Tighten rules for tmpfs file

Before magiskd is executed, all files in the magisk tmpfs still share the
tmpfs label. This commit tightens the rule to only allow init, zygote
and shell to access magisk tmpfs files. The zygote rule is needed
because lower Android versions don't have a rule for zygote itself
using memfd, even when memfd is supported by the kernel.
Wang Han 2024-07-07 13:34:03 +08:00 committed by John Wu
parent 648e3ee36b
commit b11b81122a


@ -100,8 +100,9 @@ impl SepolicyMagisk for sepolicy {
"system_app", "priv_app", "untrusted_app", "untrusted_app_all"], "system_app", "priv_app", "untrusted_app", "untrusted_app_all"],
[proc], ["unix_stream_socket"], ["connectto", "getopt"]); [proc], ["unix_stream_socket"], ["connectto", "getopt"]);
// Let everyone access tmpfs files (for SAR sbin overlay) // Let selected domains access tmpfs files
allow(["domain"], ["tmpfs"], ["file"], all); // For tmpfs overlay on 2SI, Zygisk on lower Android versions and AVD scripts
allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);
// Allow magiskinit daemon to handle mock selinuxfs // Allow magiskinit daemon to handle mock selinuxfs
allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]); allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
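Review bot: The new `allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);` line still passes `all` as the permission set, and it targets the generic `tmpfs` type rather than a Magisk-specific label, so these three domains presumably get every file permission on any tmpfs-labelled file, not only Magisk's own. `shell` is the most exposed of the three because it is reachable over adb; if the AVD scripts need only a subset of permissions, an explicit list for that domain would be tighter. At minimum, split the rule per domain with its reason next to it so each grant can be audited and narrowed separately, e.g. `allow(["shell"], ["tmpfs"], ["file"], all); // AVD scripts only`. The mapping of use case to domain is inferred from the order in the comment, and the enclosing impl block starts and ends outside this hunk, so any later rule that narrows this is not visible here.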