mirror of
https://github.com/topjohnwu/Magisk.git
synced 2025-03-03 22:05:10 +00:00
c9eac0c438
The existing sepolicy patching strategy looks like this: 1. 2SI: use LD_PRELOAD to hijack `security_load_policy` 2. Split policy: devices using split policy implies it also needs to do early mount, which means fstab is stored in device tree. So we do the following: - Hijack the fstab node in the device tree in sysfs - Wait for init to mount selinuxfs for us - Hijack selinuxfs to intercept sepolicy loading 3. Monolithic policy: directly patch `/sepolicy` Method #1 and #2 both has the magiskinit pre-init daemon handling the sepolicy patching and loading process, while method #3 gives us zero control over sepolicy loading process. Downsides: a. Pre-init daemon bypasses the need to guess which sepolicy init will load, because the original init will literally send the stock sepolicy file directly to us with this approach. b. If we want to add more features/functionalities during the sepolicy patching process, we will leave out devices using method #3 In order to solve these issues, we completely redesign the sepolicy patching strategy for non-2SI devices. Instead of limiting usage of pre-init daemon to early mount devices, we always intercept the sepolicy loading process regardless of the Android version and device setup. This will give us a unified implementation for sepolicy patching, and will make it easier to develop further new features down the line.