More MagiskHide optimizations

- Use a general procfs traversal function with callbacks
- Much better functions for killing processes
This commit is contained in:
topjohnwu 2019-02-13 20:16:26 -05:00
parent c66cabd80f
commit 4eed6794c7
4 changed files with 164 additions and 190 deletions

View File

@ -20,7 +20,7 @@ using namespace std;
// Protect access to both hide_list and hide_uid
pthread_mutex_t list_lock;
vector<string> hide_list;
set<uid_t> hide_uid;
set<int> hide_uid;
// Treat GMS separately as we're only interested in one component
int gms_uid = -1;
@ -37,11 +37,6 @@ static const char *prop_value[] =
"enforcing", "0", "0", "0",
"1", "user", "release-keys", "0", nullptr };
struct ps_arg {
const char *name;
uid_t uid;
};
void manage_selinux() {
char val;
int fd = xopen(SELINUX_ENFORCE, O_RDONLY);
@ -54,7 +49,7 @@ void manage_selinux() {
}
}
void hide_sensitive_props() {
static void hide_sensitive_props() {
LOGI("hide_utils: Hiding sensitive props\n");
// Hide all sensitive props
@ -65,27 +60,32 @@ void hide_sensitive_props() {
}
}
static bool is_digits(const char *s) {
for (const char *c = s; *c; ++c) {
if (*c < '0' || *c > '9')
return false;
/*
* Bionic's atoi runs through strtol().
* Use our own implementation for faster conversion.
*/
static inline int parse_int(const char *s) {
int val = 0;
char c;
while ((c = *(s++))) {
if (c > '9' || c < '0')
return -1;
val = val * 10 + c - '0';
}
return true;
return val;
}
static void ps(void (*cb)(int, void*), void *arg) {
DIR *dir;
struct dirent *entry;
if (!(dir = xopendir("/proc")))
return;
while ((entry = xreaddir(dir))) {
if (entry->d_type == DT_DIR && is_digits(entry->d_name))
cb(atoi(entry->d_name), arg);
// Leave /proc fd opened as we're going to read from it repeatedly
static DIR *procfp;
void crawl_procfs(const function<bool (int)> &fn) {
struct dirent *dp;
int pid;
rewinddir(procfp);
while ((dp = readdir(procfp))) {
pid = parse_int(dp->d_name);
if (pid > 0 && !fn(pid))
break;
}
closedir(dir);
}
static bool proc_name_match(int pid, const char *name) {
@ -94,24 +94,24 @@ static bool proc_name_match(int pid, const char *name) {
sprintf(buf, "/proc/%d/comm", pid);
if ((f = fopen(buf, "re"))) {
fgets(buf, sizeof(buf), f);
fclose(f);
if (strcmp(buf, name) == 0)
return true;
} else {
// The PID is already killed
return false;
}
fclose(f);
sprintf(buf, "/proc/%d/cmdline", pid);
if ((f = fopen(buf, "re"))) {
fgets(buf, sizeof(buf), f);
fclose(f);
if (strcmp(basename(buf), name) == 0)
return true;
} else {
// The PID is already killed
return false;
}
fclose(f);
sprintf(buf, "/proc/%d/exe", pid);
ssize_t len;
@ -121,52 +121,38 @@ static bool proc_name_match(int pid, const char *name) {
return strcmp(basename(buf), name) == 0;
}
static void kill_proc_cb(int pid, void *v) {
auto args = static_cast<ps_arg *>(v);
if (proc_name_match(pid, args->name))
kill(pid, SIGTERM);
else if (args->uid > 0) {
char buf[64];
struct stat st;
sprintf(buf, "/proc/%d", pid);
stat(buf, &st);
if (args->uid == st.st_uid)
kill(pid, SIGTERM);
}
}
static void kill_process(const char *name) {
ps_arg args;
char *slash = nullptr;
if (strcmp(name, SAFETYNET_COMPONENT) == 0) {
// We do NOT want to kill gms, it will cause massive system crashes
args.name = SAFETYNET_PROCESS;
} else {
// Only leave the package name part of component name temporarily
slash = strchr((char *)name, '/');
if (slash)
*slash = '\0';
args.name = name;
}
struct stat st;
int fd = xopen("/data/data", O_RDONLY | O_CLOEXEC);
if (fstatat(fd, args.name, &st, 0) == 0)
args.uid = st.st_uid;
else
args.uid = 0;
close(fd);
ps(kill_proc_cb, &args);
// Revert back to component name
if (slash)
*slash = '/';
// We do NOT want to kill GMS itself
if (strcmp(name, SAFETYNET_PKG) == 0)
name = SAFETYNET_PROCESS;
crawl_procfs([=](int pid) -> bool {
if (proc_name_match(pid, name)) {
if (kill(pid, SIGTERM) == 0)
LOGD("hide_utils: killed PID=[%d] (%s)\n", pid, name);
return false;
}
return true;
});
}
static int add_pkg_uid(const char *proc) {
static void kill_process(int uid) {
// We do NOT want to kill all GMS processes
if (uid == gms_uid) {
kill_process(SAFETYNET_PROCESS);
return;
}
crawl_procfs([=](int pid) -> bool {
if (get_uid(pid) == uid && kill(pid, SIGTERM) == 0)
LOGD("hide_utils: killed PID=[%d]\n", pid);
return true;
});
}
static int add_pkg_uid(const char *pkg) {
char path[4096];
struct stat st;
const char *data = SDK_INT >= 24 ? "/data/user_de/0" : "/data/data";
sprintf(path, "%s/%s", data, proc);
sprintf(path, "%s/%s", data, pkg);
if (xstat(path, &st) == 0) {
hide_uid.insert(st.st_uid);
return st.st_uid;
@ -181,53 +167,52 @@ void refresh_uid() {
}
void clean_magisk_props() {
LOGD("hide_utils: Cleaning magisk props\n");
getprop([](const char *name, auto, auto) -> void {
if (strstr(name, "magisk"))
deleteprop(name);
}, nullptr, false);
}
int add_list(const char *proc) {
int add_list(const char *pkg) {
for (auto &s : hide_list) {
if (s == proc)
if (s == pkg)
return HIDE_ITEM_EXIST;
}
// Add to database
char sql[4096];
snprintf(sql, sizeof(sql), "INSERT INTO hidelist (process) VALUES('%s')", proc);
snprintf(sql, sizeof(sql), "INSERT INTO hidelist (process) VALUES('%s')", pkg);
char *err = db_exec(sql);
db_err_cmd(err, return DAEMON_ERROR);
LOGI("hide_list add: [%s]\n", proc);
LOGI("hide_list add: [%s]\n", pkg);
// Critical region
pthread_mutex_lock(&list_lock);
hide_list.emplace_back(proc);
add_pkg_uid(proc);
hide_list.emplace_back(pkg);
int uid = add_pkg_uid(pkg);
pthread_mutex_unlock(&list_lock);
kill_process(proc);
kill_process(uid);
return DAEMON_SUCCESS;
}
int add_list(int client) {
char *proc = read_string(client);
int ret = add_list(proc);
free(proc);
char *pkg = read_string(client);
int ret = add_list(pkg);
free(pkg);
update_inotify_mask();
return ret;
}
static int rm_list(const char *proc) {
static int rm_list(const char *pkg) {
// Critical region
bool remove = false;
pthread_mutex_lock(&list_lock);
for (auto it = hide_list.begin(); it != hide_list.end(); ++it) {
if (*it == proc) {
if (*it == pkg) {
remove = true;
LOGI("hide_list rm: [%s]\n", proc);
LOGI("hide_list rm: [%s]\n", pkg);
hide_list.erase(it);
break;
}
@ -238,7 +223,7 @@ static int rm_list(const char *proc) {
if (remove) {
char sql[4096];
snprintf(sql, sizeof(sql), "DELETE FROM hidelist WHERE process='%s'", proc);
snprintf(sql, sizeof(sql), "DELETE FROM hidelist WHERE process='%s'", pkg);
char *err = db_exec(sql);
db_err(err);
return DAEMON_SUCCESS;
@ -248,14 +233,14 @@ static int rm_list(const char *proc) {
}
int rm_list(int client) {
char *proc = read_string(client);
int ret = rm_list(proc);
free(proc);
char *pkg = read_string(client);
int ret = rm_list(pkg);
free(pkg);
update_inotify_mask();
return ret;
}
int init_list(void *, int, char **data, char**) {
static int init_list(void *, int, char **data, char**) {
LOGI("hide_list init: [%s]\n", *data);
hide_list.emplace_back(*data);
kill_process(*data);
@ -265,8 +250,8 @@ int init_list(void *, int, char **data, char**) {
return 0;
}
void init_list(const char *proc) {
init_list(nullptr, 0, (char **) &proc, nullptr);
static void init_list(const char *pkg) {
init_list(nullptr, 0, (char **) &pkg, nullptr);
}
#define LEGACY_LIST MODULEROOT "/.core/hidelist"
@ -311,17 +296,36 @@ static void set_hide_config() {
db_err(err);
}
int launch_magiskhide(int client) {
static inline void launch_err(int client, int code = DAEMON_ERROR) {
if (code == DAEMON_ERROR)
hide_enabled = false;
if (client >= 0) {
write_int(client, code);
close(client);
}
pthread_exit(nullptr);
}
#define LAUNCH_ERR launch_err(client)
void launch_magiskhide(int client) {
if (SDK_INT < 19)
goto error;
LAUNCH_ERR;
if (hide_enabled)
return HIDE_IS_ENABLED;
launch_err(client, HIDE_IS_ENABLED);
hide_enabled = true;
set_hide_config();
LOGI("* Starting MagiskHide\n");
if (procfp == nullptr) {
int fd = xopen("/proc", O_RDONLY | O_CLOEXEC);
if (fd < 0)
LAUNCH_ERR;
procfp = fdopendir(fd);
}
hide_sensitive_props();
// Initialize the mutex lock
@ -329,20 +333,20 @@ int launch_magiskhide(int client) {
// Initialize the hide list
if (!init_list())
goto error;
LAUNCH_ERR;
// Get thread reference
proc_monitor_thread = pthread_self();
if (client >= 0) {
write_int(client, DAEMON_SUCCESS);
close(client);
client = -1;
}
// Start monitoring
proc_monitor();
error:
hide_enabled = false;
return DAEMON_ERROR;
// proc_monitor should not return
LAUNCH_ERR;
}
int stop_magiskhide() {

View File

@ -52,8 +52,8 @@ void magiskhide_handler(int client) {
switch (req) {
case LAUNCH_MAGISKHIDE:
res = launch_magiskhide(client);
break;
launch_magiskhide(client);
return;
case STOP_MAGISKHIDE:
res = stop_magiskhide();
break;

View File

@ -2,9 +2,13 @@
#define MAGISK_HIDE_H
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>
#include <string>
#include <set>
#include <functional>
#include "daemon.h"
@ -15,7 +19,7 @@
#define SAFETYNET_PKG "com.google.android.gms"
// Daemon entries
int launch_magiskhide(int client);
void launch_magiskhide(int client);
int stop_magiskhide();
int add_list(int client);
int rm_list(int client);
@ -29,14 +33,26 @@ void proc_monitor();
// Utility functions
void manage_selinux();
void hide_sensitive_props();
void clean_magisk_props();
void refresh_uid();
void crawl_procfs(const std::function<bool (int)> &fn);
static inline int get_uid(const int pid) {
char path[16];
struct stat st;
sprintf(path, "/proc/%d", pid);
if (stat(path, &st) == -1)
return -1;
// We don't care about multiuser
return st.st_uid % 100000;
}
extern bool hide_enabled;
extern pthread_mutex_t list_lock;
extern std::vector<std::string> hide_list;
extern std::set<uid_t> hide_uid;
extern std::set<int> hide_uid;
extern int gms_uid;
enum {

View File

@ -11,7 +11,6 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>
#include <pthread.h>
@ -21,7 +20,7 @@
#include <sys/mount.h>
#include <vector>
#include <string>
#include <unordered_map>
#include <map>
#include <magisk.h>
#include <utils.h>
@ -62,6 +61,9 @@ static inline void lazy_unmount(const char* mountpoint) {
LOGD("hide_daemon: Unmounted (%s)\n", mountpoint);
}
/* APK monitoring doesn't seem to require checking namespace
* separation from PPID. Preserve this function just in case */
#if 0
static inline int parse_ppid(const int pid) {
char path[32];
int ppid;
@ -77,17 +79,7 @@ static inline int parse_ppid(const int pid) {
return ppid;
}
static inline uid_t get_uid(const int pid) {
char path[16];
struct stat st;
sprintf(path, "/proc/%d", pid);
if (stat(path, &st) == -1)
return -1;
return st.st_uid;
}
#endif
static bool is_pid_safetynet_process(const int pid) {
char path[32];
@ -109,7 +101,7 @@ static bool is_pid_safetynet_process(const int pid) {
}
static void hide_daemon(int pid) {
LOGD("hide_daemon: handling pid=[%d]\n", pid);
LOGD("hide_daemon: handling PID=[%d]\n", pid);
char buffer[4096];
vector<string> mounts;
@ -151,80 +143,49 @@ exit:
_exit(0);
}
/*
* Bionic's atoi runs through strtol() and fault-tolerence checkings.
* Since we don't need it, use our own implementation of atoi()
* for faster conversion.
*/
static inline int fast_atoi(const char *str) {
int val = 0;
// A mapping from pid to namespace inode to avoid time-consuming GC
static map<int, uint64_t> pid_ns_map;
while (*str)
val = val * 10 + (*str++ - '0');
static bool process_pid(int pid) {
// We're only interested in PIDs > 1000
if (pid <= 1000)
return true;
return val;
}
struct stat ns;
int uid = get_uid(pid);
if (hide_uid.count(uid)) {
// Make sure we can read mount namespace
if (read_ns(pid, &ns))
return true;
// Leave /proc fd opened as we're going to read from it repeatedly
static DIR *dfd;
// Use unordered map with pid and namespace inode number to avoid time-consuming GC
static unordered_map<int, uint64_t> pid_ns_map;
// Check if it's a process we haven't already hijacked
auto pos = pid_ns_map.find(pid);
if (pos != pid_ns_map.end() && pos->second == ns.st_ino)
return true;
static void detect_new_processes() {
struct dirent *dp;
struct stat ns, pns;
int pid, ppid;
uid_t uid;
if (uid == gms_uid) {
// Check /proc/uid/cmdline to see if it's SAFETYNET_PROCESS
if (!is_pid_safetynet_process(pid))
return true;
// Iterate through /proc and get a process that reads the target APK
rewinddir(dfd);
pthread_mutex_lock(&list_lock);
while ((dp = readdir(dfd))) {
if (!isdigit(dp->d_name[0]))
continue;
// dp->d_name is now the pid
pid = fast_atoi(dp->d_name);
// We're only interested in PIDs > 1000
if (pid <= 1000)
continue;
uid = get_uid(pid) % 100000; // Handle multiuser
bool is_target = hide_uid.count(uid) != 0;
if (is_target) {
// Make sure our target is alive
if ((ppid = parse_ppid(pid)) < 0 || read_ns(ppid, &pns) || read_ns(pid, &ns))
continue;
// Check if it's a process we haven't already hijacked
auto pos = pid_ns_map.find(pid);
if (pos == pid_ns_map.end() || pos->second != ns.st_ino) {
pid_ns_map[pid] = ns.st_ino;
if (uid == gms_uid) {
// Check /proc/uid/cmdline to see if it's SAFETYNET_PROCESS
if (!is_pid_safetynet_process(pid))
continue;
LOGI("proc_monitor: found %s\n", SAFETYNET_PROCESS);
}
// Send pause signal ASAP
if (kill(pid, SIGSTOP) == -1)
continue;
/*
* The setns system call do not support multithread processes
* We have to fork a new process, setns, then do the unmounts
*/
LOGI("proc_monitor: UID=[%ju] PID=[%d] ns=[%llu]\n",
(uintmax_t)uid, pid, ns.st_ino);
if (fork_dont_care() == 0)
hide_daemon(pid);
}
LOGD("proc_monitor: " SAFETYNET_PROCESS "\n");
}
// Send pause signal ASAP
if (kill(pid, SIGSTOP) == -1)
return true;
pid_ns_map[pid] = ns.st_ino;
LOGI("proc_monitor: UID=[%d] PID=[%d] ns=[%llu]\n", uid, pid, ns.st_ino);
/*
* The setns system call do not support multithread processes
* We have to fork a new process, setns, then do the unmounts
*/
if (fork_dont_care() == 0)
hide_daemon(pid);
}
pthread_mutex_unlock(&list_lock);
return true;
}
static void listdir_apk(const char *name) {
@ -310,14 +271,6 @@ void proc_monitor() {
term_thread(TERM_THREAD);
}
if ((dfd = opendir("/proc")) == NULL) {
LOGE("proc_monitor: Unable to open /proc\n");
term_thread(TERM_THREAD);
}
// Detect existing processes for the first time
detect_new_processes();
// Read inotify events
struct inotify_event *event;
ssize_t len;
@ -337,8 +290,9 @@ void proc_monitor() {
if (event->mask & IN_OPEN) {
// Since we're just watching files,
// extracting file name is not possible from querying event
// LOGI("proc_monitor: inotify: APK opened\n");
detect_new_processes();
pthread_mutex_lock(&list_lock);
crawl_procfs(process_pid);
pthread_mutex_unlock(&list_lock);
} else {
LOGI("proc_monitor: inotify: /data/app change detected\n");
pthread_mutex_lock(&list_lock);