Prevent any SELinux issues of root shell streams

topjohnwu 2018-11-23 20:59:14 -05:00
parent 38fcc57bbf
commit 762b678d24
2 changed files with 16 additions and 12 deletions


@ -10,10 +10,6 @@ static void allowSuClient(const char *target) {
sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use"); sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use");
sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL); sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL);
// Allow access to magisk files
sepol_allow(target, SEPOL_FILE_DOMAIN, "file", ALL);
sepol_allow(target, SEPOL_FILE_DOMAIN, "dir", ALL);
// Allow binder service // Allow binder service
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call"); sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer"); sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
@ -150,10 +146,15 @@ void sepol_magisk_rules() {
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL); sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL); sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
// Super files
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
sepol_allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");
// For changing attributes // For changing attributes
sepol_allow("rootfs", "tmpfs", "filesystem", "associate"); sepol_allow("rootfs", "tmpfs", "filesystem", "associate");
sepol_allow(SEPOL_FILE_DOMAIN, "labeledfs", "filesystem", "associate");
sepol_allow(SEPOL_FILE_DOMAIN, "tmpfs", "filesystem", "associate");
// Xposed // Xposed
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid"); sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
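Review bot: The new `sepol_allow(ALL, SEPOL_FILE_DOMAIN, ..., ALL)` rules under `// Super files` give every domain, including `untrusted_app`, every permission on any file, dir, fifo or character device labelled SEPOL_FILE_DOMAIN, so for those objects only DAC remains as a check. That is wider than the per-client rules this commit removes from allowSuClient. If the goal is only to let stream I/O through, consider naming the needed permissions instead of ALL for `fifo_file` and `chr_file`. At minimum the comment should record the intent, e.g. `// Super files: intentionally open to all domains; access is gated by DAC only`. sepol_magisk_rules continues outside the hunk.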


@ -267,7 +267,6 @@ void su_daemon_handler(int client, struct ucred *credential) {
int infd = recv_fd(client); int infd = recv_fd(client);
int outfd = recv_fd(client); int outfd = recv_fd(client);
int errfd = recv_fd(client); int errfd = recv_fd(client);
int ptsfd = -1;
if (pts_slave[0]) { if (pts_slave[0]) {
LOGD("su: pts_slave=[%s]\n", pts_slave); LOGD("su: pts_slave=[%s]\n", pts_slave);
@ -279,13 +278,10 @@ void su_daemon_handler(int client, struct ucred *credential) {
if(st.st_uid != info->uid && info->uid != 0) if(st.st_uid != info->uid && info->uid != 0)
LOGE("su: Wrong permission of pts_slave"); LOGE("su: Wrong permission of pts_slave");
// Set our pts_slave to devpts, same restriction as adb shell
lsetfilecon(pts_slave, "u:object_r:devpts:s0");
// Opening the TTY has to occur after the // Opening the TTY has to occur after the
// fork() and setsid() so that it becomes // fork() and setsid() so that it becomes
// our controlling TTY and not the daemon's // our controlling TTY and not the daemon's
ptsfd = xopen(pts_slave, O_RDWR); int ptsfd = xopen(pts_slave, O_RDWR);
if (infd < 0) if (infd < 0)
infd = ptsfd; infd = ptsfd;
@ -302,7 +298,14 @@ void su_daemon_handler(int client, struct ucred *credential) {
xdup2(outfd, STDOUT_FILENO); xdup2(outfd, STDOUT_FILENO);
xdup2(errfd, STDERR_FILENO); xdup2(errfd, STDERR_FILENO);
close(ptsfd); // Unleash all streams from SELinux hell
setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
setfilecon("/proc/self/fd/1", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
setfilecon("/proc/self/fd/2", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
close(infd);
close(outfd);
close(errfd);
close(client); close(client);
// Handle namespaces // Handle namespaces
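Review bot: The three `setfilecon("/proc/self/fd/N", ...)` calls ignore their return value and relabel whatever object the client handed over, not only the pts opened in this function. If a stream was redirected to a regular file, that file would presumably keep the SEPOL_FILE_DOMAIN label after the shell exits, and where relabeling is refused the failure is silent. Log failures, e.g. `if (setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0") < 0) LOGE("su: relabel stdin failed\n");`, and extend the comment to say that the label change outlives the session. Separately, when infd, outfd and errfd all alias ptsfd, the three new close() calls close the same descriptor more than once. su_daemon_handler continues outside the hunk.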