Separate public and private APIs
This commit is contained in:
parent
7bb8b9039c
commit
838b2757eb
@ -3,7 +3,7 @@ LOCAL_PATH := $(call my-dir)
|
||||
include $(CLEAR_VARS)
|
||||
LOCAL_MODULE := magiskpolicy
|
||||
LOCAL_STATIC_LIBRARIES := libsepol
|
||||
LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c utils.c ../utils/vector.c
|
||||
LOCAL_SRC_FILES := magiskpolicy.c sepolicy.c rules.c api.c ../utils/vector.c
|
||||
LOCAL_C_INCLUDES := jni/selinux/libsepol/include jni/utils
|
||||
LOCAL_CFLAGS := -DINDEP_BINARY
|
||||
include $(BUILD_EXECUTABLE)
|
||||
|
@ -1,44 +1,45 @@
|
||||
#include "magiskpolicy.h"
|
||||
#include "sepolicy.h"
|
||||
|
||||
int allow(char *s, char *t, char *c, char *p) {
|
||||
int sepol_allow(char *s, char *t, char *c, char *p) {
|
||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
|
||||
}
|
||||
|
||||
int deny(char *s, char *t, char *c, char *p) {
|
||||
int sepol_deny(char *s, char *t, char *c, char *p) {
|
||||
return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
|
||||
}
|
||||
|
||||
int auditallow(char *s, char *t, char *c, char *p) {
|
||||
int sepol_auditallow(char *s, char *t, char *c, char *p) {
|
||||
return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
|
||||
}
|
||||
|
||||
int auditdeny(char *s, char *t, char *c, char *p) {
|
||||
int sepol_auditdeny(char *s, char *t, char *c, char *p) {
|
||||
return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
|
||||
}
|
||||
|
||||
int typetrans(char *s, char *t, char *c, char *d, char *o) {
|
||||
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o) {
|
||||
if (o == NULL)
|
||||
return add_transition(s, t, c, d);
|
||||
else
|
||||
return add_file_transition(s, t, c, d, o);
|
||||
}
|
||||
|
||||
int permissive(char *s) {
|
||||
int sepol_permissive(char *s) {
|
||||
return set_domain_state(s, 1);
|
||||
}
|
||||
|
||||
int enforce(char *s) {
|
||||
int sepol_enforce(char *s) {
|
||||
return set_domain_state(s, 0);
|
||||
}
|
||||
|
||||
int create(char *s) {
|
||||
int sepol_create(char *s) {
|
||||
return create_domain(s);
|
||||
}
|
||||
|
||||
int attradd(char *s, char *a) {
|
||||
int sepol_attradd(char *s, char *a) {
|
||||
return add_typeattribute(s, a);
|
||||
}
|
||||
|
||||
int exists(char* source) {
|
||||
int sepol_exists(char* source) {
|
||||
return !! hashtab_search(policy->p_types.table, source);
|
||||
}
|
@ -1,5 +1,7 @@
|
||||
#include "vector.h"
|
||||
#include "magiskpolicy.h"
|
||||
/* magiskpolicy.c - Main function for policy patching
|
||||
*
|
||||
* Includes all the parsing logic for the policy statements
|
||||
*/
|
||||
|
||||
#ifdef INDEP_BINARY
|
||||
int magiskpolicy_main(int argc, char *argv[]);
|
||||
@ -10,6 +12,9 @@ int main(int argc, char *argv[]) {
|
||||
#include "magisk.h"
|
||||
#endif
|
||||
|
||||
#include "magiskpolicy.h"
|
||||
#include "sepolicy.h"
|
||||
|
||||
static int syntax_err = 0;
|
||||
static char err_msg[ARG_MAX];
|
||||
|
||||
@ -112,19 +117,19 @@ static int parse_pattern_1(int action, char* statement) {
|
||||
for (int k = 0; k < permission.size; ++k)
|
||||
switch (action) {
|
||||
case 0:
|
||||
if (allow(source.data[i], target.data[j], class, permission.data[k]))
|
||||
if (sepol_allow(source.data[i], target.data[j], class, permission.data[k]))
|
||||
fprintf(stderr, "Error in: allow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||
break;
|
||||
case 1:
|
||||
if (deny(source.data[i], target.data[j], class, permission.data[k]))
|
||||
if (sepol_deny(source.data[i], target.data[j], class, permission.data[k]))
|
||||
fprintf(stderr, "Error in: deny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||
break;
|
||||
case 2:
|
||||
if (auditallow(source.data[i], target.data[j], class, permission.data[k]))
|
||||
if (sepol_auditallow(source.data[i], target.data[j], class, permission.data[k]))
|
||||
fprintf(stderr, "Error in: auditallow %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||
break;
|
||||
case 3:
|
||||
if (auditdeny(source.data[i], target.data[j], class, permission.data[k]))
|
||||
if (sepol_auditdeny(source.data[i], target.data[j], class, permission.data[k]))
|
||||
fprintf(stderr, "Error in: auditdeny %s %s %s %s\n", source.data[i], target.data[j], class, permission.data[k]);
|
||||
break;
|
||||
default:
|
||||
@ -181,7 +186,7 @@ static int parse_pattern_2(int action, char* statement) {
|
||||
for (int j = 0; j < attribute.size; ++j)
|
||||
switch (action) {
|
||||
case 0:
|
||||
if (attradd(class.data[i], attribute.data[j]))
|
||||
if (sepol_attradd(class.data[i], attribute.data[j]))
|
||||
fprintf(stderr, "Error in: attradd %s %s\n", class.data[i], attribute.data[j]);
|
||||
break;
|
||||
default:
|
||||
@ -206,15 +211,15 @@ static int parse_pattern_3(int action, char* statement) {
|
||||
for (int i = 0; i < classes.size; ++i) {
|
||||
switch (action) {
|
||||
case 0:
|
||||
if (create(classes.data[i]))
|
||||
if (sepol_create(classes.data[i]))
|
||||
fprintf(stderr, "Domain %s already exists\n", classes.data[i]);
|
||||
break;
|
||||
case 1:
|
||||
if (permissive(classes.data[i]))
|
||||
if (sepol_permissive(classes.data[i]))
|
||||
fprintf(stderr, "Error in: permissive %s\n", classes.data[i]);
|
||||
break;
|
||||
case 2:
|
||||
if (enforce(classes.data[i]))
|
||||
if (sepol_enforce(classes.data[i]))
|
||||
fprintf(stderr, "Error in: enforce %s\n", classes.data[i]);
|
||||
break;
|
||||
}
|
||||
@ -253,7 +258,7 @@ static int parse_pattern_4(int action, char* statement) {
|
||||
++state;
|
||||
}
|
||||
if (state < 4) return 1;
|
||||
if (typetrans(source, target, class, def, filename))
|
||||
if (sepol_typetrans(source, target, class, def, filename))
|
||||
fprintf(stderr, "Error in: typetrans %s %s %s %s %s\n", source, target, class, def, filename ? filename : "");
|
||||
return 0;
|
||||
}
|
||||
@ -313,8 +318,8 @@ int magiskpolicy_main(int argc, char *argv[]) {
|
||||
if (policydb_load_isids(&policydb, &sidtab))
|
||||
return 1;
|
||||
|
||||
if (full) full_rules();
|
||||
else if (minimal) min_rules();
|
||||
if (full) sepol_full_rules();
|
||||
else if (minimal) sepol_min_rules();
|
||||
|
||||
for (int i = 0; i < rules.size; ++i) {
|
||||
// Since strtok will modify the origin string, copy the policy for error messages
|
||||
|
@ -1,61 +1,27 @@
|
||||
#ifndef MAGISKPOLICY_H
|
||||
#define MAGISKPOLICY_H
|
||||
/* magiskpolicy.h - Public API for policy patching
|
||||
*/
|
||||
|
||||
#ifndef _MAGISKPOLICY_H
|
||||
#define _MAGISKPOLICY_H
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
#define ALL NULL
|
||||
|
||||
#include <getopt.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <sepol/debug.h>
|
||||
#include <sepol/policydb/policydb.h>
|
||||
#include <sepol/policydb/expand.h>
|
||||
#include <sepol/policydb/link.h>
|
||||
#include <sepol/policydb/services.h>
|
||||
#include <sepol/policydb/avrule_block.h>
|
||||
#include <sepol/policydb/conditional.h>
|
||||
#include <sepol/policydb/constraint.h>
|
||||
|
||||
#include "vector.h"
|
||||
|
||||
// hashtab traversal macro
|
||||
#define hashtab_for_each(table, ptr) \
|
||||
for (int _i = 0; _i < table->size; ++_i) \
|
||||
for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
|
||||
|
||||
// Global policydb
|
||||
policydb_t *policy;
|
||||
|
||||
// sepolicy manipulation functions
|
||||
int load_policy(const char *filename);
|
||||
int dump_policy(const char *filename);
|
||||
int create_domain(char *d);
|
||||
int set_domain_state(char* s, int state);
|
||||
int add_transition(char *s, char *t, char *c, char *d);
|
||||
int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
|
||||
int add_typeattribute(char *domainS, char *attr);
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||
|
||||
// Handy functions
|
||||
int allow(char *s, char *t, char *c, char *p);
|
||||
int deny(char *s, char *t, char *c, char *p);
|
||||
int auditallow(char *s, char *t, char *c, char *p);
|
||||
int auditdeny(char *s, char *t, char *c, char *p);
|
||||
int typetrans(char *s, char *t, char *c, char *d, char *o);
|
||||
int create(char *s);
|
||||
int permissive(char *s);
|
||||
int enforce(char *s);
|
||||
int attradd(char *s, char *a);
|
||||
int exists(char *source);
|
||||
int sepol_allow(char *s, char *t, char *c, char *p);
|
||||
int sepol_deny(char *s, char *t, char *c, char *p);
|
||||
int sepol_auditallow(char *s, char *t, char *c, char *p);
|
||||
int sepol_auditdeny(char *s, char *t, char *c, char *p);
|
||||
int sepol_typetrans(char *s, char *t, char *c, char *d, char *o);
|
||||
int sepol_create(char *s);
|
||||
int sepol_permissive(char *s);
|
||||
int sepol_enforce(char *s);
|
||||
int sepol_attradd(char *s, char *a);
|
||||
int sepol_exists(char *source);
|
||||
|
||||
// Built in rules
|
||||
void full_rules();
|
||||
void min_rules();
|
||||
void sepol_full_rules();
|
||||
void sepol_min_rules();
|
||||
|
||||
#endif
|
||||
|
316
rules.c
316
rules.c
@ -1,230 +1,230 @@
|
||||
#include "magiskpolicy.h"
|
||||
|
||||
void samsung() {
|
||||
deny("init", "kernel", "security", "load_policy");
|
||||
deny("policyloader_app", "security_spota_file", "dir", "read");
|
||||
deny("policyloader_app", "security_spota_file", "dir", "write");
|
||||
deny("policyloader_app", "security_spota_file", "file", "read");
|
||||
deny("policyloader_app", "security_spota_file", "file", "write");
|
||||
deny("system_server", "security_spota_file", "dir", "read");
|
||||
deny("system_server", "security_spota_file", "dir", "write");
|
||||
deny("system_server", "security_spota_file", "file", "read");
|
||||
deny("system_server", "security_spota_file", "file", "write");
|
||||
deny("system_app", "security_spota_file", "dir", "read");
|
||||
deny("system_app", "security_spota_file", "dir", "write");
|
||||
deny("system_app", "security_spota_file", "file", "read");
|
||||
deny("system_app", "security_spota_file", "file", "write");
|
||||
deny("installd", "security_spota_file", "dir", "read");
|
||||
deny("installd", "security_spota_file", "dir", "write");
|
||||
deny("installd", "security_spota_file", "file", "read");
|
||||
deny("installd", "security_spota_file", "file", "write");
|
||||
deny("init", "security_spota_file", "dir", "read");
|
||||
deny("init", "security_spota_file", "dir", "write");
|
||||
deny("init", "security_spota_file", "file", "read");
|
||||
deny("init", "security_spota_file", "file", "write");
|
||||
deny("ueventd", "security_spota_file", "dir", "read");
|
||||
deny("ueventd", "security_spota_file", "dir", "write");
|
||||
deny("ueventd", "security_spota_file", "file", "read");
|
||||
deny("ueventd", "security_spota_file", "file", "write");
|
||||
deny("runas", "security_spota_file", "dir", "read");
|
||||
deny("runas", "security_spota_file", "dir", "write");
|
||||
deny("runas", "security_spota_file", "file", "read");
|
||||
deny("runas", "security_spota_file", "file", "write");
|
||||
deny("drsd", "security_spota_file", "dir", "read");
|
||||
deny("drsd", "security_spota_file", "dir", "write");
|
||||
deny("drsd", "security_spota_file", "file", "read");
|
||||
deny("drsd", "security_spota_file", "file", "write");
|
||||
deny("debuggerd", "security_spota_file", "dir", "read");
|
||||
deny("debuggerd", "security_spota_file", "dir", "write");
|
||||
deny("debuggerd", "security_spota_file", "file", "read");
|
||||
deny("debuggerd", "security_spota_file", "file", "write");
|
||||
deny("vold", "security_spota_file", "dir", "read");
|
||||
deny("vold", "security_spota_file", "dir", "write");
|
||||
deny("vold", "security_spota_file", "file", "read");
|
||||
deny("vold", "security_spota_file", "file", "write");
|
||||
deny("zygote", "security_spota_file", "dir", "read");
|
||||
deny("zygote", "security_spota_file", "dir", "write");
|
||||
deny("zygote", "security_spota_file", "file", "read");
|
||||
deny("zygote", "security_spota_file", "file", "write");
|
||||
deny("auditd", "security_spota_file", "dir", "read");
|
||||
deny("auditd", "security_spota_file", "dir", "write");
|
||||
deny("auditd", "security_spota_file", "file", "read");
|
||||
deny("auditd", "security_spota_file", "file", "write");
|
||||
deny("servicemanager", "security_spota_file", "dir", "read");
|
||||
deny("servicemanager", "security_spota_file", "dir", "write");
|
||||
deny("servicemanager", "security_spota_file", "file", "read");
|
||||
deny("servicemanager", "security_spota_file", "file", "write");
|
||||
deny("itsonbs", "security_spota_file", "dir", "read");
|
||||
deny("itsonbs", "security_spota_file", "dir", "write");
|
||||
deny("itsonbs", "security_spota_file", "file", "read");
|
||||
deny("itsonbs", "security_spota_file", "file", "write");
|
||||
deny("commonplatformappdomain", "security_spota_file", "dir", "read");
|
||||
deny("commonplatformappdomain", "security_spota_file", "dir", "write");
|
||||
deny("commonplatformappdomain", "security_spota_file", "file", "read");
|
||||
deny("commonplatformappdomain", "security_spota_file", "file", "write");
|
||||
sepol_deny("init", "kernel", "security", "load_policy");
|
||||
sepol_deny("policyloader_app", "security_spota_file", "dir", "read");
|
||||
sepol_deny("policyloader_app", "security_spota_file", "dir", "write");
|
||||
sepol_deny("policyloader_app", "security_spota_file", "file", "read");
|
||||
sepol_deny("policyloader_app", "security_spota_file", "file", "write");
|
||||
sepol_deny("system_server", "security_spota_file", "dir", "read");
|
||||
sepol_deny("system_server", "security_spota_file", "dir", "write");
|
||||
sepol_deny("system_server", "security_spota_file", "file", "read");
|
||||
sepol_deny("system_server", "security_spota_file", "file", "write");
|
||||
sepol_deny("system_app", "security_spota_file", "dir", "read");
|
||||
sepol_deny("system_app", "security_spota_file", "dir", "write");
|
||||
sepol_deny("system_app", "security_spota_file", "file", "read");
|
||||
sepol_deny("system_app", "security_spota_file", "file", "write");
|
||||
sepol_deny("installd", "security_spota_file", "dir", "read");
|
||||
sepol_deny("installd", "security_spota_file", "dir", "write");
|
||||
sepol_deny("installd", "security_spota_file", "file", "read");
|
||||
sepol_deny("installd", "security_spota_file", "file", "write");
|
||||
sepol_deny("init", "security_spota_file", "dir", "read");
|
||||
sepol_deny("init", "security_spota_file", "dir", "write");
|
||||
sepol_deny("init", "security_spota_file", "file", "read");
|
||||
sepol_deny("init", "security_spota_file", "file", "write");
|
||||
sepol_deny("ueventd", "security_spota_file", "dir", "read");
|
||||
sepol_deny("ueventd", "security_spota_file", "dir", "write");
|
||||
sepol_deny("ueventd", "security_spota_file", "file", "read");
|
||||
sepol_deny("ueventd", "security_spota_file", "file", "write");
|
||||
sepol_deny("runas", "security_spota_file", "dir", "read");
|
||||
sepol_deny("runas", "security_spota_file", "dir", "write");
|
||||
sepol_deny("runas", "security_spota_file", "file", "read");
|
||||
sepol_deny("runas", "security_spota_file", "file", "write");
|
||||
sepol_deny("drsd", "security_spota_file", "dir", "read");
|
||||
sepol_deny("drsd", "security_spota_file", "dir", "write");
|
||||
sepol_deny("drsd", "security_spota_file", "file", "read");
|
||||
sepol_deny("drsd", "security_spota_file", "file", "write");
|
||||
sepol_deny("debuggerd", "security_spota_file", "dir", "read");
|
||||
sepol_deny("debuggerd", "security_spota_file", "dir", "write");
|
||||
sepol_deny("debuggerd", "security_spota_file", "file", "read");
|
||||
sepol_deny("debuggerd", "security_spota_file", "file", "write");
|
||||
sepol_deny("vold", "security_spota_file", "dir", "read");
|
||||
sepol_deny("vold", "security_spota_file", "dir", "write");
|
||||
sepol_deny("vold", "security_spota_file", "file", "read");
|
||||
sepol_deny("vold", "security_spota_file", "file", "write");
|
||||
sepol_deny("zygote", "security_spota_file", "dir", "read");
|
||||
sepol_deny("zygote", "security_spota_file", "dir", "write");
|
||||
sepol_deny("zygote", "security_spota_file", "file", "read");
|
||||
sepol_deny("zygote", "security_spota_file", "file", "write");
|
||||
sepol_deny("auditd", "security_spota_file", "dir", "read");
|
||||
sepol_deny("auditd", "security_spota_file", "dir", "write");
|
||||
sepol_deny("auditd", "security_spota_file", "file", "read");
|
||||
sepol_deny("auditd", "security_spota_file", "file", "write");
|
||||
sepol_deny("servicemanager", "security_spota_file", "dir", "read");
|
||||
sepol_deny("servicemanager", "security_spota_file", "dir", "write");
|
||||
sepol_deny("servicemanager", "security_spota_file", "file", "read");
|
||||
sepol_deny("servicemanager", "security_spota_file", "file", "write");
|
||||
sepol_deny("itsonbs", "security_spota_file", "dir", "read");
|
||||
sepol_deny("itsonbs", "security_spota_file", "dir", "write");
|
||||
sepol_deny("itsonbs", "security_spota_file", "file", "read");
|
||||
sepol_deny("itsonbs", "security_spota_file", "file", "write");
|
||||
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "read");
|
||||
sepol_deny("commonplatformappdomain", "security_spota_file", "dir", "write");
|
||||
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "read");
|
||||
sepol_deny("commonplatformappdomain", "security_spota_file", "file", "write");
|
||||
}
|
||||
|
||||
void allowSuClient(char *target) {
|
||||
allow(target, "rootfs", "file", "execute_no_trans");
|
||||
allow(target, "rootfs", "file", "execute");
|
||||
allow(target, "su", "unix_stream_socket", "connectto");
|
||||
allow(target, "su", "unix_stream_socket", "getopt");
|
||||
allow(target, "su_device", "dir", "search");
|
||||
allow(target, "su_device", "dir", "read");
|
||||
allow(target, "su_device", "sock_file", "read");
|
||||
allow(target, "su_device", "sock_file", "write");
|
||||
sepol_allow(target, "rootfs", "file", "execute_no_trans");
|
||||
sepol_allow(target, "rootfs", "file", "execute");
|
||||
sepol_allow(target, "su", "unix_stream_socket", "connectto");
|
||||
sepol_allow(target, "su", "unix_stream_socket", "getopt");
|
||||
sepol_allow(target, "su_device", "dir", "search");
|
||||
sepol_allow(target, "su_device", "dir", "read");
|
||||
sepol_allow(target, "su_device", "sock_file", "read");
|
||||
sepol_allow(target, "su_device", "sock_file", "write");
|
||||
}
|
||||
|
||||
void suRights() {
|
||||
allow("servicemanager", "su", "dir", "search");
|
||||
allow("servicemanager", "su", "dir", "read");
|
||||
allow("servicemanager", "su", "file", "open");
|
||||
allow("servicemanager", "su", "file", "read");
|
||||
allow("servicemanager", "su", "process", "getattr");
|
||||
allow("servicemanager", "su", "binder", "transfer");
|
||||
allow("system_server", "su", "binder", "call");
|
||||
sepol_allow("servicemanager", "su", "dir", "search");
|
||||
sepol_allow("servicemanager", "su", "dir", "read");
|
||||
sepol_allow("servicemanager", "su", "file", "open");
|
||||
sepol_allow("servicemanager", "su", "file", "read");
|
||||
sepol_allow("servicemanager", "su", "process", "getattr");
|
||||
sepol_allow("servicemanager", "su", "binder", "transfer");
|
||||
sepol_allow("system_server", "su", "binder", "call");
|
||||
}
|
||||
|
||||
void otherToSU() {
|
||||
// allowLog
|
||||
allow("logd", "su", "dir", "search");
|
||||
allow("logd", "su", "file", "read");
|
||||
allow("logd", "su", "file", "open");
|
||||
allow("logd", "su", "file", "getattr");
|
||||
sepol_allow("logd", "su", "dir", "search");
|
||||
sepol_allow("logd", "su", "file", "read");
|
||||
sepol_allow("logd", "su", "file", "open");
|
||||
sepol_allow("logd", "su", "file", "getattr");
|
||||
|
||||
// suBackL0
|
||||
allow("system_server", "su", "binder", "call");
|
||||
allow("system_server", "su", "binder", "transfer");
|
||||
sepol_allow("system_server", "su", "binder", "call");
|
||||
sepol_allow("system_server", "su", "binder", "transfer");
|
||||
|
||||
// ES Explorer opens a sokcet
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "read");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "getattr");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "write");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "setattr");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "lock");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "append");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "bind");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "connect");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "getopt");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "setopt");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
|
||||
allow("untrusted_app", "su", "unix_stream_socket", "connectto");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "ioctl");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "read");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "getattr");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "write");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "setattr");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "lock");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "append");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "bind");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "connect");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "getopt");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "setopt");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "shutdown");
|
||||
sepol_allow("untrusted_app", "su", "unix_stream_socket", "connectto");
|
||||
|
||||
// Any domain is allowed to send su "sigchld"
|
||||
allow(ALL, "su", "process", "sigchld");
|
||||
sepol_allow(ALL, "su", "process", "sigchld");
|
||||
|
||||
// uNetworkL0
|
||||
attradd("su", "netdomain");
|
||||
attradd("su", "bluetoothdomain");
|
||||
sepol_attradd("su", "netdomain");
|
||||
sepol_attradd("su", "bluetoothdomain");
|
||||
|
||||
// suBackL6
|
||||
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
||||
allow("surfaceflinger", "app_data_file", "file", ALL);
|
||||
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
||||
attradd("surfaceflinger", "mlstrustedsubject");
|
||||
sepol_allow("surfaceflinger", "app_data_file", "dir", ALL);
|
||||
sepol_allow("surfaceflinger", "app_data_file", "file", ALL);
|
||||
sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
||||
sepol_attradd("surfaceflinger", "mlstrustedsubject");
|
||||
|
||||
// suMiscL6
|
||||
if (exists("audioserver"))
|
||||
allow("audioserver", "audioserver", "process", "execmem");
|
||||
if (sepol_exists("audioserver"))
|
||||
sepol_allow("audioserver", "audioserver", "process", "execmem");
|
||||
}
|
||||
|
||||
void full_rules() {
|
||||
void sepol_full_rules() {
|
||||
// Samsung specific
|
||||
// Prevent system from loading policy
|
||||
if(exists("knox_system_app"))
|
||||
if(sepol_exists("knox_system_app"))
|
||||
samsung();
|
||||
|
||||
// Min rules first
|
||||
min_rules();
|
||||
sepol_min_rules();
|
||||
|
||||
// Create domains if they don't exist
|
||||
if (!exists("su_device"))
|
||||
create("su_device");
|
||||
enforce("su_device");
|
||||
if (!sepol_exists("su_device"))
|
||||
sepol_create("su_device");
|
||||
sepol_enforce("su_device");
|
||||
|
||||
// Patch su to everything
|
||||
allow("su", ALL, ALL, ALL);
|
||||
sepol_allow("su", ALL, ALL, ALL);
|
||||
|
||||
// Autotransition su's socket to su_device
|
||||
add_transition("su", "device", "file", "su_device");
|
||||
add_transition("su", "device", "dir", "su_device");
|
||||
allow("su_device", "tmpfs", "filesystem", "associate");
|
||||
sepol_typetrans("su", "device", "file", "su_device", NULL);
|
||||
sepol_typetrans("su", "device", "dir", "su_device", NULL);
|
||||
sepol_allow("su_device", "tmpfs", "filesystem", "associate");
|
||||
|
||||
// Transition from untrusted_app to su_client
|
||||
allowSuClient("shell");
|
||||
allowSuClient("untrusted_app");
|
||||
allowSuClient("system_app");
|
||||
allowSuClient("platform_app");
|
||||
if (exists("priv_app"))
|
||||
if (sepol_exists("priv_app"))
|
||||
allowSuClient("priv_app");
|
||||
if (exists("ssd_tool"))
|
||||
if (sepol_exists("ssd_tool"))
|
||||
allowSuClient("ssd_tool");
|
||||
|
||||
// Allow init to execute su daemon/transition
|
||||
allow("init", "su", "process", "transition");
|
||||
allow("init", "su", "process", "rlimitinh");
|
||||
allow("init", "su", "process", "siginh");
|
||||
allow("init", "su", "process", "noatsecure");
|
||||
sepol_allow("init", "su", "process", "transition");
|
||||
sepol_allow("init", "su", "process", "rlimitinh");
|
||||
sepol_allow("init", "su", "process", "siginh");
|
||||
sepol_allow("init", "su", "process", "noatsecure");
|
||||
suRights();
|
||||
otherToSU();
|
||||
|
||||
// Need to set su_device/su as trusted to be accessible from other categories
|
||||
attradd("su_device", "mlstrustedobject");
|
||||
attradd("su", "mlstrustedsubject");
|
||||
sepol_attradd("su_device", "mlstrustedobject");
|
||||
sepol_attradd("su", "mlstrustedsubject");
|
||||
|
||||
}
|
||||
|
||||
// Minimal to run Magisk script before live patching
|
||||
void min_rules() {
|
||||
void sepol_min_rules() {
|
||||
|
||||
if (!exists("su"))
|
||||
create("su");
|
||||
permissive("su");
|
||||
permissive("init");
|
||||
if (!sepol_exists("su"))
|
||||
sepol_create("su");
|
||||
sepol_permissive("su");
|
||||
sepol_permissive("init");
|
||||
|
||||
attradd("su", "mlstrustedsubject");
|
||||
sepol_attradd("su", "mlstrustedsubject");
|
||||
|
||||
// Let init run stuffs in su context
|
||||
allow("kernel", "su", "fd", "use");
|
||||
allow("init", "su", "process", ALL);
|
||||
allow("init", "system_file", "dir", ALL);
|
||||
allow("init", "system_file", "lnk_file", ALL);
|
||||
allow("init", "system_file", "file", ALL);
|
||||
sepol_allow("kernel", "su", "fd", "use");
|
||||
sepol_allow("init", "su", "process", ALL);
|
||||
sepol_allow("init", "system_file", "dir", ALL);
|
||||
sepol_allow("init", "system_file", "lnk_file", ALL);
|
||||
sepol_allow("init", "system_file", "file", ALL);
|
||||
|
||||
// Misc: basic shell scripts, prop management etc.
|
||||
allow("su", "property_socket", "sock_file", "write");
|
||||
if (exists("default_prop"))
|
||||
allow("su", "default_prop", "property_service", "set");
|
||||
allow("su", "init", "unix_stream_socket", "connectto");
|
||||
allow("su", "su", "unix_dgram_socket", ALL);
|
||||
allow("su", "su", "unix_stream_socket", ALL);
|
||||
allow("su", "su", "process", ALL);
|
||||
allow("su", "su", "capability", ALL);
|
||||
allow("su", "su", "file", ALL);
|
||||
allow("su", "su", "fifo_file", ALL);
|
||||
allow("su", "su", "lnk_file", ALL);
|
||||
allow("su", "su", "dir", ALL);
|
||||
sepol_allow("su", "property_socket", "sock_file", "write");
|
||||
if (sepol_exists("default_prop"))
|
||||
sepol_allow("su", "default_prop", "property_service", "set");
|
||||
sepol_allow("su", "init", "unix_stream_socket", "connectto");
|
||||
sepol_allow("su", "su", "unix_dgram_socket", ALL);
|
||||
sepol_allow("su", "su", "unix_stream_socket", ALL);
|
||||
sepol_allow("su", "su", "process", ALL);
|
||||
sepol_allow("su", "su", "capability", ALL);
|
||||
sepol_allow("su", "su", "file", ALL);
|
||||
sepol_allow("su", "su", "fifo_file", ALL);
|
||||
sepol_allow("su", "su", "lnk_file", ALL);
|
||||
sepol_allow("su", "su", "dir", ALL);
|
||||
|
||||
// Allow su to do anything to files/dir/links
|
||||
allow("su", ALL, "file", ALL);
|
||||
allow("su", ALL, "dir", ALL);
|
||||
allow("su", ALL, "lnk_file", ALL);
|
||||
sepol_allow("su", ALL, "file", ALL);
|
||||
sepol_allow("su", ALL, "dir", ALL);
|
||||
sepol_allow("su", ALL, "lnk_file", ALL);
|
||||
|
||||
// For sepolicy live patching
|
||||
allow("su", "kernel", "security", "read_policy");
|
||||
allow("su", "kernel", "security", "load_policy");
|
||||
sepol_allow("su", "kernel", "security", "read_policy");
|
||||
sepol_allow("su", "kernel", "security", "load_policy");
|
||||
|
||||
// For mounting loop devices and mirrors
|
||||
allow("su", "kernel", "process", "setsched");
|
||||
allow("su", "labeledfs", "filesystem", "mount");
|
||||
allow("su", "labeledfs", "filesystem", "unmount");
|
||||
allow("su", "loop_device", "blk_file", ALL);
|
||||
allow("su", "block_device", "blk_file", ALL);
|
||||
allow("su", "system_block_device", "blk_file", ALL);
|
||||
sepol_allow("su", "kernel", "process", "setsched");
|
||||
sepol_allow("su", "labeledfs", "filesystem", "mount");
|
||||
sepol_allow("su", "labeledfs", "filesystem", "unmount");
|
||||
sepol_allow("su", "loop_device", "blk_file", ALL);
|
||||
sepol_allow("su", "block_device", "blk_file", ALL);
|
||||
sepol_allow("su", "system_block_device", "blk_file", ALL);
|
||||
|
||||
// Xposed
|
||||
allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
||||
allow("system_server", "dex2oat_exec", "file", ALL);
|
||||
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
||||
sepol_allow("system_server", "dex2oat_exec", "file", ALL);
|
||||
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
#include "magiskpolicy.h"
|
||||
#include "sepolicy.h"
|
||||
|
||||
static void *cmalloc(size_t s) {
|
||||
void *t = malloc(s);
|
||||
|
48
sepolicy.h
Normal file
48
sepolicy.h
Normal file
@ -0,0 +1,48 @@
|
||||
/* sepolicy.h - Header for magiskpolicy non-public APIs
|
||||
*/
|
||||
|
||||
#ifndef _SEPOLICY_H
|
||||
#define _SEPOLICY_H
|
||||
|
||||
#define ALL NULL
|
||||
|
||||
#include <getopt.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio.h>
|
||||
#include <limits.h>
|
||||
#include <string.h>
|
||||
#include <sepol/debug.h>
|
||||
#include <sepol/policydb/policydb.h>
|
||||
#include <sepol/policydb/expand.h>
|
||||
#include <sepol/policydb/link.h>
|
||||
#include <sepol/policydb/services.h>
|
||||
#include <sepol/policydb/avrule_block.h>
|
||||
#include <sepol/policydb/conditional.h>
|
||||
#include <sepol/policydb/constraint.h>
|
||||
|
||||
#include "vector.h"
|
||||
|
||||
// hashtab traversal macro
|
||||
#define hashtab_for_each(table, ptr) \
|
||||
for (int _i = 0; _i < table->size; ++_i) \
|
||||
for (*ptr = table->htable[_i]; *ptr != NULL; *ptr = (*ptr)->next)
|
||||
|
||||
// Global policydb
|
||||
policydb_t *policy;
|
||||
|
||||
// sepolicy manipulation functions
|
||||
int load_policy(const char *filename);
|
||||
int dump_policy(const char *filename);
|
||||
int create_domain(char *d);
|
||||
int set_domain_state(char* s, int state);
|
||||
int add_transition(char *s, char *t, char *c, char *d);
|
||||
int add_file_transition(char *s, char *t, char *c, char *d, char* filename);
|
||||
int add_typeattribute(char *domainS, char *attr);
|
||||
int add_rule(char *s, char *t, char *c, char *p, int effect, int not);
|
||||
|
||||
#endif
|
Loading…
x
Reference in New Issue
Block a user