Android Oreo restricts the use of DNSResolver giving rise to re-connection attempts failed

cmeng · May 3, 2018, 12:31am

aTalk starts failing in network re-connection attempts when my Samsung Note 8 OS was recently being upgraded to Oreo (android 8.0). The problem appears to happen only when aTalk is running in background. Connection is still OK during launch and is able to connect to the server. The log is captured below while atalk is in background mode:

Since this problem is pertaining to android OS, not sure if Smack will consider to offer a fix, or to provide a hook for callback implementation in OS specific application.

The observed problem seems to be same (with solution) as reported in the links below:

05-03 06:53:19.744 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 2
05-03 06:53:20.746 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 1
05-03 06:53:21.747 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 0
05-03 06:53:21.752 4478-13079/org.atalk.android I/aTalk: [8211] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.reconnectingIn().1299 ReconnectionManager starting connection attempt...
05-03 06:53:21.753 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 0
05-03 06:53:21.758 4478-13079/org.atalk.android I/aTalk: [8211] impl.protocol.jabber.ProtocolProviderServiceJabberImpl.reconnectingIn().1299 ReconnectionManager starting connection attempt..
05-03 06:53:21.832 3466-3466/? E/audit: type=1400 audit(1525301601.825:130053): avc:  denied  { read } for  pid=13079 comm=536D61636B205265636F6E6E656374 name="u:object_r:net_dns_prop:s0" dev="tmpfs" ino=2408 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file permissive=0 SEPF_SM-N950F_8.0.0_0002 audit_filtered
    type=1300 audit(1525301601.825:130053): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c8580fa0 a2=a8000 a3=0 items=0 ppid=4054 pid=13079 auid=4294967295 uid=10272 gid=10272 euid=10272 suid=10272 fsuid=10272 egid=10272 sgid=10272 fsgid=10272 tty=(none) ses=4294967295 comm=536D61636B205265636F6E6E656374 exe="/system/bin/app_process32" subj=u:r:untrusted_app:s0:c512,c768 key=(null)
    type=1327 audit(1525301601.825:130053): proctitle="org.atalk.android"
05-03 06:53:21.833 4478-13079/org.atalk.android E/libc: Access denied finding property "net.dns1"
    Access denied finding property "net.dns2"
05-03 06:53:21.834 3466-3466/? E/audit: type=1300 audit(1525301601.829:130054): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c8580fa0 a2=a8000 a3=0 items=0 ppid=4054 pid=13079 auid=4294967295 uid=10272 gid=10272 euid=10272 suid=10272 fsuid=10272 egid=10272 sgid=10272 fsgid=10272 tty=(none) ses=4294967295 comm=536D61636B205265636F6E6E656374 exe="/system/bin/app_process32" subj=u:r:untrusted_app:s0:c512,c768 key=(null)
    type=1327 audit(1525301601.829:130054): proctitle="org.atalk.android"
05-03 06:53:21.834 4478-13079/org.atalk.android E/libc: Access denied finding property "net.dns3"
05-03 06:53:21.834 3466-3466/? E/audit: type=1400 audit(1525301601.829:130055): avc:  denied  { read } for  pid=13079 comm=536D61636B205265636F6E6E656374 name="u:object_r:net_dns_prop:s0" dev="tmpfs" ino=2408 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file permissive=0 SEPF_SM-N950F_8.0.0_0002 audit_filtered
    type=1300 audit(1525301601.829:130055): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c8580fa0 a2=a8000 a3=0 items=0 ppid=4054 pid=13079 auid=4294967295 uid=10272 gid=10272 euid=10272 suid=10272 fsuid=10272 egid=10272 sgid=10272 fsgid=10272 tty=(none) ses=4294967295 comm=536D61636B205265636F6E6E656374 exe="/system/bin/app_process32" subj=u:r:untrusted_app:s0:c512,c768 key=(null)
    type=1327 audit(1525301601.829:130055): proctitle="org.atalk.android"
05-03 06:53:21.834 4478-13079/org.atalk.android E/libc: Access denied finding property "net.dns4"
05-03 06:53:21.835 3466-3466/? E/audit: type=1300 audit(1525301601.829:130056): arch=40000028 syscall=322 per=8 success=no exit=-13 a0=ffffff9c a1=c8580fa0 a2=a8000 a3=0 items=0 ppid=4054 pid=13079 auid=4294967295 uid=10272 gid=10272 euid=10272 suid=10272 fsuid=10272 egid=10272 sgid=10272 fsgid=10272 tty=(none) ses=4294967295 comm=536D61636B205265636F6E6E656374 exe="/system/bin/app_process32" subj=u:r:untrusted_app:s0:c512,c768 key=(null)
    type=1327 audit(1525301601.829:130056): proctitle="org.atalk.android"
05-03 06:53:41.930 4478-13079/org.atalk.android D/SMACK: Reconnection failed due to an exception (XMPPTCPConnection[swordfish@atalk.org/atalk] (0))
    org.jivesoftware.smack.SmackException$ConnectionException: The following addresses failed: 'atalk.sytes.net:5222' failed because: de.measite.minidns.util.MultipleIoException: sendto failed: EPERM (Operation not permitted), failed to connect to /8.8.8.8 (port 53) from /10.139.187.212 (port 59514) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to /2001:4860:4860::8888 (port 53) from /2401:7400:4001:e8f6:1:2:bf29:9a89 (port 39822) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to b.root-servers.net/192.228.79.201 (port 53) from /10.139.187.212 (port 52300) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to l.root-servers.net/2001:500:3::42 (port 53) from /2401:7400:4001:e8f6:1:2:bf29:9a89 (port 42182) after 5000ms
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectUsingConfiguration(XMPPTCPConnection.java:619)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:902)
        at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:383)
        at org.jivesoftware.smack.ReconnectionManager$2.run(ReconnectionManager.java:289)
        at java.lang.Thread.run(Thread.java:764)
05-03 06:53:42.942 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 389
05-03 06:53:43.943 4478-13079/org.atalk.android D/SMACK: XMPPConnection (XMPPTCPConnection[swordfish@atalk.org/atalk] (0)) will reconnect in 388

Flow · May 3, 2018, 7:19am

You do want to declare a dependency to minidns-android21, create an instance of AndroidUsingLinkProperties and register it as DNS server lookup mechanism. But be aware, it looks like AndroidUsingLinkProperties constructor has errornously only protected visibility (this is likely going to change in newer MiniDNS versions).

Flow · May 3, 2018, 7:26am

cmeng:

org.jivesoftware.smack.SmackException$ConnectionException: The following addresses failed: ‘atalk.sytes.net:5222’ failed because: de.measite.minidns.util.MultipleIoException: sendto failed: EPERM (Operation not permitted), failed to connect to /8.8.8.8 (port 53) from /10.139.187.212 (port 59514) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to /2001:4860:4860::8888 (port 53) from /2401:7400:4001:e8f6:1:2:bf29:9a89 (port 39822) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to b.root-servers.net/192.228.79.201 (port 53) from /10.139.187.212 (port 52300) after 5000ms, sendto failed: EPERM (Operation not permitted), failed to connect to l.root-servers.net/2001:500:3::42 (port 53) from /2401:7400:4001:e8f6:1:2:bf29:9a89 (port 42182) after 5000ms

That is what would worry me more, it looks like you are even unable to query the fallback last-resort DNS servers because of EPERM.

Flow · May 3, 2018, 8:41am

For the record: This has been already reported as https://github.com/MiniDNS/minidns/issues/74

cmeng · May 5, 2018, 10:31am

Thanks for the guidance. I have implemented as recommended. However I use the two sources from conversation instead of the one from minidns-android21 also to take care of android-23 requirements etc i.e…
AndroidUsingLinkProperties and AndroidUsingExecLowPriority.

Not sure I have done it correctly, I init the Resolver with the above two files using DNSClient.addDnsServerLookupMechanism during aTalk startup stage, and not when setting up xmppConnection. With this, I see at least android does not throw aTalk out and ReconnectionManager can proceed successfully.

However android 8 also turns off all network access during device standby. The ReconnectionManager actually get triggered only at the time when aTalk is sending keep alive ping. So on android 8 device, aTalk is unable to receive any message while the device is in standby mode. I need to find a way how to resolve this as well.

Inherited from Jitis which implements ParallelResolver using dnsjava, also facing the similar problem.

05-05 18:02:09.037 23302-23370/org.atalk.android E/libc: Access denied finding property "net.dns1"
05-05 18:02:09.038 23302-23370/org.atalk.android E/libc: Access denied finding property "net.dns2"
05-05 18:02:09.038 23302-23370/org.atalk.android E/libc: Access denied finding property "net.dns3"
05-05 18:02:09.039 23302-23370/org.atalk.android E/libc: Access denied finding property "net.dns4"

I try to switch to use minidns, but seems unable to locate DNS.Resolver which is sub-classed by the Jitsi ParallelResolver. Need more investigation on how to migrate to minidns.

Thanks again for your help

[20180522]
aTalk v1.3.0 has fully migrated to use miniDNS and dropped dnsjava library.