Added: Re-add system_linker_exec support initially added in 5ea25ee and removed in xxxxx

agnostic-apollo · agnostic-apollo · commit 9f26d30b1498 · 2025-03-05T08:50:23.000+05:00
- `lib/termux-exec_c/src/termux/api/termux_exec/exec/ExecIntercept.c` from `libtermux-exec_c` handles the `system_linker_exec` now.
- Added the `string` `TERMUX_EXEC__SYSTEM_LINKER_EXEC` environment variable for whether to use `system_linker_exec` if `TERMUX_EXEC__INTERCEPT_EXECVE` is enabled. If set to `disable`, `system_linker_exec` will be disabled. If set to `enable`, then `system_linker_exec` will be enabled but only if required. If set to `force`, then `system_linker_exec` will be force enabled even if not required and is supported. The default value is `enable`. Check `shouldSystemLinkerExec()` in `ExecIntercept.h` and `ExecIntercept.c` for more info and how its handled. Docs will be added in a later commit. The `system_linker_exec` will now engage for executable or interpreter paths that are under `TERMUX_APP__DATA_DIR` or `TERMUX_APP__LEGACY_DATA_DIR` instead of `TERMUX__ROOTFS` (`TERMUX_BASE_DIR`).
- Use `getAndroidBuildVersionSdk()` from `libtermux-core_c` library to read `ANDROID__BUILD_VERSION_SDK` environment variable exported by Termux app to get Android build version sdk, and if its not set, then from the `android_get_device_api_level()` call provided by `&lt;android/api-level.h&gt;`, which gets it from the system properties, which should be slower.
- Fix the environment `envp` being copied twice during `execve` for system bin paths, once for unsetting `LD_` variables and then to set `TERMUX_EXEC__PROC_SELF_EXE`. The `modifyExecEnv()` function now handles all changes to environment with a single copy.
- Fix `TERMUX_EXEC__PROC_SELF_EXE` being set even if `system_linker_exec` is not being used on `targetSdkVersion &lt;= 28`, etc, and also not being unset when going from `system_linker_exec` to direct execution like system binaries. Packages will be patched to detect if `system_linker_exec` is being used to modify their behaviour, which shouldn't be modified for direct execution.
diff --git a/lib/termux-exec_c/include/termux/termux_exec__c/v1/termux/api/termux_exec/exec/ExecIntercept.h b/lib/termux-exec_c/include/termux/termux_exec__c/v1/termux/api/termux_exec/exec/ExecIntercept.h
@@ -195,6 +195,51 @@ int inspectFileHeader(const char *termuxPrefixDir, char *header, size_t headerLe
     struct FileHeaderInfo *info);
 
 
+/**
+ * Whether to use `system_linker_exec`, like to bypass app data file
+ * execute restrictions.
+ *
+ * A call is made to `getTermuxExecSystemLinkerExecConfig()` to
+ * get the config for using `system_linker_exec`.
+ *
+ * If `disable` is set, then `system_linker_exec` should not be used
+ * and the default `direct` execution type should be used.
+ *
+ * If `enable` is set, then `system_linker_exec` should only be used if:
+ * - `system_linker_exec` is required to bypass app data file execute
+ *   restrictions, i.e device is running on Android `>= 10`.
+ * - Effective user does not equal root (`0`) and shell (`2000`) user (used for
+ *   [`adb`](https://developer.android.com/tools/adb)).
+ * - `TERMUX__SE_PROCESS_CONTEXT` or its fallback `/proc/self/attr/current`
+ *    does not start with `PROCESS_CONTEXT_PREFIX__UNTRUSTED_APP_25` and
+ *   `PROCESS_CONTEXT_PREFIX__UNTRUSTED_APP_27` for which restrictions
+ *   are exempted.
+ * - `isPathUnderTermuxAppDataDir()` returns `true` for the `executablePath`.
+ *
+ * If `force` is set, then `system_linker_exec` should only be used if:
+ * - `system_linker_exec` is supported, i.e device is running on Android `>= 10`.
+ * - `isPathUnderTermuxAppDataDir()` returns `true` for the `executablePath`.
+ * This can be used if running in an untrusted app with `targetSdkVersion` `<= 28`.
+ *
+ * The executable or interpreter paths are checked under
+ * `TERMUX_APP__DATA_DIR` or `TERMUX_APP__LEGACY_DATA_DIR` instead of
+ * `TERMUX__ROOTFS` as files could be executed from `TERMUX__APPS_DIR`
+ * and `TERMUX__CACHE_DIR`, which are not under the Termux rootfs.
+ * Additionally, Termux rootfs may not exist under app data directory
+ * at all and could be under another directory under Android rootfs `/`,
+ * like if compiling packages for `shell` user for the `com.android.shell`
+ * package with the Termux rootfs under `/data/local/tmp` instead of
+ * `/data/data/com.android.shell` (and using `force` mode) or
+ * compiling packages for `/system` directory.
+ *
+ * @param executablePath The **normalized** executable or interpreter
+ *                        path that will actually be executed.
+ * @return Returns `0` if `system_linker_exec` should not be used,
+ * `1` if `system_linker_exec` should be used, otherwise `-1` on failures.
+ */
+int shouldSystemLinkerExec(const char *executablePath);
+
+
 
 /**
  * Whether variables in `LD_VARS_TO_UNSET` should be unset before `exec()`
@@ -237,6 +282,9 @@ int modifyExecEnv(char *const *envp, char ***newEnvpPointer,
  * `FileHeaderInfo.origInterpreterPath`, otherwise the original
  * `argv[0]` passed to `execve()` will be preserved.
  *
+ * If `systemLinkerExec` is `true`, then `argv[1]` will be set
+ * to `executablePath` to be executed by the linker.
+ *
  * If `interpreterSet` is set, then `FileHeaderInfo.interpreterArg`
  * will be appended if set, followed by the `origExecutablePath`
  * passed to `execve()`.
@@ -251,14 +299,15 @@ int modifyExecEnv(char *const *envp, char ***newEnvpPointer,
  *                        path that will actually be executed.
  * @param interpreterSet Whether a interpreter is set in the executable
  *                        file.
+ * @param systemLinkerExec Whether `system_linker_exec` is enabled.
  * @param info The `FileHeaderInfo` for the executable file.
  * @return Returns `0` if successfully modified the args, otherwise
  * `-1` on failures. Its the callers responsibility to call `free()`
  * on the `newArgvPointer` passed.
  */
 int modifyExecArgs(char *const *argv, const char ***newArgvPointer,
     const char *origExecutablePath, const char *executablePath,
-    bool interpreterSet, struct FileHeaderInfo *info);
+    bool interpreterSet, bool systemLinkerExec, struct FileHeaderInfo *info);
 
 
 
diff --git a/lib/termux-exec_c/include/termux/termux_exec__c/v1/termux/shell/command/environment/termux_exec/TermuxExecShellEnvironment.h b/lib/termux-exec_c/include/termux/termux_exec__c/v1/termux/shell/command/environment/termux_exec/TermuxExecShellEnvironment.h
@@ -44,6 +44,42 @@ extern "C" {
 #define ENV__TERMUX_EXEC__INTERCEPT_EXECVE TERMUX_ENV__S_TERMUX_EXEC "INTERCEPT_EXECVE"
 static const bool E_DEF_VAL__TERMUX_EXEC__INTERCEPT_EXECVE = true;
 
+/**
+ * Environment variable for whether use System Linker Exec Solution,
+ * like to bypass App Data File Execute Restrictions.
+ *
+ * See also `shouldSystemLinkerExec()`
+ *
+ * Type: `string`
+ * Default key: `TERMUX_EXEC__SYSTEM_LINKER_EXEC`
+ * Default value: E_DEF_VAL__TERMUX_EXEC__SYSTEM_LINKER_EXEC
+ * Values:
+ * - `disable` - The `system_linker_exec` will be disabled.
+ * - `enable` - The `system_linker_exec` will be enabled but only if required.
+ * - `force` - The `system_linker_exec` will be force enabled even if not required.
+ */
+#define ENV__TERMUX_EXEC__SYSTEM_LINKER_EXEC TERMUX_ENV__S_TERMUX_EXEC "SYSTEM_LINKER_EXEC"
+static const int E_DEF_VAL__TERMUX_EXEC__SYSTEM_LINKER_EXEC = 1;
+
+
+
+/**
+ * Environment variable for the path to the executable file is being
+ * executed by `execve()` is using `system_linker_exec`.
+ *
+ * Type: `string`
+ * Default key: `TERMUX_EXEC__PROC_SELF_EXE`
+ * Values:
+ * - The normalized, absolutized and prefixed path for the executable
+ * file is being executed by `execve()` if `system_linker_exec` is
+ * being used.
+ */
+#define ENV__TERMUX_EXEC__PROC_SELF_EXE TERMUX_ENV__S_TERMUX_EXEC "PROC_SELF_EXE"
+#define ENV_PREFIX__TERMUX_EXEC__PROC_SELF_EXE ENV__TERMUX_EXEC__PROC_SELF_EXE "="
+
+
+
+
 
 /**
  * Returns the `termux-exec` config for `Logger` log level
@@ -66,6 +102,19 @@ int getTermuxExecLogLevel();
  * bool enabled, `false` if bool disabled, otherwise defaults to `true`.
  */
 bool isTermuxExecExecveInterceptEnabled();
+
+/**
+ * Returns the `termux-exec` config for `system_linker_exec` based on
+ * the `ENV__TERMUX_EXEC__SYSTEM_LINKER_EXEC` env variable.
+ *
+ * @return Return `0` if `ENV__TERMUX_EXEC__SYSTEM_LINKER_EXEC` is set
+ * to `disable`, `1` if set to `enable`, `2` if set to `force`,
+ * otherwise defaults to `1` (`enable`).
+ */
+int getTermuxExecSystemLinkerExecConfig();
+
+
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/termux-exec_c/src/termux/api/termux_exec/exec/ExecIntercept.c b/lib/termux-exec_c/src/termux/api/termux_exec/exec/ExecIntercept.c
@@ -223,6 +223,15 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
 
 
 
+
+    // Check if `system_linker_exec` is required.
+    int systemLinkerExec = shouldSystemLinkerExec(executablePath);
+    if (systemLinkerExec < 0) {
+        return -1;
+    }
+
+
+
     bool modifyEnv = false;
     bool unsetLdVarsFromEnv = shouldUnsetLDVarsFromEnv(info.isNonNativeElf, executablePath);
     logErrorVVerbose(LOG_TAG, "unset_ld_vars_from_env: '%d'", unsetLdVarsFromEnv);
@@ -231,6 +240,29 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
         modifyEnv = true;
     }
 
+
+
+    // If `system_linker_exec` is going to be used, then set `TERMUX_EXEC__PROC_SELF_EXE`
+    // environment variable to `processedExecutablePath`, otherwise
+    // unset it if it is already set.
+    char *envTermuxProcSelfExe = NULL;
+    if (systemLinkerExec) {
+        modifyEnv = true;
+        logErrorVVerbose(LOG_TAG, "set_proc_self_exe_var_in_env: '%d'", true);
+
+        if (asprintf(&envTermuxProcSelfExe, "%s%s", ENV_PREFIX__TERMUX_EXEC__PROC_SELF_EXE, processedExecutablePath) == -1) {
+            errno = ENOMEM;
+            logStrerrorDebug(LOG_TAG, "asprintf failed for '%s%s'", ENV_PREFIX__TERMUX_EXEC__PROC_SELF_EXE, processedExecutablePath);
+            return -1;
+        }
+    } else {
+        const char *proc_self_exe_var[] = { ENV_PREFIX__TERMUX_EXEC__PROC_SELF_EXE };
+        if (areVarsInEnv(envp, proc_self_exe_var, 1)) {
+            logErrorVVerbose(LOG_TAG, "unset_proc_self_exe_var_from_env: '%d'", true);
+            modifyEnv = true;
+        }
+    }
+
     logErrorVVerbose(LOG_TAG, "modify_env: '%d'", modifyEnv);
 
 
@@ -249,20 +281,25 @@ int execveInterceptInternal(const char *origExecutablePath, char *const argv[],
 
 
 
-    const bool modifyArgs = interpreterSet;
+    const bool modifyArgs = systemLinkerExec || interpreterSet;
     logErrorVVerbose(LOG_TAG, "modify_args: '%d'", modifyArgs);
 
     const char **newArgv = NULL;
     if (modifyArgs) {
         if (modifyExecArgs(argv, &newArgv, origExecutablePath, executablePath,
-            interpreterSet, &info) != 0 ||
+            interpreterSet, systemLinkerExec, &info) != 0 ||
             newArgv == NULL) {
             logErrorDebug(LOG_TAG, "Failed to create modified exec args");
             free(envTermuxProcSelfExe);
             free(newEnvp);
             return -1;
         }
 
+        // Replace executable path if wrapping with linker.
+        if (systemLinkerExec) {
+            executablePath = SYSTEM_LINKER_PATH;
+        }
+
         argv = (char **) newArgv;
     }
 
@@ -468,6 +505,97 @@ int inspectFileHeader(const char *termuxPrefixDir, char *header, size_t headerLe
 
 
 
+int shouldSystemLinkerExec(const char *executablePath) {
+    int systemLinkerExecConfig = getTermuxExecSystemLinkerExecConfig();
+    logErrorVVerbose(LOG_TAG, "system_linker_exec_config: '%d'", systemLinkerExecConfig);
+
+    bool systemLinkerExec = false;
+    if (systemLinkerExecConfig == 0) { // disable
+        systemLinkerExec = false;
+
+    } else if (systemLinkerExecConfig == 2) { // force
+            bool systemLinkerExecAvailable = false;
+            systemLinkerExecAvailable = getAndroidBuildVersionSdk() >= 29;
+            logErrorVVerbose(LOG_TAG, "system_linker_exec_available: '%d'", systemLinkerExecAvailable);
+
+            if (systemLinkerExecAvailable) {
+                int isExecutableUnderTermuxAppDataDir = isPathUnderTermuxAppDataDir(LOG_TAG,
+                    executablePath, NULL, NULL);
+                if (isExecutableUnderTermuxAppDataDir < 0) {
+                    return -1;
+                }
+                logErrorVVerbose(LOG_TAG, "isExecutableUnderTermuxAppDataDir: '%d'",
+                    isExecutableUnderTermuxAppDataDir == 0 ? true : false);
+
+                systemLinkerExec = isExecutableUnderTermuxAppDataDir == 0;
+            }
+
+    } else { // enable
+        if (systemLinkerExecConfig != 1) {
+            logErrorDebug(LOG_TAG, "Warning: Ignoring invalid system_linker_exec_config value and using '1' instead");
+        }
+
+        bool appDataFileExecExempted = false;
+        (void)appDataFileExecExempted;
+
+        if (getAndroidBuildVersionSdk() >= 29) {
+            // If running as root or shell user, then the process will
+            // be assigned a different process context like
+            // `PROCESS_CONTEXT__AOSP_SU`,
+            // `PROCESS_CONTEXT__MAGISK_SU` or
+            // `PROCESS_CONTEXT__SHELL`, which will not be the same
+            // as the one that's exported in
+            // `ENV__TERMUX__SE_PROCESS_CONTEXT`, so we need to check
+            // effective uid equals `0` or `2000` instead. Moreover,
+            // other su providers may have different contexts, so we
+            // cannot just check AOSP or MAGISK contexts.
+            // - https://man7.org/linux/man-pages/man2/getuid.2.html
+            uid_t uid = geteuid();
+            if (uid == 0 || uid == 2000) {
+                logErrorVVerbose(LOG_TAG, "uid: '%d'", uid);
+                appDataFileExecExempted = true;
+            } else {
+                char seProcessContext[80];
+                bool getSeProcessContextSuccess = false;
+
+                if (getSeProcessContextFromEnv(LOG_TAG, ENV__TERMUX__SE_PROCESS_CONTEXT,
+                    seProcessContext, sizeof(seProcessContext))) {
+                    logErrorVVerbose(LOG_TAG, "se_process_context_from_env: '%s'", seProcessContext);
+                    getSeProcessContextSuccess = true;
+                } else if (getSeProcessContextFromFile(LOG_TAG,
+                    seProcessContext, sizeof(seProcessContext))) {
+                    logErrorVVerbose(LOG_TAG, "se_process_context_from_file: '%s'", seProcessContext);
+                    getSeProcessContextSuccess = true;
+                }
+
+                if (getSeProcessContextSuccess) {
+                    appDataFileExecExempted = stringStartsWith(seProcessContext, PROCESS_CONTEXT_PREFIX__UNTRUSTED_APP_25) ||
+                        stringStartsWith(seProcessContext, PROCESS_CONTEXT_PREFIX__UNTRUSTED_APP_27);
+                }
+            }
+
+            logErrorVVerbose(LOG_TAG, "app_data_file_exec_exempted: '%d'", appDataFileExecExempted);
+
+            if (!appDataFileExecExempted) {
+                int isExecutableUnderTermuxAppDataDir = isPathUnderTermuxAppDataDir(LOG_TAG,
+                    executablePath, NULL, NULL);
+                if (isExecutableUnderTermuxAppDataDir < 0) {
+                    return -1;
+                }
+
+                systemLinkerExec = isExecutableUnderTermuxAppDataDir == 0;
+                logErrorVVerbose(LOG_TAG, "is_executable_under_termux_app_data_dir: '%d'", systemLinkerExec);
+            }
+        }
+    }
+
+    logErrorVVerbose(LOG_TAG, "system_linker_exec: '%d'", systemLinkerExec);
+
+    return 1 ? systemLinkerExec : 0;
+}
+
+
+
 bool shouldUnsetLDVarsFromEnv(bool isNonNativeElf, const char *executablePath) {
     return isNonNativeElf ||
         (stringStartsWith(executablePath, "/system/") &&
@@ -553,7 +681,7 @@ int modifyExecEnv(char *const *envp, char ***newEnvpPointer,
 
 int modifyExecArgs(char *const *argv, const char ***newArgvPointer,
     const char *origExecutablePath, const char *executablePath,
-    bool interpreterSet, struct FileHeaderInfo *info) {
+    bool interpreterSet, bool systemLinkerExec, struct FileHeaderInfo *info) {
     int argsCount = 0;
     while (argv[argsCount] != NULL) {
         argsCount++;
@@ -579,6 +707,11 @@ int modifyExecArgs(char *const *argv, const char ***newArgvPointer,
         newArgv[index++] = argv[0];
     }
 
+    // Add executable path if wrapping with linker.
+    if (systemLinkerExec) {
+        newArgv[index++] = executablePath;
+    }
+
     // Add interpreter argument and script path if executing a script with shebang.
     if (interpreterSet) {
         if (info->interpreterArg != NULL) {
diff --git a/lib/termux-exec_c/src/termux/shell/command/environment/termux_exec/TermuxExecShellEnvironment.c b/lib/termux-exec_c/src/termux/shell/command/environment/termux_exec/TermuxExecShellEnvironment.c
@@ -21,3 +21,18 @@ int getTermuxExecLogLevel() {
 bool isTermuxExecExecveInterceptEnabled() {
     return getBoolEnvValue(ENV__TERMUX_EXEC__INTERCEPT_EXECVE, E_DEF_VAL__TERMUX_EXEC__INTERCEPT_EXECVE);
 }
+
+int getTermuxExecSystemLinkerExecConfig() {
+    int def = E_DEF_VAL__TERMUX_EXEC__SYSTEM_LINKER_EXEC;
+    const char* value = getenv(ENV__TERMUX_EXEC__SYSTEM_LINKER_EXEC);
+    if (value == NULL || strlen(value) < 1) {
+        return def;
+    } else if (strcmp(value, "disable") == 0) {
+        return 0;
+    } else if (strcmp(value, "enable") == 0) {
+        return 1;
+    } else if (strcmp(value, "force") == 0) {
+        return 2;
+    }
+    return def;
+}
