Error on Android L #26

Closed
insanum opened this issue Oct 20, 2014 · 34 comments

@insanum

insanum commented Oct 20, 2014

I was playing around with the latest developer preview of Android L and noticed that Tinc is broken. When I start the service I see the following error:

error: only position independent executables (PIE) are supported
tincd terminated

@Vilbrekin
Owner

Thanks for the report. This is annoying however, as PIE had to be removed to allow compatibility with some devices (see #8 and #9)... Not sure how to handle this one.

@luckyhacky
Contributor

I think Android L isn't quite finished, so we should wait until it is stable and specs are finalized.
If you want to play with Android L and Tinc you can compile a specialized version.
But thanks for information!

@Vilbrekin crash isn't good - perhaps we can show an info box and deny the start of tinc?

@Vilbrekin
Owner

Well, I guess he means tincd process can't start, and the error is displayed in the log. I don't think the android application itself crashes in such case.

Then the question is: is it linked to Android L, or the device itself?

@bahbka

bahbka commented Nov 17, 2014

Same problem on Nexus 4 with released Android 5.0 :(

@luckyhacky
Contributor

I have updated to Lollipop also. Same issue here.
Android up to 4.1 can only execute binaries without PIE
Android 3.1 to 4.4.4 can handle both
Android 5.x can only execute binaries with PIE

I think we have to compile both versions and install the right one.

Other option is to download a signed version of tinc from http or release the binaries in a separate product in google play store where user is prompted to install this binary. This can solve another issue with beta releases of tinc (see #25 )

@Vilbrekin
Owner

Thanks for the recap. I think we'll simply use multiple APKs support on the play store to leave current version for legacy devices, and require Android 4.1+ for new Tinc GUI releases.
Looking at the stats for my app, less than 15% of the users are stuck with old Android versions (I guess people using P2P VPN are rather techy and bleeding edge).

I'll enable back PIE for next Tinc GUI release.

Some interesting reading: http://stackoverflow.com/questions/24818902/running-a-native-library-on-android-l-error-only-position-independent-executab
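
Added example (not from this thread or the tinc_gui project): a check of the ELF header's `e_type` field, which is what separates a PIE build (`ET_DYN`) from a non-PIE one (`ET_EXEC`), combined with the version recap given above. The function names, the API-level mapping (16 = Android 4.1, 21 = Android 5.0) and the constructed header bytes are assumptions of this example.

```python
import struct

ET_EXEC, ET_DYN = 2, 3        # e_type values defined by the ELF format
API_4_1, API_5_0 = 16, 21     # Android 4.1 and 5.0 API levels

def elf_type(header: bytes) -> int:
    """Return e_type from the first bytes of an ELF file."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_data = header[5]       # 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        raise ValueError("invalid EI_DATA byte")
    # e_type is a 16-bit field right after the 16-byte e_ident array.
    return struct.unpack_from("<H" if ei_data == 1 else ">H", header, 16)[0]

def is_pie(header: bytes) -> bool:
    # Shared objects also use ET_DYN, so this only tells PIE and non-PIE
    # executables apart; it does not prove the file is an executable.
    return elf_type(header) == ET_DYN

def runs_on(header: bytes, api_level: int) -> bool:
    """Apply the recap from the thread: old releases need non-PIE,
    4.1 to 4.4.4 accept both, 5.x accepts PIE only."""
    pie = is_pie(header)
    if api_level >= API_5_0:
        return pie
    if api_level < API_4_1:
        return not pie
    return True

def check_file(path: str, api_level: int) -> bool:
    """Same check for a binary on disk, e.g. before packaging it in an APK."""
    with open(path, "rb") as fh:
        return runs_on(fh.read(20), api_level)

def fake_header(e_type: int, big_endian: bool = False) -> bytes:
    """Constructed 20-byte ELF32/ARM header prefix, for the demo only."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + b"\0" * 9
    return ident + struct.pack(">HH" if big_endian else "<HH", e_type, 40)

if __name__ == "__main__":
    for name, e_type in (("non-PIE", ET_EXEC), ("PIE", ET_DYN)):
        hdr = fake_header(e_type)
        for api in (15, 19, 21):
            print(f"{name:8s} API {api}: runs={runs_on(hdr, api)}")
```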

Vilbrekin added a commit that referenced this issue Nov 24, 2014
Target Android 4.1+, building PIE executables.
Fixes #26.
@Vilbrekin
Owner

I've just built a testing 0.9.12 release (https://github.com/Vilbrekin/tinc_gui/releases/tag/RELEASE_0.9.12).
Could you please test it and advise if it's working properly with Android 5?

@bahbka

bahbka commented Nov 24, 2014

Does not work for me with same error "only PIE are supported"

@Vilbrekin
Owner

Indeed, did a stupid typo yesterday. I just updated the 0.9.12 release. Could you please retry? (Sorry, I don't have L on my OPO yet, and the simulator doesn't highlight the bug).

@bahbka

bahbka commented Nov 24, 2014

tincd now starts, trying to connect, connects, but terminated without any error even with debugging level 5. Sorry, don't have experience with android debugging, but I'll try provide logcat logs.

@bahbka

bahbka commented Nov 24, 2014

Hmmm, it seems, something wrong with SELinux :(

I/tinc_gui(10829): Shell: su; command: id
I/tinc_gui(10829): Received START intent for tincd service
D/tinc_gui(10829): Service started
D/tinc_gui(10829): Returning PID 10334
I/tinc_gui(10829): Shell: su; command: kill 10334 || rm /data/data/org.poirsouille.tinc_gui/files/tinc.pid
I/tinc_gui(10829): Shell: su; command: umask 022; exec /data/data/org.poirsouille.tinc_gui/files/tincd -D -d5 -c /sdcard/share/phone/tinc --pidfile=/data/data/org.poirsouille.tinc_gui/files/tinc.pid
W/tincd   (10971): type=1400 audit(0.0:105): avc: denied { create } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:106): avc: denied { setopt } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:107): avc: denied { bind } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:108): avc: denied { listen } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:109): avc: denied { setopt } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
W/tincd   (10971): type=1400 audit(0.0:110): avc: denied { bind } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
W/tincd   (10971): type=1400 audit(0.0:111): avc: denied { getattr } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
W/tincd   (10971): type=1400 audit(0.0:112): avc: denied { connect } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:114): avc: denied { getopt } for laddr=10.202.218.96 lport=50487 faddr=xxx.xxx.xxx.xxx fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:115): avc: denied { write } for laddr=10.202.218.96 lport=50487 faddr=xxx.xxx.xxx.xxx fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:116): avc: denied { read } for laddr=10.202.218.96 lport=50487 faddr=xxx.xxx.xxx.xxx fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
E/NetlinkEvent(  183): Unknown ifindex 36 in RTM_DELADDR
D/tinc_gui(10829): End of tincd thread

@Vilbrekin
Owner

Guess we'll have to understand how to work with SELinux then.
Some interesting reading for later:
http://su.chainfire.eu/#selinux
https://source.android.com/devices/tech/security/se-linux.html

@bahbka

bahbka commented Nov 25, 2014

If I run daemon from root adb shell - it works! But there is hell with routing :)

root@mako:/ # ip ro sh
default via 10.87.122.245 dev rmnet_usb0 
10.87.122.244/30 dev rmnet_usb0  proto kernel  scope link  src 10.87.122.244 
192.168.88.0/24 dev tun0  scope link 
192.168.89.1 dev tun0  scope link 
192.168.89.2 dev tun0  scope link 
192.168.89.3 dev tun0  scope link 
192.168.89.11 dev tun0  scope link 
root@mako:/ # ip ro get 192.168.88.11
192.168.88.11 via 10.87.122.245 dev rmnet_usb0  src 10.87.122.244  uid 0 
    cache 
root@mako:/ # ip ro flush cache
root@mako:/ # ip ro get 192.168.88.11                                          
192.168.88.11 via 10.87.122.245 dev rmnet_usb0  src 10.87.122.244  uid 0 
    cache 
root@mako:/ # 

There are many ip rules with fwmarks, iptables, etc, but tincd works!

root@mako:/ # ping 192.168.89.11                                               
PING 192.168.89.11 (192.168.89.11) 56(84) bytes of data.
^C
--- 192.168.89.11 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2004ms

1|root@mako:/ # ping -I tun0 192.168.89.11                                     
PING 192.168.89.11 (192.168.89.11) from 192.168.89.15 tun0: 56(84) bytes of data.
64 bytes from 192.168.89.11: icmp_seq=1 ttl=64 time=385 ms
64 bytes from 192.168.89.11: icmp_seq=2 ttl=64 time=552 ms
^C
--- 192.168.89.11 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2000ms
rtt min/avg/max/mdev = 385.838/469.403/552.968/83.565 ms

Stay tuned :)

@bahbka

bahbka commented Nov 25, 2014

Okay, I solved my routing problems with adding routes to table local_network in subnet-{up,down}, but this is offtopic.
Resolution: tincd binary works, even with rare audit messages in log, like this:

W/tincd   (24948): type=1400 audit(0.0:182): avc: denied { write } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
W/tincd   (24948): type=1400 audit(0.0:183): avc: denied { read } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
W/tincd   (24948): type=1400 audit(0.0:184): avc: denied { read } for laddr=10.184.243.90 lport=45644 faddr=aaa.aaa.aaa.aaa fport=443 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (24948): type=1400 audit(0.0:185): avc: denied { write } for laddr=10.184.243.90 lport=53867 faddr=bbb.bbb.bbb.bbb fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket

Something wrong with tinc_gui, it seems tinc_gui kills tincd. When I push start button and before tincd terminated, tincd works for less than one second, even pings work :)

@insanum
Author

insanum commented Nov 27, 2014

I see the same issue with tincd getting killed. Status says connected and then it's killed immediately thereafter. Here is the logcat:

11-27 08:38:38.501 D/tinc_gui(15031): Refreshing preferences for key
11-27 08:38:38.532 D/tinc_gui(15031): Service connected
11-27 08:38:54.899 I/tinc_gui(15031): Shell: su; command: ip route
11-27 08:38:55.190 I/tinc_gui(15031): Shell: su; command: /data/data/org.poirsouille.tinc_gui/files/tincd --version
11-27 08:38:55.737 I/tinc_gui(15031): Shell: su; command: ip route
11-27 08:38:56.024 I/tinc_gui(15031): Shell: su; command: /data/data/org.poirsouille.tinc_gui/files/tincd --version
11-27 08:38:57.938 I/tinc_gui(15031): Shell: su; command: id
11-27 08:38:58.220 I/tinc_gui(15031): Received START intent for tincd service
11-27 08:38:58.221 D/tinc_gui(15031): Service started
11-27 08:38:58.254 D/tinc_gui(15031): Returning PID 15930
11-27 08:38:58.279 I/tinc_gui(15031): Shell: su; command: kill 15930 || rm /data/data/org.poirsouille.tinc_gui/files/tinc.pid
11-27 08:38:59.072 I/tinc_gui(15031): Shell: su; command: umask 022; exec /data/data/org.poirsouille.tinc_gui/files/tincd -D -d2 -c /sdcard/tinc --pidfile=/data/data/org.poirsouille.tinc_gui/files/tinc.pid
11-27 08:39:00.396 D/tinc_gui(15031): End of tincd thread
11-27 08:39:03.015 W/PackageManager(971): Failure retrieving resources for org.poirsouille.tinc_gui: Resource ID #0x0
11-27 08:39:03.077 W/PackageManager(971): Failure retrieving resources for org.poirsouille.tinc_gui: Resource ID #0x0
11-27 08:39:03.092 D/tinc_gui(15031): Service destroyed

@Vilbrekin
Owner

Concerning the autokill issue, it should occur only if/when tincd process releases its standard output. The simplest explanation would be process was already finished (because it couldn't map the TAP interface due to SELinux for example).
Kind of hard to debug this one, as I can't reproduce it...

@kjansik

kjansik commented Dec 5, 2014

Any news? Does anybody see the silver lining on the horizon?

@bahbka

bahbka commented Dec 5, 2014

You can launch tincd from local console without GUI for now. It's little uncomfortable, but it works.

@insanum
Author

insanum commented Dec 5, 2014

How do you launch tincd via the console? Can it be automated using tasker?

@bahbka

bahbka commented Dec 6, 2014

You can use JuiceSSH (for example) to launch local console, then run commands like:

$ su
# /data/data/org.poirsouille.tinc_gui/files/tincd -D -d2 -c /sdcard/tinc --pidfile=/data/data/org.poirsouille.tinc_gui/files/tinc.pid

You can find tincd path with adb logcat while using tinc_gui.

@kjansik

kjansik commented Dec 6, 2014

many thanks Ivan, I did try via terminal, but unsuccessful, need read and
google more...

2014-12-06 0:00 GMT+01:00 Ivan Strokanev [email protected]:

You can launch tincd from local console without GUI for now. It's little
uncomfortable, but it works.

@Vilbrekin
Owner

I've been able to reproduce the issue inside Android emulator. tincd is not terminated by the GUI, but because it gets denied all access by SELinux policy, and thus kills itself.

12-14 23:38:43.942    4062-4062/? I/tincd﹕ type=1400 audit(0.0:9): avc: denied { create } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:43.942    4062-4062/? I/tincd﹕ type=1400 audit(0.0:10): avc: denied { setopt } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:43.942    4062-4062/? I/tincd﹕ type=1400 audit(0.0:11): avc: denied { bind } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:43.942    4062-4062/? I/tincd﹕ type=1400 audit(0.0:12): avc: denied { listen } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:43.972    4062-4062/? I/tincd﹕ type=1400 audit(0.0:13): avc: denied { setopt } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket permissive=1
12-14 23:38:43.972    4062-4062/? I/tincd﹕ type=1400 audit(0.0:14): avc: denied { bind } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket permissive=1
12-14 23:38:44.012    4062-4062/? I/tincd﹕ type=1400 audit(0.0:15): avc: denied { getattr } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket permissive=1
12-14 23:38:44.180    3932-3932/? I/Choreographer﹕ Skipped 36 frames!  The application may be doing too much work on its main thread.
12-14 23:38:44.192    4062-4062/? I/tincd﹕ type=1400 audit(0.0:16): avc: denied { connect } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:44.222    4062-4062/? I/tincd﹕ type=1400 audit(0.0:17): avc: denied { getopt } for laddr=10.0.2.15 lport=49371 faddr=x.x.x.x fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:44.242    4062-4062/? I/tincd﹕ type=1400 audit(0.0:18): avc: denied { write } for laddr=10.0.2.15 lport=49371 faddr=x.x.x.x fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:44.282    4062-4062/? I/tincd﹕ type=1400 audit(0.0:19): avc: denied { read } for laddr=10.0.2.15 lport=49371 faddr=x.x.x.x fport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
12-14 23:38:44.694    4053-4053/? D/AndroidRuntime﹕ Calling main entry com.android.commands.am.Am
12-14 23:38:45.812    4062-4062/? I/tincd﹕ type=1400 audit(0.0:20): avc: denied { write } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket permissive=1

I can also confirm it's working fine when launched manually from terminal. I need to figure out why SELinux behaves differently in both cases.

@Vilbrekin
Owner

Got it. Seems like the context used when calling su from the app is "u:r:init:s0" (which gets restricted by selinux), while the context from adb shell is "u:r:su:s0".
Using Chainfire's advice to fork a subshell (using su -c inside su) allows switching to "u:r:init_shell:s0", which seems to have proper access for tincd.
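
Added example (not from this thread or the tinc_gui project): a way to read such denials in bulk by grouping logcat `avc: denied` records by source domain and object class, which makes it visible at a glance that tincd was running in the `init` domain. `parse_avc` and `summarize` are names invented here; the sample lines are copied from the logs quoted in this thread.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

# Lines copied from the logcat output quoted in this thread (both formats),
# plus one non-AVC line that must be skipped.
SAMPLE = """\
I/tinc_gui(10829): Shell: su; command: id
W/tincd   (10971): type=1400 audit(0.0:105): avc: denied { create } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:108): avc: denied { listen } for lport=655 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket
W/tincd   (10971): type=1400 audit(0.0:110): avc: denied { bind } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=udp_socket
12-14 23:38:43.942    4062-4062/? I/tincd﹕ type=1400 audit(0.0:9): avc: denied { create } for scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=tcp_socket permissive=1
""".splitlines()

def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after 'for' is a run of key=value pairs (lport=, scontext=, ...).
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(2)))
    if "scontext" not in fields or "tclass" not in fields:
        return None
    ctx = fields["scontext"].split(":")      # user:role:type:level
    return {
        "perms": m.group(1).split(),
        "domain": ctx[2] if len(ctx) > 2 else fields["scontext"],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked;
        # records without the field are treated as enforced here.
        "permissive": fields.get("permissive") == "1",
    }

def summarize(lines):
    """Map (domain, tclass, permissive) to the set of denied permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec["domain"], rec["tclass"], rec["permissive"])
            summary[key].update(rec["perms"])
    return dict(summary)

if __name__ == "__main__":
    for (domain, tclass, permissive), perms in sorted(summarize(SAMPLE).items()):
        mode = "logged only" if permissive else "blocked"
        print(f"{domain} -> {tclass} ({mode}): {' '.join(sorted(perms))}")
```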

@Vilbrekin
Owner

Built a new beta release. Feedback would be appreciated.
https://github.com/Vilbrekin/tinc_gui/releases/tag/RELEASE_0.9.12

@bahbka

bahbka commented Dec 15, 2014

It works very good, thank you very much! :)

@kjansik

kjansik commented Dec 15, 2014

It works now! but I am still experiencing problems: configuration working
fine on my android 4.0.4 doesn't work on my Lollipop - connection is
established, but I am not able to ping the nodes... For some reason the
subnet is not added.

2014-12-15 2:32 GMT+01:00 Vilbrekin [email protected]:

Build a new beta release. Feedback would be appreciated.
https://github.com/Vilbrekin/tinc_gui/releases/tag/RELEASE_0.9.12

@Vilbrekin
Owner

When trying in the emulator, I saw my -up scripts got their ip commands rejected. Is it the same for you? Could be that ip binary is not in the same path on lollipop.

@calisro

calisro commented Dec 16, 2014

Getting closer for me. tinc now runs in the gui but selinux still blocks the up/down scripts from running. Same as earlier issue reported:

#28

The context is still being blocked. Perhaps if you execute the scripts in a subshell with the right context.

@kjansik

kjansik commented Dec 16, 2014

How can I check it? I am novice, don't forget it... Script started, but
I am not sure if ip command is done.

2014-12-15 23:35 GMT+01:00 Vilbrekin [email protected]:

When trying in the emulator, I saw my -up scripts got their ip commands
rejected. Is it the same for you? Could be that ip binary is not in the
same path on lollipop.

@luckyhacky
Contributor

working for me with SELINUX and Android 5.0

@luckyhacky
Contributor

@kjansik you can't check it with standard android and your mobile phone. you need a pc and use console tools. you connect over adb to your phone and act as if you are on a linux station.
It's not so simple, but there are many tutorials.

@kjansik

kjansik commented Dec 26, 2014

No problem with adb for me. Just don't know what to look for in iptables...
clearly subnet is not set. I do not see any difference in debug, just
need some hint where should I look.
On Dec 26, 2014 8:44 PM, "B. S." [email protected] wrote:

@kjansik https://github.com/kjansik you can't check it with standard
android and your mobile phone. you need a pc and use console tools. you
connect over adb to your phone and act as if you are on a linux station.
It's not so simple, but there are many tutorials.

@ghost

ghost commented Apr 12, 2016

Hi.
In tinc gui after START, the STOP button doesn't work.
Script tinc-down:
```
ifconfig $INTERFACE down

VPN_GATEWAY=192.168.6.30

ip rule del from all lookup 100
ip route del table 100 $REMOTEADDRESS
ip route del table 100 $VPN_GATEWAY dev $INTERFACE
ip route del table 100 192.168.5.0/27 via $VPN_GATEWAY dev $INTERFACE
ip route del table 100 192.168.6.0/27 via $VPN_GATEWAY dev $INTERFACE
```

@ghost

ghost commented Apr 12, 2016

OS Android 6.0.1 (CM13)
Since the removal of daemon tincd, automate kill file 'tinc.pid'
Fix this problem:
```
public void stopTincd()
{
    if (_started)
    {
        run("pkill tincd", null);
        // int aPid = getPid();
        // if (aPid != 0)
        // {
        //     run("kill " + aPid + " || rm " + getFileStreamPath(PIDFILE), null);
        //     Log.d(Tools.TAG, "killed");
        // }
    }
    _debug = false;
    stopForeground(true);
    // Do not call stopSelf(), in order to keep any unflushed logs until GUI activity is back
    checkAndStopSelf();
    // Ensure GUI is updated
    call("tincd terminated.");
}
```
