178 Commits

Author SHA1 Message Date
topjohnwu
1e2f776b83 Move logging.hpp 2020-06-17 01:17:28 -07:00
topjohnwu
ec3705f2ed Redesign of MagiskSU's sepolicy model
Introduce new domain `magisk_client` and new file type `magisk_exec`.

Connection to magiskd's always-on socket is restricted to magisk_client
only. Whitelisted process domains can transit to magisk_client through
executing files labelled magisk_exec. The main magisk binary shall be
the only file labelled as magisk_exec throughout the whole system.
All processes thus are no longer allowed to connect to magiskd directly
without going through the proper magisk binary.

Connection failures are silenced from audit logs with dontaudit rules,
so crazy processes which traverse through all unix domain sockets to try
connection can no longer check logcat to know the actual reason behind
EACCES, leaking the denied process policy (which is u:r:magisk:s0).

This also allows us to remove many rules that open up holes in
untrusted_app domains that were used to make remote shell work properly.
Since all processes establishing the remote shell are now restricted to
the magisk_client domain, all these rules are moved to magisk_client.
This makes Magisk require fewer compromises in Android's security model.

Note: as of this commit, requesting new root access via Magisk Manager
will stop working as Magisk Manager can no longer communicate with
magiskd directly. This will be addressed in a future commit that
involves changes in both native and application side.
2020-06-03 23:29:42 -07:00
topjohnwu
2f824f59dc Better logging system
Use C++ magic to strip out debug logs at compile time
2020-06-01 04:15:37 -07:00
topjohnwu
e02e46d0fc Detect volume down key combo for safe mode
It is possible that a module is breaking the device so bad that zygote
cannot even be started. In this case, system_server cannot start and
detect the safe mode key combo, set the persist property, and reboot.

Also on old Android versions, the system directly goes to safe mode
after detecting a key combo without rebooting, defeating the purpose of
Magisk's safe mode protection if we only check for the persist property.

Directly adding key combo check natively in magiskd allows us to enter
Magisk safe mode before the system is even aware of it.
2020-05-19 04:57:47 -07:00
topjohnwu
99ef20627a Remove unused code 2020-05-18 05:45:08 -07:00
topjohnwu
122b4d66b6 Move Android logging out of libutils 2020-05-10 00:48:41 -07:00
topjohnwu
c113f854a2 Fix overlay.d on SAR again 2020-05-07 02:30:43 -07:00
topjohnwu
0c99c4d93f More complete support for fstab in dt 2020-05-03 22:49:54 -07:00
topjohnwu
8ab045331b Workaround realpath FORTIFY crashes 2020-05-03 22:11:39 -07:00
topjohnwu
947e3b06b4 Use template to get lambda for RAII 2020-04-30 01:27:48 -07:00
topjohnwu
c7ed0ef5eb Fix SAR support for overlay.d 2020-04-25 23:19:36 -07:00
topjohnwu
43029f37b1 Cleanup our tracks 2020-04-19 04:57:18 -07:00
topjohnwu
4c959cd983 Support cases when /sbin does not exist 2020-04-18 23:19:19 -07:00
topjohnwu
dcf07ad8c7 Directly filter '.' and '..' in xreaddir 2020-04-18 04:20:21 -07:00
topjohnwu
ed6cdb2eb4 Rename file 2020-04-18 04:10:19 -07:00
topjohnwu
ab853e1fcf Update dir traversal code 2020-04-12 13:38:57 -07:00
topjohnwu
d739dcac2b Remove dependency on magisk.hpp in libutils 2020-04-11 04:40:40 -07:00
topjohnwu
93ef90cd24 Fix FORTIFY crashes 2020-04-11 04:05:34 -07:00
topjohnwu
4066e5bf14 Update Makefiles 2020-04-06 22:45:08 -07:00
topjohnwu
9820296e92 Update files.cpp in libutils 2020-04-02 02:17:45 -07:00
topjohnwu
dbfde74c1e Clean rootfs in switch_root 2020-04-01 23:37:11 -07:00
topjohnwu
5f1174de27 Introduce new boot flow to handle SAR 2SI
The existing method for handling legacy SAR is:
1. Mount /sbin tmpfs overlay
2. Dump all patched/new files into /sbin
3. Magic mount root dir and re-exec patched stock init

With Android 11 removing the /sbin folder, it is quite obvious that
things completely break down right in step 1.

To overcome this issue, we have to find a way to swap out the init
binary AFTER we re-exec stock init. This is where 2SI comes to rescue!

2SI normal boot procedure is:
1st stage -> Load sepolicy -> 2nd stage -> boot continue...

2SI Magisk boot procedure is:
MagiskInit 1st stage -> Stock 1st stage -> MagiskInit 2nd Stage ->
-> Stock init load sepolicy -> Stock 2nd stage -> boot continue...

As you can see, the trick is to make stock 1st stage init re-exec back
into MagiskInit so we can do our setup. This is possible by manipulating
some ramdisk files on initramfs based 2SI devices (old ass non SAR
devices AND super modern devices like Pixel 3/4), but not possible
on device that are stuck using legacy SAR (device that are not that
modern but not too old, like Pixel 1/2. Fucking Google logic!!)

This commit introduces a new way to intercept stock init re-exec flow:
ptrace init with forked tracer, monitor PTRACE_EVENT_EXEC, then swap
out the init file with bind mounts right before execv returns!

Going through this flow however will lose some necessary backup files,
so some bookkeeping has to be done by making the tracer hold these
files in memory and act as a daemon. 2nd stage MagiskInit will ack the
daemon to release these files at the correct time.

It just works™  ¯\_(ツ)_/¯
2020-04-01 04:39:28 -07:00
topjohnwu
a0998009c1 Small native code reorganization 2020-03-09 01:50:30 -07:00
topjohnwu
0d229dac3b Support Android 11 SELinux paths
This is NOT proper Android 11 support
2020-02-21 00:49:33 -08:00
topjohnwu
84e4bd3d41 Move readlinkat fix into xwrap 2020-02-03 13:24:02 +08:00
topjohnwu
af060b3132 General QoL changes 2019-12-13 00:37:06 -05:00
topjohnwu
11b7076a43 Fix broken getxattr calls 2019-12-05 17:34:50 -05:00
topjohnwu
8cc5f096a2 Some minor changes 2019-12-05 17:20:32 -05:00
topjohnwu
34bb18448c Fix compile errors 2019-11-23 17:18:55 -05:00
topjohnwu
01253f050a Use smart pointers 2019-11-23 04:57:52 -05:00
topjohnwu
5bee1c56a9 Properly use RAII to reduce complication 2019-11-22 03:01:49 -05:00
topjohnwu
bffdedddb4 Fix fwrite/fread params 2019-11-21 17:43:31 -05:00
topjohnwu
d3b5cf82d8 Small adjustments 2019-11-21 06:17:28 -05:00
topjohnwu
d26d804cc2 Migrate to generic stream implementation 2019-11-21 06:08:02 -05:00
topjohnwu
4f9a25ee89 Create generic streams on top of stdio
WIP
2019-11-20 21:48:49 -05:00
topjohnwu
bb9ce0e897 Make sepolicy dump more efficient 2019-11-20 03:47:15 -05:00
topjohnwu
9aff1a57d3 Cleanup headers 2019-11-19 02:04:47 -05:00
topjohnwu
7681fde4d0 Record mounts to be cleaned up in a vector 2019-11-19 00:16:20 -05:00
topjohnwu
d952cc2327 Properly solve the connection problem 2019-11-07 17:41:59 -05:00
topjohnwu
8277896ca1 Make sure uninstall.sh is executed on remove 2019-11-01 03:07:12 -04:00
topjohnwu
75306f658f Revert "Drop API 17 (Android 4.2) support"
Turns out that we cannot use AndroidKeystore anyways, so we don't
actually need to drop API 17. Revert this change.
2019-10-20 07:13:03 -04:00
topjohnwu
9c27d691dd Drop API 17 (Android 4.2) support 2019-10-19 03:11:54 -04:00
topjohnwu
e0927cd763 Add support to patch QCDT
Old Qualcomn devices have their own special QC table of DTB to
store device trees. Since patching fstab is now mandatory on Android 10,
and for older devices all early mount devices have to be included into
the fstab in DTBs, patching QCDT is crucial for rooting Android 10
on legacy devices.

Close #1876 (Thanks for getting me aware of this issue!)
2019-10-07 00:38:02 -04:00
topjohnwu
64113a69b4 Remove unused warnings 2019-09-26 13:54:40 -04:00
topjohnwu
947dae4900 Rename classes and small adjustments 2019-09-25 23:55:39 -04:00
topjohnwu
f109038d12 Hardcode shell uid to 2000 2019-09-13 03:14:58 -04:00
topjohnwu
7ba8202af5 Introduce new root overlay system 2019-07-16 01:08:28 -07:00
topjohnwu
d7b691cf59 Move libutil internal headers out of include path 2019-07-14 23:55:52 -07:00
topjohnwu
52fd508fea Do not use std::random_device
Directly read from urandom instead of using std::random_device.
libc++ will use iostream under-the-hood, which brings significant
binary size increase that is not welcomed, especially in magiskinit.
2019-07-14 21:56:21 -07:00
topjohnwu
41045b62dc Introduce more randomness
- Use C++ random generator instead of old and broken rand()
- Randomize string length to piss off stupid detectors
2019-07-14 17:42:49 -07:00