Apply all sepolicy patches pre-init
Boot services tend to fail in the middle when the kernel loads a sepolicy live. It seems that moving the full patch (allow magisk * * *) to late_start is still not enough to fix service startup failures. So screw it, apply all patches in magiskinit, which makes sure that all rules are loaded in a single step. The only downside is that some OEMs with a HUGE set of secontexts (e.g. Samsung) might suffer a slightly longer boot time, which IS the reason why the rules were split into 2 parts in the first place.
This commit is contained in:
parent
ff36f2ba17
commit
ada0f93686
@ -706,6 +706,8 @@ void startup() {
|
||||
xsymlink(MIRRDIR "/bin/busybox", BBPATH "/busybox");
|
||||
}
|
||||
|
||||
xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
|
||||
|
||||
// Start post-fs-data mode
|
||||
execl("/sbin/magisk.bin", "magisk", "--post-fs-data", NULL);
|
||||
}
|
||||
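Review bot: The remount `xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);` now runs unconditionally right before the `execl`, and nothing here reacts to its result; if `xmount` is a log-and-continue wrapper (it looks like one, but that cannot be confirmed from this hunk) a failed remount lets the daemon enter post-fs-data with / still writable, which the old placement inside post_fs_data() at least kept close to the code that relied on it. A one-line comment would preserve that intent now that the two are in different functions, e.g. `// Root must be read-only before post-fs-data runs (moved here from post_fs_data())`. Note also that an `execl` failure falls off the end of `startup()` silently; that is pre-existing, but the remount now precedes it. startup() begins outside this hunk.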
@ -720,10 +722,6 @@ void post_fs_data(int client) {
|
||||
|
||||
LOGI("** post-fs-data mode running\n");
|
||||
|
||||
xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
|
||||
full_patch_pid = exec_command(0, NULL, NULL,
|
||||
"/sbin/magiskpolicy", "--save", TMPSEPOLICY, "allow "SEPOL_PROC_DOMAIN" * * *", NULL);
|
||||
|
||||
// Allocate buffer
|
||||
vec_init(&module_list);
|
||||
|
||||
@ -843,14 +841,6 @@ void late_start(int client) {
|
||||
|
||||
auto_start_magiskhide();
|
||||
|
||||
if (full_patch_pid > 0) {
|
||||
// Wait till the full patch is done
|
||||
waitpid(full_patch_pid, NULL, 0);
|
||||
// Load the policy
|
||||
exec_command_sync("/sbin/magiskpolicy", "--live", "--load", TMPSEPOLICY, NULL);
|
||||
unlink(TMPSEPOLICY);
|
||||
}
|
||||
|
||||
// Run scripts after full patch, most reliable way to run scripts
|
||||
LOGI("* Running service.d scripts\n");
|
||||
exec_common_script("service");
|
||||
|
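Review bot: The surviving comment `// Run scripts after full patch, most reliable way to run scripts` now describes something late_start no longer does: the waitpid/`--live --load` block it referred to is deleted here and the full allow rule is applied pre-init instead, so the comment should be rewritten, e.g. `// Run service.d scripts; the full sepolicy patch is already in the base policy from magiskinit`. With `unlink(TMPSEPOLICY)` gone, nothing in this function removes a leftover TMPSEPOLICY written by an older build, if that path can still exist on disk (cannot confirm from this hunk). late_start() begins and ends outside this hunk.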
@ -23,7 +23,6 @@
|
||||
|
||||
int setup_done = 0;
|
||||
int seperate_vendor = 0;
|
||||
int full_patch_pid = -1;
|
||||
|
||||
static void *request_handler(void *args) {
|
||||
int client = *((int *) args);
|
||||
|
@ -220,6 +220,7 @@ static int patch_sepolicy() {
|
||||
}
|
||||
|
||||
sepol_magisk_rules();
|
||||
sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
||||
dump_policydb("/sepolicy");
|
||||
|
||||
// Remove the stupid debug sepolicy and use our own
|
||||
|
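Review bot: `sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);` places a wildcard allow for the daemon domain into the policy that `dump_policydb("/sepolicy")` writes out, so that domain is effectively unconfined from init onward rather than only after late_start, and both calls discard their return values — if either fails, boot continues with a policy that may lack the rule, which is the very service-startup failure this commit is meant to cure. Consider checking the results (whether `sepol_allow` can report failure is not visible in this hunk) and recording the intent, e.g. `// Unconfine the daemon domain in the base policy: a later --live load raced service startup (see commit message)`. Because the rule is now persisted in /sepolicy, anything that transitions into SEPOL_PROC_DOMAIN holds these permissions for the whole boot; the comment should state that this is deliberate. patch_sepolicy() begins and ends outside this hunk.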
@ -10,7 +10,6 @@
|
||||
|
||||
extern int setup_done;
|
||||
extern int seperate_vendor;
|
||||
extern int full_patch_pid;
|
||||
|
||||
// Commands require connecting to daemon
|
||||
enum {
|
||||
|
@ -66,8 +66,8 @@ static void usage(char *arg0) {
|
||||
"\n"
|
||||
"Options:\n"
|
||||
" --live directly apply sepolicy live\n"
|
||||
" --magisk inject built-in rules for a Magisk\n"
|
||||
" selinux environment\n"
|
||||
" --magisk inject built-in rules for a minimal\n"
|
||||
" Magisk selinux environment\n"
|
||||
" --load FILE load policies from FILE\n"
|
||||
" --compile-split compile and load split cil policies\n"
|
||||
" from system and vendor just like init\n"
|
||||
|