From a9c0409cd9dee025f787fbec46ceb53defbee146 Mon Sep 17 00:00:00 2001 From: vvb2060 Date: Mon, 19 Jul 2021 03:34:36 +0800 Subject: [PATCH] [core] Move signature verification to lspd (#822) --- .../lspd/service/ILSPApplicationService.aidl | 12 ++++++------ .../lspd/config/ApplicationServiceClient.java | 2 +- .../config/LSPApplicationServiceClient.java | 6 +++--- .../lspd/hooker/LoadedApkGetCLHooker.java | 19 ++++++++++++------- .../lsposed/lspd/service/ConfigManager.java | 9 +++++++-- .../lspd/service/LSPApplicationService.java | 12 ++++++++---- .../lsposed/lspd/service/PackageService.java | 5 +---- .../lsposed/lspd/util/InstallerVerifier.java | 4 ++-- 8 files changed, 40 insertions(+), 29 deletions(-) diff --git a/core/src/main/aidl/org/lsposed/lspd/service/ILSPApplicationService.aidl b/core/src/main/aidl/org/lsposed/lspd/service/ILSPApplicationService.aidl index 3c8707ee..f64c5e09 100644 --- a/core/src/main/aidl/org/lsposed/lspd/service/ILSPApplicationService.aidl +++ b/core/src/main/aidl/org/lsposed/lspd/service/ILSPApplicationService.aidl @@ -1,15 +1,15 @@ package org.lsposed.lspd.service; interface ILSPApplicationService { - IBinder requestModuleBinder() = 2; + IBinder requestModuleBinder(); - IBinder requestManagerBinder(String packageName) = 3; + boolean requestManagerBinder(String packageName, String path, out IBinder[] binder); - boolean isResourcesHookEnabled() = 5; + boolean isResourcesHookEnabled(); - Map getModulesList(String processName) = 6; + Map getModulesList(String processName); - String getPrefsPath(String packageName) = 7; + String getPrefsPath(String packageName); - ParcelFileDescriptor getModuleLogger() = 9; + ParcelFileDescriptor getModuleLogger(); } diff --git a/core/src/main/java/org/lsposed/lspd/config/ApplicationServiceClient.java b/core/src/main/java/org/lsposed/lspd/config/ApplicationServiceClient.java index a77f240d..034e9525 100644 --- a/core/src/main/java/org/lsposed/lspd/config/ApplicationServiceClient.java 
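Review bot: The boolean returned by the new `requestManagerBinder(String packageName, String path, out IBinder[] binder)` in ILSPApplicationService.aidl is easy to misread as a success flag. Judging by the service implementation later in this patch, `true` means the package must be blocked, while a granted binder arrives in `binder[0]` together with a `false` return. A comment on the method would make that contract explicit, for example `// Returns true if the package must be blocked; when access is granted, binder[0] is set and false is returned.` It should also say that `binder` needs at least one element, because the implementation writes `binder[0]` without checking the length.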
+++ b/core/src/main/java/org/lsposed/lspd/config/ApplicationServiceClient.java @@ -15,7 +15,7 @@ abstract public class ApplicationServiceClient implements ILSPApplicationService abstract public IBinder requestModuleBinder(); @Override - abstract public IBinder requestManagerBinder(String packageName); + abstract public boolean requestManagerBinder(String packageName, String path, IBinder[] binder); @Override abstract public boolean isResourcesHookEnabled(); diff --git a/core/src/main/java/org/lsposed/lspd/config/LSPApplicationServiceClient.java b/core/src/main/java/org/lsposed/lspd/config/LSPApplicationServiceClient.java index c388735c..0cf8cf89 100644 --- a/core/src/main/java/org/lsposed/lspd/config/LSPApplicationServiceClient.java +++ b/core/src/main/java/org/lsposed/lspd/config/LSPApplicationServiceClient.java @@ -68,12 +68,12 @@ public class LSPApplicationServiceClient extends ApplicationServiceClient { } @Override - public IBinder requestManagerBinder(String packageName) { + public boolean requestManagerBinder(String packageName, String path, IBinder[] binder) { try { - return service.requestManagerBinder(packageName); + return service.requestManagerBinder(packageName, path, binder); } catch (RemoteException | NullPointerException ignored) { } - return null; + return false; } @Override diff --git a/core/src/main/java/org/lsposed/lspd/hooker/LoadedApkGetCLHooker.java b/core/src/main/java/org/lsposed/lspd/hooker/LoadedApkGetCLHooker.java index 00e7066d..e090db02 100644 --- a/core/src/main/java/org/lsposed/lspd/hooker/LoadedApkGetCLHooker.java +++ b/core/src/main/java/org/lsposed/lspd/hooker/LoadedApkGetCLHooker.java 
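Review bot: The empty catch in LSPApplicationServiceClient.requestManagerBinder turns a `RemoteException` or `NullPointerException` into `return false`, which the new hooker code reads as "not blocked". With `binder[0]` still null, LoadedApkGetCLHooker then falls through to `XC_LoadPackage.callAll(lpparam)`, so a failed call to lspd takes the same path as an ordinary app and skips the block branch. How reachable that is depends on when `service` can be null or dead, which the hunk does not show. I would at least log the exception instead of discarding it, and state in a comment whether a failed lookup is meant to fail open.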
@@ -90,13 +90,18 @@ public class LoadedApkGetCLHooker extends XC_MethodHook { hookNewXSP(lpparam); } - IBinder binder = loadedApk.getApplicationInfo() != null ? serviceClient.requestManagerBinder(loadedApk.getApplicationInfo().packageName) : null; - if (binder != null) { - if (InstallerVerifier.verifyInstallerSignature(loadedApk.getApplicationInfo())) { - InstallerVerifier.hookXposedInstaller(lpparam.classLoader, binder); - } else { - InstallerVerifier.hookXposedInstaller(classLoader); - } + var binder = new IBinder[1]; + var blocked = false; + var info = loadedApk.getApplicationInfo(); + if (info != null) { + var packageName = info.packageName; + var path = info.sourceDir; + blocked = serviceClient.requestManagerBinder(packageName, path, binder); + } + if (binder[0] != null) { + InstallerVerifier.hookXposedInstaller(lpparam.classLoader, binder[0]); + } else if (blocked) { + InstallerVerifier.hookXposedInstaller(classLoader); } else { XC_LoadPackage.callAll(lpparam); } diff --git a/core/src/main/java/org/lsposed/lspd/service/ConfigManager.java b/core/src/main/java/org/lsposed/lspd/service/ConfigManager.java index b6822de3..34144012 100644 --- a/core/src/main/java/org/lsposed/lspd/service/ConfigManager.java +++ b/core/src/main/java/org/lsposed/lspd/service/ConfigManager.java 
@@ -77,14 +77,14 @@ public class ConfigManager { "android.permission.WRITE_SECURE_SETTINGS" }; - static ConfigManager instance = null; + private static ConfigManager instance = null; private static final File basePath = new File("/data/adb/lspd"); private static final File configPath = new File(basePath, "config"); private static final File lockPath = new File(basePath, "lock"); private static final SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(new File(configPath, "modules_config.db"), null); - boolean packageStarted = false; + private boolean packageStarted = false; private static final File resourceHookSwitch = new File(configPath, "enable_resources"); private boolean resourceHook = false; @@ -734,6 +734,11 @@ public class ConfigManager { return uid == managerUid; } + public boolean shouldBlock(String packageName) { + return packageName.equals("io.github.lsposed.manager") || + packageName.equals(BuildConfig.DEFAULT_MANAGER_PACKAGE_NAME); + } + public String getPrefsPath(String fileName, int uid) { int userId = uid / PER_USER_RANGE; return miscPath + File.separator + "prefs" + (userId == 0 ? "" : String.valueOf(userId)) + File.separator + fileName; diff --git a/core/src/main/java/org/lsposed/lspd/service/LSPApplicationService.java b/core/src/main/java/org/lsposed/lspd/service/LSPApplicationService.java index 75c04ab8..9ac4b10b 100644 --- a/core/src/main/java/org/lsposed/lspd/service/LSPApplicationService.java +++ b/core/src/main/java/org/lsposed/lspd/service/LSPApplicationService.java @@ -27,6 +27,7 @@ import android.os.RemoteException; import android.util.Log; import android.util.Pair; +import org.lsposed.lspd.util.InstallerVerifier; import org.lsposed.lspd.util.Utils; import java.util.Map; 
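Review bot: `shouldBlock` in the second ConfigManager hunk calls `packageName.equals(...)` on a value that comes straight from the Binder argument of `requestManagerBinder`, so a null package name throws instead of returning false. The constant-first form avoids that: `return "io.github.lsposed.manager".equals(packageName) || BuildConfig.DEFAULT_MANAGER_PACKAGE_NAME.equals(packageName);`. The hard-coded literal also deserves a one-line comment saying why it is blocked alongside the default manager name; presumably it is an earlier manager package id, but the diff does not confirm that.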
@@ -101,16 +102,19 @@ public class LSPApplicationService extends ILSPApplicationService.Stub { } @Override - public IBinder requestManagerBinder(String packageName) throws RemoteException { + public boolean requestManagerBinder(String packageName, String path, IBinder[] binder) throws RemoteException { ensureRegistered(); - if (ConfigManager.getInstance().isManager(getCallingUid()) && ConfigManager.getInstance().isManager(packageName)) { + if (ConfigManager.getInstance().isManager(getCallingUid()) && + ConfigManager.getInstance().isManager(packageName) && + InstallerVerifier.verifyInstallerSignature(path)) { var service = ServiceManager.getManagerService(); if (Utils.isMIUI) { service.new ManagerGuard(handles.get(getCallingPid())); } - return service; + binder[0] = service; + return false; } - return null; + return ConfigManager.getInstance().shouldBlock(packageName); } public boolean hasRegister(int uid, int pid) { diff --git a/core/src/main/java/org/lsposed/lspd/service/PackageService.java b/core/src/main/java/org/lsposed/lspd/service/PackageService.java index cf56cadf..5182c856 100644 --- a/core/src/main/java/org/lsposed/lspd/service/PackageService.java +++ b/core/src/main/java/org/lsposed/lspd/service/PackageService.java 
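Review bot: `requestManagerBinder` verifies the APK at `path`, but `path` is supplied by the calling process and nothing in this hunk ties it to the caller's installed package. The UID and package-name checks establish who is asking; the signature check then runs on whatever file the caller names, so the result says little about the code actually running in that process. I would resolve the APK location inside lspd from the package manager for the calling UID (PackageService already uses `pm.getPackageInfo` elsewhere in this patch). Then either drop the `path` parameter or reject a value that differs from the resolved `sourceDir`. Checking a file by path also leaves a gap between verification and the moment the app's code is loaded, which is worth a comment if it is accepted as a known limitation.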
@@ -279,11 +279,8 @@ public class PackageService { // Uninstall manager when needed PackageInfo pkgInfo = pm.getPackageInfo(packageName, 0, 0); if (pkgInfo != null && pkgInfo.versionName != null && pkgInfo.applicationInfo != null) { - if ((pkgInfo.applicationInfo.flags & ApplicationInfo.FLAG_TEST_ONLY) != 0) { - return false; - } boolean versionMatch = pkgInfo.versionName.equals(BuildConfig.VERSION_NAME); - boolean signatureMatch = InstallerVerifier.verifyInstallerSignature(pkgInfo.applicationInfo); + boolean signatureMatch = InstallerVerifier.verifyInstallerSignature(pkgInfo.applicationInfo.sourceDir); if (versionMatch && signatureMatch && pkgInfo.versionCode >= BuildConfig.VERSION_CODE) return false; if (!signatureMatch || !versionMatch && pkgInfo.versionCode > BuildConfig.VERSION_CODE) diff --git a/core/src/main/java/org/lsposed/lspd/util/InstallerVerifier.java b/core/src/main/java/org/lsposed/lspd/util/InstallerVerifier.java index f384ff3a..98cc62bb 100644 --- a/core/src/main/java/org/lsposed/lspd/util/InstallerVerifier.java +++ b/core/src/main/java/org/lsposed/lspd/util/InstallerVerifier.java @@ -38,8 +38,8 @@ import de.robv.android.xposed.XC_MethodHook; import de.robv.android.xposed.XposedHelpers; public class InstallerVerifier { - public static boolean verifyInstallerSignature(ApplicationInfo appInfo) { - ApkVerifier verifier = new ApkVerifier.Builder(new File(appInfo.sourceDir)) + public static boolean verifyInstallerSignature(String path) { + ApkVerifier verifier = new ApkVerifier.Builder(new File(path)) .setMinCheckedPlatformVersion(27) .build(); try {
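Review bot: `verifyInstallerSignature(String path)` in InstallerVerifier.java builds `new File(path)` before the `try`, so a null `path` raises a NullPointerException instead of returning false. The value now arrives from `ApplicationInfo.sourceDir` or from a Binder argument, and either may be null. A guard at the top keeps the method fail-closed: `if (path == null) return false;`. The method body continues past the end of the hunk, so what the `try` catches is not visible here. A short Javadoc saying that `path` is expected to be the base APK path, and is untrusted when called from lspd, would also help.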