Fix some issues with selinux rules
This commit is contained in:
parent
61599059d5
commit
4dacffd7a1
@ -3,6 +3,8 @@
|
|||||||
|
|
||||||
#include "sepolicy.hpp"
|
#include "sepolicy.hpp"
|
||||||
|
|
||||||
|
using namespace std;
|
||||||
|
|
||||||
void sepolicy::magisk_rules() {
|
void sepolicy::magisk_rules() {
|
||||||
// Temp suppress warnings
|
// Temp suppress warnings
|
||||||
auto bak = log_cb.w;
|
auto bak = log_cb.w;
|
||||||
@ -24,9 +26,11 @@ void sepolicy::magisk_rules() {
|
|||||||
|
|
||||||
// Make our root domain unconstrained
|
// Make our root domain unconstrained
|
||||||
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
||||||
// Allow us to do any ioctl on all block devices
|
// Allow us to do any ioctl
|
||||||
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
|
||||||
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
|
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
|
||||||
|
allowxperm(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
|
||||||
|
}
|
||||||
|
|
||||||
// Create unconstrained file type
|
// Create unconstrained file type
|
||||||
allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
|
allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
|
||||||
@ -35,34 +39,31 @@ void sepolicy::magisk_rules() {
|
|||||||
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
|
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
|
||||||
|
|
||||||
if (new_rules) {
|
if (new_rules) {
|
||||||
|
// Make client type literally untrusted_app
|
||||||
type(SEPOL_CLIENT_DOMAIN, "domain");
|
type(SEPOL_CLIENT_DOMAIN, "domain");
|
||||||
|
typeattribute(SEPOL_CLIENT_DOMAIN, "coredomain");
|
||||||
|
typeattribute(SEPOL_CLIENT_DOMAIN, "appdomain");
|
||||||
|
typeattribute(SEPOL_CLIENT_DOMAIN, "untrusted_app_all");
|
||||||
|
typeattribute(SEPOL_CLIENT_DOMAIN, "netdomain");
|
||||||
|
typeattribute(SEPOL_CLIENT_DOMAIN, "bluetoothdomain");
|
||||||
|
|
||||||
type(SEPOL_EXEC_TYPE, "file_type");
|
type(SEPOL_EXEC_TYPE, "file_type");
|
||||||
|
typeattribute(SEPOL_EXEC_TYPE, "exec_type");
|
||||||
|
|
||||||
// Basic su client needs
|
// Basic su client needs
|
||||||
allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
||||||
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
|
||||||
|
|
||||||
// Allow su client termios ioctl
|
// Allow su client termios ioctl
|
||||||
const char *pts[] {
|
const char *pts[] {
|
||||||
"devpts", "untrusted_app_devpts",
|
"devpts", "untrusted_app_devpts",
|
||||||
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
|
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
|
||||||
for (auto type : pts) {
|
for (auto type : pts) {
|
||||||
if (!exists(type))
|
|
||||||
continue;
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
|
|
||||||
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
|
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Allow these processes to access MagiskSU
|
// Allow these processes to access MagiskSU
|
||||||
const char *clients[] {
|
vector<const char *> clients{ "init", "shell", "update_engine", "appdomain" };
|
||||||
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app",
|
|
||||||
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29", "update_engine" };
|
|
||||||
for (auto type : clients) {
|
for (auto type : clients) {
|
||||||
if (!exists(type))
|
if (!exists(type))
|
||||||
continue;
|
continue;
|
||||||
@ -73,30 +74,40 @@ void sepolicy::magisk_rules() {
|
|||||||
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
|
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
|
||||||
|
|
||||||
// Auto transit to client domain
|
// Auto transit to client domain
|
||||||
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
|
|
||||||
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
|
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
|
||||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
|
||||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
|
||||||
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
|
||||||
|
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");
|
// Kill client process
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "read");
|
allow(type, SEPOL_CLIENT_DOMAIN, "process", "signal");
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "write");
|
}
|
||||||
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "ioctl");
|
|
||||||
|
// type transition require actual types, not attributes
|
||||||
|
const char *app_types[] {
|
||||||
|
"system_app", "priv_app", "platform_app", "untrusted_app",
|
||||||
|
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29" };
|
||||||
|
clients.pop_back();
|
||||||
|
clients.insert(clients.end(), app_types, app_types + std::size(app_types));
|
||||||
|
for (auto type : clients) {
|
||||||
|
// Auto transit to client domain
|
||||||
|
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Allow system_server to manage magisk_client
|
// Allow system_server to manage magisk_client
|
||||||
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
|
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
|
||||||
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
|
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
|
||||||
|
|
||||||
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets
|
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon socket
|
||||||
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||||
|
|
||||||
|
// Only allow client processes to connect to magisk daemon socket
|
||||||
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
||||||
} else {
|
} else {
|
||||||
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
|
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
|
||||||
|
|
||||||
// Allow these processes to access MagiskSU
|
// Allow these processes to access MagiskSU
|
||||||
const char *clients[] {
|
const char *clients[] { "init", "shell", "appdomain" };
|
||||||
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app" };
|
|
||||||
for (auto type : clients) {
|
for (auto type : clients) {
|
||||||
if (!exists(type))
|
if (!exists(type))
|
||||||
continue;
|
continue;
|
||||||
|
Loading…
Reference in New Issue
Block a user