Fix some issues with selinux rules

This commit is contained in:
topjohnwu 2020-09-04 00:03:24 -07:00
parent 61599059d5
commit 4dacffd7a1

View File

@ -3,6 +3,8 @@
#include "sepolicy.hpp" #include "sepolicy.hpp"
using namespace std;
void sepolicy::magisk_rules() { void sepolicy::magisk_rules() {
// Temp suppress warnings // Temp suppress warnings
auto bak = log_cb.w; auto bak = log_cb.w;
@ -24,9 +26,11 @@ void sepolicy::magisk_rules() {
// Make our root domain unconstrained // Make our root domain unconstrained
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL); allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
// Allow us to do any ioctl on all block devices // Allow us to do any ioctl
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL); allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
}
// Create unconstrained file type // Create unconstrained file type
allow(ALL, SEPOL_FILE_TYPE, "file", ALL); allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
@ -35,34 +39,31 @@ void sepolicy::magisk_rules() {
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL); allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
if (new_rules) { if (new_rules) {
// Make client type literally untrusted_app
type(SEPOL_CLIENT_DOMAIN, "domain"); type(SEPOL_CLIENT_DOMAIN, "domain");
typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");
type(SEPOL_EXEC_TYPE, "file_type"); type(SEPOL_EXEC_TYPE, "file_type");
typeattribute(SEPOL_EXEC_TYPE, "exec_type");
// Basic su client needs // Basic su client needs
allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL); allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto"); allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
// Allow su client termios ioctl // Allow su client termios ioctl
const char *pts[] { const char *pts[] {
"devpts", "untrusted_app_devpts", "devpts", "untrusted_app_devpts",
"untrusted_app_25_devpts", "untrusted_app_all_devpts" }; "untrusted_app_25_devpts", "untrusted_app_all_devpts" };
for (auto type : pts) { for (auto type : pts) {
if (!exists(type))
continue;
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF"); allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
} }
// Allow these processes to access MagiskSU // Allow these processes to access MagiskSU
const char *clients[] { vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app",
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29", "update_engine" };
for (auto type : clients) { for (auto type : clients) {
if (!exists(type)) if (!exists(type))
continue; continue;
@ -73,30 +74,40 @@ void sepolicy::magisk_rules() {
allow(type, SEPOL_EXEC_TYPE, "file", "execute"); allow(type, SEPOL_EXEC_TYPE, "file", "execute");
// Auto transit to client domain // Auto transit to client domain
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition"); allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh"); dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh"); dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure"); dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld"); // Kill client process
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "read"); allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "write"); }
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "ioctl");
// type transition require actual types, not attributes
const char *app_types[] {
"system_app", "priv_app", "platform_app", "untrusted_app",
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29" };
clients.pop_back();
clients.insert(clients.end(), app_types, app_types + std::size(app_types));
for (auto type : clients) {
// Auto transit to client domain
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
} }
// Allow system_server to manage magisk_client // Allow system_server to manage magisk_client
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid"); allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill"); allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets // Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL); dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
// Only allow client processes to connect to magisk daemon socket
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
} else { } else {
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS // Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
// Allow these processes to access MagiskSU // Allow these processes to access MagiskSU
const char *clients[] { const char *clients[] { "init", "shell", "appdomain" };
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app" };
for (auto type : clients) { for (auto type : clients) {
if (!exists(type)) if (!exists(type))
continue; continue;