409 lines
11 KiB
C++
Raw Normal View History

#include <sys/types.h>
#include <sys/stat.h>
2021-09-20 04:42:06 -07:00
#include <sys/inotify.h>
2017-04-20 22:45:56 +08:00
#include <unistd.h>
2018-07-13 22:14:32 +08:00
#include <fcntl.h>
2017-07-03 00:57:20 +08:00
#include <dirent.h>
2021-01-10 19:27:54 -08:00
#include <set>
2017-04-20 22:45:56 +08:00
2020-03-09 01:50:30 -07:00
#include <magisk.hpp>
#include <utils.hpp>
#include <db.hpp>
2021-09-12 12:40:34 -07:00
#include "deny.hpp"
2018-11-01 13:23:12 -04:00
2019-01-19 23:59:37 -05:00
using namespace std;
2021-09-20 05:08:25 -07:00
static set<pair<string, string>> *deny_set; /* set of <pkg, process> pair */
static map<int, vector<string_view>> *app_id_proc_map; /* app ID -> list of process */
2021-09-20 04:42:06 -07:00
static int inotify_fd = -1;
// Locks the variables above
2021-09-12 12:40:34 -07:00
static pthread_mutex_t data_lock = PTHREAD_MUTEX_INITIALIZER;
2022-01-17 19:54:33 -08:00
atomic<bool> denylist_enforced = false;
2022-01-17 19:54:33 -08:00
#define do_kill (zygisk_enabled && denylist_enforced)
2021-09-20 05:08:25 -07:00
static void rebuild_map() {
app_id_proc_map->clear();
string data_path(APP_DATA_DIR);
size_t len = data_path.length();
2021-09-20 05:08:25 -07:00
// Collect all user IDs
vector<string> users;
if (auto dir = open_dir(APP_DATA_DIR)) {
for (dirent *entry; (entry = xreaddir(dir.get()));) {
users.emplace_back(entry->d_name);
}
} else {
return;
}
string_view prev_pkg;
struct stat st;
for (const auto &target : *deny_set) {
if (target.first == ISOLATED_MAGIC) {
// Isolated process
(*app_id_proc_map)[-1].emplace_back(target.second);
} else if (prev_pkg == target.first) {
// Optimize the case when it's the same package as previous iteration
(*app_id_proc_map)[to_app_id(st.st_uid)].emplace_back(target.second);
} else {
// Traverse the filesystem to find app ID
for (const auto &user_id : users) {
data_path.resize(len);
data_path += '/';
data_path += user_id;
data_path += '/';
data_path += target.first;
if (stat(data_path.data(), &st) == 0) {
prev_pkg = target.first;
(*app_id_proc_map)[to_app_id(st.st_uid)].emplace_back(target.second);
break;
}
}
}
}
}
2017-07-03 00:57:20 +08:00
// Leave /proc fd opened as we're going to read from it repeatedly
static DIR *procfp;
template<class F>
static void crawl_procfs(F &&fn) {
rewinddir(procfp);
dirent *dp;
int pid;
while ((dp = readdir(procfp))) {
pid = parse_int(dp->d_name);
if (pid > 0 && !fn(pid))
break;
}
2018-10-12 21:46:09 -04:00
}
template <bool str_op(string_view, string_view)>
static bool proc_name_match(int pid, const char *name) {
char buf[4019];
sprintf(buf, "/proc/%d/cmdline", pid);
if (auto fp = open_file(buf, "re")) {
fgets(buf, sizeof(buf), fp.get());
if (str_op(buf, name)) {
2021-09-12 12:40:34 -07:00
LOGD("denylist: kill PID=[%d] (%s)\n", pid, buf);
return true;
}
}
return false;
2018-10-12 21:46:09 -04:00
}
static inline bool str_eql(string_view a, string_view b) { return a == b; }
template<bool str_op(string_view, string_view) = &str_eql>
static void kill_process(const char *name, bool multi = false) {
crawl_procfs([=](int pid) -> bool {
if (proc_name_match<str_op>(pid, name)) {
kill(pid, SIGKILL);
return multi;
}
return true;
});
}
static bool validate(const char *pkg, const char *proc) {
bool pkg_valid = false;
bool proc_valid = true;
if (str_eql(pkg, ISOLATED_MAGIC)) {
pkg_valid = true;
for (char c; (c = *proc); ++proc) {
if (isalnum(c) || c == '_' || c == '.')
continue;
if (c == ':')
break;
proc_valid = false;
break;
}
} else {
for (char c; (c = *pkg); ++pkg) {
if (isalnum(c) || c == '_')
continue;
if (c == '.') {
pkg_valid = true;
continue;
}
pkg_valid = false;
break;
}
for (char c; (c = *proc); ++proc) {
if (isalnum(c) || c == '_' || c == ':' || c == '.')
continue;
proc_valid = false;
break;
}
}
return pkg_valid && proc_valid;
2019-09-01 14:16:12 +08:00
}
static void add_hide_set(const char *pkg, const char *proc) {
2021-09-12 12:40:34 -07:00
LOGI("denylist add: [%s/%s]\n", pkg, proc);
deny_set->emplace(pkg, proc);
if (!do_kill)
2021-09-24 00:22:19 -07:00
return;
if (str_eql(pkg, ISOLATED_MAGIC)) {
// Kill all matching isolated processes
kill_process<&str_starts>(proc, true);
} else {
kill_process(proc);
}
}
static void clear_data() {
delete deny_set;
delete app_id_proc_map;
deny_set = nullptr;
app_id_proc_map = nullptr;
unregister_poll(inotify_fd, true);
inotify_fd = -1;
}
static void inotify_handler(pollfd *pfd) {
union {
inotify_event event;
char buf[512];
} u{};
read(pfd->fd, u.buf, sizeof(u.buf));
if (u.event.name == "packages.xml"sv) {
cached_manager_app_id = -1;
exec_task([] {
mutex_guard lock(data_lock);
rebuild_map();
});
}
}
static bool ensure_data() {
if (app_id_proc_map)
return true;
LOGI("denylist: initializing internal data structures\n");
default_new(deny_set);
char *err = db_exec("SELECT * FROM denylist", [](db_row &row) -> bool {
add_hide_set(row["package_name"].data(), row["process"].data());
return true;
});
db_err_cmd(err, goto error);
default_new(app_id_proc_map);
rebuild_map();
inotify_fd = xinotify_init1(IN_CLOEXEC);
if (inotify_fd < 0) {
goto error;
} else {
// Monitor packages.xml
inotify_add_watch(inotify_fd, "/data/system", IN_CLOSE_WRITE);
pollfd inotify_pfd = { inotify_fd, POLLIN, 0 };
register_poll(&inotify_pfd, inotify_handler);
}
return true;
error:
clear_data();
return false;
}
static int add_list(const char *pkg, const char *proc) {
if (proc[0] == '\0')
proc = pkg;
if (!validate(pkg, proc))
2021-09-12 12:40:34 -07:00
return DENYLIST_INVALID_PKG;
{
2021-09-12 12:40:34 -07:00
mutex_guard lock(data_lock);
if (!ensure_data())
return DAEMON_ERROR;
2021-09-12 12:40:34 -07:00
for (const auto &hide : *deny_set)
if (hide.first == pkg && hide.second == proc)
2021-09-12 12:40:34 -07:00
return DENYLIST_ITEM_EXIST;
add_hide_set(pkg, proc);
2021-09-20 05:08:25 -07:00
rebuild_map();
}
// Add to database
char sql[4096];
snprintf(sql, sizeof(sql),
2021-09-12 12:40:34 -07:00
"INSERT INTO denylist (package_name, process) VALUES('%s', '%s')", pkg, proc);
char *err = db_exec(sql);
db_err_cmd(err, return DAEMON_ERROR);
return DAEMON_SUCCESS;
2017-04-20 22:45:56 +08:00
}
int add_list(int client) {
2021-01-12 00:07:48 -08:00
string pkg = read_string(client);
string proc = read_string(client);
return add_list(pkg.data(), proc.data());
}
2017-04-20 22:45:56 +08:00
static int rm_list(const char *pkg, const char *proc) {
{
2021-09-12 12:40:34 -07:00
mutex_guard lock(data_lock);
if (!ensure_data())
return DAEMON_ERROR;
bool remove = false;
2021-09-12 12:40:34 -07:00
for (auto it = deny_set->begin(); it != deny_set->end();) {
if (it->first == pkg && (proc[0] == '\0' || it->second == proc)) {
remove = true;
2021-09-12 12:40:34 -07:00
LOGI("denylist rm: [%s/%s]\n", it->first.data(), it->second.data());
it = deny_set->erase(it);
} else {
++it;
}
}
if (!remove)
2021-09-12 12:40:34 -07:00
return DENYLIST_ITEM_NOT_EXIST;
2021-09-20 05:08:25 -07:00
rebuild_map();
}
char sql[4096];
if (proc[0] == '\0')
2021-09-12 12:40:34 -07:00
snprintf(sql, sizeof(sql), "DELETE FROM denylist WHERE package_name='%s'", pkg);
else
snprintf(sql, sizeof(sql),
2021-09-12 12:40:34 -07:00
"DELETE FROM denylist WHERE package_name='%s' AND process='%s'", pkg, proc);
char *err = db_exec(sql);
db_err_cmd(err, return DAEMON_ERROR);
return DAEMON_SUCCESS;
2017-04-20 22:45:56 +08:00
}
int rm_list(int client) {
2021-01-12 00:07:48 -08:00
string pkg = read_string(client);
string proc = read_string(client);
return rm_list(pkg.data(), proc.data());
}
void ls_list(int client) {
{
2021-09-12 12:40:34 -07:00
mutex_guard lock(data_lock);
if (!ensure_data()) {
write_int(client, DAEMON_ERROR);
return;
}
write_int(client, DAEMON_SUCCESS);
2021-09-12 12:40:34 -07:00
for (const auto &hide : *deny_set) {
write_int(client, hide.first.size() + hide.second.size() + 1);
xwrite(client, hide.first.data(), hide.first.size());
xwrite(client, "|", 1);
xwrite(client, hide.second.data(), hide.second.size());
}
2021-01-12 00:07:48 -08:00
}
write_int(client, 0);
close(client);
}
2018-11-16 01:15:34 -05:00
static bool str_ends_safe(string_view s, string_view ss) {
// Never kill webview zygote
if (s == "webview_zygote")
return false;
return str_ends(s, ss);
}
2021-09-16 05:27:34 -07:00
static void update_deny_config() {
char sql[64];
sprintf(sql, "REPLACE INTO settings (key,value) VALUES('%s',%d)",
2022-01-17 19:54:33 -08:00
DB_SETTING_KEYS[DENYLIST_CONFIG], denylist_enforced.load());
char *err = db_exec(sql);
db_err(err);
2018-11-16 01:15:34 -05:00
}
2021-09-16 05:27:34 -07:00
int enable_deny() {
2022-01-17 19:54:33 -08:00
if (denylist_enforced) {
2021-09-16 05:27:34 -07:00
return DAEMON_SUCCESS;
} else {
mutex_guard lock(data_lock);
2018-11-16 01:15:34 -05:00
2021-09-16 05:27:34 -07:00
if (access("/proc/self/ns/mnt", F_OK) != 0) {
LOGW("The kernel does not support mount namespace\n");
return DENY_NO_NS;
}
2021-09-16 05:27:34 -07:00
if (procfp == nullptr && (procfp = opendir("/proc")) == nullptr)
return DAEMON_ERROR;
2021-09-16 05:27:34 -07:00
LOGI("* Enable DenyList\n");
2018-11-16 01:15:34 -05:00
2022-01-17 19:54:33 -08:00
denylist_enforced = true;
if (!ensure_data()) {
2022-01-17 19:54:33 -08:00
denylist_enforced = false;
return DAEMON_ERROR;
}
2021-09-20 04:42:06 -07:00
// On Android Q+, also kill blastula pool and all app zygotes
if (SDK_INT >= 29 && zygisk_enabled) {
kill_process("usap32", true);
kill_process("usap64", true);
kill_process<&str_ends_safe>("_zygote", true);
2021-09-20 04:42:06 -07:00
}
2021-09-16 05:27:34 -07:00
}
2021-01-12 00:07:48 -08:00
2021-09-16 05:27:34 -07:00
update_deny_config();
return DAEMON_SUCCESS;
2018-11-16 01:15:34 -05:00
}
2021-09-12 12:40:34 -07:00
int disable_deny() {
2022-01-17 19:54:33 -08:00
if (denylist_enforced) {
denylist_enforced = false;
2021-09-12 12:40:34 -07:00
LOGI("* Disable DenyList\n");
2021-09-16 05:27:34 -07:00
mutex_guard lock(data_lock);
clear_data();
}
2021-09-16 05:27:34 -07:00
update_deny_config();
return DAEMON_SUCCESS;
2018-11-16 01:15:34 -05:00
}
2021-09-16 05:27:34 -07:00
void initialize_denylist() {
2022-01-17 19:54:33 -08:00
if (!denylist_enforced) {
db_settings dbs;
2021-09-12 12:40:34 -07:00
get_db_settings(dbs, DENYLIST_CONFIG);
if (dbs[DENYLIST_CONFIG])
2021-09-16 05:27:34 -07:00
enable_deny();
}
2018-11-16 01:15:34 -05:00
}
2021-09-12 12:40:34 -07:00
bool is_deny_target(int uid, string_view process) {
mutex_guard lock(data_lock);
if (!ensure_data())
return false;
2021-09-20 05:08:25 -07:00
int app_id = to_app_id(uid);
if (app_id >= 90000) {
// Isolated processes
2021-09-20 05:08:25 -07:00
auto it = app_id_proc_map->find(-1);
if (it == app_id_proc_map->end())
return false;
2021-09-20 05:08:25 -07:00
for (const auto &s : it->second) {
if (str_starts(process, s))
return true;
}
} else {
2021-09-20 05:08:25 -07:00
auto it = app_id_proc_map->find(app_id);
if (it == app_id_proc_map->end())
return false;
2021-09-20 05:08:25 -07:00
for (const auto &s : it->second) {
if (s == process)
return true;
}
}
return false;
}