From 68442f38acaaa06ad4fe2845a6122eae9c4d9d52 Mon Sep 17 00:00:00 2001 From: canyie Date: Mon, 13 Nov 2023 19:11:24 +0800 Subject: [PATCH] Misc changes - actions: Update all actions/checkout references to v4 - magiskboot: Add missing new line to dtb help message - docs: Update documents, fix some errors and remove outdated info --- .github/workflows/build.yml | 2 +- docs/details.md | 2 +- docs/guides.md | 2 +- docs/tools.md | 53 +++++++++++++++++++++++++++---------- native/src/boot/dtb.rs | 3 ++- 5 files changed, 44 insertions(+), 18 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a8b3541ad..d2c0bc9ca 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -107,7 +107,7 @@ jobs: steps: - name: Check out - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 diff --git a/docs/details.md b/docs/details.md index e149e9948..1256bc1ad 100644 --- a/docs/details.md +++ b/docs/details.md @@ -110,4 +110,4 @@ Before Android 8.0, all allowed su client domains are allowed to directly connec After Android 8.0, to reduce relaxation of rules in Android's sandbox, a new SELinux model is deployed. The `magisk` binary is labelled with `magisk_exec` file type, and processes running as allowed su client domains executing the `magisk` binary (this includes the `su` command) will transit to `magisk_client` by using a `type_transition` rule. Rules strictly restrict that only `magisk` domain processes are allowed to attribute files to `magisk_exec`. Direct connection to sockets of `magiskd` are not allowed; the only way to access the daemon is through a `magisk_client` process. These changes allow us to keep the sandbox intact, and keep Magisk specific rules separated from the rest of the policies. -The full set of rules can be found in `magiskpolicy/rules.cpp`. +The full set of rules can be found in `sepolicy/rules.cpp`. diff --git a/docs/guides.md b/docs/guides.md index e810e7274..6bd7e5c84 100644 
--- a/docs/guides.md +++ b/docs/guides.md @@ -265,7 +265,7 @@ Overlay files shall be placed in the `overlay.d` folder in boot image ramdisk, a To add additional files which you can refer to in your custom `*.rc` scripts, add them into `overlay.d/sbin`. The 3 rules above do not apply to anything in this folder; instead, they will be directly copied to Magisk's internal `tmpfs` directory (which used to always be `/sbin`). -Starting from Android 11, the `/sbin` folder may no longer exists, and in that scenario, Magisk randomly generates a different `tmpfs` folder each boot. Every occurrence of the pattern `${MAGISKTMP}` in your `*.rc` scripts will be replaced with the Magisk `tmpfs` folder when `magiskinit` injects it into `init.rc`. On pre Android 11 devices, `${MAGISKTMP}` will simply be replaced with `/sbin`, so **NEVER** hardcode `/sbin` in the `*.rc` scripts when referencing these additional files. +Starting from Android 11, the `/sbin` folder may no longer exists, and in that scenario, Magisk uses `/debug_ramdisk` instead. Every occurrence of the pattern `${MAGISKTMP}` in your `*.rc` scripts will be replaced with the Magisk `tmpfs` folder when `magiskinit` injects it into `init.rc`. On pre Android 11 devices, `${MAGISKTMP}` will simply be replaced with `/sbin`, so **NEVER** hardcode `/sbin` in the `*.rc` scripts when referencing these additional files. Here is an example of how to setup `overlay.d` with a custom `*.rc` script: diff --git a/docs/tools.md b/docs/tools.md index 27cdc2420..3d2448ffe 100644 --- a/docs/tools.md +++ b/docs/tools.md 
@@ -16,7 +16,7 @@ su -> magisk A tool to unpack / repack boot images, parse / patch / extract cpio, patch dtb, hex patch binaries, and compress / decompress files with multiple algorithms. -`magiskboot` natively supports (which means it does not rely on external tools) common compression formats including `gzip`, `lz4`, `lz4_legacy` ([only used on LG](https://events.static.linuxfound.org/sites/events/files/lcjpcojp13_klee.pdf)), `lzma`, `xz`, and `bzip2`. +`magiskboot` natively supports (which means it does not rely on external tools) common compression formats including `gzip`, `lz4`, `lz4_legacy` , `lz4_lg` ([the LG edition](https://events.static.linuxfound.org/sites/events/files/lcjpcojp13_klee.pdf) of `lz4_legacy`, only used on LG), `lzma`, `xz`, and `bzip2`. The concept of `magiskboot` is to make boot image modification simpler. For unpacking, it parses the header and extracts all sections in the image, decompressing on-the-fly if compression is detected in any sections. For repacking, the original boot image is required so the original headers can be used, changing only the necessary entries such as section sizes and checksum. All sections will be compressed back to the original format if required. The tool also supports many CPIO and DTB operations. 
@@ -51,6 +51,28 @@ Supported actions: If env variable PATCHVBMETAFLAG is set to true, all disable flags in the boot image's vbmeta header will be set. + verify [x509.pem] + Check whether the boot image is signed with AVB 1.0 signature. + Optionally provide a certificate to verify whether the image is + signed by the public key certificate. + Return value: + 0:valid 1:error + + sign [name] [x509.pem pk8] + Sign with AVB 1.0 signature. + Optionally provide the name of the image (default: '/boot'). + Optionally provide the certificate/private key pair for signing. + If the certificate/private key pair is not provided, the AOSP + verity key bundled in the executable will be used. + + extract [partition] [outfile] + Extract [partition] from to [outfile]. + If [outfile] is not specified, then output to '[partition].img'. + If [partition] is not specified, then attempt to extract either + 'init_boot' or 'boot'. Which partition was chosen can be determined + by whichever 'init_boot.img' or 'boot.img' exists. + can be '-' to be STDIN. + hexpatch Search in , and replace it with @@ -83,8 +105,6 @@ Supported actions: Create ramdisk backups from ORIG restore Restore ramdisk from ramdisk backup stored within incpio - sha1 - Print stock boot SHA1 if previously backed up in ramdisk dtb [args...] Do dtb related actions to @@ -222,7 +242,7 @@ Options: -v print running daemon version -V print running daemon version code --list list all available applets - --remove-modules remove all modules and reboot + --remove-modules [-n] remove all modules, reboot if -n is not provided --install-module ZIP install a module zip file Advanced Options (Internal APIs): @@ -237,6 +257,7 @@ Advanced Options (Internal APIs): --sqlite SQL exec SQL commands to Magisk database --path print Magisk tmpfs mount path --denylist ARGS denylist config CLI + --preinit-device resolve a device to store preinit files Available applets: su, resetprop 
@@ -261,20 +282,24 @@ An applet of `magisk`, the MagiskSU entry point. Good old `su` command. Usage: su [options] [-] [user [argument...]] Options: - -c, --command COMMAND pass COMMAND to the invoked shell - -h, --help display this help message and exit - -, -l, --login pretend the shell to be a login shell + -c, --command COMMAND Pass COMMAND to the invoked shell + -g, --group GROUP Specify the primary group + -G, --supp-group GROUP Specify a supplementary group. + The first specified supplementary group is also used + as a primary group if the option -g is not specified. + -Z, --context CONTEXT Change SELinux context + -t, --target PID PID to take mount namespace from + -h, --help Display this help message and exit + -, -l, --login Pretend the shell to be a login shell -m, -p, - --preserve-environment preserve the entire environment - -s, --shell SHELL use SHELL instead of the default /system/bin/sh - -v, --version display version number and exit - -V display version code and exit + --preserve-environment Preserve the entire environment + -s, --shell SHELL Use SHELL instead of the default /system/bin/sh + -v, --version Display version number and exit + -V Display version code and exit -mm, -M, - --mount-master force run in the global mount namespace + --mount-master Force run in the global mount namespace ``` -Note: even though the `-Z, --context` option is not listed above, the option still exists for CLI compatibility with apps designed for SuperSU. However the option is silently ignored since it's no longer relevant. - ### resetprop An applet of `magisk`. An advanced system property manipulation utility. Check the [Resetprop Details](details.md#resetprop) for more background information. diff --git a/native/src/boot/dtb.rs b/native/src/boot/dtb.rs index 7ec6eb9f3..371a80404 100644 --- a/native/src/boot/dtb.rs +++ b/native/src/boot/dtb.rs 
@@ -49,7 +49,8 @@ fn print_dtb_usage() { Do dtb related actions to . Supported actions: - print [-f] Print all contents of dtb for debugging + print [-f] + Print all contents of dtb for debugging Specify [-f] to only print fstab nodes patch Search for fstab and remove verity/avb
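Review bot: In `.github/workflows/build.yml`, `uses: actions/checkout@v4` still references a mutable tag; consider pinning the action to a full commit SHA with the version in a trailing comment, so that a moved tag cannot change what the build job runs. The commit message says all `actions/checkout` references are updated, while the diffstat shows one changed line in this file, so it is worth confirming that no other `@v3` reference remains in the workflows.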
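Review bot: In the `docs/details.md` hunk, the new path `sepolicy/rules.cpp` is not rooted anywhere. The other source file touched by this patch is `native/src/boot/dtb.rs`, so give the rules file as a path relative to the repository root (or link it), so that readers auditing the SELinux rules can find it.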
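Review bot: In the `docs/guides.md` hunk, the rewritten sentence keeps the grammar slip "may no longer exists"; change it to "may no longer exist" while the line is being touched. The sentence now names `/debug_ramdisk` as the replacement, but the following sentence still speaks only of "the Magisk `tmpfs` folder", so it would help to say explicitly that `${MAGISKTMP}` expands to `/debug_ramdisk` in that scenario and that scripts should keep using the variable rather than either literal path.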
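Review bot: In the `docs/tools.md` compression-format sentence, there is a stray space before the comma in "`lz4_legacy` , `lz4_lg`"; remove it. The parenthetical also states the LG connection twice ("the LG edition" and "only used on LG"), so one of the two can be dropped.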
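Review bot: In the new `sign` help text in `docs/tools.md`, the fallback to "the AOSP verity key bundled in the executable" needs a caveat: a private key shipped inside the binary is available to anyone who has the tool, so a signature made with it does not show who produced the image. The `verify` entry has a related gap: it does not say which key the signature is checked against when `[x509.pem]` is omitted, and the return values `0:valid 1:error` do not distinguish an invalid signature from an unsigned or unreadable image. Suggest stating both points in the help text so that callers scripting around the exit code know what a `0` actually establishes.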
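Review bot: In the `su` usage block of `docs/tools.md`, `-Z, --context CONTEXT` goes from a documented no-op (the removed note said it was "silently ignored") to "Change SELinux context" with no description of which contexts are accepted or what happens when the requested one is invalid. The same applies to `-t, --target PID`, which does not say how it interacts with `-mm, --mount-master`. Both options change the confinement of the resulting root shell, so add a sentence for each below the block, and mention the behaviour change for apps that pass `-Z` for SuperSU compatibility.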