TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2024-11-24 02:25:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Simplify sepolicy rules

Browse Source
This commit is contained in:
topjohnwu 2020-05-25 02:30:39 -07:00
parent 4499cebcd9
commit 599ee57d39
2 changed files with 15 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
native/jni/init/rootdir.cpp
View File

@ -152,7 +152,6 @@ bool MagiskInit::patch_sepolicy(const char *file) {
sepol = sepolicy::from_split(); sepol = sepolicy::from_split();
sepol->magisk_rules(); sepol->magisk_rules();
sepol->allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
// Custom rules // Custom rules
if (auto dir = open_dir(persist_dir.data()); dir) { if (auto dir = open_dir(persist_dir.data()); dir) {

73
native/jni/magiskpolicy/rules.cpp
View File

@ -11,8 +11,6 @@ void sepol_impl::allow_su_client(const char *type) {
return; return;
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto"); allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt"); allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
allow(SEPOL_PROC_DOMAIN, type, "fd", "use");
allow(SEPOL_PROC_DOMAIN, type, "fifo_file", ALL);
// Allow binder service // Allow binder service
allow(type, SEPOL_PROC_DOMAIN, "binder", "call"); allow(type, SEPOL_PROC_DOMAIN, "binder", "call");
@ -36,15 +34,12 @@ void sepolicy::magisk_rules() {
auto bak = log_cb.w; auto bak = log_cb.w;
log_cb.w = nop_log; log_cb.w = nop_log;
// First prevent anything to change sepolicy except ourselves // Prevent anything to change sepolicy except ourselves
deny(ALL, "kernel", "security", "load_policy"); deny(ALL, "kernel", "security", "load_policy");
if (!exists(SEPOL_PROC_DOMAIN)) type(SEPOL_PROC_DOMAIN, "domain");
create(SEPOL_PROC_DOMAIN); type(SEPOL_FILE_DOMAIN, "file_type");
if (!exists(SEPOL_FILE_DOMAIN))
create(SEPOL_FILE_DOMAIN);
permissive(SEPOL_PROC_DOMAIN); permissive(SEPOL_PROC_DOMAIN);
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject"); typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
typeattribute(SEPOL_PROC_DOMAIN, "netdomain"); typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain"); typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
@ -66,18 +61,17 @@ void sepolicy::magisk_rules() {
allow("init", "tmpfs", "file", "getattr"); allow("init", "tmpfs", "file", "getattr");
allow("init", "tmpfs", "file", "execute"); allow("init", "tmpfs", "file", "execute");
// Shell, properties, logs // Make our domain unconstrained
if (exists("default_prop")) allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
allow(SEPOL_PROC_DOMAIN, "default_prop", "property_service", "set"); // Allow us to do any ioctl on all block devices
allow(SEPOL_PROC_DOMAIN, "init", "unix_stream_socket", "connectto"); if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
allow(SEPOL_PROC_DOMAIN, "rootfs", "filesystem", "remount"); allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
if (exists("logd"))
allow(SEPOL_PROC_DOMAIN, "logd", "unix_stream_socket", "connectto");
allow(SEPOL_PROC_DOMAIN, SEPOL_PROC_DOMAIN, ALL, ALL);
// For sepolicy live patching // Make our file type unconstrained
allow(SEPOL_PROC_DOMAIN, "kernel", "security", "read_policy"); allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
allow(SEPOL_PROC_DOMAIN, "kernel", "security", "load_policy"); allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
// Allow these processes to access MagiskSU // Allow these processes to access MagiskSU
std::initializer_list<const char *> clients { std::initializer_list<const char *> clients {
@ -93,13 +87,6 @@ void sepolicy::magisk_rules() {
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read"); allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr"); allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer"); allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "search");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "read");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "open");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "read");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "process", "getattr");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "transfer");
allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "call");
allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld"); allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");
// allowLog // allowLog
@ -108,12 +95,6 @@ void sepolicy::magisk_rules() {
allow("logd", SEPOL_PROC_DOMAIN, "file", "open"); allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr"); allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");
// suBackL0
allow("system_server", SEPOL_PROC_DOMAIN, "binder", "call");
allow("system_server", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "call");
allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "transfer");
// suBackL6 // suBackL6
allow("surfaceflinger", "app_data_file", "dir", ALL); allow("surfaceflinger", "app_data_file", "dir", ALL);
allow("surfaceflinger", "app_data_file", "file", ALL); allow("surfaceflinger", "app_data_file", "file", ALL);
@ -121,7 +102,6 @@ void sepolicy::magisk_rules() {
typeattribute("surfaceflinger", "mlstrustedsubject"); typeattribute("surfaceflinger", "mlstrustedsubject");
// suMiscL6 // suMiscL6
if (exists("audioserver"))
allow("audioserver", "audioserver", "process", "execmem"); allow("audioserver", "audioserver", "process", "execmem");
// Liveboot // Liveboot
@ -146,38 +126,13 @@ void sepolicy::magisk_rules() {
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer"); allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
// For mounting loop devices, mirrors, tmpfs // For mounting loop devices, mirrors, tmpfs
allow(SEPOL_PROC_DOMAIN, "kernel", "process", "setsched");
allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "mount");
allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "unmount");
allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "mount");
allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "unmount");
allow("kernel", ALL, "file", "read"); allow("kernel", ALL, "file", "read");
allow("kernel", ALL, "file", "write"); allow("kernel", ALL, "file", "write");
// Allow us to do anything to any files/dir/links
allow(SEPOL_PROC_DOMAIN, ALL, "file", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "dir", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "lnk_file", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "sock_file", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
// Allow us to do any ioctl on all block devices
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
// Allow all binder transactions // Allow all binder transactions
allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL); allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
// Super files // For changing file context
allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");
// For changing attributes
allow("rootfs", "tmpfs", "filesystem", "associate"); allow("rootfs", "tmpfs", "filesystem", "associate");
// Xposed // Xposed