Commit Graph

188 Commits

Author SHA1 Message Date
topjohnwu f008420891 Make magiskinit not magiskpolicy 2022-03-17 03:36:40 -07:00
topjohnwu 49f259065d Introduce new sepolicy injection mechanism
In the current implementation, Magisk will either have to recreate
all early mount implementation (for legacy SAR and rootfs devices) or
delegate early mount to first stage init (for 2SI devices) to access
required partitions for loading sepolicy. It then has to recreate the
split sepolicy loading implementation in-house, apply patches, then
dump the compiled + patched policies into monolithic format somewhere.
Finally, it patches the original init to force it to load the sepolicy
file we just created.

With the increasing complexity involved in early mount and split
sepolicy (there is even APEX module involved in the future!),
it is about time to rethink Magisk's sepolicy strategy as rebuilding
init's functionality is not scalable and easy to maintain.

In this commit, instead of building sepolicy ourselves, we mock
selinuxfs with FIFO files connected to a pre-init daemon, waiting
for the actual init process to directly write the sepolicy file into
MagiskInit. We then patch the file and load it into the kernel. Some
FIFO tricks has to be used to hijack the original init process's
control flow and prevent race conditions, details are directly in the
comments in code.

At the moment, only system-as-root (read-only root) support is added.
Support for legacy rootfs devices will come with a follow up commit.
2022-03-16 00:31:55 -07:00
topjohnwu 9968af0785 Move all permission check into daemon.cpp 2022-03-01 03:15:38 -08:00
topjohnwu be7586137c Reduce C++ wizardry 2022-03-01 03:15:38 -08:00
LoveSy 7999b66c3c Refactor daemon connection 2022-03-01 03:15:38 -08:00
topjohnwu bb7a74e4b4 Add Zygisk API getFlags() 2022-01-17 19:54:33 -08:00
topjohnwu 21d7db0959 Add new Zygisk API to get module dir 2022-01-14 03:10:02 -08:00
topjohnwu ea75a09f95 Make zygisk survive zygote restarts
Close #4777
2021-10-27 01:53:16 -07:00
topjohnwu 8d0dc37ec0 Use SO_PEERSEC to get client secontext 2021-10-19 23:46:38 -07:00
topjohnwu 6f54c57647 Allow fork in thread pool 2021-10-17 04:24:25 -07:00
topjohnwu c8ac6c07b0 Load Zygisk modules 2021-10-13 04:52:02 -07:00
topjohnwu f1b6c9f4aa Refresh uid_map on package.xml change 2021-09-20 04:42:06 -07:00
topjohnwu 3fb72a4d20 Support polling on multiple fds 2021-09-18 14:40:12 -07:00
topjohnwu db590091b3 Propagate Zygisk state to Magisk app 2021-09-18 02:38:53 -07:00
topjohnwu 7b25e74418 Simplify get manager app info logic 2021-09-17 02:07:32 -07:00
topjohnwu 706a492218 Update denylist config implementation 2021-09-16 05:27:34 -07:00
topjohnwu c0be5383de Support enable/disable Zygisk 2021-09-15 02:49:54 -07:00
topjohnwu 3b8ce85092 Enable Zygisk 2021-09-15 01:59:43 -07:00
topjohnwu 65b0ea792e MagiskHide is no more 2021-09-12 12:40:34 -07:00
topjohnwu de2306bd12 Proper incremental builds
Auto generate flag.h for precise rebuilding
2021-09-07 19:35:28 -07:00
LoveSy 117d1ed080 Fix always enter safe mode
`getprop("persist.sys.safemode", true) == "1"` -> `getprop("persist.sys.safemode", true) == ""`
2021-08-29 02:45:49 -07:00
vvb2060 f324252681 Use isolated devpts if kernel support
kernel version >= 4.7 or CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
2021-08-29 02:45:49 -07:00
topjohnwu 5d162f81c4 Modernize db.hpp 2021-08-27 01:06:03 -07:00
topjohnwu 4771c2810b Significantly better AVD support 2021-08-26 03:09:56 -07:00
topjohnwu 171d68ca72 Connect to magiskd log daemon 2021-08-22 03:26:48 -07:00
topjohnwu bade4f2c6a Make xhook log as Magisk 2021-08-22 03:26:48 -07:00
topjohnwu ffe47300a1 Update recv/send fd function 2021-08-22 03:26:48 -07:00
topjohnwu 9b3efffba9 Use magiskd to setup files 2021-08-18 03:44:32 -07:00
topjohnwu 003fea52b1 Remove all non-Magisk hiding code
Magisk no longer interferes with any signals/info that were not created
or caused by Magisk itself.
2021-08-18 02:01:54 -07:00
topjohnwu 2b17c77195 Make Zygisk 1st class citizen 2021-08-17 23:57:49 -07:00
topjohnwu 20860da4b4 Cleaner daemon handlers 2021-08-11 22:57:08 -07:00
topjohnwu e8ba671fc2 Guard all injection features behind a global flag 2021-01-13 20:07:23 -08:00
topjohnwu 9a28dd4f6e Implement MagiskHide through code injection 2021-01-12 03:28:00 -08:00
topjohnwu d2acd59ea8 Minor code refactoring 2021-01-12 00:07:48 -08:00
topjohnwu eb21c8b42e Code cleanups 2021-01-11 02:19:10 -08:00
topjohnwu 4060c2107c Add preliminary zygote code injection support
Prototyping the injection setup and a clean "self unloading" mechanism.
2021-01-06 22:21:17 -08:00
topjohnwu f9bde347bc Convert indentation to spaces
The tab war is lost
2020-12-30 22:11:24 -08:00
topjohnwu eee7f097e3 Make post-fs-data scripts block at most 35 secs 2020-12-17 16:54:53 -08:00
topjohnwu 086059ec30 Make sure boot stages are mutually exclusive 2020-12-15 03:40:37 -08:00
topjohnwu dead74801d Setup log file when manually starting daemon 2020-12-04 01:07:47 -08:00
topjohnwu f152e8c33d Directly log to log file 2020-12-03 20:15:18 -08:00
topjohnwu 1e0f96d0fd Prefer platform implementation over internal 2020-11-04 04:42:02 -08:00
topjohnwu bf650332d8 Update nanopb 2020-11-04 01:56:49 -08:00
topjohnwu 16e4c67992 Significantly broaden sepolicy.rule compatibility
Previously, Magisk uses persist or cache for storing modules' custom
sepolicy rules. In this commit, we significantly broaden its
compatibility and also prevent mounting errors.

The persist partition is non-standard and also critical for Snapdragon
devices, so we prefer not to use it by default.

We will go through the following logic to find the best suitable
non-volatile, writable location to store and load sepolicy.rule files:

Unencrypted data -> FBE data unencrypted dir -> cache -> metadata -> persist

This should cover almost all possible cases: very old devices have
cache partitions; newer devices will use FBE; latest devices will use
metadata FBE (which guarantees a metadata parition); and finally,
all Snapdragon devices have the persist partition (as a last resort).

Fix #3179
2020-11-02 23:20:38 -08:00
topjohnwu d625beb7f3 Update --remove-modules implementation 2020-10-11 18:30:03 -07:00
topjohnwu 6abd9aa8a4 Add new --install-module command
Close #2253
2020-09-26 16:50:41 -07:00
topjohnwu 434efec860 Use FIFO for su request communication
Fix #3159
2020-09-10 00:38:29 -07:00
topjohnwu 43146b8316 Update su request process
Due to changes in ec3705f2ed, the app can
no longer communicate with the dameon through a socket opened on the
daemon side due to SELinux restrictions. The workaround here is to have
the daemon decide a socket name, send it to the app, have the app create
the socket server, then finally the daemon connects to the app through
the socket.
2020-06-19 03:52:25 -07:00
topjohnwu 1e2f776b83 Move logging.hpp 2020-06-17 01:17:28 -07:00
topjohnwu 2f824f59dc Better logging system
Use C++ magic to strip out debug logs at compile time
2020-06-01 04:15:37 -07:00