cba0d04000
The state of ROM A/B OTA addon.d-v2 support is an inconsistent mess currently: - LineageOS builds userdebug with permissive update_engine domain, OmniROM builds userdebug with a more restricted update_engine domain, and CarbonROM builds user with a hybrid closer to Omni's - addon.d-v2 scripts cannot function to the full extent they should when there is a more restricted update_engine domain sepolicy in place, which is likely why Lineage made update_engine completely permissive Evidence for the above: - many addon.d-v2 scripts only work (or fully work) on Lineage, see below - Magisk's addon.d-v2 script would work on Lineage without issue, but would work on Carbon and Omni only if further allow rules were added for basic things like "file read" and "dir search" suggesting these ROMs' addon.d-v2 is severely limited - Omni includes a /system/addon.d/69-gapps.sh script with the ROM itself (despite shipping without GApps), and with Magisk's more permissive sepolicy and no GApps installed it will remove important ROM files during OTA, resulting in a bootloop; the issue with shipping this script was therefore masked by Omni's overly restrictive update_engine sepolicy not allowing the script to function as intended The solution: - guarantee a consistent addon.d-v2 experience for users across ROMs when rooted with Magisk by making update_engine permissive as Lineage has - hopefully ROMs can work together to come up with something standard for unrooted addon.d-v2 function
210 lines
8.6 KiB
C++
210 lines
8.6 KiB
C++
#include <logging.h>
|
|
#include <flags.h>
|
|
|
|
#include "magiskpolicy.h"
|
|
#include "sepolicy.h"
|
|
|
|
static void allowSuClient(const char *target) {
|
|
if (!sepol_exists(target))
|
|
return;
|
|
sepol_allow(target, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
|
sepol_allow(target, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL);
|
|
|
|
// Allow binder service
|
|
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
|
|
sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
|
|
// Allow termios ioctl
|
|
sepol_allow(target, "devpts", "chr_file", "ioctl");
|
|
sepol_allow(target, "untrusted_app_devpts", "chr_file", "ioctl");
|
|
sepol_allow(target, "untrusted_app_25_devpts", "chr_file", "ioctl");
|
|
sepol_allow(target, "untrusted_app_all_devpts", "chr_file", "ioctl");
|
|
if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
|
|
sepol_allowxperm(target, "devpts", "chr_file", "0x5400-0x54FF");
|
|
sepol_allowxperm(target, "untrusted_app_devpts", "chr_file", "0x5400-0x54FF");
|
|
sepol_allowxperm(target, "untrusted_app_25_devpts", "chr_file", "0x5400-0x54FF");
|
|
sepol_allowxperm(target, "untrusted_app_all_devpts", "chr_file", "0x5400-0x54FF");
|
|
}
|
|
}
|
|
|
|
void sepol_magisk_rules() {
|
|
// Temp suppress warnings
|
|
auto bak = log_cb.w;
|
|
log_cb.w = nop_log;
|
|
|
|
// First prevent anything to change sepolicy except ourselves
|
|
sepol_deny(ALL, "kernel", "security", "load_policy");
|
|
|
|
if (!sepol_exists(SEPOL_PROC_DOMAIN))
|
|
sepol_create(SEPOL_PROC_DOMAIN);
|
|
if (!sepol_exists(SEPOL_FILE_DOMAIN))
|
|
sepol_create(SEPOL_FILE_DOMAIN);
|
|
sepol_permissive(SEPOL_PROC_DOMAIN);
|
|
|
|
sepol_attradd(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
|
|
sepol_attradd(SEPOL_PROC_DOMAIN, "netdomain");
|
|
sepol_attradd(SEPOL_PROC_DOMAIN, "bluetoothdomain");
|
|
sepol_attradd(SEPOL_FILE_DOMAIN, "mlstrustedobject");
|
|
|
|
// Let everyone access tmpfs files (for SAR sbin overlay)
|
|
sepol_allow(ALL, "tmpfs", "file", ALL);
|
|
|
|
// For normal rootfs file/directory operations when rw (for SAR / overlay)
|
|
sepol_allow("rootfs", "labeledfs", "filesystem", "associate");
|
|
|
|
// Let init transit to SEPOL_PROC_DOMAIN
|
|
sepol_allow("kernel", "kernel", "process", "setcurrent");
|
|
sepol_allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
|
|
|
|
// Let init run stuffs
|
|
sepol_allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
|
|
sepol_allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
|
|
sepol_allow("init", "tmpfs", "file", "getattr");
|
|
sepol_allow("init", "tmpfs", "file", "execute");
|
|
|
|
// Shell, properties, logs
|
|
if (sepol_exists("default_prop"))
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "default_prop", "property_service", "set");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "init", "unix_stream_socket", "connectto");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "rootfs", "filesystem", "remount");
|
|
if (sepol_exists("logd"))
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "logd", "unix_stream_socket", "connectto");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, SEPOL_PROC_DOMAIN, ALL, ALL);
|
|
|
|
// For sepolicy live patching
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "security", "read_policy");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "security", "load_policy");
|
|
|
|
// Allow these processes to access MagiskSU
|
|
allowSuClient("init");
|
|
allowSuClient("shell");
|
|
allowSuClient("system_app");
|
|
allowSuClient("priv_app");
|
|
allowSuClient("platform_app");
|
|
allowSuClient("untrusted_app");
|
|
allowSuClient("untrusted_app_25");
|
|
allowSuClient("untrusted_app_27");
|
|
allowSuClient("update_engine");
|
|
|
|
// suRights
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
|
|
sepol_allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "search");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "dir", "read");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "open");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "file", "read");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "process", "getattr");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "transfer");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "servicemanager", "binder", "call");
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");
|
|
|
|
// allowLog
|
|
sepol_allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
|
|
sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
|
|
sepol_allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");
|
|
|
|
// suBackL0
|
|
sepol_allow("system_server", SEPOL_PROC_DOMAIN, "binder", "call");
|
|
sepol_allow("system_server", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "call");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "system_server", "binder", "transfer");
|
|
|
|
// suBackL6
|
|
sepol_allow("surfaceflinger", "app_data_file", "dir", ALL);
|
|
sepol_allow("surfaceflinger", "app_data_file", "file", ALL);
|
|
sepol_allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
|
sepol_attradd("surfaceflinger", "mlstrustedsubject");
|
|
|
|
// suMiscL6
|
|
if (sepol_exists("audioserver"))
|
|
sepol_allow("audioserver", "audioserver", "process", "execmem");
|
|
|
|
// Liveboot
|
|
sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
|
sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "call");
|
|
sepol_allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
|
|
sepol_allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
|
|
|
// dumpsys
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");
|
|
|
|
// bootctl
|
|
sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
|
|
sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
|
|
sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
|
|
sepol_allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
|
|
// For mounting loop devices, mirrors, tmpfs
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "kernel", "process", "setsched");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "mount");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "labeledfs", "filesystem", "unmount");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "mount");
|
|
sepol_allow(SEPOL_PROC_DOMAIN, "tmpfs", "filesystem", "unmount");
|
|
sepol_allow("kernel", ALL, "file", "read");
|
|
sepol_allow("kernel", ALL, "file", "write");
|
|
|
|
// Allow us to do anything to any files/dir/links
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "file", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "dir", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "lnk_file", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "sock_file", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
|
|
sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
|
|
|
|
// Allow us to do any ioctl on all block devices
|
|
if (policydb->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
|
sepol_allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", "0x0000-0xFFFF");
|
|
|
|
// Allow all binder transactions
|
|
sepol_allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
|
|
|
|
// Super files
|
|
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
|
|
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
|
|
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
|
|
sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
|
|
sepol_allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");
|
|
|
|
// For changing attributes
|
|
sepol_allow("rootfs", "tmpfs", "filesystem", "associate");
|
|
|
|
// Xposed
|
|
sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
|
sepol_allow("system_server", "dex2oat_exec", "file", ALL);
|
|
|
|
// Support deodexed ROM on Oreo
|
|
sepol_allow("zygote", "dalvikcache_data_file", "file", "execute");
|
|
|
|
// Support deodexed ROM on Pie (Samsung)
|
|
sepol_allow("system_server", "dalvikcache_data_file", "file", "write");
|
|
sepol_allow("system_server", "dalvikcache_data_file", "file", "execute");
|
|
|
|
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
|
|
sepol_permissive("update_engine");
|
|
|
|
#ifdef MAGISK_DEBUG
|
|
// Remove all dontaudit in debug mode
|
|
avtab_ptr_t av;
|
|
avtab_for_each(&policydb->te_avtab, av, {
|
|
if (av->key.specified == AVTAB_AUDITDENY || av->key.specified == AVTAB_XPERMS_DONTAUDIT)
|
|
avtab_remove_node(&policydb->te_avtab, av);
|
|
})
|
|
#endif
|
|
|
|
log_cb.w = bak;
|
|
}
|