Magisk/native/jni/su/su_daemon.cpp

350 lines
8.2 KiB
C++
Raw Normal View History

2017-04-14 19:21:31 +00:00
#include <unistd.h>
#include <pthread.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <signal.h>
2018-10-04 08:59:51 +00:00
#include <pwd.h>
2018-12-26 03:56:49 +00:00
#include <time.h>
2017-04-14 19:21:31 +00:00
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
2019-06-05 04:21:27 +00:00
#include <sys/mount.h>
2017-04-14 19:21:31 +00:00
2020-03-09 08:50:30 +00:00
#include <daemon.hpp>
#include <utils.hpp>
#include <selinux.hpp>
2019-02-10 08:57:51 +00:00
2020-03-09 08:50:30 +00:00
#include "su.hpp"
#include "pts.hpp"
2017-04-14 19:21:31 +00:00
using namespace std;
static pthread_mutex_t cache_lock = PTHREAD_MUTEX_INITIALIZER;
static shared_ptr<su_info> cached;
2018-11-04 08:38:06 +00:00
su_info::su_info(unsigned uid) :
uid(uid), access(DEFAULT_SU_ACCESS), mgr_st({}),
2019-04-30 01:26:43 +00:00
timestamp(0), _lock(PTHREAD_MUTEX_INITIALIZER) {}
2018-11-04 08:38:06 +00:00
su_info::~su_info() {
pthread_mutex_destroy(&_lock);
}
2019-09-26 05:49:50 +00:00
mutex_guard su_info::lock() {
return mutex_guard(_lock);
2018-11-04 08:38:06 +00:00
}
bool su_info::is_fresh() {
timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
2019-07-07 19:20:47 +00:00
long current = ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
return current - timestamp < 3000; /* 3 seconds */
2018-12-26 03:56:49 +00:00
}
void su_info::refresh() {
timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
2019-07-07 19:20:47 +00:00
timestamp = ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
2017-05-07 19:08:34 +00:00
}
2017-04-15 18:28:12 +00:00
static void database_check(const shared_ptr<su_info> &info) {
int uid = info->uid;
2019-03-06 13:16:12 +00:00
get_db_settings(info->cfg);
get_db_strings(info->str);
// Check multiuser settings
switch (info->cfg[SU_MULTIUSER_MODE]) {
case MULTIUSER_MODE_OWNER_ONLY:
if (info->uid / 100000) {
uid = -1;
info->access = NO_SU_ACCESS;
}
break;
case MULTIUSER_MODE_OWNER_MANAGED:
uid = info->uid % 100000;
break;
case MULTIUSER_MODE_USER:
default:
break;
}
if (uid > 0)
get_uid_policy(info->access, uid);
// We need to check our manager
if (info->access.log || info->access.notify)
2018-11-04 23:24:08 +00:00
validate_manager(info->str[SU_MANAGER], uid / 100000, &info->mgr_st);
}
2019-09-13 18:05:28 +00:00
static shared_ptr<su_info> get_su_info(unsigned uid) {
2019-09-04 15:04:59 +00:00
LOGD("su: request from uid=[%d]\n", uid);
2019-09-13 18:05:28 +00:00
shared_ptr<su_info> info;
2019-09-04 15:04:59 +00:00
{
2019-09-26 03:55:39 +00:00
mutex_guard lock(cache_lock);
2019-09-04 15:04:59 +00:00
if (!cached || cached->uid != uid || !cached->is_fresh())
cached = make_shared<su_info>(uid);
2019-09-13 18:05:28 +00:00
cached->refresh();
info = cached;
2019-09-04 15:04:59 +00:00
}
2019-09-26 05:49:50 +00:00
auto g = info->lock();
2017-07-16 07:31:40 +00:00
2019-09-13 18:05:28 +00:00
if (info->access.policy == QUERY) {
// Not cached, get data from database
2019-09-13 18:05:28 +00:00
database_check(info);
2019-07-07 19:20:19 +00:00
// If it's root or the manager, allow it silently
2019-09-13 18:05:28 +00:00
if (info->uid == UID_ROOT || (info->uid % 100000) == (info->mgr_st.st_uid % 100000)) {
info->access = SILENT_SU_ACCESS;
return info;
2019-07-07 19:20:19 +00:00
}
// Check su access settings
2019-09-13 18:05:28 +00:00
switch (info->cfg[ROOT_ACCESS]) {
case ROOT_ACCESS_DISABLED:
2018-10-04 18:41:48 +00:00
LOGW("Root access is disabled!\n");
2019-09-13 18:05:28 +00:00
info->access = NO_SU_ACCESS;
break;
case ROOT_ACCESS_ADB_ONLY:
2019-09-13 18:05:28 +00:00
if (info->uid != UID_SHELL) {
2018-10-04 18:41:48 +00:00
LOGW("Root access limited to ADB only!\n");
2019-09-13 18:05:28 +00:00
info->access = NO_SU_ACCESS;
}
break;
case ROOT_ACCESS_APPS_ONLY:
2019-09-13 18:05:28 +00:00
if (info->uid == UID_SHELL) {
2018-10-04 18:41:48 +00:00
LOGW("Root access is disabled for ADB!\n");
2019-09-13 18:05:28 +00:00
info->access = NO_SU_ACCESS;
}
break;
case ROOT_ACCESS_APPS_AND_ADB:
default:
break;
}
2019-09-13 18:05:28 +00:00
if (info->access.policy != QUERY)
return info;
// If still not determined, check if manager exists
2019-09-13 18:05:28 +00:00
if (info->str[SU_MANAGER][0] == '\0') {
info->access = NO_SU_ACCESS;
return info;
2019-07-07 19:20:19 +00:00
}
2019-09-13 18:05:28 +00:00
} else {
return info;
}
2018-10-04 08:59:51 +00:00
// If still not determined, ask manager
char socket_name[32];
gen_rand_str(socket_name, sizeof(socket_name));
int fd = app_socket(socket_name, info);
2019-07-07 19:20:19 +00:00
if (fd < 0) {
2019-09-13 18:05:28 +00:00
info->access.policy = DENY;
2019-07-07 19:20:19 +00:00
} else {
2019-09-13 18:05:28 +00:00
socket_send_request(fd, info);
2019-07-07 19:20:19 +00:00
int ret = read_int_be(fd);
2019-09-13 18:05:28 +00:00
info->access.policy = ret < 0 ? DENY : static_cast<policy_t>(ret);
2019-07-07 19:20:19 +00:00
close(fd);
2018-10-04 08:59:51 +00:00
}
2019-09-13 18:05:28 +00:00
return info;
}
2018-10-04 08:59:51 +00:00
static void set_identity(unsigned uid) {
/*
* Set effective uid back to root, otherwise setres[ug]id will fail
* if uid isn't root.
*/
if (seteuid(0)) {
PLOGE("seteuid (root)");
}
if (setresgid(uid, uid, uid)) {
PLOGE("setresgid (%u)", uid);
}
if (setresuid(uid, uid, uid)) {
PLOGE("setresuid (%u)", uid);
}
}
void su_daemon_handler(int client, struct ucred *credential) {
2018-11-10 07:17:13 +00:00
LOGD("su: request from pid=[%d], client=[%d]\n", credential->pid, client);
2019-07-07 19:20:19 +00:00
su_context ctx = {
2019-09-13 18:05:28 +00:00
.info = get_su_info(credential->uid),
2019-07-07 19:20:19 +00:00
.req = su_request(true),
.pid = credential->pid
};
// Read su_request
xxread(client, &ctx.req, sizeof(su_req_base));
ctx.req.shell = read_string(client);
ctx.req.command = read_string(client);
if (ctx.info->access.log)
app_log(ctx);
else if (ctx.info->access.notify)
app_notify(ctx);
2018-10-04 08:59:51 +00:00
// Fail fast
2019-07-07 19:20:19 +00:00
if (ctx.info->access.policy == DENY) {
LOGW("su: request rejected (%u)", ctx.info->uid);
ctx.info.reset();
2018-10-04 08:59:51 +00:00
write_int(client, DENY);
2018-10-20 20:12:08 +00:00
close(client);
2018-10-04 08:59:51 +00:00
return;
2019-07-07 19:20:19 +00:00
} else if (int child = xfork(); child) {
ctx.info.reset();
2018-10-04 08:59:51 +00:00
// Wait result
2018-11-10 07:17:13 +00:00
LOGD("su: waiting child pid=[%d]\n", child);
2018-10-04 08:59:51 +00:00
int status, code;
if (waitpid(child, &status, 0) > 0)
code = WEXITSTATUS(status);
else
code = -1;
2018-11-10 07:17:13 +00:00
LOGD("su: return code=[%d]\n", code);
2018-10-04 08:59:51 +00:00
write(client, &code, sizeof(code));
close(client);
return;
}
2019-07-07 19:20:19 +00:00
/* The child process will need to setsid, open a pseudo-terminal
* if needed, and will eventually run exec.
* The parent process will wait for the result and
* send the return code back to our client
*/
2018-10-04 08:59:51 +00:00
LOGD("su: fork handler\n");
2018-11-20 06:47:17 +00:00
// Abort upon any error occurred
log_cb.ex = exit;
2018-10-20 20:12:08 +00:00
// ack
write_int(client, 0);
2017-04-14 19:21:31 +00:00
// Become session leader
xsetsid();
// Get pts_slave
char *pts_slave = read_string(client);
// The FDs for each of the streams
2017-04-15 18:28:12 +00:00
int infd = recv_fd(client);
int outfd = recv_fd(client);
int errfd = recv_fd(client);
if (pts_slave[0]) {
2018-06-26 10:45:51 +00:00
LOGD("su: pts_slave=[%s]\n", pts_slave);
// Check pts_slave file is owned by daemon_from_uid
struct stat st;
xstat(pts_slave, &st);
2017-04-15 18:28:12 +00:00
// If caller is not root, ensure the owner of pts_slave is the caller
2019-07-07 19:20:19 +00:00
if(st.st_uid != ctx.info->uid && ctx.info->uid != 0)
2017-04-15 18:28:12 +00:00
LOGE("su: Wrong permission of pts_slave");
// Opening the TTY has to occur after the
// fork() and setsid() so that it becomes
// our controlling TTY and not the daemon's
int ptsfd = xopen(pts_slave, O_RDWR);
2017-04-15 18:28:12 +00:00
2018-10-04 08:59:51 +00:00
if (infd < 0)
infd = ptsfd;
if (outfd < 0)
2017-04-15 18:28:12 +00:00
outfd = ptsfd;
2018-10-04 08:59:51 +00:00
if (errfd < 0)
2017-04-15 18:28:12 +00:00
errfd = ptsfd;
2017-04-14 19:21:31 +00:00
}
free(pts_slave);
// Swap out stdin, stdout, stderr
2017-04-15 18:28:12 +00:00
xdup2(infd, STDIN_FILENO);
xdup2(outfd, STDOUT_FILENO);
xdup2(errfd, STDERR_FILENO);
2017-04-14 19:21:31 +00:00
// Unleash all streams from SELinux hell
setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon("/proc/self/fd/1", "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon("/proc/self/fd/2", "u:object_r:" SEPOL_FILE_TYPE ":s0");
close(infd);
close(outfd);
close(errfd);
close(client);
2018-10-04 08:59:51 +00:00
// Handle namespaces
2018-10-04 18:41:48 +00:00
if (ctx.req.mount_master)
2019-07-07 19:20:19 +00:00
ctx.info->cfg[SU_MNT_NS] = NAMESPACE_MODE_GLOBAL;
switch (ctx.info->cfg[SU_MNT_NS]) {
2018-10-04 08:59:51 +00:00
case NAMESPACE_MODE_GLOBAL:
LOGD("su: use global namespace\n");
break;
case NAMESPACE_MODE_REQUESTER:
LOGD("su: use namespace of pid=[%d]\n", ctx.pid);
2019-06-05 04:21:27 +00:00
if (switch_mnt_ns(ctx.pid))
LOGD("su: setns failed, fallback to global\n");
2018-10-04 08:59:51 +00:00
break;
case NAMESPACE_MODE_ISOLATE:
LOGD("su: use new isolated namespace\n");
switch_mnt_ns(ctx.pid);
2018-10-04 08:59:51 +00:00
xunshare(CLONE_NEWNS);
2019-06-05 04:21:27 +00:00
xmount(nullptr, "/", nullptr, MS_PRIVATE | MS_REC, nullptr);
2018-10-04 08:59:51 +00:00
break;
2018-06-26 10:45:51 +00:00
}
2019-07-07 19:20:19 +00:00
const char *argv[] = { nullptr, nullptr, nullptr, nullptr };
2018-06-26 10:45:51 +00:00
2019-07-07 19:20:19 +00:00
argv[0] = ctx.req.login ? "-" : ctx.req.shell;
2018-06-26 10:45:51 +00:00
2019-07-07 19:20:19 +00:00
if (ctx.req.command[0]) {
argv[1] = "-c";
argv[2] = ctx.req.command;
}
2017-04-14 19:21:31 +00:00
2019-07-07 19:20:19 +00:00
// Setup environment
umask(022);
char path[32];
2019-07-07 19:20:19 +00:00
snprintf(path, sizeof(path), "/proc/%d/cwd", ctx.pid);
chdir(path);
2019-07-07 19:20:19 +00:00
snprintf(path, sizeof(path), "/proc/%d/environ", ctx.pid);
char buf[4096] = { 0 };
int fd = xopen(path, O_RDONLY);
2019-07-07 19:20:19 +00:00
read(fd, buf, sizeof(buf));
close(fd);
clearenv();
for (size_t pos = 0; buf[pos];) {
putenv(buf + pos);
pos += strlen(buf + pos) + 1;
}
if (!ctx.req.keepenv) {
struct passwd *pw;
pw = getpwuid(ctx.req.uid);
if (pw) {
setenv("HOME", pw->pw_dir, 1);
setenv("USER", pw->pw_name, 1);
setenv("LOGNAME", pw->pw_name, 1);
2019-07-07 19:20:19 +00:00
setenv("SHELL", ctx.req.shell, 1);
2018-11-10 07:17:13 +00:00
}
2018-06-13 10:14:23 +00:00
}
const char *ld_path = getenv("LD_LIBRARY_PATH");
if (ld_path && strncmp(ld_path, ":/apex/com.android.runtime/lib", 30) == 0)
unsetenv("LD_LIBRARY_PATH");
2019-07-07 19:20:19 +00:00
// Unblock all signals
sigset_t block_set;
sigemptyset(&block_set);
sigprocmask(SIG_SETMASK, &block_set, nullptr);
2019-07-07 19:20:19 +00:00
set_identity(ctx.req.uid);
execvp(ctx.req.shell, (char **) argv);
fprintf(stderr, "Cannot execute %s: %s\n", ctx.req.shell, strerror(errno));
PLOGE("exec");
exit(EXIT_FAILURE);
2017-04-14 19:21:31 +00:00
}