Refactor sepolicy.rules resolve

We resolve available partitions for sepolicy.rules when patching boot and bind mount the partition by magiskinit. For older devices, the previous logic won't work because the part name is never readable. Co-authored-by: topjohnwu <topjohnwu@gmail.com>
2025-12-14 14:41:52 +00:00 · 2023-02-12 16:36:38 +08:00
parent 03418ddcbf
commit 9e8c68af12
11 changed files with 151 additions and 144 deletions
--- a/native/src/init/selinux.cpp
+++ b/native/src/init/selinux.cpp
@@ -15,14 +15,14 @@ void MagiskInit::patch_sepolicy(const char *in, const char *out) {
    sepol->magisk_rules();

    // Custom rules
-    if (!custom_rules_dir.empty()) {
-        if (auto dir = xopen_dir(custom_rules_dir.data())) {
-            for (dirent *entry; (entry = xreaddir(dir.get()));) {
-                auto rule = custom_rules_dir + "/" + entry->d_name + "/sepolicy.rule";
-                if (xaccess(rule.data(), R_OK) == 0) {
-                    LOGD("Loading custom sepolicy patch: [%s]\n", rule.data());
-                    sepol->load_rule_file(rule.data());
-                }
+    if (auto dir = xopen_dir(RULESDIR)) {
+        for (dirent *entry; (entry = xreaddir(dir.get()));) {
+            auto rule = RULESDIR "/"s + entry->d_name + "/sepolicy.rule";
+            if (xaccess(rule.data(), R_OK) == 0 &&
+                access((RULESDIR "/"s + entry->d_name + "/disable").data(), F_OK) != 0 &&
+                access((RULESDIR "/"s + entry->d_name + "/remove").data(), F_OK) != 0) {
+                LOGD("Loading custom sepolicy patch: [%s]\n", rule.data());
+                sepol->load_rule_file(rule.data());
            }
        }
    }
@@ -96,19 +96,18 @@ bool MagiskInit::hijack_sepolicy() {

    // Read all custom rules into memory
    string rules;
-    if (!custom_rules_dir.empty()) {
-        if (auto dir = xopen_dir(custom_rules_dir.data())) {
-            for (dirent *entry; (entry = xreaddir(dir.get()));) {
-                auto rule_file = custom_rules_dir + "/" + entry->d_name + "/sepolicy.rule";
-                if (xaccess(rule_file.data(), R_OK) == 0) {
-                    LOGD("Load custom sepolicy patch: [%s]\n", rule_file.data());
-                    full_read(rule_file.data(), rules);
-                    rules += '\n';
-                }
+    if (auto dir = xopen_dir(RULESDIR)) {
+        for (dirent *entry; (entry = xreaddir(dir.get()));) {
+            auto rule_file = RULESDIR "/"s + entry->d_name + "/sepolicy.rule";
+            if (xaccess(rule_file.data(), R_OK) == 0 &&
+                access((RULESDIR "/"s + entry->d_name + "/disable").data(), F_OK) != 0 &&
+                access((RULESDIR "/"s + entry->d_name + "/remove").data(), F_OK) != 0) {
+                LOGD("Load custom sepolicy patch: [%s]\n", rule_file.data());
+                full_read(rule_file.data(), rules);
+                rules += '\n';
            }
        }
    }
-
    // Create a new process waiting for init operations
    if (xfork()) {
        // In parent, return and continue boot process