Magisk may leak device unique identifier #8186
Labels: wontfix (Not going to fix it)
Comments
@topjohnwu Can we store the flag when reading compiled policies by system, always use it and ignore the flag from kernel sepolicies?
1q23lyc45 added a commit to 1q23lyc45/KitsuneMagisk that referenced this issue (Dec 1, 2024)
Affected versions: all versions before 27.0, and 27003 and later in the special case of sepolicy live patching described below
Affected devices: Android 11+ devices
Details
Since Android 11, the system prevents user apps from using netlink RTM_GETLINK to read network interface MAC addresses. The restriction is implemented as an Android-specific SELinux policy capability, a flag bit in the compiled sepolicy (android_netlink_route). The kernel patch that adds it was rejected by Linux upstream, so the flag exists only in Android kernels.
Before 27.0, Magisk used the upstream libselinux library, which does not know about this flag, so the flag was dropped whenever Magisk patched the sepolicy and the kernel stopped enforcing the restriction. As a result, any app could read MAC addresses.
From 27.0, Magisk set the flag unconditionally on every device. That broke devices whose kernel had been upgraded to one that understands the flag while the user-space sepolicy had not been built for it: with the flag forced on, every process (not just user apps) was restricted, and WiFi stopped working.
Since 27003, Magisk reads the flag from the original sepolicy and copies it into the patched sepolicy, which resolves that issue.
Magisk's sepolicy live patching feature (magiskpolicy --live) reads the current sepolicy back from the kernel, patches the rules and loads the result. Due to a kernel bug, the Android-specific flag is not included in the policy the kernel exports to user space, so the policy Magisk reads back never carries the flag. After live patching, therefore, the restriction is disabled again and any app can read the MAC address.
The kernel bug can be fixed with this patch, but Google required that the patch first be submitted to Linux upstream, for reasons that were not given, and then stated that the Android-specific feature should be removed altogether. In short, the patch was rejected by Google and there is nothing Magisk can do about it. Compared with WiFi not working at all, a MAC address leak after sepolicy live patching seems acceptable.
Exploitation
We have observed popular apps using RTM_GETLINK to read device MAC addresses. At least one app detects Magisk by checking whether it can still read the MAC address on Android 11+.
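The check described above, as an added example in C that is not code from the Magisk project or from this issue: it sends the RTM_GETLINK dump an app would send, parses the RTM_NEWLINK replies for IFLA_ADDRESS, and reports either the MAC addresses it got back or the refusal. Run inside an untrusted app's sandbox on an Android 11+ device, a refusal means the restriction is in force; a list of MACs after live patching (or on a device patched by Magisk before 27.0) is the leak the issue describes. The function names, the constructed sample reply for wlan0, and the assumed form of the refusal (EACCES on send or an NLMSG_ERROR reply) are the example's own; on a plain Linux host the program simply lists the host's interfaces.

```c
/* Added example, not code from the Magisk project or this issue: the RTM_GETLINK dump apps
 * use to read MAC addresses, a parser for the RTM_NEWLINK replies, and a constructed reply. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* ifname is IFNAMSIZ bytes; has_mac is 1 when a 6-byte IFLA_ADDRESS was present. */
struct link_info { int ifindex; char ifname[16]; unsigned char mac[6]; int has_mac; };

/* Parse one RTM_NEWLINK (nlmsghdr + ifinfomsg + rtattrs) into *out; 0 if not a link message. */
int parse_newlink(struct nlmsghdr *nlh, struct link_info *out) {
    if (nlh->nlmsg_type != RTM_NEWLINK) return 0;
    struct ifinfomsg *ifi = NLMSG_DATA(nlh);
    memset(out, 0, sizeof *out);
    out->ifindex = ifi->ifi_index;
    int len = (int)nlh->nlmsg_len - (int)NLMSG_LENGTH(sizeof *ifi);   /* bytes of attributes */
    for (struct rtattr *rta = IFLA_RTA(ifi); RTA_OK(rta, len); rta = RTA_NEXT(rta, len)) {
        if (rta->rta_type == IFLA_IFNAME)
            strncpy(out->ifname, RTA_DATA(rta), sizeof out->ifname - 1);
        else if (rta->rta_type == IFLA_ADDRESS && RTA_PAYLOAD(rta) == 6) {
            memcpy(out->mac, RTA_DATA(rta), 6);
            out->has_mac = 1;
        }
    }
    return 1;
}

/* Append one rtattr to the message in buf; returns the new nlmsg_len. */
static unsigned add_attr(char *buf, unsigned short type, const void *data, size_t dlen) {
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    struct rtattr *rta = (struct rtattr *)(buf + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = (unsigned short)RTA_LENGTH(dlen);
    memcpy(RTA_DATA(rta), data, dlen);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rta->rta_len);
    return nlh->nlmsg_len;
}

/* Build a constructed RTM_NEWLINK reply (not a device capture); buf 4-byte aligned, cap >= 64. */
unsigned build_newlink(char *buf, size_t cap, int ifindex, const char *name, const unsigned char mac[6]) {
    memset(buf, 0, cap);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_type = RTM_NEWLINK;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    struct ifinfomsg *ifi = NLMSG_DATA(nlh);
    ifi->ifi_family = AF_UNSPEC;
    ifi->ifi_index = ifindex;
    add_attr(buf, IFLA_IFNAME, name, strlen(name) + 1);
    return add_attr(buf, IFLA_ADDRESS, mac, 6);
}

/* Send an RTM_GETLINK dump. Returns how many interfaces reported a MAC, or a negative errno
 * when the kernel refuses (what an untrusted app gets on Android 11+ with the restriction in
 * force; assumed here to surface as EACCES on send or as an NLMSG_ERROR reply). */
int probe_rtm_getlink(struct link_info *links, int max_links) {
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0) return -errno;
    struct { struct nlmsghdr nlh; struct ifinfomsg ifi; } req = { .nlh = { .nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg)),
        .nlmsg_type = RTM_GETLINK, .nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP }, .ifi = { .ifi_family = AF_UNSPEC } };
    static uint32_t buf[8192];                                     /* 32 KiB, 4-byte aligned */
    int count = 0;
    if (send(fd, &req, req.nlh.nlmsg_len, 0) < 0) { count = -errno; goto out; }
    for (;;) {
        int len = (int)recv(fd, buf, sizeof buf, 0);
        if (len < 0) { count = -errno; goto out; }
        for (struct nlmsghdr *h = (struct nlmsghdr *)buf; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
            struct link_info li;
            if (h->nlmsg_type == NLMSG_DONE) goto out;
            if (h->nlmsg_type == NLMSG_ERROR) { count = ((struct nlmsgerr *)NLMSG_DATA(h))->error; goto out; }
            if (parse_newlink(h, &li) && li.has_mac && count < max_links) links[count++] = li;
        }
    }
out:
    close(fd);
    return count;
}

/* Offline check: the constructed reply for "wlan0" (index 3) must parse back to the same fields.
 * Returns the message length (56 bytes) on success, 0 on failure. */
int selftest_constructed(void) {
    const unsigned char mac[6] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };   /* constructed, locally administered */
    uint32_t raw[32];
    struct link_info li;
    unsigned n = build_newlink((char *)raw, sizeof raw, 3, "wlan0", mac);
    if (!parse_newlink((struct nlmsghdr *)raw, &li)) return 0;
    return (li.ifindex == 3 && li.has_mac && strcmp(li.ifname, "wlan0") == 0 && memcmp(li.mac, mac, 6) == 0) ? (int)n : 0;
}

int main(void) {
    struct link_info l[32];
    int n = probe_rtm_getlink(l, 32);
    if (n < 0) { printf("RTM_GETLINK refused: %s\n", strerror(-n)); return 0; }
    for (int i = 0; i < n; i++)
        printf("%-16s %02x:%02x:%02x:%02x:%02x:%02x\n", l[i].ifname, l[i].mac[0], l[i].mac[1],
               l[i].mac[2], l[i].mac[3], l[i].mac[4], l[i].mac[5]);
    return 0;
}
```

Build it with the NDK (or any Linux toolchain; only the kernel's netlink headers are needed) and compare the result inside an app sandbox before and after running magiskpolicy --live. The offline selftest exercises the parser on the constructed reply without opening a netlink socket, so it also works on a host with no network access.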
Recommendation
Devices before Android 11 are not affected. Other devices should upgrade to Magisk 27.0, or to 27003 if WiFi stops working after the upgrade. On 27003 and later, do not use sepolicy live patching: check all modules and root apps, and ask their developers to switch to sepolicy.rule.
Acknowledgement
@aviraxp https://t.me/qianqianzhuang/33