mirror of
https://github.com/topjohnwu/Magisk.git
synced 2024-12-24 20:07:39 +00:00
Update SELinux policy
This commit is contained in:
parent
c0c9204848
commit
bc94ea4334
@ -19,13 +19,9 @@
|
||||
// Unconstrained domain the daemon and root processes run in
|
||||
#define SEPOL_PROC_DOMAIN "magisk"
|
||||
#define MAGISK_PROC_CON "u:r:" SEPOL_PROC_DOMAIN ":s0"
|
||||
// Highly constrained domain, sole purpose is to connect to daemon
|
||||
#define SEPOL_CLIENT_DOMAIN "magisk_client"
|
||||
// Unconstrained file type that anyone can access
|
||||
#define SEPOL_FILE_TYPE "magisk_file"
|
||||
#define MAGISK_FILE_CON "u:object_r:" SEPOL_FILE_TYPE ":s0"
|
||||
// Special file type to allow clients to transit to client domain automatically
|
||||
#define SEPOL_EXEC_TYPE "magisk_exec"
|
||||
|
||||
extern void (*freecon)(char *con);
|
||||
extern int (*setcon)(const char *con);
|
||||
|
@ -10,7 +10,6 @@ using namespace std;
|
||||
#define SYSTEM_CON "u:object_r:system_file:s0"
|
||||
#define ADB_CON "u:object_r:adb_data_file:s0"
|
||||
#define ROOT_CON "u:object_r:rootfs:s0"
|
||||
#define EXEC_CON "u:object_r:" SEPOL_EXEC_TYPE ":s0"
|
||||
|
||||
static void restore_syscon_from_null(int dirfd) {
|
||||
struct dirent *entry;
|
||||
@ -82,16 +81,11 @@ void restore_tmpcon() {
|
||||
if (MAGISKTMP == "/sbin")
|
||||
setfilecon(MAGISKTMP.data(), ROOT_CON);
|
||||
else
|
||||
chmod(MAGISKTMP.data(), 0700);
|
||||
chmod(MAGISKTMP.data(), 0711);
|
||||
|
||||
auto dir = xopen_dir(MAGISKTMP.data());
|
||||
int dfd = dirfd(dir.get());
|
||||
|
||||
for (dirent *entry; (entry = xreaddir(dir.get()));)
|
||||
setfilecon_at(dfd, entry->d_name, SYSTEM_CON);
|
||||
|
||||
if (SDK_INT >= 26) {
|
||||
string magisk = MAGISKTMP + "/magisk";
|
||||
setfilecon(magisk.data(), EXEC_CON);
|
||||
}
|
||||
}
|
||||
|
@ -8,9 +8,6 @@ void sepolicy::magisk_rules() {
|
||||
// Temp suppress warnings
|
||||
set_log_level_state(LogLevel::Warn, false);
|
||||
|
||||
// This indicates API 26+
|
||||
bool new_rules = exists("untrusted_app_25");
|
||||
|
||||
// Prevent anything to change sepolicy except ourselves
|
||||
deny(ALL, "kernel", "security", "load_policy");
|
||||
|
||||
@ -39,85 +36,16 @@ void sepolicy::magisk_rules() {
|
||||
allow(ALL, SEPOL_FILE_TYPE, "lnk_file", ALL);
|
||||
allow(ALL, SEPOL_FILE_TYPE, "sock_file", ALL);
|
||||
|
||||
if (new_rules) {
|
||||
// Make client type literally untrusted_app
|
||||
type(SEPOL_CLIENT_DOMAIN, "domain");
|
||||
typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
|
||||
typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
|
||||
typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
|
||||
typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
|
||||
typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");
|
||||
|
||||
type(SEPOL_EXEC_TYPE, "file_type");
|
||||
typeattribute(SEPOL_EXEC_TYPE, "exec_type");
|
||||
|
||||
// Basic su client needs
|
||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
|
||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
||||
|
||||
const char *pts[]{"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts"};
|
||||
for (auto type : pts) {
|
||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
|
||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
|
||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
|
||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
|
||||
}
|
||||
|
||||
// Allow these processes to access MagiskSU
|
||||
vector<const char *> clients{ "shell", "update_engine", "appdomain" };
|
||||
for (auto type : clients) {
|
||||
if (!exists(type))
|
||||
continue;
|
||||
// exec magisk
|
||||
allow(type, SEPOL_EXEC_TYPE, "file", "read");
|
||||
allow(type, SEPOL_EXEC_TYPE, "file", "open");
|
||||
allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
|
||||
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
|
||||
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");
|
||||
|
||||
// Auto transit to client domain
|
||||
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
|
||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
|
||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
|
||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
|
||||
|
||||
// Kill client process
|
||||
allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
|
||||
}
|
||||
|
||||
// type transition require actual types, not attributes
|
||||
const char *app_types[]{
|
||||
"system_app", "priv_app", "platform_app", "untrusted_app", "untrusted_app_25",
|
||||
"untrusted_app_27", "untrusted_app_29", "untrusted_app_30", "untrusted_app_32"};
|
||||
clients.pop_back();
|
||||
clients.insert(clients.end(), app_types, app_types + std::size(app_types));
|
||||
for (auto type : clients) {
|
||||
// Auto transit to client domain
|
||||
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
|
||||
}
|
||||
|
||||
// Allow system_server to manage magisk_client
|
||||
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
|
||||
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
|
||||
|
||||
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
|
||||
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||
|
||||
// Only allow client processes and zygote to connect to magisk daemon socket
|
||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||
allow("zygote", SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||
} else {
|
||||
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
|
||||
|
||||
// Allow these processes to access MagiskSU
|
||||
const char *clients[] { "init", "shell", "appdomain", "zygote" };
|
||||
const char *clients[]{"zygote", "shell",
|
||||
"system_app", "platform_app", "priv_app",
|
||||
"untrusted_app", "untrusted_app_all"};
|
||||
for (auto type: clients) {
|
||||
if (!exists(type))
|
||||
continue;
|
||||
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
||||
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
||||
}
|
||||
}
|
||||
|
||||
// Let everyone access tmpfs files (for SAR sbin overlay)
|
||||
allow(ALL, "tmpfs", "file", ALL);
|
||||
@ -137,10 +65,6 @@ void sepolicy::magisk_rules() {
|
||||
// Let init run stuffs
|
||||
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
|
||||
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
|
||||
allow("init", SEPOL_EXEC_TYPE, "file", "read");
|
||||
allow("init", SEPOL_EXEC_TYPE, "file", "open");
|
||||
allow("init", SEPOL_EXEC_TYPE, "file", "getattr");
|
||||
allow("init", SEPOL_EXEC_TYPE, "file", "execute");
|
||||
|
||||
// suRights
|
||||
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
||||
@ -187,7 +111,6 @@ void sepolicy::magisk_rules() {
|
||||
|
||||
// Shut llkd up
|
||||
dontaudit("llkd", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
||||
dontaudit("llkd", SEPOL_CLIENT_DOMAIN, "process", "ptrace");
|
||||
|
||||
// Keep /data/adb/* context
|
||||
deny("init", "adb_data_file", "dir", "search");
|
||||
|
Loading…
x
Reference in New Issue
Block a user