Skip to content
Snippets Groups Projects
New look: Off

ANDROID_PARANOID_NETWORK restricts network access to users who are member of specific groups

    • Closed Imported Issue created by Administrator @root

    Created by: bhuvi8

    when non root user tries to access network they get permission denied errors

    To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

    Child items 0

    • No child items are currently assigned. Use child items to break down this issue into smaller parts.

    Activity

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      did a strace and found that permission denied error occurs when a socket is created using socket() system call

      By * postmarketOS Bot on 2017-10-10T15:31:27

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      on further investigation found that it is an android security feature

      verified it by creating groups with ids 3003 and 3004 and assigned user to group and user is now able to access network

      apk add shadow

      groupadd -g 3003 aid_inet

      groupadd -g 3004 aid_inet_raw

      usermod -G aid_inet user

      usermod -G aid_inet_raw user

      $ ping 8.8.8.8 now works as user

      By * postmarketOS Bot on 2017-10-10T15:37:01

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      Additional reference https://groups.google.com/forum/#!topic/sluggers/g0XY-Qk5C3w

      Most other devices having android kernels have this option set...This needs to be disabled for network features in non android OS'es to work properly

      By * postmarketOS Bot on 2017-10-10T15:53:24

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      created a pull request https://github.com/postmarketOS/pmbootstrap/pull/738 to fix this in samsung-i9100

      By * postmarketOS Bot on 2017-10-10T15:54:06

    • Administrator
      Administrator @root · Imported
      Author Owner

      Better reference: https://elinux.org/Android_Security#Paranoid_network-ing :wink:

      By Luca Weiss on 2017-10-10T18:46:20

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      Modified the title to better reflect this issue

      By * postmarketOS Bot on 2017-10-10T19:01:00

    • Administrator
      Administrator @root · Imported
      Author Owner

      I would edit it to something like "ANDROID_PARANOID_NETWORK restricts network access to root user"

      By Luca Weiss on 2017-10-10T19:12:08

    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      Done Edited again to fix typos

      By * postmarketOS Bot on 2017-10-10T19:24:32

      Edited by Ghost User
    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: ollieparanoid

      We should add this to our pmbootstrap kconfig_check code, so we can fix it for all devices (and warn the user when it is enabled). Thanks for reporting! (If someone wants to take a shot at this, please go ahead :thumbsup: )

      By * postmarketOS Bot on 2017-10-10T19:19:54

      Edited by Ghost User
    • Administrator
      Administrator @root · Imported
      Author Owner

      Am doing it right now. EDIT: Done. See #742

      By Luca Weiss on 2017-10-10T21:23:05

      Edited by Ghost User
    • Administrator
      Administrator @root · Imported
      Author Owner

      Created by: bhuvi8

      @z3ntu nice job fixing it for all devices and nice work with the script :-)

      By * postmarketOS Bot on 2017-10-11T01:50:30

    Please register or sign in to reply