Update sepolicy rules

topjohnwu 2019-04-29 20:26:51 -04:00
parent a2fa8d8be1
commit 5f53cfb4a9


@ -2,6 +2,7 @@
#include "magiskpolicy.h"
#include "sepolicy.h"
#include "flags.h"
static void allowSuClient(const char *target) {
if (!sepol_exists(target))
@ -14,18 +15,6 @@ static void allowSuClient(const char *target) {
// Allow binder service
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
// Allow termios ioctl
sepol_allow(target, "devpts", "chr_file", "ioctl");
sepol_allow(target, "untrusted_app_devpts", "chr_file", "ioctl");
sepol_allow(target, "untrusted_app_25_devpts", "chr_file", "ioctl");
sepol_allow(target, "untrusted_app_all_devpts", "chr_file", "ioctl");
if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
sepol_allowxperm(target, "devpts", "chr_file", "0x5400-0x54FF");
sepol_allowxperm(target, "untrusted_app_devpts", "chr_file", "0x5400-0x54FF");
sepol_allowxperm(target, "untrusted_app_25_devpts", "chr_file", "0x5400-0x54FF");
sepol_allowxperm(target, "untrusted_app_all_devpts", "chr_file", "0x5400-0x54FF");
}
}
void sepol_magisk_rules() {
@ -47,7 +36,7 @@ void sepol_magisk_rules() {
sepol_attradd(SEPOL_PROC_DOMAIN, "bluetoothdomain");
sepol_attradd(SEPOL_FILE_DOMAIN, "mlstrustedobject");
// Let init daemon transit context
// Let init transit to SEPOL_PROC_DOMAIN
sepol_allow("kernel", "kernel", "process", "setcurrent");
sepol_allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
@ -148,7 +137,7 @@ void sepol_magisk_rules() {
sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "unmount");
sepol_allow("kernel", ALL, "file", "read");
// Allow su to do anything to any files/dir/links
// Allow us to do anything to any files/dir/links
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "file", ALL);
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "dir", ALL);
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "lnk_file", ALL);
@ -157,6 +146,10 @@ void sepol_magisk_rules() {
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
// Allow us to do any ioctl on all block devices
if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
// Allow all binder transactions
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
@ -184,12 +177,14 @@ void sepol_magisk_rules() {
// Allow update engine to source addon.d.sh
sepol_allow("update_engine", "adb_data_file", "dir", ALL);
// Remove all dontaudit
#ifdef MAGISK_DEBUG
// Remove all dontaudit in debug mode
avtab_ptr_t av;
avtab_for_each(&policydb->te_avtab, av, {
if (av->key.specified == AVTAB_AUDITDENY || av->key.specified == AVTAB_XPERMS_DONTAUDIT)
avtab_remove_node(&policydb->te_avtab, av);
})
#endif
log_cb.w = bak;
}
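Review bot: The new `sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF")` in the `-157,6 +146,10` hunk grants the entire ioctl command space on every block-device type, and its comment states only what the rule does, not why the full range is required. The devpts ioctl rules shown earlier on this page were scoped to `0x5400-0x54FF`, so someone auditing the policy cannot tell from the code whether the unbounded range here is deliberate. I would put the reason and the trust assumption in the comment, for example `// Full ioctl range on every blk_file type because <reason>; on the SELinux side the remaining gate is entry into SEPOL_PROC_DOMAIN`, and brace the single-statement `if` so a later second rule cannot slip outside the policy-version check. The body of sepol_magisk_rules starts and ends outside this hunk, so any surrounding blk_file rules are not visible here.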