From 66788dc58c06b81cc28114e3764c2c2e2b2e6d61 Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Mon, 16 Oct 2023 17:38:44 -0700 Subject: [PATCH] Cleanup SELinux support --- native/src/Android.mk | 2 +- native/src/base/Android.mk | 1 - native/src/base/files.cpp | 1 - native/src/base/include/selinux.hpp | 39 ------ native/src/base/lib.rs | 2 +- native/src/base/selinux.cpp | 114 ------------------ .../src/core/{restorecon.cpp => selinux.cpp} | 72 ++++++++++- native/src/include/magisk.hpp | 7 ++ native/src/include/selinux.hpp | 16 +++ native/src/init/mount.cpp | 1 - native/src/init/rootdir.cpp | 2 +- native/src/sepolicy/include/sepolicy.hpp | 15 ++- native/src/sepolicy/rules.cpp | 1 + 13 files changed, 110 insertions(+), 163 deletions(-) delete mode 100644 native/src/base/include/selinux.hpp delete mode 100644 native/src/base/selinux.cpp rename native/src/core/{restorecon.cpp => selinux.cpp} (57%) create mode 100644 native/src/include/selinux.hpp diff --git a/native/src/Android.mk b/native/src/Android.mk index 0b7ef2d60..1bb0c2d99 100644 --- a/native/src/Android.mk +++ b/native/src/Android.mk @@ -24,7 +24,7 @@ LOCAL_SRC_FILES := \ core/db.cpp \ core/package.cpp \ core/scripting.cpp \ - core/restorecon.cpp \ + core/selinux.cpp \ core/module.cpp \ core/thread.cpp \ core/resetprop/resetprop.cpp \ diff --git a/native/src/base/Android.mk b/native/src/base/Android.mk index 32491495b..b34312c57 100644 --- a/native/src/base/Android.mk +++ b/native/src/base/Android.mk @@ -17,7 +17,6 @@ LOCAL_SRC_FILES := \ new.cpp \ files.cpp \ misc.cpp \ - selinux.cpp \ logging.cpp \ stream.cpp \ base-rs.cpp \ diff --git a/native/src/base/files.cpp b/native/src/base/files.cpp index 3cb989875..f1476c716 100644 --- a/native/src/base/files.cpp +++ b/native/src/base/files.cpp @@ -7,7 +7,6 @@ #include #include -#include using namespace std; diff --git a/native/src/base/include/selinux.hpp b/native/src/base/include/selinux.hpp deleted file mode 100644 index 3d783ea3d..000000000 
--- a/native/src/base/include/selinux.hpp
+++ /dev/null
@@ -1,39 +0,0 @@
-#pragma once
-
-// selinuxfs paths
-#define SELINUX_MNT "/sys/fs/selinux"
-#define SELINUX_ENFORCE SELINUX_MNT "/enforce"
-#define SELINUX_POLICY SELINUX_MNT "/policy"
-#define SELINUX_LOAD SELINUX_MNT "/load"
-#define SELINUX_CONTEXT SELINUX_MNT "/context"
-#define SELINUX_VERSION SELINUX_MNT "/policyvers"
-
-// sepolicy paths
-#define PLAT_POLICY_DIR "/system/etc/selinux/"
-#define VEND_POLICY_DIR "/vendor/etc/selinux/"
-#define PROD_POLICY_DIR "/product/etc/selinux/"
-#define ODM_POLICY_DIR "/odm/etc/selinux/"
-#define SYSEXT_POLICY_DIR "/system_ext/etc/selinux/"
-#define SPLIT_PLAT_CIL PLAT_POLICY_DIR "plat_sepolicy.cil"
-
-// Unconstrained domain the daemon and root processes run in
-#define SEPOL_PROC_DOMAIN "magisk"
-#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0"
-// Unconstrained file type that anyone can access
-#define SEPOL_FILE_TYPE "magisk_file"
-#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
-
-extern void (*freecon)(char *con);
-extern int (*setcon)(const char *con);
-extern int (*getfilecon)(const char *path, char **con);
-extern int (*lgetfilecon)(const char *path, char **con);
-extern int (*fgetfilecon)(int fd, char **con);
-extern int (*setfilecon)(const char *path, const char *con);
-extern int (*lsetfilecon)(const char *path, const char *con);
-extern int (*fsetfilecon)(int fd, const char *con);
-void getfilecon_at(int dirfd, const char *name, char **con);
-void setfilecon_at(int dirfd, const char *name, const char *con);
-
-void enable_selinux();
-void restorecon();
-void restore_tmpcon();
diff --git a/native/src/base/lib.rs b/native/src/base/lib.rs
index 58e533360..d3888db17 100644
--- a/native/src/base/lib.rs
+++ b/native/src/base/lib.rs
@@ -44,6 +44,7 @@ pub mod ffi { fn set_log_level_state_cxx(level: LogLevelCxx, enabled: bool); fn exit_on_error(b: bool); fn cmdline_logging(); + fn enable_selinux(); } #[namespace = "rust"]
@@ -55,7 +56,6 @@ pub mod ffi { fn map_file_for_cxx(path: &[u8], rw: bool) -> &'static mut [u8]; #[cxx_name = "map_fd"] fn map_fd_for_cxx(fd: i32, sz: usize, rw: bool) -> &'static mut [u8]; - fn enable_selinux(); } } diff --git a/native/src/base/selinux.cpp b/native/src/base/selinux.cpp deleted file mode 100644 index 0905bbba9..000000000 --- a/native/src/base/selinux.cpp +++ /dev/null 
@@ -1,114 +0,0 @@ -#include -#include -#include - -#include -#include -#include - -using namespace std; - -// Stub implementation - -static int stub(const char *) { return 0; } - -static int stub(const char *, const char *) { return 0; } - -static int stub(const char *, char **ctx) { - *ctx = strdup(""); - return 0; -} - -static int stub(int, const char *) { return 0; } - -static int stub(int, char **ctx) { - *ctx = strdup(""); - return 0; -} - -// Builtin implementation - -static void __freecon(char *s) { - free(s); -} - -static int __setcon(const char *ctx) { - int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC); - if (fd < 0) - return fd; - size_t len = strlen(ctx) + 1; - int rc = write(fd, ctx, len); - close(fd); - return rc != len; -} - -static int __getfilecon(const char *path, char **ctx) { - char buf[1024]; - int rc = syscall(__NR_getxattr, path, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); - if (rc >= 0) - *ctx = strdup(buf); - return rc; -} - -static int __lgetfilecon(const char *path, char **ctx) { - char buf[1024]; - int rc = syscall(__NR_lgetxattr, path, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); - if (rc >= 0) - *ctx = strdup(buf); - return rc; -} - -static int __fgetfilecon(int fd, char **ctx) { - char buf[1024]; - int rc = syscall(__NR_fgetxattr, fd, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); - if (rc >= 0) - *ctx = strdup(buf); - return rc; -} - -static int __setfilecon(const char *path, const char *ctx) { - return syscall(__NR_setxattr, path, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); -} - -static int __lsetfilecon(const char *path, const char *ctx) { - return syscall(__NR_lsetxattr, path, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); -} - -static int __fsetfilecon(int fd, const char *ctx) { - return syscall(__NR_fsetxattr, fd, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); -} - -// Function pointers - -void (*freecon)(char *) = __freecon; -int (*setcon)(const char *) = stub; -int (*getfilecon)(const char *, char **) = stub; -int 
(*lgetfilecon)(const char *, char **) = stub; -int (*fgetfilecon)(int, char **) = stub; -int (*setfilecon)(const char *, const char *) = stub; -int (*lsetfilecon)(const char *, const char *) = stub; -int (*fsetfilecon)(int, const char *) = stub; - -void getfilecon_at(int dirfd, const char *name, char **con) { - char path[4096]; - fd_pathat(dirfd, name, path, sizeof(path)); - if (lgetfilecon(path, con)) - *con = strdup(""); -} - -void setfilecon_at(int dirfd, const char *name, const char *con) { - char path[4096]; - fd_pathat(dirfd, name, path, sizeof(path)); - lsetfilecon(path, con); -} - -void enable_selinux() { - rust::enable_selinux(); - setcon = __setcon; - getfilecon = __getfilecon; - lgetfilecon = __lgetfilecon; - fgetfilecon = __fgetfilecon; - setfilecon = __setfilecon; - lsetfilecon = __lsetfilecon; - fsetfilecon = __fsetfilecon; -} diff --git a/native/src/core/restorecon.cpp b/native/src/core/selinux.cpp similarity index 57% rename from native/src/core/restorecon.cpp rename to native/src/core/selinux.cpp index 3494cffa8..474e5f190 100644 --- a/native/src/core/restorecon.cpp +++ b/native/src/core/selinux.cpp 
@@ -1,11 +1,77 @@ -#include +#include +#include +#include #include -#include #include +#include +#include using namespace std; +void freecon(char *s) { + free(s); +} + +int setcon(const char *ctx) { + int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC); + if (fd < 0) + return fd; + size_t len = strlen(ctx) + 1; + int rc = write(fd, ctx, len); + close(fd); + return rc != len; +} + +int getfilecon(const char *path, char **ctx) { + char buf[1024]; + int rc = syscall(__NR_getxattr, path, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); + if (rc >= 0) + *ctx = strdup(buf); + return rc; +} + +int lgetfilecon(const char *path, char **ctx) { + char buf[1024]; + int rc = syscall(__NR_lgetxattr, path, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); + if (rc >= 0) + *ctx = strdup(buf); + return rc; +} + +int fgetfilecon(int fd, char **ctx) { + char buf[1024]; + int rc = syscall(__NR_fgetxattr, fd, XATTR_NAME_SELINUX, buf, sizeof(buf) - 1); + if (rc >= 0) + *ctx = strdup(buf); + return rc; +} + +int setfilecon(const char *path, const char *ctx) { + return syscall(__NR_setxattr, path, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); +} + +int lsetfilecon(const char *path, const char *ctx) { + return syscall(__NR_lsetxattr, path, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); +} + +int fsetfilecon(int fd, const char *ctx) { + return syscall(__NR_fsetxattr, fd, XATTR_NAME_SELINUX, ctx, strlen(ctx) + 1, 0); +} + +void getfilecon_at(int dirfd, const char *name, char **con) { + char path[4096]; + fd_pathat(dirfd, name, path, sizeof(path)); + if (lgetfilecon(path, con)) + *con = strdup(""); +} + +void setfilecon_at(int dirfd, const char *name, const char *con) { + char path[4096]; + fd_pathat(dirfd, name, path, sizeof(path)); + lsetfilecon(path, con); +} + #define UNLABEL_CON "u:object_r:unlabeled:s0" #define SYSTEM_CON "u:object_r:system_file:s0" #define ADB_CON "u:object_r:adb_data_file:s0" 
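Review bot: In getfilecon, lgetfilecon and fgetfilecon the value returned by the *getxattr syscall is handed to strdup without being terminated: the call reads at most sizeof(buf) - 1 bytes, but nothing writes a NUL at buf[rc], so a security.selinux value stored without its trailing NUL (or an empty value, rc == 0) makes strdup read uninitialized stack. Terminate on the success path in all three, `if (rc >= 0) { buf[rc] = '\0'; *ctx = strdup(buf); }`. Separately, the stubs these bodies replace (deleted base/selinux.cpp) always set *ctx to strdup("") and returned 0, whereas the new bodies leave *ctx untouched on failure and return the negative rc; getfilecon_at handles that, but any caller outside this hunk that reads or freecon()s *ctx without checking the return would now use an uninitialized pointer, which is worth auditing now that the real implementations are no longer gated behind enable_selinux(). In setcon the write() result is stored in an int and compared against a size_t; `ssize_t rc = write(fd, ctx, len);` keeps the comparison signed-correct and is what the fd-error path expects.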
@@ -64,7 +130,7 @@ static void restore_syscon(int dirfd) { } void restorecon() { - int fd = xopen(SELINUX_CONTEXT, O_WRONLY | O_CLOEXEC); + int fd = xopen("/sys/fs/selinux/context", O_WRONLY | O_CLOEXEC); if (write(fd, ADB_CON, sizeof(ADB_CON)) >= 0) lsetfilecon(SECURE_DIR, ADB_CON); close(fd); diff --git a/native/src/include/magisk.hpp b/native/src/include/magisk.hpp index 3b7fcb3b1..9010aab2c 100644 --- a/native/src/include/magisk.hpp +++ b/native/src/include/magisk.hpp @@ -33,6 +33,13 @@ constexpr const char *applet_names[] = { "su", "resetprop", nullptr }; #define POST_FS_DATA_WAIT_TIME 40 #define POST_FS_DATA_SCRIPT_MAX_TIME 35 +// Unconstrained domain the daemon and root processes run in +#define SEPOL_PROC_DOMAIN "magisk" +#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0" +// Unconstrained file type that anyone can access +#define SEPOL_FILE_TYPE "magisk_file" +#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0" + extern int SDK_INT; #define APP_DATA_DIR (SDK_INT >= 24 ? "/data/user_de" : "/data/user") diff --git a/native/src/include/selinux.hpp b/native/src/include/selinux.hpp new file mode 100644 index 000000000..2fec2109f --- /dev/null +++ b/native/src/include/selinux.hpp @@ -0,0 +1,16 @@ +#pragma once + +void freecon(char *con); +int setcon(const char *con); +int getfilecon(const char *path, char **con); +int lgetfilecon(const char *path, char **con); +int fgetfilecon(int fd, char **con); +int setfilecon(const char *path, const char *con); +int lsetfilecon(const char *path, const char *con); +int fsetfilecon(int fd, const char *con); +void getfilecon_at(int dirfd, const char *name, char **con); +void setfilecon_at(int dirfd, const char *name, const char *con); + +//void enable_selinux(); +void restorecon(); +void restore_tmpcon(); diff --git a/native/src/init/mount.cpp b/native/src/init/mount.cpp index e8b3c171b..04e82dc87 100644 --- a/native/src/init/mount.cpp +++ b/native/src/init/mount.cpp 
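Review bot: The selinuxfs context path becomes a bare literal in restorecon() while the sibling paths (SELINUX_ENFORCE, SELINUX_POLICY, SELINUX_LOAD, SELINUX_VERSION) are moved into sepolicy.hpp as SELINUX_MNT-derived macros; SELINUX_CONTEXT is the one macro from the deleted base/include/selinux.hpp that is dropped rather than moved, leaving a second spelling of the mount point. Keeping `#define SELINUX_CONTEXT SELINUX_MNT "/context"` next to the others in the sepolicy.hpp hunk and writing `int fd = xopen(SELINUX_CONTEXT, O_WRONLY | O_CLOEXEC);` here avoids that; if core/selinux.cpp is not meant to include sepolicy.hpp, a comment on the literal such as `// selinuxfs context-validation file: a successful write means ADB_CON is a valid context` would at least document why the write result gates the relabel. restorecon()'s body continues past the hunk.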
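Review bot: The new native/src/include/selinux.hpp carries a commented-out declaration, `//void enable_selinux();`, with no explanation; the lib.rs hunk in this commit moves `fn enable_selinux()` out of the `#[namespace = "rust"]` block, so the C++ side presumably now gets its declaration from the cxx-generated bridge header. Either drop the line or replace it with `// enable_selinux() is declared by the cxx bridge (base/lib.rs), not here` so a reader does not mistake it for a pending TODO. The header would also benefit from a one-line contract comment on the `char **con` out-parameters — the implementations in core/selinux.cpp return a malloc'd string that the caller releases with freecon(), and on failure leave *con unset — since that is no longer visible from the declarations alone.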
@@ -5,7 +5,6 @@ #include #include -#include #include #include "init.hpp" diff --git a/native/src/init/rootdir.cpp b/native/src/init/rootdir.cpp index 9761d6b92..79b22b419 100644 --- a/native/src/init/rootdir.cpp +++ b/native/src/init/rootdir.cpp @@ -2,9 +2,9 @@ #include #include +#include #include #include -#include #include #include "init.hpp" diff --git a/native/src/sepolicy/include/sepolicy.hpp b/native/src/sepolicy/include/sepolicy.hpp index d0c727d9d..29e95b166 100644 --- a/native/src/sepolicy/include/sepolicy.hpp +++ b/native/src/sepolicy/include/sepolicy.hpp @@ -3,7 +3,20 @@ #include #include -#include +// sepolicy paths +#define PLAT_POLICY_DIR "/system/etc/selinux/" +#define VEND_POLICY_DIR "/vendor/etc/selinux/" +#define PROD_POLICY_DIR "/product/etc/selinux/" +#define ODM_POLICY_DIR "/odm/etc/selinux/" +#define SYSEXT_POLICY_DIR "/system_ext/etc/selinux/" +#define SPLIT_PLAT_CIL PLAT_POLICY_DIR "plat_sepolicy.cil" + +// selinuxfs paths +#define SELINUX_MNT "/sys/fs/selinux" +#define SELINUX_ENFORCE SELINUX_MNT "/enforce" +#define SELINUX_POLICY SELINUX_MNT "/policy" +#define SELINUX_LOAD SELINUX_MNT "/load" +#define SELINUX_VERSION SELINUX_MNT "/policyvers" using token_list = std::vector; using argument = std::pair; diff --git a/native/src/sepolicy/rules.cpp b/native/src/sepolicy/rules.cpp index 2f57a863f..46be64f5f 100644 --- a/native/src/sepolicy/rules.cpp +++ b/native/src/sepolicy/rules.cpp @@ -1,3 +1,4 @@ +#include #include #include "policy.hpp"