
#include <logging.hpp>
#include <flags.h>
#include <magiskpolicy.hpp>
#include "sepolicy.h"
// Grant a client domain what it needs to reach MagiskSU: unix socket and
// descriptor plumbing to the Magisk process domain (SEPOL_PROC_DOMAIN),
// binder calls to it, and termios ioctls on the pty types a client shell
// may hold. Does nothing when the domain is absent from the loaded policy,
// so callers can list domains that only some ROMs define.
static void allowSuClient(const char *target) {
    if (!sepol_exists(target))
        return;

    // Client <-> daemon unix stream socket and fd/fifo passing
    sepol_allow(target, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
    sepol_allow(target, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
    sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use");
    sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL);

    // Binder service
    sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
    sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");

    // Termios ioctl on every devpts type a client may be attached to
    static const char *const pts_types[] = {
        "devpts",
        "untrusted_app_devpts",
        "untrusted_app_25_devpts",
        "untrusted_app_all_devpts",
    };
    for (const char *pts : pts_types)
        sepol_allow(target, pts, "chr_file", "ioctl");

    // Extended permissions are only available from POLICYDB_VERSION_XPERMS_IOCTL
    // on; where supported, narrow the ioctl grant above to the termios range.
    if (magisk_policydb->policyvers < POLICYDB_VERSION_XPERMS_IOCTL)
        return;
    for (const char *pts : pts_types)
        sepol_allowxperm(target, pts, "chr_file", "0x5400-0x54FF");
}
// Apply Magisk's sepolicy patch to the loaded policy (magisk_policydb).
//
// Statement order matters here: the blanket deny of load_policy at the top is
// re-allowed for SEPOL_PROC_DOMAIN further down, and both Magisk domains are
// created before any rule references them. Warnings from the policy helpers
// are muted for the duration of the function and restored at the end.
//
// Security note (review): the resulting policy is deliberately very broad.
// Magisk's process domain is made permissive and is allowed every operation
// on every file class, every domain may access tmpfs files and
// SEPOL_FILE_DOMAIN objects, and update_engine is made permissive. SELinux
// therefore stops being a meaningful boundary around these domains; any
// access control for the daemon has to live in the daemon itself.
void sepol_magisk_rules() {
    // Temp suppress warnings
    auto bak = log_cb.w;
    log_cb.w = nop_log;

    // First prevent anything to change sepolicy except ourselves
    // (SEPOL_PROC_DOMAIN gets load_policy back in the live-patching rules below)
    sepol_deny(ALL, "kernel", "security", "load_policy");
    if (!sepol_exists(SEPOL_PROC_DOMAIN))
        sepol_create(SEPOL_PROC_DOMAIN);
    if (!sepol_exists(SEPOL_FILE_DOMAIN))
        sepol_create(SEPOL_FILE_DOMAIN);
    // Permissive: denials against Magisk's process domain are logged, not enforced
    sepol_permissive(SEPOL_PROC_DOMAIN);
    sepol_attradd(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
    sepol_attradd(SEPOL_PROC_DOMAIN, "netdomain");
    sepol_attradd(SEPOL_PROC_DOMAIN, "bluetoothdomain");
    sepol_attradd(SEPOL_FILE_DOMAIN, "mlstrustedobject");

    // Let everyone access tmpfs files (for SAR sbin overlay)
    // NOTE(review): this applies to every source domain, not just Magisk's
    sepol_allow(ALL, "tmpfs", "file", ALL);
    // For normal rootfs file/directory operations when rw (for SAR / overlay)
    sepol_allow("rootfs", "labeledfs", "filesystem", "associate");

    // Let init transit to SEPOL_PROC_DOMAIN
    sepol_allow("kernel", "kernel", "process", "setcurrent");
    sepol_allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");

    // Let init run stuffs
    sepol_allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
    sepol_allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
    sepol_allow("init", "tmpfs", "file", "getattr");
    sepol_allow("init", "tmpfs", "file", "execute");

    // Shell, properties, logs
    // default_prop / logd are guarded because not every policy defines them
    if (sepol_exists("default_prop"))
        sepol_allow(SEPOL_PROC_DOMAIN, "default_prop", "property_service", "set");
    sepol_allow(SEPOL_PROC_DOMAIN, "init", "unix_stream_socket", "connectto");
    sepol_allow(SEPOL_PROC_DOMAIN, "rootfs", "filesystem", "remount");
    if (sepol_exists("logd"))
        sepol_allow(SEPOL_PROC_DOMAIN, "logd", "unix_stream_socket", "connectto");
    sepol_allow(SEPOL_PROC_DOMAIN, SEPOL_PROC_DOMAIN, ALL, ALL);
    // For sepolicy live patching (undoes the deny above for this one domain)
    sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "security", "read_policy");
    sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "security", "load_policy");
    // Allow these processes to access MagiskSU
    // (allowSuClient skips any domain the loaded policy does not define)
    allowSuClient("init");
    allowSuClient("shell");
    allowSuClient("system_app");
    allowSuClient("priv_app");
    allowSuClient("platform_app");
    allowSuClient("untrusted_app");
    allowSuClient("untrusted_app_25");
    allowSuClient("untrusted_app_27");
    allowSuClient("update_engine");

    // suRights: servicemanager <-> Magisk process domain, both directions
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "search");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "read");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "open");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "read");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "process", "getattr");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "transfer");
    sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "call");
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");

    // allowLog
    sepol_allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
    sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
    sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
    sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");

    // suBackL0
    sepol_allow("system_server", SEPOL_PROC_DOMAIN, "binder", "call");
    sepol_allow("system_server", SEPOL_PROC_DOMAIN, "binder", "transfer");
    sepol_allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "call");
    sepol_allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "transfer");

    // suBackL6
    // NOTE(review): these widen surfaceflinger itself, not only Magisk's domain
    sepol_allow("surfaceflinger", "app_data_file", "dir", ALL);
    sepol_allow("surfaceflinger", "app_data_file", "file", ALL);
    sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
    sepol_attradd("surfaceflinger", "mlstrustedsubject");

    // suMiscL6
    if (sepol_exists("audioserver"))
        sepol_allow("audioserver", "audioserver", "process", "execmem");

    // Liveboot
    sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
    sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "transfer");
    sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "call");
    sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
    sepol_allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");
    // dumpsys
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");

    // bootctl
    sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
    sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
    sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
    sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
    sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");

    // For mounting loop devices, mirrors, tmpfs
    sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "process", "setsched");
    sepol_allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "mount");
    sepol_allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "unmount");
    sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "mount");
    sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "unmount");

    // NOTE(review): grants the kernel domain read/write on files of every type
    sepol_allow("kernel", ALL, "file", "read");
    sepol_allow("kernel", ALL, "file", "write");

    // Allow us to do anything to any files/dir/links
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "file", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "dir", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "lnk_file", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "sock_file", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
    sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);

    // Allow us to do any ioctl on all block devices
    // (xperm rules only exist from POLICYDB_VERSION_XPERMS_IOCTL on)
    if (magisk_policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
        sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
    // Allow all binder transactions
    sepol_allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
    // Super files: any domain may fully access objects labeled SEPOL_FILE_DOMAIN
    sepol_allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
    sepol_allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
    sepol_allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
    sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
    sepol_allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");

    // For changing attributes
    sepol_allow("rootfs", "tmpfs", "filesystem", "associate");

    // Xposed
    sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
    sepol_allow("system_server", "dex2oat_exec", "file", ALL);

    // Support deodexed ROM on Oreo
    sepol_allow("zygote", "dalvikcache_data_file", "file", "execute");

    // Support deodexed ROM on Pie (Samsung)
    sepol_allow("system_server", "dalvikcache_data_file", "file", "write");
    sepol_allow("system_server", "dalvikcache_data_file", "file", "execute");

    // Allow update_engine/addon.d-v2 to run permissive on all ROMs
    // NOTE(review): this removes SELinux enforcement from the OTA updater
    // regardless of how restrictive the ROM's own update_engine policy is
    sepol_permissive("update_engine");

#if 0
    // Remove all dontaudit in debug mode (compiled out)
    strip_dontaudit();
#endif
    // Restore the warning callback muted at the top
    log_cb.w = bak;
}