Nix-on-droid login without proot but with chroot and root
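#!/system/bin/sh
# drop_root.sh — run as root (the login script below chroots into it) and
# re-enter the Nix-on-Droid environment as the app's own uid/gid, its
# supplementary groups and its SELinux label, with an empty capability
# bounding set, before exec'ing login-inner.
#
# Requires: stat, pidof, sed, supolicy (Magisk) and a util-linux setpriv
#           (busybox setpriv lacks the options used here).
# Arguments: forwarded unchanged to login-inner.
# Outputs:   diagnostics on stderr; "setpriving" on stdout just before the
#            privilege drop.
# Returns:   1 if the app process is not running, its label cannot be
#            parsed, or setpriv is missing; otherwise does not return.

# The app's uid is the owner of its data directory.
uid=$(stat -c %u /data/data/com.termux.nix) || exit 1

# Any live process of the app: its SELinux context is the one we adopt.
pid=$(pidof -s com.termux.nix)
if test -z "$pid"; then
  # Diagnostics for the "not found" case: which pidof ran, what pgrep sees.
  which -a pidof
  pgrep com.termux.nix
  echo "Nix on Droid App process not found" >&2
  exit 1
fi

label=$(cat "/proc/$pid/attr/current") || exit 1
# Type field of the label, e.g. untrusted_app_27 (constructed example).
# The bracket expression allows untrusted_app with or without a _NN suffix,
# including suffixes containing 0; the previous pattern had the whole
# name inside [...] and silently mis-parsed such labels.
pol_target=$(printf '%s\n' "$label" | sed 's/.*:\(untrusted_app[_0-9]*\):.*/\1/')
# When sed does not match it echoes the whole label back; refuse to feed
# anything but an untrusted_app domain into the policy statement below.
case $pol_target in
  untrusted_app*) ;;
  *)
    echo "unexpected SELinux label for app process: $label" >&2
    exit 1
    ;;
esac

# Runtime (live, non-persistent) policy patch: let the app domain use
# shell_exec-labelled files (/system/bin/sh) as a domain entrypoint.
supolicy --live "allow $pol_target shell_exec file entrypoint"

# Supplementary groups copied from a running app process with `setpriv -d`.
# NOTE(review): 20166/50166 look derived from this device's app uid —
# re-run `setpriv -d` on a device where the app has a different uid.
groups="3003,3004,2000,9997,20166,50166" #used setpriv -d to copy from app
#export LD_LIBRARY_PATH=/data/data/com.termux/files/usr/lib
#exec nsenter -t $pid -m setpriv --reuid $uid --regid $uid --groups $groups --bounding-set -all --selinux-label $label -- /system/bin/sh -c 'exec /data/data/com.termux/files/usr/bin/bash'
#busybox setpriv does not have enough features
#nix-shell -p util-linux --run "setpriv --reuid $uid --regid $uid --groups $groups --bounding-set -all --selinux-label $label -- /system/bin/sh -c 'exec /data/data/com.termux.nix/files/usr/usr/lib/login-inner'"

# Path to a util-linux setpriv; change it for your store, or override it
# with SETPRIV=/path/to/setpriv in the environment.
# NOTE(review): this binary is executed as root and /nix is served from the
# app's data directory (see the bind mounts in the login script), so
# anything that can write there can run code as root.
setpriv="${SETPRIV:-/nix/store/flkd9iwf9mq3lpyz4d519g23nv1b349m-util-linux-2.39.2-bin/bin/setpriv}"
if ! test -x "$setpriv"; then
  echo "setpriv not found at $setpriv (set SETPRIV=/path/to/setpriv)" >&2
  exit 1
fi

echo setpriving
# exec so no root shell lingers as the parent of the unprivileged session.
# The inner sh -c receives "$@" (as $0 = sh, then the args) and forwards
# them to login-inner; with no arguments this is the same command as before.
exec "$setpriv" --reuid "$uid" --regid "$uid" --groups "$groups" \
  --bounding-set -all --selinux-label "$label" -- \
  /system/bin/sh -c 'exec sh /data/data/com.termux.nix/files/usr/usr/lib/login-inner "$@"' sh "$@"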
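#!/system/bin/sh
# root_login.sh — replacement for /data/data/com.termux.nix/files/usr/bin/login
# that enters Nix-on-Droid through a chroot built from bind mounts instead
# of proot. Re-executes itself as root (in a private mount namespace) when
# needed, then either stays root inside the chroot or hands over to
# $HOME/drop_root.sh to fall back to the app uid.
#
# Usage:   root_login.sh [args passed on to login-inner / drop_root.sh]
# Globals: exports USER, HOME, PROOT_TMP_DIR, PROOT_L2S_DIR, PATH, TMPDIR
# Outputs: prompts on stdout, reads answers from stdin
# Returns: does not return on success (exec); non-zero if a mount or the
#          re-exec as root fails (set -e)
#
# I modified /data/data/com.termux.nix/files/usr/bin/login
# for this file, some old stuff is left here
set -eu -o pipefail
#This is a lie if we keep root privs
export USER="nix-on-droid"
export HOME="/data/data/com.termux.nix/files/home"
export PROOT_TMP_DIR=/data/data/com.termux.nix/files/usr/tmp
export PROOT_L2S_DIR=/data/data/com.termux.nix/files/usr/.l2s
export PATH=$PATH:/system/bin/
export TMPDIR=/data/data/com.termux.nix/files/usr/tmp
#change root_login.sh to this file

# Not root yet: offer to re-run this file as root inside its own mount
# namespace (unshare -m) so the bind mounts below stay private to the
# session. On "n" (or any other answer) we fall through and the mount
# steps below fail under set -e.
if test "$(/system/bin/whoami)" != root; then
  echo 'use root? [y/N]'
  read -r x
  if [[ "$x" == "y" ]]; then
    /system/bin/su -c /system/bin/unshare -m "$HOME/root_login.sh"
    exit
  fi
fi

# Leftover from the original login: swap in staged proot/login-inner updates.
if ! /system/bin/pgrep proot-static > /dev/null; then
  if test -e /data/data/com.termux.nix/files/usr/bin/.proot-static.new; then
    echo "Installing new proot-static..."
    /system/bin/mv /data/data/com.termux.nix/files/usr/bin/.proot-static.new /data/data/com.termux.nix/files/usr/bin/proot-static
  fi
  if test -e /data/data/com.termux.nix/files/usr/usr/lib/.login-inner.new; then
    echo "Installing new login-inner..."
    /system/bin/mv /data/data/com.termux.nix/files/usr/usr/lib/.login-inner.new /data/data/com.termux.nix/files/usr/usr/lib/login-inner
  fi
fi

#Script ignores fakeProcStat and fakeProcUptime
CHROOT_PATH=/data/data/com.termux.nix/files/chroot
WORKDIR_PATH=/data/data/com.termux.nix/files/overlayfs_workdirs
mkdir -p "$CHROOT_PATH"
# Top-level directories that come from the Nix-on-Droid install under
# $FILES_USR instead of from the host root.
NOD_DIRS="nix bin etc tmp usr dev/shm"
FILES_USR=/data/data/com.termux.nix/files/usr
#toybox does not have this feature
# Stop our mounts from propagating back into the host namespace.
busybox mount --make-rslave /

# Bind every host top-level directory into the chroot, except those that
# Nix-on-Droid provides itself (mounted from $FILES_USR in the next loop).
# The glob yields "/name/", so both slashes are stripped before comparing
# with the bare names in NOD_DIRS; comparing the raw "/name/" form never
# matched, and the host directory was only hidden because the later mount
# shadowed it.
for DIR in /*/; do
  name=${DIR#/}
  name=${name%/}
  for DIR2 in $NOD_DIRS; do
    if test "$name" = "$DIR2"; then continue 2; fi
  done
  mkdir -p "$CHROOT_PATH/$name"
  mount --rbind "/$name" "$CHROOT_PATH/$name"
done

# Now the Nix-on-Droid provided directories.
for DIR in $NOD_DIRS; do
  mkdir -p "$CHROOT_PATH/$DIR"
  ##somehow mounting overlayfs returns error EINVAL
  #if echo /*/ | grep $DIR;
  #then #merge dirs
  # mkdir -p $WORKDIR_PATH/$DIR
  # strace mount -t overlay \
  # -o lowerdir=/$DIR,upperdir=$FILES_USR/$DIR,workdir=$WORKDIR_PATH/$DIR \
  # overlay $CHROOT_PATH
  #else
  # mount --rbind $FILES_USR/$DIR $CHROOT_PATH/$DIR
  #fi
  mount --rbind "$FILES_USR/$DIR" "$CHROOT_PATH/$DIR"
done

echo "Keep root? [y/N]"
read -r x
if [[ "$x" == "y" ]]; then
  # Stays uid 0 inside the chroot. The chroot is built from rbinds of the
  # whole host root, so it is a convenience, not a privilege boundary.
  exec chroot "$CHROOT_PATH" sh /data/data/com.termux.nix/files/usr/usr/lib/login-inner "$@"
else
  #magisk su changes mount namespace so we have to use something else
  # drop_root.sh switches to the app's uid/groups/SELinux label before
  # starting login-inner.
  exec chroot "$CHROOT_PATH" \
    sh /data/data/com.termux.nix/files/home/drop_root.sh "$@"
fi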