Revert "Drop API 17 (Android 4.2) support"

Turns out that we cannot use AndroidKeystore anyways, so we don't
actually need to drop API 17. Revert this change.

build.gradle

@@ -47,7 +47,7 @@ subprojects {
 
                 defaultConfig {
                     if (minSdkVersion == null)
-                        minSdkVersion 18
+                        minSdkVersion 17
                     targetSdkVersion 28
                 }
 

native/jni/core/applets.cpp

@@ -26,7 +26,7 @@ static int (*applet_main[]) (int, char *[]) =
 
 int main(int argc, char *argv[]) {
 	umask(0);
-	selinux_builtin_impl();
+	dload_selinux();
 	cmdline_logging();
 	init_argv0(argc, argv);
 

native/jni/init/rootdir.cpp

@@ -153,24 +153,25 @@ void SARCompatInit::setup_rootfs() {
 }
 
 bool MagiskInit::patch_sepolicy(const char *file) {
-	bool require_patch = false;
+	bool patch_init = false;
-
-	// Mount selinuxfs to communicate with kernel
-	xmount("selinuxfs", SELINUX_MNT, "selinuxfs", 0, nullptr);
 
 	if (access(SPLIT_PLAT_CIL, R_OK) == 0) {
 		LOGD("sepol: split policy\n");
-		load_split_cil();
+		patch_init = true;
-		require_patch = true;
 	} else if (access("/sepolicy", R_OK) == 0) {
 		LOGD("sepol: monolithic policy\n");
 		load_policydb("/sepolicy");
 	} else {
-		// Fatal error!!
 		LOGD("sepol: no selinux\n");
 		return false;
 	}
 
+	// Mount selinuxfs to communicate with kernel
+	xmount("selinuxfs", SELINUX_MNT, "selinuxfs", 0, nullptr);
+
+	if (patch_init)
+		load_split_cil();
+
 	sepol_magisk_rules();
 	sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
 	dump_policydb(file);
@@ -181,7 +182,7 @@ bool MagiskInit::patch_sepolicy(const char *file) {
 		link("/sepolicy", "/sepolicy_debug");
 	}
 
-	return require_patch;
+	return patch_init;
 }
 
 constexpr const char wrapper[] =

native/jni/utils/include/selinux.h

@@ -20,7 +20,7 @@
 
 __BEGIN_DECLS
 
-#define freecon free
+extern void (*freecon)(char *con);
 extern int (*setcon)(const char *con);
 extern int (*getfilecon)(const char *path, char **con);
 extern int (*lgetfilecon)(const char *path, char **con);
@@ -32,6 +32,7 @@ void getfilecon_at(int dirfd, const char *name, char **con);
 void setfilecon_at(int dirfd, const char *name, const char *con);
 
 void selinux_builtin_impl();
+void dload_selinux();
 void restorecon();
 void restore_rootcon();
 

native/jni/utils/selinux.cpp

@@ -38,6 +38,10 @@ static int stub(int, char **ctx) {
 
 // Builtin implementation
 
+static void __freecon(char *s) {
+	free(s);
+}
+
 static int __setcon(const char *ctx) {
 	int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC);
 	if (fd < 0)
@@ -110,6 +114,7 @@ static int __fsetfilecon(int fd, const char *ctx) {
 
 // Function pointers
 
+void (*freecon)(char *) = __freecon;
 int (*setcon)(const char *) = stub;
 int (*getfilecon)(const char *, char **) = stub;
 int (*lgetfilecon)(const char *, char **) = stub;
@@ -141,6 +146,16 @@ void selinux_builtin_impl() {
 	fsetfilecon = __fsetfilecon;
 }
 
+void dload_selinux() {
+	if (access("/system/lib/libselinux.so", F_OK))
+		return;
+	/* We only check whether libselinux.so exists but don't dlopen.
+	 * For some reason calling symbols returned from dlsym
+	 * will result to SEGV_ACCERR on some devices.
+	 * Always use builtin implementations for SELinux stuffs. */
+	selinux_builtin_impl();
+}
+
 static void restore_syscon(int dirfd) {
 	struct dirent *entry;
 	DIR *dir;

scripts/flash_script.sh

@@ -53,7 +53,7 @@ ui_print "- Target image: $BOOTIMAGE"
 # Detect version and architecture
 api_level_arch_detect
 
-[ $API -lt 18 ] && abort "! Magisk is only for Android 4.3 and above"
+[ $API -lt 17 ] && abort "! Magisk is only for Android 4.2 and above"
 
 ui_print "- Device platform: $ARCH"