MarcoBuster/Magisk
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
8d68ebb074
Magisk/native/jni/su/connect.cpp

120 lines
2.7 KiB
C++
Raw Normal View History

New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <stdio.h>
Clean/refactor includes
2019-02-10 09:57:51 +01:00
#include <magisk.h>
#include <daemon.h>
#include <utils.h>
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
#include "su.h"
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
#define START_ACTIVITY \
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
"/system/bin/app_process", "/system/bin", "com.android.commands.am.Am", \
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
"start", "-n", nullptr, "--user", nullptr, "-f", "0x18000020", "-a"
// 0x18000020 = FLAG_ACTIVITY_NEW_TASK|FLAG_ACTIVITY_MULTIPLE_TASK|FLAG_INCLUDE_STOPPED_PACKAGES
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
Official KitKat support
2018-12-28 09:03:23 +01:00
static inline const char *get_command(const struct su_request *to) {
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
if (to->command[0])
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
return to->command;
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
if (to->shell[0])
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
return to->shell;
return DEFAULT_SHELL;
}
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
static inline void get_user(char *user, struct su_info *info) {
sprintf(user, "%d",
info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_USER
? info->uid / 100000
: 0);
}
static inline void get_uid(char *uid, struct su_info *info) {
sprintf(uid, "%d",
info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_OWNER_MANAGED
? info->uid % 100000
: info->uid);
}
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
static void silent_run(const char **args, struct su_info *info) {
char component[128];
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
sprintf(component, "%s/a.m", info->str[SU_MANAGER].data());
char user[8];
get_user(user, info);
/* Fill in dynamic arguments */
Use REBOOT foreground broadcast
2019-02-01 18:27:51 +01:00
args[5] = component;
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
args[7] = user;
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
exec_t exec {
.pre_exec = []() -> void {
int null = xopen("/dev/null", O_WRONLY | O_CLOEXEC);
dup2(null, STDOUT_FILENO);
dup2(null, STDERR_FILENO);
setenv("CLASSPATH", "/system/framework/am.jar", 1);
},
.fork = fork_dont_care,
.argv = args
};
exec_command(exec);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
}
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
void app_log(struct su_context *ctx) {
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
char fromUid[8];
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
get_uid(fromUid, ctx->info);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
char toUid[8];
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
sprintf(toUid, "%d", ctx->req.uid);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
char pid[8];
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
sprintf(pid, "%d", ctx->pid);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
char policy[2];
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
sprintf(policy, "%d", ctx->info->access.policy);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
Fully migrate Magisk to C++
2018-11-04 09:38:06 +01:00
const char *cmd[] = {
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
START_ACTIVITY, "log",
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
"--ei", "from.uid", fromUid,
"--ei", "to.uid", toUid,
"--ei", "pid", pid,
"--ei", "policy", policy,
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
"--es", "command", get_command(&ctx->req),
Optimize logging in Magisk Manager
2018-10-28 03:06:24 +01:00
"--ez", "notify", ctx->info->access.notify ? "true" : "false",
Fully migrate Magisk to C++
2018-11-04 09:38:06 +01:00
nullptr
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
};
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
silent_run(cmd, ctx->info);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
}
Optimize logging in Magisk Manager
2018-10-28 03:06:24 +01:00
void app_notify(struct su_context *ctx) {
char fromUid[8];
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
get_uid(fromUid, ctx->info);
Optimize logging in Magisk Manager
2018-10-28 03:06:24 +01:00
char policy[2];
sprintf(policy, "%d", ctx->info->access.policy);
Fully migrate Magisk to C++
2018-11-04 09:38:06 +01:00
const char *cmd[] = {
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
START_ACTIVITY, "notify",
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
"--ei", "from.uid", fromUid,
"--ei", "policy", policy,
nullptr
Optimize logging in Magisk Manager
2018-10-28 03:06:24 +01:00
};
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
silent_run(cmd, ctx->info);
Optimize logging in Magisk Manager
2018-10-28 03:06:24 +01:00
}
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
void app_connect(const char *socket, struct su_info *info) {
Fully migrate Magisk to C++
2018-11-04 09:38:06 +01:00
const char *cmd[] = {
Directly communicate with Activity Since Android Q does not allow launching activities from the background (Services/BroadcastReceivers) and our native process is root, directly launch activities and use it for communication between native and app. The target activity is not exported, so non-root apps cannot send an intent to fool Magisk Manager. This is as safe as the previous implementation, which uses protected system broadcasts. This also workaround broadcast limitations in many ROMs (especially in Chinese ROMs) which blocks the su request dialog if the app is frozen/force stopped by the system. Close #1326
2019-04-11 05:35:31 +02:00
START_ACTIVITY, "request",
Fully migrate Magisk to C++
2018-11-04 09:38:06 +01:00
"--es", "socket", socket,
nullptr
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
};
Update native su connect broadcast code Use -p <pkg> for supported platforms
2019-01-26 20:53:49 +01:00
silent_run(cmd, info);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
}
Rewrite su daemon and client
2018-10-04 10:59:51 +02:00
void socket_send_request(int fd, struct su_info *info) {
write_key_token(fd, "uid", info->uid);
New method of communication Introduce a new communication method between Magisk and Magisk Manager. Magisk used to hardcode classnames and send broadcast/start activities to specific components. This new method makes no assumption of any class names, so Magisk Manager can easily be fully obfuscated. In addition, the new method connects Magisk and Magisk Manager with random abstract Linux sockets instead of socket files in filesystems, bypassing file system complexities (selinux, permissions and such)
2018-09-16 10:16:18 +02:00
write_string_be(fd, "eof");
}
Reference in New Issue Copy Permalink