From 838b2757ebe559eab6e0825abaef941f0d06fed7 Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Sat, 15 Apr 2017 19:26:29 +0800 Subject: [PATCH] Separate public and private APIs --- Android.mk | 2 +- utils.c => api.c | 21 ++-- magiskpolicy.c | 31 +++-- magiskpolicy.h | 72 +++-------- rules.c | 316 +++++++++++++++++++++++------------------------ sepolicy.c | 1 + sepolicy.h | 48 +++++++ 7 files changed, 256 insertions(+), 235 deletions(-) rename utils.c => api.c (53%) create mode 100644 sepolicy.h diff --git a/Android.mk b/Android.mk index 34bb16030..ded8819a5 100644 --- a/Android.mk +++ b/Android.mk @@ -3,7 +3,7 @@ LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := magiskpolicy LOCAL_STATIC_LIBRARIES := libsepol -LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c utils.c ../utils/vector.c +LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c api.c ../utils/vector.c LOCAL_C_INCLUDES := jni/selinux/libsepol/include jni/utils LOCAL_CFLAGS := -DINDEP_BINARY include $(BUILD_EXECUTABLE) diff --git a/utils.c b/api.c similarity index 53% rename from utils.c rename to api.c index a1e0e63d6..080265e0f 100644 --- a/utils.c +++ b/api.c @@ -1,44 +1,45 @@ #include "magiskpolicy.h" +#include "sepolicy.h" -int allow(char *s, char *t, char *c, char *p) { +int sepol_allow(char *s, char *t, char *c, char *p) { return add_rule(s, t, c, p, AVTAB_ALLOWED, 0); } -int deny(char *s, char *t, char *c, char *p) { +int sepol_deny(char *s, char *t, char *c, char *p) { return add_rule(s, t, c, p, AVTAB_ALLOWED, 1); } -int auditallow(char *s, char *t, char *c, char *p) { +int sepol_auditallow(char *s, char *t, char *c, char *p) { return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0); } -int auditdeny(char *s, char *t, char *c, char *p) { +int sepol_auditdeny(char *s, char *t, char *c, char *p) { return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0); } -int typetrans(char *s, char *t, char *c, char *d, char *o) { +int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) { if (o == NULL) return add_transition(s, t, c, d); else return add_file_transition(s, t, c, d, o); } -int permissive(char *s) { +int sepol_permissive(char *s) { return set_domain_state(s, 1); } -int enforce(char *s) { +int sepol_enforce(char *s) { return set_domain_state(s, 0); } -int create(char *s) { +int sepol_create(char *s) { return create_domain(s); } -int attradd(char *s, char *a) { +int sepol_attradd(char *s, char *a) { return add_typeattribute(s, a); } -int exists(char* source) { +int sepol_exists(char* source) { return !! hashtab_search(policy->p_types.table, source); } diff --git a/magiskpolicy.c b/magiskpolicy.c index e90022df0..b8c244f0f 100644 --- a/magiskpolicy.c +++ b/magiskpolicy.c @@ -1,5 +1,7 @@ -#include "vector.h" -#include "magiskpolicy.h" +/* magiskpolicy.c - Main function for policy patching + * + * Includes all the parsing logic for the policy statements + */ #ifdef INDEP_BINARY int magiskpolicy_main(int argc, char *argv[]); @@ -10,6 +12,9 @@ int main(int argc, char *argv[]) { #include "magisk.h" #endif +#include "magiskpolicy.h" +#include "sepolicy.h" + static int syntax_err = 0; static char err_msg[ARG_MAX]; @@ -112,19 +117,19 @@ static int parse_pattern_1(int action, char* statement) { for (int k = 0; k < permission.size; ++k) switch (action) { case 0: - if (allow(source.data[i], target.data[j], class, permission.data[k])) + if (sepol_allow(source.data[i], target.data[j], class, permission.data[k])) fprintf(stderr, "Error in: allow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]); break; case 1: - if (deny(source.data[i], target.data[j], class, permission.data[k])) + if (sepol_deny(source.data[i], target.data[j], class, permission.data[k])) fprintf(stderr, "Error in: deny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]); break; case 2: - if (auditallow(source.data[i], target.data[j], class, permission.data[k])) + if (sepol_auditallow(source.data[i], target.data[j], class, permission.data[k])) fprintf(stderr, "Error in: auditallow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]); break; case 3: - if (auditdeny(source.data[i], target.data[j], class, permission.data[k])) + if (sepol_auditdeny(source.data[i], target.data[j], class, permission.data[k])) fprintf(stderr, "Error in: auditdeny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]); break; default: @@ -181,7 +186,7 @@ static int parse_pattern_2(int action, char* statement) { for (int j = 0; j < attribute.size; ++j) switch (action) { case 0: - if (attradd(class.data[i], attribute.data[j])) + if (sepol_attradd(class.data[i], attribute.data[j])) fprintf(stderr, "Error in: attradd %s %s\n", class.data[i], attribute.data[j]); break; default: @@ -206,15 +211,15 @@ static int parse_pattern_3(int action, char* statement) { for (int i = 0; i < classes.size; ++i) { switch (action) { case 0: - if (create(classes.data[i])) + if (sepol_create(classes.data[i])) fprintf(stderr, "Domain %s already exists\n", classes.data[i]); break; case 1: - if (permissive(classes.data[i])) + if (sepol_permissive(classes.data[i])) fprintf(stderr, "Error in: permissive %s\n", classes.data[i]); break; case 2: - if (enforce(classes.data[i])) + if (sepol_enforce(classes.data[i])) fprintf(stderr, "Error in: enforce %s\n", classes.data[i]); break; } @@ -253,7 +258,7 @@ static int parse_pattern_4(int action, char* statement) { ++state; } if (state < 4) return 1; - if (typetrans(source, target, class, def, filename)) + if (sepol_typetrans(source, target, class, def, filename)) fprintf(stderr, "Error in: typetrans %s %s %s %s %s\n", source, target, class, def, filename ? filename : ""); return 0; } @@ -313,8 +318,8 @@ int magiskpolicy_main(int argc, char *argv[]) { if (policydb_load_isids(&policydb, &sidtab)) return 1; - if (full) full_rules(); - else if (minimal) min_rules(); + if (full) sepol_full_rules(); + else if (minimal) sepol_min_rules(); for (int i = 0; i < rules.size; ++i) { // Since strtok will modify the origin string, copy the policy for error messages diff --git a/magiskpolicy.h b/magiskpolicy.h index 17beb59cf..d9d66785f 100644 --- a/magiskpolicy.h +++ b/magiskpolicy.h @@ -1,61 +1,27 @@ -#ifndef MAGISKPOLICY_H -#define MAGISKPOLICY_H +/* magiskpolicy.h - Public API for policy patching + */ + +#ifndef _MAGISKPOLICY_H +#define _MAGISKPOLICY_H + +#include #define ALL NULL -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "vector.h" - -// hashtab traversal macro -#define hashtab_for_each(table, ptr) \ - for (int _i = 0; _i < table->size; ++_i) \ - for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next) - -// Global policydb -policydb_t *policy; - -// sepolicy manipulation functions -int load_policy(const char *filename); -int dump_policy(const char *filename); -int create_domain(char *d); -int set_domain_state(char* s, int state); -int add_transition(char *s, char *t, char *c, char *d); -int add_file_transition(char *s, char *t, char *c, char *d, char* filename); -int add_typeattribute(char *domainS, char *attr); -int add_rule(char *s, char *t, char *c, char *p, int effect, int not); - // Handy functions -int allow(char *s, char *t, char *c, char *p); -int deny(char *s, char *t, char *c, char *p); -int auditallow(char *s, char *t, char *c, char *p); -int auditdeny(char *s, char *t, char *c, char *p); -int typetrans(char *s, char *t, char *c, char *d, char *o); -int create(char *s); -int permissive(char *s); -int enforce(char *s); -int attradd(char *s, char *a); -int exists(char *source); +int sepol_allow(char *s, char *t, char *c, char *p); +int sepol_deny(char *s, char *t, char *c, char *p); +int sepol_auditallow(char *s, char *t, char *c, char *p); +int sepol_auditdeny(char *s, char *t, char *c, char *p); +int sepol_typetrans(char *s, char *t, char *c, char *d, char *o); +int sepol_create(char *s); +int sepol_permissive(char *s); +int sepol_enforce(char *s); +int sepol_attradd(char *s, char *a); +int sepol_exists(char *source); // Built in rules -void full_rules(); -void min_rules(); +void sepol_full_rules(); +void sepol_min_rules(); #endif diff --git a/rules.c b/rules.c index 2e6a4d3dd..6fcdb071c 100644 --- a/rules.c +++ b/rules.c @@ -1,230 +1,230 @@ #include "magiskpolicy.h" void samsung() { - deny("init", "kernel", "security", "load_policy"); - deny("policyloader_app", "security_spota_file", "dir", "read"); - deny("policyloader_app", "security_spota_file", "dir", "write"); - deny("policyloader_app", "security_spota_file", "file", "read"); - deny("policyloader_app", "security_spota_file", "file", "write"); - deny("system_server", "security_spota_file", "dir", "read"); - deny("system_server", "security_spota_file", "dir", "write"); - deny("system_server", "security_spota_file", "file", "read"); - deny("system_server", "security_spota_file", "file", "write"); - deny("system_app", "security_spota_file", "dir", "read"); - deny("system_app", "security_spota_file", "dir", "write"); - deny("system_app", "security_spota_file", "file", "read"); - deny("system_app", "security_spota_file", "file", "write"); - deny("installd", "security_spota_file", "dir", "read"); - deny("installd", "security_spota_file", "dir", "write"); - deny("installd", "security_spota_file", "file", "read"); - deny("installd", "security_spota_file", "file", "write"); - deny("init", "security_spota_file", "dir", "read"); - deny("init", "security_spota_file", "dir", "write"); - deny("init", "security_spota_file", "file", "read"); - deny("init", "security_spota_file", "file", "write"); - deny("ueventd", "security_spota_file", "dir", "read"); - deny("ueventd", "security_spota_file", "dir", "write"); - deny("ueventd", "security_spota_file", "file", "read"); - deny("ueventd", "security_spota_file", "file", "write"); - deny("runas", "security_spota_file", "dir", "read"); - deny("runas", "security_spota_file", "dir", "write"); - deny("runas", "security_spota_file", "file", "read"); - deny("runas", "security_spota_file", "file", "write"); - deny("drsd", "security_spota_file", "dir", "read"); - deny("drsd", "security_spota_file", "dir", "write"); - deny("drsd", "security_spota_file", "file", "read"); - deny("drsd", "security_spota_file", "file", "write"); - deny("debuggerd", "security_spota_file", "dir", "read"); - deny("debuggerd", "security_spota_file", "dir", "write"); - deny("debuggerd", "security_spota_file", "file", "read"); - deny("debuggerd", "security_spota_file", "file", "write"); - deny("vold", "security_spota_file", "dir", "read"); - deny("vold", "security_spota_file", "dir", "write"); - deny("vold", "security_spota_file", "file", "read"); - deny("vold", "security_spota_file", "file", "write"); - deny("zygote", "security_spota_file", "dir", "read"); - deny("zygote", "security_spota_file", "dir", "write"); - deny("zygote", "security_spota_file", "file", "read"); - deny("zygote", "security_spota_file", "file", "write"); - deny("auditd", "security_spota_file", "dir", "read"); - deny("auditd", "security_spota_file", "dir", "write"); - deny("auditd", "security_spota_file", "file", "read"); - deny("auditd", "security_spota_file", "file", "write"); - deny("servicemanager", "security_spota_file", "dir", "read"); - deny("servicemanager", "security_spota_file", "dir", "write"); - deny("servicemanager", "security_spota_file", "file", "read"); - deny("servicemanager", "security_spota_file", "file", "write"); - deny("itsonbs", "security_spota_file", "dir", "read"); - deny("itsonbs", "security_spota_file", "dir", "write"); - deny("itsonbs", "security_spota_file", "file", "read"); - deny("itsonbs", "security_spota_file", "file", "write"); - deny("commonplatformappdomain", "security_spota_file", "dir", "read"); - deny("commonplatformappdomain", "security_spota_file", "dir", "write"); - deny("commonplatformappdomain", "security_spota_file", "file", "read"); - deny("commonplatformappdomain", "security_spota_file", "file", "write"); + sepol_deny("init", "kernel", "security", "load_policy"); + sepol_deny("policyloader_app", "security_spota_file", "dir", "read"); + sepol_deny("policyloader_app", "security_spota_file", "dir", "write"); + sepol_deny("policyloader_app", "security_spota_file", "file", "read"); + sepol_deny("policyloader_app", "security_spota_file", "file", "write"); + sepol_deny("system_server", "security_spota_file", "dir", "read"); + sepol_deny("system_server", "security_spota_file", "dir", "write"); + sepol_deny("system_server", "security_spota_file", "file", "read"); + sepol_deny("system_server", "security_spota_file", "file", "write"); + sepol_deny("system_app", "security_spota_file", "dir", "read"); + sepol_deny("system_app", "security_spota_file", "dir", "write"); + sepol_deny("system_app", "security_spota_file", "file", "read"); + sepol_deny("system_app", "security_spota_file", "file", "write"); + sepol_deny("installd", "security_spota_file", "dir", "read"); + sepol_deny("installd", "security_spota_file", "dir", "write"); + sepol_deny("installd", "security_spota_file", "file", "read"); + sepol_deny("installd", "security_spota_file", "file", "write"); + sepol_deny("init", "security_spota_file", "dir", "read"); + sepol_deny("init", "security_spota_file", "dir", "write"); + sepol_deny("init", "security_spota_file", "file", "read"); + sepol_deny("init", "security_spota_file", "file", "write"); + sepol_deny("ueventd", "security_spota_file", "dir", "read"); + sepol_deny("ueventd", "security_spota_file", "dir", "write"); + sepol_deny("ueventd", "security_spota_file", "file", "read"); + sepol_deny("ueventd", "security_spota_file", "file", "write"); + sepol_deny("runas", "security_spota_file", "dir", "read"); + sepol_deny("runas", "security_spota_file", "dir", "write"); + sepol_deny("runas", "security_spota_file", "file", "read"); + sepol_deny("runas", "security_spota_file", "file", "write"); + sepol_deny("drsd", "security_spota_file", "dir", "read"); + sepol_deny("drsd", "security_spota_file", "dir", "write"); + sepol_deny("drsd", "security_spota_file", "file", "read"); + sepol_deny("drsd", "security_spota_file", "file", "write"); + sepol_deny("debuggerd", "security_spota_file", "dir", "read"); + sepol_deny("debuggerd", "security_spota_file", "dir", "write"); + sepol_deny("debuggerd", "security_spota_file", "file", "read"); + sepol_deny("debuggerd", "security_spota_file", "file", "write"); + sepol_deny("vold", "security_spota_file", "dir", "read"); + sepol_deny("vold", "security_spota_file", "dir", "write"); + sepol_deny("vold", "security_spota_file", "file", "read"); + sepol_deny("vold", "security_spota_file", "file", "write"); + sepol_deny("zygote", "security_spota_file", "dir", "read"); + sepol_deny("zygote", "security_spota_file", "dir", "write"); + sepol_deny("zygote", "security_spota_file", "file", "read"); + sepol_deny("zygote", "security_spota_file", "file", "write"); + sepol_deny("auditd", "security_spota_file", "dir", "read"); + sepol_deny("auditd", "security_spota_file", "dir", "write"); + sepol_deny("auditd", "security_spota_file", "file", "read"); + sepol_deny("auditd", "security_spota_file", "file", "write"); + sepol_deny("servicemanager", "security_spota_file", "dir", "read"); + sepol_deny("servicemanager", "security_spota_file", "dir", "write"); + sepol_deny("servicemanager", "security_spota_file", "file", "read"); + sepol_deny("servicemanager", "security_spota_file", "file", "write"); + sepol_deny("itsonbs", "security_spota_file", "dir", "read"); + sepol_deny("itsonbs", "security_spota_file", "dir", "write"); + sepol_deny("itsonbs", "security_spota_file", "file", "read"); + sepol_deny("itsonbs", "security_spota_file", "file", "write"); + sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "read"); + sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "write"); + sepol_deny("commonplatformappdomain", "security_spota_file", "file", "read"); + sepol_deny("commonplatformappdomain", "security_spota_file", "file", "write"); } void allowSuClient(char *target) { - allow(target, "rootfs", "file", "execute_no_trans"); - allow(target, "rootfs", "file", "execute"); - allow(target, "su", "unix_stream_socket", "connectto"); - allow(target, "su", "unix_stream_socket", "getopt"); - allow(target, "su_device", "dir", "search"); - allow(target, "su_device", "dir", "read"); - allow(target, "su_device", "sock_file", "read"); - allow(target, "su_device", "sock_file", "write"); + sepol_allow(target, "rootfs", "file", "execute_no_trans"); + sepol_allow(target, "rootfs", "file", "execute"); + sepol_allow(target, "su", "unix_stream_socket", "connectto"); + sepol_allow(target, "su", "unix_stream_socket", "getopt"); + sepol_allow(target, "su_device", "dir", "search"); + sepol_allow(target, "su_device", "dir", "read"); + sepol_allow(target, "su_device", "sock_file", "read"); + sepol_allow(target, "su_device", "sock_file", "write"); } void suRights() { - allow("servicemanager", "su", "dir", "search"); - allow("servicemanager", "su", "dir", "read"); - allow("servicemanager", "su", "file", "open"); - allow("servicemanager", "su", "file", "read"); - allow("servicemanager", "su", "process", "getattr"); - allow("servicemanager", "su", "binder", "transfer"); - allow("system_server", "su", "binder", "call"); + sepol_allow("servicemanager", "su", "dir", "search"); + sepol_allow("servicemanager", "su", "dir", "read"); + sepol_allow("servicemanager", "su", "file", "open"); + sepol_allow("servicemanager", "su", "file", "read"); + sepol_allow("servicemanager", "su", "process", "getattr"); + sepol_allow("servicemanager", "su", "binder", "transfer"); + sepol_allow("system_server", "su", "binder", "call"); } void otherToSU() { // allowLog - allow("logd", "su", "dir", "search"); - allow("logd", "su", "file", "read"); - allow("logd", "su", "file", "open"); - allow("logd", "su", "file", "getattr"); + sepol_allow("logd", "su", "dir", "search"); + sepol_allow("logd", "su", "file", "read"); + sepol_allow("logd", "su", "file", "open"); + sepol_allow("logd", "su", "file", "getattr"); // suBackL0 - allow("system_server", "su", "binder", "call"); - allow("system_server", "su", "binder", "transfer"); + sepol_allow("system_server", "su", "binder", "call"); + sepol_allow("system_server", "su", "binder", "transfer"); // ES Explorer opens a sokcet - allow("untrusted_app", "su", "unix_stream_socket", "ioctl"); - allow("untrusted_app", "su", "unix_stream_socket", "read"); - allow("untrusted_app", "su", "unix_stream_socket", "getattr"); - allow("untrusted_app", "su", "unix_stream_socket", "write"); - allow("untrusted_app", "su", "unix_stream_socket", "setattr"); - allow("untrusted_app", "su", "unix_stream_socket", "lock"); - allow("untrusted_app", "su", "unix_stream_socket", "append"); - allow("untrusted_app", "su", "unix_stream_socket", "bind"); - allow("untrusted_app", "su", "unix_stream_socket", "connect"); - allow("untrusted_app", "su", "unix_stream_socket", "getopt"); - allow("untrusted_app", "su", "unix_stream_socket", "setopt"); - allow("untrusted_app", "su", "unix_stream_socket", "shutdown"); - allow("untrusted_app", "su", "unix_stream_socket", "connectto"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "ioctl"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "read"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "getattr"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "write"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "setattr"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "lock"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "append"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "bind"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "connect"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "getopt"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "setopt"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "shutdown"); + sepol_allow("untrusted_app", "su", "unix_stream_socket", "connectto"); // Any domain is allowed to send su "sigchld" - allow(ALL, "su", "process", "sigchld"); + sepol_allow(ALL, "su", "process", "sigchld"); // uNetworkL0 - attradd("su", "netdomain"); - attradd("su", "bluetoothdomain"); + sepol_attradd("su", "netdomain"); + sepol_attradd("su", "bluetoothdomain"); // suBackL6 - allow("surfaceflinger", "app_data_file", "dir", ALL); - allow("surfaceflinger", "app_data_file", "file", ALL); - allow("surfaceflinger", "app_data_file", "lnk_file", ALL); - attradd("surfaceflinger", "mlstrustedsubject"); + sepol_allow("surfaceflinger", "app_data_file", "dir", ALL); + sepol_allow("surfaceflinger", "app_data_file", "file", ALL); + sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL); + sepol_attradd("surfaceflinger", "mlstrustedsubject"); // suMiscL6 - if (exists("audioserver")) - allow("audioserver", "audioserver", "process", "execmem"); + if (sepol_exists("audioserver")) + sepol_allow("audioserver", "audioserver", "process", "execmem"); } -void full_rules() { +void sepol_full_rules() { // Samsung specific // Prevent system from loading policy - if(exists("knox_system_app")) + if(sepol_exists("knox_system_app")) samsung(); // Min rules first - min_rules(); + sepol_min_rules(); // Create domains if they don't exist - if (!exists("su_device")) - create("su_device"); - enforce("su_device"); + if (!sepol_exists("su_device")) + sepol_create("su_device"); + sepol_enforce("su_device"); // Patch su to everything - allow("su", ALL, ALL, ALL); + sepol_allow("su", ALL, ALL, ALL); // Autotransition su's socket to su_device - add_transition("su", "device", "file", "su_device"); - add_transition("su", "device", "dir", "su_device"); - allow("su_device", "tmpfs", "filesystem", "associate"); + sepol_typetrans("su", "device", "file", "su_device", NULL); + sepol_typetrans("su", "device", "dir", "su_device", NULL); + sepol_allow("su_device", "tmpfs", "filesystem", "associate"); // Transition from untrusted_app to su_client allowSuClient("shell"); allowSuClient("untrusted_app"); allowSuClient("system_app"); allowSuClient("platform_app"); - if (exists("priv_app")) + if (sepol_exists("priv_app")) allowSuClient("priv_app"); - if (exists("ssd_tool")) + if (sepol_exists("ssd_tool")) allowSuClient("ssd_tool"); // Allow init to execute su daemon/transition - allow("init", "su", "process", "transition"); - allow("init", "su", "process", "rlimitinh"); - allow("init", "su", "process", "siginh"); - allow("init", "su", "process", "noatsecure"); + sepol_allow("init", "su", "process", "transition"); + sepol_allow("init", "su", "process", "rlimitinh"); + sepol_allow("init", "su", "process", "siginh"); + sepol_allow("init", "su", "process", "noatsecure"); suRights(); otherToSU(); // Need to set su_device/su as trusted to be accessible from other categories - attradd("su_device", "mlstrustedobject"); - attradd("su", "mlstrustedsubject"); + sepol_attradd("su_device", "mlstrustedobject"); + sepol_attradd("su", "mlstrustedsubject"); } // Minimal to run Magisk script before live patching -void min_rules() { +void sepol_min_rules() { - if (!exists("su")) - create("su"); - permissive("su"); - permissive("init"); + if (!sepol_exists("su")) + sepol_create("su"); + sepol_permissive("su"); + sepol_permissive("init"); - attradd("su", "mlstrustedsubject"); + sepol_attradd("su", "mlstrustedsubject"); // Let init run stuffs in su context - allow("kernel", "su", "fd", "use"); - allow("init", "su", "process", ALL); - allow("init", "system_file", "dir", ALL); - allow("init", "system_file", "lnk_file", ALL); - allow("init", "system_file", "file", ALL); + sepol_allow("kernel", "su", "fd", "use"); + sepol_allow("init", "su", "process", ALL); + sepol_allow("init", "system_file", "dir", ALL); + sepol_allow("init", "system_file", "lnk_file", ALL); + sepol_allow("init", "system_file", "file", ALL); // Misc: basic shell scripts, prop management etc. - allow("su", "property_socket", "sock_file", "write"); - if (exists("default_prop")) - allow("su", "default_prop", "property_service", "set"); - allow("su", "init", "unix_stream_socket", "connectto"); - allow("su", "su", "unix_dgram_socket", ALL); - allow("su", "su", "unix_stream_socket", ALL); - allow("su", "su", "process", ALL); - allow("su", "su", "capability", ALL); - allow("su", "su", "file", ALL); - allow("su", "su", "fifo_file", ALL); - allow("su", "su", "lnk_file", ALL); - allow("su", "su", "dir", ALL); + sepol_allow("su", "property_socket", "sock_file", "write"); + if (sepol_exists("default_prop")) + sepol_allow("su", "default_prop", "property_service", "set"); + sepol_allow("su", "init", "unix_stream_socket", "connectto"); + sepol_allow("su", "su", "unix_dgram_socket", ALL); + sepol_allow("su", "su", "unix_stream_socket", ALL); + sepol_allow("su", "su", "process", ALL); + sepol_allow("su", "su", "capability", ALL); + sepol_allow("su", "su", "file", ALL); + sepol_allow("su", "su", "fifo_file", ALL); + sepol_allow("su", "su", "lnk_file", ALL); + sepol_allow("su", "su", "dir", ALL); // Allow su to do anything to files/dir/links - allow("su", ALL, "file", ALL); - allow("su", ALL, "dir", ALL); - allow("su", ALL, "lnk_file", ALL); + sepol_allow("su", ALL, "file", ALL); + sepol_allow("su", ALL, "dir", ALL); + sepol_allow("su", ALL, "lnk_file", ALL); // For sepolicy live patching - allow("su", "kernel", "security", "read_policy"); - allow("su", "kernel", "security", "load_policy"); + sepol_allow("su", "kernel", "security", "read_policy"); + sepol_allow("su", "kernel", "security", "load_policy"); // For mounting loop devices and mirrors - allow("su", "kernel", "process", "setsched"); - allow("su", "labeledfs", "filesystem", "mount"); - allow("su", "labeledfs", "filesystem", "unmount"); - allow("su", "loop_device", "blk_file", ALL); - allow("su", "block_device", "blk_file", ALL); - allow("su", "system_block_device", "blk_file", ALL); + sepol_allow("su", "kernel", "process", "setsched"); + sepol_allow("su", "labeledfs", "filesystem", "mount"); + sepol_allow("su", "labeledfs", "filesystem", "unmount"); + sepol_allow("su", "loop_device", "blk_file", ALL); + sepol_allow("su", "block_device", "blk_file", ALL); + sepol_allow("su", "system_block_device", "blk_file", ALL); // Xposed - allow("untrusted_app", "untrusted_app", "capability", "setgid"); - allow("system_server", "dex2oat_exec", "file", ALL); + sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid"); + sepol_allow("system_server", "dex2oat_exec", "file", ALL); } diff --git a/sepolicy.c b/sepolicy.c index e43c604a3..5694e8558 100644 --- a/sepolicy.c +++ b/sepolicy.c @@ -1,4 +1,5 @@ #include "magiskpolicy.h" +#include "sepolicy.h" static void *cmalloc(size_t s) { void *t = malloc(s); diff --git a/sepolicy.h b/sepolicy.h new file mode 100644 index 000000000..4fafa6636 --- /dev/null +++ b/sepolicy.h @@ -0,0 +1,48 @@ +/* sepolicy.h - Header for magiskpolicy non-public APIs + */ + +#ifndef _SEPOLICY_H +#define _SEPOLICY_H + +#define ALL NULL + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "vector.h" + +// hashtab traversal macro +#define hashtab_for_each(table, ptr) \ + for (int _i = 0; _i < table->size; ++_i) \ + for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next) + +// Global policydb +policydb_t *policy; + +// sepolicy manipulation functions +int load_policy(const char *filename); +int dump_policy(const char *filename); +int create_domain(char *d); +int set_domain_state(char* s, int state); +int add_transition(char *s, char *t, char *c, char *d); +int add_file_transition(char *s, char *t, char *c, char *d, char* filename); +int add_typeattribute(char *domainS, char *attr); +int add_rule(char *s, char *t, char *c, char *p, int effect, int not); + +#endif