Add support for pre-init custom sepolicy patches

Close #1685

native/jni/init/init.h

@@ -3,6 +3,8 @@
 #include <stdlib.h>
 #include <vector>
 
+#include <magisk.h>
+
 struct cmdline {
 	bool skip_initramfs;
 	bool force_normal_boot;
@@ -45,7 +47,7 @@ protected:
 	virtual void cleanup();
 public:
 	BaseInit(char *argv[], cmdline *cmd) :
-	cmd(cmd), argv(argv), mount_list{"/sys", "/proc", "/dev"} {}
+	cmd(cmd), argv(argv), mount_list{"/sys", "/proc"} {}
 	virtual ~BaseInit() = default;
 	virtual void start() = 0;
 };
@@ -53,6 +55,7 @@ public:
 class MagiskInit : public BaseInit {
 protected:
 	raw_data self;
+	const char *persist_dir;
 
 	virtual void early_mount() = 0;
 	bool patch_sepolicy(const char *file = "/sepolicy");
@@ -68,7 +71,9 @@ protected:
 	void backup_files();
 	void patch_rootdir();
 public:
-	SARBase(char *argv[], cmdline *cmd) : MagiskInit(argv, cmd) {};
+	SARBase(char *argv[], cmdline *cmd) : MagiskInit(argv, cmd) {
+		persist_dir = MIRRDIR "/persist/magisk";
+	}
 	void start() override {
 		early_mount();
 		patch_rootdir();
@@ -132,7 +137,9 @@ private:
 protected:
 	void early_mount() override;
 public:
-	RootFSInit(char *argv[], cmdline *cmd) : MagiskInit(argv, cmd) {};
+	RootFSInit(char *argv[], cmdline *cmd) : MagiskInit(argv, cmd) {
+		persist_dir = "/dev/.magisk/mirror/persist/magisk";
+	}
 
 	void start() override {
 		early_mount();

native/jni/init/mount.cpp

@@ -126,6 +126,13 @@ void RootFSInit::early_mount() {
 	root = xopen("/", O_RDONLY | O_CLOEXEC);
 	rename("/.backup/init", "/init");
 
+	// Mount sbin overlay for persist, but move it and add to cleanup list
+	mount_sbin();
+	xmount("/sbin", "/dev", nullptr, MS_MOVE, nullptr);
+	mount_list.emplace_back("/dev");
+	mount_list.emplace_back("/dev/.magisk/mirror/persist");
+	mount_list.emplace_back("/dev/.magisk/mirror/cache");
+
 	mount_root(system);
 	mount_root(vendor);
 	mount_root(product);
@@ -169,6 +176,7 @@ void SARInit::early_mount() {
 	// Make dev writable
 	xmkdir("/dev", 0755);
 	xmount("tmpfs", "/dev", "tmpfs", 0, "mode=755");
+	mount_list.emplace_back("/dev");
 
 	backup_files();
 
@@ -227,9 +235,11 @@ void SecondStageInit::early_mount() {
 void BaseInit::cleanup() {
 	// Unmount in reverse order
 	for (auto &p : reversed(mount_list)) {
-		LOGD("Unmount [%s]\n", p.data());
-		umount(p.data());
+		if (xumount(p.data()) == 0)
+			LOGD("Unmount [%s]\n", p.data());
 	}
+	mount_list.clear();
+	mount_list.shrink_to_fit();
 }
 
 void mount_sbin() {
@@ -248,8 +258,12 @@ void mount_sbin() {
 		// Fallback to cache
 		strcpy(partname, "cache");
 		strcpy(block_dev, BLOCKDIR "/cache");
-		if (setup_block(false) < 0)
-			return;
+		if (setup_block(false) < 0) {
+			// Try NVIDIA's BS
+			strcpy(partname, "CAC");
+			if (setup_block(false) < 0)
+				return;
+		}
 		mnt_point = MIRRDIR "/cache";
 		xsymlink("./cache", MIRRDIR "/persist");
 	}

native/jni/init/rootdir.cpp

@@ -164,7 +164,23 @@ bool MagiskInit::patch_sepolicy(const char *file) {
 
 	sepol_magisk_rules();
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
+
+	// Custom rules
+	if (auto dir = xopen_dir(persist_dir); dir) {
+		char path[4096];
+		for (dirent *entry; (entry = xreaddir(dir.get()));) {
+			if (entry->d_name == "."sv || entry->d_name == ".."sv)
+				continue;
+			snprintf(path, sizeof(path), "%s/%s/sepolicy.rule", persist_dir, entry->d_name);
+			if (access(path, R_OK) == 0) {
+				LOGD("Loading custom sepolicy patch: %s\n", path);
+				load_rule_file(path);
+			}
+		}
+	}
+
 	dump_policydb(file);
+	destroy_policydb();
 
 	// Remove OnePlus stupid debug sepolicy and use our own
 	if (access("/sepolicy_debug", F_OK) == 0) {

native/jni/magiskpolicy/policydb.cpp

@@ -13,6 +13,7 @@
 #include "sepolicy.h"
 
 int load_policydb(const char *file) {
+	LOGD("Load policy from: %s\n", file);
 	if (magisk_policydb)
 		destroy_policydb();
 
@@ -101,7 +102,7 @@ static void load_cil(struct cil_db *db, const char *file) {
 	size_t size;
 	mmap_ro(file, addr, size);
 	cil_add_file(db, (char *) file, addr, size);
-	LOGD("cil_add[%s]\n", file);
+	LOGD("cil_add [%s]\n", file);
 	munmap(addr, size);
 }