Multi users support

[Magissia]

Xprivacy could get an extended multi users support :

The owner (admin) could force a rule on other users (for example, blocking localisation info for facebook for every users)
The owner (admin) could force a default state for a permission (admin could force block localisation by default for every users)
The owner (admin) could apply rules on apps other user have but admin don't.

Non admin users could check or uncheck whatever it want and have it applied, but if an admin checked something it would apply even if the user uncheck it, the user can know it becaus the checkmark would be grey instaed of empty when uncheking.

On the other side, i don't think the admin should be able to force uncheck an option but the options that can make an app force close (remove internet/storage permission)

[M66B]

See the FAQ about multi-user support.

[Magissia]

Hello, with android 4.3 android added additional support for multi user with example of a game that is user aware and remove the possibility to buy new levels on the said games when a restricted user runs it. Plus since the owner user have root most of the time, it's possible to use roots rights to look at XPrivacy settings for other users than the current one.

[M66B]

I am fully aware of this, since I have already updated XPrivacy for Android 4.3.

[Magissia]

Okay so no plan to support this i guess. Could be a nice feature. Thanks for reading.

[M66B]

Multi-user support will work the exact same way as multi-user support works for Android.

[johnwmail]

Can I logon to primary user, and config the restriction user settings?
When I logon to primary user, the apps id is run as 10xxx, and the restriction user apps id is run as 1010xxx.
Can I still config those uid settings?

What happen, if I remove some app inet permission (gid 3003) with primary user, and then logon to restriction user to enable this app inet permission?
(I don't want let those restriction user, config xprivacy settings)

When I use iptables, I can config any uid.
Can I do that with xprivacy like iptables?

Thank you.

[M66B]

@johnwmail could you please provide some screenshots?

[johnwmail]

Unn. maybe I misunderstand how XPrivacy work, or my bad english.
But provide screenshots? for what?
Thanks.

[johnwmail]

OK, I upload the pic to "http://postimg.org/image/d3jiivzkt/"

I config AndFTP network permission with restriction user(uid 1110108),
After that, AndFTP still can connect the network.

I config AndFTP with primary user(uid 10108) WITH network permission,
and config AndFTP with restriction user(uid 1110108) WITHOUT network permission,
but AndFTP still can connect the network with restriction user(uid 1110108).

Thanks.

[M66B]

The reason I asked for screenshots is that I don't have devices that support multiple users.
You can help me by providing a logcat with XPrivacy debugging enabled for the last case:

I config AndFTP with primary user(uid 10108) WITH network permission,
and config AndFTP with restriction user(uid 1110108) WITHOUT network permission,
but AndFTP still can connect the network with restriction user(uid 1110108).

[M66B]

BTW, if you want to prevent internet access, you will have to restrict the internet category, not the network category and restart the application (or reboot your device).

Also, make sure you have 'inet' in the internet category restricted.

[johnwmail]

HI, the screenshots which I uploaded show you, I already restrict the internet category with 'inet' item.

Sorry, can you tell me the debug procedure? <-- maybe it should add to FAQ (debug procedure)
(should I open XPrivacy? or just open AndFTP ?)

Anyway, here is what I did.
I enable debug option in XPrivacy, then reboot.
then login the shell, then run AndFTP app (uid: 1110108)
shell# logcat -f log "*:D"
then I get the log file, I post it to "http://pastebin.com/GRyatBAP"

Thank you.

[jpeg729]

Running through grep '10108/'
I/XPrivacy( 642): Load fallback restrictions uid=10108/10108 1 ms
I/XPrivacy/XPackageManagerService( 642): get 10108/sdcard storage=!restricted (file) 4 ms
I/XPrivacy/XPackageManagerService( 642): get 10108/media storage=!restricted (file)
I/XPrivacy/XPackageManagerService( 642): get 10108/inet internet=!restricted (file)
I/XPrivacy( 4583): Load fallback restrictions uid=1110108/1110108 0 ms
I/XPrivacy( 4583): Queue usage data=1110108/identification/SERIAL=false size=1
I/XPrivacy( 4583): get 1110108/SERIAL identification=!restricted (file)
I/XPrivacy/XActivity( 4583): Sending usage data=1110108/identification/SERIAL=false size=0 uid=1110108
I/XPrivacy( 4503): Update usage data 1110108/identification/SERIAL=false

1110108 is only asking for identification/SERIAL
10108 asks for inet, and storage stuff.

All of those requests are pretty close together towards the end of the log.

[johnwmail]

Yes, I saw it (grep 10108 | grep -v 1110108)

I/XPrivacy( 642): Load fallback restrictions uid=10108/10108 1 ms
I/XPrivacy/XPackageManagerService( 642): get 10108/sdcard storage=!restricted (file) 4 ms
I/XPrivacy/XPackageManagerService( 642): get 10108/media storage=!restricted (file)
I/XPrivacy/XPackageManagerService( 642): get 10108/inet internet=!restricted (file)

Why will that? any idea?
But when I use iptables to drop uid 1110108 connection,
AndFTP/1110108 can not make the connection,
iptables -I OUTPUT -m owner --uid-owner 1110108 -j DROP

Thank you.

[M66B]

@johnwmail thanks for the logcat! I was able to pinpoint the problem. Could you please try if this version restricts internet (inet) and storage (media and sdcard) correctly on your device? http://d-h.st/pJg

[johnwmail]

Hi, the new version(1.2) does not fix this issues, AndFTP still can make connection.
But now the logcat show me, the connection is make by 1110108.
logcat file: "http://pastebin.com/3nYxn4dq"
Thanks all.

[M66B]

I/XPrivacy(  639): Load fallback restrictions uid=1110108/1110108 0 ms
I/XPrivacy/XProcess(  639): get 1110108/inet internet=!restricted (file) 3 ms
I/XPrivacy/XProcess(  639): get 1110108/media storage=!restricted (file)
I/XPrivacy/XProcess(  639): get 1110108/sdcard storage=!restricted (file) 2 ms

The fix is working, but nothing is restricted for 1110108.
Can you try to restrict the app for the secondary user?

[johnwmail]

Yes, I already did it (restricted inet for 1110108).

maybe XPrivacy only/will use the primary user (10108) restriction setting for secondary user.
now the setting like this:
Primary user(10108): is no restriction for internet category.
Secondary user(1110108): is restricted for all internet category item(include inet).
And I noticed, when I enable debug option on primary user,
the secondary user will also enabled debug option. (look like secondary user will follow primary user setting)
Thank you.

[M66B]

I/XPrivacy(  639): Load fallback restrictions uid=1110108/1110108 0 ms
I/XPrivacy/XProcess(  639): get 1110108/inet internet=!restricted (file) 3 ms
I/XPrivacy/XProcess(  639): get 1110108/media storage=!restricted (file)
I/XPrivacy/XProcess(  639): get 1110108/sdcard storage=!restricted (file) 2 ms

internet and storage are not restricted (!restricted) for 1110108.
So, check your restriction settings for 1110108 (your secondary user).
Make sure the category internet and storage are checked and the functions inet, media and sdcard are checked.

[M66B]

Don't forget to restart the app (kill) or reboot your device.

[johnwmail]

OMG, why you don't trust me already did it?
Please read this "http://postimg.org/image/d3jiivzkt/".

[M66B]

@johnwmail it isn't that I trust you ;-)
It is just what the log file says.

Can you please post a listing of /data/data/biz.bokhorst.xprivacy/shared_prefs

And the contents of:

• biz.bokhorst.xprivacy.provider.10108.xml
• biz.bokhorst.xprivacy.provider.1110108.xml
  (if existing)

[M66B]

This is the relevant part of the log file:

I/XPrivacy(  639): Load fallback restrictions uid=1110108/1110108 0 ms
I/XPrivacy/XProcess(  639): Queue usage data=1110108/internet/inet=false size=225
I/XPrivacy/XProcess(  639): get 1110108/inet internet=!restricted (file) 3 ms
I/XPrivacy/XProcess(  639): Queue usage data=1110108/storage/media=false size=226
I/XPrivacy/XProcess(  639): get 1110108/media storage=!restricted (file)
D/dalvikvm( 3371): GC_CONCURRENT freed 387K, 21% free 9614K/12092K, paused 3ms+3ms, total 37ms
I/XPrivacy/XProcess(  639): Queue usage data=1110108/storage/sdcard=false size=227
I/XPrivacy/XProcess(  639): get 1110108/sdcard storage=!restricted (file) 2 ms
I/ActivityManager(  639): Start proc lysesoft.andftp for activity lysesoft.andftp/.SplashActivity: pid=3549 uid=1110108 gids={50108, 3003, 1028, 1015}

The settings are loaded for the correct uid 1110108.
I can only image that the load silently failed or that the settings weren't saved correctly.
Will further investigate later.

[M66B]

If the settings file load failed, then this would have been logged.
So, the only option that remains is that the settings file doesn't have the correct settings.
I will wait @johnwmail for the contents of

/data/data/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.1110108.xml

[M66B]

I/XPrivacy/XProcess( 639): Queue usage data=1110108/storage/sdcard=false size=227
The queue size is quite big, so did you really kill and restart the app?
Enable the experimental functions in the main XPrivacy settings and you will be able to kill the app from the application details view by pressing on the application icon.

[johnwmail]

http://pastebin.com/rHTrkgr8 <-- 10108

http://pastebin.com/xvycsqUe <-- 1110108

http://pastebin.com/mzXWEq3k 〈-- diff -u 10108 1110108

Secondary user directory is: /data/user/11/some-apps
And /data/user/0 is softlink, link to /data/data/

Thanks all.

[M66B]

The settings file for 1110108 confirms that internet should be restricted.

    <boolean name="Method.internet.getActiveNetworkInfo" value="false" />
    <boolean name="Method.internet.inet" value="false" />
    <boolean name="Method.internet.getNetworkInfo" value="false" />
    <boolean name="Restricted.internet" value="true" />

However, the logcat says something else.
So, I am wondering if the same settings file is read.

Can you please execute:

su
cd /
find | grep 10108

and post the output?

[M66B]

I also like to see the file permissions of the found files.

[johnwmail]

root@grouper:/ # find / |grep 10108
find: /proc/645/task/746/fd/256: No such file or directory
find: /proc/3560: No such file or directory
find: /proc/3561: No such file or directory
find: /proc/3562: No such file or directory
find: /proc/3563: No such file or directory
find: /proc/3564: No such file or directory
/data/data/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.10108.xml
/data/user/11/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.1110108.xml

root@grouper:/ # ls -l /data/data/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.10108.xml
-rw-rw-r-- u0_a138 u0_a138 4433 2013-12-18 16:14 biz.bokhorst.xprivacy.provider.10108.xml
root@grouper:/ # ls -l /data/user/11/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.1110108.xml
-rw-rw-r-- u11_a138 u11_a138 4437 2013-12-24 23:30 biz.bokhorst.xprivacy.provider.1110108.xml

Thanks.

[M66B]

It took quite some research, but this version should provide working multi-user support: http://d-h.st/33y
Please clear XPrivacy data as described in the FAQ before testing.
If it doesn't work, I like to see the output of the following commands:

su
cd /
find | grep 10108

and again the file permissions.

At least three minutes after boot:

ps | grep xpri

Thanks for your patience!

[johnwmail]

When apply rules to secondary user, xprivacy forceclose.

[M66B]

That is too bad.
Could you please provide a logcat of the FC?

[johnwmail]

logcat "http://pastebin.com/SJaQKFv3"

[johnwmail]

root@grouper:/sdcard/tmp # ps |grep xpri
u0_a138 3763 123 697260 29824 ffffffff 4016f7f4 S biz.bokhorst.xprivacy:provider

root@grouper:/sdcard/tmp # find / -name '10108' | xargs ls -l
-rw-r--r-- root u0_a108 0 2013-12-26 23:34 cgroup.clone_children
--w--w--w- root u0_a108 0 2013-12-26 23:34 cgroup.event_control
-rw-r--r-- root u0_a108 0 2013-12-26 23:34 cgroup.procs
-r--r--r-- root u0_a108 0 2013-12-26 23:34 cpuacct.cpufreq
-r--r--r-- root u0_a108 0 2013-12-26 23:34 cpuacct.power
-r--r--r-- root u0_a108 0 2013-12-26 23:34 cpuacct.stat
-rw-r--r-- root u0_a108 0 2013-12-26 23:34 cpuacct.usage
-r--r--r-- root u0_a108 0 2013-12-26 23:34 cpuacct.usage_percpu
-rw-r--r-- root u0_a108 0 2013-12-26 23:34 notify_on_release
-rw-r--r-- root u0_a108 0 2013-12-26 23:34 tasks
-r--r--r-- root root 0 2013-12-26 23:45 tcp_rcv
-r--r--r-- root root 0 2013-12-26 23:45 tcp_snd
-rw-rw-r-- u0_a138 u0_a138 4501 2013-12-26 23:35 biz.bokhorst.xprivacy.provider.10108.xml

[johnwmail]

root@grouper:/sdcard/tmp # find / |grep 10108
/acct/uid/10108
/acct/uid/10108/cpuacct.power
/acct/uid/10108/cpuacct.cpufreq
/acct/uid/10108/cpuacct.stat
/acct/uid/10108/cpuacct.usage_percpu
/acct/uid/10108/cpuacct.usage
/acct/uid/10108/cgroup.clone_children
/acct/uid/10108/cgroup.event_control
/acct/uid/10108/notify_on_release
/acct/uid/10108/cgroup.procs
/acct/uid/10108/tasks
/proc/uid_stat/10108
/proc/uid_stat/10108/tcp_rcv
/proc/uid_stat/10108/tcp_snd
/data/data/biz.bokhorst.xprivacy/shared_prefs/biz.bokhorst.xprivacy.provider.10108.xml

[M66B]

I managed to enabled multi-user on my phone using these instructions:
http://www.pocketables.com/2013/03/how-to-enable-multiple-user-mode-on-cyanogenmod-10-1-and-some-other-android-4-2-2-roms.html

Thanks @jpeg729 !

[M66B]

Switching users (normally done on the lock screen, but this doesn't work on phones):

adb shell am switch-user <user-number>

[M66B]

Since I got multi-user support enabled on my device the chance is a lot bigger this test version will work for you: http://d-h.st/elS

[johnwmail]

Still not work, this version just like the normal version, no force close, but the inet restriction not work on secondary user.
logcat: http://pastebin.com/0zmiZqvG
Thanks.

[M66B]

The logcat seems to be removed ...

[johnwmail]

logcat: http://pastebin.com/Rwf1rEZw
biz.bokhorst.xprivacy.provider.10108.xml: http://pastebin.com/DNeNgyb4
biz.bokhorst.xprivacy.provider.1110108.xml: http://pastebin.com/vYqH6bAX

root@grouper:/sdcard/tmp # ps |grep xpri
u0_a138 4043 123 696212 29204 ffffffff 401097f4 S biz.bokhorst.xprivacy:provider
u11_a138 5286 123 695144 28276 ffffffff 401097f4 S biz.bokhorst.xprivacy:provider

root@grouper:/sdcard/tmp # find / -name '10108' | xargs ls -l
-rw-r--r-- root u11_a108 0 2013-12-27 18:12 cgroup.clone_children
--w--w--w- root u11_a108 0 2013-12-27 18:12 cgroup.event_control
-rw-r--r-- root u11_a108 0 2013-12-27 18:12 cgroup.procs
-r--r--r-- root u11_a108 0 2013-12-27 18:12 cpuacct.cpufreq
-r--r--r-- root u11_a108 0 2013-12-27 18:12 cpuacct.power
-r--r--r-- root u11_a108 0 2013-12-27 18:12 cpuacct.stat
-rw-r--r-- root u11_a108 0 2013-12-27 18:12 cpuacct.usage
-r--r--r-- root u11_a108 0 2013-12-27 18:12 cpuacct.usage_percpu
-rw-r--r-- root u11_a108 0 2013-12-27 18:12 notify_on_release
-rw-r--r-- root u11_a108 0 2013-12-27 18:12 tasks
-r--r--r-- root root 0 2013-12-27 18:45 tcp_rcv
-r--r--r-- root root 0 2013-12-27 18:45 tcp_snd
-rw-rw-r-- u0_a138 u0_a138 4433 2013-12-18 16:14 biz.bokhorst.xprivacy.provider.10108.xml
-rw-rw-r-- u11_a138 u11_a138 4505 2013-12-27 18:10 biz.bokhorst.xprivacy.provider.1110108.xml

[M66B]

I should work now, really ;-)
http://d-h.st/Tib

[johnwmail]

Yeah, this one work with multi user now.
Thank all, thank developers.

[M66B]

Thanks for reporting back!
I am glad it works now.
A nice side effect is that I have multi-user support on my phone now.
BTW, I discovered that rotating the screen 90 degrees allows me to switch users on the lock screen.