Checks: '-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-valist.Uninitialized'

name: CI

on:

push:

branches:

- '*'

pull_request:

jobs:

check:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v4

- uses: Homebrew/actions/setup-homebrew@master

- run: brew install clang-format

- run: make

- run: make check

- run: make unit-test

actionlint:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v4

- name: Download actionlint

id: get_actionlint

run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)

- name: Check workflow files

run: ${{ steps.get_actionlint.outputs.executable }} -color

TERMUX_BASE_DIR ?= /data/data/com.termux/files

CFLAGS += -Wall -Wextra -Werror -Wshadow -O2

C_SOURCE := termux-exec.c exec-variants.c

CLANG_FORMAT := clang-format --sort-includes --style="{ColumnLimit: 120}" $(C_SOURCE)

CLANG_TIDY ?= clang-tidy

libtermux-exec.so: $(C_SOURCE)

$(CC) $(CFLAGS) $(LDFLAGS) $(C_SOURCE) -DTERMUX_PREFIX=\"$(TERMUX_PREFIX)\" -DTERMUX_BASE_DIR=\"$(TERMUX_BASE_DIR)\" -shared -fPIC -o libtermux-exec.so

clean:

rm -f libtermux-exec.so tests/*-actual test-binary

on-device-tests: libtermux-exec.so

format:

$(CLANG_FORMAT) -i $(C_SOURCE)

check:

$(CLANG_FORMAT) --dry-run $(C_SOURCE)

$(CLANG_TIDY) -warnings-as-errors='*' $(C_SOURCE) -- -DTERMUX_BASE_DIR=\"$(TERMUX_BASE_DIR)\"

test-binary: $(C_SOURCE)

$(CC) $(CFLAGS) $(LDFLAGS) $(C_SOURCE) -g -fsanitize=address -fno-omit-frame-pointer -DUNIT_TEST=1 -DTERMUX_BASE_DIR=\"$(TERMUX_BASE_DIR)\" -o test-binary

unit-test: test-binary

./test-binary

.PHONY: clean install uninstall test format check-format test

A `execve()` wrapper to fix two problems with exec-ing files in Termux.

Android 10 started blocking executing files under the app data directory, as

that is a [W^X](https://en.wikipedia.org/wiki/W%5EX) violation - files should be either

writeable or executable, but not both. Resources:

- [Google Android issue](https://issuetracker.google.com/issues/128554619)

- [Termux: No more exec from data folder on targetAPI >= Android Q](https://github.com/termux/termux-app/issues/1072)

- [Termux: Revisit the Android W^X problem](https://github.com/termux/termux-app/issues/2155)

While there is merit in that general principle, this prevents using Termux and Android

as a general computing device, where it should be possible for users to create executable

scripts and binaries.

Create an `exec` interceptor using [LD_PRELOAD](https://en.wikipedia.org/wiki/DLL_injection#Approaches_on_Unix-like_systems),

that instead of executing an ELF file directly, executes `/system/bin/linker64 /path/to/elf`.

Explanation follows below.

On Linux, the kernel is normally responsible for loading both the executable and the

[dynamic linker](https://en.wikipedia.org/wiki/Dynamic_linker). The executable is invoked

by file path with the [execve system call](https://en.wikipedia.org/wiki/Exec_(system_call)).

The kernel loads the executable into the process, and looks for a `PT_INTERP` entry in

its [ELF program header table](https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#Program_header)

of the file - this specifies the path to the dynamic linker (`/system/bin/linker64` for 64-bit Android).

There is another way to load the two ELF objects:

[since 2018](https://android.googlesource.com/platform/bionic/+/8f639a40966c630c64166d2657da3ee641303194)

the dynamic linker can be invoked directly with `exec`.

If passed the filename of an executable, the dynamic linker will load and run the executable itself.

So, instead of executing `path/to/mybinary`, it's possible to execute

`/system/bin/linker64 /absolute/path/to/mybinary` (the linker needs an absolute path).

This is what `termux-exec` does to circumvent the block on executing files in the data

directory - the kernel sees only `/system/bin/linker64` being executed.

This also means that we need to extract [shebangs](https://en.wikipedia.org/wiki/Shebang_(Unix)). So for example, a call to execute:

./path/to/myscript.sh <args>

where the script has a `#!/path/to/interpreter` shebang, is replaced with:

/system/bin/linker64 /path/to/interpreter ./path/to/myscript.sh <args>

Implications:

- It's important that `LD_PRELOAD` is kept - see e.g. [this change in sshd](https://github.com/termux/termux-packages/pull/18069).

We could also consider patching this exec interception into the build process of termux packages, so `LD_PRELOAD` would not be necessary for packages built by the termux-packages repository.

- The executable will be `/system/bin/linker64`. So some programs that inspects the executable name (on itself or other programs) using `/proc/${PID}/exec` or `/proc/${PID}/comm` (where `$(PID}` could be `self`, for the current process) needs to be changed to instead inspect `argv0` of the process instead. See [this llvm driver change](https://github.com/termux/termux-packages/pull/18074) and [this pgrep/pkill change](https://github.com/termux/termux-packages/pull/18075).

- Statically linked binaries will not work. These are rare in Android and Termux, but zig currently produces statically linked binaries against musl libc.

- The interception using `LD_PRELOAD` will only work for programs using the [C library wrappers](https://linux.die.net/man/3/execve) for executing a new process, not when using the `execve` system call directly. Luckily most programs do use this. Programs using raw system calls needs to be patched or be run under [proot](https://wiki.termux.com/wiki/PRoot).

**NOTE**: The above example used `/system/bin/linker64` - on 32-bit systems, the corresponding

path is `/system/bin/linker`.

**NOTE**: While this circumvents the technical restriction, it still might be considered

violating [Google Play policy](https://support.google.com/googleplay/android-developer/answer/9888379).

So this workaround is not guaranteed to enable Play store distribution of Termux - but it's

worth an attempt, and regardless of Play store distribution, updating the targetSdk is necessary.

Soon, when making a switch to target Android 10+, this will be setup by the Termux app even before

launching any process, as `LD_PRELOAD` will be necessary for anything non-system to execute.

#define _GNU_SOURCE

#include <errno.h>

#include <paths.h>

#include <stdarg.h>

#include <stdbool.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <unistd.h>

enum { ExecL, ExecLE, ExecLP };

static int __exec_as_script(const char *buf, char *const *argv, char *const *envp) {

size_t arg_count = 1;

while (argv[arg_count] != NULL)

++arg_count;

const char *script_argv[arg_count + 2];

script_argv[0] = "sh";

script_argv[1] = buf;

memcpy(script_argv + 2, argv + 1, arg_count * sizeof(char *));

return execve(_PATH_BSHELL, (char **const)script_argv, envp);

}

int execv(const char *name, char *const *argv) { return execve(name, argv, environ); }

int execvp(const char *name, char *const *argv) { return execvpe(name, argv, environ); }

int execvpe(const char *name, char *const *argv, char *const *envp) {

// if (name == NULL || *name == '\0') { errno = ENOENT; return -1; }

// If it's an absolute or relative path name, it's easy.

if (strchr(name, '/') && execve(name, argv, envp) == -1) {

if (errno == ENOEXEC)

return __exec_as_script(name, argv, envp);

return -1;

}

// Get the path we're searching.

const char *path = getenv("PATH");

if (path == NULL)

path = _PATH_DEFPATH;

// Make a writable copy.

size_t len = strlen(path) + 1;

char writable_path[len];

memcpy(writable_path, path, len);

bool saw_EACCES = false;

// Try each element of $PATH in turn...

char *strsep_buf = writable_path;

const char *dir;

while ((dir = strsep(&strsep_buf, ":"))) {

// It's a shell path: double, leading and trailing colons

// mean the current directory.

if (*dir == '\0')

dir = ".";

size_t dir_len = strlen(dir);

size_t name_len = strlen(name);

char buf[dir_len + 1 + name_len + 1];

mempcpy(mempcpy(mempcpy(buf, dir, dir_len), "/", 1), name, name_len + 1);

execve(buf, argv, envp);

switch (errno) {

case EISDIR:

case ELOOP:

case ENAMETOOLONG:

case ENOENT:

case ENOTDIR:

break;

case ENOEXEC:

return __exec_as_script(buf, argv, envp);

return -1;

case EACCES:

saw_EACCES = true;

break;

default:

return -1;

}

}

if (saw_EACCES)

errno = EACCES;

return -1;

}

static int __execl(int variant, const char *name, const char *argv0, va_list ap) {

// Count the arguments.

va_list count_ap;

va_copy(count_ap, ap);

size_t n = 1;

while (va_arg(count_ap, char *) != NULL) {

++n;

}

va_end(count_ap);

// Construct the new argv.

char *argv[n + 1];

argv[0] = (char *)argv0;

n = 1;

while ((argv[n] = va_arg(ap, char *)) != NULL) {

++n;

}

// Collect the argp too.

char **argp = (variant == ExecLE) ? va_arg(ap, char **) : environ;

va_end(ap);

return (variant == ExecLP) ? execvp(name, argv) : execve(name, argv, argp);

}

int execl(const char *name, const char *arg, ...) {

va_list ap;

va_start(ap, arg);

int result = __execl(ExecL, name, arg, ap);

va_end(ap);

return result;

}

int execle(const char *name, const char *arg, ...) {

va_list ap;

va_start(ap, arg);

int result = __execl(ExecLE, name, arg, ap);

va_end(ap);

return result;

}

int execlp(const char *name, const char *arg, ...) {

va_list ap;

va_start(ap, arg);

int result = __execl(ExecLP, name, arg, ap);

va_end(ap);

return result;

}

int fexecve(int fd, char *const *argv, char *const *envp) {

char buf[40];

snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd);

execve(buf, argv, envp);

if (errno == ENOENT)

errno = EBADF;

return -1;

}