Fix restorecon

This commit is contained in:
vvb2060 2023-03-15 00:24:33 +08:00 committed by John Wu
parent a18a440236
commit 69529ac59c
8 changed files with 16 additions and 21 deletions

View File

@ -18,10 +18,12 @@
// Unconstrained domain the daemon and root processes run in
#define SEPOL_PROC_DOMAIN "magisk"
#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0"
// Highly constrained domain, sole purpose is to connect to daemon
#define SEPOL_CLIENT_DOMAIN "magisk_client"
// Unconstrained file type that anyone can access
#define SEPOL_FILE_TYPE "magisk_file"
#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
// Special file type to allow clients to transit to client domain automatically
#define SEPOL_EXEC_TYPE "magisk_exec"
@ -40,4 +42,3 @@ bool selinux_enabled();
void enable_selinux();
void restorecon();
void restore_tmpcon();
void restore_databincon();

View File

@ -57,7 +57,6 @@ static void mount_mirrors() {
xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
chmod(SECURE_DIR, 0700);
restorecon();
}
// Check and mount preinit mirror
@ -233,8 +232,7 @@ static bool magisk_env() {
xmkdir(DATABIN, 0755);
xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
xmkdir(SECURE_DIR "/service.d", 0755);
restore_databincon();
restorecon();
if (access(DATABIN "/busybox", X_OK))
return false;

View File

@ -317,7 +317,7 @@ static void daemon_entry() {
close(fd);
setsid();
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
setcon(MAGISK_PROC_CON);
start_log_daemon();

View File

@ -10,10 +10,9 @@ using namespace std;
#define SYSTEM_CON "u:object_r:system_file:s0"
#define ADB_CON "u:object_r:adb_data_file:s0"
#define ROOT_CON "u:object_r:rootfs:s0"
#define MAGISK_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
#define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0"
static void restore_syscon(int dirfd) {
static void restore_syscon_from_null(int dirfd) {
struct dirent *entry;
char *con;
@ -27,7 +26,7 @@ static void restore_syscon(int dirfd) {
while ((entry = xreaddir(dir.get()))) {
int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
if (entry->d_type == DT_DIR) {
restore_syscon(fd);
restore_syscon_from_null(fd);
continue;
} else if (entry->d_type == DT_REG) {
if (fgetfilecon(fd, &con) >= 0) {
@ -45,20 +44,20 @@ static void restore_syscon(int dirfd) {
}
}
static void restore_magiskcon(int dirfd) {
static void restore_syscon(int dirfd) {
struct dirent *entry;
fsetfilecon(dirfd, MAGISK_CON);
fsetfilecon(dirfd, SYSTEM_CON);
fchown(dirfd, 0, 0);
auto dir = xopen_dir(dirfd);
while ((entry = xreaddir(dir.get()))) {
int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
if (entry->d_type == DT_DIR) {
restore_magiskcon(fd);
restore_syscon(fd);
continue;
} else if (entry->d_type) {
fsetfilecon(fd, MAGISK_CON);
fsetfilecon(fd, SYSTEM_CON);
fchown(fd, 0, 0);
}
close(fd);
@ -73,11 +72,8 @@ void restorecon() {
lsetfilecon(SECURE_DIR, ADB_CON);
close(fd);
lsetfilecon(MODULEROOT, SYSTEM_CON);
restore_syscon(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
}
void restore_databincon() {
restore_magiskcon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
restore_syscon_from_null(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
restore_syscon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
}
void restore_tmpcon() {

View File

@ -159,7 +159,7 @@ rm -f $APK
)EOF";
void install_apk(const char *apk) {
setfilecon(apk, "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(apk, MAGISK_FILE_CON);
exec_t exec {
.fork = fork_no_orphan
};

View File

@ -72,7 +72,7 @@ on property:init.svc.zygote=restarting
on property:init.svc.zygote=stopped
exec %2$s 0 0 -- %1$s/magisk --zygote-restart
)EOF", tmp_dir, "u:r:" SEPOL_PROC_DOMAIN ":s0");
)EOF", tmp_dir, MAGISK_PROC_CON);
fclose(rc);
clone_attr(src, dest);

View File

@ -197,7 +197,7 @@ int app_request(const su_context &ctx) {
gen_rand_str(fifo + 12, 32);
mkfifo(fifo, 0600);
chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid);
setfilecon(fifo, "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(fifo, MAGISK_FILE_CON);
// Send request
vector<Extra> extras;

View File

@ -266,7 +266,7 @@ static void setup_files(int client, const sock_cred *cred) {
string ld_data = read_string(client);
xwrite(ld_fd, ld_data.data(), ld_data.size());
close(ld_fd);
setfilecon(mbin.data(), "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(mbin.data(), MAGISK_FILE_CON);
xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
send_fd(client, app_fd);