diff --git a/native/jni/magiskpolicy/rules.cpp b/native/jni/magiskpolicy/rules.cpp
index 5e1addea5..e8126cfb9 100644
--- a/native/jni/magiskpolicy/rules.cpp
+++ b/native/jni/magiskpolicy/rules.cpp
@@ -30,6 +30,7 @@ void sepolicy::magisk_rules() {
     if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
         allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
         allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
+        allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
     }
 
     // Create unconstrained file type
@@ -61,6 +62,7 @@ void sepolicy::magisk_rules() {
         allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
         allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
         allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
+        allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5404");
     }
 
     // Allow these processes to access MagiskSU
@@ -174,13 +176,16 @@ void sepolicy::magisk_rules() {
     // For changing file context
     allow("rootfs", "tmpfs", "filesystem", "associate");
 
-    // Allow Zygisk to prctl PR_SET_MM
-    allow("zygote", "zygote", "capability", "sys_resource");
-
-    // Allow hook
+    // Zygisk rules
+    allow("zygote", "zygote", "capability", "sys_resource"); // prctl PR_SET_MM
     allow("zygote", "zygote", "process", "execmem");
+    allow("zygote", "fs_type", "filesystem", "unmount");
     allow("system_server", "system_server", "process", "execmem");
 
+    // Shut llkd up
+    dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
+    dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
+
     // Allow update_engine/addon.d-v2 to run permissive on all ROMs
     permissive("update_engine");
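Review bot: The new `allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL)` line grants every ioctl extended permission on every character-device type to the daemon domain, and nothing in the hunk records which ioctls actually motivated it. The neighbouring blk_file and fifo_file grants already take the same all-or-nothing shape, so this is consistent with the existing intent of an essentially unconstrained daemon domain, but a one-line comment naming the driver or ioctl family that needed it would let a later reviewer narrow the rule instead of keeping it by inertia. Something like `// needed for <device/ioctl family>; narrow to specific xperms once the callers are known` is enough. The enclosing if-block is fully visible here, but magisk_rules() itself continues outside the hunk.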
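Review bot: The added `allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5404")` is emitted unconditionally, whereas the only other allowxperm calls in this file shown in the first hunk are guarded by `db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL`; unless allowxperm is known to be a harmless no-op on pre-xperm policies, this line should sit under the same version check so older policy databases are not handed an extended-permission rule they cannot represent. The bare `"0x5404"` is also a magic number: on the generic Linux termios layout that value appears to be TCSETSF, but I would confirm that before relying on it, and in any case the line deserves a trailing comment, e.g. `allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5404"); // TCSETSF (verify) — needed alongside the plain ioctl grant above`. The loop that binds `type` starts before this hunk, so the set of device types receiving the grant is not visible here.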