Update spolicy rules

This commit is contained in:
topjohnwu 2021-10-29 03:12:48 -07:00
parent 8bd0c44e83
commit 6c5b261804


@ -30,6 +30,7 @@ void sepolicy::magisk_rules() {
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) { if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL); allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL); allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
allowxperm(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
} }
// Create unconstrained file type // Create unconstrained file type
@ -61,6 +62,7 @@ void sepolicy::magisk_rules() {
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read"); allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write"); allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl"); allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5404");
} }
// Allow these processes to access MagiskSU // Allow these processes to access MagiskSU
@ -174,13 +176,16 @@ void sepolicy::magisk_rules() {
// For changing file context // For changing file context
allow("rootfs", "tmpfs", "filesystem", "associate"); allow("rootfs", "tmpfs", "filesystem", "associate");
// Allow Zygisk to prctl PR_SET_MM // Zygisk rules
allow("zygote", "zygote", "capability", "sys_resource"); allow("zygote", "zygote", "capability", "sys_resource"); // prctl PR_SET_MM
// Allow hook
allow("zygote", "zygote", "process", "execmem"); allow("zygote", "zygote", "process", "execmem");
allow("zygote", "fs_type", "filesystem", "unmount");
allow("system_server", "system_server", "process", "execmem"); allow("system_server", "system_server", "process", "execmem");
// Shut llkd up
dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
// Allow update_engine/addon.d-v2 to run permissive on all ROMs // Allow update_engine/addon.d-v2 to run permissive on all ROMs
permissive("update_engine"); permissive("update_engine");