MarcoBuster/Magisk
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add Magisk rules

Browse Source
This commit is contained in:
topjohnwu 2016-10-02 22:48:49 +08:00
parent f140f5f14b
commit 98cdee7f03
2 changed files with 73 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
builtin_rules.c
View File

@ -284,7 +284,7 @@ void otherToSU() {
add_type("surfaceflinger", "mlstrustedsubject", policy); add_type("surfaceflinger", "mlstrustedsubject", policy);
} }
void builtin_rules(policydb_t *policydb) { void phh_rules(policydb_t *policydb) {
policy = policydb; policy = policydb;
// Samsung specific // Samsung specific
@ -306,6 +306,7 @@ void builtin_rules(policydb_t *policydb) {
// Transition from untrusted_app to su_client // Transition from untrusted_app to su_client
allowSuClient("shell"); allowSuClient("shell");
allowSuClient("untrusted_app"); allowSuClient("untrusted_app");
allowSuClient("system_app");
allowSuClient("platform_app"); allowSuClient("platform_app");
allowSuClient("su"); allowSuClient("su");
@ -328,3 +329,63 @@ void builtin_rules(policydb_t *policydb) {
add_type("su_daemon", "mlstrustedsubject", policy); add_type("su_daemon", "mlstrustedsubject", policy);
add_type("su", "mlstrustedsubject", policy); add_type("su", "mlstrustedsubject", policy);
} }
void magisk_rules(policydb_t *policydb) {
policy = policydb;
setPermissive("su", 1);
setPermissive("init", 1);
add_type("su", "mlstrustedsubject", policy);
// Minimal to run Magisk script before live patching
allow("kernel", "su", "fd", "use");
allow("init", "su", "process", ALL);
allow("init", "system_file", "dir", ALL);
allow("init", "system_file", "lnk_file", ALL);
allow("init", "system_file", "file", ALL);
allow("su", "property_socket", "sock_file", "write");
allow("su", "shell_exec", "file", ALL);
allow("su", "init", "unix_stream_socket", "connectto");
allow("su", "su", "unix_dgram_socket", ALL);
allow("su", "su", "unix_stream_socket", ALL);
allow("su", "su", "process", ALL);
allow("su", "su", "capability", ALL);
allow("su", "su", "file", ALL);
allow("su", "su", "fifo_file", ALL);
allow("su", "su", "lnk_file", ALL);
allow("su", "su", "dir", ALL);
allow("su", "device", "file", ALL);
allow("su", "device", "dir", ALL);
allow("su", "storage_file", "file", ALL);
allow("su", "storage_file", "dir", ALL);
allow("su", "sysfs", "file", ALL);
allow("su", "sysfs", "dir", ALL);
allow("su", "block_device", "file", ALL);
allow("su", "block_device", "dir", ALL);
allow("su", "rootfs", "file", ALL);
allow("su", "rootfs", "dir", ALL);
allow("su", "toolbox_exec", "file", ALL);
allow("su", "toolbox_exec", "dir", ALL);
allow("su", "cache_file", "file", ALL);
allow("su", "cache_file", "dir", ALL);
allow("su", "system_file", "file", ALL);
allow("su", "system_file", "dir", ALL);
allow("su", "system_data_file", "file", ALL);
allow("su", "system_data_file", "dir", ALL);
allow("su", "kernel", "security", "read_policy");
allow("su", "kernel", "security", "load_policy");
allow("su", "selinuxfs", "file", ALL);
// Xposed
allow("untrusted_app", "untrusted_app", "capability", "setgid");
allow("system_server", "dex2oat_exec", "file", ALL);
// SuperSU
allow("init", "system_file", "file", "execute_no_trans");
allow("init", "su", "fd", "use");
allow("init", "kernel", "security", "read_policy");
allow("init", "kernel", "security", "load_policy");
}

15
sepolicy-inject.c
View File

@ -23,7 +23,8 @@
#include <sepol/policydb/conditional.h> #include <sepol/policydb/conditional.h>
#include <sepol/policydb/constraint.h> #include <sepol/policydb/constraint.h>
extern void builtin_rules(policydb_t *policydb); extern void phh_rules(policydb_t *policydb);
extern void magisk_rules(policydb_t *policydb);
void usage(char *arg0) { void usage(char *arg0) {
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0); fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
@ -545,7 +546,7 @@ int main(int argc, char **argv)
{ {
char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL; char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL; char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
int exists = 0, not = 0, live = 0, builtin = 0; int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
policydb_t policydb; policydb_t policydb;
struct policy_file pf, outpf; struct policy_file pf, outpf;
sidtab_t sidtab; sidtab_t sidtab;
@ -569,6 +570,7 @@ int main(int argc, char **argv)
{"not-permissive", required_argument, NULL, 'z'}, {"not-permissive", required_argument, NULL, 'z'},
{"not", no_argument, NULL, 0}, {"not", no_argument, NULL, 0},
{"live", no_argument, NULL, 0}, {"live", no_argument, NULL, 0},
{"magisk", no_argument, NULL, 0},
{NULL, 0, NULL, 0} {NULL, 0, NULL, 0}
}; };
@ -580,6 +582,8 @@ int main(int argc, char **argv)
not = 1; not = 1;
else if(strcmp(long_options[option_index].name, "live") == 0) else if(strcmp(long_options[option_index].name, "live") == 0)
live = 1; live = 1;
else if(strcmp(long_options[option_index].name, "magisk") == 0)
magisk = 1;
else else
usage(argv[0]); usage(argv[0]);
break; break;
@ -630,7 +634,7 @@ int main(int argc, char **argv)
} }
// Use builtin rules if nothing specified // Use builtin rules if nothing specified
if (!source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists) if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
builtin = 1; builtin = 1;
// Overwrite original if not specified // Overwrite original if not specified
@ -653,7 +657,10 @@ int main(int argc, char **argv)
return 1; return 1;
if (builtin) { if (builtin) {
builtin_rules(&policydb); phh_rules(&policydb);
}
else if (magisk) {
magisk_rules(&policydb);
} }
else if (permissive) { else if (permissive) {
type_datum_t *type; type_datum_t *type;