Hi,
These days many systems are multi-homed in the sense that they have more than one IP address bound at the same time. I.e. Wifi and VPN,
There are are at least 3 solutions to help bind an application to a specific ip.
1) Lennart Poettering has a IPv4 only version of a shim and a rather good readme available at his site.
2) Catalin M. Boie wrote another LD_PRELOAD shim, force_bind. I have not tested this one. It's capable of handling IPv6 binds.
3) Daniel Ryde has solved the problem via a LD_PRELOAD shim. With his code you can run
$ BIND_ADDR="192.0.2.100" LD_PRELOAD=/usr/lib/bind.so firefox (*)
and happily surf away.
Sorry for not providing direct links but "ALL new users prevented from posting outside links in their messages."
However a faked url with all relevant information is here:
Start by http then add daniel-lange.com/archives/53-Binding-applications-to-a-specific-IP add .html to the end of the url
Can someone provide instructions on how to build an android version of any of the given solutions (or a binary maybe) ??
Thank you
Has anyone successfully established a bridge mode VPN connection (using TAP) in any version of Jellybean, stock or custom?
It seems that every vpn app in the play store suggests that this can't be done in JB. I'd really like to upgrade to JB, but I really don't feel like reconfiguring my whole VPN setup, just to log on to my home server every once in awhile.
Hoping I'm wrong about this...
ushlambad said:
Has anyone successfully established a bridge mode VPN connection (using TAP) in any version of Jellybean, stock or custom?
It seems that every vpn app in the play store suggests that this can't be done in JB. I'd really like to upgrade to JB, but I really don't feel like reconfiguring my whole VPN setup, just to log on to my home server every once in awhile.
Hoping I'm wrong about this...
Click to expand...
Click to collapse
Yes all you need to do is search Open VPN Tun [short for tunnel and the name OpenVPN gives the setting] in the Android Play Store to find the Open VPN Settings app created by: Friedrich Schäuffelhut
[Found Here: Open VPN Settings]
When you run it it will run some checks and may ask you to download the following to install the ifconfig binary and the Open VPN binaries in to the system [ifconfig is installed as part of busybox so you maybe good may not but app checks and runs well].
Installer Link [which can also be run on it's own and also checks things and will tell you if you are good to go or if it needs to install things for you.
Open VPN Settings Installer
IF UNSURE USE /system/xbin for install location [first question] and accept defaults or the rest.
THIS WILL REQUIRE A ROOTED ANDROID DEVICE [due to it being a tunnel and not a tap interface you need root to set the connection up and make it usable within android the android VPN client itself only accepts TAP style interfaces due to possible security risks "casual" or "non-technical" users may not understand and thus to protect you from yourself it doesn't do TUN interfaces.
You can use either blah.ovpn OR blah.cfg [Windows servers use .ovpn as extension whereas Linux favors .cfg but both are the same text based profile file]. if I remember right just create /sdcard/openvpn/<whatever> [whatever is whatever directory name [if you want one] I use the client name that way all the keys and profiles are organized and not all jumbled in one folder [or if files have same name or different content then you will be forced to do this for something like multiple OpenVPN server profiles]. THE OpenVPN app tells you this if you open it and there is no /sdcard/openvpn folder found it says to create it in the middle of the main window area]
Also, it is easiest to edit your profiles so there is no absolute directory structure pointing to the files [the ca.crt, client.crt and client.key files].
This is very easy just remove all directories so the line ONLY has the filenames [See example profile in code box below].
Here to make this easy here is an example profile file I use [your server and port as well as if you choose to have it persist the IP addresses of clients across multiple connections may be different, up to you].
Code:
.
# Specify that this is a client
client
# Bridge device setting
dev tun
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote some.domain.or.IP.address.here <whatever port you use here>
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
## You may need to comment it out.
## This MAY NOT be a good choice
## for most folks I use a private server
## without many clients so it doesn't
## affect me if they connect a bunch of times but any security systems
## may not like it if you connect too many times to quickly and you don't
## want your own server blocking your IP when you want to connect now do you :)
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key
# Specify same cipher as server
cipher <choose your cipher>
# [same as you set on your server don't make it different]
## Default here is usually BF-CBC if I remember right
# Use compression
## again make sure you enabled compression in the server profile or comment it out here
comp-lzo
# Log verbosity (to help if there are problems)
## I set it a little higher but not totally verbose
## I like a little info when there are problems
## to help fix them, up to you what you choose
## Can be different from server setting
verb 3
Hopefully this helps. I am unsure of your or anyone else who may like this posts technical skills so trying to be thorough. You could also use this profile to work backward filling in the same settings asked for in the server profile.
ONCE YOU GET THE profile on to the SDCARD and connect the first time the app will always bring it up and all you have to do is tap a checkbox to turn on the VPN Settings app and then once more to enable the profile you want [yes even if just one you have to check it, BUT, IF YOU uncheck the OpenVPN enable/disable checkbox at top the next time you enable it it will auto enable last used connection !
IT REALLY IS A VERY EASY TO USE AN NICE APP [AND ONLY ONE TO SUPPORT OPEN VPN TUN [TUNNEL] INTERFACE SETUPS!
Android's netd daemon, by default, enables something known as "IPv6 privacy extensions" (this means that the IPv6 address, instead of being generated from the device's MAC address, will be randomized — but this is irrelevant for my question).
In a nutshell, my problem is this: how can I hack, or communicate with, the netd daemon to force it to disable this feature?
(Android offers no configuration for this. I bug-reported the issue to Google ad android bug #31102 aka http : / / code.google.com/p/android/issues/detail?id=31102 (sorry I'm not allowed to post links) but they, of course, ignored it. Please note that there are lots of pages dealing with the question of how to enable IPv6 privacy extensions, because old versions of Android did not enable them: my question is how to disable them, permanently.)
What the netd daemon actually does is that when a network interface $IFACE is brought up, it opens the file /proc/sys/net/ipv6/conf/$IFACE/use_tempaddr and writes "2" there (this asks the Linux kernel to enable the feature). Up to Android 4.2, what I did was binary patch netd to replace the string "/proc/sys/net/ipv6/conf/%s/use_tempaddr" by "/dev/null\000" so the daemon would simply write that "2" to /dev/null and nothing would happen. But in Android 4.3 that part of the code has been slightly refactored, see InterfaceController.cpp from the netd source code, around line 134 (https : / / android.googlesource.com/platform/system/netd/+/android-4.3.1_r1/InterfaceController.cpp — again I'm not allowed to put links, what a pain), so a binary patch is not so trivial. (I could probably replace "use_tempaddr" by "hfr_grzcnqqe", but it would cause an error message in the logs and I'd like to avoid that.)
(Changing netd's source would be absolutely trivial. But I want to avoid recompiling it, because I'd probably spend many sleepless nights getting the correct native toolchain and convincing the Android makefiles to recompile just this bit: I don't have the resources to do a full Android build. Maybe I'm being pessimistic.)
In principle, it seems that netd reacts to commands that are sent to it (see https : / / android.googlesource.com/platform/system/netd/+/android-4.3.1_r1/CommandListener.cpp starting from around line 434). What I don't know is how to communicate with it to send it such commands, let alone do it precisely when a new interface is brought up. I know that at the other end of the line there is, for example, android.net.wifi.WifiStateMachine (see https : / / android.googlesource.com/platform/frameworks/base/+/android-4.3.1_r1/wifi/java/android/net/wifi/WifiStateMachine.java around line 2104). I'm a Linux dev, not so familiar with the Android IPC mechanisms or daemons, so I was hoping someone more knowledgeable could think of a way to pass a command at the right time.
PS: I'm aware that there's an app called to.doc.android.ipv6config which claims to solve the problem I'm talking about. But, looking at the code (https : / / gitorious.org/android-ipv6config/android-ipv6config/source/58e2060162485b54d4f8c147a558aeed708fa4b4:src/to/doc/android/ipv6config/LinuxIPCommandHelper.java around line 103), it's obvious that it does so in a completely wrong way, namely by talking to the kernel, bypassing netd's role as the network gatekeeper altogether.
PPS: I'm using CyanogenMod (currently 10.1.3, and this issue is preventing me from upgrading to 10.2), but I don't think this is relevant at all (I must admit I didn't check to see if CyanogenMod patched netd and/or android.net.wifi.WifiStateMachine in any way).
Meta-question: Is this the right place to ask? Apparently I have to ask 10 stupid questions before I'm allowed to post anywhere else.
Did you ever find a permanent solution? I've been tackling the issue on my new Galaxy S6 using the steps as outlined in this link:
https://www.reddit.com/r/Android/comments/2z1gyo/fix_lollipop_wifi_issues_and_coincidentally_the/
On the chance that someone has this issue and finds this thread ..
As far as I have seen (< 5.0), communication with the network daemon, netd, is done through unix-domain socket IPC on /dev/socket/netd. The commands are of the form:
Code:
interface setcfg [iface name] [options]
Where 'options' includes 'up' and 'down', among others. I have not verified this, but you may be able to do this from the console -- see 'netcfg'. As far as the specific command to do what you are requesting, I would either pull the netcfg executable into IDA or start by looking at the WifiStateMachine. The state machine set sets this option at line 2092 in the source:
Code:
mNwService.setInterfaceIpv6PrivacyExtensions(mInterfaceName, true);
Additionally, you could just pull in the apk for the WifiStateMachine and modify the smali to send false, rather than true, at the line above and you'll have your permanent disable. For this, see /system/framework/*.apk, or equivalent. The WSM implementation should be there somewhere.
-----------
From the source you posted, I found this too ..
Code:
"Usage: interface ipv6privacyextensions <interface> <enable|disable>"
Hi all,
The Scenario
We have a bluetooth hardware device that needs to be accessed from a box (owned by client) running Android 5.1.
Box will run a customized version of Android 5.1.
The device works with vendor specific HID reports.
Changes to ROM to allow device to work are allowable.
Attempt 1:
BluetoothInputDevice + HidService
This is a hidden interface in AOSP that can provide raw hid access to bluetooth hid devices. HidService should throw intents containing received reports, and accepts reports through a "Send report" method.
Unfortunately, it didn't work for me at all. I was unable to receive any HID reports.
Attempt 2:
/dev/hidraw0 + /system/bin/hidrawservice + /system/lib/libhidrawservice.so + external/HidRawAccess/HidRawAccess.java
Here, I thought to create a native executable service hidrawservice called from init.rc with elevated privilege to access /dev/hidraw0
hidrawservice exposes its own interface for /dev/hidraw0 (maybe through a unix socket)
A java + native android service comprising libhidrawservice.so and HidRawAccess.java that exposes direct methods for hidrawservice to android java apps.
The Problems:
for 1, I could never receive any HID reports at all in my app. More details: [I cannot post links here, Sorry. Please search stackoverflow with bluetooth hid host. ]
Specifically, I observe Bluedroid doesn't call any callbacks in jni code of HidService when reports are received.
for 2, I am stuck with SELinux. I can verify that through /dev/hidraw0 the HID reports are accessible. hidrawservice when run from adb shell captures reports. But when I start it from init.rc, Its not able to access /dev/hidraw0
I don't have any prior experience on SELinux policies so if anyone could guide me, would be extremely helpful.
I am seeking community help for either of those. I am also open to any suggestions towards this. I am not seeking to disable SELinux.
If it helps, for now, I am developing with a Nexus 7 2013 tablet, And AOSP is 5.1.1_r14, LMY48G.
I am trying to build a custom ROM for Android that has a built in firewall. In doing this I want to allow my Settings app to block different apps from using mobile data and/or wifi.
My approach so far has been to add new selinux policy rules to allow system level apps to interact with iptables. I have tried multiple different policies, but here is what I currently have.
file_contexts
Code:
/system/bin/iptables u:object_r:iptables_exec:s0
system_app.te
Code:
type iptables_exec;
allow system_app iptables_exec:file { rx_file_perms };
I didn't define a new "domain" for iptables and I wasn't sure if I needed to declare the system_app domain again, or if this would just be appended to that.
Thanks in advance for any help. If anyone has any pointers on where to look to get a better understanding of SELinux inside of android, please let me know.