Support SELinux disabled on debug builds

This commit is contained in:
topjohnwu 2022-05-31 22:24:13 -07:00
parent d7776f6597
commit d4fe8632ec
6 changed files with 40 additions and 8 deletions


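--- a/[path-not-shown-on-page-1]
+++ b/[path-not-shown-on-page-1]
@@ -36,6 +36,7 @@ extern int (*fsetfilecon)(int fd, const char *con);
 void getfilecon_at(int dirfd, const char *name, char **con);
 void setfilecon_at(int dirfd, const char *name, const char *con);
+bool selinux_enabled();
 void enable_selinux();
 void restorecon();
 void restore_tmpcon();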
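Review bot: The new `bool selinux_enabled();` declaration carries no comment, and its meaning depends on the build flavour — the definition elsewhere in this commit returns a constant `true` unless `MAGISK_DEBUG` is set, in which case it reflects a state set by `enable_selinux()`. A reader of the header has no way to know that, so the guard sites added in this commit look like generic runtime checks. Suggest `// Whether SELinux is present. Always true on release builds; on MAGISK_DEBUG builds only true after enable_selinux() has found the SELinux mount.` above the declaration.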


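--- a/[path-not-shown-on-page-2]
+++ b/[path-not-shown-on-page-2]
@@ -4,6 +4,7 @@
 #include <base.hpp>
 #include <selinux.hpp>
+#include <flags.h>
 using namespace std;
@@ -101,7 +102,23 @@ void setfilecon_at(int dirfd, const char *name, const char *con) {
 lsetfilecon(path, con);
 }
+#if MAGISK_DEBUG
+static bool se_state = false;
+bool selinux_enabled() {
+return se_state;
+}
+#else
+bool selinux_enabled() {
+return true;
+}
+#endif
 void enable_selinux() {
+#if MAGISK_DEBUG
+if (access(SELINUX_MNT, F_OK) != 0)
+return;
+se_state = true;
+#endif
 setcon = __setcon;
 getfilecon = __getfilecon;
 lgetfilecon = __lgetfilecon;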
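Review bot: `se_state` is only ever set inside `enable_selinux()`, so on a `MAGISK_DEBUG` build `selinux_enabled()` reports false for any caller that runs before `enable_selinux()`, even when SELinux is present; the new guards in `restorecon()`/`restore_tmpcon()` and the zygote check then silently take the no-SELinux path. That ordering requirement is not visible at the call sites and deserves a comment on the variable: `// Set by enable_selinux(); callers of selinux_enabled() must run after it`. The debug early `return;` also skips the function-pointer assignments that follow (`setcon = __setcon;` …); presumably they keep the defaults assigned earlier in the file, which is the intent, but `// SELinux absent: leave the default stubs in place and report disabled` on that return would say so. The body of `enable_selinux()` continues past the end of the hunk.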


@ -257,7 +257,7 @@ static void handle_request(pollfd *pfd) {
} }
break; break;
case MainRequest::ZYGISK: case MainRequest::ZYGISK:
if (!is_zygote) { if (!is_zygote && selinux_enabled()) {
// Invalid client context // Invalid client context
write_int(client, MainResponse::ACCESS_DENIED); write_int(client, MainResponse::ACCESS_DENIED);
goto done; goto done;
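Review bot: With `selinux_enabled()` false, every connecting client now passes this zygote check, since the new condition `if (!is_zygote && selinux_enabled()) {` only rejects non-zygote callers while SELinux is on. That is acceptable only because `selinux_enabled()` compiles to a constant `true` outside `MAGISK_DEBUG` builds, and nothing on this line tells the next maintainer that the relaxation is debug-only. Suggest `// Without SELinux the caller's context cannot be verified; selinux_enabled() is always true on release builds` directly above the condition. `handle_request` begins and ends outside the hunk.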


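--- a/[path-not-shown-on-page-4]
+++ b/[path-not-shown-on-page-4]
@@ -66,6 +66,8 @@ static void restore_magiskcon(int dirfd) {
 }
 void restorecon() {
+if (!selinux_enabled())
+return;
 int fd = xopen(SELINUX_CONTEXT, O_WRONLY | O_CLOEXEC);
 if (write(fd, ADB_CON, sizeof(ADB_CON)) >= 0)
 lsetfilecon(SECURE_DIR, ADB_CON);
@@ -76,6 +78,8 @@ void restorecon() {
 }
 void restore_tmpcon() {
+if (!selinux_enabled())
+return;
 if (MAGISKTMP == "/sbin")
 setfilecon(MAGISKTMP.data(), ROOT_CON);
 else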


@ -6,6 +6,7 @@
#include <base.hpp> #include <base.hpp>
#include <socket.hpp> #include <socket.hpp>
#include <daemon.hpp> #include <daemon.hpp>
#include <selinux.hpp>
#include "zygisk.hpp" #include "zygisk.hpp"
@ -17,7 +18,14 @@ int app_process_main(int argc, char *argv[]) {
char buf[PATH_MAX]; char buf[PATH_MAX];
bool zygote = false; bool zygote = false;
if (auto fp = open_file("/proc/self/attr/current", "r")) { if (!selinux_enabled()) {
for (int i = 0; i < argc; ++i) {
if (argv[i] == "--zygote"sv) {
zygote = true;
break;
}
}
} else if (auto fp = open_file("/proc/self/attr/current", "r")) {
fscanf(fp.get(), "%s", buf); fscanf(fp.get(), "%s", buf);
zygote = (buf == "u:r:zygote:s0"sv); zygote = (buf == "u:r:zygote:s0"sv);
} }
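Review bot: The new argv fallback decides `zygote` from the presence of a `--zygote` argument rather than from the process's SELinux context, which is a weaker signal, and nothing in the hunk records that this branch is only reachable when `selinux_enabled()` is false — a debug-only condition given the `#if MAGISK_DEBUG` definition elsewhere in this commit. Suggest `// No SELinux (debug builds only): no process context to read, so identify zygote from argv` above `if (!selinux_enabled()) {`. The loop also starts at `i = 0`, so `argv[0]` is compared as well; harmless, but `for (int i = 1; i < argc; ++i)` reads as the intent. The unchanged `fscanf(fp.get(), "%s", buf);` in the other branch has no width limit on a `PATH_MAX` buffer; pre-existing, but this hunk touches the surrounding lines and would be the place to add one. `app_process_main` continues past the end of the hunk.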


@ -69,12 +69,14 @@ if [ -d /dev/avd-magisk ]; then
fi fi
# SELinux stuffs # SELinux stuffs
if [ -f /vendor/etc/selinux/precompiled_sepolicy ]; then if [ -d /sys/fs/selinux ]; then
./magiskpolicy --load /vendor/etc/selinux/precompiled_sepolicy --live --magisk 2>&1 if [ -f /vendor/etc/selinux/precompiled_sepolicy ]; then
elif [ -f /sepolicy ]; then ./magiskpolicy --load /vendor/etc/selinux/precompiled_sepolicy --live --magisk 2>&1
./magiskpolicy --load /sepolicy --live --magisk 2>&1 elif [ -f /sepolicy ]; then
else ./magiskpolicy --load /sepolicy --live --magisk 2>&1
./magiskpolicy --live --magisk 2>&1 else
./magiskpolicy --live --magisk 2>&1
fi
fi fi
MAGISKTMP=/sbin MAGISKTMP=/sbin
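Review bot: The new outer guard `if [ -d /sys/fs/selinux ]; then` hardcodes the mount point, while the C++ side of this commit tests `SELINUX_MNT` via `access(SELINUX_MNT, F_OK)`; presumably both name the same path, but a comment tying them together would keep the two checks from drifting: `# must agree with the SELINUX_MNT check in enable_selinux()`. With this change the former `else` branch (`./magiskpolicy --live --magisk 2>&1`) is no longer run at all when SELinux is absent, which appears to be the intent but is worth stating in the commit description. The rendered page interleaves the old and new script lines, so the exact nesting of the inner `if`/`elif`/`else` is inferred rather than read from the hunk.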