MarcoBuster/Magisk
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Magisk/zip_static/common/supatch.sh
topjohnwu 88a97319cc Add zip static files
2016-09-14 10:31:13 +08:00

227 lines
7.5 KiB
Bash
Raw Blame History

#Extracted from global_macros
rw_socket_perms="ioctl read getattr write setattr lock append bind connect getopt setopt shutdown"
create_socket_perms="create $rw_socket_perms"
rw_stream_socket_perms="$rw_socket_perms listen accept"
create_stream_socket_perms="create $rw_stream_socket_perms"
# bootimg.sh
#allow <list of scontext> <list of tcontext> <class> <list of perm>
allow() {
[ -z "$1" -o -z "$2" -o -z "$3" ] && false
for s in $1;do
for t in $2;do
for c in $3;do
echo "allow ($s) ($t) ($c) ($4)"
if [ "$4" = "*" ]; then
$BINDIR/sepolicy-inject -s $s -t $t -c $c -P sepolicy >/dev/null 2>&1
else
$BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $(echo $4|tr ' ' ',') -P sepolicy 2>/dev/null 2>&1
fi
done
done
done
}
noaudit() {
for s in $1;do
for t in $2;do
for p in $4;do
$BINDIR/sepolicy-inject -s $s -t $t -c $3 -p $p -P sepolicy 2>/dev/null 2>&1
done
done
done
}
# su-communication
#allowSuClient <scontext>
allowSuClient() {
#All domain-s already have read access to rootfs
allow $1 rootfs file "execute_no_trans execute" #TODO: Why do I need execute?!? (on MTK 5.1, kernel 3.10)
allow $1 su_daemon unix_stream_socket "connectto getopt"
allow $1 su_device dir "search read"
allow $1 su_device sock_file "read write"
allow su_daemon $1 "fd" "use"
allow su_daemon $1 fifo_file "read write getattr ioctl"
#Read /proc/callerpid/cmdline in from_init, drop?
#Requiring sys_ptrace sucks
allow su_daemon "$1" "dir" "search"
allow su_daemon "$1" "file" "read open"
allow su_daemon "$1" "lnk_file" "read"
allow su_daemon su_daemon "capability" "sys_ptrace"
}
suDaemonTo() {
allow su_daemon $1 "process" "transition"
noaudit su_daemon $1 "process" "siginh rlimitinh noatsecure"
}
suDaemonRights() {
allow su_daemon rootfs file "entrypoint"
allow su_daemon su_daemon "dir" "search read"
allow su_daemon su_daemon "file" "read write open"
allow su_daemon su_daemon "lnk_file" "read"
allow su_daemon su_daemon "unix_dgram_socket" "create connect write"
allow su_daemon su_daemon "unix_stream_socket" "$create_stream_socket_perms"
allow su_daemon devpts chr_file "read write open getattr"
#untrusted_app_devpts not in Android 4.4
allow su_daemon untrusted_app_devpts chr_file "read write open getattr" || true
allow su_daemon su_daemon "capability" "setuid setgid"
#Access to /data/data/me.phh.superuser/xxx
allow su_daemon app_data_file "dir" "getattr search write add_name"
allow su_daemon app_data_file "file" "getattr read open lock"
#FIXME: This shouldn't exist
#dac_override can be fixed by having pts_slave's fd forwarded over socket
#Instead of forwarding the name
allow su_daemon su_daemon "capability" "dac_override"
allow su_daemon su_daemon "process" "fork sigchld"
#toolbox needed for log
allow su_daemon toolbox_exec "file" "execute read open execute_no_trans" || true
#Create /dev/me.phh.superuser. Could be done by init
allow su_daemon device "dir" "write add_name"
allow su_daemon su_device "dir" "create setattr remove_name add_name"
allow su_daemon su_device "sock_file" "create unlink"
#Allow su daemon to start su apk
allow su_daemon zygote_exec "file" "execute read open execute_no_trans"
allow su_daemon zygote_exec "lnk_file" "read getattr"
#Send request to APK
allow su_daemon su_device dir "search write add_name"
#Allow su_daemon to switch to su or su_sensitive
allow su_daemon su_daemon "process" "setexec"
#Allow su_daemon to execute a shell (every commands are supposed to go through a shell)
allow su_daemon shell_exec file "execute read open"
allow su_daemon su_daemon "capability" "chown"
suDaemonTo su
}
# rights
#In this file lies the real permissions of a process running in su
suBind() {
#Allow to override /system/xbin/su
allow su_daemon su_exec "file" "mounton read"
#We will create files in /dev/su/, they will be marked as su_device
allow su_daemon su_device "dir file lnk_file" "*"
allow su_daemon su_device "file" "relabelfrom"
allow su_daemon system_file "file" "relabelto"
}
#This is the vital minimum for su to open a uid 0 shell
suRights() {
#Admit su_daemon is meant to be god.
allow su_daemon su_daemon "capability" "sys_admin"
allow servicemanager su "dir" "search read"
allow servicemanager su "file" "open read"
allow servicemanager su "process" "getattr"
allow servicemanager su "binder" "transfer"
[ "$API" -ge 20 ] && allow system_server su binder "call"
}
suL9() {
allow su_daemon su_daemon "dir file lnk_file" "*"
allow su_daemon system_data_file "dir file lnk_file" "*"
allow su_daemon "labeledfs" filesystem "associate"
allow su_daemon su_daemon process setfscreate
allow su_daemon tmpfs filesystem associate
allow su_daemon su_daemon file relabelfrom
allow su_daemon system_file file mounton
}
otherToSU() {
# allowLog
if allow su logd unix_dgram_socket "sendto";then
allow logd su dir "search"
allow logd su file "read open getattr"
fi
# suBackL0
[ "$API" -ge 20 ] && allow system_server su binder "call transfer"
#ES Explorer opens a sokcet
allow untrusted_app su unix_stream_socket "$rw_socket_perms connectto"
#Any domain is allowed to send su "sigchld"
#TODO: Have sepolicy-inject handle that
#allow "=domain" su process "sigchld"
allow surfaceflinger su "process" "sigchld"
# suNetworkL0
$BINDIR/sepolicy-inject -a netdomain -s su -P sepolicy
$BINDIR/sepolicy-inject -a bluetoothdomain -s su -P sepolicy
# suBackL6
#Used by CF.lumen (restarts surfaceflinger, and communicates with it)
#TODO: Add a rule to enforce surfaceflinger doesn't have dac_override
allow surfaceflinger app_data_file "dir file lnk_file" "*"
$BINDIR/sepolicy-inject -a mlstrustedsubject -s surfaceflinger -P sepolicy
}
#Samsung specific
#Prevent system from loading policy
if $BINDIR/sepolicy-inject -e -s knox_system_app -P sepolicy;then
$BINDIR/sepolicy-inject --not -s init -t kernel -c security -p load_policy -P sepolicy
for i in policyloader_app system_server system_app installd init ueventd runas drsd debuggerd vold zygote auditd servicemanager itsonbs commonplatformappdomain;do
$BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c dir -p read,write -P sepolicy
$BINDIR/sepolicy-inject --not -s "$i" -t security_spota_file -c file -p read,write -P sepolicy
done
fi
#Create domains if they don't exist
$BINDIR/sepolicy-inject -z su -P sepolicy
$BINDIR/sepolicy-inject -z su_device -P sepolicy
$BINDIR/sepolicy-inject -z su_daemon -P sepolicy
#Autotransition su's socket to su_device
$BINDIR/sepolicy-inject -s su_daemon -f device -c file -t su_device -P sepolicy
$BINDIR/sepolicy-inject -s su_daemon -f device -c dir -t su_device -P sepolicy
allow su_device tmpfs filesystem "associate"
#Transition from untrusted_app to su_client
#TODO: other contexts want access to su?
allowSuClient shell
allowSuClient untrusted_app
allowSuClient platform_app
allowSuClient su
#HTC Debug context requires SU
$BINDIR/sepolicy-inject -e -s ssd_tool -P sepolicy && allowSuClient ssd_tool
#Allow init to execute su daemon/transition
allow init su_daemon process "transition"
noaudit init su_daemon process "rlimitinh siginh noatsecure"
suDaemonRights
suBind
suRights
otherToSU
#Need to set su_device/su as trusted to be accessible from other categories
$BINDIR/sepolicy-inject -a mlstrustedobject -s su_device -P sepolicy
$BINDIR/sepolicy-inject -a mlstrustedsubject -s su_daemon -P sepolicy
$BINDIR/sepolicy-inject -a mlstrustedsubject -s su -P sepolicy
suL9
# Just in case :)
$BINDIR/sepolicy-inject -Z su -P sepolicy
Reference in New Issue View Git Blame Copy Permalink