Force app version not lower than daemon

2024-11-24 02:25:28 +00:00 · 2022-06-09 12:23:49 +08:00 · 2022-06-09 12:23:49 +08:00 · b9c93c66f6
commit b9c93c66f6
parent a250e2b56c
3 changed files with 18 additions and 4 deletions
--- a/native/jni/core/cert.cpp
+++ b/native/jni/core/cert.cpp
@ -1,4 +1,5 @@
 #include <base.hpp>
+#include <flags.h>

 using namespace std;

@ -95,7 +96,7 @@ struct EOCD {
 * This method extracts the first certificate of the first signer
 * within the APK v2 signature block.
 */
-string read_certificate(int fd) {
+string read_certificate(int fd, bool check_version) {
    uint32_t size4;
    uint64_t size8;

@ -129,6 +130,19 @@ string read_certificate(int fd) {
    }
    read(fd, &central_dir_off, sizeof(central_dir_off));

+    // Read comment
+    if (check_version) {
+        uint16_t comment_sz = 0;
+        read(fd, &comment_sz, sizeof(comment_sz));
+        string comment;
+        comment.resize(comment_sz);
+        read(fd, comment.data(), comment_sz);
+        if (MAGISK_VER_CODE > parse_int(comment)) {
+            // Older version of magisk app is not supported
+            return {};
+        }
+    }
+
    // Next, find the start of the APK signing block
    {
        constexpr int off = sizeof(signing_block::block_sz_) + sizeof(signing_block::magic);
--- a/native/jni/core/core.hpp
+++ b/native/jni/core/core.hpp
@ -21,7 +21,7 @@ void reboot();
 void start_log_daemon();
 void setup_logfile(bool reset);
 void magisk_logging();
-std::string read_certificate(int fd);
+std::string read_certificate(int fd, bool check_version = false);

 // Module stuffs
 void handle_modules();
--- a/native/jni/core/package.cpp
+++ b/native/jni/core/package.cpp
@ -105,7 +105,7 @@ int get_manager(int user_id, string *pkg, bool install) {
        int dyn = open(app_path, O_RDONLY | O_CLOEXEC);
        if (dyn < 0)
            return false;
-        bool mismatch = default_cert && read_certificate(dyn) != *default_cert;
+        bool mismatch = default_cert && read_certificate(dyn, true) != *default_cert;
        close(dyn);
        if (mismatch) {
            LOGE("pkg: dyn APK signature mismatch: %s\n", app_path);
@ -226,7 +226,7 @@ int get_manager(int user_id, string *pkg, bool install) {
 #if ENFORCE_SIGNATURE
                string apk = find_apk_path(JAVA_PACKAGE_NAME);
                int fd = xopen(apk.data(), O_RDONLY | O_CLOEXEC);
-                string cert = read_certificate(fd);
+                string cert = read_certificate(fd, true);
                close(fd);
                if (default_cert && cert != *default_cert) {
                    // Found APK with invalid signature, force replace with stub