TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2025-12-02 20:31:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

New method of communication

Browse Source 
Introduce a new communication method between Magisk and Magisk Manager.

Magisk used to hardcode classnames and send broadcast/start activities to
specific components. This new method makes no assumption of any class names,
so Magisk Manager can easily be fully obfuscated.

In addition, the new method connects Magisk and Magisk Manager with random
abstract Linux sockets instead of socket files in filesystems, bypassing
file system complexities (selinux, permissions and such)
This commit is contained in:
topjohnwu
2018-09-16 04:16:18 -04:00
parent 4cf8d41f6a
commit 906b4aad9e
21 changed files with 655 additions and 705 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
native/jni/su/activity.c
View File

@@ -1,141 +0,0 @@
/*
** Copyright 2017, John Wu (@topjohnwu)
** Copyright 2010, Adam Shanks (@ChainsDD)
** Copyright 2008, Zinx Verituse (@zinxv)
**
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <stdio.h>
#include "magisk.h"
#include "su.h"
/* intent actions */
#define ACTION_REQUEST "%s/" REQUESTOR_PREFIX ".RequestActivity"
#define ACTION_RESULT "%s/" REQUESTOR_PREFIX ".SuReceiver"
#define AM_PATH "/system/bin/app_process", "/system/bin", "com.android.commands.am.Am"
static char *get_command(const struct su_request *to) {
if (to->command)
return to->command;
if (to->shell)
return to->shell;
return DEFAULT_SHELL;
}
static void silent_run(char* const args[]) {
set_identity(0);
if (fork())
return;
int zero = open("/dev/zero", O_RDONLY | O_CLOEXEC);
dup2(zero, 0);
int null = open("/dev/null", O_WRONLY | O_CLOEXEC);
dup2(null, 1);
dup2(null, 2);
setenv("CLASSPATH", "/system/framework/am.jar", 1);
execv(args[0], args);
PLOGE("exec am");
_exit(EXIT_FAILURE);
}
static int setup_user(struct su_context *ctx, char* user) {
switch (ctx->info->dbs.v[SU_MULTIUSER_MODE]) {
case MULTIUSER_MODE_OWNER_ONLY: /* Should already be denied if not owner */
case MULTIUSER_MODE_OWNER_MANAGED:
sprintf(user, "%d", 0);
return ctx->info->uid / 100000;
case MULTIUSER_MODE_USER:
sprintf(user, "%d", ctx->info->uid / 100000);
break;
}
return 0;
}
void app_send_result(struct su_context *ctx, policy_t policy) {
char fromUid[16];
if (ctx->info->dbs.v[SU_MULTIUSER_MODE] == MULTIUSER_MODE_OWNER_MANAGED)
sprintf(fromUid, "%d", ctx->info->uid % 100000);
else
sprintf(fromUid, "%d", ctx->info->uid);
char toUid[16];
sprintf(toUid, "%d", ctx->to.uid);
char pid[16];
sprintf(pid, "%d", ctx->pid);
char user[16];
int notify = setup_user(ctx, user);
char activity[128];
sprintf(activity, ACTION_RESULT, ctx->info->str.s[SU_MANAGER]);
// Send notice to manager, enable logging
char *result_command[] = {
AM_PATH, "broadcast", "-n",
activity,
"--user", user,
"--ei", "mode", "0",
"--ei", "from.uid", fromUid,
"--ei", "to.uid", toUid,
"--ei", "pid", pid,
"--es", "command", get_command(&ctx->to),
"--es", "action", policy == ALLOW ? "allow" : "deny",
NULL
};
silent_run(result_command);
// Send notice to user (if needed) to create toasts
if (notify) {
sprintf(fromUid, "%d", ctx->info->uid);
sprintf(user, "%d", notify);
char *notify_command[] = {
AM_PATH, "broadcast", "-n",
activity,
"--user", user,
"--ei", "mode", "1",
"--ei", "from.uid", fromUid,
"--es", "action", policy == ALLOW ? "allow" : "deny",
NULL
};
silent_run(notify_command);
}
}
void app_send_request(struct su_context *ctx) {
char user[16];
int notify = setup_user(ctx, user);
char activity[128];
sprintf(activity, ACTION_REQUEST, ctx->info->str.s[SU_MANAGER]);
char *request_command[] = {
AM_PATH, "start", "-n",
activity,
"--user", user,
"--es", "socket", ctx->sock_path,
"--ez", "timeout", notify ? "false" : "true",
NULL
};
silent_run(request_command);
// Send notice to user to tell them root is managed by owner
if (notify) {
sprintf(user, "%d", notify);
sprintf(activity, ACTION_RESULT, ctx->info->str.s[SU_MANAGER]);
char *notify_command[] = {
AM_PATH, "broadcast", "-n",
activity,
"--user", user,
"--ei", "mode", "2",
NULL
};
silent_run(notify_command);
}
}

109
native/jni/su/connect.c Normal file
View File

@@ -0,0 +1,109 @@
/*
** Copyright 2018, John Wu (@topjohnwu)
** Copyright 2010, Adam Shanks (@ChainsDD)
** Copyright 2008, Zinx Verituse (@zinxv)
**
*/
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <stdio.h>
#include "magisk.h"
#include "daemon.h"
#include "su.h"
#define AM_PATH "/system/bin/app_process", "/system/bin", "com.android.commands.am.Am"
static char *get_command(const struct su_request *to) {
if (to->command)
return to->command;
if (to->shell)
return to->shell;
return DEFAULT_SHELL;
}
static void silent_run(char * const args[]) {
set_identity(0);
if (fork())
return;
int zero = open("/dev/zero", O_RDONLY | O_CLOEXEC);
dup2(zero, 0);
int null = open("/dev/null", O_WRONLY | O_CLOEXEC);
dup2(null, 1);
dup2(null, 2);
setenv("CLASSPATH", "/system/framework/am.jar", 1);
execv(args[0], args);
PLOGE("exec am");
_exit(EXIT_FAILURE);
}
static void setup_user(char *user) {
switch (su_ctx->info->dbs.v[SU_MULTIUSER_MODE]) {
case MULTIUSER_MODE_OWNER_ONLY:
case MULTIUSER_MODE_OWNER_MANAGED:
sprintf(user, "%d", 0);
break;
case MULTIUSER_MODE_USER:
sprintf(user, "%d", su_ctx->info->uid / 100000);
break;
}
}
void app_log() {
char user[8];
setup_user(user);
char fromUid[8];
sprintf(fromUid, "%d",
su_ctx->info->dbs.v[SU_MULTIUSER_MODE] == MULTIUSER_MODE_OWNER_MANAGED ?
su_ctx->info->uid % 100000 : su_ctx->info->uid);
char toUid[8];
sprintf(toUid, "%d", su_ctx->to.uid);
char pid[8];
sprintf(pid, "%d", su_ctx->pid);
char policy[2];
sprintf(policy, "%d", su_ctx->info->access.policy);
char *cmd[] = {
AM_PATH, "broadcast",
"-a", "android.intent.action.BOOT_COMPLETED",
"-p", su_ctx->info->str.s[SU_MANAGER],
"--user", user,
"--es", "action", "log",
"--ei", "from.uid", fromUid,
"--ei", "to.uid", toUid,
"--ei", "pid", pid,
"--ei", "policy", policy,
"--es", "command", get_command(&su_ctx->to),
NULL
};
silent_run(cmd);
}
void app_connect(const char *socket) {
char user[8];
setup_user(user);
char *cmd[] = {
AM_PATH, "broadcast",
"-a", "android.intent.action.BOOT_COMPLETED",
"-p", su_ctx->info->str.s[SU_MANAGER],
"--user", user,
"--es", "action", "request",
"--es", "socket", (char *) socket,
NULL
};
silent_run(cmd);
}
void socket_send_request(int fd) {
write_key_token(fd, "uid", su_ctx->info->uid);
write_string_be(fd, "eof");
}

75
native/jni/su/su.c
View File

@@ -25,6 +25,7 @@
#include <selinux/selinux.h>
#include "magisk.h"
#include "daemon.h"
#include "utils.h"
#include "su.h"
@@ -44,11 +45,9 @@ static void usage(int status) {
" --preserve-environment preserve the entire environment\n"
" -s, --shell SHELL use SHELL instead of the default " DEFAULT_SHELL "\n"
" -v, --version display version number and exit\n"
" -V display version code and exit,\n"
" this is used almost exclusively by Superuser.apk\n"
" -V display version code and exit\n"
" -mm, -M,\n"
" --mount-master run in the global mount namespace,\n"
" use if you need to publicly apply mounts\n");
" --mount-master force run in the global mount namespace\n");
exit2(status);
}
@@ -64,20 +63,20 @@ static char *concat_commands(int argc, char *argv[]) {
return strdup(command);
}
static void populate_environment(const struct su_context *ctx) {
static void populate_environment() {
struct passwd *pw;
if (ctx->to.keepenv)
if (su_ctx->to.keepenv)
return;
pw = getpwuid(ctx->to.uid);
pw = getpwuid(su_ctx->to.uid);
if (pw) {
setenv("HOME", pw->pw_dir, 1);
if (ctx->to.shell)
setenv("SHELL", ctx->to.shell, 1);
if (su_ctx->to.shell)
setenv("SHELL", su_ctx->to.shell, 1);
else
setenv("SHELL", DEFAULT_SHELL, 1);
if (ctx->to.login || ctx->to.uid) {
if (su_ctx->to.login || su_ctx->to.uid) {
setenv("USER", pw->pw_name, 1);
setenv("LOGNAME", pw->pw_name, 1);
}
@@ -103,9 +102,6 @@ void set_identity(unsigned uid) {
static __attribute__ ((noreturn)) void allow() {
char* argv[] = { NULL, NULL, NULL, NULL };
if (su_ctx->info->access.notify || su_ctx->info->access.log)
app_send_result(su_ctx, ALLOW);
if (su_ctx->to.login)
argv[0] = "-";
else
@@ -118,9 +114,12 @@ static __attribute__ ((noreturn)) void allow() {
// Setup shell
umask(022);
populate_environment(su_ctx);
populate_environment();
set_identity(su_ctx->to.uid);
if (su_ctx->info->access.notify || su_ctx->info->access.log)
app_log();
execvp(su_ctx->to.shell, argv);
fprintf(stderr, "Cannot execute %s: %s\n", su_ctx->to.shell, strerror(errno));
PLOGE("exec");
@@ -129,25 +128,13 @@ static __attribute__ ((noreturn)) void allow() {
static __attribute__ ((noreturn)) void deny() {
if (su_ctx->info->access.notify || su_ctx->info->access.log)
app_send_result(su_ctx, DENY);
app_log();
LOGW("su: request rejected (%u->%u)", su_ctx->info->uid, su_ctx->to.uid);
fprintf(stderr, "%s\n", strerror(EACCES));
exit(EXIT_FAILURE);
}
static void socket_cleanup() {
if (su_ctx && su_ctx->sock_path[0]) {
unlink(su_ctx->sock_path);
su_ctx->sock_path[0] = '\0';
}
}
static void cleanup_signal(int sig) {
socket_cleanup();
exit2(EXIT_FAILURE);
}
__attribute__ ((noreturn)) void exit2(int status) {
// Handle the pipe, or the daemon will get stuck
if (su_ctx->pipefd[0] >= 0) {
@@ -159,8 +146,7 @@ __attribute__ ((noreturn)) void exit2(int status) {
}
int su_daemon_main(int argc, char **argv) {
int c, socket_serv_fd, fd;
char result[64];
int c;
struct option long_opts[] = {
{ "command", required_argument, NULL, 'c' },
{ "help", no_argument, NULL, 'h' },
@@ -247,28 +233,20 @@ int su_daemon_main(int argc, char **argv) {
// Change directory to cwd
chdir(su_ctx->cwd);
// New request or no db exist, notify user for response
if (su_ctx->pipefd[0] >= 0) {
socket_serv_fd = socket_create_temp(su_ctx->sock_path, sizeof(su_ctx->sock_path));
setup_sighandlers(cleanup_signal);
// Create random socket
struct sockaddr_un addr;
int sockfd = create_rand_socket(&addr);
// Start activity
app_send_request(su_ctx);
// Connect Magisk Manager
app_connect(addr.sun_path + 1);
int fd = socket_accept(sockfd, 60);
atexit(socket_cleanup);
fd = socket_accept(socket_serv_fd);
socket_send_request(fd, su_ctx);
socket_receive_result(fd, result, sizeof(result));
socket_send_request(fd);
su_ctx->info->access.policy = read_int_be(fd);
close(fd);
close(socket_serv_fd);
socket_cleanup();
if (strcmp(result, "socket:ALLOW") == 0)
su_ctx->info->access.policy = ALLOW;
else
su_ctx->info->access.policy = DENY;
close(sockfd);
// Report the policy to main daemon
xwrite(su_ctx->pipefd[1], &su_ctx->info->access.policy, sizeof(policy_t));
@@ -276,9 +254,6 @@ int su_daemon_main(int argc, char **argv) {
close(su_ctx->pipefd[1]);
}
if (su_ctx->info->access.policy == ALLOW)
allow();
else
deny();
su_ctx->info->access.policy == ALLOW ? allow() : deny();
}

19
native/jni/su/su.h
View File

@@ -12,11 +12,6 @@
#include "list.h"
#define MAGISKSU_VER_STR xstr(MAGISK_VERSION) ":MAGISKSU (topjohnwu)"
// This is used if wrapping the fragment classes and activities
// with classes in another package.
#define REQUESTOR_PREFIX JAVA_PACKAGE_NAME ".superuser"
#define DEFAULT_SHELL "/system/bin/sh"
struct su_info {
@@ -49,7 +44,6 @@ struct su_context {
struct su_request to;
pid_t pid;
char cwd[PATH_MAX];
char sock_path[PATH_MAX];
int pipefd[2];
};
@@ -61,16 +55,11 @@ int su_daemon_main(int argc, char **argv);
__attribute__ ((noreturn)) void exit2(int status);
void set_identity(unsigned uid);
// su_client.c
// connect.c
int socket_create_temp(char *path, size_t len);
int socket_accept(int serv_fd);
void socket_send_request(int fd, const struct su_context *ctx);
void socket_receive_result(int fd, char *result, ssize_t result_len);
void app_log();
// activity.c
void app_send_result(struct su_context *ctx, policy_t policy);
void app_send_request(struct su_context *ctx);
void app_connect(const char *socket);
void socket_send_request(int fd);
#endif

108
native/jni/su/su_socket.c
View File

@@ -1,108 +0,0 @@
/* su_socket.c - Functions for communication to client
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <endian.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <selinux/selinux.h>
#include "magisk.h"
#include "utils.h"
#include "su.h"
#include "magiskpolicy.h"
int socket_create_temp(char *path, size_t len) {
int fd;
struct sockaddr_un sun;
fd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
if (fcntl(fd, F_SETFD, FD_CLOEXEC)) {
PLOGE("fcntl FD_CLOEXEC");
}
memset(&sun, 0, sizeof(sun));
sun.sun_family = AF_LOCAL;
snprintf(path, len, "/dev/.socket%d", getpid());
strcpy(sun.sun_path, path);
/*
* Delete the socket to protect from situations when
* something bad occured previously and the kernel reused pid from that process.
* Small probability, isn't it.
*/
unlink(path);
xbind(fd, (struct sockaddr*) &sun, sizeof(sun));
xlisten(fd, 1);
// Set attributes so requester can access it
setfilecon(path, "u:object_r:"SEPOL_FILE_DOMAIN":s0");
chown(path, su_ctx->info->manager_stat.st_uid, su_ctx->info->manager_stat.st_gid);
return fd;
}
int socket_accept(int serv_fd) {
struct timeval tv;
fd_set fds;
int rc;
/* Wait 60 seconds for a connection, then give up. */
tv.tv_sec = 60;
tv.tv_usec = 0;
FD_ZERO(&fds);
FD_SET(serv_fd, &fds);
do {
rc = select(serv_fd + 1, &fds, NULL, NULL, &tv);
} while (rc < 0 && errno == EINTR);
if (rc < 1) {
PLOGE("select");
}
return xaccept4(serv_fd, NULL, NULL, SOCK_CLOEXEC);
}
#define write_data(fd, data, data_len) \
do { \
uint32_t __len = htonl(data_len); \
__len = write((fd), &__len, sizeof(__len)); \
if (__len != sizeof(__len)) { \
PLOGE("write(" #data ")"); \
} \
__len = write((fd), data, data_len); \
if (__len != data_len) { \
PLOGE("write(" #data ")"); \
} \
} while (0)
#define write_string_data(fd, name, data) \
do { \
write_data(fd, name, strlen(name)); \
write_data(fd, data, strlen(data)); \
} while (0)
// stringify everything.
#define write_token(fd, name, data) \
do { \
char buf[16]; \
snprintf(buf, sizeof(buf), "%d", data); \
write_string_data(fd, name, buf); \
} while (0)
void socket_send_request(int fd, const struct su_context *ctx) {
write_token(fd, "uid", ctx->info->uid);
write_token(fd, "eof", 1);
}
void socket_receive_result(int fd, char *result, ssize_t result_len) {
ssize_t len;
len = xread(fd, result, result_len - 1);
result[len] = '\0';
}