mirror of
				https://github.com/topjohnwu/Magisk.git
				synced 2025-10-26 09:08:41 +00:00 
			
		
		
		
	Switch to DB based su config
This commit is contained in:
		| @@ -40,7 +40,7 @@ static void silent_run(char* const args[]) { | |||||||
| } | } | ||||||
|  |  | ||||||
| static int setup_user(struct su_context *ctx, char* user) { | static int setup_user(struct su_context *ctx, char* user) { | ||||||
| 	switch (ctx->user.multiuser_mode) { | 	switch (ctx->info->multiuser_mode) { | ||||||
| 	case MULTIUSER_MODE_OWNER_ONLY:   /* Should already be denied if not owner */ | 	case MULTIUSER_MODE_OWNER_ONLY:   /* Should already be denied if not owner */ | ||||||
| 	case MULTIUSER_MODE_OWNER_MANAGED: | 	case MULTIUSER_MODE_OWNER_MANAGED: | ||||||
| 		sprintf(user, "%d", 0); | 		sprintf(user, "%d", 0); | ||||||
| @@ -60,7 +60,7 @@ void app_send_result(struct su_context *ctx, policy_t policy) { | |||||||
| 	sprintf(toUid, "%d", ctx->to.uid); | 	sprintf(toUid, "%d", ctx->to.uid); | ||||||
|  |  | ||||||
| 	char pid[16]; | 	char pid[16]; | ||||||
| 	sprintf(pid, "%d", ctx->info->pid); | 	sprintf(pid, "%d", ctx->pid); | ||||||
|  |  | ||||||
| 	char user[16]; | 	char user[16]; | ||||||
| 	int notify = setup_user(ctx, user); | 	int notify = setup_user(ctx, user); | ||||||
|   | |||||||
							
								
								
									
										70
									
								
								db.c
									
									
									
									
									
								
							
							
						
						
									
										70
									
								
								db.c
									
									
									
									
									
								
							| @@ -1,4 +1,5 @@ | |||||||
| /* | /* | ||||||
|  | ** Copyright 2017, John Wu (@topjohnwu) | ||||||
| ** Copyright 2013, Koushik Dutta (@koush) | ** Copyright 2013, Koushik Dutta (@koush) | ||||||
| ** | ** | ||||||
| */ | */ | ||||||
| @@ -14,20 +15,15 @@ | |||||||
| #include "magisk.h" | #include "magisk.h" | ||||||
| #include "su.h" | #include "su.h" | ||||||
|  |  | ||||||
| static int database_callback(void *v, int argc, char **argv, char **azColName) { | static int policy_callback(void *v, int argc, char **argv, char **azColName) { | ||||||
| 	struct su_context *ctx = (struct su_context *) v; | 	struct su_context *ctx = (struct su_context *) v; | ||||||
| 	policy_t policy = QUERY; | 	policy_t policy = QUERY; | ||||||
| 	time_t until = 0; | 	time_t until = 0; | ||||||
| 	for(int i = 0; i < argc; i++) { | 	for (int i = 0; i < argc; i++) { | ||||||
| 		if (strcmp(azColName[i], "policy") == 0) { | 		if (strcmp(azColName[i], "policy") == 0) | ||||||
| 			if (argv[i] != NULL) { | 			policy = atoi(argv[i]); | ||||||
| 				policy = atoi(argv[i]); | 		else if (strcmp(azColName[i], "until") == 0) | ||||||
| 			} | 			until = atol(argv[i]); | ||||||
| 		} else if (strcmp(azColName[i], "until") == 0) { |  | ||||||
| 			if (argv[i] != NULL) { |  | ||||||
| 				until = atol(argv[i]); |  | ||||||
| 			} |  | ||||||
| 		} |  | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if (policy == DENY) | 	if (policy == DENY) | ||||||
| @@ -35,18 +31,44 @@ static int database_callback(void *v, int argc, char **argv, char **azColName) { | |||||||
| 	else if (policy == ALLOW && (until == 0 || until > time(NULL))) | 	else if (policy == ALLOW && (until == 0 || until > time(NULL))) | ||||||
| 		ctx->info->policy = ALLOW; | 		ctx->info->policy = ALLOW; | ||||||
|  |  | ||||||
|  | 	LOGD("su_db: query policy=[%d]\n", ctx->info->policy); | ||||||
|  |  | ||||||
|  | 	return 0; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | static int settings_callback(void *v, int argc, char **argv, char **azColName) { | ||||||
|  | 	struct su_context *ctx = (struct su_context *) v; | ||||||
|  | 	int *target, value; | ||||||
|  | 	char *entry; | ||||||
|  | 	for (int i = 0; i < argc; ++i) { | ||||||
|  | 		if (strcmp(azColName[i], "key") == 0) { | ||||||
|  | 			if (strcmp(argv[i], ROOT_ACCESS_ENTRY) == 0) | ||||||
|  | 				target = &ctx->info->root_access; | ||||||
|  | 			else if (strcmp(argv[i], MULTIUSER_MODE_ENTRY) == 0) | ||||||
|  | 				target = &ctx->info->multiuser_mode; | ||||||
|  | 			entry = argv[i]; | ||||||
|  | 		} else if (strcmp(azColName[i], "value") == 0) { | ||||||
|  | 			value = atoi(argv[i]); | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	LOGD("su_db: query %s=[%d]\n", entry, value); | ||||||
|  | 	*target = value; | ||||||
| 	return 0; | 	return 0; | ||||||
| } | } | ||||||
|  |  | ||||||
| void database_check(struct su_context *ctx) { | void database_check(struct su_context *ctx) { | ||||||
| 	sqlite3 *db = NULL; | 	sqlite3 *db = NULL; | ||||||
|  |  | ||||||
|  | 	// Set default values | ||||||
|  | 	ctx->info->root_access = ROOT_ACCESS_APPS_AND_ADB; | ||||||
|  | 	ctx->info->multiuser_mode = MULTIUSER_MODE_OWNER_ONLY; | ||||||
|  | 	ctx->info->policy = QUERY; | ||||||
|  |  | ||||||
| 	// Check if file is readable | 	// Check if file is readable | ||||||
| 	if (access(ctx->user.database_path, R_OK) == -1) | 	if (access(ctx->user.database_path, R_OK) == -1) | ||||||
| 		return; | 		return; | ||||||
|  |  | ||||||
| 	char query[512]; | 	// Open database | ||||||
| 	snprintf(query, sizeof(query), "SELECT policy, until FROM policies WHERE uid=%d", ctx->info->uid % 100000); |  | ||||||
| 	int ret = sqlite3_open_v2(ctx->user.database_path, &db, SQLITE_OPEN_READONLY, NULL); | 	int ret = sqlite3_open_v2(ctx->user.database_path, &db, SQLITE_OPEN_READONLY, NULL); | ||||||
| 	if (ret) { | 	if (ret) { | ||||||
| 		LOGD("sqlite3 open failure: %s\n", sqlite3_errstr(ret)); | 		LOGD("sqlite3 open failure: %s\n", sqlite3_errstr(ret)); | ||||||
| @@ -54,11 +76,21 @@ void database_check(struct su_context *ctx) { | |||||||
| 		return; | 		return; | ||||||
| 	} | 	} | ||||||
| 	 | 	 | ||||||
| 	char *err = NULL; | 	char query[512], *err = NULL; | ||||||
| 	ret = sqlite3_exec(db, query, database_callback, ctx, &err); |  | ||||||
| 	sqlite3_close(db); | 	// Query for policy | ||||||
| 	if (err != NULL) { | 	snprintf(query, sizeof(query), "SELECT policy, until FROM policies WHERE uid=%d", ctx->info->uid % 100000); | ||||||
|  | 	sqlite3_exec(db, query, policy_callback, ctx, &err); | ||||||
|  | 	if (err != NULL) | ||||||
| 		LOGE("sqlite3_exec: %s\n", err); | 		LOGE("sqlite3_exec: %s\n", err); | ||||||
| 		ctx->info->policy = DENY; |  | ||||||
| 	} | 	err = NULL; | ||||||
|  |  | ||||||
|  | 	// Query for settings | ||||||
|  | 	snprintf(query, sizeof(query), "SELECT key, value FROM settings"); | ||||||
|  | 	sqlite3_exec(db, query, settings_callback, ctx, &err); | ||||||
|  | 	if (err != NULL) | ||||||
|  | 		LOGE("sqlite3_exec: %s\n", err); | ||||||
|  |  | ||||||
|  | 	sqlite3_close(db); | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										46
									
								
								su.c
									
									
									
									
									
								
							
							
						
						
									
										46
									
								
								su.c
									
									
									
									
									
								
							| @@ -237,7 +237,7 @@ int su_daemon_main(int argc, char **argv) { | |||||||
| 			printf("%s\n", MAGISKSU_VER_STR); | 			printf("%s\n", MAGISKSU_VER_STR); | ||||||
| 			exit2(EXIT_SUCCESS); | 			exit2(EXIT_SUCCESS); | ||||||
| 		case 'u': | 		case 'u': | ||||||
| 			switch (su_ctx->user.multiuser_mode) { | 			switch (su_ctx->info->multiuser_mode) { | ||||||
| 			case MULTIUSER_MODE_USER: | 			case MULTIUSER_MODE_USER: | ||||||
| 				printf("Owner only: Only owner has root access\n"); | 				printf("Owner only: Only owner has root access\n"); | ||||||
| 				break; | 				break; | ||||||
| @@ -293,34 +293,26 @@ int su_daemon_main(int argc, char **argv) { | |||||||
| 	// Setup done, now every error leads to deny | 	// Setup done, now every error leads to deny | ||||||
| 	err_handler = deny; | 	err_handler = deny; | ||||||
|  |  | ||||||
| 	// Check property of root configuration | 	// Check root_access configuration | ||||||
| 	char *root_prop = getprop(ROOT_ACCESS_PROP); | 	switch (su_ctx->info->root_access) { | ||||||
| 	if (root_prop) { | 	case ROOT_ACCESS_DISABLED: | ||||||
| 		int prop_status = atoi(root_prop); | 		LOGE("Root access is disabled!\n"); | ||||||
| 		switch (prop_status) { | 		exit(EXIT_FAILURE); | ||||||
| 		case ROOT_ACCESS_DISABLED: | 	case ROOT_ACCESS_APPS_ONLY: | ||||||
| 			LOGE("Root access is disabled!\n"); | 		if (su_ctx->info->uid == UID_SHELL) { | ||||||
|  | 			LOGE("Root access is disabled for ADB!\n"); | ||||||
| 			exit(EXIT_FAILURE); | 			exit(EXIT_FAILURE); | ||||||
| 		case ROOT_ACCESS_APPS_ONLY: |  | ||||||
| 			if (su_ctx->info->uid == UID_SHELL) { |  | ||||||
| 				LOGE("Root access is disabled for ADB!\n"); |  | ||||||
| 				exit(EXIT_FAILURE); |  | ||||||
| 			} |  | ||||||
| 			break; |  | ||||||
| 		case ROOT_ACCESS_ADB_ONLY: |  | ||||||
| 			if (su_ctx->info->uid != UID_SHELL) { |  | ||||||
| 				LOGE("Root access limited to ADB only!\n"); |  | ||||||
| 				exit(EXIT_FAILURE); |  | ||||||
| 			} |  | ||||||
| 			break; |  | ||||||
| 		case ROOT_ACCESS_APPS_AND_ADB: |  | ||||||
| 		default: |  | ||||||
| 			break; |  | ||||||
| 		} | 		} | ||||||
| 		free(root_prop); | 		break; | ||||||
| 	} else { | 	case ROOT_ACCESS_ADB_ONLY: | ||||||
| 		// Not initialized yet, set the prop to allow everything by default | 		if (su_ctx->info->uid != UID_SHELL) { | ||||||
| 		setprop(ROOT_ACCESS_PROP, xstr(ROOT_ACCESS_APPS_AND_ADB)); | 			LOGE("Root access limited to ADB only!\n"); | ||||||
|  | 			exit(EXIT_FAILURE); | ||||||
|  | 		} | ||||||
|  | 		break; | ||||||
|  | 	case ROOT_ACCESS_APPS_AND_ADB: | ||||||
|  | 	default: | ||||||
|  | 		break; | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	// New request or no db exist, notify user for response | 	// New request or no db exist, notify user for response | ||||||
|   | |||||||
							
								
								
									
										14
									
								
								su.h
									
									
									
									
									
								
							
							
						
						
									
										14
									
								
								su.h
									
									
									
									
									
								
							| @@ -12,14 +12,14 @@ | |||||||
| #define MAGISKSU_VER_STR  xstr(MAGISK_VERSION) ":MAGISKSU (topjohnwu)" | #define MAGISKSU_VER_STR  xstr(MAGISK_VERSION) ":MAGISKSU (topjohnwu)" | ||||||
|  |  | ||||||
| // Property check for root access | // Property check for root access | ||||||
| #define ROOT_ACCESS_PROP          "persist.magisk.root" | #define ROOT_ACCESS_ENTRY         "root_access" | ||||||
| #define ROOT_ACCESS_DISABLED      0 | #define ROOT_ACCESS_DISABLED      0 | ||||||
| #define ROOT_ACCESS_APPS_ONLY     1 | #define ROOT_ACCESS_APPS_ONLY     1 | ||||||
| #define ROOT_ACCESS_ADB_ONLY      2 | #define ROOT_ACCESS_ADB_ONLY      2 | ||||||
| #define ROOT_ACCESS_APPS_AND_ADB  3 | #define ROOT_ACCESS_APPS_AND_ADB  3 | ||||||
|  |  | ||||||
| // Property for multiuser | // Property for multiuser | ||||||
| #define MULTIUSER_MODE_PROP             "persist.magisk.multiuser" | #define MULTIUSER_MODE_ENTRY            "multiuser_mode" | ||||||
| #define MULTIUSER_MODE_OWNER_ONLY       0 | #define MULTIUSER_MODE_OWNER_ONLY       0 | ||||||
| #define MULTIUSER_MODE_OWNER_MANAGED    1 | #define MULTIUSER_MODE_OWNER_MANAGED    1 | ||||||
| #define MULTIUSER_MODE_USER             2 | #define MULTIUSER_MODE_USER             2 | ||||||
| @@ -51,13 +51,14 @@ typedef enum { | |||||||
|     ALLOW = 2, |     ALLOW = 2, | ||||||
| } policy_t; | } policy_t; | ||||||
|  |  | ||||||
| struct su_initiator { | struct su_info { | ||||||
|     pid_t pid; |  | ||||||
|     unsigned uid; |     unsigned uid; | ||||||
|     policy_t policy; |     policy_t policy; | ||||||
|     pthread_mutex_t lock; |     pthread_mutex_t lock; | ||||||
|     int count; |     int count; | ||||||
|     int clock; |     int clock; | ||||||
|  |     int multiuser_mode; | ||||||
|  |     int root_access; | ||||||
|     struct list_head pos; |     struct list_head pos; | ||||||
| }; | }; | ||||||
|  |  | ||||||
| @@ -75,8 +76,6 @@ struct su_user_info { | |||||||
|     // the user in android userspace (multiuser) |     // the user in android userspace (multiuser) | ||||||
|     // that invoked this action. |     // that invoked this action. | ||||||
|     unsigned android_user_id; |     unsigned android_user_id; | ||||||
|     // how su behaves with multiuser. see enum below. |  | ||||||
|     int multiuser_mode; |  | ||||||
|     // path to superuser directory. this is populated according |     // path to superuser directory. this is populated according | ||||||
|     // to the multiuser mode. |     // to the multiuser mode. | ||||||
|     // this is used to check uid/gid for protecting socket. |     // this is used to check uid/gid for protecting socket. | ||||||
| @@ -89,9 +88,10 @@ struct su_user_info { | |||||||
| }; | }; | ||||||
|  |  | ||||||
| struct su_context { | struct su_context { | ||||||
|     struct su_initiator *info; |     struct su_info *info; | ||||||
|     struct su_request to; |     struct su_request to; | ||||||
|     struct su_user_info user; |     struct su_user_info user; | ||||||
|  |     pid_t pid; | ||||||
|     int notify; |     int notify; | ||||||
|     mode_t umask; |     mode_t umask; | ||||||
|     char sock_path[PATH_MAX]; |     char sock_path[PATH_MAX]; | ||||||
|   | |||||||
							
								
								
									
										37
									
								
								su_daemon.c
									
									
									
									
									
								
							
							
						
						
									
										37
									
								
								su_daemon.c
									
									
									
									
									
								
							| @@ -63,27 +63,16 @@ static void sigpipe_handler(int sig) { | |||||||
| 	LOGD("su: Client killed unexpectedly\n"); | 	LOGD("su: Client killed unexpectedly\n"); | ||||||
| } | } | ||||||
|  |  | ||||||
| static int get_multiuser_mode() { |  | ||||||
| 	char *prop = getprop(MULTIUSER_MODE_PROP); |  | ||||||
| 	if (prop) { |  | ||||||
| 		int ret = atoi(prop); |  | ||||||
| 		free(prop); |  | ||||||
| 		return ret; |  | ||||||
| 	} |  | ||||||
| 	return MULTIUSER_MODE_OWNER_ONLY; |  | ||||||
| } |  | ||||||
|  |  | ||||||
|  |  | ||||||
| // Maintain the lists periodically | // Maintain the lists periodically | ||||||
| static void *collector(void *args) { | static void *collector(void *args) { | ||||||
| 	LOGD("su: collector started\n"); | 	LOGD("su: collector started\n"); | ||||||
| 	struct list_head *pos, *temp; | 	struct list_head *pos, *temp; | ||||||
| 	struct su_initiator *node; | 	struct su_info *node; | ||||||
| 	while(1) { | 	while(1) { | ||||||
| 		sleep(1); | 		sleep(1); | ||||||
| 		pthread_mutex_lock(&list_lock); | 		pthread_mutex_lock(&list_lock); | ||||||
| 		list_for_each(pos, &active_list) { | 		list_for_each(pos, &active_list) { | ||||||
| 			node = list_entry(pos, struct su_initiator, pos); | 			node = list_entry(pos, struct su_info, pos); | ||||||
| 			--node->clock; | 			--node->clock; | ||||||
| 			// Timeout, move to waiting list | 			// Timeout, move to waiting list | ||||||
| 			if (node->clock == 0) { | 			if (node->clock == 0) { | ||||||
| @@ -94,7 +83,7 @@ static void *collector(void *args) { | |||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 		list_for_each(pos, &waiting_list) { | 		list_for_each(pos, &waiting_list) { | ||||||
| 			node = list_entry(pos, struct su_initiator, pos); | 			node = list_entry(pos, struct su_info, pos); | ||||||
| 			// Nothing is using the info, remove it | 			// Nothing is using the info, remove it | ||||||
| 			if (node->count == 0) { | 			if (node->count == 0) { | ||||||
| 				temp = pos; | 				temp = pos; | ||||||
| @@ -111,7 +100,7 @@ static void *collector(void *args) { | |||||||
| void su_daemon_receiver(int client) { | void su_daemon_receiver(int client) { | ||||||
| 	LOGD("su: request from client: %d\n", client); | 	LOGD("su: request from client: %d\n", client); | ||||||
|  |  | ||||||
| 	struct su_initiator *info = NULL, *node; | 	struct su_info *info = NULL, *node; | ||||||
| 	struct list_head *pos; | 	struct list_head *pos; | ||||||
| 	int new_request = 0; | 	int new_request = 0; | ||||||
|  |  | ||||||
| @@ -129,7 +118,7 @@ void su_daemon_receiver(int client) { | |||||||
|  |  | ||||||
| 	// Search for existing in the active list | 	// Search for existing in the active list | ||||||
| 	list_for_each(pos, &active_list) { | 	list_for_each(pos, &active_list) { | ||||||
| 		node = list_entry(pos, struct su_initiator, pos); | 		node = list_entry(pos, struct su_info, pos); | ||||||
| 		if (node->uid == credential.uid) | 		if (node->uid == credential.uid) | ||||||
| 			info = node; | 			info = node; | ||||||
| 	} | 	} | ||||||
| @@ -154,8 +143,6 @@ void su_daemon_receiver(int client) { | |||||||
| 	// Lock before the policy is determined | 	// Lock before the policy is determined | ||||||
| 	pthread_mutex_lock(&info->lock); | 	pthread_mutex_lock(&info->lock); | ||||||
|  |  | ||||||
| 	info->pid = credential.pid; |  | ||||||
|  |  | ||||||
| 	// Default values | 	// Default values | ||||||
| 	struct su_context ctx = { | 	struct su_context ctx = { | ||||||
| 		.info = info, | 		.info = info, | ||||||
| @@ -168,8 +155,8 @@ void su_daemon_receiver(int client) { | |||||||
| 		}, | 		}, | ||||||
| 		.user = { | 		.user = { | ||||||
| 			.android_user_id = info->uid / 100000, | 			.android_user_id = info->uid / 100000, | ||||||
| 			.multiuser_mode = get_multiuser_mode(), |  | ||||||
| 		}, | 		}, | ||||||
|  | 		.pid = credential.pid, | ||||||
| 		.umask = 022, | 		.umask = 022, | ||||||
| 		.notify = new_request, | 		.notify = new_request, | ||||||
| 	}; | 	}; | ||||||
| @@ -191,8 +178,12 @@ void su_daemon_receiver(int client) { | |||||||
|  |  | ||||||
| 	// Not cached, do the checks | 	// Not cached, do the checks | ||||||
| 	if (info->policy == QUERY) { | 	if (info->policy == QUERY) { | ||||||
|  | 		// Get data from database | ||||||
|  | 		database_check(su_ctx); | ||||||
|  |  | ||||||
|  | 		// Handle multiuser denies | ||||||
| 		if (su_ctx->user.android_user_id && | 		if (su_ctx->user.android_user_id && | ||||||
| 			su_ctx->user.multiuser_mode == MULTIUSER_MODE_OWNER_ONLY) { | 			su_ctx->info->multiuser_mode == MULTIUSER_MODE_OWNER_ONLY) { | ||||||
| 			info->policy = DENY; | 			info->policy = DENY; | ||||||
| 			su_ctx->notify = 0; | 			su_ctx->notify = 0; | ||||||
| 		} | 		} | ||||||
| @@ -200,19 +191,17 @@ void su_daemon_receiver(int client) { | |||||||
| 		// always allow if this is Magisk Manager | 		// always allow if this is Magisk Manager | ||||||
| 		if (info->policy == QUERY && (info->uid % 100000) == (st.st_uid % 100000)) { | 		if (info->policy == QUERY && (info->uid % 100000) == (st.st_uid % 100000)) { | ||||||
| 			info->policy = ALLOW; | 			info->policy = ALLOW; | ||||||
|  | 			info->root_access = ROOT_ACCESS_APPS_AND_ADB; | ||||||
| 			su_ctx->notify = 0; | 			su_ctx->notify = 0; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		// always allow if it's root | 		// always allow if it's root | ||||||
| 		if (info->uid == UID_ROOT) { | 		if (info->uid == UID_ROOT) { | ||||||
| 			info->policy = ALLOW; | 			info->policy = ALLOW; | ||||||
|  | 			info->root_access = ROOT_ACCESS_APPS_AND_ADB; | ||||||
| 			su_ctx->notify = 0; | 			su_ctx->notify = 0; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		// If not determined, check database |  | ||||||
| 		if (info->policy == QUERY) |  | ||||||
| 			database_check(su_ctx); |  | ||||||
|  |  | ||||||
| 		// If still not determined, open a pipe and wait for results | 		// If still not determined, open a pipe and wait for results | ||||||
| 		if (info->policy == QUERY) | 		if (info->policy == QUERY) | ||||||
| 			pipe2(pipefd, O_CLOEXEC); | 			pipe2(pipefd, O_CLOEXEC); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 topjohnwu
					topjohnwu