FORUMS
Remove All Ads from XDA

[APP][2.2+] [v.1.5+] Wakelock Detector- What keeps your phone awake when it sleeps?

223 posts
Thanks Meter: 679
 
By ahikmat, Senior Member on 7th March 2013, 03:27 AM
Post Reply Email Thread
15th November 2014, 01:36 PM |#561  
XDAMaxe's Avatar
Senior Member
Thanks Meter: 849
 
More
Quote:
Originally Posted by EP2008

I keep always scanning off, timer off, notify open network off.

I only see those high wakelocks on the Note 4 and not my Note 2.

try to check with bbs - partial wl
 
 
15th November 2014, 01:43 PM |#562  
Senior Member
Toronto, Ontario, Canada
Thanks Meter: 576
 
More
Quote:
Originally Posted by XDAMaxe

try to check with bbs - partial wl

Nothing out of the ordinary with partial wake locks. If I refresh the kernel stats while the screen is on, I see them jump up on those really high ones right before my eyes.

I was hoping a new firmware for my device would come out so I can just start from scratch and see if anything I install causes it.

Sent from my SM-N910U
15th November 2014, 02:06 PM |#563  
pikachukaki's Avatar
Senior Member
Flag Thessaloníki, Greece
Thanks Meter: 2,730
 
Donate to Me
More
What's that?? I can't find it anywhere..

16th November 2014, 12:14 PM |#564  
Rimher's Avatar
Senior Member
Flag Rome
Thanks Meter: 63
 
More
Quote:
Originally Posted by AA1973

- Nexus 5
- Android L
- Chainfires kernel flashable-nexus5-hammerhead-lpx13d-kernel.zip
- SuperSU 2.14
- Superuser access has been granted to Wakelock Detector, but this is how it looks like in SELinux "Enforcing Mode", which is standard mode with chainfire's kernel

And this is in SELinux "permissive mode"

I used SELinux Mode changer from the PlayStore to change the mode on the go.
https://play.google.com/store/apps/d...mrbimc.selinux

More info by chainfire on L, SELinux and root


On LPX13D, SELinux, and root

As promised, here are some more details about the current situation.

Why it breaks

Google has really put some effort into better securing Android, and we've seen a lot of SELinux related commits to the AOSP tree over the past months. There is some disconnect between the AOSP tree and actual L preview builds, some things from AOSP are not in the L preview build, and vice versa. Ultimately, it's a pretty good bet these things will mostly align, though.

On most devices and firmwares, SuperSU's daemon is started by the install-recovery.sh service script that runs at system boot time, as user root with the init context. This is what the daemon needs to function.

Recently, they've started requiring all started services to run in their own SELinux context, instead of init. Developers and security guys following AOSP have known this was coming; AOSP builds have been logging complaints about this specific service not having its own context for a while now.

Now this script runs as root, but as the install_recovery context, which breaks SuperSU's operation, as it is a very restrictive context.

In the last AOSP build I have tried (a few weeks old), there were a fair number of other holes that we could use to launch the daemon. At first glance(!), it seems those have all been closed. An impressive feat by the guys working on this, if it proves true.

How to fix it

To fix root, all that really had to be done was ensure the daemon's startup script is run at boot as the root user with the init context.

There are multiple ways to do this, but unfortunately for now it seems that it does require a modified kernel package (changing the ramdisk).

In the modified kernel packages I've posted for the Nexus 5 and Nexus 7, the daemon's startup is fixed by commenting out the line in init.rc that forces the install-recovery.sh script to run as the install_recovery context, so now it runs as init again, and all is well.

Repercussions

As stated above, it seems for now that modifications to the kernel package are required to have root, we cannot attain it with only modifications to the system partition.

Combine that with a locked bootloader (and optionally dm-verity) and a device becomes nigh unrootable - exactly as intended by the security guys.

Exploit-based roots are already harder to do thanks to SELinux, and now because of the kernel requirements for persistent root, these exploits will need to be run at every boot. Exploits that make the system unstable (as many do) are thus out as well.

Of course, this is all dependent on OEMs implementing everything exactly right. If a certain OEM doesn't protect one of their services correctly, then we can leverage that to launch the daemon without kernel modifications. While I'm fairly certain this will be the case for a bunch of devices and firmwares, especially the earlier L firmwares, this is not something you should expect or base decisions on. It is now thus more important than ever to buy unlocked devices if you want root.

It might also mean that every firmware update will require re-rooting, and OTA survival mode will be broken. For many (but far from all) devices we can probably automate patching the kernel package right in the SuperSU installer ZIP. We can try to keep it relatively easy, but updating stock firmwares while maintaining root is probably not going to work as easy and fast as it did until now.

Apps need updates

Unsurprisingly, with a new major Android release, apps will need updates. None more so than apps that go beyond the Android API, as root apps do, but even some non-root apps will be affected by the security changes.

As one example, someone posted in the SuperSU thread of a kernel flashing app that didn't work. From the logcat you could see that it was looking for partitions in /dev/block from its normal non-root user and non-init context. That used to be possible, but now it is restricted: normal apps no longer have read access there.*

The solution for that app is actually quite simple: list the /dev/block contents using root instead. But simple solution or not, the app will still need to be updated.

By far most root apps should be updateable for L without too much issue. There are indeed exceptions that will need some special care, but those are rare.

Permissive vs enforcing

The kernel packages I posted for the Nexus 5 and 7 LPX13D *firmware keep SELinux mostly set to enforcing. I say mostly, because SuperSU actually switches a small part of the system to permissive, so apps calling su can do most things without much interference. The details on this are lengthy (yes, your apps will be able to modify policies as well if needed, which should be rare), and I will document these for other developers after L retail release, assuming it will all still work at that time.

Alternatively, you can set the whole system to permissive or otherwise disable SELinux. There are other kernel packages released that indeed do this. The advantage here is that it instantly fixes some apps' issues, as the SELinux based restrictions have all gone the way of the dodo. The disadvantage here is that you've just shut down a major part of the security system of the device.

Some would argue that a device with an unlocked bootloader, root, encrypted modem firmwares of which nobody really knows what they're doing, etc, is inherently insecure, and thus disabling SELinux doesn't make much difference.

I personally disagree with this. While I do agree that these things weaken security down from the ideal level, I would still not disable more security features than I absolutely need to. Just because you cannot eliminate all attack vectors, is no reason to just completely give up on defending against them.

It is of course your own choice if you want to run a permissive system or not. I will strive to keep everything working in enforcing mode though, and I hope other root app developers will do the same - as stated earlier in the post, I believe this is still possible.

(everything in this post is subject to change for retail L release, obviously)


Source:
https://plus.google.com/113517319477...ts/VxjfYJnZAXP

Great, thanks a lot for the heads up, using permissive mode indeed works!
I was wondering, since Chainfire seemed quite skeptical about this workaround, how insecure would our phones become using this mode??
16th November 2014, 12:47 PM |#565  
lucianus_luciferus's Avatar
Senior Member
Flag London
Thanks Meter: 53
 
More
Quote:
Originally Posted by pikachukaki

What's that?? I can't find it anywhere..

go to settings - my device - display - daydream and disable it
16th November 2014, 05:20 PM |#566  
pikachukaki's Avatar
Senior Member
Flag Thessaloníki, Greece
Thanks Meter: 2,730
 
Donate to Me
More
Quote:
Originally Posted by lucianus_luciferus

go to settings - my device - display - daydream and disable it

it was the ambient screen of n6 for n5.....
18th November 2014, 07:14 PM |#567  
Senior Member
Thanks Meter: 178
 
More
Is the dev active still? Haven't seen an update from him in ages.
19th November 2014, 08:39 AM |#568  
OP Senior Member
Seoul
Thanks Meter: 679
 
More
I am back and working on this lollipop issue
Thank you everyone for supporting WLD,
Sorry for being off for sometime.
it is great to know that many of you using it in Lollipop with your own fix.(SeLinux)

I am getting lollipop now,
hopefully i will fix this very soon.
The Following 17 Users Say Thank You to ahikmat For This Useful Post: [ View ] Gift ahikmat Ad-Free
19th November 2014, 08:48 AM |#569  
Senior Member
Thanks Meter: 120
 
More
Quote:
Originally Posted by Smultie

Is the dev active still? Haven't seen an update from him in ages.

I'm wondering the same... I would love to see WD working with SELinux in Enforcing mode (if that's possible).

bye!
20th November 2014, 04:22 PM |#570  
Senior Member
Thanks Meter: 7
 
More
Quote:
Originally Posted by ahikmat

Thank you everyone for supporting WLD,
Sorry for being off for sometime.
it is great to know that many of you using it in Lollipop with your own fix.(SeLinux)

I am getting lollipop now,
hopefully i will fix this very soon.

Eagerly awaiting the new update!!
20th November 2014, 06:46 PM |#571  
Senior Member
Thanks Meter: 178
 
More
Quote:
Originally Posted by ahikmat

Thank you everyone for supporting WLD,
Sorry for being off for sometime.
it is great to know that many of you using it in Lollipop with your own fix.(SeLinux)

I am getting lollipop now,
hopefully i will fix this very soon.

That's absolutely wonderful news!! Thanks!!
Post Reply Subscribe to Thread

Guest Quick Reply (no urls or BBcode)
Message:
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes