Use ContentProvider call method for communication

Previously, we use either BroadcastReceivers or Activities to receive
messages from our native daemon, but both have their own downsides.
Some OEMs blocks broadcasts if the app is not running in the background,
regardless of who the caller is. Activities on the other hand, despite
working 100% of the time, will steal the focus of the current foreground
app, even though we are just doing some logging and showing a toast.
In addition, since stubs for hiding Magisk Manager is introduced, our
only communication method is left with the broadcast option, as
only broadcasting allows targeting a specific package name, not a
component name (which will be obfuscated in the case of stubs).

To make sure root requests will work on all devices, Magisk had to do
some experiments every boot to test whether broadcast is deliverable or
not. This makes the whole thing even more complicated then ever.

So lets take a look at another kind of component in Android apps:
ContentProviders. It is a vital part of Android's ecosystem, and as far
as I know no OEMs will block requests to ContentProviders (or else
tons of functionality will break catastrophically). Starting at API 11,
the system supports calling a specific method in ContentProviders,
optionally sending extra data along with the method call. This is
perfect for the native daemon to start a communication with Magisk
Manager. Another cool thing is that we no longer need to know the
component name of the reciever, as ContentProviders identify themselves
with an "authority" name, which in Magisk Manager's case is tied to the
package name. We already have a mechanism to keep track of our current
manager package name, so this works out of the box.

So yay! No more flaky broadcast tests, no more stupid OEMs blocking
broadcasts for some bizzare reasons. This method should in theory
work on almost all devices and situations.

native/jni/core/bootstages.cpp

@@ -800,7 +800,4 @@ void boot_complete(int client) {
 			install_apk("/data/magisk.apk");
 		}
 	}
-
-	// Test whether broadcast can be used or not
-	broadcast_test();
 }

native/jni/core/daemon.cpp

@@ -46,8 +46,6 @@ static void *request_handler(void *args) {
 	case LATE_START:
 	case BOOT_COMPLETE:
 	case SQLITE_CMD:
-	case BROADCAST_ACK:
-	case BROADCAST_TEST:
 		if (credential.uid != 0) {
 			write_int(client, ROOT_REQUIRED);
 			close(client);
@@ -84,12 +82,6 @@ static void *request_handler(void *args) {
 	case SQLITE_CMD:
 		exec_sql(client);
 		break;
-	case BROADCAST_ACK:
-		broadcast_ack(client);
-		break;
-	case BROADCAST_TEST:
-		broadcast_test(client);
-		break;
 	case REMOVE_MODULES:
 		if (credential.uid == UID_SHELL || credential.uid == UID_ROOT) {
 			remove_modules();

native/jni/core/magisk.cpp

@@ -35,8 +35,6 @@ Advanced Options (Internal APIs):
    --clone-attr SRC DEST     clone permission, owner, and selinux context
    --clone SRC DEST          clone SRC to DEST
    --sqlite SQL              exec SQL commands to Magisk database
-   --connect-mode [MODE]     get/set connect mode for su request and notify
-   --broadcast-test          manually trigger broadcast tests
 
 Supported init triggers:
    post-fs-data, service, boot-complete
@@ -113,23 +111,10 @@ int magisk_main(int argc, char *argv[]) {
 			printf("%s\n", res);
 			free(res);
 		}
-	} else if (argv[1] == "--connect-mode"sv) {
-		int fd = connect_daemon();
-		write_int(fd, BROADCAST_ACK);
-		if (argc >= 3) {
-			write_int(fd, parse_int(argv[2]));
-		} else {
-			write_int(fd, -1);
-		}
-		return read_int(fd);
 	} else if (argv[1] == "--remove-modules"sv) {
 		int fd = connect_daemon();
 		write_int(fd, REMOVE_MODULES);
 		return read_int(fd);
-	} else if (argv[1] == "--broadcast-test"sv) {
-		int fd = connect_daemon();
-		write_int(fd, BROADCAST_TEST);
-		return read_int(fd);
 	}
 #if 0
 	/* Entry point for testing stuffs */

native/jni/include/daemon.h

@@ -17,9 +17,7 @@ enum {
 	BOOT_COMPLETE,
 	MAGISKHIDE,
 	SQLITE_CMD,
-	BROADCAST_ACK,
 	REMOVE_MODULES,
-	BROADCAST_TEST,
 };
 
 // Return codes for daemon
@@ -84,8 +82,6 @@ void magiskhide_handler(int client);
  *************/
 
 void su_daemon_handler(int client, struct ucred *credential);
-void broadcast_test(int client = -1);
-void broadcast_ack(int client);
 
 /*********************
  * Daemon Global Vars

native/jni/su/connect.cpp

@@ -13,46 +13,28 @@
 
 using namespace std;
 
-enum connect_mode {
-	UNINITIALIZED = 0,
-	MODE_ACTIVITY,
-	MODE_BROADCAST_COMPONENT,
-	MODE_BROADCAST_PACKAGE
-};
+#define CALL_PROVIDER \
+"/system/bin/app_process", "/system/bin", "com.android.commands.content.Content", \
+"call", "--uri", nullptr, "--user", nullptr, "--method"
 
-static connect_mode current_mode = UNINITIALIZED;
-
-#define START_ACTIVITY \
-"/system/bin/app_process", "/system/bin", "com.android.commands.am.Am", \
-"start", "-n", nullptr, "--user", nullptr, "-f", "0x18000020", "-a"
-
-// 0x18000020 = FLAG_ACTIVITY_NEW_TASK|FLAG_ACTIVITY_MULTIPLE_TASK|FLAG_INCLUDE_STOPPED_PACKAGES
-
-#define START_BROADCAST \
-"/system/bin/app_process", "/system/bin", "com.android.commands.am.Am", \
-"broadcast", "-n", nullptr, "--user", nullptr, "-f", "0x00000020", \
-"-a", "android.intent.action.REBOOT", "--es", "action"
-
-#define START_BROADCAST_PKG \
-"/system/bin/app_process", "/system/bin", "com.android.commands.am.Am", \
-"broadcast", "-p", nullptr, "--user", nullptr, "-f", "0x00000020", \
-"-a", "android.intent.action.REBOOT", "--es", "action"
-
-// 0x00000020 = FLAG_INCLUDE_STOPPED_PACKAGES
-
-#define am_app_info(info, ...) \
-if (current_mode == MODE_BROADCAST_PACKAGE) { \
-	const char *cmd[] = { START_BROADCAST_PKG, __VA_ARGS__, nullptr }; \
-	exec_am_cmd(cmd, info); \
-} else if (current_mode == MODE_BROADCAST_COMPONENT) { \
-	const char *cmd[] = { START_BROADCAST, __VA_ARGS__, nullptr }; \
-	exec_am_cmd(cmd, info); \
-} else { \
-	const char *cmd[] = { START_ACTIVITY, __VA_ARGS__, nullptr }; \
-	exec_am_cmd(cmd, info); \
+#define content_exec_info(info, ...) {\
+	const char *cmd[] = { CALL_PROVIDER, __VA_ARGS__, nullptr }; \
+	exec_content_cmd(cmd, info); \
 }
 
-#define am_app(...) am_app_info(ctx.info.get(), __VA_ARGS__)
+#define content_exec(...) content_exec_info(ctx.info.get(), __VA_ARGS__)
+
+#define ex(s) "--extra", s
+
+#define get_user(info) \
+(info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_USER \
+? info->uid / 100000 \
+: 0)
+
+#define get_uid(info) \
+(info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_OWNER_MANAGED \
+? info->uid % 100000 \
+: info->uid)
 
 static const char *get_command(const su_request *to) {
 	if (to->command[0])
@@ -62,48 +44,22 @@ static const char *get_command(const su_request *to) {
 	return DEFAULT_SHELL;
 }
 
-static void get_user(char *user, const su_info *info) {
-	sprintf(user, "%d",
-			info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_USER
-			? info->uid / 100000
-			: 0);
-}
-
-static void get_uid(char *uid, const su_info *info) {
-	sprintf(uid, "%d",
-			info->cfg[SU_MULTIUSER_MODE] == MULTIUSER_MODE_OWNER_MANAGED
-			? info->uid % 100000
-			: info->uid);
-}
-
-static void exec_am_cmd(const char **args, const su_info *info) {
+static void exec_content_cmd(const char **args, const su_info *info) {
 	char target[128];
-	if (args[3][0] == 'b') {
-		// Broadcast
-		if (args[4][1] == 'p') {
-			// Broadcast to package (receiver can be obfuscated)
-			strcpy(target, info->str[SU_MANAGER].data());
-		} else {
-			// a.h is the broadcast receiver
-			sprintf(target, "%s/a.h", info->str[SU_MANAGER].data());
-		}
-	} else {
-		// a.m is the activity
-		sprintf(target, "%s/a.m", info->str[SU_MANAGER].data());
-	}
-	char user[8];
-	get_user(user, info);
+	sprintf(target, "content://%s.provider", info->str[SU_MANAGER].data());
+	char user[4];
+	sprintf(user, "%d", get_user(info));
 
 	// Fill in non static arguments
 	args[5] = target;
 	args[7] = user;
 
 	exec_t exec {
-		.pre_exec = []() -> void {
+		.pre_exec = [] {
 			int null = xopen("/dev/null", O_WRONLY | O_CLOEXEC);
 			dup2(null, STDOUT_FILENO);
 			dup2(null, STDERR_FILENO);
-			setenv("CLASSPATH", "/system/framework/am.jar", 1);
+			setenv("CLASSPATH", "/system/framework/content.jar", 1);
 		},
 		.fork = fork_dont_care,
 		.argv = args
@@ -113,94 +69,51 @@ static void exec_am_cmd(const char **args, const su_info *info) {
 
 #define LOG_BODY \
 "log", \
-"--ei", "from.uid", fromUid, \
-"--ei", "to.uid", toUid, \
-"--ei", "pid", pid, \
-"--ei", "policy", policy, \
-"--es", "command", get_command(&ctx.req), \
-"--ez", "notify", ctx.info->access.notify ? "true" : "false"
+ex(fromUid), ex(toUid), ex(pid), ex(policy), \
+ex(command.data()), ex(notify)
 
 void app_log(const su_context &ctx) {
-	char fromUid[8];
-	get_uid(fromUid, ctx.info.get());
+	char fromUid[16];
+	sprintf(fromUid, "from.uid:i:%d", get_uid(ctx.info));
 
-	char toUid[8];
-	sprintf(toUid, "%d", ctx.req.uid);
+	char toUid[16];
+	sprintf(toUid, "to.uid:i:%d", ctx.req.uid);
 
-	char pid[8];
-	sprintf(pid, "%d", ctx.pid);
+	char pid[16];
+	sprintf(pid, "pid:i:%d", ctx.pid);
 
-	char policy[2];
-	sprintf(policy, "%d", ctx.info->access.policy);
+	char policy[16];
+	sprintf(policy, "policy:i:%d", ctx.info->access.policy);
 
-	am_app(LOG_BODY)
+	string command("command:s:");
+	command += get_command(&ctx.req);
+
+	char notify[16];
+	sprintf(notify, "notify:b:%s", ctx.info->access.notify ? "true" : "false");
+
+	content_exec(LOG_BODY)
 }
 
 #define NOTIFY_BODY \
-"notify", \
-"--ei", "from.uid", fromUid, \
-"--ei", "policy", policy
+"notify", ex(fromUid), ex(policy)
 
 void app_notify(const su_context &ctx) {
-	char fromUid[8];
-	get_uid(fromUid, ctx.info.get());
+	char fromUid[16];
+	sprintf(fromUid, "from.uid:i:%d", get_uid(ctx.info));
 
-	char policy[2];
-	sprintf(policy, "%d", ctx.info->access.policy);
+	char policy[16];
+	sprintf(policy, "policy:i:%d", ctx.info->access.policy);
 
-	am_app(NOTIFY_BODY)
+	content_exec(NOTIFY_BODY)
 }
 
 #define SOCKET_BODY \
-"request", \
-"--es", "socket", socket
+"request", ex(sock)
 
 void app_socket(const char *socket, const shared_ptr<su_info> &info) {
-	am_app_info(info.get(), SOCKET_BODY)
-}
-
-#define TEST_BODY \
-"test", "--ei", "mode", mode, nullptr
-
-void broadcast_test(int client) {
-	if (client >= 0) {
-		// Make it not uninitialized
-		current_mode = MODE_ACTIVITY;
-		write_int(client, 0);
-		close(client);
-	}
-
-	su_info info;
-	get_db_settings(info.cfg);
-	get_db_strings(info.str);
-	validate_manager(info.str[SU_MANAGER], 0, &info.mgr_st);
-
-	char mode[2];
-	{
-		sprintf(mode, "%d", MODE_BROADCAST_PACKAGE);
-		const char *cmd[] = { START_BROADCAST_PKG, TEST_BODY };
-		exec_am_cmd(cmd, &info);
-	}
-	{
-		sprintf(mode, "%d", MODE_BROADCAST_COMPONENT);
-		const char *cmd[] = { START_BROADCAST, TEST_BODY };
-		exec_am_cmd(cmd, &info);
-	}
-}
-
-void broadcast_ack(int client) {
-	int mode = read_int(client);
-	if (mode < 0) {
-		// Return connection mode to client
-		write_int(client, current_mode);
-	} else {
-		if (mode > current_mode) {
-			LOGD("* Use connect mode [%d] for su request and notify\n", mode);
-			current_mode = static_cast<connect_mode>(mode);
-		}
-		write_int(client, 0);
-	}
-	close(client);
+	char sock[128];
+	sprintf(sock, "socket:s:%s", socket);
+	content_exec_info(info.get(), SOCKET_BODY)
 }
 
 void socket_send_request(int fd, const shared_ptr<su_info> &info) {