mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-11-24 02:25:28 +00:00
parent
7922f65243
commit
97b72a5941
@ -156,6 +156,8 @@ static void daemon_entry(int ppid) {
|
|||||||
setsid();
|
setsid();
|
||||||
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
|
setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
|
||||||
|
|
||||||
|
LOGI(NAME_WITH_VER(Magisk) " daemon started\n");
|
||||||
|
|
||||||
// Make sure ppid is not in acct
|
// Make sure ppid is not in acct
|
||||||
char src[64], dest[64];
|
char src[64], dest[64];
|
||||||
sprintf(src, "/acct/uid_0/pid_%d", ppid);
|
sprintf(src, "/acct/uid_0/pid_%d", ppid);
|
||||||
@ -167,20 +169,6 @@ static void daemon_entry(int ppid) {
|
|||||||
MAGISKTMP = dirname(src);
|
MAGISKTMP = dirname(src);
|
||||||
xstat("/proc/self/exe", &self_st);
|
xstat("/proc/self/exe", &self_st);
|
||||||
|
|
||||||
restore_tmpcon();
|
|
||||||
|
|
||||||
// SAR cleanups
|
|
||||||
auto mount_list = MAGISKTMP + "/" ROOTMNT;
|
|
||||||
if (access(mount_list.data(), F_OK) == 0) {
|
|
||||||
file_readline(true, mount_list.data(), [](string_view line) -> bool {
|
|
||||||
umount2(line.data(), MNT_DETACH);
|
|
||||||
return true;
|
|
||||||
});
|
|
||||||
}
|
|
||||||
unlink("/dev/.se");
|
|
||||||
|
|
||||||
LOGI(NAME_WITH_VER(Magisk) " daemon started\n");
|
|
||||||
|
|
||||||
// Get API level
|
// Get API level
|
||||||
parse_prop_file("/system/build.prop", [](auto key, auto val) -> bool {
|
parse_prop_file("/system/build.prop", [](auto key, auto val) -> bool {
|
||||||
if (key == "ro.build.version.sdk") {
|
if (key == "ro.build.version.sdk") {
|
||||||
@ -198,6 +186,18 @@ static void daemon_entry(int ppid) {
|
|||||||
}
|
}
|
||||||
LOGI("* Device API level: %d\n", SDK_INT);
|
LOGI("* Device API level: %d\n", SDK_INT);
|
||||||
|
|
||||||
|
restore_tmpcon();
|
||||||
|
|
||||||
|
// SAR cleanups
|
||||||
|
auto mount_list = MAGISKTMP + "/" ROOTMNT;
|
||||||
|
if (access(mount_list.data(), F_OK) == 0) {
|
||||||
|
file_readline(true, mount_list.data(), [](string_view line) -> bool {
|
||||||
|
umount2(line.data(), MNT_DETACH);
|
||||||
|
return true;
|
||||||
|
});
|
||||||
|
}
|
||||||
|
unlink("/dev/.se");
|
||||||
|
|
||||||
// Load config status
|
// Load config status
|
||||||
auto config = MAGISKTMP + "/" INTLROOT "/config";
|
auto config = MAGISKTMP + "/" INTLROOT "/config";
|
||||||
parse_prop_file(config.data(), [](auto key, auto val) -> bool {
|
parse_prop_file(config.data(), [](auto key, auto val) -> bool {
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
#include <string_view>
|
#include <string_view>
|
||||||
|
|
||||||
#include <magisk.hpp>
|
#include <magisk.hpp>
|
||||||
|
#include <daemon.hpp>
|
||||||
#include <selinux.hpp>
|
#include <selinux.hpp>
|
||||||
#include <utils.hpp>
|
#include <utils.hpp>
|
||||||
|
|
||||||
@ -87,7 +88,7 @@ void restore_tmpcon() {
|
|||||||
int dfd = dirfd(dir.get());
|
int dfd = dirfd(dir.get());
|
||||||
|
|
||||||
for (dirent *entry; (entry = xreaddir(dir.get()));) {
|
for (dirent *entry; (entry = xreaddir(dir.get()));) {
|
||||||
if (entry->d_name == "magisk"sv)
|
if (SDK_INT >= 26 && entry->d_name == "magisk"sv)
|
||||||
setfilecon_at(dfd, entry->d_name, EXEC_CON);
|
setfilecon_at(dfd, entry->d_name, EXEC_CON);
|
||||||
else
|
else
|
||||||
setfilecon_at(dfd, entry->d_name, SYSTEM_CON);
|
setfilecon_at(dfd, entry->d_name, SYSTEM_CON);
|
||||||
|
@ -8,17 +8,18 @@ void sepolicy::magisk_rules() {
|
|||||||
auto bak = log_cb.w;
|
auto bak = log_cb.w;
|
||||||
log_cb.w = nop_log;
|
log_cb.w = nop_log;
|
||||||
|
|
||||||
|
// This indicates API 26+
|
||||||
|
bool new_rules = exists("untrusted_app_25");
|
||||||
|
|
||||||
// Prevent anything to change sepolicy except ourselves
|
// Prevent anything to change sepolicy except ourselves
|
||||||
deny(ALL, "kernel", "security", "load_policy");
|
deny(ALL, "kernel", "security", "load_policy");
|
||||||
|
|
||||||
type(SEPOL_PROC_DOMAIN, "domain");
|
type(SEPOL_PROC_DOMAIN, "domain");
|
||||||
type(SEPOL_CLIENT_DOMAIN, "domain");
|
|
||||||
type(SEPOL_FILE_TYPE, "file_type");
|
|
||||||
type(SEPOL_EXEC_TYPE, "file_type");
|
|
||||||
permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */
|
permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */
|
||||||
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
|
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
|
||||||
typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
|
typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
|
||||||
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
|
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
|
||||||
|
type(SEPOL_FILE_TYPE, "file_type");
|
||||||
typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
|
typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
|
||||||
|
|
||||||
// Make our root domain unconstrained
|
// Make our root domain unconstrained
|
||||||
@ -33,6 +34,10 @@ void sepolicy::magisk_rules() {
|
|||||||
allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
|
allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
|
||||||
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
|
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
|
||||||
|
|
||||||
|
if (new_rules) {
|
||||||
|
type(SEPOL_CLIENT_DOMAIN, "domain");
|
||||||
|
type(SEPOL_EXEC_TYPE, "file_type");
|
||||||
|
|
||||||
// Basic su client needs
|
// Basic su client needs
|
||||||
allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
|
allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
||||||
@ -40,15 +45,17 @@ void sepolicy::magisk_rules() {
|
|||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
||||||
|
|
||||||
// Allow su client to manipulate pts
|
// Allow su client termios ioctl
|
||||||
const char *pts[] {
|
const char *pts[] {
|
||||||
"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts", "untrusted_app_all_devpts" };
|
"devpts", "untrusted_app_devpts",
|
||||||
|
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
|
||||||
for (auto type : pts) {
|
for (auto type : pts) {
|
||||||
|
if (!exists(type))
|
||||||
|
continue;
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
|
||||||
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
|
||||||
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
|
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -84,6 +91,27 @@ void sepolicy::magisk_rules() {
|
|||||||
|
|
||||||
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets
|
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets
|
||||||
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||||
|
} else {
|
||||||
|
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
|
||||||
|
|
||||||
|
// Allow these processes to access MagiskSU
|
||||||
|
const char *clients[] {
|
||||||
|
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app" };
|
||||||
|
for (auto type : clients) {
|
||||||
|
if (!exists(type))
|
||||||
|
continue;
|
||||||
|
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
||||||
|
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
||||||
|
|
||||||
|
// Allow termios ioctl
|
||||||
|
const char *pts[] { "devpts", "untrusted_app_devpts" };
|
||||||
|
for (auto pts_type : pts) {
|
||||||
|
allow(type, pts_type, "chr_file", "ioctl");
|
||||||
|
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
||||||
|
allowxperm(type, pts_type, "chr_file", "0x5400-0x54FF");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Let everyone access tmpfs files (for SAR sbin overlay)
|
// Let everyone access tmpfs files (for SAR sbin overlay)
|
||||||
allow(ALL, "tmpfs", "file", ALL);
|
allow(ALL, "tmpfs", "file", ALL);
|
||||||
|
@ -57,7 +57,7 @@ pgrep magiskd >/dev/null && pkill -9 magiskd
|
|||||||
[ -e /sys/fs/selinux ] && SELINUX=true || SELINUX=false
|
[ -e /sys/fs/selinux ] && SELINUX=true || SELINUX=false
|
||||||
if $SELINUX; then
|
if $SELINUX; then
|
||||||
ln -sf ./magiskinit magiskpolicy
|
ln -sf ./magiskinit magiskpolicy
|
||||||
./magiskpolicy --live --magisk 'allow magisk * * *'
|
./magiskpolicy --live --magisk
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Setup sbin overlay
|
# Setup sbin overlay
|
||||||
@ -94,9 +94,6 @@ chmod 755 /sbin/magisk
|
|||||||
ln -s ./magisk /sbin/su
|
ln -s ./magisk /sbin/su
|
||||||
ln -s ./magisk /sbin/resetprop
|
ln -s ./magisk /sbin/resetprop
|
||||||
ln -s ./magisk /sbin/magiskhide
|
ln -s ./magisk /sbin/magiskhide
|
||||||
mkdir -p /sbin/.magisk/busybox
|
|
||||||
cp -af ./busybox /sbin/.magisk/busybox/busybox
|
|
||||||
/sbin/.magisk/busybox/busybox --install -s /sbin/.magisk/busybox
|
|
||||||
mkdir -p /data/adb/modules 2>/dev/null
|
mkdir -p /data/adb/modules 2>/dev/null
|
||||||
mkdir /data/adb/post-fs-data.d 2>/dev/null
|
mkdir /data/adb/post-fs-data.d 2>/dev/null
|
||||||
mkdir /data/adb/services.d 2>/dev/null
|
mkdir /data/adb/services.d 2>/dev/null
|
||||||
|
Loading…
Reference in New Issue
Block a user