2019-03-15 06:17:37 -04:00
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
#include <cil/cil.h>
|
|
|
|
|
2022-05-12 02:03:42 -07:00
|
|
|
#include <base.hpp>
|
2020-03-09 01:50:30 -07:00
|
|
|
#include <stream.hpp>
|
2019-03-15 06:17:37 -04:00
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
#include "policy.hpp"
|
2019-03-15 06:17:37 -04:00
|
|
|
|
|
|
|
#define SHALEN 64
|
|
|
|
static bool cmp_sha256(const char *a, const char *b) {
|
2020-12-30 22:11:24 -08:00
|
|
|
char id_a[SHALEN] = {0};
|
|
|
|
char id_b[SHALEN] = {0};
|
|
|
|
if (int fd = xopen(a, O_RDONLY | O_CLOEXEC); fd >= 0) {
|
|
|
|
xread(fd, id_a, SHALEN);
|
|
|
|
close(fd);
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (int fd = xopen(b, O_RDONLY | O_CLOEXEC); fd >= 0) {
|
|
|
|
xread(fd, id_b, SHALEN);
|
|
|
|
close(fd);
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
LOGD("%s=[%.*s]\n", a, SHALEN, id_a);
|
|
|
|
LOGD("%s=[%.*s]\n", b, SHALEN, id_b);
|
|
|
|
return memcmp(id_a, id_b, SHALEN) == 0;
|
2019-03-15 06:17:37 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
static bool check_precompiled(const char *precompiled) {
|
2020-12-30 22:11:24 -08:00
|
|
|
bool ok = false;
|
|
|
|
const char *actual_sha;
|
|
|
|
char compiled_sha[128];
|
|
|
|
|
|
|
|
actual_sha = PLAT_POLICY_DIR "plat_and_mapping_sepolicy.cil.sha256";
|
|
|
|
if (access(actual_sha, R_OK) == 0) {
|
|
|
|
ok = true;
|
|
|
|
sprintf(compiled_sha, "%s.plat_and_mapping.sha256", precompiled);
|
|
|
|
if (!cmp_sha256(actual_sha, compiled_sha))
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
actual_sha = PLAT_POLICY_DIR "plat_sepolicy_and_mapping.sha256";
|
|
|
|
if (access(actual_sha, R_OK) == 0) {
|
|
|
|
ok = true;
|
|
|
|
sprintf(compiled_sha, "%s.plat_sepolicy_and_mapping.sha256", precompiled);
|
|
|
|
if (!cmp_sha256(actual_sha, compiled_sha))
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
actual_sha = PROD_POLICY_DIR "product_sepolicy_and_mapping.sha256";
|
|
|
|
if (access(actual_sha, R_OK) == 0) {
|
|
|
|
ok = true;
|
|
|
|
sprintf(compiled_sha, "%s.product_sepolicy_and_mapping.sha256", precompiled);
|
|
|
|
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
actual_sha = SYSEXT_POLICY_DIR "system_ext_sepolicy_and_mapping.sha256";
|
|
|
|
if (access(actual_sha, R_OK) == 0) {
|
|
|
|
ok = true;
|
|
|
|
sprintf(compiled_sha, "%s.system_ext_sepolicy_and_mapping.sha256", precompiled);
|
|
|
|
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ok;
|
2019-03-15 06:17:37 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void load_cil(struct cil_db *db, const char *file) {
|
2023-06-03 03:16:03 -07:00
|
|
|
mmap_data d(file);
|
|
|
|
cil_add_file(db, file, (const char *) d.buf(), d.sz());
|
2020-12-30 22:11:24 -08:00
|
|
|
LOGD("cil_add [%s]\n", file);
|
2019-03-15 06:17:37 -04:00
|
|
|
}
|
|
|
|
|
Introduce new sepolicy injection mechanism
In the current implementation, Magisk will either have to recreate
all early mount implementation (for legacy SAR and rootfs devices) or
delegate early mount to first stage init (for 2SI devices) to access
required partitions for loading sepolicy. It then has to recreate the
split sepolicy loading implementation in-house, apply patches, then
dump the compiled + patched policies into monolithic format somewhere.
Finally, it patches the original init to force it to load the sepolicy
file we just created.
With the increasing complexity involved in early mount and split
sepolicy (there is even APEX module involved in the future!),
it is about time to rethink Magisk's sepolicy strategy as rebuilding
init's functionality is not scalable and easy to maintain.
In this commit, instead of building sepolicy ourselves, we mock
selinuxfs with FIFO files connected to a pre-init daemon, waiting
for the actual init process to directly write the sepolicy file into
MagiskInit. We then patch the file and load it into the kernel. Some
FIFO tricks has to be used to hijack the original init process's
control flow and prevent race conditions, details are directly in the
comments in code.
At the moment, only system-as-root (read-only root) support is added.
Support for legacy rootfs devices will come with a follow up commit.
2022-03-16 00:31:53 -07:00
|
|
|
sepolicy *sepolicy::from_data(char *data, size_t len) {
|
|
|
|
LOGD("Load policy from data\n");
|
|
|
|
|
|
|
|
policy_file_t pf;
|
|
|
|
policy_file_init(&pf);
|
|
|
|
pf.data = data;
|
|
|
|
pf.len = len;
|
|
|
|
pf.type = PF_USE_MEMORY;
|
|
|
|
|
2022-08-08 22:53:37 -07:00
|
|
|
auto db = static_cast<policydb_t *>(malloc(sizeof(policydb_t)));
|
Introduce new sepolicy injection mechanism
In the current implementation, Magisk will either have to recreate
all early mount implementation (for legacy SAR and rootfs devices) or
delegate early mount to first stage init (for 2SI devices) to access
required partitions for loading sepolicy. It then has to recreate the
split sepolicy loading implementation in-house, apply patches, then
dump the compiled + patched policies into monolithic format somewhere.
Finally, it patches the original init to force it to load the sepolicy
file we just created.
With the increasing complexity involved in early mount and split
sepolicy (there is even APEX module involved in the future!),
it is about time to rethink Magisk's sepolicy strategy as rebuilding
init's functionality is not scalable and easy to maintain.
In this commit, instead of building sepolicy ourselves, we mock
selinuxfs with FIFO files connected to a pre-init daemon, waiting
for the actual init process to directly write the sepolicy file into
MagiskInit. We then patch the file and load it into the kernel. Some
FIFO tricks has to be used to hijack the original init process's
control flow and prevent race conditions, details are directly in the
comments in code.
At the moment, only system-as-root (read-only root) support is added.
Support for legacy rootfs devices will come with a follow up commit.
2022-03-16 00:31:53 -07:00
|
|
|
if (policydb_init(db) || policydb_read(db, &pf, 0)) {
|
|
|
|
LOGE("Fail to load policy from data\n");
|
|
|
|
free(db);
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
auto sepol = new sepol_impl(db);
|
Introduce new sepolicy injection mechanism
In the current implementation, Magisk will either have to recreate
all early mount implementation (for legacy SAR and rootfs devices) or
delegate early mount to first stage init (for 2SI devices) to access
required partitions for loading sepolicy. It then has to recreate the
split sepolicy loading implementation in-house, apply patches, then
dump the compiled + patched policies into monolithic format somewhere.
Finally, it patches the original init to force it to load the sepolicy
file we just created.
With the increasing complexity involved in early mount and split
sepolicy (there is even APEX module involved in the future!),
it is about time to rethink Magisk's sepolicy strategy as rebuilding
init's functionality is not scalable and easy to maintain.
In this commit, instead of building sepolicy ourselves, we mock
selinuxfs with FIFO files connected to a pre-init daemon, waiting
for the actual init process to directly write the sepolicy file into
MagiskInit. We then patch the file and load it into the kernel. Some
FIFO tricks has to be used to hijack the original init process's
control flow and prevent race conditions, details are directly in the
comments in code.
At the moment, only system-as-root (read-only root) support is added.
Support for legacy rootfs devices will come with a follow up commit.
2022-03-16 00:31:53 -07:00
|
|
|
return sepol;
|
|
|
|
}
|
|
|
|
|
2020-05-21 06:48:02 -07:00
|
|
|
sepolicy *sepolicy::from_file(const char *file) {
|
2020-12-30 22:11:24 -08:00
|
|
|
LOGD("Load policy from: %s\n", file);
|
|
|
|
|
|
|
|
policy_file_t pf;
|
|
|
|
policy_file_init(&pf);
|
|
|
|
auto fp = xopen_file(file, "re");
|
|
|
|
pf.fp = fp.get();
|
|
|
|
pf.type = PF_USE_STDIO;
|
|
|
|
|
2022-08-08 22:53:37 -07:00
|
|
|
auto db = static_cast<policydb_t *>(malloc(sizeof(policydb_t)));
|
2020-12-30 22:11:24 -08:00
|
|
|
if (policydb_init(db) || policydb_read(db, &pf, 0)) {
|
|
|
|
LOGE("Fail to load policy from %s\n", file);
|
|
|
|
free(db);
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
auto sepol = new sepol_impl(db);
|
2020-12-30 22:11:24 -08:00
|
|
|
return sepol;
|
2020-05-21 06:48:02 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
sepolicy *sepolicy::compile_split() {
|
2020-12-30 22:11:24 -08:00
|
|
|
char path[128], plat_ver[10];
|
|
|
|
cil_db_t *db = nullptr;
|
|
|
|
sepol_policydb_t *pdb = nullptr;
|
|
|
|
FILE *f;
|
|
|
|
int policy_ver;
|
|
|
|
const char *cil_file;
|
2022-01-06 13:25:21 +08:00
|
|
|
#if MAGISK_DEBUG
|
|
|
|
cil_set_log_level(CIL_INFO);
|
|
|
|
#endif
|
2022-01-30 08:18:04 -08:00
|
|
|
cil_set_log_handler(+[](int lvl, const char *msg) {
|
2022-01-06 13:25:21 +08:00
|
|
|
if (lvl == CIL_ERR) {
|
|
|
|
LOGE("cil: %s", msg);
|
|
|
|
} else if (lvl == CIL_WARN) {
|
|
|
|
LOGW("cil: %s", msg);
|
|
|
|
} else if (lvl == CIL_INFO) {
|
|
|
|
LOGI("cil: %s", msg);
|
|
|
|
} else {
|
|
|
|
LOGD("cil: %s", msg);
|
|
|
|
}
|
|
|
|
});
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
cil_db_init(&db);
|
|
|
|
run_finally fin([db_ptr = &db]{ cil_db_destroy(db_ptr); });
|
|
|
|
cil_set_mls(db, 1);
|
|
|
|
cil_set_multiple_decls(db, 1);
|
|
|
|
cil_set_disable_neverallow(db, 1);
|
|
|
|
cil_set_target_platform(db, SEPOL_TARGET_SELINUX);
|
2022-01-06 13:25:21 +08:00
|
|
|
cil_set_attrs_expand_generated(db, 1);
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
f = xfopen(SELINUX_VERSION, "re");
|
|
|
|
fscanf(f, "%d", &policy_ver);
|
|
|
|
fclose(f);
|
|
|
|
cil_set_policy_version(db, policy_ver);
|
|
|
|
|
|
|
|
// Get mapping version
|
|
|
|
f = xfopen(VEND_POLICY_DIR "plat_sepolicy_vers.txt", "re");
|
|
|
|
fscanf(f, "%s", plat_ver);
|
|
|
|
fclose(f);
|
|
|
|
|
|
|
|
// plat
|
|
|
|
load_cil(db, SPLIT_PLAT_CIL);
|
|
|
|
|
|
|
|
sprintf(path, PLAT_POLICY_DIR "mapping/%s.cil", plat_ver);
|
|
|
|
load_cil(db, path);
|
|
|
|
|
|
|
|
sprintf(path, PLAT_POLICY_DIR "mapping/%s.compat.cil", plat_ver);
|
|
|
|
if (access(path, R_OK) == 0)
|
|
|
|
load_cil(db, path);
|
|
|
|
|
|
|
|
// system_ext
|
|
|
|
sprintf(path, SYSEXT_POLICY_DIR "mapping/%s.cil", plat_ver);
|
|
|
|
if (access(path, R_OK) == 0)
|
|
|
|
load_cil(db, path);
|
|
|
|
|
2021-10-06 17:02:00 +08:00
|
|
|
sprintf(path, SYSEXT_POLICY_DIR "mapping/%s.compat.cil", plat_ver);
|
|
|
|
if (access(path, R_OK) == 0)
|
|
|
|
load_cil(db, path);
|
|
|
|
|
2020-12-30 22:11:24 -08:00
|
|
|
cil_file = SYSEXT_POLICY_DIR "system_ext_sepolicy.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
// product
|
|
|
|
sprintf(path, PROD_POLICY_DIR "mapping/%s.cil", plat_ver);
|
|
|
|
if (access(path, R_OK) == 0)
|
|
|
|
load_cil(db, path);
|
|
|
|
|
|
|
|
cil_file = PROD_POLICY_DIR "product_sepolicy.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
// vendor
|
|
|
|
cil_file = VEND_POLICY_DIR "nonplat_sepolicy.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
cil_file = VEND_POLICY_DIR "plat_pub_versioned.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
cil_file = VEND_POLICY_DIR "vendor_sepolicy.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
// odm
|
|
|
|
cil_file = ODM_POLICY_DIR "odm_sepolicy.cil";
|
|
|
|
if (access(cil_file, R_OK) == 0)
|
|
|
|
load_cil(db, cil_file);
|
|
|
|
|
|
|
|
if (cil_compile(db))
|
|
|
|
return nullptr;
|
|
|
|
if (cil_build_policydb(db, &pdb))
|
|
|
|
return nullptr;
|
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
auto sepol = new sepol_impl(&pdb->p);
|
2020-12-30 22:11:24 -08:00
|
|
|
return sepol;
|
2020-05-21 06:48:02 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
sepolicy *sepolicy::from_split() {
|
2020-12-30 22:11:24 -08:00
|
|
|
const char *odm_pre = ODM_POLICY_DIR "precompiled_sepolicy";
|
|
|
|
const char *vend_pre = VEND_POLICY_DIR "precompiled_sepolicy";
|
|
|
|
if (access(odm_pre, R_OK) == 0 && check_precompiled(odm_pre))
|
|
|
|
return sepolicy::from_file(odm_pre);
|
|
|
|
else if (access(vend_pre, R_OK) == 0 && check_precompiled(vend_pre))
|
|
|
|
return sepolicy::from_file(vend_pre);
|
|
|
|
else
|
|
|
|
return sepolicy::compile_split();
|
2020-05-21 06:48:02 -07:00
|
|
|
}
|
|
|
|
|
2022-03-29 22:26:38 -07:00
|
|
|
sepol_impl::~sepol_impl() {
|
2020-12-30 22:11:24 -08:00
|
|
|
policydb_destroy(db);
|
|
|
|
free(db);
|
2019-03-15 06:17:37 -04:00
|
|
|
}
|
|
|
|
|
2020-05-24 04:16:40 -07:00
|
|
|
bool sepolicy::to_file(const char *file) {
|
2022-03-29 22:26:38 -07:00
|
|
|
// No partial writes are allowed to /sys/fs/selinux/load, thus the reason why we
|
|
|
|
// first dump everything into memory, then directly call write system call
|
2023-05-20 14:19:40 -07:00
|
|
|
heap_data data;
|
|
|
|
auto fp = make_channel_fp<byte_channel>(data);
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
policy_file_t pf;
|
|
|
|
policy_file_init(&pf);
|
|
|
|
pf.type = PF_USE_STDIO;
|
|
|
|
pf.fp = fp.get();
|
2022-03-29 22:26:38 -07:00
|
|
|
if (policydb_write(impl->db, &pf)) {
|
2020-12-30 22:11:24 -08:00
|
|
|
LOGE("Fail to create policy image\n");
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2023-05-21 12:09:20 +08:00
|
|
|
int fd = xopen(file, O_WRONLY | O_CREAT | O_CLOEXEC, 0644);
|
2020-12-30 22:11:24 -08:00
|
|
|
if (fd < 0)
|
|
|
|
return false;
|
2023-05-21 12:09:20 +08:00
|
|
|
if (struct stat st{}; xfstat(fd, &st) == 0 && st.st_size > 0) {
|
|
|
|
ftruncate(fd, 0);
|
|
|
|
}
|
2023-06-03 03:16:03 -07:00
|
|
|
xwrite(fd, data.buf(), data.sz());
|
2020-12-30 22:11:24 -08:00
|
|
|
|
|
|
|
close(fd);
|
|
|
|
return true;
|
2019-03-15 06:17:37 -04:00
|
|
|
}
|