Load custom sepolicy
This commit is contained in:
parent
911b8273fe
commit
a462435f2f
@ -12,6 +12,7 @@
|
|||||||
#define BLOCKDIR MAGISKTMP "/block"
|
#define BLOCKDIR MAGISKTMP "/block"
|
||||||
#define BBPATH MAGISKTMP "/busybox"
|
#define BBPATH MAGISKTMP "/busybox"
|
||||||
#define MODULEMNT MAGISKTMP "/modules"
|
#define MODULEMNT MAGISKTMP "/modules"
|
||||||
|
#define ROOTOVERLAY MAGISKTMP "/rootdir"
|
||||||
#define SECURE_DIR "/data/adb"
|
#define SECURE_DIR "/data/adb"
|
||||||
#define MODULEROOT SECURE_DIR "/modules"
|
#define MODULEROOT SECURE_DIR "/modules"
|
||||||
#define MODULEUPGRADE SECURE_DIR "/modules_update"
|
#define MODULEUPGRADE SECURE_DIR "/modules_update"
|
||||||
|
@ -33,7 +33,7 @@ protected:
|
|||||||
|
|
||||||
virtual void early_mount() = 0;
|
virtual void early_mount() = 0;
|
||||||
bool read_dt_fstab(const char *name, char *partname, char *fstype);
|
bool read_dt_fstab(const char *name, char *partname, char *fstype);
|
||||||
bool patch_sepolicy();
|
bool patch_sepolicy(const char *file = "/sepolicy");
|
||||||
void cleanup() override;
|
void cleanup() override;
|
||||||
public:
|
public:
|
||||||
MagiskInit(char *argv[], cmdline *cmd) : BaseInit(argv, cmd) {};
|
MagiskInit(char *argv[], cmdline *cmd) : BaseInit(argv, cmd) {};
|
||||||
|
@ -123,7 +123,7 @@ void SARCompatInit::setup_rootfs() {
|
|||||||
RootFSInit::setup_rootfs();
|
RootFSInit::setup_rootfs();
|
||||||
}
|
}
|
||||||
|
|
||||||
bool MagiskInit::patch_sepolicy() {
|
bool MagiskInit::patch_sepolicy(const char *file) {
|
||||||
bool patch_init = false;
|
bool patch_init = false;
|
||||||
|
|
||||||
if (access(SPLIT_PLAT_CIL, R_OK) == 0) {
|
if (access(SPLIT_PLAT_CIL, R_OK) == 0) {
|
||||||
@ -145,7 +145,7 @@ bool MagiskInit::patch_sepolicy() {
|
|||||||
|
|
||||||
sepol_magisk_rules();
|
sepol_magisk_rules();
|
||||||
sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
||||||
dump_policydb("/sepolicy");
|
dump_policydb(file);
|
||||||
|
|
||||||
// Remove OnePlus stupid debug sepolicy and use our own
|
// Remove OnePlus stupid debug sepolicy and use our own
|
||||||
if (access("/sepolicy_debug", F_OK) == 0) {
|
if (access("/sepolicy_debug", F_OK) == 0) {
|
||||||
@ -192,6 +192,9 @@ static void sbin_overlay(const raw_data &self, const raw_data &config) {
|
|||||||
|
|
||||||
#define ROOTMIR MIRRDIR "/system_root"
|
#define ROOTMIR MIRRDIR "/system_root"
|
||||||
#define ROOTBLK BLOCKDIR "/system_root"
|
#define ROOTBLK BLOCKDIR "/system_root"
|
||||||
|
#define MONOPOLICY "/sepolicy"
|
||||||
|
#define PATCHPOLICY "/sbin/.se"
|
||||||
|
#define LIBSELINUX "/system/" LIBNAME "/libselinux.so"
|
||||||
|
|
||||||
void SARInit::patch_rootdir() {
|
void SARInit::patch_rootdir() {
|
||||||
sbin_overlay(self, config);
|
sbin_overlay(self, config);
|
||||||
@ -232,6 +235,59 @@ void SARInit::patch_rootdir() {
|
|||||||
}
|
}
|
||||||
close(src);
|
close(src);
|
||||||
close(dest);
|
close(dest);
|
||||||
|
|
||||||
|
// Customize rootdir
|
||||||
|
char *addr;
|
||||||
|
size_t size;
|
||||||
|
file_attr attr;
|
||||||
|
bool redirect = false;
|
||||||
|
xmkdir(ROOTOVERLAY, 0);
|
||||||
|
src = xopen("/init", O_RDONLY | O_CLOEXEC);
|
||||||
|
fgetattr(src, &attr);
|
||||||
|
fd_full_read(src, (void**)&addr, &size);
|
||||||
|
close(src);
|
||||||
|
for (char *p = addr; p < addr + size; ++p) {
|
||||||
|
if (memcmp(p, SPLIT_PLAT_CIL, sizeof(SPLIT_PLAT_CIL)) == 0) {
|
||||||
|
// Force init to load monolithic policy
|
||||||
|
LOGD("Remove from init: " SPLIT_PLAT_CIL "\n");
|
||||||
|
memset(p, 'x', sizeof(SPLIT_PLAT_CIL) - 1);
|
||||||
|
p += sizeof(SPLIT_PLAT_CIL) - 1;
|
||||||
|
} else if (memcmp(p, MONOPOLICY, sizeof(MONOPOLICY)) == 0) {
|
||||||
|
// Redirect /sepolicy to tmpfs
|
||||||
|
LOGD("Patch init [" MONOPOLICY "] -> [" PATCHPOLICY "]\n");
|
||||||
|
memcpy(p, PATCHPOLICY, sizeof(PATCHPOLICY));
|
||||||
|
redirect = true;
|
||||||
|
p += sizeof(MONOPOLICY) - 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dest = xopen(ROOTOVERLAY "/init", O_CREAT | O_WRONLY | O_CLOEXEC);
|
||||||
|
xwrite(dest, addr, size);
|
||||||
|
free(addr);
|
||||||
|
fsetattr(dest, &attr);
|
||||||
|
close(dest);
|
||||||
|
xmount(ROOTOVERLAY "/init", "/init", nullptr, MS_BIND, nullptr);
|
||||||
|
|
||||||
|
if (!redirect) {
|
||||||
|
// init is dynamically linked, need to patch libselinux
|
||||||
|
full_read(LIBSELINUX, (void**)&addr, &size);
|
||||||
|
getattr(LIBSELINUX, &attr);
|
||||||
|
for (char *p = addr; p < addr + size; ++p) {
|
||||||
|
if (memcmp(p, MONOPOLICY, sizeof(MONOPOLICY)) == 0) {
|
||||||
|
// Redirect /sepolicy to tmpfs
|
||||||
|
LOGD("Patch libselinux.so [" MONOPOLICY "] -> [" PATCHPOLICY "]\n");
|
||||||
|
memcpy(p, PATCHPOLICY, sizeof(PATCHPOLICY));
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
dest = xopen(ROOTOVERLAY "/libselinux.so", O_CREAT | O_WRONLY | O_CLOEXEC);
|
||||||
|
xwrite(dest, addr, size);
|
||||||
|
free(addr);
|
||||||
|
fsetattr(dest, &attr);
|
||||||
|
close(dest);
|
||||||
|
xmount(ROOTOVERLAY "/libselinux.so", LIBSELINUX, nullptr, MS_BIND, nullptr);
|
||||||
|
}
|
||||||
|
|
||||||
|
patch_sepolicy(PATCHPOLICY);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef MAGISK_DEBUG
|
#ifdef MAGISK_DEBUG
|
||||||
|
Loading…
Reference in New Issue
Block a user