From d6fb9868bf6f25e58e77c1c35629c0905f8f60da Mon Sep 17 00:00:00 2001
From: topjohnwu
Date: Tue, 19 Nov 2019 05:20:18 -0500
Subject: [PATCH] Small sepolicy refactor and fixes
---
 native/jni/magiskpolicy/api.cpp | 37 ++--
 native/jni/magiskpolicy/magiskpolicy.cpp | 2 +-
 native/jni/magiskpolicy/policydb.cpp | 22 +--
 native/jni/magiskpolicy/rules.cpp | 10 +-
 native/jni/magiskpolicy/sepolicy.c | 225 +++++++++++------------
 native/jni/magiskpolicy/sepolicy.h | 23 +--
 6 files changed, 149 insertions(+), 170 deletions(-)
diff --git a/native/jni/magiskpolicy/api.cpp b/native/jni/magiskpolicy/api.cpp
index 2c29c4e68..8fa498ae2 100644
--- a/native/jni/magiskpolicy/api.cpp
+++ b/native/jni/magiskpolicy/api.cpp
@@ -1,81 +1,84 @@
 #include "magiskpolicy.h"
 #include "sepolicy.h"
+//#define vprint(fmt, ...) printf(fmt, __VA_ARGS__)
+#define vprint(...)
+
 int sepol_allow(const char *s, const char *t, const char *c, const char *p) {
-// printf("allow %s %s %s %s\n", s, t, c, p);
+ vprint("allow %s %s %s %s\n", s, t, c, p);
 return add_rule(s, t, c, p, AVTAB_ALLOWED, 0);
 }
 int sepol_deny(const char *s, const char *t, const char *c, const char *p) {
- // printf("deny %s %s %s %s\n", s, t, c, p);
+ vprint("deny %s %s %s %s\n", s, t, c, p);
 return add_rule(s, t, c, p, AVTAB_ALLOWED, 1);
 }
 int sepol_auditallow(const char *s, const char *t, const char *c, const char *p) {
- // printf("auditallow %s %s %s %s\n", s, t, c, p);
+ vprint("auditallow %s %s %s %s\n", s, t, c, p);
 return add_rule(s, t, c, p, AVTAB_AUDITALLOW, 0);
 }
 int sepol_dontaudit(const char *s, const char *t, const char *c, const char *p) {
- // printf("dontaudit %s %s %s %s\n", s, t, c, p);
- return add_rule(s, t, c, p, AVTAB_AUDITDENY, 0);
+ vprint("dontaudit %s %s %s %s\n", s, t, c, p);
+ return add_rule(s, t, c, p, AVTAB_AUDITDENY, 1);
 }
 int sepol_allowxperm(const char *s, const char *t, const char *c, const char *range) {
- // printf("allowxperm %s %s %s %s\n", s, t, c, range);
+ vprint("allowxperm %s %s %s %s\n", s, t, c, range);
 return add_xperm_rule(s, t, c, range, AVTAB_XPERMS_ALLOWED, 0);
 }
 int sepol_auditallowxperm(const char *s, const char *t, const char *c, const char *range) {
- // printf("auditallowxperm %s %s %s %s\n", s, t, c, range);
+ vprint("auditallowxperm %s %s %s %s\n", s, t, c, range);
 return add_xperm_rule(s, t, c, range, AVTAB_XPERMS_AUDITALLOW, 0);
 }
 int sepol_dontauditxperm(const char *s, const char *t, const char *c, const char *range) {
- // printf("dontauditxperm %s %s %s %s\n", s, t, c, range);
+ vprint("dontauditxperm %s %s %s %s\n", s, t, c, range);
 return add_xperm_rule(s, t, c, range, AVTAB_XPERMS_DONTAUDIT, 0);
 }
 int sepol_typetrans(const char *s, const char *t, const char *c, const char *d) {
- // printf("type_transition %s %s %s %s\n", s, t, c, d);
+ vprint("type_transition %s %s %s %s\n", s, t, c, d);
 return add_type_rule(s, t, c, d, AVTAB_TRANSITION);
 }
 int sepol_typechange(const char *s, const char *t, const char *c, const char *d) {
- // printf("type_change %s %s %s %s\n", s, t, c, d);
+ vprint("type_change %s %s %s %s\n", s, t, c, d);
 return add_type_rule(s, t, c, d, AVTAB_CHANGE);
 }
 int sepol_typemember(const char *s, const char *t, const char *c, const char *d) {
- // printf("type_member %s %s %s %s\n", s, t, c, d);
+ vprint("type_member %s %s %s %s\n", s, t, c, d);
 return add_type_rule(s, t, c, d, AVTAB_MEMBER);
 }
 int sepol_nametrans(const char *s, const char *t, const char *c, const char *d, const char *o) {
- // printf("name_trans %s %s %s %s %s\n", s, t, c, d, o);
+ vprint("name_trans %s %s %s %s %s\n", s, t, c, d, o);
 return add_filename_trans(s, t, c, d, o);
 }
 int sepol_permissive(const char *s) {
- // printf("permissive %s\n", s);
+ vprint("permissive %s\n", s);
 return set_domain_state(s, 1);
 }
 int sepol_enforce(const char *s) {
- // printf("enforce %s\n", s);
+ vprint("enforce %s\n", s);
 return set_domain_state(s, 0);
 }
 int sepol_create(const char *s) {
- // printf("create %s\n", s);
+ vprint("create %s\n", s);
 return create_domain(s);
 }
 int sepol_attradd(const char *s, const char *a) {
- // printf("attradd %s %s\n", s, a);
+ vprint("attradd %s %s\n", s, a);
 return add_typeattribute(s, a);
 }
 int sepol_exists(const char *source) {
- return hashtab_search(policydb->p_types.table, source) != nullptr;
+ return hashtab_search(magisk_policydb->p_types.table, source) != nullptr;
 }
diff --git a/native/jni/magiskpolicy/magiskpolicy.cpp b/native/jni/magiskpolicy/magiskpolicy.cpp
index 9344bb886..d612ee3fb 100644
--- a/native/jni/magiskpolicy/magiskpolicy.cpp
+++ b/native/jni/magiskpolicy/magiskpolicy.cpp
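Review bot: `sepol_dontaudit` now passes `not = 1` to `add_rule` where it passed 0 before, which is a semantic change to how dontaudit rules land in the AVTAB rather than the cosmetic `vprint` cleanup the rest of this hunk performs, and nothing in the new code records why. From the `sepolicy.c` hunk that rewrites `add_avrule`, `not` now means "clear bits" unconditionally and the old "AUDITDENY is inverted" comment there is deleted, so this call site is the only place where the inversion is still visible. A comment above the call, `// AVTAB_AUDITDENY datums hold the permissions that ARE audited (all bits set by default), so dontaudit must clear bits`, would keep the next refactor from "fixing" it back to 0. Since the empty `#define vprint(...)` discards its arguments entirely, the format strings here are never compiled in; that is harmless for these plain parameters, but nothing with side effects may ever be placed inside a `vprint(...)` call.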
@@ -487,7 +487,7 @@ int magiskpolicy_main(int argc, char *argv[]) {
 }
 // Use current policy if nothing is loaded
- if (policydb == nullptr && load_policydb(SELINUX_POLICY)) {
+ if (magisk_policydb == nullptr && load_policydb(SELINUX_POLICY)) {
 fprintf(stderr, "Cannot load policy from " SELINUX_POLICY "\n");
 return 1;
 }
diff --git a/native/jni/magiskpolicy/policydb.cpp b/native/jni/magiskpolicy/policydb.cpp
index 9c04938c6..ec115efb7 100644
--- a/native/jni/magiskpolicy/policydb.cpp
+++ b/native/jni/magiskpolicy/policydb.cpp
@@ -11,10 +11,8 @@
 #include "magiskpolicy.h"
 #include "sepolicy.h"
-policydb_t *policydb = nullptr;
-
 int load_policydb(const char *file) {
- if (policydb)
+ if (magisk_policydb)
 destroy_policydb();
 struct policy_file pf;
@@ -22,8 +20,8 @@ int load_policydb(const char *file) {
 pf.fp = xfopen(file, "re");
 pf.type = PF_USE_STDIO;
- policydb = new policydb_t();
- if (policydb_init(policydb) || policydb_read(policydb, &pf, 0))
+ magisk_policydb = static_cast(xmalloc(sizeof(policydb_t)));
+ if (policydb_init(magisk_policydb) || policydb_read(magisk_policydb, &pf, 0))
 return 1;
 fclose(pf.fp);
@@ -169,7 +167,7 @@ int compile_split_cil() {
 return 1;
 cil_db_destroy(&db);
- policydb = &pdb->p;
+ magisk_policydb = &pdb->p;
 return 0;
 }
@@ -177,7 +175,7 @@ int dump_policydb(const char *file) {
 int fd, ret;
 void *data = nullptr;
 size_t len;
- policydb_to_image(nullptr, policydb, &data, &len);
+ policydb_to_image(nullptr, magisk_policydb, &data, &len);
 if (data == nullptr) {
 LOGE("Fail to dump policy image!\n");
 return 1;
@@ -194,9 +192,9 @@ int dump_policydb(const char *file) {
 }
 void destroy_policydb() {
- if (policydb) {
- policydb_destroy(policydb);
- delete policydb;
- policydb = nullptr;
+ if (magisk_policydb) {
+ policydb_destroy(magisk_policydb);
+ free(magisk_policydb);
+ magisk_policydb = nullptr;
 }
-}
\ No newline at end of file
+}
diff --git a/native/jni/magiskpolicy/rules.cpp b/native/jni/magiskpolicy/rules.cpp
index eb6f6df47..6ea22e408 100644
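Review bot: The failure branch `return 1;` after `policydb_init(magisk_policydb) || policydb_read(magisk_policydb, &pf, 0)` leaks `pf.fp`, opened by `xfopen` two lines above, and leaves `magisk_policydb` pointing at an allocation that was never fully read; the next `load_policydb()` call (top of this file section) or `destroy_policydb()` then runs `policydb_destroy()` over that half-populated struct. The policy file is external input, so a malformed or truncated policy is exactly the case this branch has to survive cleanly. Close the stream, release the partial policydb and reset the global before returning, assuming libsepol's `policydb_destroy` tolerates a struct that `policydb_init` set up but `policydb_read` abandoned midway, as libsepol's own error paths rely on.
```cpp
	if (policydb_init(magisk_policydb) || policydb_read(magisk_policydb, &pf, 0)) {
		fclose(pf.fp);
		destroy_policydb();  // frees the partially read policydb and resets magisk_policydb
		return 1;
	}
	// … unchanged: fclose(pf.fp) and return on the success path …
```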
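Review bot: `free(magisk_policydb)` in `destroy_policydb` matches the `xmalloc` in `load_policydb`, but the `compile_split_cil` hunk above also assigns `magisk_policydb = &pdb->p`, a member of a libsepol-owned `sepol_policydb_t`, so this `free` is only correct if `p` is that struct's first member and libsepol allocated it with `malloc`. The previous `delete` had the same mismatch, so this is not a regression, but the layout assumption is now load-bearing across two functions and undocumented. Add above the `free`: `// may also be &pdb->p from compile_split_cil(): relies on p being the first member of sepol_policydb_t and on libsepol using malloc`.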
--- a/native/jni/magiskpolicy/rules.cpp
+++ b/native/jni/magiskpolicy/rules.cpp
@@ -21,7 +21,7 @@ static void allowSuClient(const char *target) {
 sepol_allow(target, "untrusted_app_devpts", "chr_file", "ioctl");
 sepol_allow(target, "untrusted_app_25_devpts", "chr_file", "ioctl");
 sepol_allow(target, "untrusted_app_all_devpts", "chr_file", "ioctl");
- if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
+ if (magisk_policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
 sepol_allowxperm(target, "devpts", "chr_file", "0x5400-0x54FF");
 sepol_allowxperm(target, "untrusted_app_devpts", "chr_file", "0x5400-0x54FF");
 sepol_allowxperm(target, "untrusted_app_25_devpts", "chr_file", "0x5400-0x54FF");
@@ -166,7 +166,7 @@ void sepol_magisk_rules() {
 sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
 // Allow us to do any ioctl on all block devices
- if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
+ if (magisk_policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
 sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
 // Allow all binder transactions
@@ -198,11 +198,7 @@ void sepol_magisk_rules() {
 #ifdef MAGISK_DEBUG
 // Remove all dontaudit in debug mode
- avtab_ptr_t av;
- avtab_for_each(&policydb->te_avtab, av, {
- if (av->key.specified == AVTAB_AUDITDENY || av->key.specified == AVTAB_XPERMS_DONTAUDIT)
- avtab_remove_node(&policydb->te_avtab, av);
- })
+ strip_dontaudit();
 #endif
 log_cb.w = bak;
diff --git a/native/jni/magiskpolicy/sepolicy.c b/native/jni/magiskpolicy/sepolicy.c
index f876fcd81..6b9cd6fad 100644
--- a/native/jni/magiskpolicy/sepolicy.c
+++ b/native/jni/magiskpolicy/sepolicy.c
@@ -5,47 +5,44 @@
 #include "sepolicy.h"
+policydb_t *magisk_policydb = NULL;
+#define mpdb magisk_policydb
+
 extern void *xmalloc(size_t size);
 extern void *xcalloc(size_t nmemb, size_t size);
 extern void *xrealloc(void *ptr, size_t size);
 extern int policydb_index_decls(sepol_handle_t * handle, policydb_t * p);
-static int get_attr(const char *type, int value) {
- type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
- if (!attr)
- return 1;
+// Generic hash table traversal
+#define hash_for_each(node_ptr, n_slots, table, block) \
+ for (int __i = 0; __i < (table)->n_slots; ++__i) { \
+ __typeof__(*(table)->node_ptr) node; \
+ __typeof__(node) __next; \
+ for (node = (table)->node_ptr[__i]; node; node = __next) { \
+ __next = node->next; \
+ block \
+ } \
+ } \
- if (attr->flavor != TYPE_ATTRIB)
- return 1;
+// hashtab traversal
+#define hashtab_for_each(hashtab, block) \
+hash_for_each(htable, size, hashtab, block)
- return ebitmap_get_bit(&policydb->attr_type_map[attr->s.value - 1], value - 1) != 0;
-}
-
-static int get_attr_id(const char *type) {
- type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
- if (!attr)
- return 1;
-
- if (attr->flavor != TYPE_ATTRIB)
- return 1;
-
- return attr->s.value;
-}
+// avtab traversal
+#define avtab_for_each(avtab, block) \
+hash_for_each(htable, nslot, avtab, block)
 static int set_attr(const char *type, int value) {
- type_datum_t *attr = hashtab_search(policydb->p_types.table, type);
- if (!attr)
- return 1;
+ type_datum_t *attr = hashtab_search(mpdb->p_types.table, type);
+ if (!attr || attr->flavor != TYPE_ATTRIB)
+ return -1;
- if (attr->flavor != TYPE_ATTRIB)
- return 1;
+ if (ebitmap_set_bit(&mpdb->type_attr_map[value - 1], attr->s.value - 1, 1))
+ return -1;
+ if (ebitmap_set_bit(&mpdb->attr_type_map[attr->s.value - 1], value - 1, 1))
+ return -1;
- if(ebitmap_set_bit(&policydb->type_attr_map[value - 1], attr->s.value - 1, 1))
- return 1;
- if(ebitmap_set_bit(&policydb->attr_type_map[attr->s.value - 1], value - 1, 1))
- return 1;
-
- return 0;
+ return attr->s.value;
 }
 static void check_avtab_node(avtab_ptr_t node) {
@@ -57,7 +54,7 @@ static void check_avtab_node(avtab_ptr_t node) {
 else
 redundant = node->datum.data == 0U;
 if (redundant)
- avtab_remove_node(&policydb->te_avtab, node);
+ avtab_remove_node(&mpdb->te_avtab, node);
 }
 static avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xperms) {
@@ -67,7 +64,7 @@ static avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xper
 /* AVTAB_XPERMS entries are not necessarily unique */
 if (key->specified & AVTAB_XPERMS) {
- node = avtab_search_node(&policydb->te_avtab, key);
+ node = avtab_search_node(&mpdb->te_avtab, key);
 while (node) {
 if ((node->datum.xperms->specified == xperms->specified) &&
 (node->datum.xperms->driver == xperms->driver)) {
@@ -79,7 +76,7 @@ static avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xper
 if (!match)
 node = NULL;
 } else {
- node = avtab_search_node(&policydb->te_avtab, key);
+ node = avtab_search_node(&mpdb->te_avtab, key);
 }
 if (!node) {
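Review bot: `set_attr` now returns `attr->s.value` on success and -1 on failure, but `create_domain` (hunk `@@ -218,50 +214,50 @@` below) still ends with `return set_attr("domain", value);`, so a successful domain creation now reports a non-zero value while every other entry point in this file returns 0 for success and 1 for failure; `sepol_create` in api.cpp forwards that value unchanged, so any caller testing it as an error flag will treat success as failure. Change that line to `return set_attr("domain", value) < 0 ? 1 : 0;` (`add_typeattribute` already adapts correctly with its `attr_id < 0` check). Separately, `hash_for_each` binds a hidden variable `node` that every caller's block depends on, and `__i`/`__next` are identifiers reserved for the implementation; a comment on the macro such as `// The block sees the current entry as node; next is saved first, so the block may remove node` makes the contract explicit, and renaming the internals to `i_`/`next_` leaves the reserved namespace alone. The `check_avtab_node` definition at the end of this hunk continues beyond it.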
@@ -90,26 +87,27 @@ static avtab_ptr_t get_avtab_node(avtab_key_t *key, avtab_extended_perms_t *xper
 */
 avdatum.data = key->specified == AVTAB_AUDITDENY ? ~0U : 0U;
 /* this is used to get the node - insertion is actually unique */
- node = avtab_insert_nonunique(&policydb->te_avtab, key, &avdatum);
+ node = avtab_insert_nonunique(&mpdb->te_avtab, key, &avdatum);
 }
 return node;
 }
-static int add_avrule(avtab_key_t *key, int p, int not) {
+static int add_avrule(avtab_key_t *key, int val, int not) {
 avtab_ptr_t node = get_avtab_node(key, NULL);
- // Support DONTAUDIT (AUDITDENY is inverted)
- if (AVTAB_AUDITDENY == node->key.specified == !not) {
- if (p < 0)
+
+ if (not) {
+ if (val < 0)
 node->datum.data = 0U;
 else
- node->datum.data &= ~(1U << (p - 1));
+ node->datum.data &= ~(1U << (val - 1));
 } else {
- if (p < 0)
+ if (val < 0)
 node->datum.data = ~0U;
 else
- node->datum.data |= 1U << (p - 1);
+ node->datum.data |= 1U << (val - 1);
 }
+
 check_avtab_node(node);
 return 0;
 }
@@ -117,22 +115,21 @@ static int add_avrule(avtab_key_t *key, int p, int not) {
 static int add_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, perm_datum_t *perm, int effect, int not) {
 avtab_key_t key;
- hashtab_ptr_t cur;
 int ret = 0;
 if (src == NULL) {
- hashtab_for_each(policydb->p_types.table, cur, {
- src = cur->datum;
+ hashtab_for_each(mpdb->p_types.table, {
+ src = node->datum;
 ret |= add_rule_auto(src, tgt, cls, perm, effect, not);
 })
 } else if (tgt == NULL) {
- hashtab_for_each(policydb->p_types.table, cur, {
- tgt = cur->datum;
+ hashtab_for_each(mpdb->p_types.table, {
+ tgt = node->datum;
 ret |= add_rule_auto(src, tgt, cls, perm, effect, not);
 })
 } else if (cls == NULL) {
- hashtab_for_each(policydb->p_classes.table, cur, {
- cls = cur->datum;
+ hashtab_for_each(mpdb->p_classes.table, {
+ cls = node->datum;
 ret |= add_rule_auto(src, tgt, cls, perm, effect, not);
 })
 } else {
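Review bot: `add_avrule` dereferences `node` from `get_avtab_node(key, NULL)` without a check, and the hunk just above shows `get_avtab_node` returning whatever `avtab_insert_nonunique` produced, which libsepol returns as NULL when allocation fails; with the rewritten `if (not)` body that becomes a NULL write into `node->datum.data`. Add `if (!node) return 1;` right after the `get_avtab_node` call (`add_avxrule`, whose body is not in this chunk, presumably has the same shape). The deleted comment "Support DONTAUDIT (AUDITDENY is inverted)" was the only explanation of why clearing bits is the right operation for dontaudit; since the inversion now lives at the call site in api.cpp, a replacement comment above `if (not) {`, `// not == 1 clears bits; for AVTAB_AUDITDENY (initialised to ~0U in get_avtab_node) that is how dontaudit is expressed`, keeps the two halves tied together.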
@@ -189,22 +186,21 @@ static int add_avxrule(avtab_key_t *key, uint16_t low, uint16_t high, int not) {
 static int add_xperm_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum_t *cls, uint16_t low, uint16_t high, int effect, int not) {
 avtab_key_t key;
- hashtab_ptr_t cur;
 int ret = 0;
 if (src == NULL) {
- hashtab_for_each(policydb->p_types.table, cur, {
- src = cur->datum;
+ hashtab_for_each(mpdb->p_types.table, {
+ src = node->datum;
 ret |= add_xperm_rule_auto(src, tgt, cls, low, high, effect, not);
 })
 } else if (tgt == NULL) {
- hashtab_for_each(policydb->p_types.table, cur, {
- tgt = cur->datum;
+ hashtab_for_each(mpdb->p_types.table, {
+ tgt = node->datum;
 ret |= add_xperm_rule_auto(src, tgt, cls, low, high, effect, not);
 })
 } else if (cls == NULL) {
- hashtab_for_each(policydb->p_classes.table, cur, {
- cls = cur->datum;
+ hashtab_for_each(mpdb->p_classes.table, {
+ cls = node->datum;
 ret |= add_xperm_rule_auto(src, tgt, cls, low, high, effect, not);
 })
 } else {
@@ -218,50 +214,50 @@ static int add_xperm_rule_auto(type_datum_t *src, type_datum_t *tgt, class_datum
 }
 int create_domain(const char *d) {
- symtab_datum_t *src = hashtab_search(policydb->p_types.table, d);
- if(src) {
+ symtab_datum_t *src = hashtab_search(mpdb->p_types.table, d);
+ if (src) {
 LOGW("Domain %s already exists\n", d);
 return 0;
 }
- type_datum_t *typedatum = (type_datum_t *) xmalloc(sizeof(type_datum_t));
+ type_datum_t *typedatum = xmalloc(sizeof(type_datum_t));
 type_datum_init(typedatum);
 typedatum->primary = 1;
 typedatum->flavor = TYPE_TYPE;
 uint32_t value = 0;
- symtab_insert(policydb, SYM_TYPES, strdup(d), typedatum, SCOPE_DECL, 1, &value);
+ symtab_insert(mpdb, SYM_TYPES, strdup(d), typedatum, SCOPE_DECL, 1, &value);
 typedatum->s.value = value;
- if (ebitmap_set_bit(&policydb->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) {
+ if (ebitmap_set_bit(&mpdb->global->branch_list->declared.scope[SYM_TYPES], value - 1, 1)) {
 return 1;
 }
- policydb->type_attr_map = xrealloc(policydb->type_attr_map, sizeof(ebitmap_t) * policydb->p_types.nprim);
- policydb->attr_type_map = xrealloc(policydb->attr_type_map, sizeof(ebitmap_t) * policydb->p_types.nprim);
- ebitmap_init(&policydb->type_attr_map[value-1]);
- ebitmap_init(&policydb->attr_type_map[value-1]);
- ebitmap_set_bit(&policydb->type_attr_map[value-1], value-1, 1);
+ mpdb->type_attr_map = xrealloc(mpdb->type_attr_map, sizeof(ebitmap_t) * mpdb->p_types.nprim);
+ mpdb->attr_type_map = xrealloc(mpdb->attr_type_map, sizeof(ebitmap_t) * mpdb->p_types.nprim);
+ ebitmap_init(&mpdb->type_attr_map[value-1]);
+ ebitmap_init(&mpdb->attr_type_map[value-1]);
+ ebitmap_set_bit(&mpdb->type_attr_map[value-1], value-1, 1);
- src = hashtab_search(policydb->p_types.table, d);
+ src = hashtab_search(mpdb->p_types.table, d);
 if(!src) return 1;
- if(policydb_index_decls(NULL, policydb))
+ if(policydb_index_decls(NULL, mpdb))
 return 1;
- if(policydb_index_classes(policydb))
+ if(policydb_index_classes(mpdb))
 return 1;
- if(policydb_index_others(NULL, policydb, 0))
+ if(policydb_index_others(NULL, mpdb, 0))
 return 1;
 //Add the domain to all roles
- for(unsigned i=0; ip_roles.nprim; ++i) {
+ for(unsigned i = 0; i < mpdb->p_roles.nprim; ++i) {
 //Not sure all those three calls are needed
- ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.negset, value-1, 0);
- ebitmap_set_bit(&policydb->role_val_to_struct[i]->types.types, value-1, 1);
- type_set_expand(&policydb->role_val_to_struct[i]->types, &policydb->role_val_to_struct[i]->cache, policydb, 0);
+ ebitmap_set_bit(&mpdb->role_val_to_struct[i]->types.negset, value - 1, 0);
+ ebitmap_set_bit(&mpdb->role_val_to_struct[i]->types.types, value - 1, 1);
+ type_set_expand(&mpdb->role_val_to_struct[i]->types, &mpdb->role_val_to_struct[i]->cache, mpdb, 0);
 }
 return set_attr("domain", value);
@@ -269,22 +265,21 @@ int create_domain(const char *d) {
 int set_domain_state(const char *s, int state) {
 type_datum_t *type;
- hashtab_ptr_t cur;
 if (s == NULL) {
- hashtab_for_each(policydb->p_types.table, cur, {
- type = cur->datum;
- if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) {
+ hashtab_for_each(mpdb->p_types.table, {
+ type = node->datum;
+ if (ebitmap_set_bit(&mpdb->permissive_map, type->s.value, state)) {
 LOGW("Could not set bit in permissive map\n");
 return 1;
 }
 })
 } else {
- type = hashtab_search(policydb->p_types.table, s);
+ type = hashtab_search(mpdb->p_types.table, s);
 if (type == NULL) {
 LOGW("type %s does not exist\n", s);
 return 1;
 }
- if (ebitmap_set_bit(&policydb->permissive_map, type->s.value, state)) {
+ if (ebitmap_set_bit(&mpdb->permissive_map, type->s.value, state)) {
 LOGW("Could not set bit in permissive map\n");
 return 1;
 }
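Review bot: The return value of `symtab_insert(mpdb, SYM_TYPES, strdup(d), typedatum, SCOPE_DECL, 1, &value)` in `create_domain` is ignored, so if the insertion fails `value` stays 0, `typedatum->s.value` is set to 0 (a value no real type carries) and the next statement calls `ebitmap_set_bit(..., value - 1, 1)` with the `uint32_t` expression wrapped to `UINT32_MAX`. Check it, `if (symtab_insert(mpdb, SYM_TYPES, strdup(d), typedatum, SCOPE_DECL, 1, &value)) return 1;`, and either free the `strdup`'d name and `typedatum` on that path or say in a comment that the leak is accepted; the `strdup` result itself is also never checked. The `return set_attr("domain", value);` contract problem on the last line is raised on the first sepolicy.c hunk.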
@@ -297,22 +292,22 @@ int add_filename_trans(const char *s, const char *t, const char *c, const char *
 type_datum_t *src, *tgt, *def;
 class_datum_t *cls;
- src = hashtab_search(policydb->p_types.table, s);
+ src = hashtab_search(mpdb->p_types.table, s);
 if (src == NULL) {
 LOGW("source type %s does not exist\n", s);
 return 1;
 }
- tgt = hashtab_search(policydb->p_types.table, t);
+ tgt = hashtab_search(mpdb->p_types.table, t);
 if (tgt == NULL) {
 LOGW("target type %s does not exist\n", t);
 return 1;
 }
- cls = hashtab_search(policydb->p_classes.table, c);
+ cls = hashtab_search(mpdb->p_classes.table, c);
 if (cls == NULL) {
 LOGW("class %s does not exist\n", c);
 return 1;
 }
- def = hashtab_search(policydb->p_types.table, d);
+ def = hashtab_search(mpdb->p_types.table, d);
 if (def == NULL) {
 LOGW("default type %s does not exist\n", d);
 return 1;
@@ -325,11 +320,11 @@ int add_filename_trans(const char *s, const char *t, const char *c, const char *
 trans_key.name = (char *) o;
 filename_trans_datum_t *trans_datum;
- trans_datum = hashtab_search(policydb->p_types.table, (hashtab_key_t) &trans_key);
+ trans_datum = hashtab_search(mpdb->filename_trans, (hashtab_key_t) &trans_key);
 if (trans_datum == NULL) {
 trans_datum = xcalloc(sizeof(*trans_datum), 1);
- hashtab_insert(policydb->filename_trans, (hashtab_key_t) &trans_key, trans_datum);
+ hashtab_insert(mpdb->filename_trans, (hashtab_key_t) &trans_key, trans_datum);
 }
 // Overwrite existing
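Review bot: The key handed to `hashtab_insert(mpdb->filename_trans, (hashtab_key_t) &trans_key, trans_datum)` is the address of `trans_key`, which `trans_key.name = (char *) o;` shows to be a struct local to `add_filename_trans` (its declaration sits above this hunk, so I am assuming it is an automatic variable), and its `name` member points at the caller-owned string `o`. libsepol's hashtab keeps the key pointer it is given rather than copying it, so once this function returns the `filename_trans` table holds a key into a dead stack frame and a name it does not own; every later `hashtab_search` on that table, `policydb_to_image` in `dump_policydb` and `policydb_destroy` then read freed memory. Copy the key and its name to the heap before inserting and check the insert result (the `xcalloc` argument order is also swapped below to match `calloc`'s nmemb, size convention); `add_filename_trans` continues outside the hunk.
```c
	if (trans_datum == NULL) {
		// hashtab_insert keeps the key pointer it is given, so the key and
		// its name must outlive this call: copy both to the heap
		__typeof__(trans_key) *key = xmalloc(sizeof(*key));
		*key = trans_key;
		key->name = strdup(o);
		trans_datum = xcalloc(1, sizeof(*trans_datum));
		if (hashtab_insert(mpdb->filename_trans, (hashtab_key_t) key, trans_datum)) {
			free(key->name);
			free(key);
			free(trans_datum);
			return 1;
		}
	}
	// … unchanged: overwrite existing datum …
```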
@@ -337,32 +332,29 @@ int add_filename_trans(const char *s, const char *t, const char *c, const char *
 return 0;
 }
-int add_typeattribute(const char *domainS, const char *attr) {
- type_datum_t *domain;
-
- domain = hashtab_search(policydb->p_types.table, domainS);
+int add_typeattribute(const char *type, const char *attr) {
+ type_datum_t *domain = hashtab_search(mpdb->p_types.table, type);
 if (domain == NULL) {
- LOGW("source type %s does not exist\n", domainS);
+ LOGW("type %s does not exist\n", type);
 return 1;
 }
- set_attr(attr, domain->s.value);
+ int attr_id = set_attr(attr, domain->s.value);
+ if (attr_id < 0)
+ return 1;
- int typeId = get_attr_id(attr);
- //Now let's update all constraints!
- //(kernel doesn't support (yet?) type_names rules)
- for(int i = 0; i < policydb->p_classes.nprim; ++i) {
- class_datum_t *cl = policydb->class_val_to_struct[i];
- for(constraint_node_t *n = cl->constraints; n ; n=n->next) {
- for(constraint_expr_t *e = n->expr; e; e = e->next) {
- if(e->expr_type == CEXPR_NAMES) {
- if(ebitmap_get_bit(&e->type_names->types, typeId - 1)) {
- ebitmap_set_bit(&e->names, domain->s.value-1, 1);
- }
+ hashtab_for_each(mpdb->p_classes.table, {
+ class_datum_t *cls = node->datum;
+ for (constraint_node_t *n = cls->constraints; n ; n = n->next) {
+ for (constraint_expr_t *e = n->expr; e; e = e->next) {
+ if (e->expr_type == CEXPR_NAMES &&
+ ebitmap_get_bit(&e->type_names->types, attr_id - 1)) {
+ ebitmap_set_bit(&e->names, domain->s.value - 1, 1);
 }
 }
 }
- }
+ })
+ return 0;
 }
@@ -372,7 +364,7 @@ int add_rule(const char *s, const char *t, const char *c, const char *p, int eff
 perm_datum_t *perm = NULL;
 if (s) {
- src = hashtab_search(policydb->p_types.table, s);
+ src = hashtab_search(mpdb->p_types.table, s);
 if (src == NULL) {
 LOGW("source type %s does not exist\n", s);
 return 1;
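Review bot: The rewrite of `add_typeattribute` drops the two comments that explained the constraint walk, `//Now let's update all constraints!` and `//(kernel doesn't support (yet?) type_names rules)`, so the `hashtab_for_each(mpdb->p_classes.table, {` loop now reads as unexplained mutation of every class's constraints. Restore the rationale in one line above the loop, e.g. `// The kernel does not expand type_names in constraints, so add the type to every CEXPR_NAMES expression that names the attribute`. The `attr_id < 0` guard above it is the right adaptation to the new `set_attr` contract, and `node` inside the block is the hidden variable bound by `hashtab_for_each`.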
@@ -380,7 +372,7 @@ int add_rule(const char *s, const char *t, const char *c, const char *p, int eff
 }
 if (t) {
- tgt = hashtab_search(policydb->p_types.table, t);
+ tgt = hashtab_search(mpdb->p_types.table, t);
 if (tgt == NULL) {
 LOGW("target type %s does not exist\n", t);
 return 1;
@@ -388,7 +380,7 @@ int add_rule(const char *s, const char *t, const char *c, const char *p, int eff
 }
 if (c) {
- cls = hashtab_search(policydb->p_classes.table, c);
+ cls = hashtab_search(mpdb->p_classes.table, c);
 if (cls == NULL) {
 LOGW("class %s does not exist\n", c);
 return 1;
@@ -419,7 +411,7 @@ int add_xperm_rule(const char *s, const char *t, const char *c, const char *rang
 class_datum_t *cls = NULL;
 if (s) {
- src = hashtab_search(policydb->p_types.table, s);
+ src = hashtab_search(mpdb->p_types.table, s);
 if (src == NULL) {
 LOGW("source type %s does not exist\n", s);
 return 1;
@@ -427,7 +419,7 @@ int add_xperm_rule(const char *s, const char *t, const char *c, const char *rang
 }
 if (t) {
- tgt = hashtab_search(policydb->p_types.table, t);
+ tgt = hashtab_search(mpdb->p_types.table, t);
 if (tgt == NULL) {
 LOGW("target type %s does not exist\n", t);
 return 1;
@@ -435,7 +427,7 @@ int add_xperm_rule(const char *s, const char *t, const char *c, const char *rang
 }
 if (c) {
- cls = hashtab_search(policydb->p_classes.table, c);
+ cls = hashtab_search(mpdb->p_classes.table, c);
 if (cls == NULL) {
 LOGW("class %s does not exist\n", c);
 return 1;
@@ -463,22 +455,22 @@ int add_type_rule(const char *s, const char *t, const char *c, const char *d, in
 type_datum_t *src, *tgt, *def;
 class_datum_t *cls;
- src = hashtab_search(policydb->p_types.table, s);
+ src = hashtab_search(mpdb->p_types.table, s);
 if (src == NULL) {
 LOGW("source type %s does not exist\n", s);
 return 1;
 }
- tgt = hashtab_search(policydb->p_types.table, t);
+ tgt = hashtab_search(mpdb->p_types.table, t);
 if (tgt == NULL) {
 LOGW("target type %s does not exist\n", t);
 return 1;
 }
- cls = hashtab_search(policydb->p_classes.table, c);
+ cls = hashtab_search(mpdb->p_classes.table, c);
 if (cls == NULL) {
 LOGW("class %s does not exist\n", c);
 return 1;
 }
- def = hashtab_search(policydb->p_types.table, d);
+ def = hashtab_search(mpdb->p_types.table, d);
 if (def == NULL) {
 LOGW("default type %s does not exist\n", d);
 return 1;
@@ -495,3 +487,10 @@ int add_type_rule(const char *s, const char *t, const char *c, const char *d, in
 return 0;
 }
+
+void strip_dontaudit() {
+ avtab_for_each(&mpdb->te_avtab, {
+ if (node->key.specified == AVTAB_AUDITDENY || node->key.specified == AVTAB_XPERMS_DONTAUDIT)
+ avtab_remove_node(&magisk_policydb->te_avtab, node);
+ })
+}
diff --git a/native/jni/magiskpolicy/sepolicy.h b/native/jni/magiskpolicy/sepolicy.h
index b582cb9e1..ecff77ef0 100644
--- a/native/jni/magiskpolicy/sepolicy.h
+++ b/native/jni/magiskpolicy/sepolicy.h
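Review bot: `void strip_dontaudit() {` in a C translation unit is an old-style definition with an unspecified parameter list, and the sepolicy.h hunk below declares it the same way inside `__BEGIN_DECLS`, so C callers get no prototype either; use `void strip_dontaudit(void)` in both places. The body refers to the same table once as `&mpdb->te_avtab` and once as `&magisk_policydb->te_avtab`; pick one. Deleting entries while iterating is only safe because `hash_for_each` saves `node->next` before running the block, which deserves a comment on the loop: `// avtab_for_each saves node->next before the block runs, so removing node here is safe`. The debug-only caller in rules.cpp keeps its `// Remove all dontaudit in debug mode` comment, so the purpose is covered there.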
@@ -5,32 +5,15 @@
 __BEGIN_DECLS
 // Global policydb
-extern policydb_t *policydb;
-
-// General hash table traversal
-#define hash_for_each(table, slots, tab, cur, block) \
- for (int __i = 0; __i < (tab)->slots; ++__i) { \
- __typeof__(cur) __next; \
- for (cur = (tab)->table[__i]; cur; cur = __next) { \
- __next = cur->next; \
- block \
- } \
- } \
-
-// hashtab traversal
-#define hashtab_for_each(hashtab, cur, block) \
-hash_for_each(htable, size, hashtab, cur, block)
-
-// avtab traversal
-#define avtab_for_each(avtab, cur, block) \
-hash_for_each(htable, nslot, avtab, cur, block)
+extern policydb_t *magisk_policydb;
 int create_domain(const char *d);
 int set_domain_state(const char *s, int state);
-int add_typeattribute(const char *domainS, const char *attr);
+int add_typeattribute(const char *type, const char *attr);
 int add_rule(const char *s, const char *t, const char *c, const char *p, int effect, int n);
 int add_xperm_rule(const char *s, const char *t, const char *c, const char *range, int effect, int n);
 int add_type_rule(const char *s, const char *t, const char *c, const char *d, int effect);
 int add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
+void strip_dontaudit();
 __END_DECLS