TheArchive/Magisk
1
0
Fork 0
mirror of https://github.com/topjohnwu/Magisk.git synced 2025-12-02 22:11:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Convert indentation to spaces

Browse Source 
The tab war is lost
This commit is contained in:
topjohnwu
2020-12-30 22:11:24 -08:00
parent 947a7d6a2f
commit f9bde347bc
78 changed files with 10945 additions and 10945 deletions
Download Patch File Download Diff File Expand all files Collapse all files

158
native/jni/magiskpolicy/magiskpolicy.cpp
View File

@@ -6,7 +6,7 @@
using namespace std::literals;
[[noreturn]] static void usage(char *arg0) {
fprintf(stderr,
fprintf(stderr,
R"EOF(MagiskPolicy - Sepolicy Patch Tool
Usage: %s [--options...] [policy statements...]
@@ -28,93 +28,93 @@ If neither --load or --compile-split is specified, it will load
from current live policies (/sys/fs/selinux/policy)
)EOF", arg0);
exit(1);
exit(1);
}
int magiskpolicy_main(int argc, char *argv[]) {
cmdline_logging();
const char *out_file = nullptr;
const char *rule_file = nullptr;
sepolicy *sepol = nullptr;
bool magisk = false;
bool live = false;
cmdline_logging();
const char *out_file = nullptr;
const char *rule_file = nullptr;
sepolicy *sepol = nullptr;
bool magisk = false;
bool live = false;
if (argc < 2) usage(argv[0]);
int i = 1;
for (; i < argc; ++i) {
// Parse options
if (argv[i][0] == '-' && argv[i][1] == '-') {
auto option = argv[i] + 2;
if (option == "live"sv)
live = true;
else if (option == "magisk"sv)
magisk = true;
else if (option == "load"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
sepol = sepolicy::from_file(argv[i + 1]);
if (!sepol) {
fprintf(stderr, "Cannot load policy from %s\n", argv[i + 1]);
return 1;
}
++i;
} else if (option == "load-split"sv) {
sepol = sepolicy::from_split();
if (!sepol) {
fprintf(stderr, "Cannot load split cil\n");
return 1;
}
} else if (option == "compile-split"sv) {
sepol = sepolicy::compile_split();
if (!sepol) {
fprintf(stderr, "Cannot compile split cil\n");
return 1;
}
} else if (option == "save"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
out_file = argv[i + 1];
++i;
} else if (option == "apply"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
rule_file = argv[i + 1];
++i;
} else if (option == "help"sv) {
statement_help();
} else {
usage(argv[0]);
}
} else {
break;
}
}
if (argc < 2) usage(argv[0]);
int i = 1;
for (; i < argc; ++i) {
// Parse options
if (argv[i][0] == '-' && argv[i][1] == '-') {
auto option = argv[i] + 2;
if (option == "live"sv)
live = true;
else if (option == "magisk"sv)
magisk = true;
else if (option == "load"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
sepol = sepolicy::from_file(argv[i + 1]);
if (!sepol) {
fprintf(stderr, "Cannot load policy from %s\n", argv[i + 1]);
return 1;
}
++i;
} else if (option == "load-split"sv) {
sepol = sepolicy::from_split();
if (!sepol) {
fprintf(stderr, "Cannot load split cil\n");
return 1;
}
} else if (option == "compile-split"sv) {
sepol = sepolicy::compile_split();
if (!sepol) {
fprintf(stderr, "Cannot compile split cil\n");
return 1;
}
} else if (option == "save"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
out_file = argv[i + 1];
++i;
} else if (option == "apply"sv) {
if (argv[i + 1] == nullptr)
usage(argv[0]);
rule_file = argv[i + 1];
++i;
} else if (option == "help"sv) {
statement_help();
} else {
usage(argv[0]);
}
} else {
break;
}
}
// Use current policy if nothing is loaded
if (sepol == nullptr && !(sepol = sepolicy::from_file(SELINUX_POLICY))) {
fprintf(stderr, "Cannot load policy from " SELINUX_POLICY "\n");
return 1;
}
// Use current policy if nothing is loaded
if (sepol == nullptr && !(sepol = sepolicy::from_file(SELINUX_POLICY))) {
fprintf(stderr, "Cannot load policy from " SELINUX_POLICY "\n");
return 1;
}
if (magisk)
sepol->magisk_rules();
if (magisk)
sepol->magisk_rules();
if (rule_file)
sepol->load_rule_file(rule_file);
if (rule_file)
sepol->load_rule_file(rule_file);
for (; i < argc; ++i)
sepol->parse_statement(argv[i]);
for (; i < argc; ++i)
sepol->parse_statement(argv[i]);
if (live && !sepol->to_file(SELINUX_LOAD)) {
fprintf(stderr, "Cannot apply policy\n");
return 1;
}
if (live && !sepol->to_file(SELINUX_LOAD)) {
fprintf(stderr, "Cannot apply policy\n");
return 1;
}
if (out_file && !sepol->to_file(out_file)) {
fprintf(stderr, "Cannot dump policy to %s\n", out_file);
return 1;
}
if (out_file && !sepol->to_file(out_file)) {
fprintf(stderr, "Cannot dump policy to %s\n", out_file);
return 1;
}
delete sepol;
return 0;
delete sepol;
return 0;
}

326
native/jni/magiskpolicy/policydb.cpp
View File

@@ -13,218 +13,218 @@
#define SHALEN 64
static bool cmp_sha256(const char *a, const char *b) {
char id_a[SHALEN] = {0};
char id_b[SHALEN] = {0};
if (int fd = xopen(a, O_RDONLY | O_CLOEXEC); fd >= 0) {
xread(fd, id_a, SHALEN);
close(fd);
} else {
return false;
}
char id_a[SHALEN] = {0};
char id_b[SHALEN] = {0};
if (int fd = xopen(a, O_RDONLY | O_CLOEXEC); fd >= 0) {
xread(fd, id_a, SHALEN);
close(fd);
} else {
return false;
}
if (int fd = xopen(b, O_RDONLY | O_CLOEXEC); fd >= 0) {
xread(fd, id_b, SHALEN);
close(fd);
} else {
return false;
}
LOGD("%s=[%.*s]\n", a, SHALEN, id_a);
LOGD("%s=[%.*s]\n", b, SHALEN, id_b);
return memcmp(id_a, id_b, SHALEN) == 0;
if (int fd = xopen(b, O_RDONLY | O_CLOEXEC); fd >= 0) {
xread(fd, id_b, SHALEN);
close(fd);
} else {
return false;
}
LOGD("%s=[%.*s]\n", a, SHALEN, id_a);
LOGD("%s=[%.*s]\n", b, SHALEN, id_b);
return memcmp(id_a, id_b, SHALEN) == 0;
}
static bool check_precompiled(const char *precompiled) {
bool ok = false;
const char *actual_sha;
char compiled_sha[128];
bool ok = false;
const char *actual_sha;
char compiled_sha[128];
actual_sha = PLAT_POLICY_DIR "plat_and_mapping_sepolicy.cil.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.plat_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha))
return false;
}
actual_sha = PLAT_POLICY_DIR "plat_and_mapping_sepolicy.cil.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.plat_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha))
return false;
}
actual_sha = PLAT_POLICY_DIR "plat_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.plat_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha))
return false;
}
actual_sha = PLAT_POLICY_DIR "plat_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.plat_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha))
return false;
}
actual_sha = PROD_POLICY_DIR "product_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.product_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
return false;
}
actual_sha = PROD_POLICY_DIR "product_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.product_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
return false;
}
actual_sha = SYSEXT_POLICY_DIR "system_ext_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.system_ext_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
return false;
}
actual_sha = SYSEXT_POLICY_DIR "system_ext_sepolicy_and_mapping.sha256";
if (access(actual_sha, R_OK) == 0) {
ok = true;
sprintf(compiled_sha, "%s.system_ext_sepolicy_and_mapping.sha256", precompiled);
if (!cmp_sha256(actual_sha, compiled_sha) != 0)
return false;
}
return ok;
return ok;
}
static void load_cil(struct cil_db *db, const char *file) {
char *addr;
size_t size;
mmap_ro(file, addr, size);
cil_add_file(db, (char *) file, addr, size);
LOGD("cil_add [%s]\n", file);
munmap(addr, size);
char *addr;
size_t size;
mmap_ro(file, addr, size);
cil_add_file(db, (char *) file, addr, size);
LOGD("cil_add [%s]\n", file);
munmap(addr, size);
}
sepolicy *sepolicy::from_file(const char *file) {
LOGD("Load policy from: %s\n", file);
LOGD("Load policy from: %s\n", file);
policy_file_t pf;
policy_file_init(&pf);
auto fp = xopen_file(file, "re");
pf.fp = fp.get();
pf.type = PF_USE_STDIO;
policy_file_t pf;
policy_file_init(&pf);
auto fp = xopen_file(file, "re");
pf.fp = fp.get();
pf.type = PF_USE_STDIO;
auto db = static_cast<policydb_t *>(xmalloc(sizeof(policydb_t)));
if (policydb_init(db) || policydb_read(db, &pf, 0)) {
LOGE("Fail to load policy from %s\n", file);
free(db);
return nullptr;
}
auto db = static_cast<policydb_t *>(xmalloc(sizeof(policydb_t)));
if (policydb_init(db) || policydb_read(db, &pf, 0)) {
LOGE("Fail to load policy from %s\n", file);
free(db);
return nullptr;
}
auto sepol = new sepolicy();
sepol->db = db;
return sepol;
auto sepol = new sepolicy();
sepol->db = db;
return sepol;
}
sepolicy *sepolicy::compile_split() {
char path[128], plat_ver[10];
cil_db_t *db = nullptr;
sepol_policydb_t *pdb = nullptr;
FILE *f;
int policy_ver;
const char *cil_file;
char path[128], plat_ver[10];
cil_db_t *db = nullptr;
sepol_policydb_t *pdb = nullptr;
FILE *f;
int policy_ver;
const char *cil_file;
cil_db_init(&db);
run_finally fin([db_ptr = &db]{ cil_db_destroy(db_ptr); });
cil_set_mls(db, 1);
cil_set_multiple_decls(db, 1);
cil_set_disable_neverallow(db, 1);
cil_set_target_platform(db, SEPOL_TARGET_SELINUX);
cil_set_attrs_expand_generated(db, 0);
cil_db_init(&db);
run_finally fin([db_ptr = &db]{ cil_db_destroy(db_ptr); });
cil_set_mls(db, 1);
cil_set_multiple_decls(db, 1);
cil_set_disable_neverallow(db, 1);
cil_set_target_platform(db, SEPOL_TARGET_SELINUX);
cil_set_attrs_expand_generated(db, 0);
f = xfopen(SELINUX_VERSION, "re");
fscanf(f, "%d", &policy_ver);
fclose(f);
cil_set_policy_version(db, policy_ver);
f = xfopen(SELINUX_VERSION, "re");
fscanf(f, "%d", &policy_ver);
fclose(f);
cil_set_policy_version(db, policy_ver);
// Get mapping version
f = xfopen(VEND_POLICY_DIR "plat_sepolicy_vers.txt", "re");
fscanf(f, "%s", plat_ver);
fclose(f);
// Get mapping version
f = xfopen(VEND_POLICY_DIR "plat_sepolicy_vers.txt", "re");
fscanf(f, "%s", plat_ver);
fclose(f);
// plat
load_cil(db, SPLIT_PLAT_CIL);
// plat
load_cil(db, SPLIT_PLAT_CIL);
sprintf(path, PLAT_POLICY_DIR "mapping/%s.cil", plat_ver);
load_cil(db, path);
sprintf(path, PLAT_POLICY_DIR "mapping/%s.cil", plat_ver);
load_cil(db, path);
sprintf(path, PLAT_POLICY_DIR "mapping/%s.compat.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
sprintf(path, PLAT_POLICY_DIR "mapping/%s.compat.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
// system_ext
sprintf(path, SYSEXT_POLICY_DIR "mapping/%s.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
// system_ext
sprintf(path, SYSEXT_POLICY_DIR "mapping/%s.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
cil_file = SYSEXT_POLICY_DIR "system_ext_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = SYSEXT_POLICY_DIR "system_ext_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
// product
sprintf(path, PROD_POLICY_DIR "mapping/%s.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
// product
sprintf(path, PROD_POLICY_DIR "mapping/%s.cil", plat_ver);
if (access(path, R_OK) == 0)
load_cil(db, path);
cil_file = PROD_POLICY_DIR "product_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = PROD_POLICY_DIR "product_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
// vendor
cil_file = VEND_POLICY_DIR "nonplat_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
// vendor
cil_file = VEND_POLICY_DIR "nonplat_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = VEND_POLICY_DIR "plat_pub_versioned.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = VEND_POLICY_DIR "plat_pub_versioned.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = VEND_POLICY_DIR "vendor_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
cil_file = VEND_POLICY_DIR "vendor_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
// odm
cil_file = ODM_POLICY_DIR "odm_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
// odm
cil_file = ODM_POLICY_DIR "odm_sepolicy.cil";
if (access(cil_file, R_OK) == 0)
load_cil(db, cil_file);
if (cil_compile(db))
return nullptr;
if (cil_build_policydb(db, &pdb))
return nullptr;
if (cil_compile(db))
return nullptr;
if (cil_build_policydb(db, &pdb))
return nullptr;
auto sepol = new sepolicy();
sepol->db = &pdb->p;
return sepol;
auto sepol = new sepolicy();
sepol->db = &pdb->p;
return sepol;
}
sepolicy *sepolicy::from_split() {
const char *odm_pre = ODM_POLICY_DIR "precompiled_sepolicy";
const char *vend_pre = VEND_POLICY_DIR "precompiled_sepolicy";
if (access(odm_pre, R_OK) == 0 && check_precompiled(odm_pre))
return sepolicy::from_file(odm_pre);
else if (access(vend_pre, R_OK) == 0 && check_precompiled(vend_pre))
return sepolicy::from_file(vend_pre);
else
return sepolicy::compile_split();
const char *odm_pre = ODM_POLICY_DIR "precompiled_sepolicy";
const char *vend_pre = VEND_POLICY_DIR "precompiled_sepolicy";
if (access(odm_pre, R_OK) == 0 && check_precompiled(odm_pre))
return sepolicy::from_file(odm_pre);
else if (access(vend_pre, R_OK) == 0 && check_precompiled(vend_pre))
return sepolicy::from_file(vend_pre);
else
return sepolicy::compile_split();
}
sepolicy::~sepolicy() {
policydb_destroy(db);
free(db);
policydb_destroy(db);
free(db);
}
bool sepolicy::to_file(const char *file) {
uint8_t *data;
size_t len;
uint8_t *data;
size_t len;
/* No partial writes are allowed to /sys/fs/selinux/load, thus the reason why we
* first dump everything into memory, then directly call write system call */
/* No partial writes are allowed to /sys/fs/selinux/load, thus the reason why we
* first dump everything into memory, then directly call write system call */
auto fp = make_stream_fp<byte_stream>(data, len);
run_finally fin([=]{ free(data); });
auto fp = make_stream_fp<byte_stream>(data, len);
run_finally fin([=]{ free(data); });
policy_file_t pf;
policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = fp.get();
if (policydb_write(db, &pf)) {
LOGE("Fail to create policy image\n");
return false;
}
policy_file_t pf;
policy_file_init(&pf);
pf.type = PF_USE_STDIO;
pf.fp = fp.get();
if (policydb_write(db, &pf)) {
LOGE("Fail to create policy image\n");
return false;
}
int fd = xopen(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
if (fd < 0)
return false;
xwrite(fd, data, len);
int fd = xopen(file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644);
if (fd < 0)
return false;
xwrite(fd, data, len);
close(fd);
return true;
close(fd);
return true;
}

352
native/jni/magiskpolicy/rules.cpp
View File

@@ -6,220 +6,220 @@
using namespace std;
void sepolicy::magisk_rules() {
// Temp suppress warnings
auto bak = log_cb.w;
log_cb.w = nop_log;
// Temp suppress warnings
auto bak = log_cb.w;
log_cb.w = nop_log;
// This indicates API 26+
bool new_rules = exists("untrusted_app_25");
// This indicates API 26+
bool new_rules = exists("untrusted_app_25");
// Prevent anything to change sepolicy except ourselves
deny(ALL, "kernel", "security", "load_policy");
// Prevent anything to change sepolicy except ourselves
deny(ALL, "kernel", "security", "load_policy");
type(SEPOL_PROC_DOMAIN, "domain");
permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
type(SEPOL_FILE_TYPE, "file_type");
typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
type(SEPOL_PROC_DOMAIN, "domain");
permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
type(SEPOL_FILE_TYPE, "file_type");
typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
// Make our root domain unconstrained
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
// Allow us to do any ioctl
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
}
// Make our root domain unconstrained
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
// Allow us to do any ioctl
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
}
// Create unconstrained file type
allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);
allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
// Create unconstrained file type
allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);
allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
if (new_rules) {
// Make client type literally untrusted_app
type(SEPOL_CLIENT_DOMAIN, "domain");
typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");
if (new_rules) {
// Make client type literally untrusted_app
type(SEPOL_CLIENT_DOMAIN, "domain");
typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");
type(SEPOL_EXEC_TYPE, "file_type");
typeattribute(SEPOL_EXEC_TYPE, "exec_type");
type(SEPOL_EXEC_TYPE, "file_type");
typeattribute(SEPOL_EXEC_TYPE, "exec_type");
// Basic su client needs
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
// Basic su client needs
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
const char *pts[] {
"devpts", "untrusted_app_devpts",
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
for (auto type : pts) {
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "open");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
}
const char *pts[] {
"devpts", "untrusted_app_devpts",
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
for (auto type : pts) {
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "open");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
}
// Allow these processes to access MagiskSU
vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
for (auto type : clients) {
if (!exists(type))
continue;
// exec magisk
allow(type, SEPOL_EXEC_TYPE, "file", "read");
allow(type, SEPOL_EXEC_TYPE, "file", "open");
allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");
// Allow these processes to access MagiskSU
vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
for (auto type : clients) {
if (!exists(type))
continue;
// exec magisk
allow(type, SEPOL_EXEC_TYPE, "file", "read");
allow(type, SEPOL_EXEC_TYPE, "file", "open");
allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");
// Auto transit to client domain
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
// Auto transit to client domain
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
// Kill client process
allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
}
// Kill client process
allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
}
// type transition require actual types, not attributes
const char *app_types[] {
"system_app", "priv_app", "platform_app", "untrusted_app",
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29" };
clients.pop_back();
clients.insert(clients.end(), app_types, app_types + std::size(app_types));
for (auto type : clients) {
// Auto transit to client domain
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
}
// type transition require actual types, not attributes
const char *app_types[] {
"system_app", "priv_app", "platform_app", "untrusted_app",
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29" };
clients.pop_back();
clients.insert(clients.end(), app_types, app_types + std::size(app_types));
for (auto type : clients) {
// Auto transit to client domain
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
}
// Allow system_server to manage magisk_client
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
// Allow system_server to manage magisk_client
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
// Only allow client processes to connect to magisk daemon socket
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
} else {
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
// Only allow client processes to connect to magisk daemon socket
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
} else {
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
// Allow these processes to access MagiskSU
const char *clients[] { "init", "shell", "appdomain" };
for (auto type : clients) {
if (!exists(type))
continue;
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
// Allow these processes to access MagiskSU
const char *clients[] { "init", "shell", "appdomain" };
for (auto type : clients) {
if (!exists(type))
continue;
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
// Allow termios ioctl
const char *pts[] { "devpts", "untrusted_app_devpts" };
for (auto pts_type : pts) {
allow(type, pts_type, "chr_file", "ioctl");
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
allowxperm(type, pts_type, "chr_file", "0x5400-0x54FF");
}
}
}
// Allow termios ioctl
const char *pts[] { "devpts", "untrusted_app_devpts" };
for (auto pts_type : pts) {
allow(type, pts_type, "chr_file", "ioctl");
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
allowxperm(type, pts_type, "chr_file", "0x5400-0x54FF");
}
}
}
// Let everyone access tmpfs files (for SAR sbin overlay)
allow(ALL, "tmpfs", "file", ALL);
// Let everyone access tmpfs files (for SAR sbin overlay)
allow(ALL, "tmpfs", "file", ALL);
// For relabelling files
allow("rootfs", "labeledfs", "filesystem", "associate");
allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");
// For relabelling files
allow("rootfs", "labeledfs", "filesystem", "associate");
allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");
// Let init transit to SEPOL_PROC_DOMAIN
allow("kernel", "kernel", "process", "setcurrent");
allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
// Let init transit to SEPOL_PROC_DOMAIN
allow("kernel", "kernel", "process", "setcurrent");
allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
// Let init run stuffs
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
allow("init", "tmpfs", "file", "getattr");
allow("init", "tmpfs", "file", "execute");
// Let init run stuffs
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
allow("init", "tmpfs", "file", "getattr");
allow("init", "tmpfs", "file", "execute");
// suRights
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");
// suRights
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");
// allowLog
allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");
// allowLog
allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");
// suBackL6
allow("surfaceflinger", "app_data_file", "dir", ALL);
allow("surfaceflinger", "app_data_file", "file", ALL);
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
typeattribute("surfaceflinger", "mlstrustedsubject");
// suBackL6
allow("surfaceflinger", "app_data_file", "dir", ALL);
allow("surfaceflinger", "app_data_file", "file", ALL);
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
typeattribute("surfaceflinger", "mlstrustedsubject");
// suMiscL6
allow("audioserver", "audioserver", "process", "execmem");
// suMiscL6
allow("audioserver", "audioserver", "process", "execmem");
// Liveboot
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "call");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");
// Liveboot
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "transfer");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "call");
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");
// dumpsys
allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");
// dumpsys
allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");
// bootctl
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
// bootctl
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
// For mounting loop devices, mirrors, tmpfs
allow("kernel", ALL, "file", "read");
allow("kernel", ALL, "file", "write");
// For mounting loop devices, mirrors, tmpfs
allow("kernel", ALL, "file", "read");
allow("kernel", ALL, "file", "write");
// Allow all binder transactions
allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
// Allow all binder transactions
allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
// For changing file context
allow("rootfs", "tmpfs", "filesystem", "associate");
// For changing file context
allow("rootfs", "tmpfs", "filesystem", "associate");
// Xposed
allow("untrusted_app", "untrusted_app", "capability", "setgid");
allow("system_server", "dex2oat_exec", "file", ALL);
// Xposed
allow("untrusted_app", "untrusted_app", "capability", "setgid");
allow("system_server", "dex2oat_exec", "file", ALL);
// Support deodexed ROM on Oreo
allow("zygote", "dalvikcache_data_file", "file", "execute");
// Support deodexed ROM on Oreo
allow("zygote", "dalvikcache_data_file", "file", "execute");
// Support deodexed ROM on Pie (Samsung)
allow("system_server", "dalvikcache_data_file", "file", "write");
allow("system_server", "dalvikcache_data_file", "file", "execute");
// Support deodexed ROM on Pie (Samsung)
allow("system_server", "dalvikcache_data_file", "file", "write");
allow("system_server", "dalvikcache_data_file", "file", "execute");
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
permissive("update_engine");
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
permissive("update_engine");
#if 0
// Remove all dontaudit in debug mode
impl->strip_dontaudit();
// Remove all dontaudit in debug mode
impl->strip_dontaudit();
#endif
log_cb.w = bak;
log_cb.w = bak;
}

1028
native/jni/magiskpolicy/sepolicy.cpp
View File

File diff suppressed because it is too large Load Diff

30
native/jni/magiskpolicy/sepolicy.hpp
View File

@@ -5,21 +5,21 @@
// Internal APIs, do not use directly
struct sepol_impl : public sepolicy {
void check_avtab_node(avtab_ptr_t node);
avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xperms);
bool add_rule(const char *s, const char *t, const char *c, const char *p, int effect, bool invert);
void add_rule(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, bool invert);
void add_xperm_rule(type_datum_t *src, type_datum_t *tgt,
class_datum_t *cls, uint16_t low, uint16_t high, int effect, bool invert);
bool add_xperm_rule(const char *s, const char *t, const char *c, const char *range, int effect, bool invert);
bool add_type_rule(const char *s, const char *t, const char *c, const char *d, int effect);
bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
bool add_genfscon(const char *fs_name, const char *path, const char *context);
bool add_type(const char *type_name, uint32_t flavor);
bool set_type_state(const char *type_name, bool permissive);
void add_typeattribute(type_datum_t *type, type_datum_t *attr);
bool add_typeattribute(const char *type, const char *attr);
void strip_dontaudit();
void check_avtab_node(avtab_ptr_t node);
avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xperms);
bool add_rule(const char *s, const char *t, const char *c, const char *p, int effect, bool invert);
void add_rule(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, bool invert);
void add_xperm_rule(type_datum_t *src, type_datum_t *tgt,
class_datum_t *cls, uint16_t low, uint16_t high, int effect, bool invert);
bool add_xperm_rule(const char *s, const char *t, const char *c, const char *range, int effect, bool invert);
bool add_type_rule(const char *s, const char *t, const char *c, const char *d, int effect);
bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
bool add_genfscon(const char *fs_name, const char *path, const char *context);
bool add_type(const char *type_name, uint32_t flavor);
bool set_type_state(const char *type_name, bool permissive);
void add_typeattribute(type_datum_t *type, type_datum_t *attr);
bool add_typeattribute(const char *type, const char *attr);
void strip_dontaudit();
};
#define impl static_cast<sepol_impl *>(this)

296
native/jni/magiskpolicy/statement.cpp
View File

@@ -59,7 +59,7 @@ R"EOF("genfscon fs_name partial_path fs_context"
)EOF";
void statement_help() {
fprintf(stderr,
fprintf(stderr,
R"EOF(One policy statement should be treated as one parameter;
this means each policy statement should be enclosed in quotes.
Multiple policy statements can be provided in a single command.
@@ -91,65 +91,65 @@ Supported policy statements:
%s
)EOF", type_msg_1, type_msg_2, type_msg_3, type_msg_4,
type_msg_5, type_msg_6, type_msg_7, type_msg_8, type_msg_9);
exit(0);
exit(0);
}
using parsed_tokens = vector<vector<const char *>>;
static bool tokenize_string(char *stmt, parsed_tokens &arr) {
// cur is the pointer to where the top level is parsing
char *cur = stmt;
for (char *tok; (tok = strtok_r(nullptr, " ", &cur)) != nullptr;) {
vector<const char *> token;
if (tok[0] == '{') {
// cur could point to somewhere in the braces, restore the string
if (cur)
cur[-1] = ' ';
++tok;
char *end = strchr(tok, '}');
if (end == nullptr) {
// Bracket not closed, syntax error
return false;
}
*end = '\0';
for (char *sub_tok; (sub_tok = strtok_r(nullptr, " ", &tok)) != nullptr;)
token.push_back(sub_tok);
cur = end + 1;
} else if (tok[0] == '*') {
token.push_back(nullptr);
} else {
token.push_back(tok);
}
arr.push_back(std::move(token));
}
return true;
// cur is the pointer to where the top level is parsing
char *cur = stmt;
for (char *tok; (tok = strtok_r(nullptr, " ", &cur)) != nullptr;) {
vector<const char *> token;
if (tok[0] == '{') {
// cur could point to somewhere in the braces, restore the string
if (cur)
cur[-1] = ' ';
++tok;
char *end = strchr(tok, '}');
if (end == nullptr) {
// Bracket not closed, syntax error
return false;
}
*end = '\0';
for (char *sub_tok; (sub_tok = strtok_r(nullptr, " ", &tok)) != nullptr;)
token.push_back(sub_tok);
cur = end + 1;
} else if (tok[0] == '*') {
token.push_back(nullptr);
} else {
token.push_back(tok);
}
arr.push_back(std::move(token));
}
return true;
}
// Check array size and all args listed in 'ones' have size = 1 (no multiple entries)
template <int size, int ...ones>
static bool check_tokens(parsed_tokens &arr) {
if (arr.size() != size)
return false;
initializer_list<int> list{ones...};
for (int i : list)
if (arr[i].size() != 1)
return false;
return true;
if (arr.size() != size)
return false;
initializer_list<int> list{ones...};
for (int i : list)
if (arr[i].size() != 1)
return false;
return true;
}
template <int size, int ...ones>
static bool tokenize_and_check(char *stmt, parsed_tokens &arr) {
return tokenize_string(stmt, arr) && check_tokens<size, ones...>(arr);
return tokenize_string(stmt, arr) && check_tokens<size, ones...>(arr);
}
template <typename Func, typename ...Args>
static void run_and_check(const Func &fn, const char *action, Args ...args) {
if (!fn(args...)) {
string s = "Error in: %s";
for (int i = 0; i < sizeof...(args); ++i) s += " %s";
s += "\n";
LOGW(s.data(), action, (args ? args : "*")...);
}
if (!fn(args...)) {
string s = "Error in: %s";
for (int i = 0; i < sizeof...(args); ++i) s += " %s";
s += "\n";
LOGW(s.data(), action, (args ? args : "*")...);
}
}
#define run_fn(...) run_and_check(fn, action, __VA_ARGS__)
@@ -157,166 +157,166 @@ static void run_and_check(const Func &fn, const char *action, Args ...args) {
// Pattern 1: allow { source } { target } { class } { permission }
template <typename Func>
static bool parse_pattern_1(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<4>(stmt, arr))
return false;
for (auto src : arr[0])
for (auto tgt : arr[1])
for (auto cls : arr[2])
for (auto perm : arr[3])
run_fn(src, tgt, cls, perm);
return true;
parsed_tokens arr;
if (!tokenize_and_check<4>(stmt, arr))
return false;
for (auto src : arr[0])
for (auto tgt : arr[1])
for (auto cls : arr[2])
for (auto perm : arr[3])
run_fn(src, tgt, cls, perm);
return true;
}
// Pattern 2: allowxperm { source } { target } { class } ioctl range
template <typename Func>
static bool parse_pattern_2(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<5, 3, 4>(stmt, arr) || arr[3][0] != "ioctl"sv)
return false;
auto range = arr[4][0];
for (auto src : arr[0])
for (auto tgt : arr[1])
for (auto cls : arr[2])
run_fn(src, tgt, cls, range);
return true;
parsed_tokens arr;
if (!tokenize_and_check<5, 3, 4>(stmt, arr) || arr[3][0] != "ioctl"sv)
return false;
auto range = arr[4][0];
for (auto src : arr[0])
for (auto tgt : arr[1])
for (auto cls : arr[2])
run_fn(src, tgt, cls, range);
return true;
}
// Pattern 3: permissive { type }
template <typename Func>
static bool parse_pattern_3(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<1>(stmt, arr))
return false;
for (auto type : arr[0])
run_fn(type);
return true;
parsed_tokens arr;
if (!tokenize_and_check<1>(stmt, arr))
return false;
for (auto type : arr[0])
run_fn(type);
return true;
}
// Pattern 4: typeattribute { type } { attribute }
template <typename Func>
static bool parse_pattern_4(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<2>(stmt, arr))
return false;
for (auto type : arr[0])
for (auto attr : arr[1])
run_fn(type, attr);
return true;
parsed_tokens arr;
if (!tokenize_and_check<2>(stmt, arr))
return false;
for (auto type : arr[0])
for (auto attr : arr[1])
run_fn(type, attr);
return true;
}
// Pattern 5: type name { attribute }
template <typename Func>
static bool parse_pattern_5(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
string tmp_str;
if (!tokenize_string(stmt, arr))
return false;
if (arr.size() == 1) {
arr.emplace_back(initializer_list<const char*>{ "domain" });
}
if (!check_tokens<2, 0>(arr))
return false;
for (auto attr : arr[1])
run_fn(arr[0][0], attr);
return true;
parsed_tokens arr;
string tmp_str;
if (!tokenize_string(stmt, arr))
return false;
if (arr.size() == 1) {
arr.emplace_back(initializer_list<const char*>{ "domain" });
}
if (!check_tokens<2, 0>(arr))
return false;
for (auto attr : arr[1])
run_fn(arr[0][0], attr);
return true;
}
// Pattern 6: attribute name
template <typename Func>
static bool parse_pattern_6(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<1, 0>(stmt, arr))
return false;
run_fn(arr[0][1]);
return true;
parsed_tokens arr;
if (!tokenize_and_check<1, 0>(stmt, arr))
return false;
run_fn(arr[0][1]);
return true;
}
// Pattern 7: type_transition source target class default (filename)
template <typename Func>
static bool parse_pattern_7(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_string(stmt, arr))
return false;
if (arr.size() == 4)
arr.emplace_back(initializer_list<const char*>{nullptr});
if (!check_tokens<5, 0, 1, 2, 3, 4>(arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0], arr[3][0], arr[4][0]);
return true;
parsed_tokens arr;
if (!tokenize_string(stmt, arr))
return false;
if (arr.size() == 4)
arr.emplace_back(initializer_list<const char*>{nullptr});
if (!check_tokens<5, 0, 1, 2, 3, 4>(arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0], arr[3][0], arr[4][0]);
return true;
}
// Pattern 8: type_change source target class default
template <typename Func>
static bool parse_pattern_8(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<4, 0, 1, 2, 3>(stmt, arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0], arr[3][0]);
return true;
parsed_tokens arr;
if (!tokenize_and_check<4, 0, 1, 2, 3>(stmt, arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0], arr[3][0]);
return true;
}
// Pattern 9: genfscon name path context
template <typename Func>
static bool parse_pattern_9(const Func &fn, const char *action, char *stmt) {
parsed_tokens arr;
if (!tokenize_and_check<3, 0, 1, 2>(stmt, arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0]);
return true;
parsed_tokens arr;
if (!tokenize_and_check<3, 0, 1, 2>(stmt, arr))
return false;
run_fn(arr[0][0], arr[1][0], arr[2][0]);
return true;
}
#define add_action_func(name, type, fn) \
else if (strcmp(name, action) == 0) { \
auto __fn = [=](auto && ...args){ return (fn)(args...); };\
if (!parse_pattern_##type(__fn, name, remain)) \
LOGW("Syntax error in '%s'\n\n%s\n", stmt, type_msg_##type); \
auto __fn = [=](auto && ...args){ return (fn)(args...); };\
if (!parse_pattern_##type(__fn, name, remain)) \
LOGW("Syntax error in '%s'\n\n%s\n", stmt, type_msg_##type); \
}
#define add_action(act, type) add_action_func(#act, type, act)
void sepolicy::parse_statement(const char *stmt) {
// strtok modify strings, create a copy
string cpy(stmt);
// strtok modify strings, create a copy
string cpy(stmt);
char *remain;
char *action = strtok_r(cpy.data(), " ", &remain);
if (remain == nullptr) {
LOGW("Syntax error in '%s'\n\n", stmt);
return;
}
char *remain;
char *action = strtok_r(cpy.data(), " ", &remain);
if (remain == nullptr) {
LOGW("Syntax error in '%s'\n\n", stmt);
return;
}
if (0) {}
add_action(allow, 1)
add_action(deny, 1)
add_action(auditallow, 1)
add_action(dontaudit, 1)
add_action(allowxperm, 2)
add_action(auditallowxperm, 2)
add_action(dontauditxperm, 2)
add_action(permissive, 3)
add_action(enforce, 3)
add_action(typeattribute, 4)
add_action(type, 5)
add_action(attribute, 6)
add_action(type_transition, 7)
add_action(type_change, 8)
add_action(type_member, 8)
add_action(genfscon, 9)
if (0) {}
add_action(allow, 1)
add_action(deny, 1)
add_action(auditallow, 1)
add_action(dontaudit, 1)
add_action(allowxperm, 2)
add_action(auditallowxperm, 2)
add_action(dontauditxperm, 2)
add_action(permissive, 3)
add_action(enforce, 3)
add_action(typeattribute, 4)
add_action(type, 5)
add_action(attribute, 6)
add_action(type_transition, 7)
add_action(type_change, 8)
add_action(type_member, 8)
add_action(genfscon, 9)
// Backwards compatible syntax
add_action(create, 3)
add_action_func("attradd", 4, typeattribute)
add_action_func("name_transition", 7, type_transition)
// Backwards compatible syntax
add_action(create, 3)
add_action_func("attradd", 4, typeattribute)
add_action_func("name_transition", 7, type_transition)
else { LOGW("Unknown action: '%s'\n\n", action); }
else { LOGW("Unknown action: '%s'\n\n", action); }
}
void sepolicy::load_rule_file(const char *file) {
file_readline(true, file, [=](string_view line) -> bool {
if (line.empty() || line[0] == '#')
return true;
parse_statement(line.data());
return true;
});
file_readline(true, file, [=](string_view line) -> bool {
if (line.empty() || line[0] == '#')
return true;
parse_statement(line.data());
return true;
});
}