Affected versions: all versions before 27.0, and all versions from 27003 on when sepolicy live patching is used
Affected devices: Android 11+ devices
Details
Since Android 11, the system restricts user apps from using netlink's RTM_GETLINK to read network interface MAC addresses. This is implemented with an Android-specific SELinux policy capability (android_netlink_route): the kernel enforces the restriction only when the loaded sepolicy sets that flag. The kernel change was rejected by Linux upstream and remains an Android-only patch.
Before 27.0, Magisk patched sepolicy with the upstream libselinux library, which knows nothing about the Android-specific flag, so the flag was dropped from the rewritten policy and the kernel stopped enforcing the restriction. As a result, any app on a Magisk-rooted device could read the MAC address.
Since 27.0, Magisk sets the flag unconditionally on every device. Some devices, however, have been upgraded to a newer kernel that supports the flag while their user-space sepolicy was never written with it in mind; forcing the flag on there restricts every process, not just user apps, and WiFi stops working.
Since 27003, Magisk reads the policy flags from the existing sepolicy and copies them into the new sepolicy, so the restriction is enabled only where the device's own policy enabled it. This resolves the issue.
Magisk's sepolicy live patching feature (magiskpolicy --live) reads the currently loaded sepolicy back from the kernel, patches the rules and reloads the result. Because of a kernel bug, the Android-specific flag is not included in the policy the kernel reports to user space, so the policy Magisk reads back never carries it. After a live patch the restriction is therefore disabled and any app can read the MAC address again.
The kernel bug can be fixed with this patch, but Google required that the patch first be submitted to Linux upstream, for reasons that were not explained, and then said that the Android-specific feature should be removed altogether. In short, the patch was rejected by Google and there is nothing Magisk can do about it. Compared with being unable to connect to WiFi, a MAC address leak after sepolicy live patching seems the acceptable trade-off.
Exploitation
We have observed popular apps using RTM_GETLINK to read device MAC addresses. At least one app detects Magisk by checking whether it can still read the MAC address on Android 11+, where a stock device refuses the request.
Recommendation
Devices running Android versions before 11 are not affected. Other devices should upgrade to Magisk 27.0; if WiFi then stops working, upgrade to 27003. On 27003 and later, do not use sepolicy live patching: check all modules and root apps for it, and ask their developers to switch to the module sepolicy.rule file, which Magisk applies when it builds the policy at boot rather than by live patching.
Related Links
Acknowledgement
@aviraxp https://t.me/qianqianzhuang/33