mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-12-03 15:05:32 +00:00
Fix restorecon
This commit is contained in:
parent
a18a440236
commit
69529ac59c
@ -18,10 +18,12 @@
|
||||
|
||||
// Unconstrained domain the daemon and root processes run in
|
||||
#define SEPOL_PROC_DOMAIN "magisk"
|
||||
#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0"
|
||||
// Highly constrained domain, sole purpose is to connect to daemon
|
||||
#define SEPOL_CLIENT_DOMAIN "magisk_client"
|
||||
// Unconstrained file type that anyone can access
|
||||
#define SEPOL_FILE_TYPE "magisk_file"
|
||||
#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
|
||||
// Special file type to allow clients to transit to client domain automatically
|
||||
#define SEPOL_EXEC_TYPE "magisk_exec"
|
||||
|
||||
@ -40,4 +42,3 @@ bool selinux_enabled();
|
||||
void enable_selinux();
|
||||
void restorecon();
|
||||
void restore_tmpcon();
|
||||
void restore_databincon();
|
||||
|
@ -57,7 +57,6 @@ static void mount_mirrors() {
|
||||
xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
|
||||
xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
|
||||
chmod(SECURE_DIR, 0700);
|
||||
restorecon();
|
||||
}
|
||||
|
||||
// Check and mount preinit mirror
|
||||
@ -233,8 +232,7 @@ static bool magisk_env() {
|
||||
xmkdir(DATABIN, 0755);
|
||||
xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
|
||||
xmkdir(SECURE_DIR "/service.d", 0755);
|
||||
|
||||
restore_databincon();
|
||||
restorecon();
|
||||
|
||||
if (access(DATABIN "/busybox", X_OK))
|
||||
return false;
|
||||
|
@ -317,7 +317,7 @@ static void daemon_entry() {
|
||||
close(fd);
|
||||
|
||||
setsid();
|
||||
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
|
||||
setcon(MAGISK_PROC_CON);
|
||||
|
||||
start_log_daemon();
|
||||
|
||||
|
@ -10,10 +10,9 @@ using namespace std;
|
||||
#define SYSTEM_CON "u:object_r:system_file:s0"
|
||||
#define ADB_CON "u:object_r:adb_data_file:s0"
|
||||
#define ROOT_CON "u:object_r:rootfs:s0"
|
||||
#define MAGISK_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
|
||||
#define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0"
|
||||
|
||||
static void restore_syscon(int dirfd) {
|
||||
static void restore_syscon_from_null(int dirfd) {
|
||||
struct dirent *entry;
|
||||
char *con;
|
||||
|
||||
@ -27,7 +26,7 @@ static void restore_syscon(int dirfd) {
|
||||
while ((entry = xreaddir(dir.get()))) {
|
||||
int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
|
||||
if (entry->d_type == DT_DIR) {
|
||||
restore_syscon(fd);
|
||||
restore_syscon_from_null(fd);
|
||||
continue;
|
||||
} else if (entry->d_type == DT_REG) {
|
||||
if (fgetfilecon(fd, &con) >= 0) {
|
||||
@ -45,20 +44,20 @@ static void restore_syscon(int dirfd) {
|
||||
}
|
||||
}
|
||||
|
||||
static void restore_magiskcon(int dirfd) {
|
||||
static void restore_syscon(int dirfd) {
|
||||
struct dirent *entry;
|
||||
|
||||
fsetfilecon(dirfd, MAGISK_CON);
|
||||
fsetfilecon(dirfd, SYSTEM_CON);
|
||||
fchown(dirfd, 0, 0);
|
||||
|
||||
auto dir = xopen_dir(dirfd);
|
||||
while ((entry = xreaddir(dir.get()))) {
|
||||
int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
|
||||
if (entry->d_type == DT_DIR) {
|
||||
restore_magiskcon(fd);
|
||||
restore_syscon(fd);
|
||||
continue;
|
||||
} else if (entry->d_type) {
|
||||
fsetfilecon(fd, MAGISK_CON);
|
||||
fsetfilecon(fd, SYSTEM_CON);
|
||||
fchown(fd, 0, 0);
|
||||
}
|
||||
close(fd);
|
||||
@ -73,11 +72,8 @@ void restorecon() {
|
||||
lsetfilecon(SECURE_DIR, ADB_CON);
|
||||
close(fd);
|
||||
lsetfilecon(MODULEROOT, SYSTEM_CON);
|
||||
restore_syscon(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
|
||||
}
|
||||
|
||||
void restore_databincon() {
|
||||
restore_magiskcon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
|
||||
restore_syscon_from_null(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
|
||||
restore_syscon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
|
||||
}
|
||||
|
||||
void restore_tmpcon() {
|
||||
|
@ -159,7 +159,7 @@ rm -f $APK
|
||||
)EOF";
|
||||
|
||||
void install_apk(const char *apk) {
|
||||
setfilecon(apk, "u:object_r:" SEPOL_FILE_TYPE ":s0");
|
||||
setfilecon(apk, MAGISK_FILE_CON);
|
||||
exec_t exec {
|
||||
.fork = fork_no_orphan
|
||||
};
|
||||
|
@ -72,7 +72,7 @@ on property:init.svc.zygote=restarting
|
||||
|
||||
on property:init.svc.zygote=stopped
|
||||
exec %2$s 0 0 -- %1$s/magisk --zygote-restart
|
||||
)EOF", tmp_dir, "u:r:" SEPOL_PROC_DOMAIN ":s0");
|
||||
)EOF", tmp_dir, MAGISK_PROC_CON);
|
||||
|
||||
fclose(rc);
|
||||
clone_attr(src, dest);
|
||||
|
@ -197,7 +197,7 @@ int app_request(const su_context &ctx) {
|
||||
gen_rand_str(fifo + 12, 32);
|
||||
mkfifo(fifo, 0600);
|
||||
chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid);
|
||||
setfilecon(fifo, "u:object_r:" SEPOL_FILE_TYPE ":s0");
|
||||
setfilecon(fifo, MAGISK_FILE_CON);
|
||||
|
||||
// Send request
|
||||
vector<Extra> extras;
|
||||
|
@ -266,7 +266,7 @@ static void setup_files(int client, const sock_cred *cred) {
|
||||
string ld_data = read_string(client);
|
||||
xwrite(ld_fd, ld_data.data(), ld_data.size());
|
||||
close(ld_fd);
|
||||
setfilecon(mbin.data(), "u:object_r:" SEPOL_FILE_TYPE ":s0");
|
||||
setfilecon(mbin.data(), MAGISK_FILE_CON);
|
||||
xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
|
||||
|
||||
send_fd(client, app_fd);
|
||||
|
Loading…
Reference in New Issue
Block a user