Deny init relabel to adb_data_file
Co-authored-by: 残页 <a1364259@163.com> Co-authored-by: LoveSy <shana@zju.edu.cn>
parent
6e918ffd68
commit
3726eb6032
@ -18,7 +18,7 @@ static void restore_syscon(int dirfd) {
|
|||||||
char *con;
|
char *con;
|
||||||
|
|
||||||
if (fgetfilecon(dirfd, &con) >= 0) {
|
if (fgetfilecon(dirfd, &con) >= 0) {
|
||||||
if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
|
if (strlen(con) == 0 || strcmp(con, UNLABEL_CON) == 0)
|
||||||
fsetfilecon(dirfd, SYSTEM_CON);
|
fsetfilecon(dirfd, SYSTEM_CON);
|
||||||
freecon(con);
|
freecon(con);
|
||||||
}
|
}
|
||||||
@ -31,13 +31,13 @@ static void restore_syscon(int dirfd) {
|
|||||||
continue;
|
continue;
|
||||||
} else if (entry->d_type == DT_REG) {
|
} else if (entry->d_type == DT_REG) {
|
||||||
if (fgetfilecon(fd, &con) >= 0) {
|
if (fgetfilecon(fd, &con) >= 0) {
|
||||||
if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
|
if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0)
|
||||||
fsetfilecon(fd, SYSTEM_CON);
|
fsetfilecon(fd, SYSTEM_CON);
|
||||||
freecon(con);
|
freecon(con);
|
||||||
}
|
}
|
||||||
} else if (entry->d_type == DT_LNK) {
|
} else if (entry->d_type == DT_LNK) {
|
||||||
getfilecon_at(dirfd, entry->d_name, &con);
|
getfilecon_at(dirfd, entry->d_name, &con);
|
||||||
if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0 || strcmp(con, ADB_CON) == 0)
|
if (con[0] == '\0' || strcmp(con, UNLABEL_CON) == 0)
|
||||||
setfilecon_at(dirfd, entry->d_name, con);
|
setfilecon_at(dirfd, entry->d_name, con);
|
||||||
freecon(con);
|
freecon(con);
|
||||||
}
|
}
|
||||||
|
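Review bot: In the `DT_LNK` branch the result of `getfilecon_at(dirfd, entry->d_name, &con)` is not checked before `con[0]` is read and `freecon(con)` is called, unlike the two `fgetfilecon(...) >= 0` guards above it; if the lookup can fail without writing `con`, this path reads and frees a stale pointer left over from an earlier iteration. The same branch then calls `setfilecon_at(dirfd, entry->d_name, con)`, which writes back the label just read rather than `SYSTEM_CON`, so an empty or unlabeled symlink appears never to be corrected. Both issues predate this commit, which only drops the `ADB_CON` comparison, but since the line is being edited I would wrap the branch in `if (getfilecon_at(dirfd, entry->d_name, &con) >= 0) {` and pass `SYSTEM_CON` to `setfilecon_at`. `getfilecon_at` is defined outside the hunk, so its return convention and failure behaviour need confirming, and `restore_syscon` itself starts and ends outside the hunk.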
@ -137,8 +137,6 @@ void sepolicy::magisk_rules() {
|
|||||||
// Let init run stuffs
|
// Let init run stuffs
|
||||||
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
|
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
|
||||||
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
|
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
|
||||||
allow("init", "tmpfs", "file", "getattr");
|
|
||||||
allow("init", "tmpfs", "file", "execute");
|
|
||||||
|
|
||||||
// suRights
|
// suRights
|
||||||
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
||||||
@ -187,6 +185,10 @@ void sepolicy::magisk_rules() {
|
|||||||
dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
||||||
dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
|
dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
|
||||||
|
|
||||||
|
// Keep /data/adb/* context
|
||||||
|
deny("init", "adb_data_file", "dir", "search");
|
||||||
|
deny("vendor_init", "adb_data_file", "dir", "search");
|
||||||
|
|
||||||
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
|
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
|
||||||
permissive("update_engine");
|
permissive("update_engine");
|
||||||
|
|
||||||
|
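Review bot: The comment `// Keep /data/adb/* context` on the two new `deny(...)` rules states the goal but not the mechanism, and the rules themselves only remove `dir search`, not `relabelfrom`. I would spell that out, for example `// Stop init/vendor_init from traversing adb_data_file dirs so a recursive restorecon cannot reach and relabel /data/adb/*`, so a later reader does not mistake this for a relabel permission being stripped. It is also worth noting in the comment that this presumably protects only entries below an `adb_data_file` directory, not the label of the top-level directory itself, and that files carrying `ADB_CON` are no longer reset to `SYSTEM_CON` by `restore_syscon` after this commit. Whether init needs `search` on these directories for anything else cannot be judged from the hunk, since `magisk_rules()` continues outside it.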