diff --git a/jni/sepolicy-inject b/jni/sepolicy-inject index c69db035e..3a0df5660 160000 --- a/jni/sepolicy-inject +++ b/jni/sepolicy-inject @@ -1 +1 @@ -Subproject commit c69db035ee32e34256c3cd8562e28bc4f5fba2db +Subproject commit 3a0df56605bc9226b4c989979c1d4e9a8a565ad4 diff --git a/zip_static/META-INF/com/google/android/update-binary b/zip_static/META-INF/com/google/android/update-binary index b49fb4731..cbaf9aea7 100644 --- a/zip_static/META-INF/com/google/android/update-binary +++ b/zip_static/META-INF/com/google/android/update-binary @@ -8,19 +8,12 @@ # ########################################################################################## -TMPDIR=/tmp - if [ -z "$BOOTMODE" ]; then BOOTMODE=false fi -mount -o rw,remount rootfs / -mkdir /magisk 2>/dev/null - -if ($BOOTMODE); then - TMPDIR=/data/tmp - mount -o ro,remount rootfs / -fi +TMPDIR=/tmp +($BOOTMODE) && TMPDIR=/dev/tmp INSTALLER=$TMPDIR/magisk @@ -87,6 +80,11 @@ find_boot_image() { if [ ! -z "$BOOTIMAGE" ]; then break; fi done fi + if [ -z "$BOOTIMAGE" ]; then + FSTAB="/etc/recovery.fstab" + [ ! -f "$FSTAB" ] && FSTAB="/etc/recovery.fstab.bak" + BOOTIMAGE=$(grep -E '\b/boot\b' "$FSTAB" | grep -oE '/dev/[a-zA-Z0-9_./-]*') + fi } is_mounted() { @@ -98,6 +96,40 @@ is_mounted() { return $? } +mount_image() { + if [ ! -d "$2" ]; then + mount -o rw,remount rootfs / + mkdir -p $2 2>/dev/null + ($BOOTMODE) && mount -o ro,remount rootfs / + [ ! -d "$2" ] && return 1 + fi + if (! is_mounted $2); then + LOOPDEVICE= + for LOOP in 0 1 2 3 4 5 6 7; do + if (! is_mounted $2); then + LOOPDEVICE=/dev/block/loop$LOOP + if [ ! -f "$LOOPDEVICE" ]; then + mknod $LOOPDEVICE b 7 $LOOP + fi + losetup $LOOPDEVICE $1 + if [ "$?" -eq "0" ]; then + mount -t ext4 -o loop $LOOPDEVICE $2 + if (! is_mounted $2); then + /system/bin/toolbox mount -t ext4 -o loop $LOOPDEVICE $2 + fi + if (! is_mounted $2); then + /system/bin/toybox mount -t ext4 -o loop $LOOPDEVICE $2 + fi + fi + if (is_mounted $2); then + ui_print "- Mounting $1 to $2" + break; + fi + fi + done + fi +} + grep_prop() { REGEX="s/^$1=//p" shift @@ -108,6 +140,22 @@ grep_prop() { cat $FILES 2>/dev/null | sed -n $REGEX | head -n 1 } +unpack_boot() { + rm -rf $UNPACKDIR $RAMDISK 2>/dev/null + mkdir -p $UNPACKDIR + mkdir -p $RAMDISK + cd $UNPACKDIR + $BINDIR/bootimgtools --extract $1 + + find $TMPDIR/boottmp -type d -exec chmod 755 {} \; + find $TMPDIR/boottmp -type f -exec chmod 644 {} \; + chmod 755 $(find $TMPDIR/boottmp -type d) + chmod 644 $(find $TMPDIR/boottmp -type f) + + cd $RAMDISK + gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i +} + repack_boot() { cd $RAMDISK find . | cpio -o -H newc 2>/dev/null | gzip -9 > $UNPACKDIR/ramdisk.gz @@ -190,7 +238,7 @@ if [ -z "$NOOVERRIDE" ]; then # read override variables getvar KEEPVERITY getvar KEEPFORCEENCRYPT - getvar KEEPSUPERSU + getvar NORESTORE fi if [ -z "$KEEPVERITY" ]; then @@ -201,9 +249,9 @@ if [ -z "$KEEPFORCEENCRYPT" ]; then # we don't keep forceencrypt by default KEEPFORCEENCRYPT=false fi -if [ -z "$KEEPSUPERSU" ]; then - # we don't keep SuperSU by default - KEEPSUPERSU=false +if [ -z "$NORESTORE" ]; then + # we don't keep ramdisk by default + NORESTORE=false fi SAMSUNG=false @@ -212,10 +260,34 @@ if [ $? -eq 0 ]; then SAMSUNG=true fi +########################################################################################## +# Environment +########################################################################################## + +ui_print "- Constructing environment" + +if (is_mounted /data); then + rm -rf /data/busybox /data/magisk 2>/dev/null + mkdir -p /data/busybox + cp -af $BINDIR /data/magisk + chmod 755 /data/busybox /data/magisk /data/magisk/* + chcon 'u:object_r:system_file:s0' /data/busybox /data/magisk /data/magisk/* + /data/magisk/busybox --install -s /data/busybox + # Prevent issues + rm -f /data/busybox/su /data/busybox/sh +else + rm -rf /cache/data_bin 2>/dev/null + mkdir -p /cache/data_bin + cp -af $BINDIR /cache/data_bin +fi + ########################################################################################## # Image ########################################################################################## +# Fix SuperSU..... +($BOOTMODE) && /data/magisk/sepolicy-inject -s fsck --live + if (is_mounted /data); then IMG=/data/magisk.img else @@ -230,55 +302,12 @@ else make_ext4fs -l 64M -a /magisk -S $INSTALLER/common/file_contexts_image $IMG fi +mount_image $IMG /magisk if (! is_mounted /magisk); then - ui_print "- Mounting $IMG to /magisk" - LOOPDEVICE= - for LOOP in 0 1 2 3 4 5 6 7; do - if (! is_mounted /magisk); then - LOOPDEVICE=/dev/block/loop$LOOP - if [ ! -f "$LOOPDEVICE" ]; then - mknod $LOOPDEVICE b 7 $LOOP - fi - losetup $LOOPDEVICE $IMG - if [ "$?" -eq "0" ]; then - mount -t ext4 -o loop $LOOPDEVICE /magisk - if (! is_mounted /magisk); then - /system/bin/toolbox mount -t ext4 -o loop $LOOPDEVICE /magisk - fi - if (! is_mounted /magisk); then - /system/bin/toybox mount -t ext4 -o loop $LOOPDEVICE /magisk - fi - fi - if (is_mounted /magisk); then - break; - fi - fi - done -fi - -rm -rf $COREDIR/bin 2>/dev/null - -########################################################################################## -# Environment -########################################################################################## - -ui_print "- Constructing environment" - -if (is_mounted /data); then - rm -rf /data/busybox /data/magisk - mkdir -p /data/busybox - mkdir -p /data/magisk - cp -af $BINDIR/busybox $BINDIR/su $BINDIR/sepolicy-inject /data/magisk - chmod 755 /data/busybox /data/magisk /data/magisk/* - chcon 'u:object_r:system_file:s0' /data/busybox /data/magisk /data/magisk/* - /data/magisk/busybox --install -s /data/busybox - # Prevent issues - rm -f /data/busybox/su /data/busybox/sh -else - rm -rf /cache/data_bin - mkdir -p /cache/data_bin - cp -af $BINDIR/busybox $BINDIR/su $BINDIR/sepolicy-inject /cache/data_bin + ui_print "! Image mount failed... abort" + exit 1 fi +MAGISKLOOP=$LOOPDEVICE ########################################################################################## # Boot image patch @@ -294,8 +323,6 @@ ORIGBOOT=$TMPDIR/boottmp/boot.img NEWBOOT=$TMPDIR/boottmp/new-boot.img UNPACKDIR=$TMPDIR/boottmp/bootunpack RAMDISK=$TMPDIR/boottmp/ramdisk -mkdir -p $UNPACKDIR -mkdir -p $RAMDISK chmod 777 $CHROMEDIR/futility $BINDIR/* @@ -303,45 +330,87 @@ ui_print "- Dumping boot image" dd if=$BOOTIMAGE of=$ORIGBOOT ui_print "- Unpacking boot image" -cd $UNPACKDIR -$BINDIR/bootimgtools --extract $ORIGBOOT +unpack_boot $ORIGBOOT -chmod 755 $(find $TMPDIR/boottmp -type d) -chmod 644 $(find $TMPDIR/boottmp -type f) +SUPERSU=false -cd $RAMDISK -gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i - -if [ -f "supersu" ]; then - KEEPSUPERSU=true -fi - -if (! $KEEPSUPERSU); then +if (! $NORESTORE); then # Backups if [ -d ".backup" ]; then - ui_print "- Reverting ramdisk backup" + ui_print "- Restoring ramdisk with backup" cp -af .backup/* . rm -rf magisk init.magisk.rc sbin/magic_mask.sh sbin/magisk_wrapper.sh 2>/dev/null else - if [ -d "magisk" -o -d "su" ]; then - cp -af /data/stock_boot*.gz /data/stock_boot.img.gz 2>/dev/null - gzip -d /data/stock_boot.img.gz 2>/dev/null - if [ -f "/data/stock_boot.img" ]; then - ui_print "- Using boot image backup" - cp -af /data/stock_boot.img $ORIGBOOT - rm -rf $RAMDISK $TMPDIR - mkdir -p $UNPACKDIR - mkdir -p $RAMDISK + if [ -f "sbin/launch_daemonsu.sh" ]; then + SUPERSU=true + # Save it for helper module + cp -af sbin/launch_daemonsu.sh $INSTALLER/roothelper/launch_daemonsu.sh + fi + # Non-standard boot image restores + if ($SUPERSU); then + ui_print "- SuperSU patched boot detected" + # Restore with SuperSU's backup + MOUNTSU=false + (! is_mounted /su) && (is_mounted /data) && mount_image /data/su.img /su && MOUNTSU=true + if (is_mounted /su); then + # Use sukernel's built-in functions + ui_print "- Using sukernel to restore boot image" cd $UNPACKDIR - $BINDIR/bootimgtools --extract $ORIGBOOT - cd $RAMDISK - gunzip -c < $UNPACKDIR/ramdisk.gz | cpio -i + gunzip -c < $UNPACKDIR/ramdisk.gz > suramdisk + /su/bin/sukernel --restore suramdisk /data/stock_boot.img + if [ "$?" -ne "0" ]; then + # No boot backup found, use ramdisk backup + ui_print "- Restoring ramdisk with backup" + /su/bin/sukernel --cpio-restore suramdisk suramdisk + rm -rf $RAMDISK + mkdir -p $RAMDISK + cd $RAMDISK + cpio -i < $UNPACKDIR/suramdisk + rm -f $UNPACKDIR/suramdisk + else + ui_print "- Restoring boot image with backup" + cp -af /data/stock_boot.img $ORIGBOOT + unpack_boot $ORIGBOOT + fi + if ($MOUNTSU); then + ui_print "- Unmounting su.img" + umount /su + losetup -d $LOOPDEVICE + fi else - ui_print "! No backups found" - ui_print "! Installer will still proceed, but might cause issues" - ui_print "! If possible, please restore to stock boot then flash Magisk again" - # Force removing SuperSU parts - rm -rf su init.supersu.rc sbin/launch_daemonsu.sh 2>/dev/null + # Find the boot backup ourselves + ui_print "! su.img mount failed... find the backup ourselves" + cp -af /data/stock_boot_*.gz /data/stock_boot.img.gz 2>/dev/null + gzip -d /data/stock_boot.img.gz 2>/dev/null + rm -rf /data/stock_boot.img.gz 2>/dev/null + if [ -f "/data/stock_boot.img" ]; then + ui_print "- Restoring boot image with backup" + cp -af /data/stock_boot.img $ORIGBOOT + unpack_boot $ORIGBOOT + else + ui_print "! No backups found" + ui_print "! Installer will still proceed, but might cause issues" + ui_print "! If possible, please restore to stock boot then flash Magisk again" + # Force removing SuperSU parts + rm -rf su init.supersu.rc sbin/launch_daemonsu.sh 2>/dev/null + fi + fi + else + # Magisk's own situation + if [ -d "magisk" ]; then + cp -af /data/stock_boot_*.gz /data/stock_boot.img.gz 2>/dev/null + gzip -d /data/stock_boot.img.gz 2>/dev/null + if [ -f "/data/stock_boot.img" ]; then + ui_print "- Restoring boot image with backup" + cp -af /data/stock_boot.img $ORIGBOOT + unpack_boot $ORIGBOOT + else + ui_print "! No backups found" + ui_print "! Installer will still proceed, but might cause issues" + ui_print "! If possible, please restore to stock boot then flash Magisk again" + # Removing other boot image modifications + rm -rf sbin/su init.xposed.rc sbin/mount_xposed.sh 2>/dev/null + fi fi fi ui_print "- Creating backups" @@ -355,6 +424,10 @@ if (! $KEEPSUPERSU); then fi fi +ui_print "- Installing root helper module" +cp -af $INSTALLER/roothelper /magisk/00roothelper +chmod 755 /magisk/00roothelper/post-fs-data.sh + # Patch ramdisk ui_print "- Patching ramdisk" @@ -362,65 +435,29 @@ if [ $(grep -c "import /init.magisk.rc" init.rc) -eq "0" ]; then sed -i "/import \/init\.environ\.rc/iimport /init.magisk.rc" init.rc fi -if (! $KEEPSUPERSU); then - sed -i "/selinux.reload_policy/d" init.rc - find . -type f -name "*fstab*" 2>/dev/null | while read FSTAB ; do - if (! $KEEPVERITY); then - sed -i "s/,support_scfs//g" $FSTAB - sed -i 's;,\{0,1\}verify\(=[^,]*\)\{0,1\};;g' $FSTAB - fi - if (! $KEEPFORCEENCRYPT); then - sed -i "s/forceencrypt/encryptable/g" $FSTAB - sed -i "s/forcefdeorfbe/encryptable/g" $FSTAB - fi - done - rm verity_key 2>/dev/null - - # sepolicy patches - # LD_LIBRARY_PATH=$BINDIR $BINDIR/supolicy --file sepolicy sepolicy.patched - # mv -f sepolicy.patched sepolicy - . $INSTALLER/common/supatch.sh - allow su_daemon "rootfs proc init system_file" "file dir lnk_file" "*" - allow init su_daemon unix_stream_socket connectto - allow su_daemon shell_exec file getattr - allow su_daemon tmpfs dir "*" - allow su_daemon selinuxfs file "read open write" - allow su_daemon kernel security "read_policy load_policy" - allow su_daemon toolbox_exec file "*" - allow kernel su fd use - allow init "rootfs system_file" file "*" - if $BINDIR/sepolicy-inject -e -s toolbox -P sepolicy; then - allow toolbox property_socket sock_file write - allow toolbox init unix_stream_socket connectto - allow toolbox init fifo_file "*" - allow toolbox default_prop property_service "*" - allow toolbox device dir "*" +sed -i "/selinux.reload_policy/d" init.rc +find . -type f -name "*fstab*" 2>/dev/null | while read FSTAB ; do + if (! $KEEPVERITY); then + sed -i "s/,support_scfs//g" $FSTAB + sed -i 's;,\{0,1\}verify\(=[^,]*\)\{0,1\};;g' $FSTAB fi - # Just in case - $BINDIR/sepolicy-inject -Z init -P sepolicy - $BINDIR/sepolicy-inject -Z toolbox -P sepolicy - $BINDIR/sepolicy-inject -Z su_daemon -P sepolicy - # Fix Xposed - allow zygote app_data_file "dir file" "*" - allow zygote input_device "dir chr_file" "*" - allow untrusted_app untrusted_app capability setgid - allow "system_server system_app" "app_data_file" "file dir" "*" -fi + if (! $KEEPFORCEENCRYPT); then + sed -i "s/forceencrypt/encryptable/g" $FSTAB + sed -i "s/forcefdeorfbe/encryptable/g" $FSTAB + fi +done +rm verity_key 2>/dev/null + +# sepolicy patches +$BINDIR/sepolicy-inject --magisk -P sepolicy # Add new items mkdir -p magisk 2>/dev/null cp -af $INSTALLER/common/init.magisk.rc init.magisk.rc cp -af $INSTALLER/common/magic_mask.sh sbin/magic_mask.sh -cp -af $INSTALLER/common/magisk_wrapper.sh sbin/magisk_wrapper.sh -if (! $KEEPSUPERSU); then - cp -af $BINDIR/su $BINDIR/sepolicy-inject magisk -else - touch supersu -fi - -chmod 0755 magisk magisk/* -chmod 0750 init.magisk.rc sbin/magic_mask.sh sbin/magisk_wrapper.sh +chmod 0755 magisk +chmod 0750 init.magisk.rc sbin/magic_mask.sh ui_print "- Repacking boot image" repack_boot @@ -429,14 +466,8 @@ ORIGSIZE=$(ls -l $ORIGBOOT | awk '{print $5}') NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}') if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then ui_print "! Boot partition space insufficient" - ui_print "! Remove ramdisk backups and binaries" - rm -rf $RAMDISK/.backup $NEWBOOT $RAMDISK/magisk/* 2>/dev/null - if (! $KEEPSUPERSU); then - mkdir -p /cache/magisk - cp $BINDIR/su $BINDIR/sepolicy-inject /cache/magisk - chmod 755 /cache/magisk /cache/magisk/* - chcon 'u:object_r:system_file:s0' /cache/magisk /cache/magisk/* - fi + ui_print "! Try to remove ramdisk backups" + rm -rf $RAMDISK/.backup $NEWBOOT 2>/dev/null repack_boot NEWSIZE=$(ls -l $NEWBOOT | awk '{print $5}') if [ "$NEWSIZE" -gt "$ORIGSIZE" ]; then @@ -448,13 +479,18 @@ fi chmod 644 $NEWBOOT +if [ -L "$BOOTIMAGE" ]; then + ui_print "- Block symlink detected!" +else + dd if=/dev/zero of=$BOOTIMAGE bs=4096 2>/dev/null +fi ui_print "- Flashing new boot image" -dd if=/dev/zero of=$BOOTIMAGE bs=4096 2>/dev/null dd if=$NEWBOOT of=$BOOTIMAGE bs=4096 if (! $BOOTMODE); then + ui_print "- Unmounting partitions" umount /magisk - losetup -d $LOOPDEVICE + losetup -d $MAGISKLOOP umount /system fi diff --git a/zip_static/META-INF/com/google/android/updater-script b/zip_static/META-INF/com/google/android/updater-script index 67d290281..492be8329 100644 --- a/zip_static/META-INF/com/google/android/updater-script +++ b/zip_static/META-INF/com/google/android/updater-script @@ -1 +1 @@ -# this is a dummy file, the magic is in update-binary \ No newline at end of file +#MAGISK \ No newline at end of file diff --git a/zip_static/arm/su b/zip_static/arm/su deleted file mode 100644 index 7314e51e4..000000000 Binary files a/zip_static/arm/su and /dev/null differ diff --git a/zip_static/common/init.magisk.rc b/zip_static/common/init.magisk.rc index 6ca9532cc..89a135c23 100644 --- a/zip_static/common/init.magisk.rc +++ b/zip_static/common/init.magisk.rc @@ -2,57 +2,38 @@ on post-fs # Paths - export PATH /sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/su/bin:/magisk/.core/bin:/magisk/busybox/bin:/data/magisk - - # Start root - start phhsu - wait /dev/su 1 + export PATH /magisk/.core/bin:/sbin:/vendor/bin:/system/sbin:/system/bin:/magisk/.core/busybox:/system/xbin start magisk_pfs - wait /dev/unblock 20 - rmdir /dev/unblock + wait /dev/.magisk.unblock 20 + rm /dev/.magisk.unblock on post-fs-data - # Try to start root again in case post-fs failed - start phhsu - wait /dev/su 1 - start magisk_pfsd - wait /dev/unblock 20 - rmdir /dev/unblock + wait /dev/.magisk.unblock 40 + rm /dev/.magisk.unblock on property:magisk.root=* start magisk_root # Services -service phhsu /sbin/magisk_wrapper.sh phhsu - user root - seclabel u:r:su_daemon:s0 - oneshot - # launch post-fs script -service magisk_pfs /sbin/magisk_wrapper.sh post-fs +service magisk_pfs /sbin/magic_mask.sh post-fs user root - seclabel u:r:init:s0 + seclabel u:r:su:s0 oneshot # launch post-fs-data script -service magisk_pfsd /sbin/magisk_wrapper.sh post-fs-data +service magisk_pfsd /sbin/magic_mask.sh post-fs-data user root - seclabel u:r:init:s0 + seclabel u:r:su:s0 oneshot # launch late_start script -service magisk_service /sbin/magisk_wrapper.sh service +service magisk_service /sbin/magic_mask.sh service class late_start user root - seclabel u:r:init:s0 + seclabel u:r:su:s0 oneshot - -# root handling -service magisk_root /sbin/magisk_wrapper.sh root - user root - seclabel u:r:init:s0 - oneshot \ No newline at end of file diff --git a/zip_static/common/magic_mask.sh b/zip_static/common/magic_mask.sh index c00f0ac65..45e8f64e1 100644 --- a/zip_static/common/magic_mask.sh +++ b/zip_static/common/magic_mask.sh @@ -8,13 +8,14 @@ COREDIR=/magisk/.core DUMMDIR=$COREDIR/dummy MIRRDIR=$COREDIR/mirror -TMPDIR=/cache/tmp +TMPDIR=/dev/tmp -# Use the included busybox to do everything in all scripts for maximum compatibility +# Use the included busybox to do everything for maximum compatibility # We also do so because we rely on the option "-c" for cp (reserve contexts) + +# Reserve the original PATH +export OLDPATH=$PATH export PATH="/data/busybox:$PATH" -# Version info -setprop magisk.version 7 log_print() { echo $1 @@ -32,7 +33,7 @@ mktouch() { } unblock() { - mkdir -p /dev/unblock + touch /dev/.magisk.unblock exit } @@ -185,9 +186,12 @@ merge_image() { if ($OK); then # Merge (will reserve selinux contexts) - if [ `cp -afc /cache/merge_img/. /cache/data_img >/dev/null 2>&1; echo $?` -eq 0 ]; then - log_print "Merge complete" - fi + cd /cache/merge_img + for MOD in *; do + rm -rf /cache/data_img/$MOD + cp -afc $MOD /cache/data_img/ + done + log_print "Merge complete" fi umount /cache/data_img @@ -215,6 +219,15 @@ case $1 in chmod 644 $LOGFILE log_print "Magisk post-fs mode running..." + if [ -d "/cache/magisk_merge" ]; then + cd /cache/magisk_merge + for MOD in *; do + rm -rf /cache/magisk/$MOD + cp -afc $MOD /cache/magisk/ + done + rm -rf /cache/magisk_merge + fi + for MOD in /cache/magisk/* ; do if [ -f "$MOD/remove" ]; then log_print "Remove module: $MOD" @@ -244,6 +257,10 @@ case $1 in log_print "Magisk post-fs-data mode running..." + # Live patch sepolicy + /data/magisk/sepolicy-inject --live -s su + + # Cache support if [ -d "/cache/data_bin" ]; then rm -rf /data/busybox /data/magisk mkdir -p /data/busybox @@ -254,14 +271,15 @@ case $1 in # Prevent issues rm -f /data/busybox/su /data/busybox/sh fi - mv /cache/stock_boot.img /data 2>/dev/null + + chmod 644 $IMG /cache/magisk.img /data/magisk_merge.img 2>/dev/null # Handle image merging merge_image /cache/magisk.img merge_image /data/magisk_merge.img - # Mount /data image + # Mount magisk.img if [ `cat /proc/mounts | grep /magisk >/dev/null 2>&1; echo $?` -ne 0 ]; then loopsetup $IMG if [ ! -z "$LOOPDEVICE" ]; then @@ -274,13 +292,14 @@ case $1 in unblock fi - mkdir -p $DUMMDIR - mkdir -p $MIRRDIR/system - log_print "Preparing modules" # First do cleanups - rm -rf $DUMMDIR/* + rm -rf $DUMMDIR rmdir $(find /magisk -type d -depth ! -path "*core*" ) 2>/dev/null + rm -rf $COREDIR/bin + + mkdir -p $DUMMDIR + mkdir -p $MIRRDIR/system # Travel through all mods for MOD in /magisk/* ; do @@ -292,9 +311,11 @@ case $1 in fi done - # Proper permissions - find $DUMMDIR -type d -exec chmod 755 {} \; - find $DUMMDIR -type f -exec chmod 644 {} \; + # Proper permissions for generated items + chmod 755 $(find $COREDIR -type d) + chmod 644 $(find $COREDIR -type f) + find $COREDIR -type d -exec chmod 755 {} \; + find $COREDIR -type f -exec chmod 644 {} \; # linker(64), t*box, and app_process* are required if we need to dummy mount bin folder if [ -f "$TMPDIR/dummy/system/bin" ]; then @@ -303,7 +324,7 @@ case $1 in cp -afc linker* t*box app_process* $DUMMDIR/system/bin/ fi - # Shrink the image if possible + # Unmount, shrink, remount if [ `umount /magisk >/dev/null 2>&1; echo $?` -eq 0 ]; then losetup -d $LOOPDEVICE target_size_check $IMG @@ -323,8 +344,7 @@ case $1 in unblock fi - # Remove legacy phh root and crap folder - rm -rf /magisk/phh + # Remove crap folder rm -rf /magisk/lost+found # Start doing tasks @@ -350,9 +370,7 @@ case $1 in run_scripts post-fs-data # Bind hosts for Adblock apps - if [ ! -f "$COREDIR/hosts" ]; then - cp -afc /system/etc/hosts $COREDIR/hosts - fi + [ ! -f "$COREDIR/hosts" ] && cp -afc /system/etc/hosts $COREDIR/hosts log_print "Enabling systemless hosts file support" bind_mount $COREDIR/hosts /system/etc/hosts @@ -363,7 +381,7 @@ case $1 in # Stage 4 log_print "Bind mount mirror items" # Find all empty directores and dummy files, they should be mounted by original files in /system - find $DUMMDIR -type d -exec sh -c 'if [ -z "$(ls -A $1)" ]; then echo $1; fi' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do + find $DUMMDIR -type d -exec sh -c '[ -z "$(ls -A $1)" ] && echo $1' -- {} \; -o \( -type f -size 0 -print \) | while read ITEM ; do ORIG=${ITEM/dummy/mirror} TARGET=${ITEM#$DUMMDIR} bind_mount $ORIG $TARGET @@ -372,17 +390,13 @@ case $1 in # All done rm -rf $TMPDIR - if [ ! -f "/supersu" ]; then - # Expose root path - setprop magisk.supath /magisk/.core/bin - setprop magisk.root 1 - fi - unblock ;; service ) - rm -rf /cache/unblock + # Version info + setprop magisk.version 7 + rm -rf /dev/unblock* log_print "Magisk late_start service mode running..." run_scripts service ;; @@ -392,11 +406,10 @@ case $1 in ROOT=$(getprop magisk.root) if [ "$ROOT" -eq "1" ]; then log_print "Enabling root" - rm -f SUPATH - ln -s /data/magisk $SUPATH + ln -s $SUPATH /magisk/.core/bin else log_print "Disabling root" - rm -f SUPATH + rm -f /magisk/.core/bin fi ;; esac diff --git a/zip_static/common/magisk_wrapper.sh b/zip_static/common/magisk_wrapper.sh deleted file mode 100644 index be726f014..000000000 --- a/zip_static/common/magisk_wrapper.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/system/bin/sh - -BINDIR=/magisk/.core/bin - -# Find where's su binary -for DIR in /magisk /data/magisk /cache/magisk /su/bin; do - [ -f "$DIR/su" ] && break -done - -case $1 in - phhsu ) - if [ ! -d "/dev/su" ]; then - $DIR/sepolicy-inject --live --auto -s su - exec $DIR/su --daemon - fi - ;; - post-fs ) - # If su call fails, temporary switch to permissive (workaround) - # This workaround will not always work (e.g. Samsung stock boot images) - if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs" >/dev/null 2>&1; echo $?` -ne 0 ]; then - echo 0 > /sys/fs/selinux/enforce - /sbin/magic_mask.sh post-fs - echo 1 > /sys/fs/selinux/enforce - fi - ;; - post-fs-data ) - # su call shall always work - if [ `$DIR/su -c "/sbin/magic_mask.sh post-fs-data" >/dev/null 2>&1; echo $?` -ne 0 ]; then - /sbin/magic_mask.sh post-fs-data - fi - ;; - service ) - # su call shall always work - if [ `$DIR/su -c "/sbin/magic_mask.sh service" >/dev/null 2>&1; echo $?` -ne 0 ]; then - /sbin/magic_mask.sh service - fi - ;; - root ) - # This will only be used in phh root - $DIR/su -c "/sbin/magic_mask.sh root" - ;; -esac \ No newline at end of file diff --git a/zip_static/common/supatch.sh b/zip_static/common/supatch.sh deleted file mode 100644 index f3dba9144..000000000 --- a/zip_static/common/supatch.sh +++ /dev/null @@ -1,226 +0,0 @@ -#Extracted from global_macros -rw_socket_perms="ioctl read getattr write setattr lock append bind connect getopt setopt shutdown" -create_socket_perms="create $rw_socket_perms" -rw_stream_socket_perms="$rw_socket_perms listen accept" -create_stream_socket_perms="create $rw_stream_socket_perms" - -# bootimg.sh - -#allow -allow() { - [ -z "$1" -o -z "$2" -o -z "$3" ] && false - for s in $1;do - for t in $2;do - for c in $3;do - echo "allow ($s) ($t) ($c) ($4)" - if [ "$4" = "*" ]; then - $BINDIR/sepolicy-inject -s $s -t $t -c $c -P sepolicy >/dev/null 2>&1 - else - $BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $(echo $4|tr ' ' ',') -P sepolicy 2>/dev/null 2>&1 - fi - done - done - done -} - -noaudit() { - for s in $1;do - for t in $2;do - for p in $4;do - $BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $p -P sepolicy 2>/dev/null 2>&1 - done - done - done -} - -# su-communication - -#allowSuClient -allowSuClient() { - #All domain-s already have read access to rootfs - allow $1 rootfs file "execute_no_trans execute" #TODO: Why do I need execute?!? (on MTK 5.1, kernel 3.10) - allow $1 su_daemon unix_stream_socket "connectto getopt" - - allow $1 su_device dir "search read" - allow $1 su_device sock_file "read write" - allow su_daemon $1 "fd" "use" - - allow su_daemon $1 fifo_file "read write getattr ioctl" - - #Read /proc/callerpid/cmdline in from_init, drop? - #Requiring sys_ptrace sucks - allow su_daemon "$1" "dir" "search" - allow su_daemon "$1" "file" "read open" - allow su_daemon "$1" "lnk_file" "read" - allow su_daemon su_daemon "capability" "sys_ptrace" -} - -suDaemonTo() { - allow su_daemon $1 "process" "transition" - noaudit su_daemon $1 "process" "siginh rlimitinh noatsecure" -} - -suDaemonRights() { - allow su_daemon rootfs file "entrypoint" - - allow su_daemon su_daemon "dir" "search read" - allow su_daemon su_daemon "file" "read write open" - allow su_daemon su_daemon "lnk_file" "read" - allow su_daemon su_daemon "unix_dgram_socket" "create connect write" - allow su_daemon su_daemon "unix_stream_socket" "$create_stream_socket_perms" - - allow su_daemon devpts chr_file "read write open getattr" - #untrusted_app_devpts not in Android 4.4 - allow su_daemon untrusted_app_devpts chr_file "read write open getattr" || true - - allow su_daemon su_daemon "capability" "setuid setgid" - - #Access to /data/data/me.phh.superuser/xxx - allow su_daemon app_data_file "dir" "getattr search write add_name" - allow su_daemon app_data_file "file" "getattr read open lock" - - #FIXME: This shouldn't exist - #dac_override can be fixed by having pts_slave's fd forwarded over socket - #Instead of forwarding the name - allow su_daemon su_daemon "capability" "dac_override" - - allow su_daemon su_daemon "process" "fork sigchld" - - #toolbox needed for log - allow su_daemon toolbox_exec "file" "execute read open execute_no_trans" || true - - #Create /dev/me.phh.superuser. Could be done by init - allow su_daemon device "dir" "write add_name" - allow su_daemon su_device "dir" "create setattr remove_name add_name" - allow su_daemon su_device "sock_file" "create unlink" - - #Allow su daemon to start su apk - allow su_daemon zygote_exec "file" "execute read open execute_no_trans" - allow su_daemon zygote_exec "lnk_file" "read getattr" - - #Send request to APK - allow su_daemon su_device dir "search write add_name" - - #Allow su_daemon to switch to su or su_sensitive - allow su_daemon su_daemon "process" "setexec" - - #Allow su_daemon to execute a shell (every commands are supposed to go through a shell) - allow su_daemon shell_exec file "execute read open" - - allow su_daemon su_daemon "capability" "chown" - - suDaemonTo su -} - -# rights - -#In this file lies the real permissions of a process running in su - -suBind() { - #Allow to override /system/xbin/su - allow su_daemon su_exec "file" "mounton read" - - #We will create files in /dev/su/, they will be marked as su_device - allow su_daemon su_device "dir file lnk_file" "*" - allow su_daemon su_device "file" "relabelfrom" - allow su_daemon system_file "file" "relabelto" -} - -#This is the vital minimum for su to open a uid 0 shell -suRights() { - - #Admit su_daemon is meant to be god. - allow su_daemon su_daemon "capability" "sys_admin" - - allow servicemanager su "dir" "search read" - allow servicemanager su "file" "open read" - allow servicemanager su "process" "getattr" - allow servicemanager su "binder" "transfer" - [ "$API" -ge 20 ] && allow system_server su binder "call" -} - -suL9() { - allow su_daemon su_daemon "dir file lnk_file" "*" - allow su_daemon system_data_file "dir file lnk_file" "*" - allow su_daemon "labeledfs" filesystem "associate" - allow su_daemon su_daemon process setfscreate - allow su_daemon tmpfs filesystem associate - allow su_daemon su_daemon file relabelfrom - allow su_daemon system_file file mounton -} - -otherToSU() { - # allowLog - if allow su logd unix_dgram_socket "sendto";then - allow logd su dir "search" - allow logd su file "read open getattr" - fi - - # suBackL0 - [ "$API" -ge 20 ] && allow system_server su binder "call transfer" - #ES Explorer opens a sokcet - allow untrusted_app su unix_stream_socket "$rw_socket_perms connectto" - #Any domain is allowed to send su "sigchld" - #TODO: Have sepolicy-inject handle that - #allow "=domain" su process "sigchld" - allow surfaceflinger su "process" "sigchld" - - # suNetworkL0 - $BINDIR/sepolicy-inject -a netdomain -s su -P sepolicy - $BINDIR/sepolicy-inject -a bluetoothdomain -s su -P sepolicy - - # suBackL6 - #Used by CF.lumen (restarts surfaceflinger, and communicates with it) - #TODO: Add a rule to enforce surfaceflinger doesn't have dac_override - allow surfaceflinger app_data_file "dir file lnk_file" "*" - $BINDIR/sepolicy-inject -a mlstrustedsubject -s surfaceflinger -P sepolicy -} - -#Samsung specific -#Prevent system from loading policy -if $BINDIR/sepolicy-inject -e -s knox_system_app -P sepolicy;then - $BINDIR/sepolicy-inject --not -s init -t kernel -c security -p load_policy -P sepolicy - for i in policyloader_app system_server system_app installd init ueventd runas drsd debuggerd vold zygote auditd servicemanager itsonbs commonplatformappdomain;do - $BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c dir -p read,write -P sepolicy - $BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c file -p read,write -P sepolicy - done -fi - -#Create domains if they don't exist -$BINDIR/sepolicy-inject -z su -P sepolicy -$BINDIR/sepolicy-inject -z su_device -P sepolicy -$BINDIR/sepolicy-inject -z su_daemon -P sepolicy - -#Autotransition su's socket to su_device -$BINDIR/sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy -$BINDIR/sepolicy-inject -s su_daemon -f device -c dir -t su_device -P sepolicy -allow su_device tmpfs filesystem "associate" - -#Transition from untrusted_app to su_client -#TODO: other contexts want access to su? -allowSuClient shell -allowSuClient untrusted_app -allowSuClient platform_app -allowSuClient su - -#HTC Debug context requires SU -$BINDIR/sepolicy-inject -e -s ssd_tool -P sepolicy && allowSuClient ssd_tool - -#Allow init to execute su daemon/transition -allow init su_daemon process "transition" -noaudit init su_daemon process "rlimitinh siginh noatsecure" -suDaemonRights -suBind - -suRights -otherToSU - -#Need to set su_device/su as trusted to be accessible from other categories -$BINDIR/sepolicy-inject -a mlstrustedobject -s su_device -P sepolicy -$BINDIR/sepolicy-inject -a mlstrustedsubject -s su_daemon -P sepolicy -$BINDIR/sepolicy-inject -a mlstrustedsubject -s su -P sepolicy - -suL9 - -# Just in case :) -$BINDIR/sepolicy-inject -Z su -P sepolicy diff --git a/zip_static/roothelper/phh.prop b/zip_static/roothelper/phh.prop new file mode 100644 index 000000000..41af7f87e --- /dev/null +++ b/zip_static/roothelper/phh.prop @@ -0,0 +1,9 @@ +id=phh +name=phh's SuperUser +version=Root Helper +versionCode=1 +author=phhusson, topjohnwu +description=This is a helper, please upgrade from downloads section :) +support=http://forum.xda-developers.com/showthread.php?t=3216394 +donate=http://forum.xda-developers.com/donatetome.php?u=1915408 +cacheModule=false diff --git a/zip_static/roothelper/phh.sh b/zip_static/roothelper/phh.sh new file mode 100644 index 000000000..641d0446c --- /dev/null +++ b/zip_static/roothelper/phh.sh @@ -0,0 +1,37 @@ +#!/system/bin/sh + +LOGFILE=/cache/magisk.log + +log_print() { + echo $1 + echo "phh: $1" >> $LOGFILE + log -p i -t phh "$1" +} + +launch_daemonsu() { + export PATH=$OLDPATH + # Switch contexts + echo "u:r:su_daemon:s0" > /proc/self/attr/current + # Start daemon + exec /magisk/phh/bin/su --daemon +} + +log_print "Live patching sepolicy" +/magisk/phh/bin/sepolicy-inject --live + +# Expose the root path +log_print "Linking supath" +rm -rf /magisk/.core/bin +ln -s /magisk/phh/bin /magisk/.core/bin + +# Run su.d +for script in /magisk/phh/su.d/* ; do + if [ -f "$script" ]; then + chmod 755 $script + log_print "su.d: $script" + $script + fi +done + +log_print "Starting su daemon" +(launch_daemonsu &) diff --git a/zip_static/roothelper/post-fs-data.sh b/zip_static/roothelper/post-fs-data.sh new file mode 100644 index 000000000..7e1f9264f --- /dev/null +++ b/zip_static/roothelper/post-fs-data.sh @@ -0,0 +1,29 @@ +#!/system/bin/sh + +cd /magisk/00roothelper + +if [ -f "launch_daemonsu.sh" ]; then + # SuperSU mode + rm -rf /magisk/supersu /magisk/99supersu + mkdir -p /magisk/99supersu + cp supersu.sh /magisk/99supersu/post-fs-data.sh + cp supersu.prop /magisk/99supersu/module.prop + cp launch_daemonsu.sh /magisk/99supersu/launch_daemonsu.sh + chmod 755 /magisk/99supersu/* +else + # phh mode + if [ -f "/magisk/phh/su" ]]; then + # Old version detected + cp /magisk/phh/su su + rm -rf /magisk/phh + mkdir -p /magisk/phh/bin + mkdir -p /magisk/phh/su.d + cp su /magisk/phh/bin/su + cp /data/magisk/sepolicy-inject /magisk/phh/bin/sepolicy-inject + cp phh.sh /magisk/phh/post-fs-data.sh + cp phh.prop /magisk/phh/module.prop + chmod 755 /magisk/phh/* /magisk/phh/bin/* + fi +fi + +rm -rf /magisk/00roothelper diff --git a/zip_static/roothelper/supersu.prop b/zip_static/roothelper/supersu.prop new file mode 100644 index 000000000..5d407e4d1 --- /dev/null +++ b/zip_static/roothelper/supersu.prop @@ -0,0 +1,7 @@ +id=supersu +name=SuperSU Helper +version=v1 +versionCode=1 +author=topjohnwu +description=This is a helper module for Chainfire's SuperSU to work with Magisk +cacheModule=false diff --git a/zip_static/roothelper/supersu.sh b/zip_static/roothelper/supersu.sh new file mode 100644 index 000000000..2129b5529 --- /dev/null +++ b/zip_static/roothelper/supersu.sh @@ -0,0 +1,11 @@ +#!/system/bin/sh + +mount -o rw,remount rootfs / +mkdir /su 2>/dev/null +mount -o ro,remount rootfs / + +chmod 755 /magisk/99supersu/launch_daemonsu.sh +/magisk/99supersu/launch_daemonsu.sh post-fs-data + +rm -rf /magisk/.core/bin +ln -s /su/bin /magisk/.core/bin diff --git a/zip_static/x86/su b/zip_static/x86/su deleted file mode 100644 index 52196cb32..000000000 Binary files a/zip_static/x86/su and /dev/null differ