Significantly broaden sepolicy.rule compatibility

Previously, Magisk uses persist or cache for storing modules' custom sepolicy rules. In this commit, we significantly broaden its compatibility and also prevent mounting errors. The persist partition is non-standard and also critical for Snapdragon devices, so we prefer not to use it by default. We will go through the following logic to find the best suitable non-volatile, writable location to store and load sepolicy.rule files: Unencrypted data -> FBE data unencrypted dir -> cache -> metadata -> persist This should cover almost all possible cases: very old devices have cache partitions; newer devices will use FBE; latest devices will use metadata FBE (which guarantees a metadata parition); and finally, all Snapdragon devices have the persist partition (as a last resort). Fix #3179
2025-12-02 19:01:52 +00:00 · 2020-11-02 23:20:38 -08:00
parent cf47214ee4
commit 16e4c67992
9 changed files with 237 additions and 105 deletions
--- a/native/jni/core/bootstages.cpp
+++ b/native/jni/core/bootstages.cpp
@@ -22,14 +22,15 @@ static bool safe_mode = false;
 * Setup *
 *********/

-#define DIR_IS(part)      (me->mnt_dir == "/" #part ""sv)
+#define MNT_DIR_IS(dir)   (me->mnt_dir == string_view(dir))
 #define SETMIR(b, part)   sprintf(b, "%s/" MIRRDIR "/" #part, MAGISKTMP.data())
 #define SETBLK(b, part)   sprintf(b, "%s/" BLOCKDIR "/" #part, MAGISKTMP.data())

 #define mount_mirror(part, flag) \
-else if (DIR_IS(part) && me->mnt_type != "tmpfs"sv && lstat(me->mnt_dir, &st) == 0) { \
+else if (MNT_DIR_IS("/" #part) && me->mnt_type != "tmpfs"sv && lstat(me->mnt_dir, &st) == 0) { \
 	SETMIR(buf1, part); \
 	SETBLK(buf2, part); \
+	unlink(buf2); \
 	mknod(buf2, S_IFBLK | 0600, st.st_dev); \
 	xmkdir(buf1, 0755); \
 	xmount(buf2, buf1, me->mnt_type, flag, nullptr); \
@@ -43,6 +44,16 @@ if (access("/system/" #part, F_OK) == 0 && access(buf1, F_OK) != 0) { \
 	LOGI("link: %s\n", buf1); \
 }

+#define link_orig_dir(dir, part) \
+else if (MNT_DIR_IS(dir) && me->mnt_type != "tmpfs"sv) { \
+	SETMIR(buf1, part); \
+	rmdir(buf1); \
+	xsymlink(dir, buf1); \
+	LOGI("link: %s\n", buf1); \
+}
+
+#define link_orig(part) link_orig_dir("/" #part, part)
+
 static bool magisk_env() {
 	LOGI("* Initializing Magisk environment\n");

@@ -98,7 +109,11 @@ static bool magisk_env() {
 		mount_mirror(product, MS_RDONLY)
 		mount_mirror(system_ext, MS_RDONLY)
 		mount_mirror(data, 0)
-		else if (SDK_INT >= 24 && DIR_IS(proc) && !strstr(me->mnt_opts, "hidepid=2")) {
+		link_orig(cache)
+		link_orig(metadata)
+		link_orig(persist)
+		link_orig_dir("/mnt/vendor/persist", persist)
+		else if (SDK_INT >= 24 && MNT_DIR_IS("/proc") && !strstr(me->mnt_opts, "hidepid=2")) {
 			xmount(nullptr, "/proc", nullptr, MS_REMOUNT, "hidepid=2,gid=3009");
 		}
 		return true;
@@ -109,9 +124,9 @@ static bool magisk_env() {
 		xsymlink("./system_root/system", buf1);
 		LOGI("link: %s\n", buf1);
 	}
-	link_mirror(vendor);
-	link_mirror(product);
-	link_mirror(system_ext);
+	link_mirror(vendor)
+	link_mirror(product)
+	link_mirror(system_ext)

 	// Disable/remove magiskhide, resetprop
 	if (SDK_INT < 19) {