diff --git a/jni/magiskhide/hide.c b/jni/magiskhide/hide.c index 67fb8dbff..22685b857 100644 --- a/jni/magiskhide/hide.c +++ b/jni/magiskhide/hide.c @@ -42,9 +42,10 @@ int hideMagisk() { } } - // First unmount the dummy skeletons and the cache mounts + // First unmount the dummy skeletons, cache mounts, and /sbin links for(i = mount_size - 1; i >= 0; --i) { if (strstr(mount_list[i], "tmpfs /system") || strstr(mount_list[i], "tmpfs /vendor") + || strstr(mount_list[i], "tmpfs /sbin") || (strstr(mount_list[i], cache_block) && strstr(mount_list[i], "/system/")) ) { sscanf(mount_list[i], "%*s %512s", buffer); lazy_unmount(buffer); diff --git a/jni/magiskpolicy b/jni/magiskpolicy index ca75dd072..2e6bea23a 160000 --- a/jni/magiskpolicy +++ b/jni/magiskpolicy @@ -1 +1 @@ -Subproject commit ca75dd07283ff5fb9fec32f106ba8c58642742a0 +Subproject commit 2e6bea23acc073aa9b3890c50342dd4a3dc8e754 diff --git a/scripts/flash_script.sh b/scripts/flash_script.sh index d47ded835..82bf697a7 100644 --- a/scripts/flash_script.sh +++ b/scripts/flash_script.sh @@ -248,9 +248,11 @@ is_mounted /data && MAGISKBIN=/data/magisk || MAGISKBIN=/cache/data_bin # Copy required files rm -rf $MAGISKBIN 2>/dev/null mkdir -p $MAGISKBIN -cp -af $BINDIR/busybox $BINDIR/magiskpolicy $BINDIR/resetprop $BINDIR/magiskboot \ - $COMMONDIR/ramdisk_patch.sh $COMMONDIR/init.magisk.rc \ - $COMMONDIR/magic_mask.sh $COMMONDIR/magisk.apk $MAGISKBIN +cp -af $BINDIR/. $COMMONDIR/ramdisk_patch.sh $COMMONDIR/magic_mask.sh \ + $COMMONDIR/init.magisk.rc $COMMONDIR/magisk.apk $MAGISKBIN +# Legacy support +ln -sf /data/magisk/magiskpolicy $MAGISKBIN/sepolicy-inject + chmod -R 755 $MAGISKBIN chcon -h u:object_r:system_file:s0 $MAGISKBIN $MAGISKBIN/* @@ -416,18 +418,10 @@ MAGISKLOOP=$LOOPDEVICE # Core folders and scripts mkdir -p $COREDIR/magiskhide $COREDIR/post-fs-data.d $COREDIR/service.d 2>/dev/null -cp -af $COMMONDIR/magiskhide/. $BINDIR/magiskhide $COREDIR/magiskhide +cp -af $COMMONDIR/magiskhide/. $COREDIR/magiskhide chmod -R 755 $COREDIR/magiskhide $COREDIR/post-fs-data.d $COREDIR/service.d chown -R 0.0 $COREDIR/magiskhide $COREDIR/post-fs-data.d $COREDIR/service.d -if ! $SUPERSU; then - ui_print "- Installing MagiskSU" - mkdir -p $COREDIR/su 2>/dev/null - cp -af $BINDIR/su $COMMONDIR/magisksu.sh $COREDIR/su - chmod -R 755 $COREDIR/su - chown -R 0.0 $COREDIR/su -fi - ########################################################################################## # Repack and flash ########################################################################################## diff --git a/scripts/init.magisk.rc b/scripts/init.magisk.rc index 443b428b8..c5e890d4a 100644 --- a/scripts/init.magisk.rc +++ b/scripts/init.magisk.rc @@ -3,13 +3,12 @@ on post-fs start magisk_pfs wait /dev/.magisk.unblock 20 - rm /dev/.magisk.unblock on post-fs-data + rm /dev/.magisk.unblock load_persist_props start magisk_pfsd wait /dev/.magisk.unblock 60 - rm /dev/.magisk.unblock on property:magisk.restart_pfsd=1 trigger post-fs-data diff --git a/scripts/magic_mask.sh b/scripts/magic_mask.sh index 1ea832571..00efcc7ca 100644 --- a/scripts/magic_mask.sh +++ b/scripts/magic_mask.sh @@ -171,7 +171,7 @@ clone_dummy() { cp -afc "$ITEM" "$DUMMDIR$REAL" else if $LINK && [ ! -e "$MOUNTINFO$REAL" ]; then - ln -s "$MIRRDIR$REAL" "$DUMMDIR$REAL" + ln -sf "$MIRRDIR$REAL" "$DUMMDIR$REAL" else if [ -d "$ITEM" ]; then mkdir -p "$DUMMDIR$REAL" @@ -317,7 +317,7 @@ case $1 in # Set up environment mkdir -p $TOOLPATH $BINPATH/busybox --install -s $TOOLPATH - ln -s $BINPATH/busybox $TOOLPATH/busybox + ln -sf $BINPATH/busybox $TOOLPATH/busybox # Prevent issues rm -f $TOOLPATH/su $TOOLPATH/sh $TOOLPATH/reboot chmod -R 755 $TOOLPATH @@ -346,7 +346,7 @@ case $1 in # Remove empty directories, legacy paths, symlinks, old temporary images find $MOUNTPOINT -type d -depth ! -path "*core*" -exec rmdir {} \; 2>/dev/null rm -rf $MOUNTPOINT/zzsupersu $MOUNTPOINT/phh $COREDIR/bin $COREDIR/dummy $COREDIR/mirror \ - $COREDIR/busybox /data/magisk/*.img /data/busybox 2>/dev/null + $COREDIR/busybox $COREDIR/su /data/magisk/*.img /data/busybox 2>/dev/null # Remove modules that are labeled to be removed for MOD in $MOUNTPOINT/* ; do @@ -374,10 +374,21 @@ case $1 in fi fi - # Start MagiskSU if no SuperSU - export PATH=$OLDPATH - [ ! -f /sbin/launch_daemonsu.sh ] && sh $COREDIR/su/magisksu.sh - export PATH=$TOOLPATH:$OLDPATH + log_print "* Linking binaries to /sbin" + mount -o rw,remount rootfs / + chmod 755 /sbin + ln -sf $BINPATH/magiskpolicy /sbin/magiskpolicy + ln -sf $BINPATH/magiskpolicy /sbin/sepolicy-inject + ln -sf $BINPATH/resetprop /sbin/resetprop + if [ ! -f /sbin/launch_daemonsu.sh ]; then + log_print "* Starting MagiskSU" + export PATH=$OLDPATH + ln -sf $BINPATH/su /sbin/su + ln -sf $BINPATH/magiskpolicy /sbin/supolicy + /sbin/su --daemon + export PATH=$TOOLPATH:$OLDPATH + fi + mount -o ro,remount rootfs / [ -f $DISABLEFILE ] && unblock @@ -389,7 +400,7 @@ case $1 in # Link vendor if not exist if [ ! -e /vendor ]; then mount -o rw,remount rootfs / - ln -s /system/vendor /vendor + ln -sf /system/vendor /vendor mount -o ro,remount rootfs / fi @@ -402,7 +413,7 @@ case $1 in (travel system) rm -f $MOD/vendor 2>/dev/null if [ -d $MOD/system/vendor ]; then - ln -s $MOD/system/vendor $MOD/vendor + ln -sf $MOD/system/vendor $MOD/vendor (travel vendor) fi fi @@ -434,7 +445,7 @@ case $1 in mkdir -p $MIRRDIR/vendor mount -o ro $VENDORBLOCK $MIRRDIR/vendor else - ln -s $MIRRDIR/system/vendor $MIRRDIR/vendor + ln -sf $MIRRDIR/system/vendor $MIRRDIR/vendor fi # Since mirrors always exist, we load libraries and binaries from mirrors diff --git a/zip_static/common/magiskhide/enable b/zip_static/common/magiskhide/enable index 740ff1489..d16e6d82b 100644 --- a/zip_static/common/magiskhide/enable +++ b/zip_static/common/magiskhide/enable @@ -14,11 +14,33 @@ log_print() { # Only enable when isn't started ps | grep "magiskhide --daemon" | grep -v grep >/dev/null 2>&1 && exit -log_print "Removing tampered read-only system props" +if [ ! -d /sbin_orig ]; then + log_print "Moving and re-linking /sbin binaries" + mount -o rw,remount rootfs / + mv -f /sbin /sbin_orig + mkdir /sbin + mount -o ro,remount rootfs / + mkdir -p /dev/sbin_bind + chmod 755 /dev/sbin_bind + ln -s /sbin_orig/* /dev/sbin_bind + chcon -h u:object_r:rootfs:s0 /dev/sbin_bind /dev/sbin_bind/* + mount -o bind /dev/sbin_bind /sbin +fi + +# Sammy device like these permissions +chmod 640 /sys/fs/selinux/enforce +chmod 440 /sys/fs/selinux/policy + +log_print "Removing dangerous read-only system props" VERIFYBOOT=`getprop ro.boot.verifiedbootstate` FLASHLOCKED=`getprop ro.boot.flash.locked` VERITYMODE=`getprop ro.boot.veritymode` +DEBUGGABLE=`getprop ro.debuggable` +SECURE=`getprop ro.secure` +BUILDTYPE=`getprop ro.build.type` +BUILDTAGS=`getprop ro.build.tags` +BUILDSELINUX=`getprop ro.build.selinux` [ ! -z "$VERIFYBOOT" -a "$VERIFYBOOT" != "green" ] && \ log_print "`$BINPATH/resetprop -v -n ro.boot.verifiedbootstate green`" @@ -26,6 +48,16 @@ log_print "`$BINPATH/resetprop -v -n ro.boot.verifiedbootstate green`" log_print "`$BINPATH/resetprop -v -n ro.boot.flash.locked 1`" [ ! -z "$VERITYMODE" -a "$VERITYMODE" != "enforcing" ] && \ log_print "`$BINPATH/resetprop -v -n ro.boot.veritymode enforcing`" +[ ! -z "$DEBUGGABLE" -a "$DEBUGGABLE" != "0" ] && \ +log_print "`$BINPATH/resetprop -v -n ro.debuggable 0`" +[ ! -z "$SECURE" -a "$SECURE" != "1" ] && \ +log_print "`$BINPATH/resetprop -v -n ro.secure 1`" +[ ! -z "$BUILDTYPE" -a "$BUILDTYPE" != "user" ] && \ +log_print "`$BINPATH/resetprop -v -n ro.build.type user`" +[ ! -z "$BUILDTAGS" -a "$BUILDTAGS" != "release-keys" ] && \ +log_print "`$BINPATH/resetprop -v -n ro.build.tags release-keys`" +[ ! -z "$BUILDSELINUX" -a "$BUILDSELINUX" != "0" ] && \ +log_print "`$BINPATH/resetprop -v -n ro.build.selinux 0`" touch $MODDIR/hidelist chmod -R 755 $MODDIR @@ -40,4 +72,4 @@ while read PROCESS; do done < $MODDIR/hidelist log_print "Starting MagiskHide daemon" -$MODDIR/magiskhide --daemon +$BINPATH/magiskhide --daemon