[Discussion] Magisk - The Age of Zygisk.

[Lughnasadh]

What's interesting here is John's response in the screenshot below about whether Google should do something about this...

(The screenshot John originally quote tweeted is from appdome dot com)

https://twitter.com/i/web/status/1618116841645445121

 

[HippoMan]

[ ... ] Read Permissive ROM = experimental, insecure, half-baked ROM not fit for daily use [ ... ]

Actually, that is perfectly fit for my own daily use, and I doubt that I'm the only person who has this preference.

I want to be able to turn permissive mode on and off as part of my own ROM usage, depending upon the tasks I want to perform and the software I wish to run. In the past, I was able to do this in one or more ROMs, and there was nothing half-baked about my user experience.

I'm willing to take the associated risks, and I don't want to be paternally "protected" against those things against my will. Again, I'm sure I'm not the only Android user who feels this way.

 

[pndwal]

Yes, I would just like to find such a ROM. But as I understand it, at the moment there are no such ones on s8+.(
Or I didn't search well.

This is the problem, that I plan to use banking applications. And it's a matter of honor to bring everything to perfect condition.
But apparently on this phone it will not work. Now I will try to do it on google pixel...

That is the problem. Official LOS is not available for my device.

What about debloated stock?... Plenty of guides for that... PW

 

[pndwal]

[ ... ] Read Permissive ROM = experimental, insecure, half-baked ROM not fit for daily use [ ... ]

Actually, that is perfectly fit for my own daily use, and I doubt that I'm the only person who has this preference.

But it's NOT a preference! ... It's a fact!

... I know you're no noob, but you may be developing a knack for confusing issues mate!

FWIW, John's technical explanation on Reddit: SELinux Permissive ROMs/Kernels are VERY BAD

Spoiler: More relevant comments from John on twitter

https://twitter.com/i/web/status/1318841119942168576

https://twitter.com/i/web/status/1359054106019565571

https://twitter.com/i/web/status/1359307457986654209

I want to be able to turn permissive mode on and off as part of my own ROM usage, depending upon the tasks I want to perform and the software I wish to run. In the past, I was able to do this in one or more ROMs, and there was nothing half-baked about my user experience.

So you're talking about something completely different!
www.youtube.com/watch?v=K2P86C-1x3o

... That's NOT a permissive ROM!... That's likely a perfectly stable SE enforcing ROM that you choose to disable 'enhanced security' on... And that's your business...

Like the ROM discussed here, many find the simply cannot switch a permissive ROM to SE enforcing w/o breaking stuff... cos it's still half baked/not properly implemented... BUT permissive just breaks security in exchange for accessing ROM functions that simply won't work as they should...

... Bit like the builder in such a rush to list a house on the market that he hasn't fixed the doors that jam on their jambs... So he says "oh well... Who needs doors?"... And then someone buys it!... And they think "what a bargain!"... And they sleep soundly... Cos they got a bargain... Who needs doors, right?

However here's something more those switching even stable enforcing ROMs to permissive might want to to consider:
https://www.xda-developers.com/permissive-selinux-dangers-exploits/

I'm willing to take the associated risks, and I don't want to be paternally "protected" against those things against my will. Again, I'm sure I'm not the only Android user who feels this way.

Sure you're not... Point is, You don't need a permissive ROM to do that...

And of course ROM/Kernel Devs do that all the time to test fixes (you'll appreciate @arter97's response to this
www.twitter.com/topjohnwu/status/1194574073017167877
if you know who he is...), but it's actually far more likely that switching between modes will simply work on an enforcing ROM...

Thing is, it may be fine to leave your doors open while you're home and awake... But would you be happy with no doors when you go out or Sleep? ... And really, any builder should put doors on houses he builds... unless it's for the Korowai people of West Papua... or in a gated hippie commune... PW

 

[HippoMan]

... That's NOT a permissive ROM!... That's likely a perfectly stable SE enforcing ROM that you choose to disable 'enhanced security' on... And that's your business...

Yes, I did confuse the issue. I misread the previous discussion and incorrectly came to the conclusion that it wasn't talking about SE enforcing ROMs per se, but rather, simply the ability to disable SE.

I stand corrected.

Thing is, it may be fine to leave your doors open while you're home and awake... But would you be happy with no doors when you go out or Sleep? ... And really, any builder should put doors on houses he builds... unless it's for the Korowai people of West Papua... or in a gated hippie commune... PW

As for my actual domicile, I indeed prefer to have doors and windows that can be closed ... and I'm the one who makes the decisions as to when I open or close them.

Likewise, when it comes to my Android device, I want to be the one who can decide when to open and close the doors and windows, and I'm glad and willing to take responsibility for any adverse consequences which might ensue due to faulty judgment.

And in any case, I'm generally more similar to an outdoor camping enthusiast when it comes to my device's security.

 

[pndwal]

Yes, I did confuse the issue. I misread the previous discussion and incorrectly came to the conclusion that it wasn't talking about SE enforcing ROMs per se, but rather, simply the ability to disable SE.

I stand corrected.

As for my actual domicile, I indeed prefer to have doors and windows that can be closed ... and I'm the one who makes the decisions as to when I open or close them.

Likewise, when it comes to my Android device, I want to be the one who can decide when to open and close the doors and windows,

... So you do prefer an enforcing ROM. (Of course only permissive ROMs = house sold with no doors in openings, or at least no back door; generally they simply can't run enforcing, at least without breaking important functions...)

and I'm glad and willing to take responsibility for any adverse consequences which might ensue due to faulty judgment.

Sure... You want a secure ROM that can be un-securred...

And in any case, I'm generally more similar to an outdoor camping enthusiast when it comes to my device's security.

My case too!... But I still want a house that hasn't been trashed to return to when I'm done camping! PW

 

[HippoMan]

... So you do prefer an enforcing ROM. (Of course only permissive ROMs = house sold with no doors in openings, or at least no back door; generally they simply can't run enforcing, at least without breaking important functions...)

Sure... You want a secure ROM that can be un-securred...

My case too!... But I still want a house that hasn't been trashed to return to when I'm done camping! PW

I don't mind an enforcing ROM as long as I can turn off the enforcement whenever I want to, and as long it doesn't prevent me from doing the things I want with my device, and as long as I don't have to jump through crazy, convoluted, headache-producing hoops in order to do any of those things. My current enforcing ROM is OK in these regards.

However, I probably wouldn't mind a non-enforcing ROM, either.

 

[pndwal]

I don't mind an enforcing ROM as long as I can turn off the enforcement whenever I want to, and as long it doesn't prevent me from doing the things I want with my device, and as long as I don't have to jump through crazy, convoluted, headache-producing hoops in order to do any of those things. My current enforcing ROM is OK in these regards.

However, I probably wouldn't mind a non-enforcing ROM, either.

Just need to understand that properly implemented ROMs, ie. enforcing, can generally be switched w/ no dramas (for those happy to take the risks)... 'non-enforcing' (permissive) ROMs are the ones you'll generally have issues with;
they're inherently buggy for starters, and either won't boot w/ enforcing or critical functions will fail... You're usually stuck with permissive (read House with no doors) I'm afraid!...

That's because they are 'experimental, insecure, half-baked and not fit for daily use' as I originally said, and they've generally been set to permissive simply to allow broken stuff to function...

There's really no other good reason for a dev to set permissive... And as experts like John are pointing out, doing this simply to release ROMs is NOT good enough... It may be considered "really bad", "LITERALLY BACKDOORING YOUR USERS!", "dubious", "just shooting at your own foot", "nuking a SIGNIFICANT portion of modern Android's security"...

https://twitter.com/i/web/status/1318839675180625921

https://twitter.com/i/web/status/1359054108339040261

PW

 

[HippoMan]

Just need to understand that properly implemented ROMs, ie. enforcing, can generally be switched w/ no dramas (for those happy to take the risks)... 'non-enforcing' (permissive) ROMs are the ones you'll generally have issues with;
they're inherently buggy for starters, and either won't boot w/ enforcing or critical functions will fail... You're usually stuck with permissive (read House with no doors) I'm afraid!...

That's because they are 'experimental, insecure, half-baked and not fit for daily use' as I originally said, and they've generally been set to permissive simply to allow broken stuff to function...

There's really no other good reason for a dev to set permissive... And as experts like John are pointing out, doing this simply to release ROMs is NOT good enough... It may be considered "really bad", "LITERALLY BACKDOORING YOUR USERS!", "dubious", "just shooting at your own foot", "nuking a SIGNIFICANT portion of modern Android's security"...

https://twitter.com/i/web/status/1318839675180625921

https://twitter.com/i/web/status/1359054108339040261

PW

Back in the Stone Age, ROMs for Android were released in SE permissive mode. At some point, that changed, and now, the default is to release the ROMs in SE enforcing mode. I never had any problems with those earlier ROMs that were released in permissive mode.

But perhaps with all the changes in Android since those antediluvian days, SE permissive ROMs might now cause failures.

As for me, running a ROM on my device in which "a SIGNIFICANT portion of modern Android's security" has been nuked actually might be a blessing. Of course, that would not be the case if, as you mention, it's not possible in such ROMs to turn SE enforcing ON when desired. In that case, I agree with you that such a ROM would not be desirable.

In other words, if a permissive ROM wouldn't let me change SE to "enforcing" when I choose to do it, then such a ROM would be a "no no" for me. Otherwise, I'm open for such a ROM.

PS: Every linux OS I've ever run on my rooted desktop machine has never had SE enabled. By "rooted", I mean that the "sudo" command and other similar facilities are readily available on my linux box. I'd be perfectly happy for my Android device to have no more built-in security than my desktop box, and for me to be the one to manage the security protocols on these systems.

 

[pndwal]

Back in the Stone Age, ROMs for Android were released in SE permissive mode. At some point, that changed, and now, the default is to release the ROMs in SE enforcing mode. I never had any problems with those earlier ROMs that were released in permissive mode.

Many changes/challenges... Originally no AVB or even locked bootloaders, no SafetyNet, Play Protect, Play Integrity checks either, no Widevine DRM, etc etc... An age where we could leave our houses unlocked and our grandma's would sleep on the porch all night when the weather was to hot...

But perhaps with all the changes in Android since those antediluvian days, SE permissive ROMs might now cause failures.

... Well I think you're still refusing to register what I've been trying to tell you (although you may have gotten it subconsciously by now)...

It may be a technicality, but it's an important concept to grasp: SE permissive ROMs don't cause failures (unless by that you mean 'trip device integrity/security detections)... It's the failure of code to run w/ enforcing set that causes Devs to release ROMs set to permissive! ... and such ROMs do this simply because fixing the code either to hard, the ROM is just an amateurish port, or the Dev doesn't care...

These days all Android code is supposed to run with SE enforcing... ROMs aren't meeting protocol (defined clearly/extensively in Google CDD, VSR, VTS and CTS documents) if they don't... In fact you may no longer be able to set permissive on stock ROMs for that reason:

• Caution: Permissive mode is not supported on production devices. CTS tests confirm enforcing mode is enabled.

SELinux enforcement can be disabled via ADB on userdebug or eng builds...

https://source.android.com/docs/security/features/selinux/validate#switching_to_permissive

From the above it is also evident that permissive now breaks ctsProfileMatch at least without spoofing...

As for me, running a ROM on my device in which "a SIGNIFICANT portion of modern Android's security" has been nuked actually might be a blessing. Of course, that would not be the case if, as you mention, it's not possible in such ROMs to turn SE enforcing ON when desired. In that case, I agree with you that such a ROM would not be desirable.

In other words, if a permissive ROM wouldn't let me change SE to "enforcing" when I choose to do it, then such a ROM would be a "no no" for me. Otherwise, I'm open for such a ROM.

So I've been trying to tell you that ability to switch should NOT be your primary concern!... While that may well be possible with some custom permissive ROMs you'll be very lucky to find a ROM set to permissive that doesn't break important functions when set to enforcing!...

Isn't having a stable, functional ROM more important, especially when you can easily set an enforcing (read stable, fully baked ROM with doors, oiled hinges and well aligned locks) custom ROM to permissive if you are bent on doing so?!!

What you want to do doesn't change the fact that custom ROM Devs should NOT be releasing permissive ROMs in the first place...

PS: Every linux OS I've ever run on my rooted desktop machine has never had SE enabled. By "rooted", I mean that the "sudo" command and other similar facilities are readily available on my linux box. I'd be perfectly happy for my Android device to have no more built-in security than my desktop box, and for me to be the one to manage the security protocols on these systems.

I can't sum this up better than Bob, even if you may think he's from an antediluvian era:

PW

 

[meric57]

Hello, concern with magisk writing in flash memory remains blocked on copyring: systeme.img.lz4.
Do you know the reason for this blocking thank you

modification of the ap for root my s10 firmware A12 G973FOXMGHWA3

solved

 

[HippoMan]

It may be a technicality, but it's an important concept to grasp: SE permissive ROMs don't cause failures (unless by that you mean 'trip device integrity/security detections)... It's the failure of code to run w/ enforcing set that causes Devs to release ROMs set to permissive! ...

Yes, that's what I meant, and you stated it more clearly than I did when you wrote, "unless by that you mean 'trip device integrity/security detections'". This clarifying distinction doesn't change my point in the least.

PW

Yep, the fact that these times have been a-changin' (Android-wise) is why I prefer to use an older, post-diluvian-but-still-pre-cutting-edge version of Android (A11) with TWRP and with a very pleasingly antiquated version of Magisk (v23.0). And I wouldn't have minded in the least if my ROM happened to have been shipped with permissive SE. In that case, I would accomodate.

The "evolution" of Android's security model and of some of the characteristics of many Android apps and utilities is no more desirable for me than the "evolution" of a number of other trends that is currently taking place in our "modern" world.

 

[meric57]

Hello, LSPosed-v1.8.6-6712-zygisk-release why is there a problem in magisk. error restarts then magisk apk jumps must reflash with odin, is it mandatory to install this module or not if it works with the main ones from magisk.

 

[martyfender]

Hello, LSPosed-v1.8.6-6712-zygisk-release why is there a problem in magisk. error restarts then magisk apk jumps must reflash with odin, is it mandatory to install this module or not if it works with the main ones from magisk.

? There is a big problem with your translation.

 

[huskydg]

Hello, LSPosed-v1.8.6-6712-zygisk-release why is there a problem in magisk. error restarts then magisk apk jumps must reflash with odin, is it mandatory to install this module or not if it works with the main ones from magisk.

Your question is not clear

 

[J.Michael]

Hello, LSPosed-v1.8.6-6712-zygisk-release why is there a problem in magisk. error restarts then magisk apk jumps must reflash with odin, is it mandatory to install this module or not if it works with the main ones from magisk.

Explain "error restarts"
Explain "magisk apk jumps"
Explain "it works"
Use separate sentences.

You do not "flash" apk with Odin.

If Magisk app is disappearing: search carefully full app drawer -- maybe app was renamed. If app has really been uninstalled, try to post log file. (Search for @Didgeridoohan HOW-TO)

 

[huskydg]

(Maybe off-topic) Now we have an app that detect bootloader unlocked :v

[Suggestion] Workaround for apps detect bootloader unlocked through hardware attestation · Issue #252 · kdrag0n/safetynet-fix

Now we have few apps that use hardware attestion to detect bootloader status no matter SafetyNet or Device Integrity pass. We have tested with few good guys on Telegram and it's only working on...

github.com

 

[meric57]

Hello sorry about the irritation I explained myself badly as I solved for the root with magisk.
My concern comes from the LSPosed apk version 1.8.6-6712 -zygisk-release .APK when I install it via magisk module I get an error I don't know if I should install the lower version or not.
Also as it asks to restart once restart in magisk.apk no more instalation just the application, so I have to reflash with odin the 4 BL-AP files patched_magisk -CP -and home CSC to find my root.
Just to know whether to install LSPosed or not.
I hope it's clearer for sure

attempt to install LSPosed v 1.8.4 zygisk see screenshot
On the magisk interface as soon as I restart my s10 I find myself without root see screenshot

 

[zgfg]

Hello sorry about the irritation I explained myself badly as I solved for the root with magisk.
My concern comes from the LSPosed apk version 1.8.6-6712 -zygisk-release .APK when I install it via magisk module I get an error I don't know if I should install the lower version or not.
Also as it asks to restart once restart in magisk.apk no more instalation just the application, so I have to reflash with odin the 4 BL-AP files patched_magisk -CP -and home CSC to find my root.
Just to know whether to install LSPosed or not.
I hope it's clearer for sure

attempt to install LSPosed v 1.8.4 zygisk see screenshot

I don't know about the APK version of Zygisk-LSposed installation?
Pls provide the link where you downloaded and the file name (with extension)

Anyway, if it is really APK file then you have to install as any other APK file - by application installer, not through Magisk app

I use Zygisk LSPosed, downloaded from below, Zygisk_-_LSPosed-v1.8.6(6712).zip and that one (zip) has to be installed through the Magisk app:

Release 1.8.6 · LSPosed/LSPosed

New Xposed API proposal As Android version iterates, the original Xposed API by rovo89 reaches its limits. Now we are working on the new modern Xposed API with features of application scope managem...

github.com

Also, for Zygisk module, Zygisk must be enabled but on your screenshot it looks like not enabled.
Make sure you do not use Riru, since Riru is not compatible with Zygisk

 

[meric57]

Bonjour zgfg, sur le même site que vous avez mis sur github, magisk installe également zigisk avant d'installer le module LSPosed. APK du même site.

at least as I am winrar by default is 7zip not by default, as you can see on screenshot error these when I launch the installation in magisk