From b11b81122a7c2e8ad2d8b7a2e66abf9816ff7796 Mon Sep 17 00:00:00 2001
From: Wang Han <1701210638@pku.edu.cn>
Date: Sun, 7 Jul 2024 13:34:03 +0800
Subject: [PATCH] Tighten rules for tmpfs file

Before magiskd is executed, all files in magisk tmpfs still shares tmpfs label. This commit tightens the rule to only allow init, zygote and shell to access magisk tmpfs files. Zygotes rules is needed because lower Android versions don't have rule for zygote itself using memfd even memfd is supported in kernel.
---
 native/src/sepolicy/rules.rs | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/native/src/sepolicy/rules.rs b/native/src/sepolicy/rules.rs
index df6715db4..9fe918dba 100644
--- a/native/src/sepolicy/rules.rs
+++ b/native/src/sepolicy/rules.rs
@@ -100,8 +100,9 @@ impl SepolicyMagisk for sepolicy {
 "system_app", "priv_app", "untrusted_app", "untrusted_app_all"], [proc], ["unix_stream_socket"], ["connectto", "getopt"]);
- // Let everyone access tmpfs files (for SAR sbin overlay)
- allow(["domain"], ["tmpfs"], ["file"], all);
+ // Let selected domains access tmpfs files
+ // For tmpfs overlay on 2SI, Zygisk on lower Android versions and AVD scripts
+ allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);
 // Allow magiskinit daemon to handle mock selinuxfs
 allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
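Review bot: The added `allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);` narrows the source domains but still grants every `file` permission, and its target is the generic `tmpfs` type rather than a Magisk-specific label. As written, `zygote` and `shell` therefore keep full access, including write and execute, to any file carrying that label, not only the ones Magisk creates. The three use cases in the comment presumably need different and smaller permission sets, so consider one rule per domain with an explicit permission list, in the style of the `["write"]` rule for `kernel` just below. The comment would also be easier to audit if it tied each domain to its reason, for example `// init: tmpfs overlay on 2SI; zygote: Zygisk memfd on lower Android versions; shell: AVD scripts`, assuming that is the intended mapping. The enclosing function starts and ends outside the hunk, so other rules that depended on the old `domain`-wide grant cannot be checked from here.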