Apply all sepolicy patches pre-init

Boot services tend to fail in the middle when the kernel loads a sepolicy live. It seems that moving full patch (allow magisk * * *) to late_start is still not enough to fix service startup failures. So screw it, apply all patched in magiskinit, which makes sure that all rules are only loaded in a single step. The only down side is that some OEM with a HUGE set of secontexts (e.g. Samsung) might suffer a slightly longer boot time, which IS the reason why the rules are split to 2 parts in the first place.
2025-01-04 15:27:39 +00:00 · 2018-08-09 03:20:28 +08:00 · 2018-08-09 03:20:28 +08:00 · ada0f93686
commit ada0f93686
parent ff36f2ba17
5 changed files with 5 additions and 16 deletions
--- a/native/jni/core/bootstages.c
+++ b/native/jni/core/bootstages.c
@ -706,6 +706,8 @@ void startup() {
 		xsymlink(MIRRDIR "/bin/busybox", BBPATH "/busybox");
 	}

+	xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
+
 	// Start post-fs-data mode
 	execl("/sbin/magisk.bin", "magisk", "--post-fs-data", NULL);
 }
@ -720,10 +722,6 @@ void post_fs_data(int client) {

 	LOGI("** post-fs-data mode running\n");

-	xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
-	full_patch_pid = exec_command(0, NULL, NULL,
-		"/sbin/magiskpolicy", "--save", TMPSEPOLICY, "allow "SEPOL_PROC_DOMAIN" * * *", NULL);
-
 	// Allocate buffer
 	vec_init(&module_list);

@ -843,14 +841,6 @@ void late_start(int client) {

 	auto_start_magiskhide();

-	if (full_patch_pid > 0) {
-		// Wait till the full patch is done
-		waitpid(full_patch_pid, NULL, 0);
-		// Load the policy
-		exec_command_sync("/sbin/magiskpolicy", "--live", "--load", TMPSEPOLICY, NULL);
-		unlink(TMPSEPOLICY);
-	}
-
 	// Run scripts after full patch, most reliable way to run scripts
 	LOGI("* Running service.d scripts\n");
 	exec_common_script("service");
--- a/native/jni/core/daemon.c
+++ b/native/jni/core/daemon.c
@ -23,7 +23,6 @@

 int setup_done = 0;
 int seperate_vendor = 0;
-int full_patch_pid = -1;

 static void *request_handler(void *args) {
 	int client = *((int *) args);
--- a/native/jni/core/magiskinit.c
+++ b/native/jni/core/magiskinit.c
@ -220,6 +220,7 @@ static int patch_sepolicy() {
 	}

 	sepol_magisk_rules();
+	sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
 	dump_policydb("/sepolicy");

 	// Remove the stupid debug sepolicy and use our own
--- a/native/jni/include/daemon.h
+++ b/native/jni/include/daemon.h
@ -10,7 +10,6 @@

 extern int setup_done;
 extern int seperate_vendor;
-extern int full_patch_pid;

 // Commands require connecting to daemon
 enum {
--- a/native/jni/magiskpolicy/magiskpolicy.c
+++ b/native/jni/magiskpolicy/magiskpolicy.c
@ -66,8 +66,8 @@ static void usage(char *arg0) {
 		"\n"
 		"Options:\n"
 		"   --live            directly apply sepolicy live\n"
-		"   --magisk          inject built-in rules for a Magisk\n"
-		"                     selinux environment\n"
+		"   --magisk          inject built-in rules for a minimal\n"
+		"                     Magisk selinux environment\n"
 		"   --load FILE       load policies from FILE\n"
 		"   --compile-split   compile and load split cil policies\n"
 		"                     from system and vendor just like init\n"