From 5f53cfb4a9420c0fa2f3e0201a05411a0f50daed Mon Sep 17 00:00:00 2001
From: topjohnwu
Date: Mon, 29 Apr 2019 20:26:51 -0400
Subject: [PATCH] Update sepolicy rules

---
 native/jni/magiskpolicy/rules.cpp | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/native/jni/magiskpolicy/rules.cpp b/native/jni/magiskpolicy/rules.cpp
index ee9d96a46..929c44b6d 100644
--- a/native/jni/magiskpolicy/rules.cpp
+++ b/native/jni/magiskpolicy/rules.cpp
@@ -2,6 +2,7 @@
 #include "magiskpolicy.h"
 #include "sepolicy.h"
+#include "flags.h"
 
 static void allowSuClient(const char *target) {
 	if (!sepol_exists(target))
@@ -14,18 +15,6 @@ static void allowSuClient(const char *target) {
 	// Allow binder service
 	sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
 	sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
-
-	// Allow termios ioctl
-	sepol_allow(target, "devpts", "chr_file", "ioctl");
-	sepol_allow(target, "untrusted_app_devpts", "chr_file", "ioctl");
-	sepol_allow(target, "untrusted_app_25_devpts", "chr_file", "ioctl");
-	sepol_allow(target, "untrusted_app_all_devpts", "chr_file", "ioctl");
-	if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
-		sepol_allowxperm(target, "devpts", "chr_file", "0x5400-0x54FF");
-		sepol_allowxperm(target, "untrusted_app_devpts", "chr_file", "0x5400-0x54FF");
-		sepol_allowxperm(target, "untrusted_app_25_devpts", "chr_file", "0x5400-0x54FF");
-		sepol_allowxperm(target, "untrusted_app_all_devpts", "chr_file", "0x5400-0x54FF");
-	}
 }
 
 void sepol_magisk_rules() {
@@ -47,7 +36,7 @@ void sepol_magisk_rules() {
 	sepol_attradd(SEPOL_PROC_DOMAIN, "bluetoothdomain");
 	sepol_attradd(SEPOL_FILE_DOMAIN, "mlstrustedobject");
 
-	// Let init daemon transit context
+	// Let init transit to SEPOL_PROC_DOMAIN
 	sepol_allow("kernel", "kernel", "process", "setcurrent");
 	sepol_allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
 
@@ -148,7 +137,7 @@ void sepol_magisk_rules() {
 	sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "unmount");
 	sepol_allow("kernel", ALL, "file", "read");
 
-	// Allow su to do anything to any files/dir/links
+	// Allow us to do anything to any files/dir/links
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, "file", ALL);
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, "dir", ALL);
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, "lnk_file", ALL);
@@ -157,6 +146,10 @@ void sepol_magisk_rules() {
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
 
+	// Allow us to do any ioctl on all block devices
+	if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
+		sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
+
 	// Allow all binder transactions
 	sepol_allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
 
@@ -184,12 +177,14 @@ void sepol_magisk_rules() {
 	// Allow update engine to source addon.d.sh
 	sepol_allow("update_engine", "adb_data_file", "dir", ALL);
 
-	// Remove all dontaudit
+#ifdef MAGISK_DEBUG
+	// Remove all dontaudit in debug mode
 	avtab_ptr_t av;
 	avtab_for_each(&policydb->te_avtab, av, {
 		if (av->key.specified == AVTAB_AUDITDENY || av->key.specified == AVTAB_XPERMS_DONTAUDIT)
 			avtab_remove_node(&policydb->te_avtab, av);
 	})
+#endif
 
 	log_cb.w = bak;
 }
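Review bot: The new `sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF")` grants every ioctl number on every block device, and the one-line comment does not say why a full-range extended-permission rule is needed at all; a later reader may drop it as redundant next to the `allow ... "blk_file" ALL` that presumably sits just above the hunk (an xperm rule only refines a base `ioctl` allow, so that allow must exist for this line to have any effect). An allowxperm changes the outcome only when some other allowxperm on the same source/target/class already narrows the set, so if SEPOL_PROC_DOMAIN carries a stock attribute (the `-47` hunk shows attradd calls on it) the likely reason is an inherited rule that whitelists only a few BLK* commands on block devices — worth confirming and recording, e.g. `// Stock policy attaches an allowxperm to attributes we inherit that whitelists only a few BLK* ioctls on blk_file, so the plain allow above is not enough on xperm-capable policies; re-open the full range here (needs the blk_file allow above).` Also consider whether a bounded range would serve instead of 0x0000-0xFFFF, given that the devpts rules removed in the earlier hunk were scoped to 0x5400-0x54FF. sepol_magisk_rules starts and ends outside this hunk.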
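Review bot: The `#ifdef MAGISK_DEBUG` block should record why stripping dontaudit is now debug-only, since it makes release and debug builds of the same policy log different denials and the new comment only restates the condition. Dontaudit rules affect auditing, not access decisions, so release builds lose nothing functionally while debug policies will surface every suppressed denial; I would write `// Debug builds only: drop every dontaudit/dontauditxperm so suppressed denials show up in the audit log while developing rules; release keeps the stock dontaudit set to avoid log spam.` The loop removes the current node from inside `avtab_for_each`, which is only safe if that macro fetches the next pointer before running the body — pre-existing code and the macro is not visible here, so confirm rather than assume. `MAGISK_DEBUG` is presumably supplied by the `flags.h` include added in the first hunk; sepol_magisk_rules starts outside this hunk.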