Load custom sepolicy

This commit is contained in:
topjohnwu 2019-06-25 21:34:02 -07:00
parent 911b8273fe
commit a462435f2f
3 changed files with 60 additions and 3 deletions

View File

@ -12,6 +12,7 @@
#define BLOCKDIR MAGISKTMP "/block" #define BLOCKDIR MAGISKTMP "/block"
#define BBPATH MAGISKTMP "/busybox" #define BBPATH MAGISKTMP "/busybox"
#define MODULEMNT MAGISKTMP "/modules" #define MODULEMNT MAGISKTMP "/modules"
#define ROOTOVERLAY MAGISKTMP "/rootdir"
#define SECURE_DIR "/data/adb" #define SECURE_DIR "/data/adb"
#define MODULEROOT SECURE_DIR "/modules" #define MODULEROOT SECURE_DIR "/modules"
#define MODULEUPGRADE SECURE_DIR "/modules_update" #define MODULEUPGRADE SECURE_DIR "/modules_update"

View File

@ -33,7 +33,7 @@ protected:
virtual void early_mount() = 0; virtual void early_mount() = 0;
bool read_dt_fstab(const char *name, char *partname, char *fstype); bool read_dt_fstab(const char *name, char *partname, char *fstype);
bool patch_sepolicy(); bool patch_sepolicy(const char *file = "/sepolicy");
void cleanup() override; void cleanup() override;
public: public:
MagiskInit(char *argv[], cmdline *cmd) : BaseInit(argv, cmd) {}; MagiskInit(char *argv[], cmdline *cmd) : BaseInit(argv, cmd) {};

View File

@ -123,7 +123,7 @@ void SARCompatInit::setup_rootfs() {
RootFSInit::setup_rootfs(); RootFSInit::setup_rootfs();
} }
bool MagiskInit::patch_sepolicy() { bool MagiskInit::patch_sepolicy(const char *file) {
bool patch_init = false; bool patch_init = false;
if (access(SPLIT_PLAT_CIL, R_OK) == 0) { if (access(SPLIT_PLAT_CIL, R_OK) == 0) {
@ -145,7 +145,7 @@ bool MagiskInit::patch_sepolicy() {
sepol_magisk_rules(); sepol_magisk_rules();
sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL); sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
dump_policydb("/sepolicy"); dump_policydb(file);
// Remove OnePlus stupid debug sepolicy and use our own // Remove OnePlus stupid debug sepolicy and use our own
if (access("/sepolicy_debug", F_OK) == 0) { if (access("/sepolicy_debug", F_OK) == 0) {
@ -192,6 +192,9 @@ static void sbin_overlay(const raw_data &self, const raw_data &config) {
#define ROOTMIR MIRRDIR "/system_root" #define ROOTMIR MIRRDIR "/system_root"
#define ROOTBLK BLOCKDIR "/system_root" #define ROOTBLK BLOCKDIR "/system_root"
#define MONOPOLICY "/sepolicy"
#define PATCHPOLICY "/sbin/.se"
#define LIBSELINUX "/system/" LIBNAME "/libselinux.so"
void SARInit::patch_rootdir() { void SARInit::patch_rootdir() {
sbin_overlay(self, config); sbin_overlay(self, config);
@ -232,6 +235,59 @@ void SARInit::patch_rootdir() {
} }
close(src); close(src);
close(dest); close(dest);
// Customize rootdir
char *addr;
size_t size;
file_attr attr;
bool redirect = false;
xmkdir(ROOTOVERLAY, 0);
src = xopen("/init", O_RDONLY | O_CLOEXEC);
fgetattr(src, &attr);
fd_full_read(src, (void**)&addr, &size);
close(src);
for (char *p = addr; p < addr + size; ++p) {
if (memcmp(p, SPLIT_PLAT_CIL, sizeof(SPLIT_PLAT_CIL)) == 0) {
// Force init to load monolithic policy
LOGD("Remove from init: " SPLIT_PLAT_CIL "\n");
memset(p, 'x', sizeof(SPLIT_PLAT_CIL) - 1);
p += sizeof(SPLIT_PLAT_CIL) - 1;
} else if (memcmp(p, MONOPOLICY, sizeof(MONOPOLICY)) == 0) {
// Redirect /sepolicy to tmpfs
LOGD("Patch init [" MONOPOLICY "] -> [" PATCHPOLICY "]\n");
memcpy(p, PATCHPOLICY, sizeof(PATCHPOLICY));
redirect = true;
p += sizeof(MONOPOLICY) - 1;
}
}
dest = xopen(ROOTOVERLAY "/init", O_CREAT | O_WRONLY | O_CLOEXEC);
xwrite(dest, addr, size);
free(addr);
fsetattr(dest, &attr);
close(dest);
xmount(ROOTOVERLAY "/init", "/init", nullptr, MS_BIND, nullptr);
if (!redirect) {
// init is dynamically linked, need to patch libselinux
full_read(LIBSELINUX, (void**)&addr, &size);
getattr(LIBSELINUX, &attr);
for (char *p = addr; p < addr + size; ++p) {
if (memcmp(p, MONOPOLICY, sizeof(MONOPOLICY)) == 0) {
// Redirect /sepolicy to tmpfs
LOGD("Patch libselinux.so [" MONOPOLICY "] -> [" PATCHPOLICY "]\n");
memcpy(p, PATCHPOLICY, sizeof(PATCHPOLICY));
break;
}
}
dest = xopen(ROOTOVERLAY "/libselinux.so", O_CREAT | O_WRONLY | O_CLOEXEC);
xwrite(dest, addr, size);
free(addr);
fsetattr(dest, &attr);
close(dest);
xmount(ROOTOVERLAY "/libselinux.so", LIBSELINUX, nullptr, MS_BIND, nullptr);
}
patch_sepolicy(PATCHPOLICY);
} }
#ifdef MAGISK_DEBUG #ifdef MAGISK_DEBUG