From 3726eb6032b24b4574eae9037fa927e838a6e731 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8D=97=E5=AE=AB=E9=9B=AA=E7=8F=8A?= <vvb2060@gmail.com>
Date: Thu, 2 Mar 2023 18:20:38 +0800
Subject: [PATCH] Deny init relabel to adb_data_file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: 残页 <a1364259@163.com>
Co-authored-by: LoveSy <shana@zju.edu.cn>
---
 native/src/core/restorecon.cpp | 6 +++---
 native/src/sepolicy/rules.cpp  | 6 ++++--
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/native/src/core/restorecon.cpp b/native/src/core/restorecon.cpp
index bab2df857..b18dbd91e 100644
--- a/native/src/core/restorecon.cpp
+++ b/native/src/core/restorecon.cpp
@@ -18,7 +18,7 @@ static void restore_syscon(int dirfd) {
     char *con;
 
     if (fgetfilecon(dirfd, &con) >= 0) {
-        if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
+        if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0)
             fsetfilecon(dirfd, SYSTEM_CON);
         freecon(con);
     }
@@ -31,13 +31,13 @@ static void restore_syscon(int dirfd) {
             continue;
         } else if (entry->d_type == DT_REG) {
             if (fgetfilecon(fd, &con) >= 0) {
-                if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
+                if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0)
                     fsetfilecon(fd, SYSTEM_CON);
                 freecon(con);
             }
         } else if (entry->d_type == DT_LNK) {
             getfilecon_at(dirfd, entry->d_name, &con);
-            if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
+            if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0)
                 setfilecon_at(dirfd, entry->d_name, con);
             freecon(con);
         }
diff --git a/native/src/sepolicy/rules.cpp b/native/src/sepolicy/rules.cpp
index 2bc300a7e..7c28613b8 100644
--- a/native/src/sepolicy/rules.cpp
+++ b/native/src/sepolicy/rules.cpp
@@ -137,8 +137,6 @@ void sepolicy::magisk_rules() {
     // Let init run stuffs
     allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
     allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
-    allow("init", "tmpfs", "file", "getattr");
-    allow("init", "tmpfs", "file", "execute");
 
     // suRights
     allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
@@ -187,6 +185,10 @@ void sepolicy::magisk_rules() {
     dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
     dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
 
+    // Keep /data/adb/* context
+    deny("init", "adb_data_file", "dir", "search");
+    deny("vendor_init", "adb_data_file", "dir", "search");
+
     // Allow update_engine/addon.d-v2 to run permissive on all ROMs
     permissive("update_engine");