mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-11-24 18:45:28 +00:00
Separate public and private APIs
This commit is contained in:
parent
7bb8b9039c
commit
838b2757eb
@ -3,7 +3,7 @@ LOCAL_PATH := $(call my-dir)
|
|||||||
include $(CLEAR_VARS)
|
include $(CLEAR_VARS)
|
||||||
LOCAL_MODULE := magiskpolicy
|
LOCAL_MODULE := magiskpolicy
|
||||||
LOCAL_STATIC_LIBRARIES := libsepol
|
LOCAL_STATIC_LIBRARIES := libsepol
|
||||||
LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c utils.c ../utils/vector.c
|
LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c api.c ../utils/vector.c
|
||||||
LOCAL_C_INCLUDES := jni/selinux/libsepol/include jni/utils
|
LOCAL_C_INCLUDES := jni/selinux/libsepol/include jni/utils
|
||||||
LOCAL_CFLAGS := -DINDEP_BINARY
|
LOCAL_CFLAGS := -DINDEP_BINARY
|
||||||
include $(BUILD_EXECUTABLE)
|
include $(BUILD_EXECUTABLE)
|
||||||
|
@ -1,44 +1,45 @@
|
|||||||
#include "magiskpolicy.h"
|
#include "magiskpolicy.h"
|
||||||
|
#include "sepolicy.h"
|
||||||
|
|
||||||
int allow(char *s, char *t, char *c, char *p) {
|
int sepol_allow(char *s, char *t, char *c, char *p) {
|
||||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int deny(char *s, char *t, char *c, char *p) {
|
int sepol_deny(char *s, char *t, char *c, char *p) {
|
||||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
int auditallow(char *s, char *t, char *c, char *p) {
|
int sepol_auditallow(char *s, char *t, char *c, char *p) {
|
||||||
return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int auditdeny(char *s, char *t, char *c, char *p) {
|
int sepol_auditdeny(char *s, char *t, char *c, char *p) {
|
||||||
return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int typetrans(char *s, char *t, char *c, char *d, char *o) {
|
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) {
|
||||||
if (o == NULL)
|
if (o == NULL)
|
||||||
return add_transition(s, t, c, d);
|
return add_transition(s, t, c, d);
|
||||||
else
|
else
|
||||||
return add_file_transition(s, t, c, d, o);
|
return add_file_transition(s, t, c, d, o);
|
||||||
}
|
}
|
||||||
|
|
||||||
int permissive(char *s) {
|
int sepol_permissive(char *s) {
|
||||||
return set_domain_state(s, 1);
|
return set_domain_state(s, 1);
|
||||||
}
|
}
|
||||||
|
|
||||||
int enforce(char *s) {
|
int sepol_enforce(char *s) {
|
||||||
return set_domain_state(s, 0);
|
return set_domain_state(s, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
int create(char *s) {
|
int sepol_create(char *s) {
|
||||||
return create_domain(s);
|
return create_domain(s);
|
||||||
}
|
}
|
||||||
|
|
||||||
int attradd(char *s, char *a) {
|
int sepol_attradd(char *s, char *a) {
|
||||||
return add_typeattribute(s, a);
|
return add_typeattribute(s, a);
|
||||||
}
|
}
|
||||||
|
|
||||||
int exists(char* source) {
|
int sepol_exists(char* source) {
|
||||||
return !! hashtab_search(policy->p_types.table, source);
|
return !! hashtab_search(policy->p_types.table, source);
|
||||||
}
|
}
|
@ -1,5 +1,7 @@
|
|||||||
#include "vector.h"
|
/* magiskpolicy.c - Main function for policy patching
|
||||||
#include "magiskpolicy.h"
|
*
|
||||||
|
* Includes all the parsing logic for the policy statements
|
||||||
|
*/
|
||||||
|
|
||||||
#ifdef INDEP_BINARY
|
#ifdef INDEP_BINARY
|
||||||
int magiskpolicy_main(int argc, char *argv[]);
|
int magiskpolicy_main(int argc, char *argv[]);
|
||||||
@ -10,6 +12,9 @@ int main(int argc, char *argv[]) {
|
|||||||
#include "magisk.h"
|
#include "magisk.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include "magiskpolicy.h"
|
||||||
|
#include "sepolicy.h"
|
||||||
|
|
||||||
static int syntax_err = 0;
|
static int syntax_err = 0;
|
||||||
static char err_msg[ARG_MAX];
|
static char err_msg[ARG_MAX];
|
||||||
|
|
||||||
@ -112,19 +117,19 @@ static int parse_pattern_1(int action, char* statement) {
|
|||||||
for (int k = 0; k < permission.size; ++k)
|
for (int k = 0; k < permission.size; ++k)
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case 0:
|
case 0:
|
||||||
if (allow(source.data[i], target.data[j], class, permission.data[k]))
|
if (sepol_allow(source.data[i], target.data[j], class, permission.data[k]))
|
||||||
fprintf(stderr, "Error in: allow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
fprintf(stderr, "Error in: allow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||||
break;
|
break;
|
||||||
case 1:
|
case 1:
|
||||||
if (deny(source.data[i], target.data[j], class, permission.data[k]))
|
if (sepol_deny(source.data[i], target.data[j], class, permission.data[k]))
|
||||||
fprintf(stderr, "Error in: deny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
fprintf(stderr, "Error in: deny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||||
break;
|
break;
|
||||||
case 2:
|
case 2:
|
||||||
if (auditallow(source.data[i], target.data[j], class, permission.data[k]))
|
if (sepol_auditallow(source.data[i], target.data[j], class, permission.data[k]))
|
||||||
fprintf(stderr, "Error in: auditallow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
fprintf(stderr, "Error in: auditallow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||||
break;
|
break;
|
||||||
case 3:
|
case 3:
|
||||||
if (auditdeny(source.data[i], target.data[j], class, permission.data[k]))
|
if (sepol_auditdeny(source.data[i], target.data[j], class, permission.data[k]))
|
||||||
fprintf(stderr, "Error in: auditdeny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
fprintf(stderr, "Error in: auditdeny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@ -181,7 +186,7 @@ static int parse_pattern_2(int action, char* statement) {
|
|||||||
for (int j = 0; j < attribute.size; ++j)
|
for (int j = 0; j < attribute.size; ++j)
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case 0:
|
case 0:
|
||||||
if (attradd(class.data[i], attribute.data[j]))
|
if (sepol_attradd(class.data[i], attribute.data[j]))
|
||||||
fprintf(stderr, "Error in: attradd %s %s\n", class.data[i], attribute.data[j]);
|
fprintf(stderr, "Error in: attradd %s %s\n", class.data[i], attribute.data[j]);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@ -206,15 +211,15 @@ static int parse_pattern_3(int action, char* statement) {
|
|||||||
for (int i = 0; i < classes.size; ++i) {
|
for (int i = 0; i < classes.size; ++i) {
|
||||||
switch (action) {
|
switch (action) {
|
||||||
case 0:
|
case 0:
|
||||||
if (create(classes.data[i]))
|
if (sepol_create(classes.data[i]))
|
||||||
fprintf(stderr, "Domain %s already exists\n", classes.data[i]);
|
fprintf(stderr, "Domain %s already exists\n", classes.data[i]);
|
||||||
break;
|
break;
|
||||||
case 1:
|
case 1:
|
||||||
if (permissive(classes.data[i]))
|
if (sepol_permissive(classes.data[i]))
|
||||||
fprintf(stderr, "Error in: permissive %s\n", classes.data[i]);
|
fprintf(stderr, "Error in: permissive %s\n", classes.data[i]);
|
||||||
break;
|
break;
|
||||||
case 2:
|
case 2:
|
||||||
if (enforce(classes.data[i]))
|
if (sepol_enforce(classes.data[i]))
|
||||||
fprintf(stderr, "Error in: enforce %s\n", classes.data[i]);
|
fprintf(stderr, "Error in: enforce %s\n", classes.data[i]);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -253,7 +258,7 @@ static int parse_pattern_4(int action, char* statement) {
|
|||||||
++state;
|
++state;
|
||||||
}
|
}
|
||||||
if (state < 4) return 1;
|
if (state < 4) return 1;
|
||||||
if (typetrans(source, target, class, def, filename))
|
if (sepol_typetrans(source, target, class, def, filename))
|
||||||
fprintf(stderr, "Error in: typetrans %s %s %s %s %s\n", source, target, class, def, filename ? filename : "");
|
fprintf(stderr, "Error in: typetrans %s %s %s %s %s\n", source, target, class, def, filename ? filename : "");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -313,8 +318,8 @@ int magiskpolicy_main(int argc, char *argv[]) {
|
|||||||
if (policydb_load_isids(&policydb, &sidtab))
|
if (policydb_load_isids(&policydb, &sidtab))
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
if (full) full_rules();
|
if (full) sepol_full_rules();
|
||||||
else if (minimal) min_rules();
|
else if (minimal) sepol_min_rules();
|
||||||
|
|
||||||
for (int i = 0; i < rules.size; ++i) {
|
for (int i = 0; i < rules.size; ++i) {
|
||||||
// Since strtok will modify the origin string, copy the policy for error messages
|
// Since strtok will modify the origin string, copy the policy for error messages
|
||||||
|
@ -1,61 +1,27 @@
|
|||||||
#ifndef MAGISKPOLICY_H
|
/* magiskpolicy.h - Public API for policy patching
|
||||||
#define MAGISKPOLICY_H
|
*/
|
||||||
|
|
||||||
|
#ifndef _MAGISKPOLICY_H
|
||||||
|
#define _MAGISKPOLICY_H
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
#define ALL NULL
|
#define ALL NULL
|
||||||
|
|
||||||
#include <getopt.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
#include <sys/mman.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
#include <sys/stat.h>
|
|
||||||
#include <fcntl.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <limits.h>
|
|
||||||
#include <string.h>
|
|
||||||
#include <sepol/debug.h>
|
|
||||||
#include <sepol/policydb/policydb.h>
|
|
||||||
#include <sepol/policydb/expand.h>
|
|
||||||
#include <sepol/policydb/link.h>
|
|
||||||
#include <sepol/policydb/services.h>
|
|
||||||
#include <sepol/policydb/avrule_block.h>
|
|
||||||
#include <sepol/policydb/conditional.h>
|
|
||||||
#include <sepol/policydb/constraint.h>
|
|
||||||
|
|
||||||
#include "vector.h"
|
|
||||||
|
|
||||||
// hashtab traversal macro
|
|
||||||
#define hashtab_for_each(table, ptr) \
|
|
||||||
for (int _i = 0; _i < table->size; ++_i) \
|
|
||||||
for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
|
|
||||||
|
|
||||||
// Global policydb
|
|
||||||
policydb_t *policy;
|
|
||||||
|
|
||||||
// sepolicy manipulation functions
|
|
||||||
int load_policy(const char *filename);
|
|
||||||
int dump_policy(const char *filename);
|
|
||||||
int create_domain(char *d);
|
|
||||||
int set_domain_state(char* s, int state);
|
|
||||||
int add_transition(char *s, char *t, char *c, char *d);
|
|
||||||
int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
|
|
||||||
int add_typeattribute(char *domainS, char *attr);
|
|
||||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
|
||||||
|
|
||||||
// Handy functions
|
// Handy functions
|
||||||
int allow(char *s, char *t, char *c, char *p);
|
int sepol_allow(char *s, char *t, char *c, char *p);
|
||||||
int deny(char *s, char *t, char *c, char *p);
|
int sepol_deny(char *s, char *t, char *c, char *p);
|
||||||
int auditallow(char *s, char *t, char *c, char *p);
|
int sepol_auditallow(char *s, char *t, char *c, char *p);
|
||||||
int auditdeny(char *s, char *t, char *c, char *p);
|
int sepol_auditdeny(char *s, char *t, char *c, char *p);
|
||||||
int typetrans(char *s, char *t, char *c, char *d, char *o);
|
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o);
|
||||||
int create(char *s);
|
int sepol_create(char *s);
|
||||||
int permissive(char *s);
|
int sepol_permissive(char *s);
|
||||||
int enforce(char *s);
|
int sepol_enforce(char *s);
|
||||||
int attradd(char *s, char *a);
|
int sepol_attradd(char *s, char *a);
|
||||||
int exists(char *source);
|
int sepol_exists(char *source);
|
||||||
|
|
||||||
// Built in rules
|
// Built in rules
|
||||||
void full_rules();
|
void sepol_full_rules();
|
||||||
void min_rules();
|
void sepol_min_rules();
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
316
rules.c
316
rules.c
@ -1,230 +1,230 @@
|
|||||||
#include "magiskpolicy.h"
|
#include "magiskpolicy.h"
|
||||||
|
|
||||||
void samsung() {
|
void samsung() {
|
||||||
deny("init", "kernel", "security", "load_policy");
|
sepol_deny("init", "kernel", "security", "load_policy");
|
||||||
deny("policyloader_app", "security_spota_file", "dir", "read");
|
sepol_deny("policyloader_app", "security_spota_file", "dir", "read");
|
||||||
deny("policyloader_app", "security_spota_file", "dir", "write");
|
sepol_deny("policyloader_app", "security_spota_file", "dir", "write");
|
||||||
deny("policyloader_app", "security_spota_file", "file", "read");
|
sepol_deny("policyloader_app", "security_spota_file", "file", "read");
|
||||||
deny("policyloader_app", "security_spota_file", "file", "write");
|
sepol_deny("policyloader_app", "security_spota_file", "file", "write");
|
||||||
deny("system_server", "security_spota_file", "dir", "read");
|
sepol_deny("system_server", "security_spota_file", "dir", "read");
|
||||||
deny("system_server", "security_spota_file", "dir", "write");
|
sepol_deny("system_server", "security_spota_file", "dir", "write");
|
||||||
deny("system_server", "security_spota_file", "file", "read");
|
sepol_deny("system_server", "security_spota_file", "file", "read");
|
||||||
deny("system_server", "security_spota_file", "file", "write");
|
sepol_deny("system_server", "security_spota_file", "file", "write");
|
||||||
deny("system_app", "security_spota_file", "dir", "read");
|
sepol_deny("system_app", "security_spota_file", "dir", "read");
|
||||||
deny("system_app", "security_spota_file", "dir", "write");
|
sepol_deny("system_app", "security_spota_file", "dir", "write");
|
||||||
deny("system_app", "security_spota_file", "file", "read");
|
sepol_deny("system_app", "security_spota_file", "file", "read");
|
||||||
deny("system_app", "security_spota_file", "file", "write");
|
sepol_deny("system_app", "security_spota_file", "file", "write");
|
||||||
deny("installd", "security_spota_file", "dir", "read");
|
sepol_deny("installd", "security_spota_file", "dir", "read");
|
||||||
deny("installd", "security_spota_file", "dir", "write");
|
sepol_deny("installd", "security_spota_file", "dir", "write");
|
||||||
deny("installd", "security_spota_file", "file", "read");
|
sepol_deny("installd", "security_spota_file", "file", "read");
|
||||||
deny("installd", "security_spota_file", "file", "write");
|
sepol_deny("installd", "security_spota_file", "file", "write");
|
||||||
deny("init", "security_spota_file", "dir", "read");
|
sepol_deny("init", "security_spota_file", "dir", "read");
|
||||||
deny("init", "security_spota_file", "dir", "write");
|
sepol_deny("init", "security_spota_file", "dir", "write");
|
||||||
deny("init", "security_spota_file", "file", "read");
|
sepol_deny("init", "security_spota_file", "file", "read");
|
||||||
deny("init", "security_spota_file", "file", "write");
|
sepol_deny("init", "security_spota_file", "file", "write");
|
||||||
deny("ueventd", "security_spota_file", "dir", "read");
|
sepol_deny("ueventd", "security_spota_file", "dir", "read");
|
||||||
deny("ueventd", "security_spota_file", "dir", "write");
|
sepol_deny("ueventd", "security_spota_file", "dir", "write");
|
||||||
deny("ueventd", "security_spota_file", "file", "read");
|
sepol_deny("ueventd", "security_spota_file", "file", "read");
|
||||||
deny("ueventd", "security_spota_file", "file", "write");
|
sepol_deny("ueventd", "security_spota_file", "file", "write");
|
||||||
deny("runas", "security_spota_file", "dir", "read");
|
sepol_deny("runas", "security_spota_file", "dir", "read");
|
||||||
deny("runas", "security_spota_file", "dir", "write");
|
sepol_deny("runas", "security_spota_file", "dir", "write");
|
||||||
deny("runas", "security_spota_file", "file", "read");
|
sepol_deny("runas", "security_spota_file", "file", "read");
|
||||||
deny("runas", "security_spota_file", "file", "write");
|
sepol_deny("runas", "security_spota_file", "file", "write");
|
||||||
deny("drsd", "security_spota_file", "dir", "read");
|
sepol_deny("drsd", "security_spota_file", "dir", "read");
|
||||||
deny("drsd", "security_spota_file", "dir", "write");
|
sepol_deny("drsd", "security_spota_file", "dir", "write");
|
||||||
deny("drsd", "security_spota_file", "file", "read");
|
sepol_deny("drsd", "security_spota_file", "file", "read");
|
||||||
deny("drsd", "security_spota_file", "file", "write");
|
sepol_deny("drsd", "security_spota_file", "file", "write");
|
||||||
deny("debuggerd", "security_spota_file", "dir", "read");
|
sepol_deny("debuggerd", "security_spota_file", "dir", "read");
|
||||||
deny("debuggerd", "security_spota_file", "dir", "write");
|
sepol_deny("debuggerd", "security_spota_file", "dir", "write");
|
||||||
deny("debuggerd", "security_spota_file", "file", "read");
|
sepol_deny("debuggerd", "security_spota_file", "file", "read");
|
||||||
deny("debuggerd", "security_spota_file", "file", "write");
|
sepol_deny("debuggerd", "security_spota_file", "file", "write");
|
||||||
deny("vold", "security_spota_file", "dir", "read");
|
sepol_deny("vold", "security_spota_file", "dir", "read");
|
||||||
deny("vold", "security_spota_file", "dir", "write");
|
sepol_deny("vold", "security_spota_file", "dir", "write");
|
||||||
deny("vold", "security_spota_file", "file", "read");
|
sepol_deny("vold", "security_spota_file", "file", "read");
|
||||||
deny("vold", "security_spota_file", "file", "write");
|
sepol_deny("vold", "security_spota_file", "file", "write");
|
||||||
deny("zygote", "security_spota_file", "dir", "read");
|
sepol_deny("zygote", "security_spota_file", "dir", "read");
|
||||||
deny("zygote", "security_spota_file", "dir", "write");
|
sepol_deny("zygote", "security_spota_file", "dir", "write");
|
||||||
deny("zygote", "security_spota_file", "file", "read");
|
sepol_deny("zygote", "security_spota_file", "file", "read");
|
||||||
deny("zygote", "security_spota_file", "file", "write");
|
sepol_deny("zygote", "security_spota_file", "file", "write");
|
||||||
deny("auditd", "security_spota_file", "dir", "read");
|
sepol_deny("auditd", "security_spota_file", "dir", "read");
|
||||||
deny("auditd", "security_spota_file", "dir", "write");
|
sepol_deny("auditd", "security_spota_file", "dir", "write");
|
||||||
deny("auditd", "security_spota_file", "file", "read");
|
sepol_deny("auditd", "security_spota_file", "file", "read");
|
||||||
deny("auditd", "security_spota_file", "file", "write");
|
sepol_deny("auditd", "security_spota_file", "file", "write");
|
||||||
deny("servicemanager", "security_spota_file", "dir", "read");
|
sepol_deny("servicemanager", "security_spota_file", "dir", "read");
|
||||||
deny("servicemanager", "security_spota_file", "dir", "write");
|
sepol_deny("servicemanager", "security_spota_file", "dir", "write");
|
||||||
deny("servicemanager", "security_spota_file", "file", "read");
|
sepol_deny("servicemanager", "security_spota_file", "file", "read");
|
||||||
deny("servicemanager", "security_spota_file", "file", "write");
|
sepol_deny("servicemanager", "security_spota_file", "file", "write");
|
||||||
deny("itsonbs", "security_spota_file", "dir", "read");
|
sepol_deny("itsonbs", "security_spota_file", "dir", "read");
|
||||||
deny("itsonbs", "security_spota_file", "dir", "write");
|
sepol_deny("itsonbs", "security_spota_file", "dir", "write");
|
||||||
deny("itsonbs", "security_spota_file", "file", "read");
|
sepol_deny("itsonbs", "security_spota_file", "file", "read");
|
||||||
deny("itsonbs", "security_spota_file", "file", "write");
|
sepol_deny("itsonbs", "security_spota_file", "file", "write");
|
||||||
deny("commonplatformappdomain", "security_spota_file", "dir", "read");
|
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "read");
|
||||||
deny("commonplatformappdomain", "security_spota_file", "dir", "write");
|
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "write");
|
||||||
deny("commonplatformappdomain", "security_spota_file", "file", "read");
|
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "read");
|
||||||
deny("commonplatformappdomain", "security_spota_file", "file", "write");
|
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "write");
|
||||||
}
|
}
|
||||||
|
|
||||||
void allowSuClient(char *target) {
|
void allowSuClient(char *target) {
|
||||||
allow(target, "rootfs", "file", "execute_no_trans");
|
sepol_allow(target, "rootfs", "file", "execute_no_trans");
|
||||||
allow(target, "rootfs", "file", "execute");
|
sepol_allow(target, "rootfs", "file", "execute");
|
||||||
allow(target, "su", "unix_stream_socket", "connectto");
|
sepol_allow(target, "su", "unix_stream_socket", "connectto");
|
||||||
allow(target, "su", "unix_stream_socket", "getopt");
|
sepol_allow(target, "su", "unix_stream_socket", "getopt");
|
||||||
allow(target, "su_device", "dir", "search");
|
sepol_allow(target, "su_device", "dir", "search");
|
||||||
allow(target, "su_device", "dir", "read");
|
sepol_allow(target, "su_device", "dir", "read");
|
||||||
allow(target, "su_device", "sock_file", "read");
|
sepol_allow(target, "su_device", "sock_file", "read");
|
||||||
allow(target, "su_device", "sock_file", "write");
|
sepol_allow(target, "su_device", "sock_file", "write");
|
||||||
}
|
}
|
||||||
|
|
||||||
void suRights() {
|
void suRights() {
|
||||||
allow("servicemanager", "su", "dir", "search");
|
sepol_allow("servicemanager", "su", "dir", "search");
|
||||||
allow("servicemanager", "su", "dir", "read");
|
sepol_allow("servicemanager", "su", "dir", "read");
|
||||||
allow("servicemanager", "su", "file", "open");
|
sepol_allow("servicemanager", "su", "file", "open");
|
||||||
allow("servicemanager", "su", "file", "read");
|
sepol_allow("servicemanager", "su", "file", "read");
|
||||||
allow("servicemanager", "su", "process", "getattr");
|
sepol_allow("servicemanager", "su", "process", "getattr");
|
||||||
allow("servicemanager", "su", "binder", "transfer");
|
sepol_allow("servicemanager", "su", "binder", "transfer");
|
||||||
allow("system_server", "su", "binder", "call");
|
sepol_allow("system_server", "su", "binder", "call");
|
||||||
}
|
}
|
||||||
|
|
||||||
void otherToSU() {
|
void otherToSU() {
|
||||||
// allowLog
|
// allowLog
|
||||||
allow("logd", "su", "dir", "search");
|
sepol_allow("logd", "su", "dir", "search");
|
||||||
allow("logd", "su", "file", "read");
|
sepol_allow("logd", "su", "file", "read");
|
||||||
allow("logd", "su", "file", "open");
|
sepol_allow("logd", "su", "file", "open");
|
||||||
allow("logd", "su", "file", "getattr");
|
sepol_allow("logd", "su", "file", "getattr");
|
||||||
|
|
||||||
// suBackL0
|
// suBackL0
|
||||||
allow("system_server", "su", "binder", "call");
|
sepol_allow("system_server", "su", "binder", "call");
|
||||||
allow("system_server", "su", "binder", "transfer");
|
sepol_allow("system_server", "su", "binder", "transfer");
|
||||||
|
|
||||||
// ES Explorer opens a sokcet
|
// ES Explorer opens a sokcet
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "read");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "read");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "getattr");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "getattr");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "write");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "write");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "setattr");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "setattr");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "lock");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "lock");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "append");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "append");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "bind");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "bind");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "connect");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "connect");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "getopt");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "getopt");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "setopt");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "setopt");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
|
||||||
allow("untrusted_app", "su", "unix_stream_socket", "connectto");
|
sepol_allow("untrusted_app", "su", "unix_stream_socket", "connectto");
|
||||||
|
|
||||||
// Any domain is allowed to send su "sigchld"
|
// Any domain is allowed to send su "sigchld"
|
||||||
allow(ALL, "su", "process", "sigchld");
|
sepol_allow(ALL, "su", "process", "sigchld");
|
||||||
|
|
||||||
// uNetworkL0
|
// uNetworkL0
|
||||||
attradd("su", "netdomain");
|
sepol_attradd("su", "netdomain");
|
||||||
attradd("su", "bluetoothdomain");
|
sepol_attradd("su", "bluetoothdomain");
|
||||||
|
|
||||||
// suBackL6
|
// suBackL6
|
||||||
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
sepol_allow("surfaceflinger", "app_data_file", "dir", ALL);
|
||||||
allow("surfaceflinger", "app_data_file", "file", ALL);
|
sepol_allow("surfaceflinger", "app_data_file", "file", ALL);
|
||||||
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
||||||
attradd("surfaceflinger", "mlstrustedsubject");
|
sepol_attradd("surfaceflinger", "mlstrustedsubject");
|
||||||
|
|
||||||
// suMiscL6
|
// suMiscL6
|
||||||
if (exists("audioserver"))
|
if (sepol_exists("audioserver"))
|
||||||
allow("audioserver", "audioserver", "process", "execmem");
|
sepol_allow("audioserver", "audioserver", "process", "execmem");
|
||||||
}
|
}
|
||||||
|
|
||||||
void full_rules() {
|
void sepol_full_rules() {
|
||||||
// Samsung specific
|
// Samsung specific
|
||||||
// Prevent system from loading policy
|
// Prevent system from loading policy
|
||||||
if(exists("knox_system_app"))
|
if(sepol_exists("knox_system_app"))
|
||||||
samsung();
|
samsung();
|
||||||
|
|
||||||
// Min rules first
|
// Min rules first
|
||||||
min_rules();
|
sepol_min_rules();
|
||||||
|
|
||||||
// Create domains if they don't exist
|
// Create domains if they don't exist
|
||||||
if (!exists("su_device"))
|
if (!sepol_exists("su_device"))
|
||||||
create("su_device");
|
sepol_create("su_device");
|
||||||
enforce("su_device");
|
sepol_enforce("su_device");
|
||||||
|
|
||||||
// Patch su to everything
|
// Patch su to everything
|
||||||
allow("su", ALL, ALL, ALL);
|
sepol_allow("su", ALL, ALL, ALL);
|
||||||
|
|
||||||
// Autotransition su's socket to su_device
|
// Autotransition su's socket to su_device
|
||||||
add_transition("su", "device", "file", "su_device");
|
sepol_typetrans("su", "device", "file", "su_device", NULL);
|
||||||
add_transition("su", "device", "dir", "su_device");
|
sepol_typetrans("su", "device", "dir", "su_device", NULL);
|
||||||
allow("su_device", "tmpfs", "filesystem", "associate");
|
sepol_allow("su_device", "tmpfs", "filesystem", "associate");
|
||||||
|
|
||||||
// Transition from untrusted_app to su_client
|
// Transition from untrusted_app to su_client
|
||||||
allowSuClient("shell");
|
allowSuClient("shell");
|
||||||
allowSuClient("untrusted_app");
|
allowSuClient("untrusted_app");
|
||||||
allowSuClient("system_app");
|
allowSuClient("system_app");
|
||||||
allowSuClient("platform_app");
|
allowSuClient("platform_app");
|
||||||
if (exists("priv_app"))
|
if (sepol_exists("priv_app"))
|
||||||
allowSuClient("priv_app");
|
allowSuClient("priv_app");
|
||||||
if (exists("ssd_tool"))
|
if (sepol_exists("ssd_tool"))
|
||||||
allowSuClient("ssd_tool");
|
allowSuClient("ssd_tool");
|
||||||
|
|
||||||
// Allow init to execute su daemon/transition
|
// Allow init to execute su daemon/transition
|
||||||
allow("init", "su", "process", "transition");
|
sepol_allow("init", "su", "process", "transition");
|
||||||
allow("init", "su", "process", "rlimitinh");
|
sepol_allow("init", "su", "process", "rlimitinh");
|
||||||
allow("init", "su", "process", "siginh");
|
sepol_allow("init", "su", "process", "siginh");
|
||||||
allow("init", "su", "process", "noatsecure");
|
sepol_allow("init", "su", "process", "noatsecure");
|
||||||
suRights();
|
suRights();
|
||||||
otherToSU();
|
otherToSU();
|
||||||
|
|
||||||
// Need to set su_device/su as trusted to be accessible from other categories
|
// Need to set su_device/su as trusted to be accessible from other categories
|
||||||
attradd("su_device", "mlstrustedobject");
|
sepol_attradd("su_device", "mlstrustedobject");
|
||||||
attradd("su", "mlstrustedsubject");
|
sepol_attradd("su", "mlstrustedsubject");
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Minimal to run Magisk script before live patching
|
// Minimal to run Magisk script before live patching
|
||||||
void min_rules() {
|
void sepol_min_rules() {
|
||||||
|
|
||||||
if (!exists("su"))
|
if (!sepol_exists("su"))
|
||||||
create("su");
|
sepol_create("su");
|
||||||
permissive("su");
|
sepol_permissive("su");
|
||||||
permissive("init");
|
sepol_permissive("init");
|
||||||
|
|
||||||
attradd("su", "mlstrustedsubject");
|
sepol_attradd("su", "mlstrustedsubject");
|
||||||
|
|
||||||
// Let init run stuffs in su context
|
// Let init run stuffs in su context
|
||||||
allow("kernel", "su", "fd", "use");
|
sepol_allow("kernel", "su", "fd", "use");
|
||||||
allow("init", "su", "process", ALL);
|
sepol_allow("init", "su", "process", ALL);
|
||||||
allow("init", "system_file", "dir", ALL);
|
sepol_allow("init", "system_file", "dir", ALL);
|
||||||
allow("init", "system_file", "lnk_file", ALL);
|
sepol_allow("init", "system_file", "lnk_file", ALL);
|
||||||
allow("init", "system_file", "file", ALL);
|
sepol_allow("init", "system_file", "file", ALL);
|
||||||
|
|
||||||
// Misc: basic shell scripts, prop management etc.
|
// Misc: basic shell scripts, prop management etc.
|
||||||
allow("su", "property_socket", "sock_file", "write");
|
sepol_allow("su", "property_socket", "sock_file", "write");
|
||||||
if (exists("default_prop"))
|
if (sepol_exists("default_prop"))
|
||||||
allow("su", "default_prop", "property_service", "set");
|
sepol_allow("su", "default_prop", "property_service", "set");
|
||||||
allow("su", "init", "unix_stream_socket", "connectto");
|
sepol_allow("su", "init", "unix_stream_socket", "connectto");
|
||||||
allow("su", "su", "unix_dgram_socket", ALL);
|
sepol_allow("su", "su", "unix_dgram_socket", ALL);
|
||||||
allow("su", "su", "unix_stream_socket", ALL);
|
sepol_allow("su", "su", "unix_stream_socket", ALL);
|
||||||
allow("su", "su", "process", ALL);
|
sepol_allow("su", "su", "process", ALL);
|
||||||
allow("su", "su", "capability", ALL);
|
sepol_allow("su", "su", "capability", ALL);
|
||||||
allow("su", "su", "file", ALL);
|
sepol_allow("su", "su", "file", ALL);
|
||||||
allow("su", "su", "fifo_file", ALL);
|
sepol_allow("su", "su", "fifo_file", ALL);
|
||||||
allow("su", "su", "lnk_file", ALL);
|
sepol_allow("su", "su", "lnk_file", ALL);
|
||||||
allow("su", "su", "dir", ALL);
|
sepol_allow("su", "su", "dir", ALL);
|
||||||
|
|
||||||
// Allow su to do anything to files/dir/links
|
// Allow su to do anything to files/dir/links
|
||||||
allow("su", ALL, "file", ALL);
|
sepol_allow("su", ALL, "file", ALL);
|
||||||
allow("su", ALL, "dir", ALL);
|
sepol_allow("su", ALL, "dir", ALL);
|
||||||
allow("su", ALL, "lnk_file", ALL);
|
sepol_allow("su", ALL, "lnk_file", ALL);
|
||||||
|
|
||||||
// For sepolicy live patching
|
// For sepolicy live patching
|
||||||
allow("su", "kernel", "security", "read_policy");
|
sepol_allow("su", "kernel", "security", "read_policy");
|
||||||
allow("su", "kernel", "security", "load_policy");
|
sepol_allow("su", "kernel", "security", "load_policy");
|
||||||
|
|
||||||
// For mounting loop devices and mirrors
|
// For mounting loop devices and mirrors
|
||||||
allow("su", "kernel", "process", "setsched");
|
sepol_allow("su", "kernel", "process", "setsched");
|
||||||
allow("su", "labeledfs", "filesystem", "mount");
|
sepol_allow("su", "labeledfs", "filesystem", "mount");
|
||||||
allow("su", "labeledfs", "filesystem", "unmount");
|
sepol_allow("su", "labeledfs", "filesystem", "unmount");
|
||||||
allow("su", "loop_device", "blk_file", ALL);
|
sepol_allow("su", "loop_device", "blk_file", ALL);
|
||||||
allow("su", "block_device", "blk_file", ALL);
|
sepol_allow("su", "block_device", "blk_file", ALL);
|
||||||
allow("su", "system_block_device", "blk_file", ALL);
|
sepol_allow("su", "system_block_device", "blk_file", ALL);
|
||||||
|
|
||||||
// Xposed
|
// Xposed
|
||||||
allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
||||||
allow("system_server", "dex2oat_exec", "file", ALL);
|
sepol_allow("system_server", "dex2oat_exec", "file", ALL);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
#include "magiskpolicy.h"
|
#include "magiskpolicy.h"
|
||||||
|
#include "sepolicy.h"
|
||||||
|
|
||||||
static void *cmalloc(size_t s) {
|
static void *cmalloc(size_t s) {
|
||||||
void *t = malloc(s);
|
void *t = malloc(s);
|
||||||
|
48
sepolicy.h
Normal file
48
sepolicy.h
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
/* sepolicy.h - Header for magiskpolicy non-public APIs
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifndef _SEPOLICY_H
|
||||||
|
#define _SEPOLICY_H
|
||||||
|
|
||||||
|
#define ALL NULL
|
||||||
|
|
||||||
|
#include <getopt.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <sys/mman.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <limits.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <sepol/debug.h>
|
||||||
|
#include <sepol/policydb/policydb.h>
|
||||||
|
#include <sepol/policydb/expand.h>
|
||||||
|
#include <sepol/policydb/link.h>
|
||||||
|
#include <sepol/policydb/services.h>
|
||||||
|
#include <sepol/policydb/avrule_block.h>
|
||||||
|
#include <sepol/policydb/conditional.h>
|
||||||
|
#include <sepol/policydb/constraint.h>
|
||||||
|
|
||||||
|
#include "vector.h"
|
||||||
|
|
||||||
|
// hashtab traversal macro
|
||||||
|
#define hashtab_for_each(table, ptr) \
|
||||||
|
for (int _i = 0; _i < table->size; ++_i) \
|
||||||
|
for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
|
||||||
|
|
||||||
|
// Global policydb
|
||||||
|
policydb_t *policy;
|
||||||
|
|
||||||
|
// sepolicy manipulation functions
|
||||||
|
int load_policy(const char *filename);
|
||||||
|
int dump_policy(const char *filename);
|
||||||
|
int create_domain(char *d);
|
||||||
|
int set_domain_state(char* s, int state);
|
||||||
|
int add_transition(char *s, char *t, char *c, char *d);
|
||||||
|
int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
|
||||||
|
int add_typeattribute(char *domainS, char *attr);
|
||||||
|
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||||
|
|
||||||
|
#endif
|
Loading…
Reference in New Issue
Block a user