Apply all sepolicy patches pre-init
Boot services tend to fail in the middle when the kernel loads a sepolicy live. It seems that moving the full patch (allow magisk * * *) to late_start is still not enough to fix service startup failures. So screw it, apply all patches in magiskinit, which makes sure that all rules are only loaded in a single step. The only downside is that some OEMs with a HUGE set of secontexts (e.g. Samsung) might suffer a slightly longer boot time, which IS the reason why the rules were split into 2 parts in the first place.
This commit is contained in:
parent
ff36f2ba17
commit
ada0f93686
@ -706,6 +706,8 @@ void startup() {
|
|||||||
xsymlink(MIRRDIR "/bin/busybox", BBPATH "/busybox");
|
xsymlink(MIRRDIR "/bin/busybox", BBPATH "/busybox");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
|
||||||
|
|
||||||
// Start post-fs-data mode
|
// Start post-fs-data mode
|
||||||
execl("/sbin/magisk.bin", "magisk", "--post-fs-data", NULL);
|
execl("/sbin/magisk.bin", "magisk", "--post-fs-data", NULL);
|
||||||
}
|
}
|
||||||
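Review bot: The read-only remount of `/` added before the post-fs-data exec carries no explanation of why it now lives in startup() rather than in post_fs_data(), and the next reader will not know what it relies on; a one-line comment at the new `xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);` would fix that, e.g. `// Remount rootfs read-only here: the sepolicy patching that used to follow in post-fs-data is now done entirely in magiskinit, so nothing later needs / writable`. The second half of that comment is inferred from the commit message, not from the hunk, so adjust it if anything after this point still writes to the rootfs. startup()'s body begins outside the hunk.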
@ -720,10 +722,6 @@ void post_fs_data(int client) {
|
|||||||
|
|
||||||
LOGI("** post-fs-data mode running\n");
|
LOGI("** post-fs-data mode running\n");
|
||||||
|
|
||||||
xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
|
|
||||||
full_patch_pid = exec_command(0, NULL, NULL,
|
|
||||||
"/sbin/magiskpolicy", "--save", TMPSEPOLICY, "allow "SEPOL_PROC_DOMAIN" * * *", NULL);
|
|
||||||
|
|
||||||
// Allocate buffer
|
// Allocate buffer
|
||||||
vec_init(&module_list);
|
vec_init(&module_list);
|
||||||
|
|
||||||
@ -843,14 +841,6 @@ void late_start(int client) {
|
|||||||
|
|
||||||
auto_start_magiskhide();
|
auto_start_magiskhide();
|
||||||
|
|
||||||
if (full_patch_pid > 0) {
|
|
||||||
// Wait till the full patch is done
|
|
||||||
waitpid(full_patch_pid, NULL, 0);
|
|
||||||
// Load the policy
|
|
||||||
exec_command_sync("/sbin/magiskpolicy", "--live", "--load", TMPSEPOLICY, NULL);
|
|
||||||
unlink(TMPSEPOLICY);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Run scripts after full patch, most reliable way to run scripts
|
// Run scripts after full patch, most reliable way to run scripts
|
||||||
LOGI("* Running service.d scripts\n");
|
LOGI("* Running service.d scripts\n");
|
||||||
exec_common_script("service");
|
exec_common_script("service");
|
||||||
|
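Review bot: The context comment `// Run scripts after full patch, most reliable way to run scripts` is now stale, because this hunk removes the full-patch wait and live load from late_start() while leaving the comment that refers to it. Reword it to describe what remains true, e.g. `// Run service.d scripts in late_start; by now the full sepolicy (patched in magiskinit) is in effect, the most reliable point to run scripts`. late_start() starts outside the hunk.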
@ -23,7 +23,6 @@
|
|||||||
|
|
||||||
int setup_done = 0;
|
int setup_done = 0;
|
||||||
int seperate_vendor = 0;
|
int seperate_vendor = 0;
|
||||||
int full_patch_pid = -1;
|
|
||||||
|
|
||||||
static void *request_handler(void *args) {
|
static void *request_handler(void *args) {
|
||||||
int client = *((int *) args);
|
int client = *((int *) args);
|
||||||
|
@ -220,6 +220,7 @@ static int patch_sepolicy() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sepol_magisk_rules();
|
sepol_magisk_rules();
|
||||||
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
||||||
dump_policydb("/sepolicy");
|
dump_policydb("/sepolicy");
|
||||||
|
|
||||||
// Remove the stupid debug sepolicy and use our own
|
// Remove the stupid debug sepolicy and use our own
|
||||||
|
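Review bot: The new `sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);` has no comment, so a reader of patch_sepolicy() will take the wildcard grant for an accident rather than the deliberate move of the former late_start live patch into the single init-time policy that dump_policydb writes to `/sepolicy`. Add one line above it: `// Unrestricted grant for the Magisk process domain (moved here from late_start): applying it in the single init-time load avoids the service failures caused by patching live`. The call's result is also discarded; if sepol_allow reports failure, log it here, since a silently missing rule would otherwise surface only as service breakage later in boot. patch_sepolicy() starts outside the hunk.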
@ -10,7 +10,6 @@
|
|||||||
|
|
||||||
extern int setup_done;
|
extern int setup_done;
|
||||||
extern int seperate_vendor;
|
extern int seperate_vendor;
|
||||||
extern int full_patch_pid;
|
|
||||||
|
|
||||||
// Commands require connecting to daemon
|
// Commands require connecting to daemon
|
||||||
enum {
|
enum {
|
||||||
|
@ -66,8 +66,8 @@ static void usage(char *arg0) {
|
|||||||
"\n"
|
"\n"
|
||||||
"Options:\n"
|
"Options:\n"
|
||||||
" --live directly apply sepolicy live\n"
|
" --live directly apply sepolicy live\n"
|
||||||
" --magisk inject built-in rules for a Magisk\n"
|
" --magisk inject built-in rules for a minimal\n"
|
||||||
" selinux environment\n"
|
" Magisk selinux environment\n"
|
||||||
" --load FILE load policies from FILE\n"
|
" --load FILE load policies from FILE\n"
|
||||||
" --compile-split compile and load split cil policies\n"
|
" --compile-split compile and load split cil policies\n"
|
||||||
" from system and vendor just like init\n"
|
" from system and vendor just like init\n"
|
||||||
|