Magisk/native/jni/core/daemon.cpp

232 lines
5.0 KiB
C++
Raw Normal View History

2017-04-08 07:37:43 +08:00
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <pthread.h>
#include <signal.h>
2017-04-08 07:37:43 +08:00
#include <sys/un.h>
#include <sys/types.h>
2017-11-28 04:43:46 +08:00
#include <sys/mount.h>
2017-04-08 07:37:43 +08:00
2019-02-10 03:57:51 -05:00
#include <magisk.h>
#include <utils.h>
#include <daemon.h>
#include <selinux.h>
#include <db.h>
#include <resetprop.h>
#include <flags.h>
2019-01-20 17:52:19 -05:00
int SDK_INT = -1;
bool RECOVERY_MODE = false;
static struct stat self_st;
2019-01-20 17:52:19 -05:00
static void verify_client(int client, pid_t pid) {
// Verify caller is the same as server
char path[32];
sprintf(path, "/proc/%d/exe", pid);
struct stat st;
if (stat(path, &st) || st.st_dev != self_st.st_dev || st.st_ino != self_st.st_ino) {
close(client);
pthread_exit(nullptr);
}
2018-10-12 21:46:09 -04:00
}
static void remove_modules() {
LOGI("* Remove all modules and reboot");
rm_rf(MODULEROOT);
rm_rf(MODULEUPGRADE);
reboot();
}
2017-04-22 00:54:08 +08:00
static void *request_handler(void *args) {
2019-09-19 00:13:42 -04:00
int client = reinterpret_cast<intptr_t>(args);
2017-05-05 16:13:26 +08:00
struct ucred credential;
get_client_cred(client, &credential);
if (credential.uid != 0)
verify_client(client, credential.pid);
2017-05-05 16:13:26 +08:00
int req = read_int(client);
2017-05-05 16:13:26 +08:00
switch (req) {
case MAGISKHIDE:
2017-05-05 16:13:26 +08:00
case POST_FS_DATA:
case LATE_START:
2018-08-09 14:52:44 +08:00
case BOOT_COMPLETE:
case SQLITE_CMD:
case BROADCAST_ACK:
Introduce component agnostic communication Usually, the communication between native and the app is done via sending intents to either broadcast or activity. These communication channels are for launching root requests dialogs, sending root request notifications (the toast you see when an app gained root access), and root request logging. Sending intents by am (activity manager) usually requires specifying the component name in the format of <pkg>/<class name>. This means parts of Magisk Manager cannot be randomized or else the native daemon is unable to know where to send data to the app. On modern Android (not sure which API is it introduced), it is possible to send broadcasts to a package, not a specific component. Which component will receive the intent depends on the intent filter declared in AndroidManifest.xml. Since we already have a mechanism in native code to keep track of the package name of Magisk Manager, this makes it perfect to pass intents to Magisk Manager that have components being randomly obfuscated (stub APKs). There are a few caveats though. Although this broadcasting method works perfectly fine on AOSP and most systems, there are OEMs out there shipping ROMs blocking broadcasts unexpectedly. In order to make sure Magisk works in all kinds of scenarios, we run actual tests every boot to determine which communication method should be used. We have 3 methods in total, ordered in preference: 1. Broadcasting to a package 2. Broadcasting to a specific component 3. Starting a specific activity component Method 3 will always work on any device, but the downside is anytime a communication happens, Magisk Manager will steal foreground focus regardless of whether UI is drawn. Method 1 is the only way to support obfuscated stub APKs. The communication test will test method 1 and 2, and if Magisk Manager is able to receive the messages, it will then update the daemon configuration to use whichever is preferable. If none of the broadcasts can be delivered, then the fallback method 3 will be used.
2019-10-21 13:59:04 -04:00
case BROADCAST_TEST:
if (credential.uid != 0) {
2017-05-05 16:13:26 +08:00
write_int(client, ROOT_REQUIRED);
close(client);
2019-01-20 17:52:19 -05:00
return nullptr;
2017-05-05 16:13:26 +08:00
}
default:
break;
}
switch (req) {
case MAGISKHIDE:
magiskhide_handler(client);
break;
case SUPERUSER:
2018-10-04 04:59:51 -04:00
su_daemon_handler(client, &credential);
2017-04-15 03:23:09 +08:00
break;
case CHECK_VERSION:
2019-02-12 05:17:02 -05:00
write_string(client, MAGISK_VERSION ":MAGISK");
2017-04-15 03:23:09 +08:00
close(client);
break;
case CHECK_VERSION_CODE:
2017-04-18 21:31:12 +08:00
write_int(client, MAGISK_VER_CODE);
2017-04-15 03:23:09 +08:00
close(client);
break;
2017-04-15 19:02:07 +08:00
case POST_FS_DATA:
post_fs_data(client);
2017-04-15 19:02:07 +08:00
break;
case LATE_START:
late_start(client);
2017-04-15 19:02:07 +08:00
break;
2018-08-09 14:52:44 +08:00
case BOOT_COMPLETE:
boot_complete(client);
break;
case SQLITE_CMD:
exec_sql(client);
2019-03-04 16:45:18 -05:00
break;
case BROADCAST_ACK:
Introduce component agnostic communication Usually, the communication between native and the app is done via sending intents to either broadcast or activity. These communication channels are for launching root requests dialogs, sending root request notifications (the toast you see when an app gained root access), and root request logging. Sending intents by am (activity manager) usually requires specifying the component name in the format of <pkg>/<class name>. This means parts of Magisk Manager cannot be randomized or else the native daemon is unable to know where to send data to the app. On modern Android (not sure which API is it introduced), it is possible to send broadcasts to a package, not a specific component. Which component will receive the intent depends on the intent filter declared in AndroidManifest.xml. Since we already have a mechanism in native code to keep track of the package name of Magisk Manager, this makes it perfect to pass intents to Magisk Manager that have components being randomly obfuscated (stub APKs). There are a few caveats though. Although this broadcasting method works perfectly fine on AOSP and most systems, there are OEMs out there shipping ROMs blocking broadcasts unexpectedly. In order to make sure Magisk works in all kinds of scenarios, we run actual tests every boot to determine which communication method should be used. We have 3 methods in total, ordered in preference: 1. Broadcasting to a package 2. Broadcasting to a specific component 3. Starting a specific activity component Method 3 will always work on any device, but the downside is anytime a communication happens, Magisk Manager will steal foreground focus regardless of whether UI is drawn. Method 1 is the only way to support obfuscated stub APKs. The communication test will test method 1 and 2, and if Magisk Manager is able to receive the messages, it will then update the daemon configuration to use whichever is preferable. If none of the broadcasts can be delivered, then the fallback method 3 will be used.
2019-10-21 13:59:04 -04:00
broadcast_ack(client);
break;
case BROADCAST_TEST:
broadcast_test(client);
break;
case REMOVE_MODULES:
if (credential.uid == UID_SHELL || credential.uid == UID_ROOT) {
remove_modules();
write_int(client, 0);
} else {
write_int(client, 1);
}
close(client);
break;
2017-05-05 16:13:26 +08:00
default:
2018-07-02 22:11:28 +08:00
close(client);
2017-05-08 03:11:14 +08:00
break;
}
2018-11-07 02:10:38 -05:00
return nullptr;
2017-04-08 07:37:43 +08:00
}
2018-10-12 00:50:47 -04:00
static void main_daemon() {
2018-09-27 03:11:10 -04:00
android_logging();
2017-11-22 16:12:08 +08:00
setsid();
2018-11-04 03:38:06 -05:00
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
restore_rootcon();
2019-06-25 23:31:59 -07:00
// Unmount pre-init patches
if (access(ROOTMNT, F_OK) == 0) {
file_readline(ROOTMNT, [](auto line) -> bool {
umount2(line.data(), MNT_DETACH);
return true;
}, true);
}
2019-06-25 23:31:59 -07:00
int fd = xopen("/dev/null", O_RDWR | O_CLOEXEC);
xdup2(fd, STDOUT_FILENO);
xdup2(fd, STDERR_FILENO);
close(fd);
2018-07-02 22:11:28 +08:00
fd = xopen("/dev/zero", O_RDWR | O_CLOEXEC);
xdup2(fd, STDIN_FILENO);
close(fd);
2017-04-08 07:37:43 +08:00
2019-02-12 05:17:02 -05:00
LOGI(SHOW_VER(Magisk) " daemon started\n");
// Get server stat
stat("/proc/self/exe", &self_st);
2019-01-20 17:52:19 -05:00
// Get API level
parse_prop_file("/system/build.prop", [](auto key, auto val) -> bool {
2019-03-05 20:27:09 -05:00
if (key == "ro.build.version.sdk") {
LOGI("* Device API level: %s\n", val.data());
2019-03-07 20:31:35 -05:00
SDK_INT = parse_int(val);
2019-01-20 17:52:19 -05:00
return false;
}
return true;
});
// Load config status
parse_prop_file(MAGISKTMP "/config", [](auto key, auto val) -> bool {
if (key == "RECOVERYMODE" && val == "true")
RECOVERY_MODE = true;
return true;
});
struct sockaddr_un sun;
2018-10-12 00:50:47 -04:00
socklen_t len = setup_sockaddr(&sun, MAIN_SOCKET);
fd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (xbind(fd, (struct sockaddr*) &sun, len))
2017-11-28 03:42:48 +08:00
exit(1);
xlisten(fd, 10);
2017-04-08 07:37:43 +08:00
// Change process name
2019-02-15 04:31:39 -05:00
set_nice_name("magiskd");
2019-02-10 04:18:50 -05:00
// Block all signals
sigset_t block_set;
2019-02-10 04:18:50 -05:00
sigfillset(&block_set);
2019-01-20 17:52:19 -05:00
pthread_sigmask(SIG_SETMASK, &block_set, nullptr);
2017-05-08 03:11:14 +08:00
// Loop forever to listen for requests
for (;;) {
2019-09-19 00:13:42 -04:00
int client = xaccept4(fd, nullptr, nullptr, SOCK_CLOEXEC);
new_daemon_thread(request_handler, reinterpret_cast<void*>(client));
2017-04-08 07:37:43 +08:00
}
}
void reboot() {
if (RECOVERY_MODE)
exec_command_sync("/system/bin/reboot", "recovery");
else
exec_command_sync("/system/bin/reboot");
}
2018-11-13 02:07:02 -05:00
int switch_mnt_ns(int pid) {
char mnt[32];
snprintf(mnt, sizeof(mnt), "/proc/%d/ns/mnt", pid);
if (access(mnt, R_OK) == -1) return 1; // Maybe process died..
2018-11-13 02:07:02 -05:00
int fd, ret;
fd = xopen(mnt, O_RDONLY);
if (fd < 0) return 1;
// Switch to its namespace
ret = xsetns(fd, 0);
close(fd);
return ret;
}
2019-03-04 16:45:18 -05:00
int connect_daemon(bool create) {
2017-04-08 07:37:43 +08:00
struct sockaddr_un sun;
2018-10-12 00:50:47 -04:00
socklen_t len = setup_sockaddr(&sun, MAIN_SOCKET);
int fd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (connect(fd, (struct sockaddr*) &sun, len)) {
2019-03-04 16:45:18 -05:00
if (!create || getuid() != UID_ROOT || getgid() != UID_ROOT) {
LOGE("No daemon is currently running!\n");
2017-10-14 00:08:12 +08:00
exit(1);
}
int ppid = getpid();
2018-10-12 00:50:47 -04:00
LOGD("client: launching new main daemon process\n");
2018-04-29 12:17:28 +08:00
if (fork_dont_care() == 0) {
2018-10-12 00:50:47 -04:00
close(fd);
// Make sure ppid is not in acct
char src[64], dest[64];
sprintf(src, "/acct/uid_0/pid_%d", ppid);
sprintf(dest, "/acct/uid_0/pid_%d", getpid());
rename(src, dest);
2018-10-12 00:50:47 -04:00
main_daemon();
}
2018-10-12 00:50:47 -04:00
while (connect(fd, (struct sockaddr*) &sun, len))
2017-11-28 03:42:48 +08:00
usleep(10000);
2017-04-08 07:37:43 +08:00
}
return fd;
}