From ada0f93686296b43b6a14a5af1677492ba1852e8 Mon Sep 17 00:00:00 2001 From: topjohnwu Date: Thu, 9 Aug 2018 03:20:28 +0800 Subject: [PATCH] Apply all sepolicy patches pre-init Boot services tend to fail in the middle when the kernel loads a sepolicy live. It seems that moving full patch (allow magisk * * *) to late_start is still not enough to fix service startup failures. So screw it, apply all patched in magiskinit, which makes sure that all rules are only loaded in a single step. The only down side is that some OEM with a HUGE set of secontexts (e.g. Samsung) might suffer a slightly longer boot time, which IS the reason why the rules are split to 2 parts in the first place. --- native/jni/core/bootstages.c | 14 ++------------ native/jni/core/daemon.c | 1 - native/jni/core/magiskinit.c | 1 + native/jni/include/daemon.h | 1 - native/jni/magiskpolicy/magiskpolicy.c | 4 ++-- 5 files changed, 5 insertions(+), 16 deletions(-) diff --git a/native/jni/core/bootstages.c b/native/jni/core/bootstages.c index a9806a44b..b5a5d4986 100644 --- a/native/jni/core/bootstages.c +++ b/native/jni/core/bootstages.c @@ -706,6 +706,8 @@ void startup() { xsymlink(MIRRDIR "/bin/busybox", BBPATH "/busybox"); } + xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL); + // Start post-fs-data mode execl("/sbin/magisk.bin", "magisk", "--post-fs-data", NULL); } @@ -720,10 +722,6 @@ void post_fs_data(int client) { LOGI("** post-fs-data mode running\n"); - xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL); - full_patch_pid = exec_command(0, NULL, NULL, - "/sbin/magiskpolicy", "--save", TMPSEPOLICY, "allow "SEPOL_PROC_DOMAIN" * * *", NULL); - // Allocate buffer vec_init(&module_list); @@ -843,14 +841,6 @@ void late_start(int client) { auto_start_magiskhide(); - if (full_patch_pid > 0) { - // Wait till the full patch is done - waitpid(full_patch_pid, NULL, 0); - // Load the policy - exec_command_sync("/sbin/magiskpolicy", "--live", "--load", TMPSEPOLICY, NULL); - unlink(TMPSEPOLICY); - } - // Run scripts after full patch, most reliable way to run scripts LOGI("* Running service.d scripts\n"); exec_common_script("service"); diff --git a/native/jni/core/daemon.c b/native/jni/core/daemon.c index c6e4d4e10..f70a95e94 100644 --- a/native/jni/core/daemon.c +++ b/native/jni/core/daemon.c @@ -23,7 +23,6 @@ int setup_done = 0; int seperate_vendor = 0; -int full_patch_pid = -1; static void *request_handler(void *args) { int client = *((int *) args); diff --git a/native/jni/core/magiskinit.c b/native/jni/core/magiskinit.c index 133f20e52..991cff9e4 100644 --- a/native/jni/core/magiskinit.c +++ b/native/jni/core/magiskinit.c @@ -220,6 +220,7 @@ static int patch_sepolicy() { } sepol_magisk_rules(); + sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL); dump_policydb("/sepolicy"); // Remove the stupid debug sepolicy and use our own diff --git a/native/jni/include/daemon.h b/native/jni/include/daemon.h index 31c81aa48..b71406018 100644 --- a/native/jni/include/daemon.h +++ b/native/jni/include/daemon.h @@ -10,7 +10,6 @@ extern int setup_done; extern int seperate_vendor; -extern int full_patch_pid; // Commands require connecting to daemon enum { diff --git a/native/jni/magiskpolicy/magiskpolicy.c b/native/jni/magiskpolicy/magiskpolicy.c index 621f8fb2c..75221cfa8 100644 --- a/native/jni/magiskpolicy/magiskpolicy.c +++ b/native/jni/magiskpolicy/magiskpolicy.c @@ -66,8 +66,8 @@ static void usage(char *arg0) { "\n" "Options:\n" " --live directly apply sepolicy live\n" - " --magisk inject built-in rules for a Magisk\n" - " selinux environment\n" + " --magisk inject built-in rules for a minimal\n" + " Magisk selinux environment\n" " --load FILE load policies from FILE\n" " --compile-split compile and load split cil policies\n" " from system and vendor just like init\n"