Documentation about installing on Android

[emanruse]

Here is my experience with 'dnscrypt-proxy' on Android (I use Replicant. Replicant has root and init.d support "out of the box".

To start off, I have spent more than a week digging the web for information on how to do it. I have read many many discussions, questions and answers (including issues here). The official documentation didn't really help. In the very beginning it says:

If you want to change the DNSCrypt resolver, unzip the downloaded archive, edit the RESOLVER_NAME variable in system/etc/init.d/99dnscrypt. Keep the content as a ZIP file, with the original structure.

I have downloaded and unzipped every single release since 2.0.6 (the first one introducing Android binaries). There is no 99dnscrypt in any of them. Neither there is such file in the source code in git. So, my next step was to search the web, read issues here and there, a lot of time and effort.

What I found:

• @Quindecim's repo - it seems made for some software called Magisk. I don't want to install additional software which I don't need, give it permissions etc. I just want dnscrypt-proxy.
• There are some solutions for creating a boot service using init.rc. This process seems to involve unpacking the boot image, editing init.rc, and repacking it. This is new to someone like me. I found several softwares/versions which unpack and repack but when testing unpacking and repacking with no modification whatsoever the repacked image is always quite smaller than the original. I decided not to risk bricking my phone, so I stopped exploring this route.
• Researching further, I found this issue and from it - @uzen's repo. Unfortunately, it seems to include a binary with unknown source code in src/META-INF/com/google/android, so I won't run it. Instead of putting that blindly on my phone, I looked into the 99dnscrypt it includes and the two sub-scripts it calls. My impression: the author has spent quite some time on that. Shellcheck complains about so many problems though. Regardless of that, I decided to give these 3 scripts a try but unfortunately the result wasn't satisfactory. I couldn't get things to work as expected, so after many hours of digging into that obviusly old shell script code, I decided to return to simplicity and start from scratch.
• Then I found this. The init.d script used by the questioner is pretty much the same one which I tried myself initially. The difference is that I don't get the errors he gets - there are no such selinux messages in my logcat.

The official documentation also suggests installing one of "four (paid) apps" to switch currently running DNS settings to DNSCrypt. That is another thing I don't want to do. Installing additional (especially non-free) software for the sake of improving security through a software like dnscrypt-proxy, thus increasing attack surface and so on, is a logical contradiction.

So, in my search for a simple, clean, and working FOSS solution I used the same steps as in the Stackexchange question. In my dnscrypt-proxy.toml I enable blocked_names and put only one line in it for testing:

*.fsf.org

My findings:

I notice that 'dnscrypt-proxy' is started twice on boot:

$ adb shell logcat | grep dns
12-29 19:25:23.100  1993  1993 I sysinit : Running /system/etc/init.d/99dnscrypt 
12-29 19:25:23.290  2006  2006 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:25:23.315  2010  2010 I dnscrypt: Changing dns with iptables... 
12-29 19:27:38.500  3459  3459 I sysinit : Running /system/etc/init.d/99dnscrypt 
12-29 19:27:38.550  3464  3464 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:27:38.595  3467  3467 I dnscrypt: Changing dns with iptables...

$ adb shell ps | grep dns
root      2009  1     813640 6500  futex_wait 40103db0 S dnscrypt-proxy
root      3466  1     808256 7628  futex_wait 4016fdb0 S dnscrypt-proxy

The 'iptables' rules are not applied:

root@i9300:/ # iptables -L | grep 53                                               
1|root@i9300:/ # iptables -t nat -L | grep 53                                      
1|root@i9300:/ # 

I kill 'dnscrypt-proxy' manually:

$ adb shell
root@i9300:/ # killall dnscrypt-proxy                                              
root@i9300:/ # killall dnscrypt-proxy                                              
killall: dnscrypt-proxy: No such process

Then I start the service manually (cellular data is not enabled):

root@i9300:/ # /etc/init.d/99dnscrypt                                            
root@i9300:/ # [2022-12-29 19:36:20] [NOTICE] dnscrypt-proxy 2.1.2
[2022-12-29 19:36:20] [NOTICE] Network not available yet -- waiting...

Now, 'logcat' and 'ps' show there is only one runnig process:

12-29 19:36:19.860  5209  5209 I dnscrypt: Starting dnscrypt-proxy... 
12-29 19:36:19.970  5213  5213 I dnscrypt: Changing dns with iptables...

$ adb shell ps | grep dns
root      5212  1     812096 7604  futex_wait 401c4db0 S dnscrypt-proxy

The firewall rule is applied correctly too:

root@i9300:/ # iptables -t nat -L | grep 53                                      
DNAT       udp  --  anywhere             anywhere             udp dpt:domain to:127.0.0.1:53

Enable cellular data and watch what is happening in 'adb shell':

root@i9300:/ # [2022-12-29 20:08:31] [NOTICE] Network connectivity detected
[2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2022-12-29 20:08:31] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
...
// many other regular notices
...
[2022-12-29 20:09:45] [NOTICE] dnscrypt-proxy is ready - live servers: 32

Everything seems to work. Testing to confirm:

root@i9300:/ # host fsf.org
host: Host not found.
1|root@i9300:/ # host gnu.org
gnu.org has address 209.51.188.116

So, the blocked_names section works and resolving works.

Next, I disabled cellular data, unplugged the USB cable connected to the computer and connected the external WiFi adapter (Replicant needs an external RYF adapter as the phone's built in one won't work without proprietary software). So, I could not test with ADB any more but only using the limited "Terminal" application in Replicant and using the browser that comes with Replicant (no idea what its name is).

In that terminal (rewriting manually here):

host -v fsf.org
host: Host not found.
host -v gnu.org
host: Host not found.

and so on - it seem nothing resolved.

In the browser I see a different result though:

• fsf.org works (although it must not resolve)
• gnu.org works
• other sites work

Obviously, things don't work as expected when using WiFi.

Connecting the phone to the computer again I see that 'dnscrypt-proxy' process is still active. Re-testing with cellular data again shows the same result as above: fsf.org is not resolved, other domains are.

The questions are:

1. Why only the logging commands of the init.d script work, considering that the script is ran by root at boot time?

2. Why (even with manual starting of the service) the behavior is different when using WiFi?

3. How to make this service work on boot with all connections (cellular, WiFi, reverse USB tethering, etc) without requiring manual starting through ADB or additional apps (assuming one already has root and init.d support)?

It would be really great if someone can update the documentation.

Best wishes for the new year!

[jedisct1]

Thanks for your input!

The documentation is a Wiki, so anybody can update it, including you :)

Unfortunately I don't have an Android device, so I have no idea about how this works.

[emanruse]

The documentation is a Wiki, so anybody can update it, including you :)

If I knew the answers to my questions, I could probably do it. Unfortunately, I don't - hence the current issue. As you can see, I have researched quite a lot and didn't find them. So, my last hope is to ask the experts here directly.

Unfortunately I don't have an Android device, so I have no idea about how this works.

Who builds the Android binaries? I suppose they have an Android device and know how to do it.

[jedisct1]

Android binaries are built automatically by the CI system, like all other binaries.

[emanruse]

But that automation must have been configured by somebody in order to work properly, right? Doesn't that mean that the person who did that understands how Android works? If I am not asking the right questions at the right place, could you kindly suggest where one can ask the dnscrypt-proxy questions about Android?

[jedisct1]

But that automation must have been configured by somebody in order to work properly, right? Doesn't that mean that the person who did that understands how Android works?

The beauty of languages such as Go and Zig is that the only thing it takes to build a binary for a given target is to specify the name of the target.

So, that's what I did for different flavors of Linux, Windows, Android, etc. even though I only have a Mac and have no idea how Windows and Android work.

[syphyr]

I did this to add dnscrypt to cm14:
https://github.com/syphyr/dnscrypt_proxy_prebuilt

Additional commits:

syphyr/android_packages_apps_Settings@6f4e60e

syphyr/android_packages_apps_Settings@5064ace

syphyr/android_packages_apps_Settings@786c32c

syphyr/android_system_sepolicy@580f2ab

syphyr/android_system_sepolicy@11c3cf4

syphyr/android_system_sepolicy@20af525

syphyr/android_system_sepolicy@9717a0f

To enable:

syphyr/android_vendor_cm-1@8aeb773

Add to local manifest:

syphyr/cm_build_scripts@59b1738

[MF-Debug]

@emanruse I suggest you to use Invizible Pro. It's much simpler to use imo.

[emanruse]

@syphyr OK, I cloned your repo and looked at each and every file in the resulting tree. Now I wonder: 1. Why did I have to download 1.2 GB and why >99% of that size is in .git directory? 2. Looking at the essential content, I see 4 files (20Kb total) containing the customizations you made: ``` . ├── Android.mk ├── dnscrypt ├── dnscrypt-iptables ├── dnscrypt_proxy.rc └── etc └── dnscrypt-proxy // this as this is standard config stuff ``` - Your `dnscrypt` and `dnscrypt-iptabes` are quite similar to @uzen's scripts. So, I still wonder - how can I use them? Your `dnscrypt_proxy.rc` suggests that those should be placed in `/system/bin`. I am not an Android expert but from what I have read this is the directory for system binaries. Other binaries should go to `/system/xbin` and start up scripts should be placed in `/etc/init.d` with a proper prefix (e.g. 99). - In `dnscrypt_proxy.rc` you start the service as root. Why? On my Linux systems I see the service runs as user named `dnscrypt`. Is it not appropriate to have the same on Android and how can it be done? - Could you please explain how the `on property:` lines of `dnscrypt_proxy.rc` work? - What is `Android.mk` and how do I use it?

Additional commits:

How do I use those? And why? As you understand, I am definitely not an Android developer. I only know how to do things on Linux. I would really appreciate if you can elaborate on my initial questions, as well as the ones in the current post. @MF-Debug I know about this app, thanks. As stated in my initial question #3 - I don't want to install additional apps. Just `dnscrypt-proxy`.

[syphyr]

@emanruse

1. the repo is large because it is storing prebuilt binaries of dnscrypt-proxy. The older android build environment does not support new versions of go, so I am using prebuilt dnscrypt binaries.

2. getting it to work with my repo will require building the rom. There are required changes to the sepolicy and I added a switch in the developer options to turn dnscrypt off/on and also the ability to enable all traffic through tor. So, those additional commits are for the needed changes to other android repos used to build the rom.

3. I am using root to run dnscrypt because the older version of android (cm-14.1) did not seem to work right when changing the user to anything other than root. Although, I have read people using newer versions of android can change the user to something with less privileges. I couldn't get it to work with other users on cm-14.1, but the added sepolicy domain should help prevent dnscrypt from doing anything it is not supposed to do.

4. "on property" is looking for changes in the android props and performs actions when the props change. That is how the settings work to turn dnscrypt off/on.

5. the method I am using adds dnscrypt as a service to android so that it gets special system privileges and does not get killed under low memory situations, which will happen if you start dnscrypt any other way on android. Using init.d is not the correct way to add a service, that is what the .rc file is for.

6. Android.mk is what the android build system uses to know where to copy the files

[emanruse]

@syphyr Thank you for this info. I hope you can answer my initial questions too. Perhaps I didn't stress enough what I mentioned in the initial post, so it seems a good time to do it to avoid further complication and confusion (quoting myself):

So, in my search for a **simple, clean, and working FOSS solution**

Rebuilding the OS, downloading git-versioned binaries several times bigger than the OS itself, and becoming an Android developer to understand all the intricacies of a complicated process is not suitable for a non-expert. What I am looking for is something similar to what one does on Linux: 1. Download the latest release from current repo (without having to use other repos or apps) 2. Customize config files 3. Have a working init script for the purpose of dnscrypt-proxy only 4. Push the proper files to their proper places using `adb` 5. Reboot and have everything working as expected Can you help with that?

[syphyr]

@emanruse

If you look at https://github.com/uzen/dnscrypt-android , this repo will help create a zip file which can be installed from recovery. This is probably the closest you can get to installing dnscrypt-proxy without building the ROM. This repo uses init.d, but it requires a helper application (Afwall) to launch dnscrypt-proxy with root privileges. So, if you use this method, you will need to have root installed on your ROM and you will also need to install Afwall in order to start dnscrypt to get around the sepolicy that would normally prevent dnscrypt from starting up.

[syphyr]

I have created some dnscrypt-proxy installation packages to be installed from the recovery, so you can take a look at the file structure. But in order for this to work, you would also need to update the selinux policy and build your device's boot.img, or this will not work. The selinux policy is contained within your boot.img. Another way to fix the sepolicy is to use Magisk, but I have not tried using that. The changes required to the sepolicy for dnscrypt can be found in my first post.

NOTE: These zip packages do not support installing on A/B file systems

dnscrypt-proxy-arm64-20221231-1-signed.zip:
https://www.androidfilehost.com/?fid=4279422670115706958

dnscrypt-proxy-arm-20221231-1-signed.zip
https://www.androidfilehost.com/?fid=4279422670115706960

[syphyr]

This is a good reference for launching dnscrypt-proxy at boot:
https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

[syphyr]

BTW, upon further investigation on running dnscrypt-proxy as a non-privileged user, I finally was able to get it working like this:
syphyr/dnscrypt_proxy_prebuilt@8e58401

[emanruse]

@syphyr Thank you.

If you look at https://github.com/uzen/dnscrypt-android , this repo will help create a zip file which can be installed from recovery.

I have looked. I have linked to that repo in my initial post and shared my experience with it. Regardless of that, could you please explain: - Why make a zip file? Why not push files using `adb`? What's the difference? - How do you "install from recovery"? What does this actually do and how does it work? So far, I have used the recovery mode only to install Replicant itself and hence I have always assumed that it is only for this purpose. So, could you elaborate? Won't that overwrite the OS itself with the contents of the zip file? - What must the structure of such zip file be? Any official documentation on the subject?

This repo uses init.d, but it requires a helper application (Afwall) to launch dnscrypt-proxy with root privileges. So, if you use this method, you will need to have root installed on your ROM and you will also need to install Afwall in order to start dnscrypt to get around the sepolicy that would normally prevent dnscrypt from starting up.

As per my initial post - I do have root. Re. Afwall - why should I need that? From what I understand Afwall is pretty much a convenient GUI for handling `iptables` rules. Considering I have root and can run `iptables` directly, why should I install other apps? I don' want to install anything except `dnscrypt-proxy`.

Here are some examples of what the dnscrypt-proxy installation zips look like. These packages contain dnscrypt binaries built from latest source code.

This website requires from me to run proprietary JavaSript. Could you please share the URLs of the actual zip files for direct downloading?

I have created some dnscrypt-proxy installation packages to be installed from the recovery, so you can take a look at the file structure. But in order for this to work, you would also need to update the selinux policy

I have zero experience with selinux administering. Some day I will educate myself on the subject more thoroughly. Or must I do it now? Or is the step required for `dnscrypt-proxy` simple enough to grasp it from an example?

and build your device's boot.img, or this will not work.

That is a big concern to me. Again, as explained in my initial post, I researched into that and the process of unpacking and repacking the boot.img **with no modification whatsoever** always results in a smaller image file. During my research, I have read stories about people uploading such "unmodified, just repacked" image back to their device resulting in a boot loop. I don't know if this will happen with my device. What is worse - I don't know how to restore the previous working state of the device if this happens. In short, I am cautious not to damage/brick the device or its OS. Your input on the subject will be much appreciated.

This is a good reference for launching dnscrypt-proxy at boot: https://android.stackexchange.com/questions/207484/how-to-fix-selinux-avc-denied-errors-when-launching-dnscrypt-as-init-d-script/207647#207647

I have shared the same link in my initial post and shared my own result following the steps of the questioner. My result is different. Again - your clarifications are welcome.

BTW, upon further investigation on running dnscrypt-proxy as a non-privileged user, I finally was able to get it working like this:

That's good. I would be glad to try it if I know how. Looking forward to your clarifications!

[GNUtoo]

Apparently I need a space after the quotes, otherwise it takes the next line in the quote. Because of that some of my answers ended up in the quote.

[emanruse]

@GNUtoo Thank you for this info. Much appreciated. From your reply I understand it is possible and fairly easy to restore the original boot.img in case something goes wrong. That is great. Re. zip signing - I am leaving this aside for the moment because, IIUC, the zip installation is really just an alternative to pushing the necessary files through adb. So, I guess the whole additional complexity of the zip-related process can be skipped. Now, the essential question here seems to be SELinux, more specifically - the sepolicy file inside boot.img. Obviously, to run dnscrypt-proxy (or any other similar service) one must modify the sepolicy in a way giving the proper permissions. That is understood. The problem is - how does one do this? So far, in my ongoing research I found there are the following ways: - use `supolicy` tool from Magisk This means installing Magisk which I don't want to do for security reasons. - use `sepolicy-inject` Although I was able to build a fork of this tool from source, as mentioned, it cannot the a new domain to sepolicy as required for dnscrypt-proxy service to run: xmikos/setools-android#17 After digging into that for days, I was unable to make it work. I tried cloning libsepol directly from the SELinux project: https://github.com/SELinuxProject/selinux and replacing the files in @xmikos `jni/libsepol` (which is version 2.7-r4), hoping that a different version of the library may have the issue fixed. Unfortunately, that didn't work either. Newer `libsepol` versions cause build errors and versions 2.7-r* don't fix the issue. What is more interesting is that libsepol 2.7-r4 from @SELinuxProject is not identical to libsepol 2.7-r4 used in setools-android. Although that same version, taken from SELinux project results in a successful build, the creation of a new context still doesn't work. It shows some other errors. In short, I am hitting a wall here too. The next option, as suggested by @syphyr: - Set up a build environment and build Replicant from source code (at least the boot.img) Although I didn't want to do that, it seems to be the only remaining option. So, I followed the instructions given here: https://redmine.replicant.us/projects/replicant/wiki/GenericReplicant60Build In dependencies installation: https://redmine.replicant.us/projects/replicant/wiki/Replicant60BuildDependenciesInstallation I see Debian 9 (stretch) - an old, discontinued OS. I used Debian 11 in a VM. The `repo sync` took many many hours - a whole 34 GiB were downloaded. Unfortunately, some of the dependency packages don't seem to exist on Debian 11: eclipse-jdt, libandroidsdk-ddmlib-java, libandroidsdk-sdklib-java and one more. Also, there is no 'llvm-defaults', there is llvm. I think there were some other differences too. The given commands also don't work literally - I had to install the packages one by one. Pasting the whole lines from the doc didn't work. Anyway, I tried my best to set up this environment. Then, in step 'Building the toolchain': https://redmine.replicant.us/projects/replicant/wiki/GenericReplicant60Build#Building-the-toolchain I ran: ``` ./vendor/replicant/build-toolchain ``` The process starts but fails with a linker error somewhere at 4% (something related to LLVM, IIRC). I looked all over the web for this error but couldn't find a way to fix it. The "self-contained version or repo" didn't work either. Even `make clobber`, `make clean` and `make tcclean` don't work (errors). Is the documentation for building Replicant outdated? I don't know. The fact is, it is not possible to simply follow the instruction and get a working build on an up-to-date OS. Additionally, it is not clear how to build just the boot.img as @syphyr suggests. So, I have exhausted every possible option I could find. Nothing works. Since opening this issue on 29.Dec.2022, I have been researching and trying for many hours each and every day, without exception, gathering and correlating info scattered all over the web. There is no clarity and completeness. For an expert, this may be easy but for a non-developer like me, it is a tremendous effort without success. My last hope is someone who has the expertise to kindly provide proper, working steps to modify sepolicy correctly.

[emanruse]

@syphyr Can you help?

[syphyr]

@emanruse

I've never built Replicant, but most likely the toolchain is prebuilt when you setup the android build environment. I've never had to build the toolchain when compiling a ROM.

Use the recommended version of Linux when setting up your Android build environment. If you try to use a new version of Linux, there will most likely be conflicts and problems.

Building the boot.img is as simple as "mka bootimage" when building AOSP. I am unfamiliar with Replicant sources but I would assume it is very similar to AOSP.

Perhaps there is a help channel for Replicant development that can assist you with the details of building their ROM.

[emanruse]

Thanks @syphyr.

Use the recommended version of Linux when setting up your Android build environment.

It is not recommended. I don't know if a discontinued release can even be considered as a recommendation. It is just mentioned in the build docs as one of the two options (the second one is documented as unconfirmed and most likely not working). Although it is possible to download and install Debian 9 (which I have done too), I have no experience with Debian and I could not find info whether it is even possible to install packages on a discontinued release, i.e. whether the repo of the release is functional at all. So, this whole thing becomes an academic quest quite far away from dnscrypt-proxy.

Perhaps there is a help channel for Replicant development that can assist you with the details of building their ROM.

I have used all available channels but it seems there isn't significant activity in that community. Latest topics have answers from many months and years ago. But let's please focus on sepolicy. I understand that this must be modified. Is it possible to somehow rebuild only the sepolicy itself (not the whole OS or the boot.img)? IOW, is it possible to somehow "decompile", modify and "recompile" the sepolicy file? Could you also answer the previously asked:

…

I had a look at your .te file but it seems to contain additional rules which I can't relate to anything in Irfan's answer on SO. As a whole - please explain each detail of the selinux changes you make (incl. how do you know the particular rule is necessary) [...] Perhaps you can include this explanation in your own repo - that would be beneficial for both projects.

[syphyr]

@emanruse

As you have already mentioned, there are tools to manually unpack/repack the boot.img, but I do not have any knowledge of changing the sepolicy without building the boot.img from source. Perhaps there is something on XDA that would help?

As for creating the rules on the .te file, this is done by reading the selinux denial errors in dmesg and fixing each error until they are gone. Tools like audit2allow can be useful for translating the selinux errors from dmesg. This is a good guide for fixing selinux denials: https://source.android.com/docs/security/features/selinux/validate

[emanruse]

Thanks @syphyr. What Linux distro and which release do you use to build the boot.img (for CM 14.1 which you say you use)? What is your complete procedure regarding that?

Perhaps there is something on XDA that would help?

Only old threads. I have read them all and the info from there is summarized in my previous reply here.

As for creating the rules on the .te file, this is done by reading the selinux denial errors in dmesg and fixing each error until they are gone.

Are you saying that what you did was: a. notice a denial error b. add a rule to fix it c. rebuild boot.img g. repeat a-c until there are no more errors?

[syphyr]

@emanruse

I used Google's official documentation on how to setup an android build environment. Google uses Ubuntu. The cm-14.1 branch (LineageOS) that I am using recommends Ubuntu 18.04 Bionic. You will have to see if your device is supported by LineageOS, perhaps only on an older branch.

Are you saying that what you did was:

Correct.

[emanruse]

@syphyr I finally found the time to return to this. I worked to set up a build environment as per your advice. I have built successfully the original full Replicant OS, as well as just the boot.img. Could you advise on the specific steps which are necessary to modify the sepolicy for the purpose of running the dnscrypt-proxy service? Which files do I have to modify and how before rebuilding?

[syphyr]

Could you advise on the specific steps which are necessary to modify the sepolicy for the purpose of running the dnscrypt-proxy service? Which files do I have to modify and how before rebuilding?

I'm not familiar with Replicant OS, but the changes to selinux that I gave is for Android 7 (Nougat). It should not be too difficult to use the selinux changes I posted as an example and port them to your specific OS.

[1alexman1]

Why dnscrypt cannot be found in Fdroid? Are you intend to do it?Thx

[karolyi]

FWIW: #2328 (comment)

[emanruse]

I know about that InviZible app. I wonder how much it can be trusted long term though (considering app updates too). I am still planning to continue fighting the current issue. Just paused for a long time due to other unrelated things.

[karolyi]

You can install it from F-Droid which means it's open source and can be maintained even after its current maintainer stops.

But in the end, it's up to you.

[elovin]

I use the arm64 build with lineageOS 20 (Android 13) at the moment.

Although I run the service as root on system start without SELINUX which is fine for me since I do not do online banking on my phone.

In case it helps someone here is the link to the repo:
https://github.com/elovin/lineageos-clean-browsing

[elovin]

Also works with lineageOS 22.1 (Android 15)