iamCristYe · August 23, 2024 14:38
diff --git a/injectSystemCertificate.bash b/injectSystemCertificate.bash
 # https://github.com/httptoolkit/httptoolkit-server/blob/main/src/interceptors/android/adb-commands.ts#L393
    set -e # Fail on error

    echo "\n---\nInjecting certificate:"

    # Create a separate temp directory, to hold the current certificates
    # Without this, when we add the mount we can't read the current certs anymore.
    mkdir -p /data/local/tmp/htk-ca-copy
    chmod 700 /data/local/tmp/htk-ca-copy
    rm -rf /data/local/tmp/htk-ca-copy/*

    # Copy out the existing certificates
    if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
        cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/htk-ca-copy/
    else
        cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
    fi

    # Create the in-memory mount on top of the system certs folder
    mount -t tmpfs tmpfs /system/etc/security/cacerts

    # Copy the existing certs back into the tmpfs mount, so we keep trusting them
    mv /data/local/tmp/htk-ca-copy/* /system/etc/security/cacerts/

    # Copy our new cert in, so we trust that too
    cp /sdcard/Download/mitmproxy-ca-cert.cer.crt /system/etc/security/cacerts/
    cp /sdcard/Download/charles-proxy-ssl-proxying-certificate.pem.crt /system/etc/security/cacerts/

    # Update the perms & selinux context labels, so everything is as readable as before
    chown root:root /system/etc/security/cacerts/*
    chmod 644 /system/etc/security/cacerts/*

    chcon u:object_r:system_file:s0 /system/etc/security/cacerts/
    chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

    echo 'System cacerts setup completed'

    # Deal with the APEX overrides in Android 14+, which need injecting into each namespace:
    if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
        echo 'Injecting certificates into APEX cacerts'

        # When the APEX manages cacerts, we need to mount them at that path too. We can't do
        # this globally as APEX mounts are namespaced per process, so we need to inject a
        # bind mount for this directory into every mount namespace.

        # First we mount for the shell itself, for completeness and so we can see this
        # when we check for correct installation on later runs
        mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts

        # First we get the Zygote process(es), which launch each app
        ZYGOTE_PID=$(pidof zygote || true)
        ZYGOTE64_PID=$(pidof zygote64 || true)
        Z_PIDS="$ZYGOTE_PID $ZYGOTE64_PID"
        # N.b. some devices appear to have both, some have >1 of each (!)

        # Apps inherit the Zygote's mounts at startup, so we inject here to ensure all newly
        # started apps will see these certs straight away:
        for Z_PID in $Z_PIDS; do
            if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
            fi
        done

        echo 'Zygote APEX certificates remounted'

        # Then we inject the mount into all already running apps, so they see these certs immediately.

        # Get the PID of every process whose parent is one of the Zygotes:
        APP_PIDS=$(
            echo $Z_PIDS | \
            xargs -n1 ps -o 'PID' -P | \
            grep -v PID
        )

        # Inject into the mount namespace of each of those apps:
        for PID in $APP_PIDS; do
            nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
        done
        wait # Launched in parallel - wait for completion here

        echo "APEX certificates remounted for $(echo $APP_PIDS | wc -w) apps"
    fi

    # Delete the temp cert directory & this script itself
    rm -r /data/local/tmp/htk-ca-copy
    rm ${injectionScriptPath}

    echo "System cert successfully injected\n---\n"
	# https://github.com/httptoolkit/httptoolkit-server/blob/main/src/interceptors/android/adb-commands.ts#L393
	set -e # Fail on error

	echo "\n---\nInjecting certificate:"

	# Create a separate temp directory, to hold the current certificates
	# Without this, when we add the mount we can't read the current certs anymore.
	mkdir -p /data/local/tmp/htk-ca-copy
	chmod 700 /data/local/tmp/htk-ca-copy
	rm -rf /data/local/tmp/htk-ca-copy/*

	# Copy out the existing certificates
	if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
	cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/htk-ca-copy/
	else
	cp /system/etc/security/cacerts/* /data/local/tmp/htk-ca-copy/
	fi

	# Create the in-memory mount on top of the system certs folder
	mount -t tmpfs tmpfs /system/etc/security/cacerts

	# Copy the existing certs back into the tmpfs mount, so we keep trusting them
	mv /data/local/tmp/htk-ca-copy/* /system/etc/security/cacerts/

	# Copy our new cert in, so we trust that too
	cp /sdcard/Download/mitmproxy-ca-cert.cer.crt /system/etc/security/cacerts/
	cp /sdcard/Download/charles-proxy-ssl-proxying-certificate.pem.crt /system/etc/security/cacerts/

	# Update the perms & selinux context labels, so everything is as readable as before
	chown root:root /system/etc/security/cacerts/*
	chmod 644 /system/etc/security/cacerts/*

	chcon u:object_r:system_file:s0 /system/etc/security/cacerts/
	chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

	echo 'System cacerts setup completed'

	# Deal with the APEX overrides in Android 14+, which need injecting into each namespace:
	if [ -d "/apex/com.android.conscrypt/cacerts" ]; then
	echo 'Injecting certificates into APEX cacerts'

	# When the APEX manages cacerts, we need to mount them at that path too. We can't do
	# this globally as APEX mounts are namespaced per process, so we need to inject a
	# bind mount for this directory into every mount namespace.

	# First we mount for the shell itself, for completeness and so we can see this
	# when we check for correct installation on later runs
	mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts

	# First we get the Zygote process(es), which launch each app
	ZYGOTE_PID=$(pidof zygote \|\| true)
	ZYGOTE64_PID=$(pidof zygote64 \|\| true)
	Z_PIDS="$ZYGOTE_PID $ZYGOTE64_PID"
	# N.b. some devices appear to have both, some have >1 of each (!)

	# Apps inherit the Zygote's mounts at startup, so we inject here to ensure all newly
	# started apps will see these certs straight away:
	for Z_PID in $Z_PIDS; do
	if [ -n "$Z_PID" ]; then
	nsenter --mount=/proc/$Z_PID/ns/mnt -- \
	/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
	fi
	done

	echo 'Zygote APEX certificates remounted'

	# Then we inject the mount into all already running apps, so they see these certs immediately.

	# Get the PID of every process whose parent is one of the Zygotes:
	APP_PIDS=$(
	echo $Z_PIDS \| \
	xargs -n1 ps -o 'PID' -P \| \
	grep -v PID
	)

	# Inject into the mount namespace of each of those apps:
	for PID in $APP_PIDS; do
	nsenter --mount=/proc/$PID/ns/mnt -- \
	/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
	done
	wait # Launched in parallel - wait for completion here

	echo "APEX certificates remounted for $(echo $APP_PIDS \| wc -w) apps"
	fi

	# Delete the temp cert directory & this script itself
	rm -r /data/local/tmp/htk-ca-copy
	rm ${injectionScriptPath}

	echo "System cert successfully injected\n---\n"