ProcessBuilder.start

The ProcessBuilder.start and Runtime.exec* hooks allow you to filter which commands Android apps are allowed to run. By default, once installed, the hooks will not allow apps to run any commands (except for the Maps-related getprop command described below). The hooks will prevent apps from running or detecting su unless the su command is whitelisted. You can whitelist some commands by changing the "Allowed commands (Java regex)" custom value. It is recommended to use these hooks from the Fif collection without also using the original hooks with the exact same names from M66B which are in the Privacy collection. The Fif hooks supersedes the M66B ones and the M66B hooks should be removed if you have downloaded them from the repo before. Instructions: 1. Download these 7 hooks in the Fif collection: - ProcessBuilder.start - Runtime.exec/array - Runtime.exec/array/env - Runtime.exec/array/env/file - Runtime.exec/cmd - Runtime.exec/cmd/env - Runtime.exec/cmd/env/file 2. Make sure that the Fif collection is enabled in XPL Pro. 3.a. In XPL, enable the (new) "Use.Shell" collection for apps for which you want to filter shell commands. 3.b. Or, in XPL Pro, enable the seven hooks listed above. 4. If needed, configure a regular expression matching commands to be allowed in XPL Pro, Custom values, "Allowed commands (Java regex)". By default, and unless you configure a regular expression (either globally or on a per-app basis), all commands will be denied and logged to the XPL Pro log. The regular expression will always automatically include commands of the form "getprop debug.mapview..." to not break Maps. The regular expression language is described at https://developer.android.com/reference/java/util/regex/Pattern.html For example "(/system/bin/)getprop oem\.somestring\..*" will allow all commands starting with "/system/bin/getprop oem.sometring." or with "getprop oem.somestring.". To whitelist the su command for root apps, you can use the following regular expression: "su(\s.*)?". Changelog: v1a - 2020-02-18 Documentation fixes (no code changes). v1 - 2020-02-17 First public release.

CollectionFif
GroupUse.Shell
NameProcessBuilder.start
AuthorM66B, Fif_
Version1
Updated (UTC)2020-02-18 17:01:19
Created (UTC)2020-02-18 06:53:18
Downloads794
Class namejava.lang.ProcessBuilder
Method namestart
Parameter types
Return typejava.lang.Process
Min SDK1
Max SDK999
Min APK0
Max APK2147483647
Excluded packages-
EnabledYes
OptionalNo
UsageYes
NotifyNo
SettingsAllowed commands (Java regex)
-- Fif.Runtime.exec* and Fif.ProcessBuilder.start are a set of Lua 
-- hook definition designed to work with XPrivacyLua.

-- Fif.Runtime.exec* and Fif.ProcessBuilder.start are free software: 
-- you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation, either version 3 of the License, or
-- (at your option) any later version.

-- Fif.Runtime.exec* and Fif.ProcessBuilder.start are distributed in 
-- the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-- GNU General Public License for more details.

-- Copyright 2017-2018 Marcel Bokhorst (M66B)
-- Copyright 2020 Philippe Troin (Fif_ on XDA)

function before(hook, param)
    local name = hook:getName()
    local command
    local commandline = ''
    local commandlog = nil

    if name == 'ProcessBuilder.start' then
        local this = param:getThis()
        local commandList = this:command()
        command = commandList:toArray()
    else
        command = param:getArgument(0)
    end

    if command == nil then
        commandlog = 'null'
    elseif type(command) == 'string' then
        commandline = command
    else
        local index
        local length = command['length']
        for index = 1, length do
            if index ~= 1 then
                commandline = commandline .. ' '
            end
            commandline = commandline .. command[index]
        end
    end
    if commandlog == nil then
        commandlog = commandline
    end

    local scope = param:getApplicationContext()
    local regexObj = param:getValue('Fif.Runtime.exec.allowedCommandsRegex', scope)
    if regexObj == nil then
        local regexString = param:getSetting("Allowed commands (Java regex)")
        if regexString == nil then
            regexString = ''
        end
        local clsPattern = luajava.bindClass('java.util.regex.Pattern')
        local pattern = '^(?:(?:/system/bin/)?getprop debug\\.mapview\\..*|(?:' .. regexString .. '))$'
        log('Compiling pattern: ' .. pattern)
        regexObj = clsPattern:compile(pattern)
        param:putValue('Fif.Runtime.exec.allowedCommandsRegex', regexObj, scope)
    end

    local matcher = regexObj:matcher(commandline)
    if matcher:matches() then
        log('Allow ' .. commandlog)
        return false
    else
        log('Deny ' .. commandlog)
        local clsIoException = luajava.bindClass('java.io.IOException')
        local fake = luajava.new(clsIoException, 'Privacy')
        param:setResult(fake)
        return true, commandlog
    end
end