Magisk/native/jni/su/su_daemon.cpp

354 lines
8.3 KiB
C++
Raw Normal View History

2017-04-14 21:21:31 +02:00
#include <unistd.h>
#include <pthread.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
2018-10-04 10:59:51 +02:00
#include <pwd.h>
2018-12-26 04:56:49 +01:00
#include <time.h>
2017-04-14 21:21:31 +02:00
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
2019-06-05 06:21:27 +02:00
#include <sys/mount.h>
2017-04-14 21:21:31 +02:00
2019-07-01 04:09:31 +02:00
#include <logging.h>
2019-02-10 09:57:51 +01:00
#include <daemon.h>
#include <utils.h>
#include <selinux.h>
2017-04-14 21:21:31 +02:00
#include "su.h"
#include "pts.h"
using namespace std;
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static shared_ptr<su_info> cached;
2018-11-04 09:38:06 +01:00
su_info::su_info(unsigned uid) :
uid(uid), access(DEFAULT_SU_ACCESS), mgr_st({}),
2019-04-30 03:26:43 +02:00
timestamp(0), _lock(PTHREAD_MUTEX_INITIALIZER) {}
2018-11-04 09:38:06 +01:00
su_info::~su_info() {
pthread_mutex_destroy(&_lock);
}
2019-09-26 07:49:50 +02:00
mutex_guard su_info::lock() {
return mutex_guard(_lock);
2018-11-04 09:38:06 +01:00
}
bool su_info::is_fresh() {
timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
2019-07-07 21:20:47 +02:00
long current = ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
return current - timestamp < 3000; /* 3 seconds */
2018-12-26 04:56:49 +01:00
}
void su_info::refresh() {
timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
2019-07-07 21:20:47 +02:00
timestamp = ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
2017-05-07 21:08:34 +02:00
}
2017-04-15 20:28:12 +02:00
static void database_check(const shared_ptr<su_info> &info) {
int uid = info->uid;
2019-03-06 14:16:12 +01:00
get_db_settings(info->cfg);
get_db_strings(info->str);
// Check multiuser settings
switch (info->cfg[SU_MULTIUSER_MODE]) {
case MULTIUSER_MODE_OWNER_ONLY:
if (info->uid / 100000) {
uid = -1;
info->access = NO_SU_ACCESS;
}
break;
case MULTIUSER_MODE_OWNER_MANAGED:
uid = info->uid % 100000;
break;
case MULTIUSER_MODE_USER:
default:
break;
}
if (uid > 0)
get_uid_policy(info->access, uid);
// We need to check our manager
if (info->access.log || info->access.notify)
2018-11-05 00:24:08 +01:00
validate_manager(info->str[SU_MANAGER], uid / 100000, &info->mgr_st);
}
2019-09-13 20:05:28 +02:00
static shared_ptr<su_info> get_su_info(unsigned uid) {
2019-09-04 17:04:59 +02:00
LOGD("su: request from uid=[%d]\n", uid);
2019-09-13 20:05:28 +02:00
shared_ptr<su_info> info;
2019-09-04 17:04:59 +02:00
{
2019-09-26 05:55:39 +02:00
mutex_guard lock(cache_lock);
2019-09-04 17:04:59 +02:00
if (!cached || cached->uid != uid || !cached->is_fresh())
cached = make_shared<su_info>(uid);
2019-09-13 20:05:28 +02:00
cached->refresh();
info = cached;
2019-09-04 17:04:59 +02:00
}
2019-09-26 07:49:50 +02:00
auto g = info->lock();
2017-07-16 09:31:40 +02:00
2019-09-13 20:05:28 +02:00
if (info->access.policy == QUERY) {
// Not cached, get data from database
2019-09-13 20:05:28 +02:00
database_check(info);
2019-07-07 21:20:19 +02:00
// If it's root or the manager, allow it silently
2019-09-13 20:05:28 +02:00
if (info->uid == UID_ROOT || (info->uid % 100000) == (info->mgr_st.st_uid % 100000)) {
info->access = SILENT_SU_ACCESS;
return info;
2019-07-07 21:20:19 +02:00
}
// Check su access settings
2019-09-13 20:05:28 +02:00
switch (info->cfg[ROOT_ACCESS]) {
case ROOT_ACCESS_DISABLED:
2018-10-04 20:41:48 +02:00
LOGW("Root access is disabled!\n");
2019-09-13 20:05:28 +02:00
info->access = NO_SU_ACCESS;
break;
case ROOT_ACCESS_ADB_ONLY:
2019-09-13 20:05:28 +02:00
if (info->uid != UID_SHELL) {
2018-10-04 20:41:48 +02:00
LOGW("Root access limited to ADB only!\n");
2019-09-13 20:05:28 +02:00
info->access = NO_SU_ACCESS;
}
break;
case ROOT_ACCESS_APPS_ONLY:
2019-09-13 20:05:28 +02:00
if (info->uid == UID_SHELL) {
2018-10-04 20:41:48 +02:00
LOGW("Root access is disabled for ADB!\n");
2019-09-13 20:05:28 +02:00
info->access = NO_SU_ACCESS;
}
break;
case ROOT_ACCESS_APPS_AND_ADB:
default:
break;
}
2019-09-13 20:05:28 +02:00
if (info->access.policy != QUERY)
return info;
// If still not determined, check if manager exists
2019-09-13 20:05:28 +02:00
if (info->str[SU_MANAGER][0] == '\0') {
info->access = NO_SU_ACCESS;
return info;
2019-07-07 21:20:19 +02:00
}
2019-09-13 20:05:28 +02:00
} else {
return info;
}
2018-10-04 10:59:51 +02:00
// If still not determined, ask manager
2019-07-07 21:20:19 +02:00
struct sockaddr_un addr;
int sockfd = create_rand_socket(&addr);
// Connect manager
Introduce component agnostic communication Usually, the communication between native and the app is done via sending intents to either broadcast or activity. These communication channels are for launching root requests dialogs, sending root request notifications (the toast you see when an app gained root access), and root request logging. Sending intents by am (activity manager) usually requires specifying the component name in the format of <pkg>/<class name>. This means parts of Magisk Manager cannot be randomized or else the native daemon is unable to know where to send data to the app. On modern Android (not sure which API is it introduced), it is possible to send broadcasts to a package, not a specific component. Which component will receive the intent depends on the intent filter declared in AndroidManifest.xml. Since we already have a mechanism in native code to keep track of the package name of Magisk Manager, this makes it perfect to pass intents to Magisk Manager that have components being randomly obfuscated (stub APKs). There are a few caveats though. Although this broadcasting method works perfectly fine on AOSP and most systems, there are OEMs out there shipping ROMs blocking broadcasts unexpectedly. In order to make sure Magisk works in all kinds of scenarios, we run actual tests every boot to determine which communication method should be used. We have 3 methods in total, ordered in preference: 1. Broadcasting to a package 2. Broadcasting to a specific component 3. Starting a specific activity component Method 3 will always work on any device, but the downside is anytime a communication happens, Magisk Manager will steal foreground focus regardless of whether UI is drawn. Method 1 is the only way to support obfuscated stub APKs. The communication test will test method 1 and 2, and if Magisk Manager is able to receive the messages, it will then update the daemon configuration to use whichever is preferable. If none of the broadcasts can be delivered, then the fallback method 3 will be used.
2019-10-21 19:59:04 +02:00
app_socket(addr.sun_path + 1, info);
2019-07-07 21:20:19 +02:00
int fd = socket_accept(sockfd, 60);
if (fd < 0) {
2019-09-13 20:05:28 +02:00
info->access.policy = DENY;
2019-07-07 21:20:19 +02:00
} else {
2019-09-13 20:05:28 +02:00
socket_send_request(fd, info);
2019-07-07 21:20:19 +02:00
int ret = read_int_be(fd);
2019-09-13 20:05:28 +02:00
info->access.policy = ret < 0 ? DENY : static_cast<policy_t>(ret);
2019-07-07 21:20:19 +02:00
close(fd);
2018-10-04 10:59:51 +02:00
}
2019-07-07 21:20:19 +02:00
close(sockfd);
2019-09-13 20:05:28 +02:00
return info;
}
2018-10-04 10:59:51 +02:00
static void set_identity(unsigned uid) {
/*
* Set effective uid back to root, otherwise setres[ug]id will fail
* if uid isn't root.
*/
if (seteuid(0)) {
PLOGE("seteuid (root)");
}
if (setresgid(uid, uid, uid)) {
PLOGE("setresgid (%u)", uid);
}
if (setresuid(uid, uid, uid)) {
PLOGE("setresuid (%u)", uid);
}
}
void su_daemon_handler(int client, struct ucred *credential) {
2018-11-10 08:17:13 +01:00
LOGD("su: request from pid=[%d], client=[%d]\n", credential->pid, client);
2019-07-07 21:20:19 +02:00
su_context ctx = {
2019-09-13 20:05:28 +02:00
.info = get_su_info(credential->uid),
2019-07-07 21:20:19 +02:00
.req = su_request(true),
.pid = credential->pid
};
// Read su_request
xxread(client, &ctx.req, sizeof(su_req_base));
ctx.req.shell = read_string(client);
ctx.req.command = read_string(client);
if (ctx.info->access.log)
app_log(ctx);
else if (ctx.info->access.notify)
app_notify(ctx);
2018-10-04 10:59:51 +02:00
// Fail fast
2019-07-07 21:20:19 +02:00
if (ctx.info->access.policy == DENY) {
LOGW("su: request rejected (%u)", ctx.info->uid);
ctx.info.reset();
2018-10-04 10:59:51 +02:00
write_int(client, DENY);
2018-10-20 22:12:08 +02:00
close(client);
2018-10-04 10:59:51 +02:00
return;
2019-07-07 21:20:19 +02:00
} else if (int child = xfork(); child) {
ctx.info.reset();
2018-10-04 10:59:51 +02:00
// Wait result
2018-11-10 08:17:13 +01:00
LOGD("su: waiting child pid=[%d]\n", child);
2018-10-04 10:59:51 +02:00
int status, code;
if (waitpid(child, &status, 0) > 0)
code = WEXITSTATUS(status);
else
code = -1;
2018-11-10 08:17:13 +01:00
LOGD("su: return code=[%d]\n", code);
2018-10-04 10:59:51 +02:00
write(client, &code, sizeof(code));
close(client);
return;
}
2019-07-07 21:20:19 +02:00
/* The child process will need to setsid, open a pseudo-terminal
* if needed, and will eventually run exec.
* The parent process will wait for the result and
* send the return code back to our client
*/
2018-10-04 10:59:51 +02:00
LOGD("su: fork handler\n");
2018-11-20 07:47:17 +01:00
// Abort upon any error occurred
log_cb.ex = exit;
2018-10-20 22:12:08 +02:00
// ack
write_int(client, 0);
2017-04-14 21:21:31 +02:00
// Become session leader
xsetsid();
// Get pts_slave
char *pts_slave = read_string(client);
// The FDs for each of the streams
2017-04-15 20:28:12 +02:00
int infd = recv_fd(client);
int outfd = recv_fd(client);
int errfd = recv_fd(client);
if (pts_slave[0]) {
2018-06-26 12:45:51 +02:00
LOGD("su: pts_slave=[%s]\n", pts_slave);
// Check pts_slave file is owned by daemon_from_uid
struct stat st;
xstat(pts_slave, &st);
2017-04-15 20:28:12 +02:00
// If caller is not root, ensure the owner of pts_slave is the caller
2019-07-07 21:20:19 +02:00
if(st.st_uid != ctx.info->uid && ctx.info->uid != 0)
2017-04-15 20:28:12 +02:00
LOGE("su: Wrong permission of pts_slave");
// Opening the TTY has to occur after the
// fork() and setsid() so that it becomes
// our controlling TTY and not the daemon's
int ptsfd = xopen(pts_slave, O_RDWR);
2017-04-15 20:28:12 +02:00
2018-10-04 10:59:51 +02:00
if (infd < 0)
infd = ptsfd;
if (outfd < 0)
2017-04-15 20:28:12 +02:00
outfd = ptsfd;
2018-10-04 10:59:51 +02:00
if (errfd < 0)
2017-04-15 20:28:12 +02:00
errfd = ptsfd;
2017-04-14 21:21:31 +02:00
}
free(pts_slave);
// Swap out stdin, stdout, stderr
2017-04-15 20:28:12 +02:00
xdup2(infd, STDIN_FILENO);
xdup2(outfd, STDOUT_FILENO);
xdup2(errfd, STDERR_FILENO);
2017-04-14 21:21:31 +02:00
// Unleash all streams from SELinux hell
setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
setfilecon("/proc/self/fd/1", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
setfilecon("/proc/self/fd/2", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
close(infd);
close(outfd);
close(errfd);
close(client);
2018-10-04 10:59:51 +02:00
// Handle namespaces
2018-10-04 20:41:48 +02:00
if (ctx.req.mount_master)
2019-07-07 21:20:19 +02:00
ctx.info->cfg[SU_MNT_NS] = NAMESPACE_MODE_GLOBAL;
switch (ctx.info->cfg[SU_MNT_NS]) {
2018-10-04 10:59:51 +02:00
case NAMESPACE_MODE_GLOBAL:
LOGD("su: use global namespace\n");
break;
case NAMESPACE_MODE_REQUESTER:
LOGD("su: use namespace of pid=[%d]\n", ctx.pid);
2019-06-05 06:21:27 +02:00
if (switch_mnt_ns(ctx.pid))
LOGD("su: setns failed, fallback to global\n");
2018-10-04 10:59:51 +02:00
break;
case NAMESPACE_MODE_ISOLATE:
LOGD("su: use new isolated namespace\n");
xunshare(CLONE_NEWNS);
2019-06-05 06:21:27 +02:00
xmount(nullptr, "/", nullptr, MS_PRIVATE | MS_REC, nullptr);
2018-10-04 10:59:51 +02:00
break;
2018-06-26 12:45:51 +02:00
}
2019-07-07 21:20:19 +02:00
const char *argv[] = { nullptr, nullptr, nullptr, nullptr };
2018-06-26 12:45:51 +02:00
2019-07-07 21:20:19 +02:00
argv[0] = ctx.req.login ? "-" : ctx.req.shell;
2018-06-26 12:45:51 +02:00
2019-07-07 21:20:19 +02:00
if (ctx.req.command[0]) {
argv[1] = "-c";
argv[2] = ctx.req.command;
}
2017-04-14 21:21:31 +02:00
2019-07-07 21:20:19 +02:00
// Setup environment
umask(022);
char path[32];
2019-07-07 21:20:19 +02:00
snprintf(path, sizeof(path), "/proc/%d/cwd", ctx.pid);
chdir(path);
2019-07-07 21:20:19 +02:00
snprintf(path, sizeof(path), "/proc/%d/environ", ctx.pid);
char buf[4096] = { 0 };
int fd = xopen(path, O_RDONLY);
2019-07-07 21:20:19 +02:00
read(fd, buf, sizeof(buf));
close(fd);
clearenv();
for (size_t pos = 0; buf[pos];) {
putenv(buf + pos);
pos += strlen(buf + pos) + 1;
}
if (!ctx.req.keepenv) {
struct passwd *pw;
pw = getpwuid(ctx.req.uid);
if (pw) {
setenv("HOME", pw->pw_dir, 1);
setenv("USER", pw->pw_name, 1);
setenv("LOGNAME", pw->pw_name, 1);
2019-07-07 21:20:19 +02:00
setenv("SHELL", ctx.req.shell, 1);
2018-11-10 08:17:13 +01:00
}
2018-06-13 12:14:23 +02:00
}
const char *ld_path = getenv("LD_LIBRARY_PATH");
if (ld_path && strncmp(ld_path, ":/apex/com.android.runtime/lib", 30) == 0)
unsetenv("LD_LIBRARY_PATH");
2019-07-07 21:20:19 +02:00
// Unblock all signals
sigset_t block_set;
sigemptyset(&block_set);
sigprocmask(SIG_SETMASK, &block_set, nullptr);
2019-07-07 21:20:19 +02:00
set_identity(ctx.req.uid);
execvp(ctx.req.shell, (char **) argv);
fprintf(stderr, "Cannot execute %s: %s\n", ctx.req.shell, strerror(errno));
PLOGE("exec");
exit(EXIT_FAILURE);
2017-04-14 21:21:31 +02:00
}