Revert to old SElinux rules on pre 8.0 devices

Fix #2910

native/jni/core/daemon.cpp

@@ -156,6 +156,8 @@ static void daemon_entry(int ppid) {
 	setsid();
 	setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
 
+	LOGI(NAME_WITH_VER(Magisk) " daemon started\n");
+
 	// Make sure ppid is not in acct
 	char src[64], dest[64];
 	sprintf(src, "/acct/uid_0/pid_%d", ppid);
@@ -167,20 +169,6 @@ static void daemon_entry(int ppid) {
 	MAGISKTMP = dirname(src);
 	xstat("/proc/self/exe", &self_st);
 
-	restore_tmpcon();
-
-	// SAR cleanups
-	auto mount_list = MAGISKTMP + "/" ROOTMNT;
-	if (access(mount_list.data(), F_OK) == 0) {
-		file_readline(true, mount_list.data(), [](string_view line) -> bool {
-			umount2(line.data(), MNT_DETACH);
-			return true;
-		});
-	}
-	unlink("/dev/.se");
-
-	LOGI(NAME_WITH_VER(Magisk) " daemon started\n");
-
 	// Get API level
 	parse_prop_file("/system/build.prop", [](auto key, auto val) -> bool {
 		if (key == "ro.build.version.sdk") {
@@ -198,6 +186,18 @@ static void daemon_entry(int ppid) {
 	}
 	LOGI("* Device API level: %d\n", SDK_INT);
 
+	restore_tmpcon();
+
+	// SAR cleanups
+	auto mount_list = MAGISKTMP + "/" ROOTMNT;
+	if (access(mount_list.data(), F_OK) == 0) {
+		file_readline(true, mount_list.data(), [](string_view line) -> bool {
+			umount2(line.data(), MNT_DETACH);
+			return true;
+		});
+	}
+	unlink("/dev/.se");
+
 	// Load config status
 	auto config = MAGISKTMP + "/" INTLROOT "/config";
 	parse_prop_file(config.data(), [](auto key, auto val) -> bool {

native/jni/core/restorecon.cpp

@@ -1,6 +1,7 @@
 #include <string_view>
 
 #include <magisk.hpp>
+#include <daemon.hpp>
 #include <selinux.hpp>
 #include <utils.hpp>
 
@@ -87,7 +88,7 @@ void restore_tmpcon() {
 	int dfd = dirfd(dir.get());
 
 	for (dirent *entry; (entry = xreaddir(dir.get()));) {
-		if (entry->d_name == "magisk"sv)
+		if (SDK_INT >= 26 && entry->d_name == "magisk"sv)
 			setfilecon_at(dfd, entry->d_name, EXEC_CON);
 		else
 			setfilecon_at(dfd, entry->d_name, SYSTEM_CON);

native/jni/magiskpolicy/rules.cpp

@@ -8,17 +8,18 @@ void sepolicy::magisk_rules() {
 	auto bak = log_cb.w;
 	log_cb.w = nop_log;
 
+	// This indicates API 26+
+	bool new_rules = exists("untrusted_app_25");
+
 	// Prevent anything to change sepolicy except ourselves
 	deny(ALL, "kernel", "security", "load_policy");
 
 	type(SEPOL_PROC_DOMAIN, "domain");
-	type(SEPOL_CLIENT_DOMAIN, "domain");
-	type(SEPOL_FILE_TYPE, "file_type");
-	type(SEPOL_EXEC_TYPE, "file_type");
 	permissive(SEPOL_PROC_DOMAIN);  /* Just in case something is missing */
 	typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
 	typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
 	typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
+	type(SEPOL_FILE_TYPE, "file_type");
 	typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
 
 	// Make our root domain unconstrained
@@ -33,6 +34,10 @@ void sepolicy::magisk_rules() {
 	allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
 	allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
 
+	if (new_rules) {
+		type(SEPOL_CLIENT_DOMAIN, "domain");
+		type(SEPOL_EXEC_TYPE, "file_type");
+
 		// Basic su client needs
 		allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
 		allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
@@ -40,15 +45,17 @@ void sepolicy::magisk_rules() {
 		allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
 		allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
 
-	// Allow su client to manipulate pts
+		// Allow su client termios ioctl
 		const char *pts[] {
-		"devpts", "untrusted_app_devpts", "untrusted_app_25_devpts", "untrusted_app_all_devpts" };
+			"devpts", "untrusted_app_devpts",
+			"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
 		for (auto type : pts) {
+			if (!exists(type))
+				continue;
 			allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
 			allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
 			allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
 			allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
-		if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
 			allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
 		}
 
@@ -84,6 +91,27 @@ void sepolicy::magisk_rules() {
 
 		// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets
 		dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
+	} else {
+		// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
+
+		// Allow these processes to access MagiskSU
+		const char *clients[] {
+			"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app" };
+		for (auto type : clients) {
+			if (!exists(type))
+				continue;
+			allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
+			allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
+
+			// Allow termios ioctl
+			const char *pts[] { "devpts", "untrusted_app_devpts" };
+			for (auto pts_type : pts) {
+				allow(type, pts_type, "chr_file", "ioctl");
+				if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
+					allowxperm(type, pts_type, "chr_file", "0x5400-0x54FF");
+			}
+		}
+	}
 
 	// Let everyone access tmpfs files (for SAR sbin overlay)
 	allow(ALL, "tmpfs", "file", ALL);

scripts/emulator.sh

@@ -57,7 +57,7 @@ pgrep magiskd >/dev/null && pkill -9 magiskd
 [ -e /sys/fs/selinux ] && SELINUX=true || SELINUX=false
 if $SELINUX; then
   ln -sf ./magiskinit magiskpolicy
-  ./magiskpolicy --live --magisk 'allow magisk * * *'
+  ./magiskpolicy --live --magisk
 fi
 
 # Setup sbin overlay
@@ -94,9 +94,6 @@ chmod 755 /sbin/magisk
 ln -s ./magisk /sbin/su
 ln -s ./magisk /sbin/resetprop
 ln -s ./magisk /sbin/magiskhide
-mkdir -p /sbin/.magisk/busybox
-cp -af ./busybox /sbin/.magisk/busybox/busybox
-/sbin/.magisk/busybox/busybox --install -s /sbin/.magisk/busybox
 mkdir -p /data/adb/modules 2>/dev/null
 mkdir /data/adb/post-fs-data.d 2>/dev/null
 mkdir /data/adb/services.d 2>/dev/null