Update to release v7

zip_static/common/init.magisk.rc

@@ -2,57 +2,38 @@
 
 on post-fs
     # Paths
-    export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/su/bin:/magisk/.core/bin:/magisk/busybox/bin:/data/magisk
-
-    # Start root
-    start phhsu
-    wait /dev/su 1
+    export PATH /magisk/.core/bin:/sbin:/vendor/bin:/system/sbin:/system/bin:/magisk/.core/busybox:/system/xbin
 
     start magisk_pfs
-    wait /dev/unblock 20
-    rmdir /dev/unblock
+    wait /dev/.magisk.unblock 20
+    rm /dev/.magisk.unblock
 
 on post-fs-data
 
-    # Try to start root again in case post-fs failed
-    start phhsu
-    wait /dev/su 1
-
     start magisk_pfsd
-    wait /dev/unblock 20
-    rmdir /dev/unblock
+    wait /dev/.magisk.unblock 40
+    rm /dev/.magisk.unblock
 
 on property:magisk.root=*
     start magisk_root
 
 # Services
 
-service phhsu /sbin/magisk_wrapper.sh phhsu
-    user root
-    seclabel u:r:su_daemon:s0
-    oneshot
-
 # launch post-fs script
-service magisk_pfs /sbin/magisk_wrapper.sh post-fs
+service magisk_pfs /sbin/magic_mask.sh post-fs
     user root
-    seclabel u:r:init:s0
+    seclabel u:r:su:s0
     oneshot
 
 # launch post-fs-data script
-service magisk_pfsd /sbin/magisk_wrapper.sh post-fs-data
+service magisk_pfsd /sbin/magic_mask.sh post-fs-data
     user root
-    seclabel u:r:init:s0
+    seclabel u:r:su:s0
     oneshot
 
 # launch late_start script
-service magisk_service /sbin/magisk_wrapper.sh service
+service magisk_service /sbin/magic_mask.sh service
     class late_start
     user root
-    seclabel u:r:init:s0
+    seclabel u:r:su:s0
     oneshot
-
-# root handling
-service magisk_root /sbin/magisk_wrapper.sh root
-    user root
-    seclabel u:r:init:s0
-    oneshot

zip_static/common/magic_mask.sh

@@ -8,13 +8,14 @@ COREDIR=/magisk/.core
 DUMMDIR=$COREDIR/dummy
 MIRRDIR=$COREDIR/mirror
 
-TMPDIR=/cache/tmp
+TMPDIR=/dev/tmp
 
-# Use the included busybox to do everything in all scripts for maximum compatibility
+# Use the included busybox to do everything for maximum compatibility
 # We also do so because we rely on the option "-c" for cp (reserve contexts)
+
+# Reserve the original PATH
+export OLDPATH=$PATH
 export PATH="/data/busybox:$PATH"
-# Version info
-setprop magisk.version 7
 
 log_print() {
   echo $1
@@ -32,7 +33,7 @@ mktouch() {
 }
 
 unblock() {
-  mkdir -p /dev/unblock
+  touch /dev/.magisk.unblock
   exit
 }
 
@@ -185,9 +186,12 @@ merge_image() {
 
           if ($OK); then
             # Merge (will reserve selinux contexts)
-            if [ `cp -afc /cache/merge_img/. /cache/data_img >/dev/null 2>&1; echo $?` -eq 0 ]; then
-              log_print "Merge complete"
-            fi
+            cd /cache/merge_img
+            for MOD in *; do
+              rm -rf /cache/data_img/$MOD
+              cp -afc $MOD /cache/data_img/
+            done
+            log_print "Merge complete"
           fi
 
           umount /cache/data_img
@@ -215,6 +219,15 @@ case $1 in
     chmod 644 $LOGFILE
     log_print "Magisk post-fs mode running..."
 
+    if [ -d "/cache/magisk_merge" ]; then
+      cd /cache/magisk_merge
+      for MOD in *; do
+        rm -rf /cache/magisk/$MOD
+        cp -afc $MOD /cache/magisk/
+      done 
+      rm -rf /cache/magisk_merge
+    fi
+
     for MOD in /cache/magisk/* ; do
       if [ -f "$MOD/remove" ]; then
         log_print "Remove module: $MOD"
@@ -244,6 +257,10 @@ case $1 in
 
     log_print "Magisk post-fs-data mode running..."
 
+    # Live patch sepolicy
+    /data/magisk/sepolicy-inject --live -s su
+
+    # Cache support
     if [ -d "/cache/data_bin" ]; then
       rm -rf /data/busybox /data/magisk
       mkdir -p /data/busybox
@@ -254,14 +271,15 @@ case $1 in
       # Prevent issues
       rm -f /data/busybox/su /data/busybox/sh
     fi
-
     mv /cache/stock_boot.img /data 2>/dev/null
+    
+    chmod 644 $IMG /cache/magisk.img /data/magisk_merge.img 2>/dev/null
 
     # Handle image merging
     merge_image /cache/magisk.img
     merge_image /data/magisk_merge.img
 
-    # Mount /data image
+    # Mount magisk.img
     if [ `cat /proc/mounts | grep /magisk >/dev/null 2>&1; echo $?` -ne 0 ]; then
       loopsetup $IMG
       if [ ! -z "$LOOPDEVICE" ]; then
@@ -274,13 +292,14 @@ case $1 in
       unblock
     fi
 
-    mkdir -p $DUMMDIR
-    mkdir -p $MIRRDIR/system
-
     log_print "Preparing modules"
     # First do cleanups
-    rm -rf $DUMMDIR/*
+    rm -rf $DUMMDIR
     rmdir $(find /magisk -type d -depth ! -path "*core*" ) 2>/dev/null
+    rm -rf $COREDIR/bin
+
+    mkdir -p $DUMMDIR
+    mkdir -p $MIRRDIR/system
 
     # Travel through all mods
     for MOD in /magisk/* ; do
@@ -292,9 +311,11 @@ case $1 in
       fi
     done
 
-    # Proper permissions
-    find $DUMMDIR -type d -exec chmod 755 {} \;
-    find $DUMMDIR -type f -exec chmod 644 {} \;
+    # Proper permissions for generated items
+    chmod 755 $(find $COREDIR -type d)
+    chmod 644 $(find $COREDIR -type f)
+    find $COREDIR -type d -exec chmod 755 {} \;
+    find $COREDIR -type f -exec chmod 644 {} \;
 
     # linker(64), t*box, and app_process* are required if we need to dummy mount bin folder
     if [ -f "$TMPDIR/dummy/system/bin" ]; then
@@ -303,7 +324,7 @@ case $1 in
       cp -afc linker* t*box app_process* $DUMMDIR/system/bin/
     fi
 
-    # Shrink the image if possible
+    # Unmount, shrink, remount
     if [ `umount /magisk >/dev/null 2>&1; echo $?` -eq 0 ]; then
       losetup -d $LOOPDEVICE
       target_size_check $IMG
@@ -323,8 +344,7 @@ case $1 in
       unblock
     fi
 
-    # Remove legacy phh root and crap folder
-    rm -rf /magisk/phh
+    # Remove crap folder
     rm -rf /magisk/lost+found
     
     # Start doing tasks
@@ -350,9 +370,7 @@ case $1 in
     run_scripts post-fs-data
 
     # Bind hosts for Adblock apps
-    if [ ! -f "$COREDIR/hosts" ]; then
-      cp -afc /system/etc/hosts $COREDIR/hosts
-    fi
+    [ ! -f "$COREDIR/hosts" ] && cp -afc /system/etc/hosts $COREDIR/hosts
     log_print "Enabling systemless hosts file support"
     bind_mount $COREDIR/hosts /system/etc/hosts
 
@@ -363,7 +381,7 @@ case $1 in
     # Stage 4
     log_print "Bind mount mirror items"
     # Find all empty directores and dummy files, they should be mounted by original files in /system
-    find $DUMMDIR -type d -exec sh -c 'if [ -z "$(ls -A $1)" ]; then echo $1; fi' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do
+    find $DUMMDIR -type d -exec sh -c '[ -z "$(ls -A $1)" ] && echo $1' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do
       ORIG=${ITEM/dummy/mirror}
       TARGET=${ITEM#$DUMMDIR}
       bind_mount $ORIG $TARGET
@@ -372,17 +390,13 @@ case $1 in
     # All done
     rm -rf $TMPDIR
 
-    if [ ! -f "/supersu" ]; then
-      # Expose root path
-      setprop magisk.supath /magisk/.core/bin
-      setprop magisk.root 1
-    fi
-
     unblock
     ;;
 
   service )
-    rm -rf /cache/unblock
+    # Version info
+    setprop magisk.version 7
+    rm -rf /dev/unblock*
     log_print "Magisk late_start service mode running..."
     run_scripts service
     ;;
@@ -392,11 +406,10 @@ case $1 in
     ROOT=$(getprop magisk.root)
     if [ "$ROOT" -eq "1" ]; then
       log_print "Enabling root"
-      rm -f SUPATH
-      ln -s /data/magisk $SUPATH
+      ln -s $SUPATH /magisk/.core/bin
     else
       log_print "Disabling root"
-      rm -f SUPATH
+      rm -f /magisk/.core/bin
     fi
     ;;
 esac

zip_static/common/magisk_wrapper.sh

@@ -1,42 +0,0 @@
-#!/system/bin/sh
-
-BINDIR=/magisk/.core/bin
-
-# Find where's su binary
-for DIR in /magisk /data/magisk /cache/magisk /su/bin; do
-  [ -f "$DIR/su" ] && break
-done
-
-case $1 in
-  phhsu )
-    if [ ! -d "/dev/su" ]; then
-      $DIR/sepolicy-inject --live --auto -s su
-      exec $DIR/su --daemon
-    fi
-    ;;
-  post-fs )
-    # If su call fails, temporary switch to permissive (workaround)
-    # This workaround will not always work (e.g. Samsung stock boot images)
-    if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs" >/dev/null 2>&1; echo $?` -ne 0 ]; then
-      echo 0 > /sys/fs/selinux/enforce
-      /sbin/magic_mask.sh post-fs
-      echo 1 > /sys/fs/selinux/enforce
-    fi
-    ;;
-  post-fs-data )
-    # su call shall always work
-    if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs-data" >/dev/null 2>&1; echo $?` -ne 0 ]; then
-      /sbin/magic_mask.sh post-fs-data
-    fi
-    ;;
-  service )
-    # su call shall always work
-    if [ `$DIR/su -c "/sbin/magic_mask.sh service" >/dev/null 2>&1; echo $?` -ne 0 ]; then
-      /sbin/magic_mask.sh service
-    fi
-    ;;
-  root )
-    # This will only be used in phh root
-    $DIR/su -c "/sbin/magic_mask.sh root"
-    ;;
-esac

zip_static/common/supatch.sh

@@ -1,226 +0,0 @@
-#Extracted from global_macros
-rw_socket_perms="ioctl read getattr write setattr lock append bind connect getopt setopt shutdown"
-create_socket_perms="create $rw_socket_perms"
-rw_stream_socket_perms="$rw_socket_perms listen accept"
-create_stream_socket_perms="create $rw_stream_socket_perms"
-
-# bootimg.sh
-
-#allow <list of scontext> <list of tcontext> <class> <list of perm>
-allow() {
-  [ -z "$1" -o -z "$2" -o -z "$3" ] && false
-  for s in $1;do
-    for t in $2;do
-      for c in $3;do
-        echo "allow ($s) ($t) ($c) ($4)"
-        if [ "$4" = "*" ]; then
-          $BINDIR/sepolicy-inject -s $s -t $t -c $c -P sepolicy >/dev/null 2>&1
-        else
-          $BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $(echo $4|tr ' ' ',') -P sepolicy 2>/dev/null 2>&1
-        fi
-      done
-    done
-  done
-}
-
-noaudit() {
-  for s in $1;do
-    for t in $2;do
-      for p in $4;do
-        $BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $p -P sepolicy 2>/dev/null 2>&1
-      done
-    done
-  done
-}
-
-# su-communication
-
-#allowSuClient <scontext>
-allowSuClient() {
-  #All domain-s already have read access to rootfs
-  allow $1 rootfs file "execute_no_trans execute" #TODO: Why do I need execute?!? (on MTK 5.1, kernel 3.10)
-  allow $1 su_daemon unix_stream_socket "connectto getopt"
-
-  allow $1 su_device dir "search read"
-  allow $1 su_device sock_file "read write"
-  allow su_daemon $1 "fd" "use"
-
-  allow su_daemon $1 fifo_file "read write getattr ioctl"
-
-  #Read /proc/callerpid/cmdline in from_init, drop?
-  #Requiring sys_ptrace sucks
-  allow su_daemon "$1" "dir" "search"
-  allow su_daemon "$1" "file" "read open"
-  allow su_daemon "$1" "lnk_file" "read"
-  allow su_daemon su_daemon "capability" "sys_ptrace"
-}
-
-suDaemonTo() {
-  allow su_daemon $1 "process" "transition"
-  noaudit su_daemon $1 "process" "siginh rlimitinh noatsecure"
-}
-
-suDaemonRights() {
-  allow su_daemon rootfs file "entrypoint"
-
-  allow su_daemon su_daemon "dir" "search read"
-  allow su_daemon su_daemon "file" "read write open"
-  allow su_daemon su_daemon "lnk_file" "read"
-  allow su_daemon su_daemon "unix_dgram_socket" "create connect write"
-  allow su_daemon su_daemon "unix_stream_socket" "$create_stream_socket_perms"
-
-  allow su_daemon devpts chr_file "read write open getattr"
-  #untrusted_app_devpts not in Android 4.4
-  allow su_daemon untrusted_app_devpts chr_file "read write open getattr" || true
-
-  allow su_daemon su_daemon "capability" "setuid setgid"
-
-  #Access to /data/data/me.phh.superuser/xxx
-  allow su_daemon app_data_file "dir" "getattr search write add_name"
-  allow su_daemon app_data_file "file" "getattr read open lock"
-
-  #FIXME: This shouldn't exist
-  #dac_override can be fixed by having pts_slave's fd forwarded over socket
-  #Instead of forwarding the name
-  allow su_daemon su_daemon "capability" "dac_override"
-
-  allow su_daemon su_daemon "process" "fork sigchld"
-
-  #toolbox needed for log
-  allow su_daemon toolbox_exec "file" "execute read open execute_no_trans" || true
-
-  #Create /dev/me.phh.superuser. Could be done by init
-  allow su_daemon device "dir" "write add_name"
-  allow su_daemon su_device "dir" "create setattr remove_name add_name"
-  allow su_daemon su_device "sock_file" "create unlink"
-
-  #Allow su daemon to start su apk
-  allow su_daemon zygote_exec "file" "execute read open execute_no_trans"
-  allow su_daemon zygote_exec "lnk_file" "read getattr"
-
-  #Send request to APK
-  allow su_daemon su_device dir "search write add_name"
-
-  #Allow su_daemon to switch to su or su_sensitive
-  allow su_daemon su_daemon "process" "setexec"
-
-  #Allow su_daemon to execute a shell (every commands are supposed to go through a shell)
-  allow su_daemon shell_exec file "execute read open"
-
-  allow su_daemon su_daemon "capability" "chown"
-
-  suDaemonTo su
-}
-
-# rights
-
-#In this file lies the real permissions of a process running in su
-
-suBind() {
-  #Allow to override /system/xbin/su
-  allow su_daemon su_exec "file" "mounton read"
-
-  #We will create files in /dev/su/, they will be marked as su_device
-  allow su_daemon su_device "dir file lnk_file" "*"
-  allow su_daemon su_device "file" "relabelfrom"
-  allow su_daemon system_file "file" "relabelto"
-}
-
-#This is the vital minimum for su to open a uid 0 shell
-suRights() {
-
-  #Admit su_daemon is meant to be god.
-  allow su_daemon su_daemon "capability" "sys_admin"
-
-  allow servicemanager su "dir" "search read"
-  allow servicemanager su "file" "open read"
-  allow servicemanager su "process" "getattr"
-  allow servicemanager su "binder" "transfer"
-  [ "$API" -ge 20 ] && allow system_server su binder "call"
-}
-
-suL9() {
-  allow su_daemon su_daemon "dir file lnk_file" "*"
-  allow su_daemon system_data_file "dir file lnk_file" "*"
-  allow su_daemon "labeledfs" filesystem "associate"
-  allow su_daemon su_daemon process setfscreate
-  allow su_daemon tmpfs filesystem associate
-  allow su_daemon su_daemon file relabelfrom
-  allow su_daemon system_file file mounton
-}
-
-otherToSU() {
-  # allowLog
-  if allow su logd unix_dgram_socket "sendto";then
-    allow logd su dir "search"
-    allow logd su file "read open getattr"
-  fi
-
-  # suBackL0
-  [ "$API" -ge 20 ] && allow system_server su binder "call transfer"
-  #ES Explorer opens a sokcet
-  allow untrusted_app su unix_stream_socket "$rw_socket_perms connectto"
-  #Any domain is allowed to send su "sigchld"
-  #TODO: Have sepolicy-inject handle that
-  #allow "=domain" su process "sigchld"
-  allow surfaceflinger su "process" "sigchld"
-
-  # suNetworkL0
-  $BINDIR/sepolicy-inject -a netdomain -s su -P sepolicy
-  $BINDIR/sepolicy-inject -a bluetoothdomain -s su -P sepolicy
-
-  # suBackL6
-  #Used by CF.lumen (restarts surfaceflinger, and communicates with it)
-  #TODO: Add a rule to enforce surfaceflinger doesn't have dac_override
-  allow surfaceflinger app_data_file "dir file lnk_file" "*"
-  $BINDIR/sepolicy-inject -a mlstrustedsubject -s surfaceflinger -P sepolicy
-}
-
-#Samsung specific
-#Prevent system from loading policy
-if $BINDIR/sepolicy-inject -e -s knox_system_app -P sepolicy;then
-  $BINDIR/sepolicy-inject --not -s init -t kernel -c security -p load_policy -P sepolicy
-  for i in policyloader_app system_server system_app installd init ueventd runas drsd debuggerd vold zygote auditd servicemanager itsonbs commonplatformappdomain;do
-    $BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c dir -p read,write -P sepolicy
-    $BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c file -p read,write -P sepolicy
-  done
-fi
-
-#Create domains if they don't exist
-$BINDIR/sepolicy-inject -z su -P sepolicy
-$BINDIR/sepolicy-inject -z su_device -P sepolicy
-$BINDIR/sepolicy-inject -z su_daemon -P sepolicy
-
-#Autotransition su's socket to su_device
-$BINDIR/sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy
-$BINDIR/sepolicy-inject -s su_daemon -f device -c dir -t su_device -P sepolicy
-allow su_device tmpfs filesystem "associate"
-
-#Transition from untrusted_app to su_client
-#TODO: other contexts want access to su?
-allowSuClient shell
-allowSuClient untrusted_app
-allowSuClient platform_app
-allowSuClient su
-
-#HTC Debug context requires SU
-$BINDIR/sepolicy-inject -e -s ssd_tool -P sepolicy && allowSuClient ssd_tool
-
-#Allow init to execute su daemon/transition
-allow init su_daemon process "transition"
-noaudit init su_daemon process "rlimitinh siginh noatsecure"
-suDaemonRights
-suBind
-
-suRights
-otherToSU
-
-#Need to set su_device/su as trusted to be accessible from other categories
-$BINDIR/sepolicy-inject -a mlstrustedobject -s su_device -P sepolicy
-$BINDIR/sepolicy-inject -a mlstrustedsubject -s su_daemon -P sepolicy
-$BINDIR/sepolicy-inject -a mlstrustedsubject -s su -P sepolicy
-
-suL9
-
-# Just in case :)
-$BINDIR/sepolicy-inject -Z su -P sepolicy