TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2024-12-22 16:07:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Optimize sepolicy rules

Browse Source 
Close #7916

Co-authored-by: vvb2060 <vvb2060@gmail.com>
This commit is contained in:
topjohnwu 2024-03-21 01:51:35 -07:00
parent 6b4baa3bcd
commit 865fca71a5
1 changed files with 38 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
native/src/sepolicy/rules.rs
View File

@ -9,6 +9,9 @@ macro_rules! rules {
(@args xall) => { (@args xall) => {
vec![Xperm { low: 0x0000, high: 0xFFFF, reset: false }] vec![Xperm { low: 0x0000, high: 0xFFFF, reset: false }]
}; };
(@args svcmgr) => {
vec!["servicemanager", "vndservicemanager", "hwservicemanager"]
};
(@args [proc]) => { (@args [proc]) => {
vec!["magisk"] vec!["magisk"]
}; };
@ -51,41 +54,60 @@ impl SepolicyMagisk for sepolicy {
use self; use self;
allow(all, ["kernel"], ["security"], ["load_policy"]); allow(all, ["kernel"], ["security"], ["load_policy"]);
type_(proc, ["domain"]); type_(proc, ["domain"]);
permissive([proc]); typeattribute([proc], ["mlstrustedsubject", "netdomain", "appdomain"]);
typeattribute([proc], ["mlstrustedsubject", "netdomain", "bluetoothdomain"]);
type_(file, ["file_type"]); type_(file, ["file_type"]);
typeattribute([file], ["mlstrustedobject"]); typeattribute([file], ["mlstrustedobject"]);
type_(log, ["file_type"]); type_(log, ["file_type"]);
typeattribute([log], ["mlstrustedobject"]); typeattribute([log], ["mlstrustedobject"]);
// Make our root domain unconstrained
allow([proc], all, all, all);
// Allow us to do any ioctl
allowxperm(["magisk"], all, ["blk_file", "fifo_file", "chr_file"], xall);
// Create unconstrained file type // Create unconstrained file type
allow(all, [file], ["file", "dir", "fifo_file", "chr_file", "lnk_file", "sock_file"], all); allow(["domain"], [file],
["file", "dir", "fifo_file", "chr_file", "lnk_file", "sock_file"], all);
// Only allow zygote to open log pipe // Only allow zygote to open log pipe
allow(["zygote"], [log], ["fifo_file"], ["open", "read"]); allow(["zygote"], [log], ["fifo_file"], ["open", "read"]);
// Allow all processes to output logs // Allow all processes to output logs
allow(["domain"], [log], ["fifo_file"], ["write"]); allow(["domain"], [log], ["fifo_file"], ["write"]);
// Make our root domain unconstrained
allow([proc], [
"fs_type", "dev_type", "file_type", "domain",
"service_manager_type", "hwservice_manager_type", "vndservice_manager_type",
"port_type", "node_type", "property_type"
], all, all);
// Just in case, make the domain permissive
permissive([proc]);
// Allow us to do any ioctl
allowxperm([proc], ["fs_type", "dev_type", "file_type", "domain"],
["blk_file", "fifo_file", "chr_file"], xall);
allowxperm([proc], [proc], ["tcp_socket", "udp_socket", "rawip_socket"], xall);
// Let binder work with our processes
allow(svcmgr, [proc], ["dir"], ["search"]);
allow(svcmgr, [proc], ["file"], ["open", "read", "map"]);
allow(svcmgr, [proc], ["process"], ["getattr"]);
allow(["domain"], [proc], ["binder"], ["call", "transfer"]);
// Other common IPC
allow(["domain"], [proc], ["process"], ["sigchld"]);
allow(["domain"], [proc], ["fd"], ["use"]);
allow(["domain"], [proc], ["fifo_file"], ["write", "read", "open", "getattr"]);
// Allow these processes to access MagiskSU and output logs // Allow these processes to access MagiskSU and output logs
allow(["zygote", "shell", "system_app", "priv_app", "untrusted_app", "untrusted_app_all"], allow(["zygote", "shell",
"system_app", "priv_app", "untrusted_app", "untrusted_app_all"],
[proc], ["unix_stream_socket"], ["connectto", "getopt"]); [proc], ["unix_stream_socket"], ["connectto", "getopt"]);
// Let everyone access tmpfs files (for SAR sbin overlay) // Let everyone access tmpfs files (for SAR sbin overlay)
allow(all, ["tmpfs"], ["file"], all); allow(["domain"], ["tmpfs"], ["file"], all);
// Allow magiskinit daemon to handle mock selinuxfs // Allow magiskinit daemon to handle mock selinuxfs
allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]); allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
// For relabelling files // For relabelling files
allow(["rootfs"], ["labeledfs"], ["filesystem"], ["associate"]); allow(["rootfs"], ["labeledfs", "tmpfs"], ["filesystem"], ["associate"]);
allow([file], ["pipefs", "devpts"], ["filesystem"], ["associate"]); allow([file], ["pipefs", "devpts"], ["filesystem"], ["associate"]);
// Let init transit to SEPOL_PROC_DOMAIN // Let init transit to SEPOL_PROC_DOMAIN
@ -93,36 +115,10 @@ impl SepolicyMagisk for sepolicy {
allow(["kernel"], [proc], ["process"], ["dyntransition"]); allow(["kernel"], [proc], ["process"], ["dyntransition"]);
// Let init run stuffs // Let init run stuffs
allow(["kernel"], [proc], ["fd"], ["use"]);
allow(["init"], [proc], ["process"], all); allow(["init"], [proc], ["process"], all);
// suRights
allow(["servicemanager"], [proc], ["dir"], ["search", "read"]);
allow(["servicemanager"], [proc], ["file"], ["open", "read"]);
allow(["servicemanager"], [proc], ["process"], ["getattr"]);
allow(all, [proc], ["process"], ["sigchld"]);
// allowLog
allow(["logd"], [proc], ["dir"], ["search"]);
allow(["logd"], [proc], ["file"], ["read", "open", "getattr"]);
// dumpsys
allow(all, [proc], ["fd"], ["use"]);
allow(all, [proc], ["fifo_file"], ["write", "read", "open", "getattr"]);
// bootctl
allow(["hwservicemanager"], [proc], ["dir"], ["search"]);
allow(["hwservicemanager"], [proc], ["file"], ["read", "open"]);
allow(["hwservicemanager"], [proc], ["process"], ["getattr"]);
// For mounting loop devices, mirrors, tmpfs // For mounting loop devices, mirrors, tmpfs
allow(["kernel"], all, ["file"], ["read", "write"]); allow(["kernel"], ["fs_type", "dev_type", "file_type"], ["file"], ["read", "write"]);
// Allow all binder transactions
allow(all, [proc], ["binder"], all);
// For changing file context
allow(["rootfs"], ["tmpfs"], ["filesystem"], ["associate"]);
// Zygisk rules // Zygisk rules
allow(["zygote"], ["zygote"], ["process"], ["execmem"]); allow(["zygote"], ["zygote"], ["process"], ["execmem"]);