Fix restorecon
This commit is contained in:
parent
a18a440236
commit
69529ac59c
@ -18,10 +18,12 @@
// Unconstrained domain the daemon and root processes run in
// Unconstrained domain the daemon and root processes run in
#define SEPOL_PROC_DOMAIN "magisk"
#define SEPOL_PROC_DOMAIN "magisk"
#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0"
// Highly constrained domain, sole purpose is to connect to daemon
// Highly constrained domain, sole purpose is to connect to daemon
#define SEPOL_CLIENT_DOMAIN "magisk_client"
#define SEPOL_CLIENT_DOMAIN "magisk_client"
// Unconstrained file type that anyone can access
// Unconstrained file type that anyone can access
#define SEPOL_FILE_TYPE "magisk_file"
#define SEPOL_FILE_TYPE "magisk_file"
#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
// Special file type to allow clients to transit to client domain automatically
// Special file type to allow clients to transit to client domain automatically
#define SEPOL_EXEC_TYPE "magisk_exec"
#define SEPOL_EXEC_TYPE "magisk_exec"
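Review bot: The two added context macros are the only defines in this hunk without a comment, although they are what the call sites elsewhere in this commit now use; add `// Full security-context strings for the daemon domain and the shared file type` above MAGISK_PROC_CON, and on MAGISK_FILE_CON a one-line reminder that it denotes the "anyone can access" type described on SEPOL_FILE_TYPE and so should only be applied to objects that unprivileged clients are meant to reach. Both strings also hard-code the `:s0` MLS level; if the policy is ever built with categories this is the single place to adjust, which is worth stating in the same comment.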
@ -40,4 +42,3 @@ bool selinux_enabled();
void enable_selinux();
void enable_selinux();
void restorecon();
void restorecon();
void restore_tmpcon();
void restore_tmpcon();
void restore_databincon();
@ -57,7 +57,6 @@ static void mount_mirrors() {
xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
chmod(SECURE_DIR, 0700);
chmod(SECURE_DIR, 0700);
restorecon();
}
}
// Check and mount preinit mirror
// Check and mount preinit mirror
@ -233,8 +232,7 @@ static bool magisk_env() {
xmkdir(DATABIN, 0755);
xmkdir(DATABIN, 0755);
xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
xmkdir(SECURE_DIR "/service.d", 0755);
xmkdir(SECURE_DIR "/service.d", 0755);
restorecon();
restore_databincon();
if (access(DATABIN "/busybox", X_OK))
if (access(DATABIN "/busybox", X_OK))
return false;
return false;
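Review bot: `restorecon()` replaces `restore_databincon()` here and the call in mount_mirrors() is dropped, so this line is now the single relabel pass for SECURE_DIR, MODULEROOT and DATABIN, yet nothing in the hunk says why it had to move; add `// Relabel once, after every directory it touches has been created above` so a later refactor does not hoist it back above the xmkdir calls. Whether magisk_env() is guaranteed to run after mount_mirrors() (which still chmods SECURE_DIR to 0700) is not visible here; if it is not, those directories keep whatever label they inherited until this point. The enclosing magisk_env() starts and ends outside the hunk.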
@ -317,7 +317,7 @@ static void daemon_entry() {
close(fd);
close(fd);
setsid();
setsid();
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
setcon(MAGISK_PROC_CON);
start_log_daemon();
start_log_daemon();
@ -10,10 +10,9 @@ using namespace std;
#define SYSTEM_CON "u:object_r:system_file:s0"
#define SYSTEM_CON "u:object_r:system_file:s0"
#define ADB_CON "u:object_r:adb_data_file:s0"
#define ADB_CON "u:object_r:adb_data_file:s0"
#define ROOT_CON "u:object_r:rootfs:s0"
#define ROOT_CON "u:object_r:rootfs:s0"
#define MAGISK_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
#define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0"
#define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0"
static void restore_syscon(int dirfd) {
static void restore_syscon_from_null(int dirfd) {
struct dirent *entry;
struct dirent *entry;
char *con;
char *con;
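Review bot: The renamed `restore_syscon_from_null` carries no comment, and what "from_null" means has to be guessed from the fgetfilecon check further down its body; add `// Relabel MODULEROOT entries that currently carry no usable label (see the fgetfilecon check); entries with an explicit label are left alone — TODO confirm` above the definition. This walk opens entries with the unchecked `openat` (visible in the next hunk) while its sibling `restore_syscon` uses `xopenat`, so an open failure here silently feeds fd -1 into the DT_DIR recursion; `if (fd < 0) continue;` right after the openat would make the two walks behave the same. The function body continues past the end of this hunk.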
@ -27,7 +26,7 @@ static void restore_syscon(int dirfd) {
while ((entry = xreaddir(dir.get()))) {
while ((entry = xreaddir(dir.get()))) {
int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
if (entry->d_type == DT_DIR) {
if (entry->d_type == DT_DIR) {
restore_syscon(fd);
restore_syscon_from_null(fd);
continue;
continue;
} else if (entry->d_type == DT_REG) {
} else if (entry->d_type == DT_REG) {
if (fgetfilecon(fd, &con) >= 0) {
if (fgetfilecon(fd, &con) >= 0) {
@ -45,20 +44,20 @@ static void restore_syscon(int dirfd) {
}
}
}
}
static void restore_magiskcon(int dirfd) {
static void restore_syscon(int dirfd) {
struct dirent *entry;
struct dirent *entry;
fsetfilecon(dirfd, MAGISK_CON);
fsetfilecon(dirfd, SYSTEM_CON);
fchown(dirfd, 0, 0);
fchown(dirfd, 0, 0);
auto dir = xopen_dir(dirfd);
auto dir = xopen_dir(dirfd);
while ((entry = xreaddir(dir.get()))) {
while ((entry = xreaddir(dir.get()))) {
int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
if (entry->d_type == DT_DIR) {
if (entry->d_type == DT_DIR) {
restore_magiskcon(fd);
restore_syscon(fd);
continue;
continue;
} else if (entry->d_type) {
} else if (entry->d_type) {
fsetfilecon(fd, MAGISK_CON);
fsetfilecon(fd, SYSTEM_CON);
fchown(fd, 0, 0);
fchown(fd, 0, 0);
}
}
close(fd);
close(fd);
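Review bot: `restore_syscon` now stamps system_file onto every entry that `xopenat(..., O_RDONLY | O_CLOEXEC)` manages to open, and the `else if (entry->d_type)` branch does so for any non-directory type: for a symlink the open follows the link, so the fsetfilecon/fchown pair alters the target rather than the link, and for a FIFO an O_RDONLY open blocks until a writer shows up. DATABIN presumably sits under SECURE_DIR, which mount_mirrors() chmods to 0700 and which this pass chowns to root, so only root could plant such entries, but the walk would be robust with `O_NOFOLLOW` on the xopenat and by limiting the relabel to `DT_REG` (as the sibling walk does), or by using lsetfilecon/lchown by path. A short header comment, `// Force system_file and root:root on DATABIN recursively; unlike restore_syscon_from_null this overwrites existing labels`, would also record the difference between the two walks, which the rename alone does not.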
@ -73,11 +72,8 @@ void restorecon() {
lsetfilecon(SECURE_DIR, ADB_CON);
lsetfilecon(SECURE_DIR, ADB_CON);
close(fd);
close(fd);
lsetfilecon(MODULEROOT, SYSTEM_CON);
lsetfilecon(MODULEROOT, SYSTEM_CON);
restore_syscon(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
restore_syscon_from_null(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
}
restore_syscon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
void restore_databincon() {
restore_magiskcon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
}
}
void restore_tmpcon() {
void restore_tmpcon() {
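Review bot: `restore_syscon(xopen(DATABIN, ...))` passes the raw result of xopen straight into the walker, like the MODULEROOT line above it, so if the directory cannot be opened the callee receives -1 and the relabel is skipped without restorecon() noticing; `if (int fd = xopen(DATABIN, O_RDONLY | O_CLOEXEC); fd >= 0) restore_syscon(fd);` keeps the failure visible at the call site. The switch of DATABIN from the shared magisk_file type to system_file is the behavioural core of this commit and deserves a comment here, e.g. `// DATABIN is system_file, not magisk_file: its contents are not meant to be reachable by unprivileged clients` (the intent is inferred from the header's description of the two types; confirm before committing the wording). restorecon() begins above this hunk.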
@ -159,7 +159,7 @@ rm -f $APK
)EOF";
)EOF";
void install_apk(const char *apk) {
void install_apk(const char *apk) {
setfilecon(apk, "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(apk, MAGISK_FILE_CON);
exec_t exec {
exec_t exec {
.fork = fork_no_orphan
.fork = fork_no_orphan
};
};
@ -72,7 +72,7 @@ on property:init.svc.zygote=restarting
on property:init.svc.zygote=stopped
on property:init.svc.zygote=stopped
exec %2$s 0 0 -- %1$s/magisk --zygote-restart
exec %2$s 0 0 -- %1$s/magisk --zygote-restart
)EOF", tmp_dir, "u:r:" SEPOL_PROC_DOMAIN ":s0");
)EOF", tmp_dir, MAGISK_PROC_CON);
fclose(rc);
fclose(rc);
clone_attr(src, dest);
clone_attr(src, dest);
@ -197,7 +197,7 @@ int app_request(const su_context &ctx) {
gen_rand_str(fifo + 12, 32);
gen_rand_str(fifo + 12, 32);
mkfifo(fifo, 0600);
mkfifo(fifo, 0600);
chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid);
chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid);
setfilecon(fifo, "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(fifo, MAGISK_FILE_CON);
// Send request
// Send request
vector<Extra> extras;
vector<Extra> extras;
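Review bot: `mkfifo(fifo, 0600)` is unchecked, and the chown/setfilecon that follow act on whatever exists at that path, so if the name is already taken (both calls follow symlinks) ownership and the magisk_file label would be handed to an object this request did not create. The 32-character random suffix makes a collision unlikely and the parent directory is not visible in this hunk, but failing the request on a mkfifo error is cheap: `if (mkfifo(fifo, 0600) < 0) return <error value app_request already uses>;` before the chown. app_request() starts and ends outside this hunk.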
@ -266,7 +266,7 @@ static void setup_files(int client, const sock_cred *cred) {
string ld_data = read_string(client);
string ld_data = read_string(client);
xwrite(ld_fd, ld_data.data(), ld_data.size());
xwrite(ld_fd, ld_data.data(), ld_data.size());
close(ld_fd);
close(ld_fd);
setfilecon(mbin.data(), "u:object_r:" SEPOL_FILE_TYPE ":s0");
setfilecon(mbin.data(), MAGISK_FILE_CON);
xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);
send_fd(client, app_fd);
send_fd(client, app_fd);