanisms. In SELinux model, every file/process is labeled with a context and rules are defined to allow a context access the other.
Say, we want to run command
ls
with contextmy_process
on a file with contextmy_file
, rule must be defined to allow this access:Otherwise access will be denied with error something like:
* File SELinux labels can be changed with
chcon
while processes can be started with a given context usingruncon
command.SELINUX ON ANDROID
Android uses SELinux as part of its security implementations. When a ROM is compiled for a specific device, thousands of SE Policy rules are defined to allow all possible desired accesses. These rules are compiled into a binary file
/sepolicy
which is placed at root of initramfs inboot.img
. This file is loaded during early boot process byinit
; the very first process that starts all other processes.Init also starts different processes/services with different contexts as defined in their init *.rc files.
All filesystem labels are stored in multiple files saved in rootfs or at
/system/etc/selinux/*_contexts
,/vendor/etc/selinux/*_contexts
etc. These labels can be restored byrestorecon
command.ROOTING AND SELINUX
Now if you want to start a process with different context that hasn't been explicitly allowed in SE Policy, you need to define new rules. However that's not possible under normal circumstances as DAC, MAC and capabilities together won't let you do that. Here comes rooting the phone; let's take example of Magisk.
Magisk starts a daemon as an init service that lets any non-privileged process ask for super user rights. So the problem of UID 0 and lack of capabilities is resolved. In order to address SELinux denials, Magisk defines two new contexts:
magisk
for proccesses andmagisk_file
for filesystem. Then rules are defined to allow all access attempts from/to these contexts and/sepolicy
is replaced with modified policy file. From now onward any processes running with Magisk rights won't be disallowed from doing anything. This could be really dangerous.Now coming to your question,
You are starting a process with context
u:r:sysinit:s0
which isn't allowed in policy to access all resources it needs. So what you can do is:OPTION 1:
Run init.d scripts with root's privileges and forget about denials; DAC or MAC. Magisk, for instance, executes scripts placed in
/data/adb/*.d
directories on boot.But as a common practice, processes shouldn't be given unnecessary privileges.
OPTION 2:
Set SELinux permissive:
But it disables SELinux for whole device which isn't recommended. So instead:
OPTION 3:
Set only
sysinit
topermissive
:* supolicy tool is part of Magisk to manipulate SELinux policy. You can also use sepolicy-inject or similar tool.
All of the above solutions are a quick workaround but if you don't want to leave anything loose, go ahead.
OPTION 4:
We can define SEPolicy rules for
sysinit
context and save that as our default policy to be loaded on boot. For instance, avc denial in your log:can be converted to an SEPolicy rule:
sysinit
is an init service added to some custom ROMs that executes scripts under/system/etc/init.d/
, but it's not a standard AOSP service and the UID, GID, supplementary groups, capabilities and SELinux contexts that this service runs with may differ on different devices.So in a more general perspective, let's create a new
dnscrypt-proxy
init service with desired context and additionally with desired UID/GID/groups/capabilities to grant least required privileges.HOW TO ADD CUSTOM INIT SERVICE TO ANDROID?
/system/xbin/dnscrypt-proxy
Create directory
/etc/dnscrypt-proxy
, configuration file/etc/dnscrypt-proxy/dnscrypt-proxy.toml
and optionally/etc/dnscrypt-proxy/blacklist.txt
if needed.dnsmasq
server will fail to listen on pre-occupied port 53 when tethering is turned on, causing hotspot to fail.dnscrypt-proxy
, Private DNS should be disabled.Create
/etc/init/dnscrypt-proxy.rc
.socket
), and should have capability NET_BIND_SERVICE (bind
to socket).If you are using a firewall (like AFWall+) to block outbound traffic, you need to explicitly allow UID 999 on every boot:
Define SEPolicy rules:
In the same way:
That's what works for me on AEX Pie ROM. However the labels and contexts may slightly differ on different Android versions and on different phones.
For testing, you can set SELinux permissive on boot by adding a line temporarily to
dnscrypt-proxy.rc
file:Then use
dmesg
to see avc denials and define any further rules.Save and load policy file.
Live injecting a large number of rules to policy takes longer. Since these rules need to be loaded on every boot, save them as default sepolicy file.
boot.img
and replace the/sepolicy
file with yours. In this way the service will work even if the phone is not rooted.However if you don't want to modify
boot.img
, you can take support from Magisk to load custom policy on boot before thednscrypt-proxy
service is started. It's because eveninit
on its own can't load any custom policy once SELinux is set enforcing after loading default policy.Set permissions and fix contexts:
Reboot.
You have a harmless, innocent-looking
dnscrypt-proxy
service running on your device.@beeshyams 2019-02-10 19:56:34
+1. As ever very detailed :)
@wellsaid 2019-02-13 12:03:34
Hi, this seems very promising! however in my rom (based on lineage OS 14.1) adding /etc/init/dnscrypt-proxy.rc does not seem to start the process (file permissions seem right). How can i verify its working? Furthermore i have no supolicy command.
@Irfan Latif 2019-02-13 12:52:43
Set SELinux permissive for testing initially. May be you need to define extra AVC rules. Once everything is in place, switch to enforcing mode.
logwrapper
writes to Android's logcat, so you can confirm bylogcat | grep dnscrypt
.supolicy
comes with Magisk.@wellsaid 2019-02-14 14:20:26
Thanks for all the help, i will give it a shot when i have time. In the mean time i have installed magisk and i have found this module: github.com/Magisk-Modules-Repo/dnscrypt-proxy. It does exactly what we are trying to accomplish right?
@Irfan Latif 2019-02-14 15:12:41
Yeah seems so, but I haven't given it a try.