Magisk/native/jni/magiskpolicy/rules.cpp

#include <utils.hpp>
#include <magiskpolicy.hpp>

#include "sepolicy.hpp"

using namespace std;

void sepolicy::magisk_rules() {
    // Temp suppress warnings
    auto bak = log_cb.w;
    log_cb.w = nop_log;

    // This indicates API 26+
    bool new_rules = exists("untrusted_app_25");

    // Prevent anything to change sepolicy except ourselves
    deny(ALL, "kernel", "security", "load_policy");

    type(SEPOL_PROC_DOMAIN, "domain");
    permissive(SEPOL_PROC_DOMAIN);  /* Just in case something is missing */
    typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
    typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
    typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
    type(SEPOL_FILE_TYPE, "file_type");
    typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");

    // Make our root domain unconstrained
    allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
    // Allow us to do any ioctl
    if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
        allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
    }

    // Create unconstrained file type
    allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "lnk_file", ALL);
    allow(ALL, SEPOL_FILE_TYPE, "sock_file", ALL);

    if (new_rules) {
        // Make client type literally untrusted_app
        type(SEPOL_CLIENT_DOMAIN, "domain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
        typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
        typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");

        type(SEPOL_EXEC_TYPE, "file_type");
        typeattribute(SEPOL_EXEC_TYPE, "exec_type");

        // Basic su client needs
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);

        const char *pts[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};
        for (auto type : pts) {
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
            allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
        }

        // Allow these processes to access MagiskSU
        vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
        for (auto type : clients) {
            if (!exists(type))
                continue;
            // exec magisk
            allow(type, SEPOL_EXEC_TYPE, "file", "read");
            allow(type, SEPOL_EXEC_TYPE, "file", "open");
            allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
            allow(type, SEPOL_EXEC_TYPE, "file", "execute");
            allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");

            // Auto transit to client domain
            allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
            dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");

            // Kill client process
            allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
        }

        // type transition require actual types, not attributes
        const char *app_types[]{
            "system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",
            "untrusted_app_27", "untrusted_app_29", "untrusted_app_30"};
        clients.pop_back();
        clients.insert(clients.end(), app_types, app_types + std::size(app_types));
        for (auto type : clients) {
            // Auto transit to client domain
            type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
        }

        // Allow system_server to manage magisk_client
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");

        // Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
        dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);

        // Only allow client processes and zygote to connect to magisk daemon socket
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
        allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
    } else {
        // Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS

        // Allow these processes to access MagiskSU
        const char *clients[] { "init", "shell", "appdomain", "zygote" };
        for (auto type : clients) {
            if (!exists(type))
                continue;
            allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
            allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
        }
    }

    // Let everyone access tmpfs files (for SAR sbin overlay)
    allow(ALL, "tmpfs", "file", ALL);

    // For relabelling files
    allow("rootfs", "labeledfs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");

    // Let init transit to SEPOL_PROC_DOMAIN
    allow("kernel", "kernel", "process", "setcurrent");
    allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");

    // Let init run stuffs
    allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
    allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
    allow("init", "tmpfs", "file", "getattr");
    allow("init", "tmpfs", "file", "execute");

    // suRights
    allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");

    // allowLog
    allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
    allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");

    // dumpsys
    allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
    allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");

    // bootctl
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");

    // For mounting loop devices, mirrors, tmpfs
    allow("kernel", ALL, "file", "read");
    allow("kernel", ALL, "file", "write");

    // Allow all binder transactions
    allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);

    // For changing file context
    allow("rootfs", "tmpfs", "filesystem", "associate");

    // Zygisk rules
    allow("zygote", "zygote", "capability", "sys_resource");  // prctl PR_SET_MM
    allow("zygote", "zygote", "process", "execmem");
    allow("zygote", "fs_type", "filesystem", "unmount");
    allow("system_server", "system_server", "process", "execmem");

    // Shut llkd up
    dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
    dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");

    // Allow update_engine/addon.d-v2 to run permissive on all ROMs
    permissive("update_engine");

#if 0
    // Remove all dontaudit in debug mode
    impl->strip_dontaudit();
#endif

    log_cb.w = bak;
}
Move logging.hpp 2020-06-17 08:17:28 +00:00			`#include <utils.hpp>`
Small native code reorganization 2020-03-09 08:50:30 +00:00			`#include <magiskpolicy.hpp>`
Clean/refactor includes 2019-02-10 08:57:51 +00:00
Rewrite sepolicy.c in C++ 2020-05-23 07:18:25 +00:00			`#include "sepolicy.hpp"`
Add built-in rules 2016-09-12 22:19:07 +00:00
Fix some issues with selinux rules 2020-09-04 07:03:24 +00:00			`using namespace std;`

Modernize magiskpolicy 2020-05-21 13:48:02 +00:00			`void sepolicy::magisk_rules() {`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Temp suppress warnings`
			`auto bak = log_cb.w;`
			`log_cb.w = nop_log;`

			`// This indicates API 26+`
			`bool new_rules = exists("untrusted_app_25");`

			`// Prevent anything to change sepolicy except ourselves`
			`deny(ALL, "kernel", "security", "load_policy");`

			`type(SEPOL_PROC_DOMAIN, "domain");`
			`permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */`
			`typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");`
			`typeattribute(SEPOL_PROC_DOMAIN, "netdomain");`
			`typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");`
			`type(SEPOL_FILE_TYPE, "file_type");`
			`typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");`

			`// Make our root domain unconstrained`
			`allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);`
			`// Allow us to do any ioctl`
			`if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {`
			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);`
			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);`
Update spolicy rules 2021-10-29 10:12:48 +00:00			`allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`}`

			`// Create unconstrained file type`
			`allow(ALL, SEPOL_FILE_TYPE, "file", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);`
			`allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);`
Add rule: `allow * magisk_file lnk_file { * }` 2021-10-25 15:40:25 +00:00			`allow(ALL, SEPOL_FILE_TYPE, "lnk_file", ALL);`
Update rules again 2021-10-29 10:37:14 +00:00			`allow(ALL, SEPOL_FILE_TYPE, "sock_file", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00
			`if (new_rules) {`
			`// Make client type literally untrusted_app`
			`type(SEPOL_CLIENT_DOMAIN, "domain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");`
			`typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");`

			`type(SEPOL_EXEC_TYPE, "file_type");`
			`typeattribute(SEPOL_EXEC_TYPE, "exec_type");`

			`// Basic su client needs`
			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);`
			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);`

Fix terminal on android 8 No need to handle untrusted_app_all_devpts on modern devices, but devpts policy is different for older devices. 2021-09-24 15:56:36 +00:00			`const char *pts[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};`
			`for (auto type : pts) {`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");`
			`}`

Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Allow these processes to access MagiskSU`
			`vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };`
			`for (auto type : clients) {`
			`if (!exists(type))`
			`continue;`
			`// exec magisk`
			`allow(type, SEPOL_EXEC_TYPE, "file", "read");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "open");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "getattr");`
			`allow(type, SEPOL_EXEC_TYPE, "file", "execute");`
			`allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");`

			`// Auto transit to client domain`
			`allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");`
			`dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");`

			`// Kill client process`
			`allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");`
			`}`

			`// type transition require actual types, not attributes`
Add new targetSdk domain https://android-review.googlesource.com/c/platform/system/sepolicy/+/1752122 2021-07-22 08:20:36 +00:00			`const char *app_types[]{`
			`"system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",`
			`"untrusted_app_27", "untrusted_app_29", "untrusted_app_30"};`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`clients.pop_back();`
			`clients.insert(clients.end(), app_types, app_types + std::size(app_types));`
			`for (auto type : clients) {`
			`// Auto transit to client domain`
			`type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);`
			`}`

			`// Allow system_server to manage magisk_client`
			`allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");`
			`allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");`

			`// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket`
			`dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`

Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`// Only allow client processes and zygote to connect to magisk daemon socket`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`
Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`} else {`
			`// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS`

			`// Allow these processes to access MagiskSU`
Implement MagiskHide through code injection 2021-01-12 11:28:00 +00:00			`const char *clients[] { "init", "shell", "appdomain", "zygote" };`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`for (auto type : clients) {`
			`if (!exists(type))`
			`continue;`
			`allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");`
			`allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");`
			`}`
			`}`

			`// Let everyone access tmpfs files (for SAR sbin overlay)`
			`allow(ALL, "tmpfs", "file", ALL);`

			`// For relabelling files`
			`allow("rootfs", "labeledfs", "filesystem", "associate");`
			`allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");`
			`allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");`

			`// Let init transit to SEPOL_PROC_DOMAIN`
			`allow("kernel", "kernel", "process", "setcurrent");`
			`allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");`

			`// Let init run stuffs`
			`allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");`
			`allow("init", SEPOL_PROC_DOMAIN, "process", ALL);`
			`allow("init", "tmpfs", "file", "getattr");`
			`allow("init", "tmpfs", "file", "execute");`

			`// suRights`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");`

			`// allowLog`
			`allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");`

			`// dumpsys`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");`
			`allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");`

			`// bootctl`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");`
			`allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");`

			`// For mounting loop devices, mirrors, tmpfs`
			`allow("kernel", ALL, "file", "read");`
			`allow("kernel", ALL, "file", "write");`

			`// Allow all binder transactions`
			`allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);`

			`// For changing file context`
			`allow("rootfs", "tmpfs", "filesystem", "associate");`

Update spolicy rules 2021-10-29 10:12:48 +00:00			`// Zygisk rules`
			`allow("zygote", "zygote", "capability", "sys_resource"); // prctl PR_SET_MM`
Add execmem to allow hook 2021-09-18 16:38:33 +00:00			`allow("zygote", "zygote", "process", "execmem");`
Update spolicy rules 2021-10-29 10:12:48 +00:00			`allow("zygote", "fs_type", "filesystem", "unmount");`
Add execmem to allow hook 2021-09-18 16:38:33 +00:00			`allow("system_server", "system_server", "process", "execmem");`

Update spolicy rules 2021-10-29 10:12:48 +00:00			`// Shut llkd up`
			`dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");`
			`dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");`

Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Allow update_engine/addon.d-v2 to run permissive on all ROMs`
			`permissive("update_engine");`
Remove all dontaudit in magisk rules 2018-11-29 11:28:37 +00:00
Fix compile errors 2019-11-23 22:18:55 +00:00			`#if 0`
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`// Remove all dontaudit in debug mode`
			`impl->strip_dontaudit();`
Update sepolicy rules 2019-04-30 00:26:51 +00:00			`#endif`
Temporarily suppress warnings when applying Magisk rules 2018-11-29 11:31:05 +00:00
Convert indentation to spaces The tab war is lost 2020-12-31 06:11:24 +00:00			`log_cb.w = bak;`
Integrate with unified daemon 2017-04-15 18:29:42 +00:00			`}`