Magisk/native/jni/init/mount.cpp

311 lines
8.6 KiB
C++
Raw Normal View History

2020-12-06 03:07:47 -08:00
#include <sys/mount.h>
2019-05-27 00:29:43 -07:00
#include <sys/sysmacros.h>
2020-05-03 22:49:54 -07:00
#include <libgen.h>
2019-05-27 00:29:43 -07:00
2022-05-12 02:03:42 -07:00
#include <base.hpp>
2020-03-09 01:50:30 -07:00
#include <selinux.hpp>
#include <magisk.hpp>
2019-05-27 00:29:43 -07:00
2020-03-09 01:50:30 -07:00
#include "init.hpp"
2019-05-27 00:29:43 -07:00
using namespace std;
2019-05-27 02:55:46 -07:00
struct devinfo {
int major;
int minor;
char devname[32];
char partname[32];
char dmname[32];
2019-05-27 02:55:46 -07:00
};
static vector<devinfo> dev_list;
static void parse_device(devinfo *dev, const char *uevent) {
dev->partname[0] = '\0';
parse_prop_file(uevent, [=](string_view key, string_view value) -> bool {
if (key == "MAJOR")
dev->major = parse_int(value.data());
else if (key == "MINOR")
dev->minor = parse_int(value.data());
else if (key == "DEVNAME")
strcpy(dev->devname, value.data());
else if (key == "PARTNAME")
strcpy(dev->partname, value.data());
return true;
});
2019-05-27 02:55:46 -07:00
}
2019-05-27 00:29:43 -07:00
static void collect_devices() {
char path[128];
devinfo dev{};
if (auto dir = xopen_dir("/sys/dev/block"); dir) {
for (dirent *entry; (entry = readdir(dir.get()));) {
if (entry->d_name == "."sv || entry->d_name == ".."sv)
continue;
sprintf(path, "/sys/dev/block/%s/uevent", entry->d_name);
parse_device(&dev, path);
sprintf(path, "/sys/dev/block/%s/dm/name", entry->d_name);
if (access(path, F_OK) == 0) {
auto name = rtrim(full_read(path));
strcpy(dev.dmname, name.data());
}
dev_list.push_back(dev);
}
}
2019-05-27 00:29:43 -07:00
}
2020-05-03 22:49:54 -07:00
static struct {
char partname[32];
char block_dev[64];
2020-05-03 22:49:54 -07:00
} blk_info;
2022-03-16 21:31:22 -07:00
static int64_t setup_block() {
if (dev_list.empty())
collect_devices();
for (int tries = 0; tries < 3; ++tries) {
for (auto &dev : dev_list) {
if (strcasecmp(dev.partname, blk_info.partname) == 0)
LOGD("Setup %s: [%s] (%d, %d)\n", dev.partname, dev.devname, dev.major, dev.minor);
else if (strcasecmp(dev.dmname, blk_info.partname) == 0)
LOGD("Setup %s: [%s] (%d, %d)\n", dev.dmname, dev.devname, dev.major, dev.minor);
else
continue;
dev_t rdev = makedev(dev.major, dev.minor);
2021-01-25 00:19:10 -08:00
xmknod(blk_info.block_dev, S_IFBLK | 0600, rdev);
return rdev;
}
// Wait 10ms and try again
usleep(10000);
dev_list.clear();
collect_devices();
}
// The requested partname does not exist
return -1;
2019-05-27 00:29:43 -07:00
}
static void switch_root(const string &path) {
LOGD("Switch root to %s\n", path.data());
int root = xopen("/", O_RDONLY);
vector<string> mounts;
parse_mnt("/proc/mounts", [&](mntent *me) {
// Skip root and self
if (me->mnt_dir == "/"sv || me->mnt_dir == path)
return true;
// Do not include subtrees
for (const auto &m : mounts) {
if (strncmp(me->mnt_dir, m.data(), m.length()) == 0 && me->mnt_dir[m.length()] == '/')
return true;
}
mounts.emplace_back(me->mnt_dir);
return true;
});
for (auto &dir : mounts) {
auto new_path = path + dir;
2021-08-14 13:29:12 +08:00
xmkdir(new_path.data(), 0755);
xmount(dir.data(), new_path.data(), nullptr, MS_MOVE, nullptr);
}
chdir(path.data());
xmount(path.data(), "/", nullptr, MS_MOVE, nullptr);
chroot(".");
LOGD("Cleaning rootfs\n");
frm_rf(root);
}
2022-03-16 21:31:22 -07:00
void MagiskInit::mount_rules_dir() {
char path[128];
2022-03-16 21:31:22 -07:00
xrealpath(BLOCKDIR, blk_info.block_dev);
xrealpath(MIRRDIR, path);
char *b = blk_info.block_dev + strlen(blk_info.block_dev);
char *p = path + strlen(path);
auto do_mount = [&](const char *type) -> bool {
xmkdir(path, 0755);
bool success = xmount(blk_info.block_dev, path, type, 0, nullptr) == 0;
if (success)
mount_list.emplace_back(path);
return success;
};
// First try userdata
strcpy(blk_info.partname, "userdata");
strcpy(b, "/data");
strcpy(p, "/data");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0) {
// Try NVIDIA naming scheme
strcpy(blk_info.partname, "UDA");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0)
goto cache;
}
2021-01-15 02:23:53 -08:00
// WARNING: DO NOT ATTEMPT TO MOUNT F2FS AS IT MAY CRASH THE KERNEL
// Failure means either f2fs, FDE, or metadata encryption
if (!do_mount("ext4"))
goto cache;
strcpy(p, "/data/unencrypted");
2021-03-13 22:13:39 +08:00
if (xaccess(path, F_OK) == 0) {
// FBE, need to use an unencrypted path
custom_rules_dir = path + "/magisk"s;
} else {
// Skip if /data/adb does not exist
2021-03-13 22:13:39 +08:00
strcpy(p, SECURE_DIR);
if (xaccess(path, F_OK) != 0)
return;
2021-03-13 22:13:39 +08:00
strcpy(p, MODULEROOT);
if (xaccess(path, F_OK) != 0) {
goto cache;
}
// Unencrypted, directly use module paths
2021-03-13 22:13:39 +08:00
custom_rules_dir = string(path);
}
goto success;
cache:
// Fallback to cache
strcpy(blk_info.partname, "cache");
strcpy(b, "/cache");
strcpy(p, "/cache");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0) {
// Try NVIDIA naming scheme
strcpy(blk_info.partname, "CAC");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0)
goto metadata;
}
if (!do_mount("ext4"))
goto metadata;
custom_rules_dir = path + "/magisk"s;
goto success;
metadata:
// Fallback to metadata
strcpy(blk_info.partname, "metadata");
strcpy(b, "/metadata");
strcpy(p, "/metadata");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0 || !do_mount("ext4"))
goto persist;
custom_rules_dir = path + "/magisk"s;
goto success;
persist:
// Fallback to persist
strcpy(blk_info.partname, "persist");
strcpy(b, "/persist");
strcpy(p, "/persist");
2022-03-16 21:31:22 -07:00
if (setup_block() < 0 || !do_mount("ext4"))
return;
custom_rules_dir = path + "/magisk"s;
success:
// Create symlinks so we don't need to go through this logic again
strcpy(p, "/sepolicy.rules");
xsymlink(custom_rules_dir.data(), path);
2020-01-08 22:42:54 +08:00
}
bool LegacySARInit::mount_system_root() {
backup_files();
LOGD("Mounting system_root\n");
strcpy(blk_info.block_dev, "/dev/root");
do {
// Try legacy SAR dm-verity
strcpy(blk_info.partname, "vroot");
2022-03-16 21:31:22 -07:00
auto dev = setup_block();
if (dev >= 0)
goto mount_root;
// Try NVIDIA naming scheme
strcpy(blk_info.partname, "APP");
2022-03-16 21:31:22 -07:00
dev = setup_block();
if (dev >= 0)
goto mount_root;
2021-10-26 00:35:55 -07:00
sprintf(blk_info.partname, "system%s", config->slot);
2022-03-16 21:31:22 -07:00
dev = setup_block();
if (dev >= 0)
goto mount_root;
// Poll forever if rootwait was given in cmdline
2021-10-26 00:35:55 -07:00
} while (config->rootwait);
// We don't really know what to do at this point...
LOGE("Cannot find root partition, abort\n");
exit(1);
mount_root:
xmkdir("/system_root", 0755);
Introduce new boot flow to handle SAR 2SI The existing method for handling legacy SAR is: 1. Mount /sbin tmpfs overlay 2. Dump all patched/new files into /sbin 3. Magic mount root dir and re-exec patched stock init With Android 11 removing the /sbin folder, it is quite obvious that things completely break down right in step 1. To overcome this issue, we have to find a way to swap out the init binary AFTER we re-exec stock init. This is where 2SI comes to rescue! 2SI normal boot procedure is: 1st stage -> Load sepolicy -> 2nd stage -> boot continue... 2SI Magisk boot procedure is: MagiskInit 1st stage -> Stock 1st stage -> MagiskInit 2nd Stage -> -> Stock init load sepolicy -> Stock 2nd stage -> boot continue... As you can see, the trick is to make stock 1st stage init re-exec back into MagiskInit so we can do our setup. This is possible by manipulating some ramdisk files on initramfs based 2SI devices (old ass non SAR devices AND super modern devices like Pixel 3/4), but not possible on device that are stuck using legacy SAR (device that are not that modern but not too old, like Pixel 1/2. Fucking Google logic!!) This commit introduces a new way to intercept stock init re-exec flow: ptrace init with forked tracer, monitor PTRACE_EVENT_EXEC, then swap out the init file with bind mounts right before execv returns! Going through this flow however will lose some necessary backup files, so some bookkeeping has to be done by making the tracer hold these files in memory and act as a daemon. 2nd stage MagiskInit will ack the daemon to release these files at the correct time. It just works™ ¯\_(ツ)_/¯
2020-04-01 04:39:28 -07:00
if (xmount("/dev/root", "/system_root", "ext4", MS_RDONLY, nullptr)) {
if (xmount("/dev/root", "/system_root", "erofs", MS_RDONLY, nullptr)) {
// We don't really know what to do at this point...
LOGE("Cannot mount root partition, abort\n");
exit(1);
}
}
switch_root("/system_root");
2022-03-18 04:58:37 -07:00
// Make dev writable
xmkdir("/dev", 0755);
xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");
mount_list.emplace_back("/dev");
// Use the apex folder to determine whether 2SI (Android 10+)
bool is_two_stage = access("/apex", F_OK) == 0;
LOGD("is_two_stage: [%d]\n", is_two_stage);
2022-01-19 20:28:01 -08:00
#if ENABLE_AVD_HACK
if (!is_two_stage) {
if (config->emulator) {
avd_hack = true;
2022-03-16 21:31:22 -07:00
// These values are hardcoded for API 28 AVD
xmkdir("/dev/block", 0755);
strcpy(blk_info.block_dev, "/dev/block/vde1");
strcpy(blk_info.partname, "vendor");
setup_block();
xmount(blk_info.block_dev, "/vendor", "ext4", MS_RDONLY, nullptr);
}
}
#endif
Logical Resizable Android Partitions support The way how logical partition, or "Logical Resizable Android Partitions" as they say in AOSP source code, is setup makes it impossible to early mount the partitions from the shared super partition with just a few lines of code; in fact, AOSP has a whole "fs_mgr" folder which consist of multiple complex libraries, with 15K lines of code just to deal with the device mapper shenanigans. In order to keep the already overly complicated MagiskInit more managable, I chose NOT to go the route of including fs_mgr directly into MagiskInit. Luckily, starting from Android Q, Google decided to split init startup into 3 stages, with the first stage doing _only_ early mount. This is great news, because we can simply let the stock init do its own thing for us, and we intercept the bootup sequence. So the workflow can be visualized roughly below: Magisk First Stage --> First Stage Mount --> Magisk Second Stage --+ (MagiskInit) (Original Init) (MagiskInit) + + + ...Rest of the boot... <-- Second Stage <-- Selinux Setup <--+ (__________________ Original Init ____________________) The catch here is that after doing all the first stage mounting, /init will pivot /system as root directory (/), leaving us impossible to regain control after we hand it over. So the solution here is to patch fstab in /first_stage_ramdisk on-the-fly to redirect /system to /system_root, making the original init do all the hard work for us and mount required early mount partitions, but skips the step of switching root directory. It will also conveniently hand over execution back to MagiskInit, which we will reuse the routine for patching root directory in normal system-as-root situations.
2019-06-29 00:47:29 -07:00
return is_two_stage;
Logical Resizable Android Partitions support The way how logical partition, or "Logical Resizable Android Partitions" as they say in AOSP source code, is setup makes it impossible to early mount the partitions from the shared super partition with just a few lines of code; in fact, AOSP has a whole "fs_mgr" folder which consist of multiple complex libraries, with 15K lines of code just to deal with the device mapper shenanigans. In order to keep the already overly complicated MagiskInit more managable, I chose NOT to go the route of including fs_mgr directly into MagiskInit. Luckily, starting from Android Q, Google decided to split init startup into 3 stages, with the first stage doing _only_ early mount. This is great news, because we can simply let the stock init do its own thing for us, and we intercept the bootup sequence. So the workflow can be visualized roughly below: Magisk First Stage --> First Stage Mount --> Magisk Second Stage --+ (MagiskInit) (Original Init) (MagiskInit) + + + ...Rest of the boot... <-- Second Stage <-- Selinux Setup <--+ (__________________ Original Init ____________________) The catch here is that after doing all the first stage mounting, /init will pivot /system as root directory (/), leaving us impossible to regain control after we hand it over. So the solution here is to patch fstab in /first_stage_ramdisk on-the-fly to redirect /system to /system_root, making the original init do all the hard work for us and mount required early mount partitions, but skips the step of switching root directory. It will also conveniently hand over execution back to MagiskInit, which we will reuse the routine for patching root directory in normal system-as-root situations.
2019-06-29 00:47:29 -07:00
}
2019-12-05 16:29:45 -05:00
2020-12-06 03:07:47 -08:00
void BaseInit::exec_init() {
// Unmount in reverse order
for (auto &p : reversed(mount_list)) {
2022-01-19 05:12:11 -08:00
if (xumount2(p.data(), MNT_DETACH) == 0)
LOGD("Unmount [%s]\n", p.data());
}
execv("/init", argv);
exit(1);
2019-12-05 16:29:45 -05:00
}
2020-10-26 20:46:15 -07:00
void MagiskInit::setup_tmp(const char *path) {
LOGD("Setup Magisk tmp at %s\n", path);
xmount("tmpfs", path, "tmpfs", 0, "mode=755");
chdir(path);
xmkdir(INTLROOT, 0755);
xmkdir(MIRRDIR, 0);
xmkdir(BLOCKDIR, 0);
2022-03-16 21:31:22 -07:00
mount_rules_dir();
int fd = xopen(INTLROOT "/config", O_WRONLY | O_CREAT, 0);
2022-03-14 04:22:09 -07:00
xwrite(fd, magisk_cfg.buf, magisk_cfg.sz);
close(fd);
// Create applet symlinks
for (int i = 0; applet_names[i]; ++i)
xsymlink("./magisk", applet_names[i]);
2022-03-17 03:15:39 -07:00
xsymlink("./magiskpolicy", "supolicy");
chdir("/");
}