TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2024-11-24 02:25:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add built-in rules

Browse Source
This commit is contained in:
topjohnwu 2016-09-13 06:19:07 +08:00
parent 60a7eaf2bb
commit c69db035ee
2 changed files with 327 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

324
builtin_rules.c Normal file
View File

@ -0,0 +1,324 @@
#include <stdio.h>
#include <sepol/policydb/policydb.h>
#define ALL NULL
extern int add_rule(char *s, char *t, char *c, char *p, int effect, int not, policydb_t *policy);
extern void create_domain(char *d, policydb_t *policy);
extern int add_transition(char *srcS, char *origS, char *tgtS, char *c, policydb_t *policy);
extern int add_type(char *domainS, char *typeS, policydb_t *policy);
policydb_t *policy;
void allow(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 0, policy);
}
void noaudit(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_AUDITDENY, 0, policy);
}
void deny(char *s, char *t, char *c, char *p) {
add_rule(s, t, c, p, AVTAB_ALLOWED, 1, policy);
}
void setPermissive(char* permissive, int permissive_value) {
type_datum_t *type;
create_domain(permissive, policy);
type = hashtab_search(policy->p_types.table, permissive);
if (type == NULL) {
fprintf(stderr, "type %s does not exist\n", permissive);
return;
}
if (ebitmap_set_bit(&policy->permissive_map, type->s.value, permissive_value)) {
fprintf(stderr, "Could not set bit in permissive map\n");
return;
}
}
int exists(char* source) {
return (int) hashtab_search(policy->p_types.table, source);
}
void samsung() {
deny("init", "kernel", "security", "load_policy");
deny("policyloader_app", "security_spota_file", "dir", "read");
deny("policyloader_app", "security_spota_file", "dir", "write");
deny("policyloader_app", "security_spota_file", "file", "read");
deny("policyloader_app", "security_spota_file", "file", "write");
deny("system_server", "security_spota_file", "dir", "read");
deny("system_server", "security_spota_file", "dir", "write");
deny("system_server", "security_spota_file", "file", "read");
deny("system_server", "security_spota_file", "file", "write");
deny("system_app", "security_spota_file", "dir", "read");
deny("system_app", "security_spota_file", "dir", "write");
deny("system_app", "security_spota_file", "file", "read");
deny("system_app", "security_spota_file", "file", "write");
deny("installd", "security_spota_file", "dir", "read");
deny("installd", "security_spota_file", "dir", "write");
deny("installd", "security_spota_file", "file", "read");
deny("installd", "security_spota_file", "file", "write");
deny("init", "security_spota_file", "dir", "read");
deny("init", "security_spota_file", "dir", "write");
deny("init", "security_spota_file", "file", "read");
deny("init", "security_spota_file", "file", "write");
deny("ueventd", "security_spota_file", "dir", "read");
deny("ueventd", "security_spota_file", "dir", "write");
deny("ueventd", "security_spota_file", "file", "read");
deny("ueventd", "security_spota_file", "file", "write");
deny("runas", "security_spota_file", "dir", "read");
deny("runas", "security_spota_file", "dir", "write");
deny("runas", "security_spota_file", "file", "read");
deny("runas", "security_spota_file", "file", "write");
deny("drsd", "security_spota_file", "dir", "read");
deny("drsd", "security_spota_file", "dir", "write");
deny("drsd", "security_spota_file", "file", "read");
deny("drsd", "security_spota_file", "file", "write");
deny("debuggerd", "security_spota_file", "dir", "read");
deny("debuggerd", "security_spota_file", "dir", "write");
deny("debuggerd", "security_spota_file", "file", "read");
deny("debuggerd", "security_spota_file", "file", "write");
deny("vold", "security_spota_file", "dir", "read");
deny("vold", "security_spota_file", "dir", "write");
deny("vold", "security_spota_file", "file", "read");
deny("vold", "security_spota_file", "file", "write");
deny("zygote", "security_spota_file", "dir", "read");
deny("zygote", "security_spota_file", "dir", "write");
deny("zygote", "security_spota_file", "file", "read");
deny("zygote", "security_spota_file", "file", "write");
deny("auditd", "security_spota_file", "dir", "read");
deny("auditd", "security_spota_file", "dir", "write");
deny("auditd", "security_spota_file", "file", "read");
deny("auditd", "security_spota_file", "file", "write");
deny("servicemanager", "security_spota_file", "dir", "read");
deny("servicemanager", "security_spota_file", "dir", "write");
deny("servicemanager", "security_spota_file", "file", "read");
deny("servicemanager", "security_spota_file", "file", "write");
deny("itsonbs", "security_spota_file", "dir", "read");
deny("itsonbs", "security_spota_file", "dir", "write");
deny("itsonbs", "security_spota_file", "file", "read");
deny("itsonbs", "security_spota_file", "file", "write");
deny("commonplatformappdomain", "security_spota_file", "dir", "read");
deny("commonplatformappdomain", "security_spota_file", "dir", "write");
deny("commonplatformappdomain", "security_spota_file", "file", "read");
deny("commonplatformappdomain", "security_spota_file", "file", "write");
}
void allowSuClient(char *target) {
allow(target, "rootfs", "file", "execute_no_trans");
allow(target, "rootfs", "file", "execute");
allow(target, "su_daemon", "unix_stream_socket", "connectto");
allow(target, "su_daemon", "unix_stream_socket", "getopt");
allow(target, "su_device", "dir", "search");
allow(target, "su_device", "dir", "read");
allow(target, "su_device", "sock_file", "read");
allow(target, "su_device", "sock_file", "write");
allow("su_daemon", target, "fd", "use");
allow("su_daemon", target, "fifo_file", "read");
allow("su_daemon", target, "fifo_file", "write");
allow("su_daemon", target, "fifo_file", "getattr");
allow("su_daemon", target, "fifo_file", "ioctl");
allow("su_daemon", target, "dir", "search");
allow("su_daemon", target, "file", "read");
allow("su_daemon", target, "file", "open");
allow("su_daemon", target, "lnk_file", "read");
allow("su_daemon", "su_daemon", "capability", "sys_ptrace");
}
void suDaemonRights() {
allow("su_daemon", "rootfs", "file", "entrypoint");
allow("su_daemon", "su_daemon", "dir", "search");
allow("su_daemon", "su_daemon", "dir", "read");
allow("su_daemon", "su_daemon", "file", "read");
allow("su_daemon", "su_daemon", "file", "write");
allow("su_daemon", "su_daemon", "file", "open");
allow("su_daemon", "su_daemon", "lnk_file", "read");
allow("su_daemon", "su_daemon", "unix_dgram_socket", "create");
allow("su_daemon", "su_daemon", "unix_dgram_socket", "connect");
allow("su_daemon", "su_daemon", "unix_dgram_socket", "write");
allow("su_daemon", "su_daemon", "unix_stream_socket", "create");
allow("su_daemon", "su_daemon", "unix_stream_socket", "ioctl");
allow("su_daemon", "su_daemon", "unix_stream_socket", "read");
allow("su_daemon", "su_daemon", "unix_stream_socket", "getattr");
allow("su_daemon", "su_daemon", "unix_stream_socket", "write");
allow("su_daemon", "su_daemon", "unix_stream_socket", "setattr");
allow("su_daemon", "su_daemon", "unix_stream_socket", "lock");
allow("su_daemon", "su_daemon", "unix_stream_socket", "append");
allow("su_daemon", "su_daemon", "unix_stream_socket", "bind");
allow("su_daemon", "su_daemon", "unix_stream_socket", "connect");
allow("su_daemon", "su_daemon", "unix_stream_socket", "getopt");
allow("su_daemon", "su_daemon", "unix_stream_socket", "setopt");
allow("su_daemon", "su_daemon", "unix_stream_socket", "shutdown");
allow("su_daemon", "su_daemon", "unix_stream_socket", "listen");
allow("su_daemon", "su_daemon", "unix_stream_socket", "accept");
allow("su_daemon", "devpts", "chr_file", "read");
allow("su_daemon", "devpts", "chr_file", "write");
allow("su_daemon", "devpts", "chr_file", "open");
allow("su_daemon", "devpts", "chr_file", "getattr");
allow("su_daemon", "untrusted_app_devpts", "chr_file", "read");
allow("su_daemon", "untrusted_app_devpts", "chr_file", "write");
allow("su_daemon", "untrusted_app_devpts", "chr_file", "open");
allow("su_daemon", "untrusted_app_devpts", "chr_file", "getattr");
allow("su_daemon", "su_daemon", "capability", "setuid");
allow("su_daemon", "su_daemon", "capability", "setgid");
allow("su_daemon", "app_data_file", "dir", "getattr");
allow("su_daemon", "app_data_file", "dir", "search");
allow("su_daemon", "app_data_file", "dir", "write");
allow("su_daemon", "app_data_file", "dir", "add_name");
allow("su_daemon", "app_data_file", "file", "getattr");
allow("su_daemon", "app_data_file", "file", "read");
allow("su_daemon", "app_data_file", "file", "open");
allow("su_daemon", "app_data_file", "file", "lock");
allow("su_daemon", "su_daemon", "capability", "dac_override");
allow("su_daemon", "su_daemon", "process", "fork");
allow("su_daemon", "su_daemon", "process", "sigchld");
allow("su_daemon", "toolbox_exec", "file", "execute");
allow("su_daemon", "toolbox_exec", "file", "read");
allow("su_daemon", "toolbox_exec", "file", "open");
allow("su_daemon", "toolbox_exec", "file", "execute_no_trans");
allow("su_daemon", "device", "dir", "write");
allow("su_daemon", "device", "dir", "add_name");
allow("su_daemon", "su_device", "dir", "create");
allow("su_daemon", "su_device", "dir", "setattr");
allow("su_daemon", "su_device", "dir", "remove_name");
allow("su_daemon", "su_device", "dir", "add_name");
allow("su_daemon", "su_device", "sock_file", "create");
allow("su_daemon", "su_device", "sock_file", "unlink");
allow("su_daemon", "zygote_exec", "file", "execute");
allow("su_daemon", "zygote_exec", "file", "read");
allow("su_daemon", "zygote_exec", "file", "open");
allow("su_daemon", "zygote_exec", "file", "execute_no_trans");
allow("su_daemon", "zygote_exec", "lnk_file", "read");
allow("su_daemon", "zygote_exec", "lnk_file", "getattr");
allow("su_daemon", "su_device", "dir", "search");
allow("su_daemon", "su_device", "dir", "write");
allow("su_daemon", "su_device", "dir", "add_name");
allow("su_daemon", "su_daemon", "process", "setexec");
allow("su_daemon", "shell_exec", "file", "execute");
allow("su_daemon", "shell_exec", "file", "read");
allow("su_daemon", "shell_exec", "file", "open");
allow("su_daemon", "su_daemon", "capability", "chown");
allow("su_daemon", "su", "process", "transition");
noaudit("su_daemon", "su", "process", "siginh rlimitinh noatsecure");
}
void suBind() {
allow("su_daemon", "su_exec", "file", "mounton");
allow("su_daemon", "su_exec", "file", "read");
allow("su_daemon", "su_device", "dir", ALL);
allow("su_daemon", "su_device", "file", ALL);
allow("su_daemon", "su_device", "lnk_file", ALL);
allow("su_daemon", "system_file", "file", "relabelto");
}
void suRights() {
allow("su_daemon", "su_daemon", "capability", "sys_admin");
allow("servicemanager", "su", "dir", "search");
allow("servicemanager", "su", "dir", "read");
allow("servicemanager", "su", "file", "open");
allow("servicemanager", "su", "file", "read");
allow("servicemanager", "su", "process", "getattr");
allow("servicemanager", "su", "binder", "transfer");
allow("system_server", "su", "binder", "call");
}
void otherToSU() {
// allowLog
allow("logd", "su", "dir", "search");
allow("logd", "su", "file", "read");
allow("logd", "su", "file", "open");
allow("logd", "su", "file", "getattr");
// suBackL0
allow("system_server", "su", "binder", "call");
allow("system_server", "su", "binder", "transfer");
// ES Explorer opens a sokcet
allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
allow("untrusted_app", "su", "unix_stream_socket", "read");
allow("untrusted_app", "su", "unix_stream_socket", "getattr");
allow("untrusted_app", "su", "unix_stream_socket", "write");
allow("untrusted_app", "su", "unix_stream_socket", "setattr");
allow("untrusted_app", "su", "unix_stream_socket", "lock");
allow("untrusted_app", "su", "unix_stream_socket", "append");
allow("untrusted_app", "su", "unix_stream_socket", "bind");
allow("untrusted_app", "su", "unix_stream_socket", "connect");
allow("untrusted_app", "su", "unix_stream_socket", "getopt");
allow("untrusted_app", "su", "unix_stream_socket", "setopt");
allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
allow("untrusted_app", "su", "unix_stream_socket", "connectto");
// Any domain is allowed to send su "sigchld"
allow(ALL, "su", "process", "sigchld");
// uNetworkL0
add_type("su", "netdomain", policy);
add_type("su", "bluetoothdomain", policy);
// suBackL6
allow("surfaceflinger", "app_data_file", "dir", ALL);
allow("surfaceflinger", "app_data_file", "file", ALL);
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
add_type("surfaceflinger", "mlstrustedsubject", policy);
}
void suL9() {
allow("su_daemon", "su_daemon", "dir", ALL);
allow("su_daemon", "su_daemon", "file", ALL);
allow("su_daemon", "su_daemon", "lnk_file", ALL);
allow("su_daemon", "system_data_file", "dir", ALL);
allow("su_daemon", "system_data_file", "file", ALL);
allow("su_daemon", "system_data_file", "lnk_file", ALL);
allow("su_daemon", "labeledfs", "filesystem", "associate");
allow("su_daemon", "su_daemon", "process", "setfscreate");
allow("su_daemon", "tmpfs", "filesystem", "associate");
allow("su_daemon", "su_daemon", "file", "relabelfrom");
allow("su_daemon", "system_file", "file", "mounton");
}
void builtin_rules(policydb_t *policydb) {
policy = policydb;
// Samsung specific
// Prevent system from loading policy
if(exists("knox_system_app")) {
samsung();
}
// Create domains if they don't exist
setPermissive("su", 1);
setPermissive("su_device", 0);
setPermissive("su_daemon", 0);
// Autotransition su's socket to su_device
add_transition("su_daemon", "device", "su_device", "file", policy);
add_transition("su_daemon", "device", "su_device", "dir", policy);
allow("su_device", "tmpfs", "filesystem", "associate");
// Transition from untrusted_app to su_client
allowSuClient("shell");
allowSuClient("untrusted_app");
allowSuClient("platform_app");
allowSuClient("su");
if(exists("ssd_tool")) {
allowSuClient("ssd_tool");
}
// Allow init to execute su daemon/transition
allow("init", "su_daemon", "process", "transition");
noaudit("init", "su_daemon", "process", "rlimitinh");
noaudit("init", "su_daemon", "process", "siginh");
noaudit("init", "su_daemon", "process", "noatsecure");
suDaemonRights();
suBind();
suRights();
otherToSU();
// Need to set su_device/su as trusted to be accessible from other categories
add_type("su_device", "mlstrustedobject", policy);
add_type("su_daemon", "mlstrustedsubject", policy);
add_type("su", "mlstrustedsubject", policy);
suL9();
}

5
sepolicy-inject.c
View File

@ -23,6 +23,8 @@
#include <sepol/policydb/conditional.h> #include <sepol/policydb/conditional.h>
#include <sepol/policydb/constraint.h> #include <sepol/policydb/constraint.h>
extern void builtin_rules(policydb_t *policydb);
void usage(char *arg0) { void usage(char *arg0) {
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0); fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
fprintf(stderr, "\tInject a rule\n\n"); fprintf(stderr, "\tInject a rule\n\n");
@ -651,8 +653,7 @@ int main(int argc, char **argv)
return 1; return 1;
if (builtin) { if (builtin) {
// TODO: Create builtin rules builtin_rules(&policydb);
// builtin(&policydb);
} }
else if (permissive) { else if (permissive) {
type_datum_t *type; type_datum_t *type;