Fix system certificate injection for Android 14

pimterry · pimterry · commit 965fd8d9b287 · 2023-09-14T13:10:50.000+02:00
diff --git a/src/interceptors/android/adb-commands.ts b/src/interceptors/android/adb-commands.ts
@@ -273,7 +273,11 @@ export async function injectSystemCertificate(
             mkdir -p -m 700 /data/local/tmp/htk-ca-copy
 
             # Copy out the existing certificates
-            cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
+            if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
+                cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/htk-ca-copy/
+            else
+                cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
+            fi
 
             # Create the in-memory mount on top of the system certs folder
             mount -t tmpfs tmpfs /system/etc/security/cacerts
@@ -289,6 +293,50 @@ export async function injectSystemCertificate(
             chmod 644 /system/etc/security/cacerts/*
             chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
 
+            echo 'System cacerts setup completed'
+
+            # Deal with the APEX overrides in Android 14+, which need injecting into each namespace:
+            if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
+                echo 'Injecting certificates into APEX cacerts'
+
+                # When the APEX manages cacerts, we need to mount them at that path too. We can't do
+                # this globally as APEX mounts are namespaced per process, so we need to inject a
+                # bind mount for this directory into every mount namespace.
+
+                # First we get the Zygote process(es), which launch each app
+                ZYGOTE_PID=$(pidof zygote || true)
+                ZYGOTE64_PID=$(pidof zygote64 || true)
+                # N.b. some devices appear to have both!
+
+                # Apps inherit the Zygote's mounts at startup, so we inject here to ensure all newly
+                # started apps will see these certs straight away:
+                for Z_PID in "$ZYGOTE_PID $ZYGOTE64_PID"; do
+                    # We use 'echo' below to trim spaces
+                    nsenter --mount=/proc/$(echo $Z_PID)/ns/mnt -- \
+                        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
+                done
+
+                echo 'Zygote APEX certificates remounted'
+
+                # Then we inject the mount into all already running apps, so they see these certs immediately.
+
+                # Get the PID of every process whose parent is one of the Zygotes:
+                APP_PIDS=$(
+                    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
+                    xargs -n1 ps -o 'PID' -P | \
+                    grep -v PID
+                )
+
+                # Inject into the mount namespace of each of those apps:
+                for PID in $APP_PIDS; do
+                    nsenter --mount=/proc/$PID/ns/mnt -- \
+                        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
+                done
+                wait # Launched in parallel - wait for completion here
+
+                echo "APEX certificates remounted for $(echo $APP_PIDS | wc -w) apps"
+            fi
+
             # Delete the temp cert directory & this script itself
             rm -r /data/local/tmp/htk-ca-copy
             rm ${injectionScriptPath}
