Move all permission check into daemon.cpp

This commit is contained in:
topjohnwu 2022-03-01 02:58:39 -08:00 committed by John Wu
parent be7586137c
commit 9968af0785
5 changed files with 30 additions and 24 deletions

View File

@ -160,6 +160,7 @@ static void handle_request_async(int client, int code, const sock_cred &cred) {
reboot(); reboot();
break; break;
case MainRequest::ZYGISK: case MainRequest::ZYGISK:
case MainRequest::ZYGISK_PASSTHROUGH:
zygisk_handler(client, &cred); zygisk_handler(client, &cred);
break; break;
default: default:
@ -208,18 +209,24 @@ static void handle_request(pollfd *pfd) {
bool is_zygote; bool is_zygote;
int code; int code;
if (!get_client_cred(client, &cred)) if (!get_client_cred(client, &cred)) {
// Client died
goto done; goto done;
}
is_root = cred.uid == UID_ROOT; is_root = cred.uid == UID_ROOT;
is_zygote = cred.context == "u:r:zygote:s0"; is_zygote = cred.context == "u:r:zygote:s0";
if (!is_root && !is_zygote && !is_client(cred.pid)) if (!is_root && !is_zygote && !is_client(cred.pid)) {
// Unsupported client state
write_int(client, MainResponse::ACCESS_DENIED);
goto done; goto done;
}
code = read_int(client); code = read_int(client);
if (code < 0 || code >= MainRequest::END || code == MainRequest::_SYNC_BARRIER_) {
if (code < 0 || code >= MainRequest::END || code == MainRequest::_SYNC_BARRIER_) // Unknown request code
goto done; goto done;
}
// Check client permissions // Check client permissions
switch (code) { switch (code) {
@ -237,7 +244,14 @@ static void handle_request(pollfd *pfd) {
break; break;
case MainRequest::REMOVE_MODULES: case MainRequest::REMOVE_MODULES:
if (!is_root && cred.uid != UID_SHELL) { if (!is_root && cred.uid != UID_SHELL) {
write_int(client, MainResponse::ROOT_REQUIRED); write_int(client, MainResponse::ACCESS_DENIED);
goto done;
}
break;
case MainRequest::ZYGISK:
if (!is_zygote) {
// Invalid client context
write_int(client, MainResponse::ACCESS_DENIED);
goto done; goto done;
} }
break; break;
@ -252,7 +266,7 @@ static void handle_request(pollfd *pfd) {
goto done; goto done;
} }
// Handle complex requests in another thread // Handle async requests in another thread
exec_task([=] { handle_request_async(client, code, cred); }); exec_task([=] { handle_request_async(client, code, cred); });
return; return;
@ -422,8 +436,8 @@ int connect_daemon(int req, bool create) {
case MainResponse::ROOT_REQUIRED: case MainResponse::ROOT_REQUIRED:
LOGE("Root is required for this operation\n"); LOGE("Root is required for this operation\n");
exit(-1); exit(-1);
case MainResponse::INVALID_REQUEST: case MainResponse::ACCESS_DENIED:
LOGE("Invalid request\n"); LOGE("Access denied\n");
exit(-1); exit(-1);
default: default:
__builtin_unreachable(); __builtin_unreachable();

View File

@ -28,6 +28,7 @@ enum : int {
SQLITE_CMD, SQLITE_CMD,
REMOVE_MODULES, REMOVE_MODULES,
ZYGISK, ZYGISK,
ZYGISK_PASSTHROUGH,
END, END,
}; };
} }
@ -38,7 +39,7 @@ enum : int {
ERROR = -1, ERROR = -1,
OK = 0, OK = 0,
ROOT_REQUIRED, ROOT_REQUIRED,
INVALID_REQUEST, ACCESS_DENIED,
END END
}; };
} }

View File

@ -35,10 +35,6 @@ void denylist_handler(int client, const sock_cred *cred) {
int req = read_int(client); int req = read_int(client);
int res = DenyResponse::ERROR; int res = DenyResponse::ERROR;
if (req < 0 || req >= DenyRequest::END) {
goto done;
}
switch (req) { switch (req) {
case DenyRequest::ENFORCE: case DenyRequest::ENFORCE:
res = enable_deny(); res = enable_deny();
@ -60,9 +56,9 @@ void denylist_handler(int client, const sock_cred *cred) {
? DenyResponse::ENFORCED : DenyResponse::NOT_ENFORCED; ? DenyResponse::ENFORCED : DenyResponse::NOT_ENFORCED;
break; break;
default: default:
__builtin_unreachable(); // Unknown request code
break;
} }
done:
write_int(client, res); write_int(client, res);
close(client); close(client);
} }

View File

@ -401,13 +401,6 @@ static void get_moddir(int client) {
void zygisk_handler(int client, const sock_cred *cred) { void zygisk_handler(int client, const sock_cred *cred) {
int code = read_int(client); int code = read_int(client);
char buf[256]; char buf[256];
if (code < ZygiskRequest::SETUP || code >= ZygiskRequest::END) {
write_int(client, -1);
return;
}
if (code != ZygiskRequest::PASSTHROUGH && cred->context != "u:r:zygote:s0") {
return;
}
switch (code) { switch (code) {
case ZygiskRequest::SETUP: case ZygiskRequest::SETUP:
setup_files(client, cred); setup_files(client, cred);
@ -429,7 +422,8 @@ void zygisk_handler(int client, const sock_cred *cred) {
get_moddir(client); get_moddir(client);
break; break;
default: default:
__builtin_unreachable(); // Unknown code
break;
} }
close(client); close(client);
} }

View File

@ -173,7 +173,8 @@ int zygisk_main(int argc, char *argv[]) {
int is_64_bit = parse_int(argv[3]); int is_64_bit = parse_int(argv[3]);
if (fcntl(client, F_GETFD) < 0) if (fcntl(client, F_GETFD) < 0)
return 1; return 1;
if (int magiskd = zygisk_request(ZygiskRequest::PASSTHROUGH); magiskd >= 0) { if (int magiskd = connect_daemon(MainRequest::ZYGISK_PASSTHROUGH); magiskd >= 0) {
write_int(magiskd, ZygiskRequest::PASSTHROUGH);
write_int(magiskd, is_64_bit); write_int(magiskd, is_64_bit);
if (read_int(magiskd) != 0) { if (read_int(magiskd) != 0) {