Remove Samsung sepcific patches and small refactoring

This commit is contained in:
topjohnwu 2017-11-29 06:09:35 +08:00
parent 8ee9984e4e
commit d7a6127273
4 changed files with 87 additions and 120 deletions

View File

@ -58,14 +58,15 @@ static void statements() {
static void usage(char *arg0) { static void usage(char *arg0) {
fprintf(stderr, fprintf(stderr,
"MagiskPolicy v" xstr(MAGISK_VERSION) "(" xstr(MAGISK_VER_CODE) ") (by topjohnwu & phh) - sepolicy Modification Tool\n\n" "MagiskPolicy v" xstr(MAGISK_VERSION) "(" xstr(MAGISK_VER_CODE) ") (by topjohnwu)\n\n"
"Usage: %s [--options...] [policystatements...]\n\n" "Usage: %s [--options...] [policystatements...]\n\n"
"Options:\n" "Options:\n"
" --live directly load patched policy to device\n" " --live directly apply patched policy live\n"
" --minimal minimal patches, used for boot image patches\n" " --magisk built-in rules for a Magisk selinux environment\n"
" --load <infile> load policies from <infile>\n" " --load FILE load policies from <infile>\n"
" (load from live policies if not specified)\n" " --save FILE save policies to <outfile>\n\n"
" --save <outfile> save policies to <outfile>\n\n" "If no input file is specified, it will load from current policies\n"
"If neither --live nor --save is specified, nothing will happen\n\n"
, arg0); , arg0);
statements(); statements();
exit(1); exit(1);
@ -381,7 +382,7 @@ static void syntax_error_msg() {
int magiskpolicy_main(int argc, char *argv[]) { int magiskpolicy_main(int argc, char *argv[]) {
char *infile = NULL, *outfile = NULL, *tok, *saveptr; char *infile = NULL, *outfile = NULL, *tok, *saveptr;
int live = 0, minimal = 0; int live = 0, magisk = 0;
struct vector rules; struct vector rules;
vec_init(&rules); vec_init(&rules);
@ -391,8 +392,8 @@ int magiskpolicy_main(int argc, char *argv[]) {
if (argv[i][0] == '-' && argv[i][1] == '-') { if (argv[i][0] == '-' && argv[i][1] == '-') {
if (strcmp(argv[i], "--live") == 0) if (strcmp(argv[i], "--live") == 0)
live = 1; live = 1;
else if (strcmp(argv[i], "--minimal") == 0) else if (strcmp(argv[i], "--magisk") == 0)
minimal = 1; magisk = 1;
else if (strcmp(argv[i], "--load") == 0) { else if (strcmp(argv[i], "--load") == 0) {
if (i + 1 >= argc) usage(argv[0]); if (i + 1 >= argc) usage(argv[0]);
infile = argv[i + 1]; infile = argv[i + 1];
@ -403,9 +404,10 @@ int magiskpolicy_main(int argc, char *argv[]) {
i += 1; i += 1;
} else } else
usage(argv[0]); usage(argv[0]);
} else } else {
vec_push_back(&rules, argv[i]); vec_push_back(&rules, argv[i]);
} }
}
// Use current policy if not specified // Use current policy if not specified
if(!infile) if(!infile)
@ -416,8 +418,8 @@ int magiskpolicy_main(int argc, char *argv[]) {
return 1; return 1;
} }
if (minimal) if (magisk)
sepol_min_rules(); sepol_magisk_rules();
for (int i = 0; i < rules.size; ++i) { for (int i = 0; i < rules.size; ++i) {
// Since strtok will modify the origin string, copy the policy for error messages // Since strtok will modify the origin string, copy the policy for error messages
@ -472,8 +474,7 @@ int magiskpolicy_main(int argc, char *argv[]) {
if (live) if (live)
outfile = SELINUX_LOAD; outfile = SELINUX_LOAD;
if (outfile) if (outfile && dump_policydb(outfile)) {
if (dump_policydb(outfile)) {
fprintf(stderr, "Cannot dump policy to %s\n", outfile); fprintf(stderr, "Cannot dump policy to %s\n", outfile);
return 1; return 1;
} }

34
magiskpolicy.h Normal file
View File

@ -0,0 +1,34 @@
/* magiskpolicy.h - Public API for policy patching
*/
#ifndef _MAGISKPOLICY_H
#define _MAGISKPOLICY_H
#include <stdlib.h>
#define ALL NULL
// policydb functions
int load_policydb(const char *filename);
int dump_policydb(const char *filename);
void destroy_policydb();
// Handy functions
int sepol_allow(char *s, char *t, char *c, char *p);
int sepol_deny(char *s, char *t, char *c, char *p);
int sepol_auditallow(char *s, char *t, char *c, char *p);
int sepol_auditdeny(char *s, char *t, char *c, char *p);
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o);
int sepol_allowxperm(char *s, char *t, char *c, char *range);
int sepol_auditallowxperm(char *s, char *t, char *c, char *range);
int sepol_dontauditxperm(char *s, char *t, char *c, char *range);
int sepol_create(char *s);
int sepol_permissive(char *s);
int sepol_enforce(char *s);
int sepol_attradd(char *s, char *a);
int sepol_exists(char *source);
// Built in rules
void sepol_magisk_rules();
#endif

136
rules.c
View File

@ -1,70 +1,6 @@
#include "magiskpolicy.h" #include "magiskpolicy.h"
#include "sepolicy.h" #include "sepolicy.h"
void samsung() {
sepol_deny("init", "kernel", "security", "load_policy");
sepol_deny("policyloader_app", "security_spota_file", "dir", "read");
sepol_deny("policyloader_app", "security_spota_file", "dir", "write");
sepol_deny("policyloader_app", "security_spota_file", "file", "read");
sepol_deny("policyloader_app", "security_spota_file", "file", "write");
sepol_deny("system_server", "security_spota_file", "dir", "read");
sepol_deny("system_server", "security_spota_file", "dir", "write");
sepol_deny("system_server", "security_spota_file", "file", "read");
sepol_deny("system_server", "security_spota_file", "file", "write");
sepol_deny("system_app", "security_spota_file", "dir", "read");
sepol_deny("system_app", "security_spota_file", "dir", "write");
sepol_deny("system_app", "security_spota_file", "file", "read");
sepol_deny("system_app", "security_spota_file", "file", "write");
sepol_deny("installd", "security_spota_file", "dir", "read");
sepol_deny("installd", "security_spota_file", "dir", "write");
sepol_deny("installd", "security_spota_file", "file", "read");
sepol_deny("installd", "security_spota_file", "file", "write");
sepol_deny("init", "security_spota_file", "dir", "read");
sepol_deny("init", "security_spota_file", "dir", "write");
sepol_deny("init", "security_spota_file", "file", "read");
sepol_deny("init", "security_spota_file", "file", "write");
sepol_deny("ueventd", "security_spota_file", "dir", "read");
sepol_deny("ueventd", "security_spota_file", "dir", "write");
sepol_deny("ueventd", "security_spota_file", "file", "read");
sepol_deny("ueventd", "security_spota_file", "file", "write");
sepol_deny("runas", "security_spota_file", "dir", "read");
sepol_deny("runas", "security_spota_file", "dir", "write");
sepol_deny("runas", "security_spota_file", "file", "read");
sepol_deny("runas", "security_spota_file", "file", "write");
sepol_deny("drsd", "security_spota_file", "dir", "read");
sepol_deny("drsd", "security_spota_file", "dir", "write");
sepol_deny("drsd", "security_spota_file", "file", "read");
sepol_deny("drsd", "security_spota_file", "file", "write");
sepol_deny("debuggerd", "security_spota_file", "dir", "read");
sepol_deny("debuggerd", "security_spota_file", "dir", "write");
sepol_deny("debuggerd", "security_spota_file", "file", "read");
sepol_deny("debuggerd", "security_spota_file", "file", "write");
sepol_deny("vold", "security_spota_file", "dir", "read");
sepol_deny("vold", "security_spota_file", "dir", "write");
sepol_deny("vold", "security_spota_file", "file", "read");
sepol_deny("vold", "security_spota_file", "file", "write");
sepol_deny("zygote", "security_spota_file", "dir", "read");
sepol_deny("zygote", "security_spota_file", "dir", "write");
sepol_deny("zygote", "security_spota_file", "file", "read");
sepol_deny("zygote", "security_spota_file", "file", "write");
sepol_deny("auditd", "security_spota_file", "dir", "read");
sepol_deny("auditd", "security_spota_file", "dir", "write");
sepol_deny("auditd", "security_spota_file", "file", "read");
sepol_deny("auditd", "security_spota_file", "file", "write");
sepol_deny("servicemanager", "security_spota_file", "dir", "read");
sepol_deny("servicemanager", "security_spota_file", "dir", "write");
sepol_deny("servicemanager", "security_spota_file", "file", "read");
sepol_deny("servicemanager", "security_spota_file", "file", "write");
sepol_deny("itsonbs", "security_spota_file", "dir", "read");
sepol_deny("itsonbs", "security_spota_file", "dir", "write");
sepol_deny("itsonbs", "security_spota_file", "file", "read");
sepol_deny("itsonbs", "security_spota_file", "file", "write");
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "read");
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "write");
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "read");
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "write");
}
void allowSuClient(char *target) { void allowSuClient(char *target) {
sepol_allow(target, "rootfs", "file", ALL); sepol_allow(target, "rootfs", "file", ALL);
sepol_allow(target, "rootfs", "lnk_file", ALL); sepol_allow(target, "rootfs", "lnk_file", ALL);
@ -149,10 +85,19 @@ void otherToSU() {
sepol_allow("surfaceflinger", "su", "binder", "call"); sepol_allow("surfaceflinger", "su", "binder", "call");
sepol_allow("surfaceflinger", "su", "fd", "use"); sepol_allow("surfaceflinger", "su", "fd", "use");
sepol_allow("debuggerd", "su", "process", "ptrace"); sepol_allow("debuggerd", "su", "process", "ptrace");
// dumpsys
sepol_allow(ALL, "su", "fd", "use");
sepol_allow(ALL, "su", "fifo_file", "write");
sepol_allow(ALL, "su", "fifo_file", "read");
sepol_allow(ALL, "su", "fifo_file", "open");
sepol_allow(ALL, "su", "fifo_file", "getattr");
} }
// Minimal boot image patch, Samsung requires these patches void sepol_magisk_rules() {
void sepol_min_rules() { // First prevent anything to change sepolicy except ourselves
sepol_deny(ALL, "kernel", "security", "load_policy");
if (!sepol_exists("su")) if (!sepol_exists("su"))
sepol_create("su"); sepol_create("su");
if (!sepol_exists("su_device")) if (!sepol_exists("su_device"))
@ -163,7 +108,7 @@ void sepol_min_rules() {
sepol_attradd("su", "mlstrustedsubject"); sepol_attradd("su", "mlstrustedsubject");
sepol_attradd("su_device", "mlstrustedobject"); sepol_attradd("su_device", "mlstrustedobject");
// Let magiskinit daemon monitor and transit to su // Allow magiskinit daemon to run and run in su context
sepol_allow("kernel", "device", "dir", ALL); sepol_allow("kernel", "device", "dir", ALL);
sepol_allow("kernel", "device", "file", ALL); sepol_allow("kernel", "device", "file", ALL);
sepol_allow("kernel", "su", "unix_stream_socket", "connectto"); sepol_allow("kernel", "su", "unix_stream_socket", "connectto");
@ -177,11 +122,6 @@ void sepol_min_rules() {
sepol_allow("init", "system_file", "lnk_file", ALL); sepol_allow("init", "system_file", "lnk_file", ALL);
sepol_allow("init", "system_file", "file", ALL); sepol_allow("init", "system_file", "file", ALL);
// Samsung specific
// Prevent system from loading policy
if(sepol_exists("knox_system_app"))
samsung();
// Shell, prop management, simple su rights, logs // Shell, prop management, simple su rights, logs
sepol_allow("su", "property_socket", "sock_file", "write"); sepol_allow("su", "property_socket", "sock_file", "write");
sepol_allow("su", "properties_device", "file", "write"); sepol_allow("su", "properties_device", "file", "write");
@ -228,12 +168,34 @@ void sepol_min_rules() {
sepol_allow("su", "selinuxfs", "file", "open"); sepol_allow("su", "selinuxfs", "file", "open");
sepol_allow("su", "selinuxfs", "file", "write"); sepol_allow("su", "selinuxfs", "file", "write");
// Allow these client to access su
allowSuClient("shell");
allowSuClient("untrusted_app");
allowSuClient("system_app");
allowSuClient("platform_app");
if (sepol_exists("priv_app"))
allowSuClient("priv_app");
if (sepol_exists("ssd_tool"))
allowSuClient("ssd_tool");
if (sepol_exists("untrusted_app_25"))
allowSuClient("untrusted_app_25");
// Some superuser stuffs
suRights();
otherToSU();
// For mounting loop devices and mirrors // For mounting loop devices and mirrors
sepol_allow("su", "kernel", "process", "setsched"); sepol_allow("su", "kernel", "process", "setsched");
sepol_allow("su", "labeledfs", "filesystem", "mount"); sepol_allow("su", "labeledfs", "filesystem", "mount");
sepol_allow("su", "labeledfs", "filesystem", "unmount"); sepol_allow("su", "labeledfs", "filesystem", "unmount");
sepol_allow("kernel", ALL, "file", "read"); sepol_allow("kernel", ALL, "file", "read");
// Allow su to do anything to any files/dir/links
sepol_allow("su", ALL, "file", ALL);
sepol_allow("su", ALL, "dir", ALL);
sepol_allow("su", ALL, "lnk_file", ALL);
sepol_allow("su", ALL, "blk_file", ALL);
// For changing attributes // For changing attributes
sepol_allow("rootfs", "tmpfs", "filesystem", "associate"); sepol_allow("rootfs", "tmpfs", "filesystem", "associate");
@ -248,33 +210,3 @@ void sepol_min_rules() {
} }
} }
void sepol_med_rules() {
sepol_min_rules();
// Allow su to do anything to any files/dir/links
sepol_allow("su", ALL, "file", ALL);
sepol_allow("su", ALL, "dir", ALL);
sepol_allow("su", ALL, "lnk_file", ALL);
sepol_allow("su", ALL, "blk_file", ALL);
// Allow these client to access su
allowSuClient("shell");
allowSuClient("untrusted_app");
allowSuClient("system_app");
allowSuClient("platform_app");
if (sepol_exists("priv_app"))
allowSuClient("priv_app");
if (sepol_exists("ssd_tool"))
allowSuClient("ssd_tool");
if (sepol_exists("untrusted_app_25"))
allowSuClient("untrusted_app_25");
suRights();
otherToSU();
}
void sepol_full_rules() {
// Patch su to everything
sepol_allow("su", ALL, ALL, ALL);
}

View File

@ -255,7 +255,7 @@ int dump_policydb(const char *filename) {
return 1; return 1;
} }
fd = open(filename, O_RDWR | O_CREAT, 0644); fd = creat(filename, 0644);
if (fd < 0) { if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n", fprintf(stderr, "Can't open '%s': %s\n",
filename, strerror(errno)); filename, strerror(errno));