
398 lines
12 KiB
Raw Normal View History

#include <libgen.h>
#include <dlfcn.h>
2021-01-06 23:41:37 -08:00
#include <sys/prctl.h>
2021-08-21 03:52:59 -07:00
#include <android/log.h>
#include <utils.hpp>
2021-08-18 03:44:32 -07:00
#include <daemon.hpp>
#include <magisk.hpp>
2021-09-18 02:38:53 -07:00
#include <db.hpp>
2021-10-05 03:53:11 -07:00
#include "zygisk.hpp"
2021-09-18 14:50:11 -07:00
#include "deny/deny.hpp"
using namespace std;
static void *self_handle = nullptr;
2021-08-21 03:52:59 -07:00
static int zygisk_log(int prio, const char *fmt, va_list ap);
#define zlog(prio) [](auto fmt, auto ap){ return zygisk_log(ANDROID_LOG_##prio, fmt, ap); }
static void zygisk_logging() {
log_cb.d = zlog(DEBUG);
log_cb.i = zlog(INFO);
log_cb.w = zlog(WARN);
log_cb.e = zlog(ERROR);
log_cb.ex = nop_ex;
2021-01-08 00:53:24 -08:00
void self_unload() {
2021-10-14 02:13:23 -07:00
ZLOGD("Request to self unload\n");
2021-09-22 02:46:07 -07:00
// If unhooking failed, do not unload or else it will cause SIGSEGV
2021-01-08 00:53:24 -08:00
if (!unhook_functions())
new_daemon_thread(reinterpret_cast<thread_entry>(&dlclose), self_handle);
2021-09-22 02:46:07 -07:00
static void unload_first_stage(int, siginfo_t *info, void *) {
auto path = static_cast<char *>(info->si_value.sival_ptr);
2021-08-18 03:44:32 -07:00
2021-09-22 02:46:07 -07:00
struct sigaction action{};
action.sa_handler = SIG_DFL;
sigaction(SIGUSR1, &action, nullptr);
2021-09-18 05:11:10 -07:00
// Make sure /proc/self/environ is sanitized
// Filter env and reset MM_ENV_END
2021-01-06 23:41:37 -08:00
static void sanitize_environ() {
2021-09-18 05:11:10 -07:00
char *cur = environ[0];
2021-01-06 23:41:37 -08:00
for (int i = 0; environ[i]; ++i) {
2021-09-22 00:14:22 -07:00
// Copy all env onto the original stack
2021-09-18 05:11:10 -07:00
int len = strlen(environ[i]);
memmove(cur, environ[i], len + 1);
environ[i] = cur;
cur += len + 1;
2021-01-06 23:41:37 -08:00
2021-09-18 05:11:10 -07:00
prctl(PR_SET_MM, PR_SET_MM_ENV_END, cur, 0, 0);
2021-01-06 23:41:37 -08:00
2021-09-22 00:14:22 -07:00
static void zygisk_cleanup_wait() {
2021-09-22 02:52:33 -07:00
if (self_handle) {
// Wait 10us to make sure none of our code is executing
timespec ts = { .tv_sec = 0, .tv_nsec = 10000L };
nanosleep(&ts, nullptr);
2021-09-22 00:14:22 -07:00
2021-10-27 03:25:54 -07:00
static void second_stage_entry(void *handle, const char *tmp, char *path) {
2021-09-22 00:14:22 -07:00
self_handle = handle;
2021-10-27 03:25:54 -07:00
2021-09-22 00:14:22 -07:00
2021-10-14 02:13:23 -07:00
ZLOGD("inject 2nd stage\n");
2021-09-22 00:14:22 -07:00
// Register signal handler to unload 1st stage
struct sigaction action{};
action.sa_sigaction = unload_first_stage;
sigaction(SIGUSR1, &action, nullptr);
// Schedule to unload 1st stage 10us later
timer_t timer;
sigevent_t event{};
event.sigev_notify = SIGEV_SIGNAL;
event.sigev_signo = SIGUSR1;
event.sigev_value.sival_ptr = path;
timer_create(CLOCK_MONOTONIC, &event, &timer);
itimerspec time{};
time.it_value.tv_nsec = 10000L;
timer_settime(&timer, 0, &time, nullptr);
2021-09-22 00:14:22 -07:00
static void first_stage_entry() {
2021-10-14 02:13:23 -07:00
ZLOGD("inject 1st stage\n");
2021-09-22 00:14:22 -07:00
char *ld = getenv("LD_PRELOAD");
2021-10-27 03:25:54 -07:00
char tmp[128];
strlcpy(tmp, getenv("MAGISKTMP"), sizeof(tmp));
2021-09-22 00:14:22 -07:00
char *path;
if (char *c = strrchr(ld, ':')) {
*c = '\0';
setenv("LD_PRELOAD", ld, 1); // Restore original LD_PRELOAD
path = strdup(c + 1);
} else {
path = strdup(ld);
2021-10-27 03:25:54 -07:00
2021-09-22 00:14:22 -07:00
// Update path to 2nd stage lib
*(strrchr(path, '.') - 1) = '2';
2021-09-22 00:14:22 -07:00
// Load second stage
setenv(INJECT_ENV_2, "1", 1);
void *handle = dlopen(path, RTLD_LAZY);
2021-08-18 03:44:32 -07:00
2021-09-22 00:14:22 -07:00
// Revert path to 1st stage lib
*(strrchr(path, '.') - 1) = '1';
// Run second stage entry
char *env = getenv(SECOND_STAGE_PTR);
decltype(&second_stage_entry) second_stage;
sscanf(env, "%p", &second_stage);
2021-10-27 03:25:54 -07:00
second_stage(handle, tmp, path);
2021-09-22 00:14:22 -07:00
static void zygisk_init() {
if (getenv(INJECT_ENV_2)) {
// Return function pointer to first stage
char buf[128];
snprintf(buf, sizeof(buf), "%p", &second_stage_entry);
setenv(SECOND_STAGE_PTR, buf, 1);
2021-08-18 03:44:32 -07:00
} else if (getenv(INJECT_ENV_1)) {
2021-09-22 00:14:22 -07:00
// The following code runs in zygote/app process
2021-08-18 03:44:32 -07:00
2021-08-21 03:52:59 -07:00
static int zygisk_log(int prio, const char *fmt, va_list ap) {
// If we don't have log pipe set, ask magiskd for it
// This could happen multiple times in zygote because it was closed to prevent crashing
if (logd_fd < 0) {
// Change logging temporarily to prevent infinite recursion and stack overflow
if (int fd = connect_daemon(); fd >= 0) {
write_int(fd, ZYGISK_REQUEST);
write_int(fd, ZYGISK_GET_LOG_PIPE);
if (read_int(fd) == 0) {
logd_fd = recv_fd(fd);
sigset_t mask;
sigset_t orig_mask;
bool sig = false;
// Make sure SIGPIPE won't crash zygote
if (logd_fd >= 0) {
sig = true;
sigaddset(&mask, SIGPIPE);
pthread_sigmask(SIG_BLOCK, &mask, &orig_mask);
int ret = magisk_log(prio, fmt, ap);
if (sig) {
timespec ts{};
sigtimedwait(&mask, nullptr, &ts);
pthread_sigmask(SIG_SETMASK, &orig_mask, nullptr);
return ret;
2021-10-13 04:52:02 -07:00
std::vector<int> remote_get_info(int uid, const char *process, AppInfo *info) {
vector<int> fds;
2021-08-19 04:55:17 -07:00
if (int fd = connect_daemon(); fd >= 0) {
write_int(fd, ZYGISK_REQUEST);
2021-10-13 04:52:02 -07:00
write_int(fd, ZYGISK_GET_INFO);
2021-09-18 02:38:53 -07:00
write_int(fd, uid);
write_string(fd, process);
xxread(fd, info, sizeof(*info));
2021-10-13 04:52:02 -07:00
if (!info->on_denylist) {
fds = recv_fds(fd);
2021-08-19 04:55:17 -07:00
2021-10-13 04:52:02 -07:00
return fds;
2021-08-19 04:55:17 -07:00
2021-08-18 03:44:32 -07:00
// The following code runs in magiskd
2021-10-23 14:38:30 -07:00
static bool get_exe(int pid, char *buf, size_t sz) {
snprintf(buf, sz, "/proc/%d/exe", pid);
return xreadlink(buf, buf, sz) > 0;
static int zygiskd_sockets[] = { -1, -1 };
#define zygiskd_socket zygiskd_sockets[is_64_bit]
static void connect_companion(int client, bool is_64_bit) {
if (zygiskd_socket >= 0) {
// Make sure the socket is still valid
pollfd pfd = { zygiskd_socket, 0, 0 };
poll(&pfd, 1, 0);
if (pfd.revents) {
// Any revent means error
zygiskd_socket = -1;
if (zygiskd_socket < 0) {
int fds[2];
socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, fds);
zygiskd_socket = fds[0];
if (fork_dont_care() == 0) {
string exe = MAGISKTMP + "/magisk" + (is_64_bit ? "64" : "32");
// This fd has to survive exec
fcntl(fds[1], F_SETFD, 0);
char buf[16];
snprintf(buf, sizeof(buf), "%d", fds[1]);
execl(, "zygisk", "companion", buf, (char *) nullptr);
vector<int> module_fds = zygisk_module_fds(is_64_bit);
send_fds(zygiskd_socket,, module_fds.size());
// Wait for ack
if (read_int(zygiskd_socket) != 0) {
send_fd(zygiskd_socket, client);
static timespec last_zygote_start;
static int zygote_start_counts[] = { 0, 0 };
#define zygote_start_count zygote_start_counts[is_64_bit]
#define zygote_started (zygote_start_counts[0] + zygote_start_counts[1])
#define zygote_start_reset(val) { zygote_start_counts[0] = val; zygote_start_counts[1] = val; }
2021-10-19 23:46:38 -07:00
static void setup_files(int client, const sock_cred *cred) {
2021-08-22 02:11:48 -07:00
LOGD("zygisk: setup files for pid=[%d]\n", cred->pid);
2021-08-18 03:44:32 -07:00
2021-08-22 02:11:48 -07:00
char buf[256];
2021-10-23 14:38:30 -07:00
if (!get_exe(cred->pid, buf, sizeof(buf))) {
2021-08-18 03:44:32 -07:00
write_int(client, 1);
bool is_64_bit = str_ends(buf, "64");
if (!zygote_started) {
// First zygote launch, record time
clock_gettime(CLOCK_MONOTONIC, &last_zygote_start);
if (zygote_start_count) {
// This zygote ABI had started before, kill existing zygiskd
zygiskd_sockets[0] = -1;
zygiskd_sockets[1] = -1;
if (zygote_start_count >= 5) {
// Bootloop prevention
timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
if (ts.tv_sec - last_zygote_start.tv_sec > 60) {
// This is very likely manual soft reboot
memcpy(&last_zygote_start, &ts, sizeof(ts));
} else {
// If any zygote relaunched more than 5 times within a minute,
// don't do any setups further to prevent bootloop.
write_int(client, 1);
2021-08-18 03:44:32 -07:00
write_int(client, 0);
send_fd(client, is_64_bit ? app_process_64 : app_process_32);
2021-08-18 03:44:32 -07:00
2021-09-15 01:59:43 -07:00
string path = MAGISKTMP + "/" ZYGISKBIN "/zygisk." + basename(buf);
2021-08-18 03:44:32 -07:00
cp_afc(buf, (path + "").data());
cp_afc(buf, (path + "").data());
2021-10-27 03:25:54 -07:00
write_string(client, MAGISKTMP);
2021-08-18 03:44:32 -07:00
static void magiskd_passthrough(int client) {
bool is_64_bit = read_int(client);
write_int(client, 0);
send_fd(client, is_64_bit ? app_process_64 : app_process_32);
2021-09-20 05:47:15 -07:00
int cached_manager_app_id = -1;
static time_t last_modified = 0;
2021-10-19 23:46:38 -07:00
static void get_process_info(int client, const sock_cred *cred) {
2021-09-18 02:38:53 -07:00
AppInfo info{};
2021-08-19 04:55:17 -07:00
int uid = read_int(client);
string process = read_string(client);
2021-09-20 05:47:15 -07:00
2021-10-13 04:52:02 -07:00
// This function is called on every single zygote process specialization,
2021-09-20 05:47:15 -07:00
// so performance is critical. get_manager_app_id() is expensive as it goes
// through a SQLite query and potentially multiple filesystem stats, so we
// really want to cache the app ID value. Check the last modify timestamp of
// packages.xml and only re-fetch the manager app ID if something changed since
// we last checked. Granularity in seconds is good enough.
// If denylist is enabled, inotify will invalidate the app ID cache for us.
// In this case, we can skip the timestamp check all together.
2021-10-13 04:52:02 -07:00
if (uid != 1000) {
int manager_app_id = cached_manager_app_id;
2021-09-20 05:47:15 -07:00
2021-10-13 04:52:02 -07:00
// Denylist not enabled, check packages.xml timestamp
if (!denylist_enabled && manager_app_id > 0) {
struct stat st{};
stat("/data/system/packages.xml", &st);
if (st.st_atim.tv_sec > last_modified) {
manager_app_id = -1;
last_modified = st.st_atim.tv_sec;
2021-09-20 05:47:15 -07:00
2021-10-13 04:52:02 -07:00
if (manager_app_id < 0) {
manager_app_id = get_manager_app_id();
cached_manager_app_id = manager_app_id;
2021-09-20 05:47:15 -07:00
2021-10-13 04:52:02 -07:00
if (to_app_id(uid) == manager_app_id) {
info.is_magisk_app = true;
} else if (denylist_enabled) {
info.on_denylist = is_deny_target(uid, process);
2021-09-18 02:38:53 -07:00
2021-10-13 04:52:02 -07:00
2021-09-18 02:38:53 -07:00
xwrite(client, &info, sizeof(info));
2021-10-13 04:52:02 -07:00
if (!info.on_denylist) {
char buf[256];
2021-10-23 14:38:30 -07:00
get_exe(cred->pid, buf, sizeof(buf));
2021-10-13 04:52:02 -07:00
vector<int> fds = zygisk_module_fds(str_ends(buf, "64"));
send_fds(client,, fds.size());
2021-08-19 04:55:17 -07:00
2021-08-21 03:52:59 -07:00
static void send_log_pipe(int fd) {
// There is race condition here, but we can't really do much about it...
2021-08-22 02:11:48 -07:00
if (logd_fd >= 0) {
2021-08-21 03:52:59 -07:00
write_int(fd, 0);
send_fd(fd, logd_fd);
} else {
write_int(fd, 1);
2021-10-19 23:46:38 -07:00
void zygisk_handler(int client, const sock_cred *cred) {
2021-08-18 03:44:32 -07:00
int code = read_int(client);
2021-10-23 14:38:30 -07:00
char buf[256];
2021-08-18 03:44:32 -07:00
switch (code) {
setup_files(client, cred);
2021-10-13 04:52:02 -07:00
get_process_info(client, cred);
2021-08-19 04:55:17 -07:00
2021-08-21 03:52:59 -07:00
2021-10-23 14:38:30 -07:00
get_exe(cred->pid, buf, sizeof(buf));
connect_companion(client, str_ends(buf, "64"));
2021-10-17 04:36:18 -07:00
2021-08-18 03:44:32 -07:00