Separate public and private APIs

2017-04-15 19:26:29 +08:00 · 2017-04-15 19:26:29 +08:00 · 838b2757eb
commit 838b2757eb
parent 7bb8b9039c
7 changed files with 256 additions and 235 deletions
--- a/Android.mk
+++ b/Android.mk
@ -3,7 +3,7 @@ LOCAL_PATH := $(call my-dir)
 include $(CLEAR_VARS)
 LOCAL_MODULE := magiskpolicy
 LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c utils.c ../utils/vector.c
+LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c api.c ../utils/vector.c
 LOCAL_C_INCLUDES := jni/selinux/libsepol/include jni/utils
 LOCAL_CFLAGS := -DINDEP_BINARY
 include $(BUILD_EXECUTABLE)
--- a/utils.c
+++ b/utils.c
@ -1,44 +1,45 @@
 #include "magiskpolicy.h"
+#include "sepolicy.h"

-int allow(char *s, char *t, char *c, char *p) {
+int sepol_allow(char *s, char *t, char *c, char *p) {
 	return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
 }

-int deny(char *s, char *t, char *c, char *p) {
+int sepol_deny(char *s, char *t, char *c, char *p) {
 	return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
 }

-int auditallow(char *s, char *t, char *c, char *p) {
+int sepol_auditallow(char *s, char *t, char *c, char *p) {
 	return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
 }

-int auditdeny(char *s, char *t, char *c, char *p) {
+int sepol_auditdeny(char *s, char *t, char *c, char *p) {
 	return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
 }

-int typetrans(char *s, char *t, char *c, char *d, char *o) {
+int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) {
 	if (o == NULL)
 		return add_transition(s, t, c, d);
 	else
 		return add_file_transition(s, t, c, d, o);
 }

-int permissive(char *s) {
+int sepol_permissive(char *s) {
 	return set_domain_state(s, 1);
 }

-int enforce(char *s) {
+int sepol_enforce(char *s) {
 	return set_domain_state(s, 0);
 }

-int create(char *s) {
+int sepol_create(char *s) {
 	return create_domain(s);
 }

-int attradd(char *s, char *a) {
+int sepol_attradd(char *s, char *a) {
 	return add_typeattribute(s, a);
 }

-int exists(char* source) {
+int sepol_exists(char* source) {
 	return !! hashtab_search(policy->p_types.table, source);
 }
--- a/magiskpolicy.c
+++ b/magiskpolicy.c
@ -1,5 +1,7 @@
-#include "vector.h"
-#include "magiskpolicy.h"
+/* magiskpolicy.c - Main function for policy patching
+ *
+ * Includes all the parsing logic for the policy statements
+ */

 #ifdef INDEP_BINARY
 int magiskpolicy_main(int argc, char *argv[]);
@ -10,6 +12,9 @@ int main(int argc, char *argv[]) {
 #include "magisk.h"
 #endif

+#include "magiskpolicy.h"
+#include "sepolicy.h"
+
 static int syntax_err = 0;
 static char err_msg[ARG_MAX];

@ -112,19 +117,19 @@ static int parse_pattern_1(int action, char* statement) {
 			for (int k = 0; k < permission.size; ++k)
 				switch (action) {
 					case 0:
-						if (allow(source.data[i], target.data[j], class, permission.data[k]))
+						if (sepol_allow(source.data[i], target.data[j], class, permission.data[k]))
 							fprintf(stderr, "Error in: allow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
 						break;
 					case 1:
-						if (deny(source.data[i], target.data[j], class, permission.data[k]))
+						if (sepol_deny(source.data[i], target.data[j], class, permission.data[k]))
 							fprintf(stderr, "Error in: deny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
 						break;
 					case 2:
-						if (auditallow(source.data[i], target.data[j], class, permission.data[k]))
+						if (sepol_auditallow(source.data[i], target.data[j], class, permission.data[k]))
 							fprintf(stderr, "Error in: auditallow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
 						break;
 					case 3:
-						if (auditdeny(source.data[i], target.data[j], class, permission.data[k]))
+						if (sepol_auditdeny(source.data[i], target.data[j], class, permission.data[k]))
 							fprintf(stderr, "Error in: auditdeny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
 						break;
 					default:
@ -181,7 +186,7 @@ static int parse_pattern_2(int action, char* statement) {
 		for (int j = 0; j < attribute.size; ++j)
 			switch (action) {
 				case 0:
-					if (attradd(class.data[i], attribute.data[j]))
+					if (sepol_attradd(class.data[i], attribute.data[j]))
 						fprintf(stderr, "Error in: attradd %s %s\n", class.data[i], attribute.data[j]);
 					break;
 				default:
@ -206,15 +211,15 @@ static int parse_pattern_3(int action, char* statement) {
 	for (int i = 0; i < classes.size; ++i) {
 		switch (action) {
 			case 0:
-				if (create(classes.data[i]))
+				if (sepol_create(classes.data[i]))
 					fprintf(stderr, "Domain %s already exists\n", classes.data[i]);
 				break;
 			case 1:
-				if (permissive(classes.data[i]))
+				if (sepol_permissive(classes.data[i]))
 					fprintf(stderr, "Error in: permissive %s\n", classes.data[i]);
 				break;
 			case 2:
-				if (enforce(classes.data[i]))
+				if (sepol_enforce(classes.data[i]))
 					fprintf(stderr, "Error in: enforce %s\n", classes.data[i]);
 				break;
 		}
@ -253,7 +258,7 @@ static int parse_pattern_4(int action, char* statement) {
 		++state;
 	}
 	if (state < 4) return 1;
-	if (typetrans(source, target, class, def, filename))
+	if (sepol_typetrans(source, target, class, def, filename))
 		fprintf(stderr, "Error in: typetrans %s %s %s %s %s\n", source, target, class, def, filename ? filename : "");
 	return 0;
 }
@ -313,8 +318,8 @@ int magiskpolicy_main(int argc, char *argv[]) {
 	if (policydb_load_isids(&policydb, &sidtab))
 		return 1;

-	if (full) full_rules();
-	else if (minimal) min_rules();
+	if (full) sepol_full_rules();
+	else if (minimal) sepol_min_rules();

 	for (int i = 0; i < rules.size; ++i) {
 		// Since strtok will modify the origin string, copy the policy for error messages
--- a/magiskpolicy.h
+++ b/magiskpolicy.h
@ -1,61 +1,27 @@
-#ifndef MAGISKPOLICY_H
-#define MAGISKPOLICY_H
+/* magiskpolicy.h - Public API for policy patching
+ */
+
+#ifndef _MAGISKPOLICY_H
+#define _MAGISKPOLICY_H
+
+#include <stdlib.h>

 #define ALL NULL

-#include <getopt.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <limits.h>
-#include <string.h>
-#include <sepol/debug.h>
-#include <sepol/policydb/policydb.h>
-#include <sepol/policydb/expand.h>
-#include <sepol/policydb/link.h>
-#include <sepol/policydb/services.h>
-#include <sepol/policydb/avrule_block.h>
-#include <sepol/policydb/conditional.h>
-#include <sepol/policydb/constraint.h>
-
-#include "vector.h"
-
-// hashtab traversal macro
-#define hashtab_for_each(table, ptr) \
-	for (int _i = 0; _i < table->size; ++_i) \
-		for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
-
-// Global policydb
-policydb_t *policy;
-
-// sepolicy manipulation functions
-int load_policy(const char *filename);
-int dump_policy(const char *filename);
-int create_domain(char *d);
-int set_domain_state(char* s, int state);
-int add_transition(char *s, char *t, char *c, char *d);
-int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
-int add_typeattribute(char *domainS, char *attr);
-int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
-
 // Handy functions
-int allow(char *s, char *t, char *c, char *p);
-int deny(char *s, char *t, char *c, char *p);
-int auditallow(char *s, char *t, char *c, char *p);
-int auditdeny(char *s, char *t, char *c, char *p);
-int typetrans(char *s, char *t, char *c, char *d, char *o);
-int create(char *s);
-int permissive(char *s);
-int enforce(char *s);
-int attradd(char *s, char *a);
-int exists(char *source);
+int sepol_allow(char *s, char *t, char *c, char *p);
+int sepol_deny(char *s, char *t, char *c, char *p);
+int sepol_auditallow(char *s, char *t, char *c, char *p);
+int sepol_auditdeny(char *s, char *t, char *c, char *p);
+int sepol_typetrans(char *s, char *t, char *c, char *d, char *o);
+int sepol_create(char *s);
+int sepol_permissive(char *s);
+int sepol_enforce(char *s);
+int sepol_attradd(char *s, char *a);
+int sepol_exists(char *source);

 // Built in rules
-void full_rules();
-void min_rules();
+void sepol_full_rules();
+void sepol_min_rules();

 #endif
--- a/rules.c
+++ b/rules.c
@ -1,230 +1,230 @@
 #include "magiskpolicy.h"

 void samsung() {
-	deny("init", "kernel", "security", "load_policy");
-	deny("policyloader_app", "security_spota_file", "dir", "read");
-	deny("policyloader_app", "security_spota_file", "dir", "write");
-	deny("policyloader_app", "security_spota_file", "file", "read");
-	deny("policyloader_app", "security_spota_file", "file", "write");
-	deny("system_server", "security_spota_file", "dir", "read");
-	deny("system_server", "security_spota_file", "dir", "write");
-	deny("system_server", "security_spota_file", "file", "read");
-	deny("system_server", "security_spota_file", "file", "write");
-	deny("system_app", "security_spota_file", "dir", "read");
-	deny("system_app", "security_spota_file", "dir", "write");
-	deny("system_app", "security_spota_file", "file", "read");
-	deny("system_app", "security_spota_file", "file", "write");
-	deny("installd", "security_spota_file", "dir", "read");
-	deny("installd", "security_spota_file", "dir", "write");
-	deny("installd", "security_spota_file", "file", "read");
-	deny("installd", "security_spota_file", "file", "write");
-	deny("init", "security_spota_file", "dir", "read");
-	deny("init", "security_spota_file", "dir", "write");
-	deny("init", "security_spota_file", "file", "read");
-	deny("init", "security_spota_file", "file", "write");
-	deny("ueventd", "security_spota_file", "dir", "read");
-	deny("ueventd", "security_spota_file", "dir", "write");
-	deny("ueventd", "security_spota_file", "file", "read");
-	deny("ueventd", "security_spota_file", "file", "write");
-	deny("runas", "security_spota_file", "dir", "read");
-	deny("runas", "security_spota_file", "dir", "write");
-	deny("runas", "security_spota_file", "file", "read");
-	deny("runas", "security_spota_file", "file", "write");
-	deny("drsd", "security_spota_file", "dir", "read");
-	deny("drsd", "security_spota_file", "dir", "write");
-	deny("drsd", "security_spota_file", "file", "read");
-	deny("drsd", "security_spota_file", "file", "write");
-	deny("debuggerd", "security_spota_file", "dir", "read");
-	deny("debuggerd", "security_spota_file", "dir", "write");
-	deny("debuggerd", "security_spota_file", "file", "read");
-	deny("debuggerd", "security_spota_file", "file", "write");
-	deny("vold", "security_spota_file", "dir", "read");
-	deny("vold", "security_spota_file", "dir", "write");
-	deny("vold", "security_spota_file", "file", "read");
-	deny("vold", "security_spota_file", "file", "write");
-	deny("zygote", "security_spota_file", "dir", "read");
-	deny("zygote", "security_spota_file", "dir", "write");
-	deny("zygote", "security_spota_file", "file", "read");
-	deny("zygote", "security_spota_file", "file", "write");
-	deny("auditd", "security_spota_file", "dir", "read");
-	deny("auditd", "security_spota_file", "dir", "write");
-	deny("auditd", "security_spota_file", "file", "read");
-	deny("auditd", "security_spota_file", "file", "write");
-	deny("servicemanager", "security_spota_file", "dir", "read");
-	deny("servicemanager", "security_spota_file", "dir", "write");
-	deny("servicemanager", "security_spota_file", "file", "read");
-	deny("servicemanager", "security_spota_file", "file", "write");
-	deny("itsonbs", "security_spota_file", "dir", "read");
-	deny("itsonbs", "security_spota_file", "dir", "write");
-	deny("itsonbs", "security_spota_file", "file", "read");
-	deny("itsonbs", "security_spota_file", "file", "write");
-	deny("commonplatformappdomain", "security_spota_file", "dir", "read");
-	deny("commonplatformappdomain", "security_spota_file", "dir", "write");
-	deny("commonplatformappdomain", "security_spota_file", "file", "read");
-	deny("commonplatformappdomain", "security_spota_file", "file", "write");
+	sepol_deny("init", "kernel", "security", "load_policy");
+	sepol_deny("policyloader_app", "security_spota_file", "dir", "read");
+	sepol_deny("policyloader_app", "security_spota_file", "dir", "write");
+	sepol_deny("policyloader_app", "security_spota_file", "file", "read");
+	sepol_deny("policyloader_app", "security_spota_file", "file", "write");
+	sepol_deny("system_server", "security_spota_file", "dir", "read");
+	sepol_deny("system_server", "security_spota_file", "dir", "write");
+	sepol_deny("system_server", "security_spota_file", "file", "read");
+	sepol_deny("system_server", "security_spota_file", "file", "write");
+	sepol_deny("system_app", "security_spota_file", "dir", "read");
+	sepol_deny("system_app", "security_spota_file", "dir", "write");
+	sepol_deny("system_app", "security_spota_file", "file", "read");
+	sepol_deny("system_app", "security_spota_file", "file", "write");
+	sepol_deny("installd", "security_spota_file", "dir", "read");
+	sepol_deny("installd", "security_spota_file", "dir", "write");
+	sepol_deny("installd", "security_spota_file", "file", "read");
+	sepol_deny("installd", "security_spota_file", "file", "write");
+	sepol_deny("init", "security_spota_file", "dir", "read");
+	sepol_deny("init", "security_spota_file", "dir", "write");
+	sepol_deny("init", "security_spota_file", "file", "read");
+	sepol_deny("init", "security_spota_file", "file", "write");
+	sepol_deny("ueventd", "security_spota_file", "dir", "read");
+	sepol_deny("ueventd", "security_spota_file", "dir", "write");
+	sepol_deny("ueventd", "security_spota_file", "file", "read");
+	sepol_deny("ueventd", "security_spota_file", "file", "write");
+	sepol_deny("runas", "security_spota_file", "dir", "read");
+	sepol_deny("runas", "security_spota_file", "dir", "write");
+	sepol_deny("runas", "security_spota_file", "file", "read");
+	sepol_deny("runas", "security_spota_file", "file", "write");
+	sepol_deny("drsd", "security_spota_file", "dir", "read");
+	sepol_deny("drsd", "security_spota_file", "dir", "write");
+	sepol_deny("drsd", "security_spota_file", "file", "read");
+	sepol_deny("drsd", "security_spota_file", "file", "write");
+	sepol_deny("debuggerd", "security_spota_file", "dir", "read");
+	sepol_deny("debuggerd", "security_spota_file", "dir", "write");
+	sepol_deny("debuggerd", "security_spota_file", "file", "read");
+	sepol_deny("debuggerd", "security_spota_file", "file", "write");
+	sepol_deny("vold", "security_spota_file", "dir", "read");
+	sepol_deny("vold", "security_spota_file", "dir", "write");
+	sepol_deny("vold", "security_spota_file", "file", "read");
+	sepol_deny("vold", "security_spota_file", "file", "write");
+	sepol_deny("zygote", "security_spota_file", "dir", "read");
+	sepol_deny("zygote", "security_spota_file", "dir", "write");
+	sepol_deny("zygote", "security_spota_file", "file", "read");
+	sepol_deny("zygote", "security_spota_file", "file", "write");
+	sepol_deny("auditd", "security_spota_file", "dir", "read");
+	sepol_deny("auditd", "security_spota_file", "dir", "write");
+	sepol_deny("auditd", "security_spota_file", "file", "read");
+	sepol_deny("auditd", "security_spota_file", "file", "write");
+	sepol_deny("servicemanager", "security_spota_file", "dir", "read");
+	sepol_deny("servicemanager", "security_spota_file", "dir", "write");
+	sepol_deny("servicemanager", "security_spota_file", "file", "read");
+	sepol_deny("servicemanager", "security_spota_file", "file", "write");
+	sepol_deny("itsonbs", "security_spota_file", "dir", "read");
+	sepol_deny("itsonbs", "security_spota_file", "dir", "write");
+	sepol_deny("itsonbs", "security_spota_file", "file", "read");
+	sepol_deny("itsonbs", "security_spota_file", "file", "write");
+	sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "read");
+	sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "write");
+	sepol_deny("commonplatformappdomain", "security_spota_file", "file", "read");
+	sepol_deny("commonplatformappdomain", "security_spota_file", "file", "write");
 }

 void allowSuClient(char *target) {
-	allow(target, "rootfs", "file", "execute_no_trans");
-	allow(target, "rootfs", "file", "execute");
-	allow(target, "su", "unix_stream_socket", "connectto");
-	allow(target, "su", "unix_stream_socket", "getopt");
-	allow(target, "su_device", "dir", "search");
-	allow(target, "su_device", "dir", "read");
-	allow(target, "su_device", "sock_file", "read");
-	allow(target, "su_device", "sock_file", "write");
+	sepol_allow(target, "rootfs", "file", "execute_no_trans");
+	sepol_allow(target, "rootfs", "file", "execute");
+	sepol_allow(target, "su", "unix_stream_socket", "connectto");
+	sepol_allow(target, "su", "unix_stream_socket", "getopt");
+	sepol_allow(target, "su_device", "dir", "search");
+	sepol_allow(target, "su_device", "dir", "read");
+	sepol_allow(target, "su_device", "sock_file", "read");
+	sepol_allow(target, "su_device", "sock_file", "write");
 }

 void suRights() {
-	allow("servicemanager", "su", "dir", "search");
-	allow("servicemanager", "su", "dir", "read");
-	allow("servicemanager", "su", "file", "open");
-	allow("servicemanager", "su", "file", "read");
-	allow("servicemanager", "su", "process", "getattr");
-	allow("servicemanager", "su", "binder", "transfer");
-	allow("system_server", "su", "binder", "call");
+	sepol_allow("servicemanager", "su", "dir", "search");
+	sepol_allow("servicemanager", "su", "dir", "read");
+	sepol_allow("servicemanager", "su", "file", "open");
+	sepol_allow("servicemanager", "su", "file", "read");
+	sepol_allow("servicemanager", "su", "process", "getattr");
+	sepol_allow("servicemanager", "su", "binder", "transfer");
+	sepol_allow("system_server", "su", "binder", "call");
 }

 void otherToSU() {
 	// allowLog
-	allow("logd", "su", "dir", "search");
-	allow("logd", "su", "file", "read");
-	allow("logd", "su", "file", "open");
-	allow("logd", "su", "file", "getattr");
+	sepol_allow("logd", "su", "dir", "search");
+	sepol_allow("logd", "su", "file", "read");
+	sepol_allow("logd", "su", "file", "open");
+	sepol_allow("logd", "su", "file", "getattr");

 	// suBackL0
-	allow("system_server", "su", "binder", "call");
-	allow("system_server", "su", "binder", "transfer");
+	sepol_allow("system_server", "su", "binder", "call");
+	sepol_allow("system_server", "su", "binder", "transfer");

 	// ES Explorer opens a sokcet
-	allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
-	allow("untrusted_app", "su", "unix_stream_socket", "read");
-	allow("untrusted_app", "su", "unix_stream_socket", "getattr");
-	allow("untrusted_app", "su", "unix_stream_socket", "write");
-	allow("untrusted_app", "su", "unix_stream_socket", "setattr");
-	allow("untrusted_app", "su", "unix_stream_socket", "lock");
-	allow("untrusted_app", "su", "unix_stream_socket", "append");
-	allow("untrusted_app", "su", "unix_stream_socket", "bind");
-	allow("untrusted_app", "su", "unix_stream_socket", "connect");
-	allow("untrusted_app", "su", "unix_stream_socket", "getopt");
-	allow("untrusted_app", "su", "unix_stream_socket", "setopt");
-	allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
-	allow("untrusted_app", "su", "unix_stream_socket", "connectto");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "read");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "getattr");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "write");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "setattr");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "lock");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "append");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "bind");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "connect");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "getopt");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "setopt");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
+	sepol_allow("untrusted_app", "su", "unix_stream_socket", "connectto");

 	// Any domain is allowed to send su "sigchld"
-	allow(ALL, "su", "process", "sigchld");
+	sepol_allow(ALL, "su", "process", "sigchld");

 	// uNetworkL0
-	attradd("su", "netdomain");
-	attradd("su", "bluetoothdomain");
+	sepol_attradd("su", "netdomain");
+	sepol_attradd("su", "bluetoothdomain");

 	// suBackL6
-	allow("surfaceflinger", "app_data_file", "dir", ALL);
-	allow("surfaceflinger", "app_data_file", "file", ALL);
-	allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
-	attradd("surfaceflinger", "mlstrustedsubject");
+	sepol_allow("surfaceflinger", "app_data_file", "dir", ALL);
+	sepol_allow("surfaceflinger", "app_data_file", "file", ALL);
+	sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
+	sepol_attradd("surfaceflinger", "mlstrustedsubject");

 	// suMiscL6
-	if (exists("audioserver"))
-		allow("audioserver", "audioserver", "process", "execmem");
+	if (sepol_exists("audioserver"))
+		sepol_allow("audioserver", "audioserver", "process", "execmem");
 }

-void full_rules() {
+void sepol_full_rules() {
 	// Samsung specific
 	// Prevent system from loading policy
-	if(exists("knox_system_app"))
+	if(sepol_exists("knox_system_app"))
 		samsung();

 	// Min rules first
-	min_rules();
+	sepol_min_rules();

 	// Create domains if they don't exist
-	if (!exists("su_device"))
-		create("su_device");
-	enforce("su_device");
+	if (!sepol_exists("su_device"))
+		sepol_create("su_device");
+	sepol_enforce("su_device");

 	// Patch su to everything
-	allow("su", ALL, ALL, ALL);
+	sepol_allow("su", ALL, ALL, ALL);

 	// Autotransition su's socket to su_device
-	add_transition("su", "device", "file", "su_device");
-	add_transition("su", "device", "dir", "su_device");
-	allow("su_device", "tmpfs", "filesystem", "associate");
+	sepol_typetrans("su", "device", "file", "su_device", NULL);
+	sepol_typetrans("su", "device", "dir", "su_device", NULL);
+	sepol_allow("su_device", "tmpfs", "filesystem", "associate");

 	// Transition from untrusted_app to su_client
 	allowSuClient("shell");
 	allowSuClient("untrusted_app");
 	allowSuClient("system_app");
 	allowSuClient("platform_app");
-	if (exists("priv_app"))
+	if (sepol_exists("priv_app"))
 		allowSuClient("priv_app");
-	if (exists("ssd_tool"))
+	if (sepol_exists("ssd_tool"))
 		allowSuClient("ssd_tool");

 	// Allow init to execute su daemon/transition
-	allow("init", "su", "process", "transition");
-	allow("init", "su", "process", "rlimitinh");
-	allow("init", "su", "process", "siginh");
-	allow("init", "su", "process", "noatsecure");
+	sepol_allow("init", "su", "process", "transition");
+	sepol_allow("init", "su", "process", "rlimitinh");
+	sepol_allow("init", "su", "process", "siginh");
+	sepol_allow("init", "su", "process", "noatsecure");
 	suRights();
 	otherToSU();

 	// Need to set su_device/su as trusted to be accessible from other categories
-	attradd("su_device", "mlstrustedobject");
-	attradd("su", "mlstrustedsubject");
+	sepol_attradd("su_device", "mlstrustedobject");
+	sepol_attradd("su", "mlstrustedsubject");

 }

 // Minimal to run Magisk script before live patching
-void min_rules() {
+void sepol_min_rules() {

-	if (!exists("su"))
-		create("su");
-	permissive("su");
-	permissive("init");
+	if (!sepol_exists("su"))
+		sepol_create("su");
+	sepol_permissive("su");
+	sepol_permissive("init");

-	attradd("su", "mlstrustedsubject");
+	sepol_attradd("su", "mlstrustedsubject");

 	// Let init run stuffs in su context
-	allow("kernel", "su", "fd", "use");
-	allow("init", "su", "process", ALL);
-	allow("init", "system_file", "dir", ALL);
-	allow("init", "system_file", "lnk_file", ALL);
-	allow("init", "system_file", "file", ALL);
+	sepol_allow("kernel", "su", "fd", "use");
+	sepol_allow("init", "su", "process", ALL);
+	sepol_allow("init", "system_file", "dir", ALL);
+	sepol_allow("init", "system_file", "lnk_file", ALL);
+	sepol_allow("init", "system_file", "file", ALL);

 	// Misc: basic shell scripts, prop management etc.
-	allow("su", "property_socket", "sock_file", "write");
-	if (exists("default_prop"))
-		allow("su", "default_prop", "property_service", "set");
-	allow("su", "init", "unix_stream_socket", "connectto");
-	allow("su", "su", "unix_dgram_socket", ALL);
-	allow("su", "su", "unix_stream_socket", ALL);
-	allow("su", "su", "process", ALL);
-	allow("su", "su", "capability", ALL);
-	allow("su", "su", "file", ALL);
-	allow("su", "su", "fifo_file", ALL);
-	allow("su", "su", "lnk_file", ALL);
-	allow("su", "su", "dir", ALL);
+	sepol_allow("su", "property_socket", "sock_file", "write");
+	if (sepol_exists("default_prop"))
+		sepol_allow("su", "default_prop", "property_service", "set");
+	sepol_allow("su", "init", "unix_stream_socket", "connectto");
+	sepol_allow("su", "su", "unix_dgram_socket", ALL);
+	sepol_allow("su", "su", "unix_stream_socket", ALL);
+	sepol_allow("su", "su", "process", ALL);
+	sepol_allow("su", "su", "capability", ALL);
+	sepol_allow("su", "su", "file", ALL);
+	sepol_allow("su", "su", "fifo_file", ALL);
+	sepol_allow("su", "su", "lnk_file", ALL);
+	sepol_allow("su", "su", "dir", ALL);

 	// Allow su to do anything to files/dir/links
-	allow("su", ALL, "file", ALL);
-	allow("su", ALL, "dir", ALL);
-	allow("su", ALL, "lnk_file", ALL);
+	sepol_allow("su", ALL, "file", ALL);
+	sepol_allow("su", ALL, "dir", ALL);
+	sepol_allow("su", ALL, "lnk_file", ALL);

 	// For sepolicy live patching
-	allow("su", "kernel", "security", "read_policy");
-	allow("su", "kernel", "security", "load_policy");
+	sepol_allow("su", "kernel", "security", "read_policy");
+	sepol_allow("su", "kernel", "security", "load_policy");

 	// For mounting loop devices and mirrors
-	allow("su", "kernel", "process", "setsched");
-	allow("su", "labeledfs", "filesystem", "mount");
-	allow("su", "labeledfs", "filesystem", "unmount");
-	allow("su", "loop_device", "blk_file", ALL);
-	allow("su", "block_device", "blk_file", ALL);
-	allow("su", "system_block_device", "blk_file", ALL);
+	sepol_allow("su", "kernel", "process", "setsched");
+	sepol_allow("su", "labeledfs", "filesystem", "mount");
+	sepol_allow("su", "labeledfs", "filesystem", "unmount");
+	sepol_allow("su", "loop_device", "blk_file", ALL);
+	sepol_allow("su", "block_device", "blk_file", ALL);
+	sepol_allow("su", "system_block_device", "blk_file", ALL);

 	// Xposed
-	allow("untrusted_app", "untrusted_app", "capability", "setgid");
-	allow("system_server", "dex2oat_exec", "file", ALL);
+	sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
+	sepol_allow("system_server", "dex2oat_exec", "file", ALL);

 }
--- a/sepolicy.c
+++ b/sepolicy.c
@ -1,4 +1,5 @@
 #include "magiskpolicy.h"
+#include "sepolicy.h"

 static void *cmalloc(size_t s) {
 	void *t = malloc(s);
--- a/sepolicy.h
+++ b/sepolicy.h
@ -0,0 +1,48 @@
+/* sepolicy.h - Header for magiskpolicy non-public APIs
+ */
+
+#ifndef _SEPOLICY_H
+#define _SEPOLICY_H
+
+#define ALL NULL
+
+#include <getopt.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <limits.h>
+#include <string.h>
+#include <sepol/debug.h>
+#include <sepol/policydb/policydb.h>
+#include <sepol/policydb/expand.h>
+#include <sepol/policydb/link.h>
+#include <sepol/policydb/services.h>
+#include <sepol/policydb/avrule_block.h>
+#include <sepol/policydb/conditional.h>
+#include <sepol/policydb/constraint.h>
+
+#include "vector.h"
+
+// hashtab traversal macro
+#define hashtab_for_each(table, ptr) \
+	for (int _i = 0; _i < table->size; ++_i) \
+		for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
+
+// Global policydb
+policydb_t *policy;
+
+// sepolicy manipulation functions
+int load_policy(const char *filename);
+int dump_policy(const char *filename);
+int create_domain(char *d);
+int set_domain_state(char* s, int state);
+int add_transition(char *s, char *t, char *c, char *d);
+int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
+int add_typeattribute(char *domainS, char *attr);
+int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
+
+#endif