#include <utils.hpp>
#include <magiskpolicy.hpp>
#include "sepolicy.hpp"
using namespace std;
/// Inject the Magisk rule set into the loaded policy database.
///
/// Every rule below is a direct mutation of the in-memory policy (via the
/// allow/deny/type/... members); nothing is returned and nothing is validated
/// here beyond what those members do themselves. The warning callback is muted
/// for the duration because many rules name types that only exist on some
/// policy versions, and those warnings are expected noise.
void sepolicy::magisk_rules() {
    auto saved_warn = log_cb.w;
    log_cb.w = nop_log;

    // untrusted_app_25 first appears in API 26 policies; its presence selects
    // the rule set that uses a dedicated client domain instead of poking holes
    // in the legacy app sandbox.
    const bool api26_plus = exists("untrusted_app_25");
    // Extended-permission (ioctl) rules are only representable from this policy
    // version on; older databases simply skip them.
    const bool has_xperms = db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL;

    // Table-style helpers: one allow/dontaudit call per listed permission, in
    // listed order, so grouped rules read as data rather than repeated calls.
    auto allow_perms = [this](const char *src, const char *tgt, const char *cls,
                              std::initializer_list<const char *> perms) {
        for (const char *perm : perms)
            allow(src, tgt, cls, perm);
    };
    auto dontaudit_perms = [this](const char *src, const char *tgt, const char *cls,
                                  std::initializer_list<const char *> perms) {
        for (const char *perm : perms)
            dontaudit(src, tgt, cls, perm);
    };

    // No domain may replace the policy once ours is loaded; this is the one
    // rule that protects everything else in this function from being undone.
    deny(ALL, "kernel", "security", "load_policy");

    // Daemon domain. It is marked permissive (denials logged, not enforced) and
    // then granted allow(ALL, ALL, ALL), so it carries no MAC boundary at all:
    // any code that ends up in this domain has full-device reach. Only the
    // daemon itself is ever meant to transition here.
    type(SEPOL_PROC_DOMAIN, "domain");
    permissive(SEPOL_PROC_DOMAIN);
    typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
    typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
    typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
    type(SEPOL_FILE_TYPE, "file_type");
    typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
    allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
    if (has_xperms) {
        // Unrestricted ioctls on block and fifo files for the daemon.
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
    }

    // Files labelled with our file type are fully reachable from every domain.
    for (const char *cls : {"file", "dir", "fifo_file", "chr_file"})
        allow(ALL, SEPOL_FILE_TYPE, cls, ALL);

    if (api26_plus) {
        // Client domain modelled on untrusted_app: the su client runs with
        // ordinary app attributes plus an explicit channel to the daemon.
        type(SEPOL_CLIENT_DOMAIN, "domain");
        for (const char *attr : {"coredomain", "appdomain", "untrusted_app_all",
                                 "netdomain", "bluetoothdomain"})
            typeattribute(SEPOL_CLIENT_DOMAIN, attr);
        type(SEPOL_EXEC_TYPE, "file_type");
        typeattribute(SEPOL_EXEC_TYPE, "exec_type");

        // Basic needs of the su client itself.
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);

        // Terminal access for the client; the xperm range is the termios ioctl space.
        for (const char *pts : {"devpts", "untrusted_app_devpts",
                                "untrusted_app_25_devpts", "untrusted_app_all_devpts"}) {
            allow_perms(SEPOL_CLIENT_DOMAIN, pts, "chr_file",
                        {"open", "getattr", "read", "write", "ioctl"});
            allowxperm(SEPOL_CLIENT_DOMAIN, pts, "chr_file", "0x5400-0x54FF");
        }

        // Domains permitted to exec the su binary and transition into the
        // client domain. Types missing from this policy are skipped silently.
        for (const char *src : {"init", "shell", "update_engine", "appdomain"}) {
            if (!exists(src))
                continue;
            allow_perms(src, SEPOL_EXEC_TYPE, "file", {"read", "open", "getattr", "execute"});
            allow(SEPOL_CLIENT_DOMAIN, src, "process", "sigchld");
            // Automatic transition into the client domain on exec.
            allow(src, SEPOL_CLIENT_DOMAIN, "process", "transition");
            dontaudit_perms(src, SEPOL_CLIENT_DOMAIN, "process",
                            {"siginh", "rlimitinh", "noatsecure"});
            // Parent may kill the client.
            allow(src, SEPOL_CLIENT_DOMAIN, "process", "signal");
        }

        // type_transition needs concrete types, so the "appdomain" attribute
        // is expanded into the individual app types here. Unlike the loop
        // above, this list is applied without an exists() filter.
        for (const char *src : {"init", "shell", "update_engine",
                                "system_app", "priv_app", "platform_app", "untrusted_app",
                                "untrusted_app_25", "untrusted_app_27", "untrusted_app_29"})
            type_transition(src, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);

        // system_server manages client processes (process groups, kill).
        allow_perms("system_server", SEPOL_CLIENT_DOMAIN, "process", {"getpgid", "sigkill"});

        // Probing the daemon socket from any other domain is denied without an
        // audit record, so denial logs do not double as a daemon-discovery
        // oracle; only the client domain is actually allowed to connect.
        dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
    } else {
        // Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS, so a separate client
        // domain cannot be entered; instead open the daemon socket directly to
        // these domains and grant them the termios ioctls they need.
        for (const char *src : {"init", "shell", "appdomain"}) {
            if (!exists(src))
                continue;
            allow_perms(src, SEPOL_PROC_DOMAIN, "unix_stream_socket", {"connectto", "getopt"});
            for (const char *pts : {"devpts", "untrusted_app_devpts"}) {
                allow(src, pts, "chr_file", "ioctl");
                if (has_xperms)
                    allowxperm(src, pts, "chr_file", "0x5400-0x54FF");
            }
        }
    }

    // The SAR sbin overlay lives on tmpfs and must be usable by every domain.
    // Note the breadth: this is all permissions on every tmpfs file.
    allow(ALL, "tmpfs", "file", ALL);

    // Relabelling: let rootfs and our file type associate with these filesystems.
    allow("rootfs", "labeledfs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");

    // Early init (still in the kernel domain) switches itself into the daemon domain.
    allow("kernel", "kernel", "process", "setcurrent");
    allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");

    // init must be able to spawn and fully manage the daemon.
    allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
    allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
    allow_perms("init", "tmpfs", "file", {"getattr", "execute"});

    // suRights: servicemanager lookups and binder registration.
    allow_perms("servicemanager", SEPOL_PROC_DOMAIN, "dir", {"search", "read"});
    allow_perms("servicemanager", SEPOL_PROC_DOMAIN, "file", {"open", "read"});
    allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
    allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");

    // allowLog
    allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
    allow_perms("logd", SEPOL_PROC_DOMAIN, "file", {"read", "open", "getattr"});

    // suBackL6
    for (const char *cls : {"dir", "file", "lnk_file"})
        allow("surfaceflinger", "app_data_file", cls, ALL);
    typeattribute("surfaceflinger", "mlstrustedsubject");

    // suMiscL6
    allow("audioserver", "audioserver", "process", "execmem");

    // Liveboot. Note that ptrace on the daemon domain is granted to
    // surfaceflinger and debuggerd here.
    allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
    allow_perms("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", {"transfer", "call"});
    allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
    allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");

    // dumpsys
    allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
    for (const char *perm : {"write", "read", "open", "getattr"})
        allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", perm);

    // bootctl
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    allow_perms("hwservicemanager", SEPOL_PROC_DOMAIN, "file", {"read", "open"});
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");

    // Mounting loop devices, mirrors and tmpfs from the kernel domain.
    // This grants the kernel domain read and write on every file type.
    allow("kernel", ALL, "file", "read");
    allow("kernel", ALL, "file", "write");

    // Any domain may perform any binder operation on the daemon.
    allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);

    // Changing file contexts on tmpfs.
    allow("rootfs", "tmpfs", "filesystem", "associate");

    // Xposed
    allow("untrusted_app", "untrusted_app", "capability", "setgid");
    allow("system_server", "dex2oat_exec", "file", ALL);

    // Deodexed ROMs: Oreo (zygote) and Pie on Samsung (system_server).
    allow("zygote", "dalvikcache_data_file", "file", "execute");
    allow_perms("system_server", "dalvikcache_data_file", "file", {"write", "execute"});

    // update_engine / addon.d-v2 is made permissive so OTA scripts behave the
    // same on every ROM (LineageOS already ships it permissive).
    permissive("update_engine");

#if 0
    // Debug aid, compiled out: dropping every dontaudit rule makes all denials
    // visible in the audit log.
    impl->strip_dontaudit();
#endif

    log_cb.w = saved_warn;
}