Separate hide policies

2019-05-26 02:47:57 -07:00 · 2019-05-26 02:47:57 -07:00 · 8b7b05da68
commit 8b7b05da68
parent 92400ebcab
5 changed files with 109 additions and 101 deletions
--- a/native/jni/Android.mk
+++ b/native/jni/Android.mk
@ -41,6 +41,7 @@ LOCAL_SRC_FILES := \
 	magiskhide/magiskhide.cpp \
 	magiskhide/proc_monitor.cpp \
 	magiskhide/hide_utils.cpp \
+	magiskhide/hide_policy.cpp \
 	resetprop/persist_properties.cpp \
 	resetprop/resetprop.cpp \
 	resetprop/system_property_api.cpp \
--- a/native/jni/magiskhide/hide_policy.cpp
+++ b/native/jni/magiskhide/hide_policy.cpp
@ -0,0 +1,103 @@
+#include <sys/mount.h>
+
+#include <magisk.h>
+#include <utils.h>
+#include <selinux.h>
+#include <resetprop.h>
+
+#include "magiskhide.h"
+
+using namespace std;
+
+static const char *prop_key[] =
+		{ "ro.boot.vbmeta.device_state", "ro.boot.verifiedbootstate", "ro.boot.flash.locked",
+		  "ro.boot.veritymode", "ro.boot.warranty_bit", "ro.warranty_bit", "ro.debuggable",
+		  "ro.secure", "ro.build.type", "ro.build.tags", "ro.build.selinux", nullptr };
+
+static const char *prop_value[] =
+		{ "locked", "green", "1",
+		  "enforcing", "0", "0", "0",
+		  "1", "user", "release-keys", "0", nullptr };
+
+void manage_selinux() {
+	char val;
+	int fd = xopen(SELINUX_ENFORCE, O_RDONLY);
+	xxread(fd, &val, sizeof(val));
+	close(fd);
+	// Permissive
+	if (val == '0') {
+		chmod(SELINUX_ENFORCE, 0640);
+		chmod(SELINUX_POLICY, 0440);
+	}
+}
+
+void hide_sensitive_props() {
+	LOGI("hide_policy: Hiding sensitive props\n");
+
+	// Hide all sensitive props
+	for (int i = 0; prop_key[i]; ++i) {
+		auto value = getprop(prop_key[i]);
+		if (!value.empty() && value != prop_value[i])
+			setprop(prop_key[i], prop_value[i], false);
+	}
+}
+
+static inline void clean_magisk_props() {
+	getprop([](const char *name, auto, auto) -> void {
+		if (strstr(name, "magisk"))
+			deleteprop(name);
+	}, nullptr, false);
+}
+
+static inline void lazy_unmount(const char* mountpoint) {
+	if (umount2(mountpoint, MNT_DETACH) != -1)
+		LOGD("hide_policy: Unmounted (%s)\n", mountpoint);
+}
+
+void hide_daemon(int pid) {
+	RunFinally fin([=]() -> void {
+		// Send resume signal
+		tgkill(pid, pid, SIGCONT);
+		_exit(0);
+	});
+
+	if (switch_mnt_ns(pid))
+		return;
+
+	LOGD("hide_policy: handling PID=[%d]\n", pid);
+	manage_selinux();
+	clean_magisk_props();
+
+	vector<string> targets;
+
+	// Unmount dummy skeletons and /sbin links
+	file_readline("/proc/self/mounts", [&](string_view s) -> bool {
+		if (str_contains(s, "tmpfs /system/") || str_contains(s, "tmpfs /vendor/") ||
+			str_contains(s, "tmpfs /sbin")) {
+			char *path = (char *) s.data();
+			// Skip first token
+			strtok_r(nullptr, " ", &path);
+			targets.emplace_back(strtok_r(nullptr, " ", &path));
+		}
+		return true;
+	});
+
+	for (auto &s : targets)
+		lazy_unmount(s.data());
+	targets.clear();
+
+	// Unmount all Magisk created mounts
+	file_readline("/proc/self/mounts", [&](string_view s) -> bool {
+		if (str_contains(s, BLOCKDIR)) {
+			char *path = (char *) s.data();
+			// Skip first token
+			strtok_r(nullptr, " ", &path);
+			targets.emplace_back(strtok_r(nullptr, " ", &path));
+		}
+		return true;
+	});
+
+	for (auto &s : targets)
+		lazy_unmount(s.data());
+}
+
--- a/native/jni/magiskhide/hide_utils.cpp
+++ b/native/jni/magiskhide/hide_utils.cpp
@ -1,6 +1,5 @@
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <sys/mount.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
@ -11,9 +10,7 @@

 #include <magisk.h>
 #include <utils.h>
-#include <resetprop.h>
 #include <db.h>
-#include <selinux.h>

 #include "magiskhide.h"

@ -21,39 +18,6 @@ using namespace std;

 static pthread_t proc_monitor_thread;

-static const char *prop_key[] =
-	{ "ro.boot.vbmeta.device_state", "ro.boot.verifiedbootstate", "ro.boot.flash.locked",
-	  "ro.boot.veritymode", "ro.boot.warranty_bit", "ro.warranty_bit", "ro.debuggable",
-	  "ro.secure", "ro.build.type", "ro.build.tags", "ro.build.selinux", nullptr };
-
-static const char *prop_value[] =
-	{ "locked", "green", "1",
-	  "enforcing", "0", "0", "0",
-	  "1", "user", "release-keys", "0", nullptr };
-
-void manage_selinux() {
-	char val;
-	int fd = xopen(SELINUX_ENFORCE, O_RDONLY);
-	xxread(fd, &val, sizeof(val));
-	close(fd);
-	// Permissive
-	if (val == '0') {
-		chmod(SELINUX_ENFORCE, 0640);
-		chmod(SELINUX_POLICY, 0440);
-	}
-}
-
-static void hide_sensitive_props() {
-	LOGI("hide_utils: Hiding sensitive props\n");
-
-	// Hide all sensitive props
-	for (int i = 0; prop_key[i]; ++i) {
-		auto value = getprop(prop_key[i]);
-		if (!value.empty() && value != prop_value[i])
-			setprop(prop_key[i], prop_value[i], false);
-	}
-}
-
 // Leave /proc fd opened as we're going to read from it repeatedly
 static DIR *procfp;
 void crawl_procfs(const function<bool (int)> &fn) {
@ -117,13 +81,6 @@ static void kill_process(const char *name) {
 	});
 }

-void clean_magisk_props() {
-	getprop([](const char *name, auto, auto) -> void {
-		if (strstr(name, "magisk"))
-			deleteprop(name);
-	}, nullptr, false);
-}
-
 static int add_list(const char *pkg, const char *proc = "") {
 	if (proc[0] == '\0')
 		proc = pkg;
--- a/native/jni/magiskhide/magiskhide.h
+++ b/native/jni/magiskhide/magiskhide.h
@ -32,11 +32,14 @@ void proc_monitor();
 void update_uid_map();

 // Utility functions
-void manage_selinux();
-void clean_magisk_props();
 void crawl_procfs(const std::function<bool (int)> &fn);
 void crawl_procfs(DIR *dir, const std::function<bool (int)> &fn);

+// Hide policies
+void hide_daemon(int pid);
+void hide_sensitive_props();
+void manage_selinux();
+
 extern bool hide_enabled;
 extern pthread_mutex_t monitor_lock;
 extern std::set<std::pair<std::string, std::string>> hide_set;
--- a/native/jni/magiskhide/proc_monitor.cpp
+++ b/native/jni/magiskhide/proc_monitor.cpp
@ -49,11 +49,6 @@ static inline int read_ns(const int pid, struct stat *st) {
 	return stat(path, st);
 }

-static inline void lazy_unmount(const char* mountpoint) {
-	if (umount2(mountpoint, MNT_DETACH) != -1)
-		LOGD("hide_daemon: Unmounted (%s)\n", mountpoint);
-}
-
 static int parse_ppid(int pid) {
 	char path[32];
 	int ppid;
@ -177,57 +172,6 @@ static void setup_inotify() {
 	}
 }

-/*************************
- * The actual hide daemon
- *************************/
-
-static void hide_daemon(int pid) {
-	RunFinally fin([=]() -> void {
-		// Send resume signal
-		tgkill(pid, pid, SIGCONT);
-		_exit(0);
-	});
-
-	if (switch_mnt_ns(pid))
-		return;
-
-	LOGD("hide_daemon: handling PID=[%d]\n", pid);
-	manage_selinux();
-	clean_magisk_props();
-
-	vector<string> targets;
-
-	// Unmount dummy skeletons and /sbin links
-	file_readline("/proc/self/mounts", [&](string_view s) -> bool {
-		if (str_contains(s, "tmpfs /system/") || str_contains(s, "tmpfs /vendor/") ||
-			str_contains(s, "tmpfs /sbin")) {
-			char *path = (char *) s.data();
-			// Skip first token
-			strtok_r(nullptr, " ", &path);
-			targets.emplace_back(strtok_r(nullptr, " ", &path));
-		}
-		return true;
-	});
-
-	for (auto &s : targets)
-		lazy_unmount(s.data());
-	targets.clear();
-
-	// Unmount all Magisk created mounts
-	file_readline("/proc/self/mounts", [&](string_view s) -> bool {
-		if (str_contains(s, BLOCKDIR)) {
-			char *path = (char *) s.data();
-			// Skip first token
-			strtok_r(nullptr, " ", &path);
-			targets.emplace_back(strtok_r(nullptr, " ", &path));
-		}
-		return true;
-	});
-
-	for (auto &s : targets)
-		lazy_unmount(s.data());
-}
-
 /************************
 * Async signal handlers
 ************************/