Add built-in procfs protection on SDK 24+

More information in the Medium Post: https://medium.com/@topjohnwu/from-anime-game-to-android-system-security-vulnerability-9b955a182f20
2018-11-28 01:27:32 -05:00 · 2018-11-28 01:27:32 -05:00 · f723427b8b
commit f723427b8b
parent f69a004c1c
1 changed files with 6 additions and 0 deletions
--- a/native/jni/daemon/bootstages.cpp
+++ b/native/jni/daemon/bootstages.cpp
@ -432,6 +432,9 @@ static bool magisk_env() {
 	xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
 	xmkdir(SECURE_DIR "/service.d", 0755);

+	CharArray sdk_prop = getprop("ro.build.version.sdk");
+	int sdk = sdk_prop.empty() ? -1 : atoi(sdk_prop);
+
 	LOGI("* Mounting mirrors");
 	Vector<CharArray> mounts;
 	file_to_vector("/proc/mounts", mounts);
@ -462,6 +465,9 @@ static bool magisk_env() {
 #else
 			LOGI("mount: %s\n", MIRRDIR "/vendor");
 #endif
+		} else if (sdk >= 24 && line.contains(" /proc ") && !line.contains("hidepid=2")) {
+			// Enforce hidepid
+			xmount(nullptr, "/proc", nullptr, MS_REMOUNT, "hidepid=2,gid=3009");
 		}
 	}
 	if (!seperate_vendor) {