mirror of
https://github.com/topjohnwu/Magisk.git
Update to release v7
parent
88a97319cc
commit
e4ace49536
@ -1 +1 @@
|
|||||||
Subproject commit c69db035ee32e34256c3cd8562e28bc4f5fba2db
|
Subproject commit 3a0df56605bc9226b4c989979c1d4e9a8a565ad4
|
@ -8,19 +8,12 @@
|
|||||||
#
|
#
|
||||||
##########################################################################################
|
##########################################################################################
|
||||||
|
|
||||||
TMPDIR=/tmp
|
|
||||||
|
|
||||||
if [ -z "$BOOTMODE" ]; then
|
if [ -z "$BOOTMODE" ]; then
|
||||||
BOOTMODE=false
|
BOOTMODE=false
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mount -o rw,remount rootfs /
|
TMPDIR=/tmp
|
||||||
mkdir /magisk 2>/dev/null
|
($BOOTMODE) && TMPDIR=/dev/tmp
|
||||||
|
|
||||||
if ($BOOTMODE); then
|
|
||||||
TMPDIR=/data/tmp
|
|
||||||
mount -o ro,remount rootfs /
|
|
||||||
fi
|
|
||||||
|
|
||||||
INSTALLER=$TMPDIR/magisk
|
INSTALLER=$TMPDIR/magisk
|
||||||
|
|
||||||
@ -87,6 +80,11 @@ find_boot_image() {
|
|||||||
if [ ! -z "$BOOTIMAGE" ]; then break; fi
|
if [ ! -z "$BOOTIMAGE" ]; then break; fi
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
if [ -z "$BOOTIMAGE" ]; then
|
||||||
|
FSTAB="/etc/recovery.fstab"
|
||||||
|
[ ! -f "$FSTAB" ] && FSTAB="/etc/recovery.fstab.bak"
|
||||||
|
BOOTIMAGE=$(grep -E '\b/boot\b' "$FSTAB" | grep -oE '/dev/[a-zA-Z0-9_./-]*')
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
is_mounted() {
|
is_mounted() {
|
||||||
@ -98,6 +96,40 @@ is_mounted() {
|
|||||||
return $?
|
return $?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mount_image() {
|
||||||
|
if [ ! -d "$2" ]; then
|
||||||
|
mount -o rw,remount rootfs /
|
||||||
|
mkdir -p $2 2>/dev/null
|
||||||
|
($BOOTMODE) && mount -o ro,remount rootfs /
|
||||||
|
[ ! -d "$2" ] && return 1
|
||||||
|
fi
|
||||||
|
if (! is_mounted $2); then
|
||||||
|
LOOPDEVICE=
|
||||||
|
for LOOP in 0 1 2 3 4 5 6 7; do
|
||||||
|
if (! is_mounted $2); then
|
||||||
|
LOOPDEVICE=/dev/block/loop$LOOP
|
||||||
|
if [ ! -f "$LOOPDEVICE" ]; then
|
||||||
|
mknod $LOOPDEVICE b 7 $LOOP
|
||||||
|
fi
|
||||||
|
losetup $LOOPDEVICE $1
|
||||||
|
if [ "$?" -eq "0" ]; then
|
||||||
|
mount -t ext4 -o loop $LOOPDEVICE $2
|
||||||
|
if (! is_mounted $2); then
|
||||||
|
/system/bin/toolbox mount -t ext4 -o loop $LOOPDEVICE $2
|
||||||
|
fi
|
||||||
|
if (! is_mounted $2); then
|
||||||
|
/system/bin/toybox mount -t ext4 -o loop $LOOPDEVICE $2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if (is_mounted $2); then
|
||||||
|
ui_print "- Mounting $1 to $2"
|
||||||
|
break;
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
grep_prop() {
|
grep_prop() {
|
||||||
REGEX="s/^$1=//p"
|
REGEX="s/^$1=//p"
|
||||||
shift
|
shift
|
||||||
@ -108,6 +140,22 @@ grep_prop() {
|
|||||||
cat $FILES 2>/dev/null | sed -n $REGEX | head -n 1
|
cat $FILES 2>/dev/null | sed -n $REGEX | head -n 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
unpack_boot() {
|
||||||
|
rm -rf $UNPACKDIR $RAMDISK 2>/dev/null
|
||||||
|
mkdir -p $UNPACKDIR
|
||||||
|
mkdir -p $RAMDISK
|
||||||
|
cd $UNPACKDIR
|
||||||
|
$BINDIR/bootimgtools --extract $1
|
||||||
|
|
||||||
|
find $TMPDIR/boottmp -type d -exec chmod 755 {} \;
|
||||||
|
find $TMPDIR/boottmp -type f -exec chmod 644 {} \;
|
||||||
|
chmod 755 $(find $TMPDIR/boottmp -type d)
|
||||||
|
chmod 644 $(find $TMPDIR/boottmp -type f)
|
||||||
|
|
||||||
|
cd $RAMDISK
|
||||||
|
gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i
|
||||||
|
}
|
||||||
|
|
||||||
repack_boot() {
|
repack_boot() {
|
||||||
cd $RAMDISK
|
cd $RAMDISK
|
||||||
find . | cpio -o -H newc 2>/dev/null | gzip -9 > $UNPACKDIR/ramdisk.gz
|
find . | cpio -o -H newc 2>/dev/null | gzip -9 > $UNPACKDIR/ramdisk.gz
|
||||||
@ -190,7 +238,7 @@ if [ -z "$NOOVERRIDE" ]; then
|
|||||||
# read override variables
|
# read override variables
|
||||||
getvar KEEPVERITY
|
getvar KEEPVERITY
|
||||||
getvar KEEPFORCEENCRYPT
|
getvar KEEPFORCEENCRYPT
|
||||||
getvar KEEPSUPERSU
|
getvar NORESTORE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$KEEPVERITY" ]; then
|
if [ -z "$KEEPVERITY" ]; then
|
||||||
@ -201,9 +249,9 @@ if [ -z "$KEEPFORCEENCRYPT" ]; then
|
|||||||
# we don't keep forceencrypt by default
|
# we don't keep forceencrypt by default
|
||||||
KEEPFORCEENCRYPT=false
|
KEEPFORCEENCRYPT=false
|
||||||
fi
|
fi
|
||||||
if [ -z "$KEEPSUPERSU" ]; then
|
if [ -z "$NORESTORE" ]; then
|
||||||
# we don't keep SuperSU by default
|
# we don't keep ramdisk by default
|
||||||
KEEPSUPERSU=false
|
NORESTORE=false
|
||||||
fi
|
fi
|
||||||
|
|
||||||
SAMSUNG=false
|
SAMSUNG=false
|
||||||
@ -212,10 +260,34 @@ if [ $? -eq 0 ]; then
|
|||||||
SAMSUNG=true
|
SAMSUNG=true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
##########################################################################################
|
||||||
|
# Environment
|
||||||
|
##########################################################################################
|
||||||
|
|
||||||
|
ui_print "- Constructing environment"
|
||||||
|
|
||||||
|
if (is_mounted /data); then
|
||||||
|
rm -rf /data/busybox /data/magisk 2>/dev/null
|
||||||
|
mkdir -p /data/busybox
|
||||||
|
cp -af $BINDIR /data/magisk
|
||||||
|
chmod 755 /data/busybox /data/magisk /data/magisk/*
|
||||||
|
chcon 'u:object_r:system_file:s0' /data/busybox /data/magisk /data/magisk/*
|
||||||
|
/data/magisk/busybox --install -s /data/busybox
|
||||||
|
# Prevent issues
|
||||||
|
rm -f /data/busybox/su /data/busybox/sh
|
||||||
|
else
|
||||||
|
rm -rf /cache/data_bin 2>/dev/null
|
||||||
|
mkdir -p /cache/data_bin
|
||||||
|
cp -af $BINDIR /cache/data_bin
|
||||||
|
fi
|
||||||
|
|
||||||
##########################################################################################
|
##########################################################################################
|
||||||
# Image
|
# Image
|
||||||
##########################################################################################
|
##########################################################################################
|
||||||
|
|
||||||
|
# Fix SuperSU.....
|
||||||
|
($BOOTMODE) && /data/magisk/sepolicy-inject -s fsck --live
|
||||||
|
|
||||||
if (is_mounted /data); then
|
if (is_mounted /data); then
|
||||||
IMG=/data/magisk.img
|
IMG=/data/magisk.img
|
||||||
else
|
else
|
||||||
@ -230,55 +302,12 @@ else
|
|||||||
make_ext4fs -l 64M -a /magisk -S $INSTALLER/common/file_contexts_image $IMG
|
make_ext4fs -l 64M -a /magisk -S $INSTALLER/common/file_contexts_image $IMG
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
mount_image $IMG /magisk
|
||||||
if (! is_mounted /magisk); then
|
if (! is_mounted /magisk); then
|
||||||
ui_print "- Mounting $IMG to /magisk"
|
ui_print "! Image mount failed... abort"
|
||||||
LOOPDEVICE=
|
exit 1
|
||||||
for LOOP in 0 1 2 3 4 5 6 7; do
|
|
||||||
if (! is_mounted /magisk); then
|
|
||||||
LOOPDEVICE=/dev/block/loop$LOOP
|
|
||||||
if [ ! -f "$LOOPDEVICE" ]; then
|
|
||||||
mknod $LOOPDEVICE b 7 $LOOP
|
|
||||||
fi
|
|
||||||
losetup $LOOPDEVICE $IMG
|
|
||||||
if [ "$?" -eq "0" ]; then
|
|
||||||
mount -t ext4 -o loop $LOOPDEVICE /magisk
|
|
||||||
if (! is_mounted /magisk); then
|
|
||||||
/system/bin/toolbox mount -t ext4 -o loop $LOOPDEVICE /magisk
|
|
||||||
fi
|
|
||||||
if (! is_mounted /magisk); then
|
|
||||||
/system/bin/toybox mount -t ext4 -o loop $LOOPDEVICE /magisk
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
if (is_mounted /magisk); then
|
|
||||||
break;
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
rm -rf $COREDIR/bin 2>/dev/null
|
|
||||||
|
|
||||||
##########################################################################################
|
|
||||||
# Environment
|
|
||||||
##########################################################################################
|
|
||||||
|
|
||||||
ui_print "- Constructing environment"
|
|
||||||
|
|
||||||
if (is_mounted /data); then
|
|
||||||
rm -rf /data/busybox /data/magisk
|
|
||||||
mkdir -p /data/busybox
|
|
||||||
mkdir -p /data/magisk
|
|
||||||
cp -af $BINDIR/busybox $BINDIR/su $BINDIR/sepolicy-inject /data/magisk
|
|
||||||
chmod 755 /data/busybox /data/magisk /data/magisk/*
|
|
||||||
chcon 'u:object_r:system_file:s0' /data/busybox /data/magisk /data/magisk/*
|
|
||||||
/data/magisk/busybox --install -s /data/busybox
|
|
||||||
# Prevent issues
|
|
||||||
rm -f /data/busybox/su /data/busybox/sh
|
|
||||||
else
|
|
||||||
rm -rf /cache/data_bin
|
|
||||||
mkdir -p /cache/data_bin
|
|
||||||
cp -af $BINDIR/busybox $BINDIR/su $BINDIR/sepolicy-inject /cache/data_bin
|
|
||||||
fi
|
fi
|
||||||
|
MAGISKLOOP=$LOOPDEVICE
|
||||||
|
|
||||||
##########################################################################################
|
##########################################################################################
|
||||||
# Boot image patch
|
# Boot image patch
|
||||||
@ -294,8 +323,6 @@ ORIGBOOT=$TMPDIR/boottmp/boot.img
|
|||||||
NEWBOOT=$TMPDIR/boottmp/new-boot.img
|
NEWBOOT=$TMPDIR/boottmp/new-boot.img
|
||||||
UNPACKDIR=$TMPDIR/boottmp/bootunpack
|
UNPACKDIR=$TMPDIR/boottmp/bootunpack
|
||||||
RAMDISK=$TMPDIR/boottmp/ramdisk
|
RAMDISK=$TMPDIR/boottmp/ramdisk
|
||||||
mkdir -p $UNPACKDIR
|
|
||||||
mkdir -p $RAMDISK
|
|
||||||
|
|
||||||
chmod 777 $CHROMEDIR/futility $BINDIR/*
|
chmod 777 $CHROMEDIR/futility $BINDIR/*
|
||||||
|
|
||||||
@ -303,39 +330,63 @@ ui_print "- Dumping boot image"
|
|||||||
dd if=$BOOTIMAGE of=$ORIGBOOT
|
dd if=$BOOTIMAGE of=$ORIGBOOT
|
||||||
|
|
||||||
ui_print "- Unpacking boot image"
|
ui_print "- Unpacking boot image"
|
||||||
cd $UNPACKDIR
|
unpack_boot $ORIGBOOT
|
||||||
$BINDIR/bootimgtools --extract $ORIGBOOT
|
|
||||||
|
|
||||||
chmod 755 $(find $TMPDIR/boottmp -type d)
|
SUPERSU=false
|
||||||
chmod 644 $(find $TMPDIR/boottmp -type f)
|
|
||||||
|
|
||||||
cd $RAMDISK
|
if (! $NORESTORE); then
|
||||||
gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i
|
|
||||||
|
|
||||||
if [ -f "supersu" ]; then
|
|
||||||
KEEPSUPERSU=true
|
|
||||||
fi
|
|
||||||
|
|
||||||
if (! $KEEPSUPERSU); then
|
|
||||||
# Backups
|
# Backups
|
||||||
if [ -d ".backup" ]; then
|
if [ -d ".backup" ]; then
|
||||||
ui_print "- Reverting ramdisk backup"
|
ui_print "- Restoring ramdisk with backup"
|
||||||
cp -af .backup/* .
|
cp -af .backup/* .
|
||||||
rm -rf magisk init.magisk.rc sbin/magic_mask.sh sbin/magisk_wrapper.sh 2>/dev/null
|
rm -rf magisk init.magisk.rc sbin/magic_mask.sh sbin/magisk_wrapper.sh 2>/dev/null
|
||||||
else
|
else
|
||||||
if [ -d "magisk" -o -d "su" ]; then
|
if [ -f "sbin/launch_daemonsu.sh" ]; then
|
||||||
cp -af /data/stock_boot*.gz /data/stock_boot.img.gz 2>/dev/null
|
SUPERSU=true
|
||||||
gzip -d /data/stock_boot.img.gz 2>/dev/null
|
# Save it for helper module
|
||||||
if [ -f "/data/stock_boot.img" ]; then
|
cp -af sbin/launch_daemonsu.sh $INSTALLER/roothelper/launch_daemonsu.sh
|
||||||
ui_print "- Using boot image backup"
|
fi
|
||||||
cp -af /data/stock_boot.img $ORIGBOOT
|
# Non-standard boot image restores
|
||||||
rm -rf $RAMDISK $TMPDIR
|
if ($SUPERSU); then
|
||||||
mkdir -p $UNPACKDIR
|
ui_print "- SuperSU patched boot detected"
|
||||||
mkdir -p $RAMDISK
|
# Restore with SuperSU's backup
|
||||||
|
MOUNTSU=false
|
||||||
|
(! is_mounted /su) && (is_mounted /data) && mount_image /data/su.img /su && MOUNTSU=true
|
||||||
|
if (is_mounted /su); then
|
||||||
|
# Use sukernel's built-in functions
|
||||||
|
ui_print "- Using sukernel to restore boot image"
|
||||||
cd $UNPACKDIR
|
cd $UNPACKDIR
|
||||||
$BINDIR/bootimgtools --extract $ORIGBOOT
|
gunzip -c < $UNPACKDIR/ramdisk.gz > suramdisk
|
||||||
|
/su/bin/sukernel --restore suramdisk /data/stock_boot.img
|
||||||
|
if [ "$?" -ne "0" ]; then
|
||||||
|
# No boot backup found, use ramdisk backup
|
||||||
|
ui_print "- Restoring ramdisk with backup"
|
||||||
|
/su/bin/sukernel --cpio-restore suramdisk suramdisk
|
||||||
|
rm -rf $RAMDISK
|
||||||
|
mkdir -p $RAMDISK
|
||||||
cd $RAMDISK
|
cd $RAMDISK
|
||||||
gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i
|
cpio -i < $UNPACKDIR/suramdisk
|
||||||
|
rm -f $UNPACKDIR/suramdisk
|
||||||
|
else
|
||||||
|
ui_print "- Restoring boot image with backup"
|
||||||
|
cp -af /data/stock_boot.img $ORIGBOOT
|
||||||
|
unpack_boot $ORIGBOOT
|
||||||
|
fi
|
||||||
|
if ($MOUNTSU); then
|
||||||
|
ui_print "- Unmounting su.img"
|
||||||
|
umount /su
|
||||||
|
losetup -d $LOOPDEVICE
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Find the boot backup ourselves
|
||||||
|
ui_print "! su.img mount failed... find the backup ourselves"
|
||||||
|
cp -af /data/stock_boot_*.gz /data/stock_boot.img.gz 2>/dev/null
|
||||||
|
gzip -d /data/stock_boot.img.gz 2>/dev/null
|
||||||
|
rm -rf /data/stock_boot.img.gz 2>/dev/null
|
||||||
|
if [ -f "/data/stock_boot.img" ]; then
|
||||||
|
ui_print "- Restoring boot image with backup"
|
||||||
|
cp -af /data/stock_boot.img $ORIGBOOT
|
||||||
|
unpack_boot $ORIGBOOT
|
||||||
else
|
else
|
||||||
ui_print "! No backups found"
|
ui_print "! No backups found"
|
||||||
ui_print "! Installer will still proceed, but might cause issues"
|
ui_print "! Installer will still proceed, but might cause issues"
|
||||||
@ -344,6 +395,24 @@ if (! $KEEPSUPERSU); then
|
|||||||
rm -rf su init.supersu.rc sbin/launch_daemonsu.sh 2>/dev/null
|
rm -rf su init.supersu.rc sbin/launch_daemonsu.sh 2>/dev/null
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
else
|
||||||
|
# Magisk's own situation
|
||||||
|
if [ -d "magisk" ]; then
|
||||||
|
cp -af /data/stock_boot_*.gz /data/stock_boot.img.gz 2>/dev/null
|
||||||
|
gzip -d /data/stock_boot.img.gz 2>/dev/null
|
||||||
|
if [ -f "/data/stock_boot.img" ]; then
|
||||||
|
ui_print "- Restoring boot image with backup"
|
||||||
|
cp -af /data/stock_boot.img $ORIGBOOT
|
||||||
|
unpack_boot $ORIGBOOT
|
||||||
|
else
|
||||||
|
ui_print "! No backups found"
|
||||||
|
ui_print "! Installer will still proceed, but might cause issues"
|
||||||
|
ui_print "! If possible, please restore to stock boot then flash Magisk again"
|
||||||
|
# Removing other boot image modifications
|
||||||
|
rm -rf sbin/su init.xposed.rc sbin/mount_xposed.sh 2>/dev/null
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
ui_print "- Creating backups"
|
ui_print "- Creating backups"
|
||||||
mkdir .backup
|
mkdir .backup
|
||||||
cp -af init.rc *fstab* verity_key sepolicy .backup 2>/dev/null
|
cp -af init.rc *fstab* verity_key sepolicy .backup 2>/dev/null
|
||||||
@ -355,6 +424,10 @@ if (! $KEEPSUPERSU); then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
ui_print "- Installing root helper module"
|
||||||
|
cp -af $INSTALLER/roothelper /magisk/00roothelper
|
||||||
|
chmod 755 /magisk/00roothelper/post-fs-data.sh
|
||||||
|
|
||||||
# Patch ramdisk
|
# Patch ramdisk
|
||||||
ui_print "- Patching ramdisk"
|
ui_print "- Patching ramdisk"
|
||||||
|
|
||||||
@ -362,9 +435,8 @@ if [ $(grep -c "import /init.magisk.rc" init.rc) -eq "0" ]; then
|
|||||||
sed -i "/import \/init\.environ\.rc/iimport /init.magisk.rc" init.rc
|
sed -i "/import \/init\.environ\.rc/iimport /init.magisk.rc" init.rc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if (! $KEEPSUPERSU); then
|
sed -i "/selinux.reload_policy/d" init.rc
|
||||||
sed -i "/selinux.reload_policy/d" init.rc
|
find . -type f -name "*fstab*" 2>/dev/null | while read FSTAB ; do
|
||||||
find . -type f -name "*fstab*" 2>/dev/null | while read FSTAB ; do
|
|
||||||
if (! $KEEPVERITY); then
|
if (! $KEEPVERITY); then
|
||||||
sed -i "s/,support_scfs//g" $FSTAB
|
sed -i "s/,support_scfs//g" $FSTAB
|
||||||
sed -i 's;,\{0,1\}verify\(=[^,]*\)\{0,1\};;g' $FSTAB
|
sed -i 's;,\{0,1\}verify\(=[^,]*\)\{0,1\};;g' $FSTAB
|
||||||
@ -373,54 +445,19 @@ if (! $KEEPSUPERSU); then
|
|||||||
sed -i "s/forceencrypt/encryptable/g" $FSTAB
|
sed -i "s/forceencrypt/encryptable/g" $FSTAB
|
||||||
sed -i "s/forcefdeorfbe/encryptable/g" $FSTAB
|
sed -i "s/forcefdeorfbe/encryptable/g" $FSTAB
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
rm verity_key 2>/dev/null
|
rm verity_key 2>/dev/null
|
||||||
|
|
||||||
# sepolicy patches
|
# sepolicy patches
|
||||||
# LD_LIBRARY_PATH=$BINDIR $BINDIR/supolicy --file sepolicy sepolicy.patched
|
$BINDIR/sepolicy-inject --magisk -P sepolicy
|
||||||
# mv -f sepolicy.patched sepolicy
|
|
||||||
. $INSTALLER/common/supatch.sh
|
|
||||||
allow su_daemon "rootfs proc init system_file" "file dir lnk_file" "*"
|
|
||||||
allow init su_daemon unix_stream_socket connectto
|
|
||||||
allow su_daemon shell_exec file getattr
|
|
||||||
allow su_daemon tmpfs dir "*"
|
|
||||||
allow su_daemon selinuxfs file "read open write"
|
|
||||||
allow su_daemon kernel security "read_policy load_policy"
|
|
||||||
allow su_daemon toolbox_exec file "*"
|
|
||||||
allow kernel su fd use
|
|
||||||
allow init "rootfs system_file" file "*"
|
|
||||||
if $BINDIR/sepolicy-inject -e -s toolbox -P sepolicy; then
|
|
||||||
allow toolbox property_socket sock_file write
|
|
||||||
allow toolbox init unix_stream_socket connectto
|
|
||||||
allow toolbox init fifo_file "*"
|
|
||||||
allow toolbox default_prop property_service "*"
|
|
||||||
allow toolbox device dir "*"
|
|
||||||
fi
|
|
||||||
# Just in case
|
|
||||||
$BINDIR/sepolicy-inject -Z init -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -Z toolbox -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -Z su_daemon -P sepolicy
|
|
||||||
# Fix Xposed
|
|
||||||
allow zygote app_data_file "dir file" "*"
|
|
||||||
allow zygote input_device "dir chr_file" "*"
|
|
||||||
allow untrusted_app untrusted_app capability setgid
|
|
||||||
allow "system_server system_app" "app_data_file" "file dir" "*"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Add new items
|
# Add new items
|
||||||
mkdir -p magisk 2>/dev/null
|
mkdir -p magisk 2>/dev/null
|
||||||
cp -af $INSTALLER/common/init.magisk.rc init.magisk.rc
|
cp -af $INSTALLER/common/init.magisk.rc init.magisk.rc
|
||||||
cp -af $INSTALLER/common/magic_mask.sh sbin/magic_mask.sh
|
cp -af $INSTALLER/common/magic_mask.sh sbin/magic_mask.sh
|
||||||
cp -af $INSTALLER/common/magisk_wrapper.sh sbin/magisk_wrapper.sh
|
|
||||||
|
|
||||||
if (! $KEEPSUPERSU); then
|
chmod 0755 magisk
|
||||||
cp -af $BINDIR/su $BINDIR/sepolicy-inject magisk
|
chmod 0750 init.magisk.rc sbin/magic_mask.sh
|
||||||
else
|
|
||||||
touch supersu
|
|
||||||
fi
|
|
||||||
|
|
||||||
chmod 0755 magisk magisk/*
|
|
||||||
chmod 0750 init.magisk.rc sbin/magic_mask.sh sbin/magisk_wrapper.sh
|
|
||||||
|
|
||||||
ui_print "- Repacking boot image"
|
ui_print "- Repacking boot image"
|
||||||
repack_boot
|
repack_boot
|
||||||
@ -429,14 +466,8 @@ ORIGSIZE=$(ls -l $ORIGBOOT | awk '{print $5}')
|
|||||||
NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}')
|
NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}')
|
||||||
if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then
|
if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then
|
||||||
ui_print "! Boot partition space insufficient"
|
ui_print "! Boot partition space insufficient"
|
||||||
ui_print "! Remove ramdisk backups and binaries"
|
ui_print "! Try to remove ramdisk backups"
|
||||||
rm -rf $RAMDISK/.backup $NEWBOOT $RAMDISK/magisk/* 2>/dev/null
|
rm -rf $RAMDISK/.backup $NEWBOOT 2>/dev/null
|
||||||
if (! $KEEPSUPERSU); then
|
|
||||||
mkdir -p /cache/magisk
|
|
||||||
cp $BINDIR/su $BINDIR/sepolicy-inject /cache/magisk
|
|
||||||
chmod 755 /cache/magisk /cache/magisk/*
|
|
||||||
chcon 'u:object_r:system_file:s0' /cache/magisk /cache/magisk/*
|
|
||||||
fi
|
|
||||||
repack_boot
|
repack_boot
|
||||||
NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}')
|
NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}')
|
||||||
if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then
|
if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then
|
||||||
@ -448,13 +479,18 @@ fi
|
|||||||
|
|
||||||
chmod 644 $NEWBOOT
|
chmod 644 $NEWBOOT
|
||||||
|
|
||||||
|
if [ -L "$BOOTIMAGE" ]; then
|
||||||
|
ui_print "- Block symlink detected!"
|
||||||
|
else
|
||||||
|
dd if=/dev/zero of=$BOOTIMAGE bs=4096 2>/dev/null
|
||||||
|
fi
|
||||||
ui_print "- Flashing new boot image"
|
ui_print "- Flashing new boot image"
|
||||||
dd if=/dev/zero of=$BOOTIMAGE bs=4096 2>/dev/null
|
|
||||||
dd if=$NEWBOOT of=$BOOTIMAGE bs=4096
|
dd if=$NEWBOOT of=$BOOTIMAGE bs=4096
|
||||||
|
|
||||||
if (! $BOOTMODE); then
|
if (! $BOOTMODE); then
|
||||||
|
ui_print "- Unmounting partitions"
|
||||||
umount /magisk
|
umount /magisk
|
||||||
losetup -d $LOOPDEVICE
|
losetup -d $MAGISKLOOP
|
||||||
umount /system
|
umount /system
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
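Review bot: The recovery.fstab fallback added to `find_boot_image` assigns whatever the two `grep`s print straight to `BOOTIMAGE`, and that value is later used unquoted as the target of `dd if=/dev/zero of=$BOOTIMAGE` and `dd if=$NEWBOOT of=$BOOTIMAGE`. If more than one fstab line matches, the result is several paths separated by newlines, and if nothing matches it is empty; neither case is checked in the lines shown here. I would take only the first match and require a block device before accepting it: append `| head -n 1` to the pipeline, follow it with `[ -b "$BOOTIMAGE" ] || BOOTIMAGE=`, and quote `"$BOOTIMAGE"` at the `dd` calls. The `\b/boot\b` pattern also appears to need a word character in front of the slash, so a line that names the partition only in its mount-point column (`/boot` at the start of the line) would presumably not match; worth confirming against the grep shipped in the recovery environment. `find_boot_image` begins outside the hunk, so an empty-result check may already exist elsewhere.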
@ -1 +1 @@
|
|||||||
# this is a dummy file, the magic is in update-binary
|
#MAGISK
|
Binary file not shown.
@ -2,57 +2,38 @@
|
|||||||
|
|
||||||
on post-fs
|
on post-fs
|
||||||
# Paths
|
# Paths
|
||||||
export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/su/bin:/magisk/.core/bin:/magisk/busybox/bin:/data/magisk
|
export PATH /magisk/.core/bin:/sbin:/vendor/bin:/system/sbin:/system/bin:/magisk/.core/busybox:/system/xbin
|
||||||
|
|
||||||
# Start root
|
|
||||||
start phhsu
|
|
||||||
wait /dev/su 1
|
|
||||||
|
|
||||||
start magisk_pfs
|
start magisk_pfs
|
||||||
wait /dev/unblock 20
|
wait /dev/.magisk.unblock 20
|
||||||
rmdir /dev/unblock
|
rm /dev/.magisk.unblock
|
||||||
|
|
||||||
on post-fs-data
|
on post-fs-data
|
||||||
|
|
||||||
# Try to start root again in case post-fs failed
|
|
||||||
start phhsu
|
|
||||||
wait /dev/su 1
|
|
||||||
|
|
||||||
start magisk_pfsd
|
start magisk_pfsd
|
||||||
wait /dev/unblock 20
|
wait /dev/.magisk.unblock 40
|
||||||
rmdir /dev/unblock
|
rm /dev/.magisk.unblock
|
||||||
|
|
||||||
on property:magisk.root=*
|
on property:magisk.root=*
|
||||||
start magisk_root
|
start magisk_root
|
||||||
|
|
||||||
# Services
|
# Services
|
||||||
|
|
||||||
service phhsu /sbin/magisk_wrapper.sh phhsu
|
|
||||||
user root
|
|
||||||
seclabel u:r:su_daemon:s0
|
|
||||||
oneshot
|
|
||||||
|
|
||||||
# launch post-fs script
|
# launch post-fs script
|
||||||
service magisk_pfs /sbin/magisk_wrapper.sh post-fs
|
service magisk_pfs /sbin/magic_mask.sh post-fs
|
||||||
user root
|
user root
|
||||||
seclabel u:r:init:s0
|
seclabel u:r:su:s0
|
||||||
oneshot
|
oneshot
|
||||||
|
|
||||||
# launch post-fs-data script
|
# launch post-fs-data script
|
||||||
service magisk_pfsd /sbin/magisk_wrapper.sh post-fs-data
|
service magisk_pfsd /sbin/magic_mask.sh post-fs-data
|
||||||
user root
|
user root
|
||||||
seclabel u:r:init:s0
|
seclabel u:r:su:s0
|
||||||
oneshot
|
oneshot
|
||||||
|
|
||||||
# launch late_start script
|
# launch late_start script
|
||||||
service magisk_service /sbin/magisk_wrapper.sh service
|
service magisk_service /sbin/magic_mask.sh service
|
||||||
class late_start
|
class late_start
|
||||||
user root
|
user root
|
||||||
seclabel u:r:init:s0
|
seclabel u:r:su:s0
|
||||||
oneshot
|
|
||||||
|
|
||||||
# root handling
|
|
||||||
service magisk_root /sbin/magisk_wrapper.sh root
|
|
||||||
user root
|
|
||||||
seclabel u:r:init:s0
|
|
||||||
oneshot
|
oneshot
|
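Review bot: The new `export PATH` line puts `/magisk/.core/bin` ahead of `/sbin` and `/system/bin`, so every process that inherits this PATH resolves commands there first, whereas the old line listed the Magisk directories last. That path lives inside the loop-mounted image (and `magic_mask.sh` in this commit makes it a symlink to `$SUPATH`), so anything able to write there can shadow system binaries for services started by init. If the precedence is intentional, a comment such as `# .core/bin first so the bundled su takes precedence over /system/xbin` would record why; otherwise appending the directory keeps the system binaries authoritative. Separately, the `service magisk_root` definition is removed while `on property:magisk.root=*` still runs `start magisk_root`; unless another rc file defines that service, the trigger now starts nothing.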
@ -8,13 +8,14 @@ COREDIR=/magisk/.core
|
|||||||
DUMMDIR=$COREDIR/dummy
|
DUMMDIR=$COREDIR/dummy
|
||||||
MIRRDIR=$COREDIR/mirror
|
MIRRDIR=$COREDIR/mirror
|
||||||
|
|
||||||
TMPDIR=/cache/tmp
|
TMPDIR=/dev/tmp
|
||||||
|
|
||||||
# Use the included busybox to do everything in all scripts for maximum compatibility
|
# Use the included busybox to do everything for maximum compatibility
|
||||||
# We also do so because we rely on the option "-c" for cp (reserve contexts)
|
# We also do so because we rely on the option "-c" for cp (reserve contexts)
|
||||||
|
|
||||||
|
# Reserve the original PATH
|
||||||
|
export OLDPATH=$PATH
|
||||||
export PATH="/data/busybox:$PATH"
|
export PATH="/data/busybox:$PATH"
|
||||||
# Version info
|
|
||||||
setprop magisk.version 7
|
|
||||||
|
|
||||||
log_print() {
|
log_print() {
|
||||||
echo $1
|
echo $1
|
||||||
@ -32,7 +33,7 @@ mktouch() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
unblock() {
|
unblock() {
|
||||||
mkdir -p /dev/unblock
|
touch /dev/.magisk.unblock
|
||||||
exit
|
exit
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -185,10 +186,13 @@ merge_image() {
|
|||||||
|
|
||||||
if ($OK); then
|
if ($OK); then
|
||||||
# Merge (will reserve selinux contexts)
|
# Merge (will reserve selinux contexts)
|
||||||
if [ `cp -afc /cache/merge_img/. /cache/data_img >/dev/null 2>&1; echo $?` -eq 0 ]; then
|
cd /cache/merge_img
|
||||||
|
for MOD in *; do
|
||||||
|
rm -rf /cache/data_img/$MOD
|
||||||
|
cp -afc $MOD /cache/data_img/
|
||||||
|
done
|
||||||
log_print "Merge complete"
|
log_print "Merge complete"
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
umount /cache/data_img
|
umount /cache/data_img
|
||||||
umount /cache/merge_img
|
umount /cache/merge_img
|
||||||
@ -215,6 +219,15 @@ case $1 in
|
|||||||
chmod 644 $LOGFILE
|
chmod 644 $LOGFILE
|
||||||
log_print "Magisk post-fs mode running..."
|
log_print "Magisk post-fs mode running..."
|
||||||
|
|
||||||
|
if [ -d "/cache/magisk_merge" ]; then
|
||||||
|
cd /cache/magisk_merge
|
||||||
|
for MOD in *; do
|
||||||
|
rm -rf /cache/magisk/$MOD
|
||||||
|
cp -afc $MOD /cache/magisk/
|
||||||
|
done
|
||||||
|
rm -rf /cache/magisk_merge
|
||||||
|
fi
|
||||||
|
|
||||||
for MOD in /cache/magisk/* ; do
|
for MOD in /cache/magisk/* ; do
|
||||||
if [ -f "$MOD/remove" ]; then
|
if [ -f "$MOD/remove" ]; then
|
||||||
log_print "Remove module: $MOD"
|
log_print "Remove module: $MOD"
|
||||||
@ -244,6 +257,10 @@ case $1 in
|
|||||||
|
|
||||||
log_print "Magisk post-fs-data mode running..."
|
log_print "Magisk post-fs-data mode running..."
|
||||||
|
|
||||||
|
# Live patch sepolicy
|
||||||
|
/data/magisk/sepolicy-inject --live -s su
|
||||||
|
|
||||||
|
# Cache support
|
||||||
if [ -d "/cache/data_bin" ]; then
|
if [ -d "/cache/data_bin" ]; then
|
||||||
rm -rf /data/busybox /data/magisk
|
rm -rf /data/busybox /data/magisk
|
||||||
mkdir -p /data/busybox
|
mkdir -p /data/busybox
|
||||||
@ -254,14 +271,15 @@ case $1 in
|
|||||||
# Prevent issues
|
# Prevent issues
|
||||||
rm -f /data/busybox/su /data/busybox/sh
|
rm -f /data/busybox/su /data/busybox/sh
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mv /cache/stock_boot.img /data 2>/dev/null
|
mv /cache/stock_boot.img /data 2>/dev/null
|
||||||
|
|
||||||
|
chmod 644 $IMG /cache/magisk.img /data/magisk_merge.img 2>/dev/null
|
||||||
|
|
||||||
# Handle image merging
|
# Handle image merging
|
||||||
merge_image /cache/magisk.img
|
merge_image /cache/magisk.img
|
||||||
merge_image /data/magisk_merge.img
|
merge_image /data/magisk_merge.img
|
||||||
|
|
||||||
# Mount /data image
|
# Mount magisk.img
|
||||||
if [ `cat /proc/mounts | grep /magisk >/dev/null 2>&1; echo $?` -ne 0 ]; then
|
if [ `cat /proc/mounts | grep /magisk >/dev/null 2>&1; echo $?` -ne 0 ]; then
|
||||||
loopsetup $IMG
|
loopsetup $IMG
|
||||||
if [ ! -z "$LOOPDEVICE" ]; then
|
if [ ! -z "$LOOPDEVICE" ]; then
|
||||||
@ -274,13 +292,14 @@ case $1 in
|
|||||||
unblock
|
unblock
|
||||||
fi
|
fi
|
||||||
|
|
||||||
mkdir -p $DUMMDIR
|
|
||||||
mkdir -p $MIRRDIR/system
|
|
||||||
|
|
||||||
log_print "Preparing modules"
|
log_print "Preparing modules"
|
||||||
# First do cleanups
|
# First do cleanups
|
||||||
rm -rf $DUMMDIR/*
|
rm -rf $DUMMDIR
|
||||||
rmdir $(find /magisk -type d -depth ! -path "*core*" ) 2>/dev/null
|
rmdir $(find /magisk -type d -depth ! -path "*core*" ) 2>/dev/null
|
||||||
|
rm -rf $COREDIR/bin
|
||||||
|
|
||||||
|
mkdir -p $DUMMDIR
|
||||||
|
mkdir -p $MIRRDIR/system
|
||||||
|
|
||||||
# Travel through all mods
|
# Travel through all mods
|
||||||
for MOD in /magisk/* ; do
|
for MOD in /magisk/* ; do
|
||||||
@ -292,9 +311,11 @@ case $1 in
|
|||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
# Proper permissions
|
# Proper permissions for generated items
|
||||||
find $DUMMDIR -type d -exec chmod 755 {} \;
|
chmod 755 $(find $COREDIR -type d)
|
||||||
find $DUMMDIR -type f -exec chmod 644 {} \;
|
chmod 644 $(find $COREDIR -type f)
|
||||||
|
find $COREDIR -type d -exec chmod 755 {} \;
|
||||||
|
find $COREDIR -type f -exec chmod 644 {} \;
|
||||||
|
|
||||||
# linker(64), t*box, and app_process* are required if we need to dummy mount bin folder
|
# linker(64), t*box, and app_process* are required if we need to dummy mount bin folder
|
||||||
if [ -f "$TMPDIR/dummy/system/bin" ]; then
|
if [ -f "$TMPDIR/dummy/system/bin" ]; then
|
||||||
@ -303,7 +324,7 @@ case $1 in
|
|||||||
cp -afc linker* t*box app_process* $DUMMDIR/system/bin/
|
cp -afc linker* t*box app_process* $DUMMDIR/system/bin/
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Shrink the image if possible
|
# Unmount, shrink, remount
|
||||||
if [ `umount /magisk >/dev/null 2>&1; echo $?` -eq 0 ]; then
|
if [ `umount /magisk >/dev/null 2>&1; echo $?` -eq 0 ]; then
|
||||||
losetup -d $LOOPDEVICE
|
losetup -d $LOOPDEVICE
|
||||||
target_size_check $IMG
|
target_size_check $IMG
|
||||||
@ -323,8 +344,7 @@ case $1 in
|
|||||||
unblock
|
unblock
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Remove legacy phh root and crap folder
|
# Remove crap folder
|
||||||
rm -rf /magisk/phh
|
|
||||||
rm -rf /magisk/lost+found
|
rm -rf /magisk/lost+found
|
||||||
|
|
||||||
# Start doing tasks
|
# Start doing tasks
|
||||||
@ -350,9 +370,7 @@ case $1 in
|
|||||||
run_scripts post-fs-data
|
run_scripts post-fs-data
|
||||||
|
|
||||||
# Bind hosts for Adblock apps
|
# Bind hosts for Adblock apps
|
||||||
if [ ! -f "$COREDIR/hosts" ]; then
|
[ ! -f "$COREDIR/hosts" ] && cp -afc /system/etc/hosts $COREDIR/hosts
|
||||||
cp -afc /system/etc/hosts $COREDIR/hosts
|
|
||||||
fi
|
|
||||||
log_print "Enabling systemless hosts file support"
|
log_print "Enabling systemless hosts file support"
|
||||||
bind_mount $COREDIR/hosts /system/etc/hosts
|
bind_mount $COREDIR/hosts /system/etc/hosts
|
||||||
|
|
||||||
@ -363,7 +381,7 @@ case $1 in
|
|||||||
# Stage 4
|
# Stage 4
|
||||||
log_print "Bind mount mirror items"
|
log_print "Bind mount mirror items"
|
||||||
# Find all empty directores and dummy files, they should be mounted by original files in /system
|
# Find all empty directores and dummy files, they should be mounted by original files in /system
|
||||||
find $DUMMDIR -type d -exec sh -c 'if [ -z "$(ls -A $1)" ]; then echo $1; fi' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do
|
find $DUMMDIR -type d -exec sh -c '[ -z "$(ls -A $1)" ] && echo $1' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do
|
||||||
ORIG=${ITEM/dummy/mirror}
|
ORIG=${ITEM/dummy/mirror}
|
||||||
TARGET=${ITEM#$DUMMDIR}
|
TARGET=${ITEM#$DUMMDIR}
|
||||||
bind_mount $ORIG $TARGET
|
bind_mount $ORIG $TARGET
|
||||||
@ -372,17 +390,13 @@ case $1 in
|
|||||||
# All done
|
# All done
|
||||||
rm -rf $TMPDIR
|
rm -rf $TMPDIR
|
||||||
|
|
||||||
if [ ! -f "/supersu" ]; then
|
|
||||||
# Expose root path
|
|
||||||
setprop magisk.supath /magisk/.core/bin
|
|
||||||
setprop magisk.root 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
unblock
|
unblock
|
||||||
;;
|
;;
|
||||||
|
|
||||||
service )
|
service )
|
||||||
rm -rf /cache/unblock
|
# Version info
|
||||||
|
setprop magisk.version 7
|
||||||
|
rm -rf /dev/unblock*
|
||||||
log_print "Magisk late_start service mode running..."
|
log_print "Magisk late_start service mode running..."
|
||||||
run_scripts service
|
run_scripts service
|
||||||
;;
|
;;
|
||||||
@ -392,11 +406,10 @@ case $1 in
|
|||||||
ROOT=$(getprop magisk.root)
|
ROOT=$(getprop magisk.root)
|
||||||
if [ "$ROOT" -eq "1" ]; then
|
if [ "$ROOT" -eq "1" ]; then
|
||||||
log_print "Enabling root"
|
log_print "Enabling root"
|
||||||
rm -f SUPATH
|
ln -s $SUPATH /magisk/.core/bin
|
||||||
ln -s /data/magisk $SUPATH
|
|
||||||
else
|
else
|
||||||
log_print "Disabling root"
|
log_print "Disabling root"
|
||||||
rm -f SUPATH
|
rm -f /magisk/.core/bin
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
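Review bot: In the new merge loops (`cd /cache/merge_img` inside `merge_image`, and `cd /cache/magisk_merge` in the post-fs case) an empty source directory leaves `MOD` set to the literal `*`, and the unquoted `rm -rf /cache/data_img/$MOD` then expands to every module already present in the target. The `cd` is also unchecked, so on failure the glob runs against whatever the current directory is, and on success it leaves the shell's working directory inside `/cache/merge_img`, which would presumably make the following `umount /cache/merge_img` fail as busy. Iterating over absolute paths, skipping the unmatched glob and quoting the expansions avoids all three; the same shape applies to the `/cache/magisk_merge` loop with `/cache/magisk/` as the destination. `merge_image` starts outside the hunk, so the surrounding `$OK` handling is only partly visible.

```shell
# … unchanged: if ($OK); then …
for MOD in /cache/merge_img/*; do
  # An unmatched glob stays literal; skip it instead of deleting "/cache/data_img/*".
  [ -e "$MOD" ] || continue
  rm -rf "/cache/data_img/${MOD##*/}"
  cp -afc "$MOD" /cache/data_img/
done
# … unchanged: log_print "Merge complete", umount calls …
```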
@ -1,42 +0,0 @@
|
|||||||
#!/system/bin/sh
|
|
||||||
|
|
||||||
BINDIR=/magisk/.core/bin
|
|
||||||
|
|
||||||
# Find where's su binary
|
|
||||||
for DIR in /magisk /data/magisk /cache/magisk /su/bin; do
|
|
||||||
[ -f "$DIR/su" ] && break
|
|
||||||
done
|
|
||||||
|
|
||||||
case $1 in
|
|
||||||
phhsu )
|
|
||||||
if [ ! -d "/dev/su" ]; then
|
|
||||||
$DIR/sepolicy-inject --live --auto -s su
|
|
||||||
exec $DIR/su --daemon
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
post-fs )
|
|
||||||
# If su call fails, temporary switch to permissive (workaround)
|
|
||||||
# This workaround will not always work (e.g. Samsung stock boot images)
|
|
||||||
if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs" >/dev/null 2>&1; echo $?` -ne 0 ]; then
|
|
||||||
echo 0 > /sys/fs/selinux/enforce
|
|
||||||
/sbin/magic_mask.sh post-fs
|
|
||||||
echo 1 > /sys/fs/selinux/enforce
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
post-fs-data )
|
|
||||||
# su call shall always work
|
|
||||||
if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs-data" >/dev/null 2>&1; echo $?` -ne 0 ]; then
|
|
||||||
/sbin/magic_mask.sh post-fs-data
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
service )
|
|
||||||
# su call shall always work
|
|
||||||
if [ `$DIR/su -c "/sbin/magic_mask.sh service" >/dev/null 2>&1; echo $?` -ne 0 ]; then
|
|
||||||
/sbin/magic_mask.sh service
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
root )
|
|
||||||
# This will only be used in phh root
|
|
||||||
$DIR/su -c "/sbin/magic_mask.sh root"
|
|
||||||
;;
|
|
||||||
esac
|
|
@ -1,226 +0,0 @@
|
|||||||
#Extracted from global_macros
|
|
||||||
rw_socket_perms="ioctl read getattr write setattr lock append bind connect getopt setopt shutdown"
|
|
||||||
create_socket_perms="create $rw_socket_perms"
|
|
||||||
rw_stream_socket_perms="$rw_socket_perms listen accept"
|
|
||||||
create_stream_socket_perms="create $rw_stream_socket_perms"
|
|
||||||
|
|
||||||
# bootimg.sh
|
|
||||||
|
|
||||||
#allow <list of scontext> <list of tcontext> <class> <list of perm>
|
|
||||||
allow() {
|
|
||||||
[ -z "$1" -o -z "$2" -o -z "$3" ] && false
|
|
||||||
for s in $1;do
|
|
||||||
for t in $2;do
|
|
||||||
for c in $3;do
|
|
||||||
echo "allow ($s) ($t) ($c) ($4)"
|
|
||||||
if [ "$4" = "*" ]; then
|
|
||||||
$BINDIR/sepolicy-inject -s $s -t $t -c $c -P sepolicy >/dev/null 2>&1
|
|
||||||
else
|
|
||||||
$BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $(echo $4|tr ' ' ',') -P sepolicy 2>/dev/null 2>&1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
done
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
noaudit() {
|
|
||||||
for s in $1;do
|
|
||||||
for t in $2;do
|
|
||||||
for p in $4;do
|
|
||||||
$BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $p -P sepolicy 2>/dev/null 2>&1
|
|
||||||
done
|
|
||||||
done
|
|
||||||
done
|
|
||||||
}
|
|
||||||
|
|
||||||
# su-communication
|
|
||||||
|
|
||||||
#allowSuClient <scontext>
|
|
||||||
allowSuClient() {
|
|
||||||
#All domain-s already have read access to rootfs
|
|
||||||
allow $1 rootfs file "execute_no_trans execute" #TODO: Why do I need execute?!? (on MTK 5.1, kernel 3.10)
|
|
||||||
allow $1 su_daemon unix_stream_socket "connectto getopt"
|
|
||||||
|
|
||||||
allow $1 su_device dir "search read"
|
|
||||||
allow $1 su_device sock_file "read write"
|
|
||||||
allow su_daemon $1 "fd" "use"
|
|
||||||
|
|
||||||
allow su_daemon $1 fifo_file "read write getattr ioctl"
|
|
||||||
|
|
||||||
#Read /proc/callerpid/cmdline in from_init, drop?
|
|
||||||
#Requiring sys_ptrace sucks
|
|
||||||
allow su_daemon "$1" "dir" "search"
|
|
||||||
allow su_daemon "$1" "file" "read open"
|
|
||||||
allow su_daemon "$1" "lnk_file" "read"
|
|
||||||
allow su_daemon su_daemon "capability" "sys_ptrace"
|
|
||||||
}
|
|
||||||
|
|
||||||
suDaemonTo() {
|
|
||||||
allow su_daemon $1 "process" "transition"
|
|
||||||
noaudit su_daemon $1 "process" "siginh rlimitinh noatsecure"
|
|
||||||
}
|
|
||||||
|
|
||||||
suDaemonRights() {
|
|
||||||
allow su_daemon rootfs file "entrypoint"
|
|
||||||
|
|
||||||
allow su_daemon su_daemon "dir" "search read"
|
|
||||||
allow su_daemon su_daemon "file" "read write open"
|
|
||||||
allow su_daemon su_daemon "lnk_file" "read"
|
|
||||||
allow su_daemon su_daemon "unix_dgram_socket" "create connect write"
|
|
||||||
allow su_daemon su_daemon "unix_stream_socket" "$create_stream_socket_perms"
|
|
||||||
|
|
||||||
allow su_daemon devpts chr_file "read write open getattr"
|
|
||||||
#untrusted_app_devpts not in Android 4.4
|
|
||||||
allow su_daemon untrusted_app_devpts chr_file "read write open getattr" || true
|
|
||||||
|
|
||||||
allow su_daemon su_daemon "capability" "setuid setgid"
|
|
||||||
|
|
||||||
#Access to /data/data/me.phh.superuser/xxx
|
|
||||||
allow su_daemon app_data_file "dir" "getattr search write add_name"
|
|
||||||
allow su_daemon app_data_file "file" "getattr read open lock"
|
|
||||||
|
|
||||||
#FIXME: This shouldn't exist
|
|
||||||
#dac_override can be fixed by having pts_slave's fd forwarded over socket
|
|
||||||
#Instead of forwarding the name
|
|
||||||
allow su_daemon su_daemon "capability" "dac_override"
|
|
||||||
|
|
||||||
allow su_daemon su_daemon "process" "fork sigchld"
|
|
||||||
|
|
||||||
#toolbox needed for log
|
|
||||||
allow su_daemon toolbox_exec "file" "execute read open execute_no_trans" || true
|
|
||||||
|
|
||||||
#Create /dev/me.phh.superuser. Could be done by init
|
|
||||||
allow su_daemon device "dir" "write add_name"
|
|
||||||
allow su_daemon su_device "dir" "create setattr remove_name add_name"
|
|
||||||
allow su_daemon su_device "sock_file" "create unlink"
|
|
||||||
|
|
||||||
#Allow su daemon to start su apk
|
|
||||||
allow su_daemon zygote_exec "file" "execute read open execute_no_trans"
|
|
||||||
allow su_daemon zygote_exec "lnk_file" "read getattr"
|
|
||||||
|
|
||||||
#Send request to APK
|
|
||||||
allow su_daemon su_device dir "search write add_name"
|
|
||||||
|
|
||||||
#Allow su_daemon to switch to su or su_sensitive
|
|
||||||
allow su_daemon su_daemon "process" "setexec"
|
|
||||||
|
|
||||||
#Allow su_daemon to execute a shell (every commands are supposed to go through a shell)
|
|
||||||
allow su_daemon shell_exec file "execute read open"
|
|
||||||
|
|
||||||
allow su_daemon su_daemon "capability" "chown"
|
|
||||||
|
|
||||||
suDaemonTo su
|
|
||||||
}
|
|
||||||
|
|
||||||
# rights
|
|
||||||
|
|
||||||
#In this file lies the real permissions of a process running in su
|
|
||||||
|
|
||||||
suBind() {
|
|
||||||
#Allow to override /system/xbin/su
|
|
||||||
allow su_daemon su_exec "file" "mounton read"
|
|
||||||
|
|
||||||
#We will create files in /dev/su/, they will be marked as su_device
|
|
||||||
allow su_daemon su_device "dir file lnk_file" "*"
|
|
||||||
allow su_daemon su_device "file" "relabelfrom"
|
|
||||||
allow su_daemon system_file "file" "relabelto"
|
|
||||||
}
|
|
||||||
|
|
||||||
#This is the vital minimum for su to open a uid 0 shell
|
|
||||||
suRights() {
|
|
||||||
|
|
||||||
#Admit su_daemon is meant to be god.
|
|
||||||
allow su_daemon su_daemon "capability" "sys_admin"
|
|
||||||
|
|
||||||
allow servicemanager su "dir" "search read"
|
|
||||||
allow servicemanager su "file" "open read"
|
|
||||||
allow servicemanager su "process" "getattr"
|
|
||||||
allow servicemanager su "binder" "transfer"
|
|
||||||
[ "$API" -ge 20 ] && allow system_server su binder "call"
|
|
||||||
}
|
|
||||||
|
|
||||||
suL9() {
|
|
||||||
allow su_daemon su_daemon "dir file lnk_file" "*"
|
|
||||||
allow su_daemon system_data_file "dir file lnk_file" "*"
|
|
||||||
allow su_daemon "labeledfs" filesystem "associate"
|
|
||||||
allow su_daemon su_daemon process setfscreate
|
|
||||||
allow su_daemon tmpfs filesystem associate
|
|
||||||
allow su_daemon su_daemon file relabelfrom
|
|
||||||
allow su_daemon system_file file mounton
|
|
||||||
}
|
|
||||||
|
|
||||||
otherToSU() {
|
|
||||||
# allowLog
|
|
||||||
if allow su logd unix_dgram_socket "sendto";then
|
|
||||||
allow logd su dir "search"
|
|
||||||
allow logd su file "read open getattr"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# suBackL0
|
|
||||||
[ "$API" -ge 20 ] && allow system_server su binder "call transfer"
|
|
||||||
#ES Explorer opens a sokcet
|
|
||||||
allow untrusted_app su unix_stream_socket "$rw_socket_perms connectto"
|
|
||||||
#Any domain is allowed to send su "sigchld"
|
|
||||||
#TODO: Have sepolicy-inject handle that
|
|
||||||
#allow "=domain" su process "sigchld"
|
|
||||||
allow surfaceflinger su "process" "sigchld"
|
|
||||||
|
|
||||||
# suNetworkL0
|
|
||||||
$BINDIR/sepolicy-inject -a netdomain -s su -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -a bluetoothdomain -s su -P sepolicy
|
|
||||||
|
|
||||||
# suBackL6
|
|
||||||
#Used by CF.lumen (restarts surfaceflinger, and communicates with it)
|
|
||||||
#TODO: Add a rule to enforce surfaceflinger doesn't have dac_override
|
|
||||||
allow surfaceflinger app_data_file "dir file lnk_file" "*"
|
|
||||||
$BINDIR/sepolicy-inject -a mlstrustedsubject -s surfaceflinger -P sepolicy
|
|
||||||
}
|
|
||||||
|
|
||||||
#Samsung specific
|
|
||||||
#Prevent system from loading policy
|
|
||||||
if $BINDIR/sepolicy-inject -e -s knox_system_app -P sepolicy;then
|
|
||||||
$BINDIR/sepolicy-inject --not -s init -t kernel -c security -p load_policy -P sepolicy
|
|
||||||
for i in policyloader_app system_server system_app installd init ueventd runas drsd debuggerd vold zygote auditd servicemanager itsonbs commonplatformappdomain;do
|
|
||||||
$BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c dir -p read,write -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c file -p read,write -P sepolicy
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
#Create domains if they don't exist
|
|
||||||
$BINDIR/sepolicy-inject -z su -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -z su_device -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -z su_daemon -P sepolicy
|
|
||||||
|
|
||||||
#Autotransition su's socket to su_device
|
|
||||||
$BINDIR/sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -s su_daemon -f device -c dir -t su_device -P sepolicy
|
|
||||||
allow su_device tmpfs filesystem "associate"
|
|
||||||
|
|
||||||
#Transition from untrusted_app to su_client
|
|
||||||
#TODO: other contexts want access to su?
|
|
||||||
allowSuClient shell
|
|
||||||
allowSuClient untrusted_app
|
|
||||||
allowSuClient platform_app
|
|
||||||
allowSuClient su
|
|
||||||
|
|
||||||
#HTC Debug context requires SU
|
|
||||||
$BINDIR/sepolicy-inject -e -s ssd_tool -P sepolicy && allowSuClient ssd_tool
|
|
||||||
|
|
||||||
#Allow init to execute su daemon/transition
|
|
||||||
allow init su_daemon process "transition"
|
|
||||||
noaudit init su_daemon process "rlimitinh siginh noatsecure"
|
|
||||||
suDaemonRights
|
|
||||||
suBind
|
|
||||||
|
|
||||||
suRights
|
|
||||||
otherToSU
|
|
||||||
|
|
||||||
#Need to set su_device/su as trusted to be accessible from other categories
|
|
||||||
$BINDIR/sepolicy-inject -a mlstrustedobject -s su_device -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -a mlstrustedsubject -s su_daemon -P sepolicy
|
|
||||||
$BINDIR/sepolicy-inject -a mlstrustedsubject -s su -P sepolicy
|
|
||||||
|
|
||||||
suL9
|
|
||||||
|
|
||||||
# Just in case :)
|
|
||||||
$BINDIR/sepolicy-inject -Z su -P sepolicy
|
|
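--- a/zip_static/roothelper/phh.prop
+++ b/zip_static/roothelper/phh.prop
@@ -0,0 +1,9 @@
+id=phh
+name=phh's SuperUser
+version=Root Helper
+versionCode=1
+author=phhusson, topjohnwu
+description=This is a helper, please upgrade from downloads section :)
+support=http://forum.xda-developers.com/showthread.php?t=3216394
+donate=http://forum.xda-developers.com/donatetome.php?u=1915408
+cacheModule=false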
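--- a/zip_static/roothelper/phh.sh
+++ b/zip_static/roothelper/phh.sh
@@ -0,0 +1,37 @@
+#!/system/bin/sh
+
+LOGFILE=/cache/magisk.log
+
+log_print() {
+echo $1
+echo "phh: $1" >> $LOGFILE
+log -p i -t phh "$1"
+}
+
+launch_daemonsu() {
+export PATH=$OLDPATH
+# Switch contexts
+echo "u:r:su_daemon:s0" > /proc/self/attr/current
+# Start daemon
+exec /magisk/phh/bin/su --daemon
+}
+
+log_print "Live patching sepolicy"
+/magisk/phh/bin/sepolicy-inject --live
+
+# Expose the root path
+log_print "Linking supath"
+rm -rf /magisk/.core/bin
+ln -s /magisk/phh/bin /magisk/.core/bin
+
+# Run su.d
+for script in /magisk/phh/su.d/* ; do
+if [ -f "$script" ]; then
+chmod 755 $script
+log_print "su.d: $script"
+$script
+fi
+done
+
+log_print "Starting su daemon"
+(launch_daemonsu &)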
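Review bot: The su.d loop makes every regular file under /magisk/phh/su.d executable and runs it with no quoting and no ownership check, so `chmod 755 $script` and `$script` word-split on a file name containing whitespace, and anything able to write that directory gets its file executed by this boot script (presumably as root). Quote both uses, `chmod 755 "$script"` and `"$script"`, and consider skipping entries that are not root-owned or are group/world-writable. `log_print` has the same unquoted expansion in `echo $1`. `launch_daemonsu` sets `PATH=$OLDPATH`, which this file never assigns; presumably the caller exports it, otherwise PATH is empty before the `exec`, so a one-line comment naming where OLDPATH comes from would help.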
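--- a/zip_static/roothelper/post-fs-data.sh
+++ b/zip_static/roothelper/post-fs-data.sh
@@ -0,0 +1,29 @@
+#!/system/bin/sh
+
+cd /magisk/00roothelper
+
+if [ -f "launch_daemonsu.sh" ]; then
+# SuperSU mode
+rm -rf /magisk/supersu /magisk/99supersu
+mkdir -p /magisk/99supersu
+cp supersu.sh /magisk/99supersu/post-fs-data.sh
+cp supersu.prop /magisk/99supersu/module.prop
+cp launch_daemonsu.sh /magisk/99supersu/launch_daemonsu.sh
+chmod 755 /magisk/99supersu/*
+else
+# phh mode
+if [ -f "/magisk/phh/su" ]]; then
+# Old version detected
+cp /magisk/phh/su su
+rm -rf /magisk/phh
+mkdir -p /magisk/phh/bin
+mkdir -p /magisk/phh/su.d
+cp su /magisk/phh/bin/su
+cp /data/magisk/sepolicy-inject /magisk/phh/bin/sepolicy-inject
+cp phh.sh /magisk/phh/post-fs-data.sh
+cp phh.prop /magisk/phh/module.prop
+chmod 755 /magisk/phh/* /magisk/phh/bin/*
+fi
+fi
+
+rm -rf /magisk/00roothelper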
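Review bot: The inner test `if [ -f "/magisk/phh/su" ]]; then` carries a stray bracket, so `[` is handed `]]` as its final argument, fails with a missing-`]` error, and the "Old version detected" migration branch is never taken. It should read `if [ -f "/magisk/phh/su" ]; then`. Separately, `cd /magisk/00roothelper` is unchecked, so if that directory is absent the relative `cp` calls run from whatever the current directory happens to be; `cd /magisk/00roothelper || exit 1` stops the script before it copies and chmods files from the wrong place. The rendered page has lost indentation, so the nesting described here is inferred from the two closing `fi` lines.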
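--- a/zip_static/roothelper/supersu.prop
+++ b/zip_static/roothelper/supersu.prop
@@ -0,0 +1,7 @@
+id=supersu
+name=SuperSU Helper
+version=v1
+versionCode=1
+author=topjohnwu
+description=This is a helper module for Chainfire's SuperSU to work with Magisk
+cacheModule=false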
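--- a/zip_static/roothelper/supersu.sh
+++ b/zip_static/roothelper/supersu.sh
@@ -0,0 +1,11 @@
+#!/system/bin/sh
+
+mount -o rw,remount rootfs /
+mkdir /su 2>/dev/null
+mount -o ro,remount rootfs /
+
+chmod 755 /magisk/99supersu/launch_daemonsu.sh
+/magisk/99supersu/launch_daemonsu.sh post-fs-data
+
+rm -rf /magisk/.core/bin
+ln -s /su/bin /magisk/.core/bin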
Binary file not shown.