Routing: process supports UID on Android#5915
Conversation
|
这接口还要远程地址啊?这个GetTargetIPs可能不干净 它可能是真实的target可能被有人用destoverride重置成域名然后被解析回的IP 虽然可以通过客户端作者手动禁用 |
|
有什么方法能获取到真的 Target IP 吗,就是 tun inbound 拿到的 Target IP |
|
你可以先开着routeonly自己试一下这玩意能不能用再说 毕竟其他平台的tun上这玩意好像都是坏的没法用 |
|
|
|
可以定位到app吗 |
|
还有我发现 ipv6 有问题
|
routeonly=true 的情况下 findprocess 能用 |
|
这destination类型扔了吧 签名改成 network srcIP srcPort destIP destPort |
|
改完了 |
|
你后来弄的 parseDestination 还没删呢 我就是看这个太碍眼了 |
|
删了 |
|
不太清楚,安卓上一个 APP 可以起多个 UID 还是说一个非多开的 APP 就是一个 UID,路由中填的是包名还是?
|
|
一般情况下每一个安卓 app 对应一个 uid,某些系统应用可能会共享 uid。 |
|
那这里路由的填法是填包名还是说(举个例子?),实际实现是拿到 UID 后通过一个表(有实现吗)匹配到包名?
|
|
这个API是java的 必须外部让v2rayng之类的客户端实现然后注册到核心里用 |
Xray core 拿到的配置 
客户端存储的配置 
FindProcess 返回 UID |
@RPRX please consider using TUN mode in the official Xray client by default with per-UID routing also enabled by default. It's unclear now whether this will hide VPN from Russian domestic apps, but it seems to be the best that can be done for users without root. You have probably already seen many people in Russian community frustrated with Xray clients because of an open socks5 port and unprotected TUN. |
|
@Exclude0122 我查了下原来安卓上 UID 是每个 APP 固定的, @hippo2025 我是打算官方客户端全平台默认自启+自动更新的,安卓上可以默认分应用代理不过 iOS 上做不到这点
|
RPRX
changed the title
process supports UID on Android
Yes, on Android all apps can detect TUN even in Shelter or System clone (like in Oppo device). I hope that if spy apps can't send traffic to TUN or if TUN just gives direct outbound for them, they will give up and conclude this is not VPN, rather something else. It seems this is the best that can be done on Android. It's better to do something than nothing even if the result is not complete. On desktop the need for spy apps is much smaller, I think most users can avoid having them installed. |
|
Thank you for this PR! I tried to study it and didn't understand one part. Does this one cover cases, where proccess UID is unknown? On Android, using SO_BINDTODEVICE allows any app to bind to any interface. When that happens, the proccess UID is unknown. That is a possible leak, where app sent to direct can still forcibly go through proxy. Some catch rule needed to send such procceses to block or direct. I assume, this one doesnt allow to create such rule? It was mentioned and recently fixed on singbox. SagerNet/sing-box#4009 UPDATE: It looks like I was wrong as I do not have appropriate device to conclude full tests, and information I found before was incomplete (+AI is idiotic). It seems when SO_BINDTODEVICE is used, the proccess UID is -1, not null or something. Current PR seems to accept UID -1 no problem. So the task at hand has to be solved by xray clients, not core. |
5 participants
ConnectivityManager#getConnectionOwnerUid
Android 根据连接获取进程 UID 的 API 需要同时提供本地和远程的IP+端口,所以我把
func FindProcess(dest Destination)改成func FindProcess(src Destination, dest Destination)了。同时还增加了
AndroidFindProcessImpl变量,Xray 客户端可以自行实现 FindProcess 的逻辑。