mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-11-24 02:25:28 +00:00
Prevent any SELinux issues of root shell streams
This commit is contained in:
parent
38fcc57bbf
commit
762b678d24
@ -10,10 +10,6 @@ static void allowSuClient(const char *target) {
|
||||
sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use");
|
||||
sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL);
|
||||
|
||||
// Allow access to magisk files
|
||||
sepol_allow(target, SEPOL_FILE_DOMAIN, "file", ALL);
|
||||
sepol_allow(target, SEPOL_FILE_DOMAIN, "dir", ALL);
|
||||
|
||||
// Allow binder service
|
||||
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
|
||||
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
|
||||
@ -150,10 +146,15 @@ void sepol_magisk_rules() {
|
||||
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
|
||||
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
|
||||
|
||||
// Super files
|
||||
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
|
||||
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
|
||||
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
|
||||
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
|
||||
sepol_allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");
|
||||
|
||||
// For changing attributes
|
||||
sepol_allow("rootfs", "tmpfs", "filesystem", "associate");
|
||||
sepol_allow(SEPOL_FILE_DOMAIN, "labeledfs", "filesystem", "associate");
|
||||
sepol_allow(SEPOL_FILE_DOMAIN, "tmpfs", "filesystem", "associate");
|
||||
|
||||
// Xposed
|
||||
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
||||
|
@ -267,7 +267,6 @@ void su_daemon_handler(int client, struct ucred *credential) {
|
||||
int infd = recv_fd(client);
|
||||
int outfd = recv_fd(client);
|
||||
int errfd = recv_fd(client);
|
||||
int ptsfd = -1;
|
||||
|
||||
if (pts_slave[0]) {
|
||||
LOGD("su: pts_slave=[%s]\n", pts_slave);
|
||||
@ -279,13 +278,10 @@ void su_daemon_handler(int client, struct ucred *credential) {
|
||||
if(st.st_uid != info->uid && info->uid != 0)
|
||||
LOGE("su: Wrong permission of pts_slave");
|
||||
|
||||
// Set our pts_slave to devpts, same restriction as adb shell
|
||||
lsetfilecon(pts_slave, "u:object_r:devpts:s0");
|
||||
|
||||
// Opening the TTY has to occur after the
|
||||
// fork() and setsid() so that it becomes
|
||||
// our controlling TTY and not the daemon's
|
||||
ptsfd = xopen(pts_slave, O_RDWR);
|
||||
int ptsfd = xopen(pts_slave, O_RDWR);
|
||||
|
||||
if (infd < 0)
|
||||
infd = ptsfd;
|
||||
@ -302,7 +298,14 @@ void su_daemon_handler(int client, struct ucred *credential) {
|
||||
xdup2(outfd, STDOUT_FILENO);
|
||||
xdup2(errfd, STDERR_FILENO);
|
||||
|
||||
close(ptsfd);
|
||||
// Unleash all streams from SELinux hell
|
||||
setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
|
||||
setfilecon("/proc/self/fd/1", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
|
||||
setfilecon("/proc/self/fd/2", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
|
||||
|
||||
close(infd);
|
||||
close(outfd);
|
||||
close(errfd);
|
||||
close(client);
|
||||
|
||||
// Handle namespaces
|
||||
|
Loading…
Reference in New Issue
Block a user