TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2025-12-10 10:02:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

Introduce new sepolicy injection mechanism

Browse Source 
In the current implementation, Magisk will either have to recreate
all early mount implementation (for legacy SAR and rootfs devices) or
delegate early mount to first stage init (for 2SI devices) to access
required partitions for loading sepolicy. It then has to recreate the
split sepolicy loading implementation in-house, apply patches, then
dump the compiled + patched policies into monolithic format somewhere.
Finally, it patches the original init to force it to load the sepolicy
file we just created.

With the increasing complexity involved in early mount and split
sepolicy (there is even APEX module involved in the future!),
it is about time to rethink Magisk's sepolicy strategy as rebuilding
init's functionality is not scalable and easy to maintain.

In this commit, instead of building sepolicy ourselves, we mock
selinuxfs with FIFO files connected to a pre-init daemon, waiting
for the actual init process to directly write the sepolicy file into
MagiskInit. We then patch the file and load it into the kernel. Some
FIFO tricks has to be used to hijack the original init process's
control flow and prevent race conditions, details are directly in the
comments in code.

At the moment, only system-as-root (read-only root) support is added.
Support for legacy rootfs devices will come with a follow up commit.
This commit is contained in:
topjohnwu
2022-03-16 00:31:53 -07:00
parent b10379e700
commit 49f259065d
13 changed files with 244 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
native/jni/init/getinfo.cpp
View File

@@ -72,6 +72,7 @@ static kv_pairs parse_bootconfig(string_view str) {
#define test_bit(bit, array) (array[bit / 8] & (1 << (bit % 8)))
static bool check_key_combo() {
LOGD("Running in recovery mode, waiting for key...\n");
uint8_t bitmask[(KEY_MAX + 1) / 8];
vector<int> events;
constexpr const char *name = "/event";
@@ -226,7 +227,6 @@ void load_kernel_info(BootConfig *config) {
parse_prop_file("/.backup/.magisk", [=](auto key, auto value) -> bool {
if (key == "RECOVERYMODE" && value == "true") {
LOGD("Running in recovery mode, waiting for key...\n");
config->skip_initramfs = config->emulator || !check_key_combo();
return false;
}

1
native/jni/init/init.cpp
View File

@@ -109,7 +109,6 @@ static int test_main(int argc, char *argv[]) {
#endif // ENABLE_TEST
static int magisk_proxy_main(int argc, char *argv[]) {
setup_klog();
auto init = make_unique<MagiskProxy>(argv);
init->start();
return 1;

16
native/jni/init/init.hpp
View File

@@ -5,7 +5,7 @@ using kv_pairs = std::vector<std::pair<std::string, std::string>>;
// For API 28 AVD, it uses legacy SAR setup that requires
// special hacks in magiskinit to work properly. We do not
// necessarily want this enabled in production builds.
#define ENABLE_AVD_HACK 0
#define ENABLE_AVD_HACK 1
struct BootConfig {
bool skip_initramfs;
@@ -36,7 +36,6 @@ struct fstab_entry {
fstab_entry &operator=(fstab_entry&&) = default;
};
#define INIT_SOCKET "MAGISKINIT"
#define DEFAULT_DT_DIR "/proc/device-tree/firmware/android"
extern std::vector<std::string> mount_list;
@@ -57,7 +56,6 @@ protected:
char **argv = nullptr;
[[noreturn]] void exec_init();
void read_dt_fstab(std::vector<fstab_entry> &fstab);
public:
BaseInit(char *argv[], BootConfig *config = nullptr) : config(config), argv(argv) {}
virtual ~BaseInit() = default;
@@ -75,12 +73,12 @@ protected:
// running magiskinit on legacy SAR AVD emulator
bool avd_hack = false;
#else
// Make it const so compiler can optimize hacks out of the code
static const bool avd_hack = false;
// Make it constexpr so compiler can optimize hacks out of the code
static constexpr bool avd_hack = false;
#endif
void mount_with_dt();
bool patch_sepolicy(const char *file);
void hijack_sepolicy();
void setup_tmp(const char *path);
void mount_rules_dir(const char *dev_base, const char *mnt_base);
void patch_rw_root();
@@ -94,7 +92,6 @@ protected:
void backup_files();
void patch_ro_root();
void mount_system_root();
public:
using MagiskInit::MagiskInit;
};
@@ -140,14 +137,14 @@ public:
class LegacySARInit : public SARBase {
private:
bool early_mount();
bool mount_system_root();
void first_stage_prep();
public:
LegacySARInit(char *argv[], BootConfig *config) : SARBase(argv, config) {
LOGD("%s\n", __FUNCTION__);
};
void start() override {
if (early_mount())
if (mount_system_root())
first_stage_prep();
else
patch_ro_root();
@@ -176,6 +173,7 @@ public:
class MagiskProxy : public MagiskInit {
public:
explicit MagiskProxy(char *argv[]) : MagiskInit(argv) {
setup_klog();
LOGD("%s\n", __FUNCTION__);
}
void start() override;

71
native/jni/init/mount.cpp
View File

@@ -104,7 +104,7 @@ if (access(#val, F_OK) == 0) {\
entry.val = rtrim(full_read(#val)); \
}
void BaseInit::read_dt_fstab(vector<fstab_entry> &fstab) {
static void read_dt_fstab(BootConfig *config, vector<fstab_entry> &fstab) {
if (access(config->dt_dir, F_OK) != 0)
return;
@@ -152,13 +152,28 @@ void BaseInit::read_dt_fstab(vector<fstab_entry> &fstab) {
}
}
void MagiskInit::mount_with_dt() {
static void mount_with_dt(BootConfig *config) {
vector<fstab_entry> fstab;
read_dt_fstab(fstab);
read_dt_fstab(config, fstab);
for (const auto &entry : fstab) {
if (is_lnk(entry.mnt_point.data()))
continue;
if (avd_hack && entry.mnt_point == "/system") {
// Derive partname from dev
sprintf(blk_info.partname, "%s%s", basename(entry.dev.data()), config->slot);
setup_block(true);
xmkdir(entry.mnt_point.data(), 0755);
xmount(blk_info.block_dev, entry.mnt_point.data(), entry.type.data(), MS_RDONLY, nullptr);
mount_list.push_back(entry.mnt_point);
}
}
static void avd_hack_mount(BootConfig *config) {
vector<fstab_entry> fstab;
read_dt_fstab(config, fstab);
for (const auto &entry : fstab) {
if (is_lnk(entry.mnt_point.data()))
continue;
if (entry.mnt_point == "/system") {
// When we force AVD to disable SystemAsRoot, it will always add system
// to dt fstab. We actually already mounted it as root, so skip this one.
continue;
@@ -168,11 +183,8 @@ void MagiskInit::mount_with_dt() {
setup_block(true);
xmkdir(entry.mnt_point.data(), 0755);
xmount(blk_info.block_dev, entry.mnt_point.data(), entry.type.data(), MS_RDONLY, nullptr);
if (!avd_hack) {
// When avd_hack is true, do not add any early mount partitions to mount_list
// as we will actually forcefully disable original init's early mount
mount_list.push_back(entry.mnt_point);
}
// Do not add any early mount partitions to mount_list as we will
// actually forcefully disable original init's early mount.
}
}
@@ -300,7 +312,7 @@ void RootFSInit::early_mount() {
LOGD("Restoring /init\n");
rename(backup_init(), "/init");
mount_with_dt();
mount_with_dt(config);
}
void SARBase::backup_files() {
@@ -316,8 +328,10 @@ void SARBase::backup_files() {
magisk_cfg = mmap_data("/data/.backup/.magisk");
}
void SARBase::mount_system_root() {
LOGD("Early mount system_root\n");
bool LegacySARInit::mount_system_root() {
backup_files();
LOGD("Mounting system_root\n");
strcpy(blk_info.block_dev, "/dev/root");
do {
@@ -344,31 +358,36 @@ void SARBase::mount_system_root() {
// We don't really know what to do at this point...
LOGE("Cannot find root partition, abort\n");
exit(1);
mount_root:
xmkdir("/system_root", 0755);
if (xmount("/dev/root", "/system_root", "ext4", MS_RDONLY, nullptr))
xmount("/dev/root", "/system_root", "erofs", MS_RDONLY, nullptr);
}
bool LegacySARInit::early_mount() {
backup_files();
mount_system_root();
if (xmount("/dev/root", "/system_root", "ext4", MS_RDONLY, nullptr)) {
if (xmount("/dev/root", "/system_root", "erofs", MS_RDONLY, nullptr)) {
// We don't really know what to do at this point...
LOGE("Cannot mount root partition, abort\n");
exit(1);
}
}
switch_root("/system_root");
// Use the apex folder to determine whether 2SI (Android 10+)
bool is_two_stage = access("/apex", F_OK) == 0;
LOGD("is_two_stage: [%d]\n", is_two_stage);
if (!is_two_stage) {
// Make dev writable
xmkdir("/dev", 0755);
xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");
mount_list.emplace_back("/dev");
#if ENABLE_AVD_HACK
avd_hack = config->emulator;
#endif
mount_with_dt();
if (!is_two_stage) {
if (config->emulator) {
avd_hack = true;
// Make dev writable
xmkdir("/dev", 0755);
xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");
mount_list.emplace_back("/dev");
avd_hack_mount(config);
}
}
#endif
return is_two_stage;
}

138
native/jni/init/rootdir.cpp
View File

@@ -4,7 +4,7 @@
#include <magisk.hpp>
#include <magiskpolicy.hpp>
#include <utils.hpp>
#include <socket.hpp>
#include <stream.hpp>
#include "init.hpp"
#include "magiskrc.inc"
@@ -139,6 +139,94 @@ bool MagiskInit::patch_sepolicy(const char *file) {
return patch_init;
}
#define MOCK_LOAD SELINUXMOCK "/load"
#define MOCK_ENFORCE SELINUXMOCK "/enforce"
#define REAL_SELINUXFS SELINUXMOCK "/fs"
void MagiskInit::hijack_sepolicy() {
// Read all custom rules into memory
string rules;
if (!custom_rules_dir.empty()) {
if (auto dir = xopen_dir(custom_rules_dir.data())) {
for (dirent *entry; (entry = xreaddir(dir.get()));) {
auto rule_file = custom_rules_dir + "/" + entry->d_name + "/sepolicy.rule";
if (xaccess(rule_file.data(), R_OK) == 0) {
LOGD("Load custom sepolicy patch: [%s]\n", rule_file.data());
full_read(rule_file.data(), rules);
rules += '\n';
}
}
}
}
// Hijack the "load" and "enforce" node in selinuxfs to manipulate
// the actual sepolicy being loaded into the kernel
// We need to preserve sysfs and selinuxfs after re-exec
mount_list.erase(std::remove_if(
mount_list.begin(), mount_list.end(),
[](const string &s) { return s == "/sys"; }), mount_list.end());
if (access(SELINUX_ENFORCE, F_OK) != 0) {
// selinuxfs needs to be mounted
xmount("selinuxfs", SELINUX_MNT, "selinuxfs", 0, nullptr);
}
LOGD("Hijack [" SELINUX_LOAD "] and [" SELINUX_ENFORCE "]\n");
xmkdir(SELINUXMOCK, 0);
mkfifo(MOCK_LOAD, 0600);
mkfifo(MOCK_ENFORCE, 0644);
xmount(MOCK_LOAD, SELINUX_LOAD, nullptr, MS_BIND, nullptr);
xmount(MOCK_ENFORCE, SELINUX_ENFORCE, nullptr, MS_BIND, nullptr);
// Create a new process waiting for original init to load sepolicy into our fifo
if (xfork()) {
// In parent, return and continue boot process
return;
}
// Read full sepolicy
int fd = xopen(MOCK_LOAD, O_RDONLY);
string policy = fd_full_read(fd);
close(fd);
auto sepol = unique_ptr<sepolicy>(sepolicy::from_data(policy.data(), policy.length()));
sepol->magisk_rules();
sepol->load_rules(rules);
// Mount selinuxfs to another path
xmkdir(REAL_SELINUXFS, 0755);
xmount("selinuxfs", REAL_SELINUXFS, "selinuxfs", 0, nullptr);
// This open will block until the actual init calls security_getenforce
fd = xopen(MOCK_ENFORCE, O_WRONLY);
// Cleanup the hijacks
umount2("/init", MNT_DETACH);
xumount2(SELINUX_LOAD, MNT_DETACH);
xumount2(SELINUX_ENFORCE, MNT_DETACH);
// Load patched policy
sepol->to_file(REAL_SELINUXFS "/load");
// Write to mock "enforce" ONLY after sepolicy is loaded. We need to make sure
// the actual init process is blocked until sepolicy is loaded, or else
// restorecon will fail and re-exec won't change context, causing boot failure.
// We (ab)use the fact that security_getenforce reads the "enforce" file, and
// because it has been replaced with our FIFO file, init will block until we
// write something into the pipe, effectively hijacking its control flow.
xwrite(fd, "0", 1);
close(fd);
// At this point, the actual init process will be unblocked
// and continue on with restorecon + re-exec.
// Terminate process
exit(0);
}
static void recreate_sbin(const char *mirror, bool use_bind_mount) {
auto dp = xopen_dir(mirror);
int src = dirfd(dp.get());
@@ -199,22 +287,18 @@ static void patch_socket_name(const char *path) {
}
#define ROOTMIR MIRRDIR "/system_root"
#define MONOPOLICY "/sepolicy"
#define NEW_INITRC "/system/etc/init/hw/init.rc"
void SARBase::patch_ro_root() {
string tmp_dir;
const char *sepol;
if (access("/sbin", F_OK) == 0) {
tmp_dir = "/sbin";
sepol = "/sbin/.se";
} else {
char buf[8];
gen_rand_str(buf, sizeof(buf));
tmp_dir = "/dev/"s + buf;
xmkdir(tmp_dir.data(), 0);
sepol = "/dev/.se";
}
setup_tmp(tmp_dir.data());
@@ -231,20 +315,14 @@ void SARBase::patch_ro_root() {
if (tmp_dir == "/sbin")
recreate_sbin(ROOTMIR "/sbin", true);
// Patch init
int patch_count;
{
xmkdir(ROOTOVL, 0);
// Handle avd hack
if (avd_hack) {
int src = xopen("/init", O_RDONLY | O_CLOEXEC);
auto init = mmap_data("/init");
patch_count = init.patch({
make_pair(SPLIT_PLAT_CIL, "xxx"), /* Force loading monolithic sepolicy */
make_pair(MONOPOLICY, sepol) /* Redirect /sepolicy to custom path */
});
if (avd_hack) {
// Force disable early mount on original init
init.patch({ make_pair("android,fstab", "xxx") });
}
xmkdir(ROOTOVL, 0);
// Force disable early mount on original init
init.patch({ make_pair("android,fstab", "xxx") });
int dest = xopen(ROOTOVL "/init", O_CREAT | O_WRONLY | O_CLOEXEC, 0);
xwrite(dest, init.buf, init.sz);
fclone_attr(src, dest);
@@ -252,30 +330,6 @@ void SARBase::patch_ro_root() {
close(dest);
}
if (patch_count != 2) {
// init is dynamically linked, need to patch libselinux
const char *path = "/system/lib64/libselinux.so";
if (access(path, F_OK) != 0) {
path = "/system/lib/libselinux.so";
if (access(path, F_OK) != 0)
path = nullptr;
}
if (path) {
char ovl[128];
sprintf(ovl, ROOTOVL "%s", path);
auto lib = mmap_data(path);
lib.patch({ make_pair(MONOPOLICY, sepol) });
xmkdirs(dirname(ovl), 0755);
int dest = xopen(ovl, O_CREAT | O_WRONLY | O_CLOEXEC, 0);
xwrite(dest, lib.buf, lib.sz);
close(dest);
clone_attr(path, ovl);
}
}
// sepolicy
patch_sepolicy(sepol);
// Handle overlay.d
restore_folder(ROOTOVL, overlays);
overlays.clear();
@@ -321,6 +375,8 @@ void SARBase::patch_ro_root() {
write(dest, magic_mount_list.data(), magic_mount_list.length());
close(dest);
hijack_sepolicy();
chdir("/");
}