-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature]: Plugins without shared UID #2654
Comments
Yeah, signature level permission and I was reviewing the |
Can I start working on the plugin system from the |
If you plan on working on it, I can try to work on the fixes/changes today. Need it for |
I did a little bit more planning, let me know if you see any issues:
When I implement the system I'll add tests to check if the system is secure, e.g. trying to connect to the plugin receiver from an external app, trying to call an app without the plugin permission, ... . |
Another thing I'll look into is a dummy bound service that Termux can bind to, so plugins get a lower oom_adj score but don't have to make their own foreground services for that. |
Not necessary really. A function like Moreover, permissions should start with
Any app that does not have a https://man7.org/linux/man-pages/man7/unix.7.html
Any app would be able to send the broadcast, you can't verify sender identity in
The https://developer.android.com/guide/topics/manifest/receiver-element#prmsn Look into Shizuku, possibly binder AIDL APIs can be added in termux app that can be used by plugin apps. Would be much simpler probably and APIs itself would be nice, better interaction between apps, specially with custom java objects instead of just intents. https://github.com/RikkaApps/Shizuku-API#using-shizuku-apisuserservice
Plugins should have their own foreground services, there are app specific restrictions even with https://developer.android.com/about/versions/11/privacy/foreground-services I also don't really like the idea of dummy bound services to force lower p.s I got caught up on socket programming basics again, found some more issues, will start work on the changes today/tomorrow. |
The socket is for a program in Termux to connect to a plugin, not the other way around. The program runs as the Termux uid and can access the socket. If a plugin needs to connect by itself,
That's what the signature permission is for, to make the android system able to do that check. Quoting the Android docs:
That specifies the permission the receiving app must have to receive the broadcast. com.termux.app is the permission Termux has itself and doesn't need to be declared. Again quoting the Android docs:
Binder is nice to use from an app perspective, but binder support is not included in the NDK and is unavailable to the programms running in Termux. Using services instead of a broadcast to connect to plugins is also possible though. |
Ah, sorry, We can use dedicated
The
I assumed that by receiver it meant the receiver Basically, your proposal is that But I am not satisfied with just signature based permissions, the plugins should ensure that command came from The pending intent should have And we necessarily don't need to send to a
That's not gonna work. You can't send
I also forgot that abstract unix sockets across apps won't work if using https://developer.android.com/about/versions/pie/android-9.0-changes-28 https://stackoverflow.com/questions/63806516/avc-denied-connectto-when-using-uds-on-android-10 Since the above won't work, the solution that was suggested by @twaik here was using termux So how this would work would be that when native process calls When the plugin has successfully created all sockets pairs, then it calls May need to call This is currently working on Android 11 with plugin using
Another way could be to send intents to plugin with
Well, there is https://developer.android.com/ndk/reference/group/ndk-binder https://android.googlesource.com/platform/frameworks/native/+/master/libs/binder/ndk/tests https://github.com/lakinduboteju/AndroidNdkBinderExamples For your use case, not using AIDL APIs may suffice probably, what protocol are you thinking? For plugin java stuff, can just bind to services and use AIDL APIs. |
About that. I have no much time but I have already ported jekstrand's sources which will allow us to use Wayland in You can try to play with sources I have ported. But there is no protocol I have implemented. |
Usually the Android docs are really good, but it seems that fact wasn't put in.
Yeah, a service is probably better.
We should have a system that works on all API versions supported by Termux, so NdkBinder isn't usable.
I would also like to have something like lower-privilege plugins that don't need
Having the ability to create multiple socket connections would be nice, but can always be made manually by creating a socket pair and sending one of the fds through the existing socket. My new idea:
After this connection, the initial socket connection from the program to Termux could be closed, or you could keep it open in case it's needed in future improvements. The same for the Binder, maybe new calls could be added in the future. This method doesn't need the A plugin wants to connect to Termux: Sending fds over a socket needs some additions to |
I already achieved this in Lorie. It is true that it is impossible to send fd using intent, but we can send IBinder. This IBinder will be connected to interface (aidl or raw binder) which requests needed file descriptor. One or many. |
Looks like there are no options.
Is there anyone who has any idea how to handle this? |
@agnostic-apollo I finished a first version of the plugin system. It's in my Termux fork. Plugin directories: Each plugin gets its own directory under The plugin service: A bound service in Termux that is protected by the new TERMUX_PLUGIN permission. The interface to the service is defined in AIDL in a new module that can be published separately on Jitpack, so plugins don't have to include all the Termux libraries. After connecting a plugin has to provide the service with a Binder that can be used for callbacks: Either provide a Binder directly or specify a component name for a service to bind to. The binder is also used to listen for the process death of the plugin to discard any state for the plugin in the service. I also added Utilities to I also made a new plugin-template repo that will contain a library for plugins and a template plugin to expand from for your own plugin. The library contains utilities to verify the Termux app signature and constants meaningful for plugins copied from TermuxConstants. A better solution would be to make The current AIDL methods are:
For For There are still some design decisions left:
|
I have some notes about using Java in C/C++ apps. termux/termux-packages#9100 (reply in thread) |
I will get back to you guys after the bootstrap scripts fixes/updates. Again, apologies for the delays. |
Thanks
El lun., 9 de mayo de 2022 19:21, agnostic-apollo ***@***.***>
escribió:
… I will get back to you guys after the bootstrap scripts fixes/updates.
Again, apologies for the delays.
—
Reply to this email directly, view it on GitHub
<#2654 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AY6O2TGUENTTAC2EZ5S4743VJGTZXANCNFSM5QQJ356A>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
@agnostic-apollo I fixed Do you have time to look at it now? Also: Are the FIleUtils methods and other parts of termux-shared thread safe? Binder transactions are processed from other threads and if the methods aren't thread safe, I'd have to schedule that on the main thread instead. |
Hi guys. |
Some changes are required and I need to look more into it. I am working on other higher priority stuff for next release, will get to it soon "hopefully". |
Maybe I can help with it? |
How about you review the code from a security perspective as well and also test the APIs and socket listening, etc, specially for your use case and on Android 12/13 and with |
I am not good enough to review something from a security perspective... But can test something if you need. |
It's fine, I'll do it. |
I also tried to implement the runTask API myself, but somehow the started process is killed with a segfault. It's in the plugin-system-nativeshell branch. |
If you are talking about If talking about the
No, they are not, other than I guess
I'll take a look. You can too, check https://source.android.com/devices/tech/debug and https://source.android.com/devices/tech/debug/native-crash If exception is in |
I fixed |
Great.
The functions itself don't use external variables, so should be safe, I meant you were asking thread safe from a filesystem perspective.
Cool, will take a look. Your turn is almost here now I think, after I mainly write some docs. ;) |
So what is happening? Can it be merged or it still should be reviewed? |
Likely some time next week. Finishing up docs. |
@agnostic-apollo |
Call
|
@agnostic-apollo
You can add something like this code to |
Yeah, I didn't do it the way you are suggesting cause would have required modifying |
Thank you. |
Actually I found a bit simpler way to make Termux plugin without making lots of changes to termux-app codebase. It is possible to simply send command to termux to run
To interact with
In my code class This way I will be able to work it with the following code.
For some reason sending Also both regular and reverse channel But there will be a problem of making it work without
This way you will be able to get rid of |
Feature description
For security reasons (privilege separation) and because f-droid seems to be slow when it comes to setting up signing apps with the same key (see Termux:GUI) it could be useful to have a plugin that doesn't share the same UID. The main problem with that would be security: If the apps are different users, they cannot call not exported components of each other, and completely open components are a security risk.
My idea is: Create a new signature-level permission for Termux and have the plugins BroadcastReceiver or Service require that permission to get called. That way only Termux can call these components.
To establish a 2-way communication between a plugin and a program you could make Termux expose another unix socket to programs like for the
am
integration. The program sends Termux the component it would like to call and if successful Termux sends a file descriptor for a unix socket pair to the program and the other end is send in the Intent via ParcelFileDescriptor to the plugin. If more connections are needed, the program or plugin can then send more file descriptors over the connection they have already.Additional information
Create a ParcelFileDescriptor socket pair.
Getting a FileDescriptor from a ParcelFileDescriptor.
Sending a FileDescriptor over a LocalSocket.
Putting a Parcelable into an Intent.
The text was updated successfully, but these errors were encountered: