Handle selinux for Samsung in binary

2017-03-29 02:23:10 +08:00 · 2017-03-29 02:23:10 +08:00 · 3f016f785f
commit 3f016f785f
parent a6427d081e
3 changed files with 24 additions and 18 deletions
--- a/jni/magiskhide/magiskhide.h
+++ b/jni/magiskhide/magiskhide.h
@ -22,6 +22,7 @@
 #define HIDELIST 		"/magisk/.core/magiskhide/hidelist"
 #define DUMMYPATH		"/dev/magisk/dummy"
 #define ENFORCE_FILE 	"/sys/fs/selinux/enforce"
+#define POLICY_FILE 	"/sys/fs/selinux/policy"
 #define SEPOLICY_INJECT "/data/magisk/magiskpolicy"

 // Main thread
--- a/jni/magiskhide/util.c
+++ b/jni/magiskhide/util.c
@ -60,25 +60,37 @@ void run_as_daemon() {

 void manage_selinux() {
 	char *argv[] = { SEPOLICY_INJECT, "--live", "permissive *", NULL };
-	char str[20];
+	char val[1];
 	int fd, ret;
-	fd = open(ENFORCE_FILE, O_RDONLY);
-	if (fd < 0)
-		return;
-	ret = read(fd, str, 20);
-	close(fd);
-	if (ret < 1)
-		return;
-	// Permissive
-	if (str[0] == '0') {
-		fprintf(logfile, "MagiskHide: Permissive detected, switching to pseudo enforced\n");
 	fd = open(ENFORCE_FILE, O_RDWR);
 	if (fd < 0)
 		return;
-		ret = write(fd, "1", 1);
-		close(fd);
-		if (ret < 1)
+	if (read(fd, val, 1) < 1)
 		return;
+	lseek(fd, 0, SEEK_SET);
+	// Permissive
+	if (val[0] == '0') {
+
+		fprintf(logfile, "MagiskHide: Permissive detected\n");
+
+		if (write(fd, "1", 1) < 1)
+			return;
+		lseek(fd, 0, SEEK_SET);
+
+		if (read(fd, val, 1) < 1)
+			return;
+		lseek(fd, 0, SEEK_SET);
+		close(fd);
+
+		if (val[0] == '0') {
+			fprintf(logfile, "MagiskHide: Unable to set to enforce, hide the state\n");
+			chmod(ENFORCE_FILE, 0640);
+			chmod(POLICY_FILE, 0440);
+			return;
+		}
+
+		fprintf(logfile, "MagiskHide: Calling magiskpolicy for pseudo enforce mode\n");
+
 		switch(fork()) {
 			case -1:
 				return;
--- a/zip_static/common/magiskhide/enable
+++ b/zip_static/common/magiskhide/enable
@ -27,10 +27,6 @@ if [ ! -d /sbin_orig ]; then
  mount -o bind /dev/sbin_bind /sbin
 fi

-# Sammy device like these permissions
-chmod 640 /sys/fs/selinux/enforce
-chmod 440 /sys/fs/selinux/policy
-
 log_print "Removing dangerous read-only system props"

 VERIFYBOOT=`getprop ro.boot.verifiedbootstate`
@ -40,7 +36,6 @@ DEBUGGABLE=`getprop ro.debuggable`
 SECURE=`getprop ro.secure`
 BUILDTYPE=`getprop ro.build.type`
 BUILDTAGS=`getprop ro.build.tags`
-BUILDSELINUX=`getprop ro.build.selinux`

 [ ! -z "$VERIFYBOOT" -a "$VERIFYBOOT" != "green" ] && \
 log_print "`$BINPATH/resetprop -v -n ro.boot.verifiedbootstate green`"
@ -56,8 +51,6 @@ log_print "`$BINPATH/resetprop -v -n ro.secure 1`"
 log_print "`$BINPATH/resetprop -v -n ro.build.type user`"
 [ ! -z "$BUILDTAGS" -a "$BUILDTAGS" != "release-keys" ] && \
 log_print "`$BINPATH/resetprop -v -n ro.build.tags release-keys`"
-[ ! -z "$BUILDSELINUX" -a "$BUILDSELINUX" != "1" ] && \
-log_print "`$BINPATH/resetprop -v -n ro.build.selinux 1`"

 touch $MODDIR/hidelist
 chmod -R 755 $MODDIR