From 69529ac59cd645d99aa5bcc22da268e9ea63bcfd Mon Sep 17 00:00:00 2001 From: vvb2060 Date: Wed, 15 Mar 2023 00:24:33 +0800 Subject: [PATCH] Fix restorecon --- native/src/base/include/selinux.hpp | 3 ++- native/src/core/bootstages.cpp | 4 +--- native/src/core/daemon.cpp | 2 +- native/src/core/restorecon.cpp | 20 ++++++++------------ native/src/core/scripting.cpp | 2 +- native/src/init/rootdir.cpp | 2 +- native/src/su/connect.cpp | 2 +- native/src/zygisk/entry.cpp | 2 +- 8 files changed, 16 insertions(+), 21 deletions(-) diff --git a/native/src/base/include/selinux.hpp b/native/src/base/include/selinux.hpp index bc31ed213..87e77b85f 100644 --- a/native/src/base/include/selinux.hpp +++ b/native/src/base/include/selinux.hpp @@ -18,10 +18,12 @@ // Unconstrained domain the daemon and root processes run in #define SEPOL_PROC_DOMAIN "magisk" +#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0" // Highly constrained domain, sole purpose is to connect to daemon #define SEPOL_CLIENT_DOMAIN "magisk_client" // Unconstrained file type that anyone can access #define SEPOL_FILE_TYPE "magisk_file" +#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0" // Special file type to allow clients to transit to client domain automatically #define SEPOL_EXEC_TYPE "magisk_exec" @@ -40,4 +42,3 @@ bool selinux_enabled(); void enable_selinux(); void restorecon(); void restore_tmpcon(); -void restore_databincon(); diff --git a/native/src/core/bootstages.cpp b/native/src/core/bootstages.cpp index 590b7b9e3..c4b0ddda2 100644 --- a/native/src/core/bootstages.cpp +++ b/native/src/core/bootstages.cpp @@ -57,7 +57,6 @@ static void mount_mirrors() { xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr); xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr); chmod(SECURE_DIR, 0700); - restorecon(); } // Check and mount preinit mirror @@ -233,8 +232,7 @@ static bool magisk_env() { xmkdir(DATABIN, 0755); xmkdir(SECURE_DIR "/post-fs-data.d", 0755); xmkdir(SECURE_DIR "/service.d", 0755); - - restore_databincon(); + restorecon(); if (access(DATABIN "/busybox", X_OK)) return false; diff --git a/native/src/core/daemon.cpp b/native/src/core/daemon.cpp index e7b5092fd..4dee0fb13 100644 --- a/native/src/core/daemon.cpp +++ b/native/src/core/daemon.cpp @@ -317,7 +317,7 @@ static void daemon_entry() { close(fd); setsid(); - setcon("u:r:" SEPOL_PROC_DOMAIN ":s0"); + setcon(MAGISK_PROC_CON); start_log_daemon(); diff --git a/native/src/core/restorecon.cpp b/native/src/core/restorecon.cpp index b18dbd91e..8bdd7b6ff 100644 --- a/native/src/core/restorecon.cpp +++ b/native/src/core/restorecon.cpp @@ -10,10 +10,9 @@ using namespace std; #define SYSTEM_CON "u:object_r:system_file:s0" #define ADB_CON "u:object_r:adb_data_file:s0" #define ROOT_CON "u:object_r:rootfs:s0" -#define MAGISK_CON "u:object_r:" SEPOL_FILE_TYPE ":s0" #define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0" -static void restore_syscon(int dirfd) { +static void restore_syscon_from_null(int dirfd) { struct dirent *entry; char *con; @@ -27,7 +26,7 @@ static void restore_syscon(int dirfd) { while ((entry = xreaddir(dir.get()))) { int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC); if (entry->d_type == DT_DIR) { - restore_syscon(fd); + restore_syscon_from_null(fd); continue; } else if (entry->d_type == DT_REG) { if (fgetfilecon(fd, &con) >= 0) { @@ -45,20 +44,20 @@ static void restore_syscon(int dirfd) { } } -static void restore_magiskcon(int dirfd) { +static void restore_syscon(int dirfd) { struct dirent *entry; - fsetfilecon(dirfd, MAGISK_CON); + fsetfilecon(dirfd, SYSTEM_CON); fchown(dirfd, 0, 0); auto dir = xopen_dir(dirfd); while ((entry = xreaddir(dir.get()))) { int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC); if (entry->d_type == DT_DIR) { - restore_magiskcon(fd); + restore_syscon(fd); continue; } else if (entry->d_type) { - fsetfilecon(fd, MAGISK_CON); + fsetfilecon(fd, SYSTEM_CON); fchown(fd, 0, 0); } close(fd); @@ -73,11 +72,8 @@ void restorecon() { lsetfilecon(SECURE_DIR, ADB_CON); close(fd); lsetfilecon(MODULEROOT, SYSTEM_CON); - restore_syscon(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC)); -} - -void restore_databincon() { - restore_magiskcon(xopen(DATABIN, O_RDONLY | O_CLOEXEC)); + restore_syscon_from_null(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC)); + restore_syscon(xopen(DATABIN, O_RDONLY | O_CLOEXEC)); } void restore_tmpcon() { diff --git a/native/src/core/scripting.cpp b/native/src/core/scripting.cpp index 4c46717b5..28080be3a 100644 --- a/native/src/core/scripting.cpp +++ b/native/src/core/scripting.cpp @@ -159,7 +159,7 @@ rm -f $APK )EOF"; void install_apk(const char *apk) { - setfilecon(apk, "u:object_r:" SEPOL_FILE_TYPE ":s0"); + setfilecon(apk, MAGISK_FILE_CON); exec_t exec { .fork = fork_no_orphan }; diff --git a/native/src/init/rootdir.cpp b/native/src/init/rootdir.cpp index ed651477f..d187f4ad1 100644 --- a/native/src/init/rootdir.cpp +++ b/native/src/init/rootdir.cpp @@ -72,7 +72,7 @@ on property:init.svc.zygote=restarting on property:init.svc.zygote=stopped exec %2$s 0 0 -- %1$s/magisk --zygote-restart -)EOF", tmp_dir, "u:r:" SEPOL_PROC_DOMAIN ":s0"); +)EOF", tmp_dir, MAGISK_PROC_CON); fclose(rc); clone_attr(src, dest); diff --git a/native/src/su/connect.cpp b/native/src/su/connect.cpp index cc36c9422..4d01aec71 100644 --- a/native/src/su/connect.cpp +++ b/native/src/su/connect.cpp @@ -197,7 +197,7 @@ int app_request(const su_context &ctx) { gen_rand_str(fifo + 12, 32); mkfifo(fifo, 0600); chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid); - setfilecon(fifo, "u:object_r:" SEPOL_FILE_TYPE ":s0"); + setfilecon(fifo, MAGISK_FILE_CON); // Send request vector extras; diff --git a/native/src/zygisk/entry.cpp b/native/src/zygisk/entry.cpp index aed9a7fb3..10bf019fc 100644 --- a/native/src/zygisk/entry.cpp +++ b/native/src/zygisk/entry.cpp @@ -266,7 +266,7 @@ static void setup_files(int client, const sock_cred *cred) { string ld_data = read_string(client); xwrite(ld_fd, ld_data.data(), ld_data.size()); close(ld_fd); - setfilecon(mbin.data(), "u:object_r:" SEPOL_FILE_TYPE ":s0"); + setfilecon(mbin.data(), MAGISK_FILE_CON); xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr); send_fd(client, app_fd);