/* * Copyright 2017, John Wu (@topjohnwu) * Copyright 2015, Pierre-Hugues Husson * Copyright 2010, Adam Shanks (@ChainsDD) * Copyright 2008, Zinx Verituse (@zinxv) */ /* su.c - The main function running in the daemon */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "magisk.h" #include "utils.h" #include "su.h" struct su_context *su_ctx; static void usage(int status) { FILE *stream = (status == EXIT_SUCCESS) ? stdout : stderr; fprintf(stream, "MagiskSU v" xstr(MAGISK_VERSION) "(" xstr(MAGISK_VER_CODE) ")\n\n" "Usage: su [options] [-] [user [argument...]]\n\n" "Options:\n" " -c, --command COMMAND pass COMMAND to the invoked shell\n" " -h, --help display this help message and exit\n" " -, -l, --login pretend the shell to be a login shell\n" " -m, -p,\n" " --preserve-environment preserve the entire environment\n" " -s, --shell SHELL use SHELL instead of the default " DEFAULT_SHELL "\n" " -v, --version display version number and exit\n" " -V display version code and exit,\n" " this is used almost exclusively by Superuser.apk\n" " -mm, -M,\n" " --mount-master run in the global mount namespace,\n" " use if you need to publicly apply mounts\n"); exit2(status); } static char *concat_commands(int argc, char *argv[]) { char command[ARG_MAX]; command[0] = '\0'; for (int i = optind - 1; i < argc; ++i) { if (command[0]) sprintf(command, "%s %s", command, argv[i]); else strcpy(command, argv[i]); } return strdup(command); } static void populate_environment(const struct su_context *ctx) { struct passwd *pw; if (ctx->to.keepenv) return; pw = getpwuid(ctx->to.uid); if (pw) { setenv("HOME", pw->pw_dir, 1); if (ctx->to.shell) setenv("SHELL", ctx->to.shell, 1); else setenv("SHELL", DEFAULT_SHELL, 1); if (ctx->to.login || ctx->to.uid) { setenv("USER", pw->pw_name, 1); setenv("LOGNAME", pw->pw_name, 1); } } } void set_identity(unsigned uid) { /* * Set effective uid back to root, otherwise setres[ug]id will fail * if uid isn't root. */ if (seteuid(0)) { PLOGE("seteuid (root)"); } if (setresgid(uid, uid, uid)) { PLOGE("setresgid (%u)", uid); } if (setresuid(uid, uid, uid)) { PLOGE("setresuid (%u)", uid); } } static __attribute__ ((noreturn)) void allow() { char* argv[] = { NULL, NULL, NULL, NULL }; if (su_ctx->notify) app_send_result(su_ctx, ALLOW); if (su_ctx->to.login) argv[0] = "-"; else argv[0] = basename(su_ctx->to.shell); if (su_ctx->to.command) { argv[1] = "-c"; argv[2] = su_ctx->to.command; } // Setup shell umask(022); populate_environment(su_ctx); set_identity(su_ctx->to.uid); setexeccon("u:r:su:s0"); execvp(su_ctx->to.shell, argv); fprintf(stderr, "Cannot execute %s: %s\n", su_ctx->to.shell, strerror(errno)); PLOGE("exec"); exit(EXIT_FAILURE); } static __attribute__ ((noreturn)) void deny() { if (su_ctx->notify) app_send_result(su_ctx, DENY); LOGW("su: request rejected (%u->%u)", su_ctx->info->uid, su_ctx->to.uid); fprintf(stderr, "%s\n", strerror(EACCES)); exit(EXIT_FAILURE); } static void socket_cleanup() { if (su_ctx && su_ctx->sock_path[0]) { unlink(su_ctx->sock_path); su_ctx->sock_path[0] = 0; } } static void cleanup_signal(int sig) { socket_cleanup(); exit2(EXIT_FAILURE); } __attribute__ ((noreturn)) void exit2(int status) { // Handle the pipe, or the daemon will get stuck if (su_ctx->info->policy == QUERY) { xwrite(su_ctx->pipefd[1], &su_ctx->info->policy, sizeof(su_ctx->info->policy)); close(su_ctx->pipefd[0]); close(su_ctx->pipefd[1]); } exit(status); } int su_daemon_main(int argc, char **argv) { // Sanitize all secure environment variables (from linker_environ.c in AOSP linker). /* The same list than GLibc at this point */ static const char* const unsec_vars[] = { "GCONV_PATH", "GETCONF_DIR", "HOSTALIASES", "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD", "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN", "LOCPATH", "MALLOC_TRACE", "MALLOC_CHECK_", "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS", "TMPDIR", "TZDIR", "LD_AOUT_LIBRARY_PATH", "LD_AOUT_PRELOAD", // not listed in linker, used due to system() call "IFS", NULL }; if (getauxval(AT_SECURE)) for (int i = 0; unsec_vars[i]; ++i) unsetenv(unsec_vars[i]); int c, socket_serv_fd, fd; char result[64]; struct option long_opts[] = { { "command", required_argument, NULL, 'c' }, { "help", no_argument, NULL, 'h' }, { "login", no_argument, NULL, 'l' }, { "preserve-environment", no_argument, NULL, 'p' }, { "shell", required_argument, NULL, 's' }, { "version", no_argument, NULL, 'v' }, { "context", required_argument, NULL, 'z' }, { "mount-master", no_argument, NULL, 'M' }, { NULL, 0, NULL, 0 }, }; while ((c = getopt_long(argc, argv, "c:hlmps:Vvuz:M", long_opts, NULL)) != -1) { switch (c) { case 'c': su_ctx->to.command = concat_commands(argc, argv); optind = argc; su_ctx->notify = 1; break; case 'h': usage(EXIT_SUCCESS); break; case 'l': su_ctx->to.login = 1; break; case 'm': case 'p': su_ctx->to.keepenv = 1; break; case 's': su_ctx->to.shell = optarg; break; case 'V': printf("%d\n", MAGISK_VER_CODE); exit2(EXIT_SUCCESS); case 'v': printf("%s\n", MAGISKSU_VER_STR); exit2(EXIT_SUCCESS); case 'z': // Do nothing, placed here for legacy support :) break; case 'M': su_ctx->info->mnt_ns = NAMESPACE_MODE_GLOBAL; break; default: /* Bionic getopt_long doesn't terminate its error output by newline */ fprintf(stderr, "\n"); usage(2); } } if (optind < argc && strcmp(argv[optind], "-") == 0) { su_ctx->to.login = 1; optind++; } /* username or uid */ if (optind < argc) { struct passwd *pw; pw = getpwnam(argv[optind]); if (pw) su_ctx->to.uid = pw->pw_uid; else su_ctx->to.uid = atoi(argv[optind]); optind++; } // Handle namespaces switch (su_ctx->info->mnt_ns) { case NAMESPACE_MODE_GLOBAL: LOGD("su: use global namespace\n"); break; case NAMESPACE_MODE_REQUESTER: LOGD("su: use namespace of pid=[%d]\n", su_ctx->pid); if (switch_mnt_ns(su_ctx->pid)) { LOGD("su: setns failed, fallback to isolated\n"); unshare(CLONE_NEWNS); } break; case NAMESPACE_MODE_ISOLATE: LOGD("su: use new isolated namespace\n"); unshare(CLONE_NEWNS); break; } // Change directory to cwd chdir(su_ctx->cwd); // Check root_access configuration switch (su_ctx->info->root_access) { case ROOT_ACCESS_DISABLED: LOGE("Root access is disabled!\n"); exit(EXIT_FAILURE); case ROOT_ACCESS_APPS_ONLY: if (su_ctx->info->uid == UID_SHELL) { LOGE("Root access is disabled for ADB!\n"); exit(EXIT_FAILURE); } break; case ROOT_ACCESS_ADB_ONLY: if (su_ctx->info->uid != UID_SHELL) { LOGE("Root access limited to ADB only!\n"); exit(EXIT_FAILURE); } break; case ROOT_ACCESS_APPS_AND_ADB: default: break; } // New request or no db exist, notify user for response if (su_ctx->info->policy == QUERY && su_ctx->info->st.st_uid != 0) { socket_serv_fd = socket_create_temp(su_ctx->sock_path, sizeof(su_ctx->sock_path)); setup_sighandlers(cleanup_signal); // Start activity app_send_request(su_ctx); atexit(socket_cleanup); fd = socket_accept(socket_serv_fd); socket_send_request(fd, su_ctx); socket_receive_result(fd, result, sizeof(result)); close(fd); close(socket_serv_fd); socket_cleanup(); if (strcmp(result, "socket:ALLOW") == 0) su_ctx->info->policy = ALLOW; else su_ctx->info->policy = DENY; // Report the policy to main daemon xwrite(su_ctx->pipefd[1], &su_ctx->info->policy, sizeof(su_ctx->info->policy)); close(su_ctx->pipefd[0]); close(su_ctx->pipefd[1]); } if (su_ctx->info->policy == ALLOW) allow(); else deny(); }