#include <base.hpp>
#include "policy.hpp"
using namespace std;
/**
 * Add Magisk's built-in rule set to the policy held by this object.
 *
 * Declares the Magisk process domain (SEPOL_PROC_DOMAIN) and file type
 * (SEPOL_FILE_TYPE); on policies that define untrusted_app_25 it also declares
 * the su client domain (SEPOL_CLIENT_DOMAIN) and executable type
 * (SEPOL_EXEC_TYPE). It then wires them to the stock domains with
 * allow / dontaudit / type_transition rules.
 *
 * Points worth knowing when auditing a device that carries this policy:
 *  - SEPOL_PROC_DOMAIN is marked permissive and is also allowed everything.
 *  - Several rules pass ALL as the source, so they widen access for every
 *    domain in the policy, not only for Magisk's own.
 *  - The dontaudit rules keep the matching denials out of the audit log.
 *
 * Takes no arguments and returns nothing; the return values of the individual
 * rule calls are not checked.
 */
void sepolicy::magisk_rules() {
    // Warnings are muted while the rules are applied and re-enabled at the end
    // (presumably because some rules name types a given ROM does not define).
    set_log_level_state(LogLevel::Warn, false);

    // A policy that defines untrusted_app_25 comes from API 26 or later
    const bool api26_policy = exists("untrusted_app_25");

    // Take load_policy on the kernel "security" class away from every source,
    // so nothing but Magisk itself can change the sepolicy afterwards
    deny(ALL, "kernel", "security", "load_policy");

    // Magisk's process domain. permissive() is a safety net in case the blanket
    // allow below still misses something.
    type(SEPOL_PROC_DOMAIN, "domain");
    permissive(SEPOL_PROC_DOMAIN);
    const char *proc_attrs[]{"mlstrustedsubject", "netdomain", "bluetoothdomain"};
    for (auto attr : proc_attrs)
        typeattribute(SEPOL_PROC_DOMAIN, attr);

    // Magisk's file type
    type(SEPOL_FILE_TYPE, "file_type");
    typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");

    // Root domain is unconstrained: every permission on every class of every type
    allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);

    // ... including any ioctl, on policy versions that carry ioctl xperm rules
    if (impl->db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
        const char *ioctl_classes[]{"blk_file", "fifo_file", "chr_file"};
        for (auto cls : ioctl_classes)
            allowxperm(SEPOL_PROC_DOMAIN, ALL, cls, ALL);
    }

    // Unconstrained file type: any domain may do anything to objects labelled
    // SEPOL_FILE_TYPE, for each of the classes listed here
    const char *file_classes[]{"file", "dir", "fifo_file", "chr_file", "lnk_file", "sock_file"};
    for (auto cls : file_classes)
        allow(ALL, SEPOL_FILE_TYPE, cls, ALL);

    if (!api26_policy) {
        // Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS, so no client domain is
        // created; instead holes are poked in the sandbox so that these domains
        // can reach the daemon socket directly.
        const char *legacy_clients[]{"init", "shell", "appdomain", "zygote"};
        for (auto src : legacy_clients) {
            if (exists(src)) {
                allow(src, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
                allow(src, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
            }
        }
    } else {
        // The client domain carries the same attributes as untrusted_app
        type(SEPOL_CLIENT_DOMAIN, "domain");
        const char *client_attrs[]{
            "coredomain", "appdomain", "untrusted_app_all", "netdomain", "bluetoothdomain"};
        for (auto attr : client_attrs)
            typeattribute(SEPOL_CLIENT_DOMAIN, attr);

        // Label for the executable that triggers the transition
        type(SEPOL_EXEC_TYPE, "file_type");
        typeattribute(SEPOL_EXEC_TYPE, "exec_type");

        // Basic su client needs
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);

        // Terminal access for the client. Unlike the caller loop below, these
        // types are not checked with exists() first.
        const char *pty_types[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};
        const char *pty_perms[]{"getattr", "read", "write", "ioctl"};
        for (auto pty : pty_types) {
            for (auto perm : pty_perms)
                allow(SEPOL_CLIENT_DOMAIN, pty, "chr_file", perm);
        }

        // Domains that may access MagiskSU. "appdomain" is an attribute and has to
        // stay the last entry: it is dropped again when the transition list is built.
        vector<const char *> su_callers{"init", "shell", "update_engine", "appdomain"};
        const char *exec_perms[]{"read", "open", "getattr", "execute"};
        const char *inherit_perms[]{"siginh", "rlimitinh", "noatsecure"};
        for (auto src : su_callers) {
            if (!exists(src))
                continue;

            // exec magisk
            for (auto perm : exec_perms)
                allow(src, SEPOL_EXEC_TYPE, "file", perm);
            allow(SEPOL_CLIENT_DOMAIN, src, "process", "sigchld");

            // Transition into the client domain; the inheritance checks that
            // come with it are silenced rather than granted
            allow(src, SEPOL_CLIENT_DOMAIN, "process", "transition");
            for (auto perm : inherit_perms)
                dontaudit(src, SEPOL_CLIENT_DOMAIN, "process", perm);

            // Kill client process
            allow(src, SEPOL_CLIENT_DOMAIN, "process", "signal");
        }

        // type_transition needs concrete types, not attributes, so the trailing
        // "appdomain" entry is replaced by the individual app types. No exists()
        // check is made for these sources.
        const char *app_types[]{
            "system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",
            "untrusted_app_27", "untrusted_app_29", "untrusted_app_30"};
        vector<const char *> transition_sources(su_callers.begin(), su_callers.end() - 1);
        transition_sources.insert(
            transition_sources.end(), std::begin(app_types), std::end(app_types));
        for (auto src : transition_sources)
            type_transition(src, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);

        // Allow system_server to manage magisk_client
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
        allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");

        // Denied attempts by any domain to use the daemon socket leave no audit
        // record, so other processes cannot watch the deny log for them; avc
        // logs will equally not show these attempts to someone analysing the device.
        dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);

        // Only client processes and zygote may connect to the daemon socket
        allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
        allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
    }

    // Let everyone access tmpfs files (for SAR sbin overlay). The rule is not
    // limited to the overlay: it covers every regular file labelled tmpfs.
    allow(ALL, "tmpfs", "file", ALL);

    // Allow the magiskinit daemon to handle the mock selinuxfs: magiskinit stands
    // in for selinuxfs with FIFO files and receives the sepolicy that init writes
    // to them, then patches and loads it. NOTE(review): the writer is presumably
    // still in the kernel domain at that stage; confirm against magiskinit.
    allow("kernel", "tmpfs", "fifo_file", "write");

    // For relabelling files
    allow("rootfs", "labeledfs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
    allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");

    // Let init transit to SEPOL_PROC_DOMAIN
    allow("kernel", "kernel", "process", "setcurrent");
    allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");

    // Let init run stuffs
    allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
    allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
    allow("init", "tmpfs", "file", "getattr");
    allow("init", "tmpfs", "file", "execute");

    // (object class, permission) pairs for the per-service grants below
    struct ClassPerm {
        const char *cls;
        const char *perm;
    };

    // suRights
    const ClassPerm svcmgr_rules[]{
        {"dir", "search"}, {"dir", "read"}, {"file", "open"},
        {"file", "read"}, {"process", "getattr"}};
    for (const auto &[cls, perm] : svcmgr_rules)
        allow("servicemanager", SEPOL_PROC_DOMAIN, cls, perm);
    allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");

    // allowLog
    const ClassPerm logd_rules[]{
        {"dir", "search"}, {"file", "read"}, {"file", "open"}, {"file", "getattr"}};
    for (const auto &[cls, perm] : logd_rules)
        allow("logd", SEPOL_PROC_DOMAIN, cls, perm);

    // dumpsys
    allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
    const char *fifo_perms[]{"write", "read", "open", "getattr"};
    for (auto perm : fifo_perms)
        allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", perm);

    // bootctl
    const ClassPerm hwsvcmgr_rules[]{
        {"dir", "search"}, {"file", "read"}, {"file", "open"}, {"process", "getattr"}};
    for (const auto &[cls, perm] : hwsvcmgr_rules)
        allow("hwservicemanager", SEPOL_PROC_DOMAIN, cls, perm);

    // For mounting loop devices, mirrors, tmpfs: the kernel domain may read and
    // write regular files of every type
    allow("kernel", ALL, "file", "read");
    allow("kernel", ALL, "file", "write");

    // Allow all binder transactions with the Magisk domain, from any source
    allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);

    // For changing file context
    allow("rootfs", "tmpfs", "filesystem", "associate");

    // Zygisk rules. These relax the stock policy for zygote and system_server
    // themselves (execmem, sys_resource, unmount), not only for Magisk's domains.
    allow("zygote", "zygote", "capability", "sys_resource");  // prctl PR_SET_MM
    allow("zygote", "zygote", "process", "execmem");
    allow("zygote", "fs_type", "filesystem", "unmount");
    allow("system_server", "system_server", "process", "execmem");

    // Shut llkd up. SEPOL_CLIENT_DOMAIN is only declared above on API 26+
    // policies, yet the second rule is issued on every policy.
    dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
    dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");

    // Allow update_engine/addon.d-v2 to run permissive on all ROMs; SELinux
    // stops enforcing anything for that domain as a result
    permissive("update_engine");

#if 0
    // Remove all dontaudit in debug mode
    impl->strip_dontaudit();
#endif

    set_log_level_state(LogLevel::Warn, true);
}