2020-06-17 10:17:28 +02:00
|
|
|
#include <utils.hpp>
|
2020-03-09 09:50:30 +01:00
|
|
|
#include <magiskpolicy.hpp>
|
2019-02-10 09:57:51 +01:00
|
|
|
|
2020-05-23 09:18:25 +02:00
|
|
|
#include "sepolicy.hpp"
|
2016-09-13 00:19:07 +02:00
|
|
|
|
2020-05-21 15:48:02 +02:00
|
|
|
void sepolicy::magisk_rules() {
|
2018-11-29 12:31:05 +01:00
|
|
|
// Temp suppress warnings
|
|
|
|
|
auto bak = log_cb.w;
|
|
|
|
|
log_cb.w = nop_log;
|
|
|
|
|
|
2020-07-06 10:13:50 +02:00
|
|
|
// This indicates API 26+
|
|
|
|
|
bool new_rules = exists("untrusted_app_25");
|
|
|
|
|
|
2020-05-25 11:30:39 +02:00
|
|
|
// Prevent anything to change sepolicy except ourselves
|
2020-05-21 15:48:02 +02:00
|
|
|
deny(ALL, "kernel", "security", "load_policy");
|
2018-09-20 22:55:16 +02:00
|
|
|
|
2020-05-25 11:30:39 +02:00
|
|
|
type(SEPOL_PROC_DOMAIN, "domain");
|
2020-06-04 08:29:42 +02:00
|
|
|
permissive(SEPOL_PROC_DOMAIN); /* Just in case something is missing */
|
2020-05-21 15:48:02 +02:00
|
|
|
typeattribute(SEPOL_PROC_DOMAIN, "mlstrustedsubject");
|
|
|
|
|
typeattribute(SEPOL_PROC_DOMAIN, "netdomain");
|
|
|
|
|
typeattribute(SEPOL_PROC_DOMAIN, "bluetoothdomain");
|
2020-07-06 10:13:50 +02:00
|
|
|
type(SEPOL_FILE_TYPE, "file_type");
|
2020-06-04 08:29:42 +02:00
|
|
|
typeattribute(SEPOL_FILE_TYPE, "mlstrustedobject");
|
|
|
|
|
|
|
|
|
|
// Make our root domain unconstrained
|
|
|
|
|
allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
|
|
|
|
|
// Allow us to do any ioctl on all block devices
|
|
|
|
|
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
|
|
|
|
allowxperm(SEPOL_PROC_DOMAIN, ALL, "blk_file", ALL);
|
|
|
|
|
|
|
|
|
|
// Create unconstrained file type
|
|
|
|
|
allow(ALL, SEPOL_FILE_TYPE, "file", ALL);
|
|
|
|
|
allow(ALL, SEPOL_FILE_TYPE, "dir", ALL);
|
|
|
|
|
allow(ALL, SEPOL_FILE_TYPE, "fifo_file", ALL);
|
|
|
|
|
allow(ALL, SEPOL_FILE_TYPE, "chr_file", ALL);
|
|
|
|
|
|
2020-07-06 10:13:50 +02:00
|
|
|
if (new_rules) {
|
|
|
|
|
type(SEPOL_CLIENT_DOMAIN, "domain");
|
|
|
|
|
type(SEPOL_EXEC_TYPE, "file_type");
|
|
|
|
|
|
|
|
|
|
// Basic su client needs
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, ALL, "fd", "use");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_CLIENT_DOMAIN, ALL, ALL);
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_EXEC_TYPE, "file", ALL);
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
|
|
|
|
|
|
|
|
|
// Allow su client termios ioctl
|
|
|
|
|
const char *pts[] {
|
|
|
|
|
"devpts", "untrusted_app_devpts",
|
|
|
|
|
"untrusted_app_25_devpts", "untrusted_app_all_devpts" };
|
|
|
|
|
for (auto type : pts) {
|
|
|
|
|
if (!exists(type))
|
|
|
|
|
continue;
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "read");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "write");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "getattr");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "chr_file", "ioctl");
|
2020-06-04 08:29:42 +02:00
|
|
|
allowxperm(SEPOL_CLIENT_DOMAIN, type, "chr_file", "0x5400-0x54FF");
|
2020-07-06 10:13:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Allow these processes to access MagiskSU
|
|
|
|
|
const char *clients[] {
|
|
|
|
|
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app",
|
|
|
|
|
"untrusted_app_25", "untrusted_app_27", "untrusted_app_29", "update_engine" };
|
|
|
|
|
for (auto type : clients) {
|
|
|
|
|
if (!exists(type))
|
|
|
|
|
continue;
|
|
|
|
|
// exec magisk
|
|
|
|
|
allow(type, SEPOL_EXEC_TYPE, "file", "read");
|
|
|
|
|
allow(type, SEPOL_EXEC_TYPE, "file", "open");
|
|
|
|
|
allow(type, SEPOL_EXEC_TYPE, "file", "getattr");
|
|
|
|
|
allow(type, SEPOL_EXEC_TYPE, "file", "execute");
|
|
|
|
|
|
|
|
|
|
// Auto transit to client domain
|
|
|
|
|
type_transition(type, SEPOL_EXEC_TYPE, "process", SEPOL_CLIENT_DOMAIN);
|
|
|
|
|
allow(type, SEPOL_CLIENT_DOMAIN, "process", "transition");
|
|
|
|
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "siginh");
|
|
|
|
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "rlimitinh");
|
|
|
|
|
dontaudit(type, SEPOL_CLIENT_DOMAIN, "process", "noatsecure");
|
|
|
|
|
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "process", "sigchld");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "read");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "write");
|
|
|
|
|
allow(SEPOL_CLIENT_DOMAIN, type, "fifo_file", "ioctl");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Allow system_server to manage magisk_client
|
|
|
|
|
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "getpgid");
|
|
|
|
|
allow("system_server", SEPOL_CLIENT_DOMAIN, "process", "sigkill");
|
|
|
|
|
|
|
|
|
|
// Don't allow pesky processes to monitor audit deny logs when poking magisk daemon sockets
|
|
|
|
|
dontaudit(ALL, SEPOL_PROC_DOMAIN, "unix_stream_socket", ALL);
|
|
|
|
|
} else {
|
|
|
|
|
// Fallback to poking holes in sandbox as Android 4.3 to 7.1 set PR_SET_NO_NEW_PRIVS
|
|
|
|
|
|
|
|
|
|
// Allow these processes to access MagiskSU
|
|
|
|
|
const char *clients[] {
|
|
|
|
|
"init", "shell", "system_app", "priv_app", "platform_app", "untrusted_app" };
|
|
|
|
|
for (auto type : clients) {
|
|
|
|
|
if (!exists(type))
|
|
|
|
|
continue;
|
|
|
|
|
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "connectto");
|
|
|
|
|
allow(type, SEPOL_PROC_DOMAIN, "unix_stream_socket", "getopt");
|
|
|
|
|
|
|
|
|
|
// Allow termios ioctl
|
|
|
|
|
const char *pts[] { "devpts", "untrusted_app_devpts" };
|
|
|
|
|
for (auto pts_type : pts) {
|
|
|
|
|
allow(type, pts_type, "chr_file", "ioctl");
|
|
|
|
|
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL)
|
|
|
|
|
allowxperm(type, pts_type, "chr_file", "0x5400-0x54FF");
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-04 08:29:42 +02:00
|
|
|
}
|
|
|
|
|
|
2019-06-26 08:31:59 +02:00
|
|
|
// Let everyone access tmpfs files (for SAR sbin overlay)
|
2020-05-21 15:48:02 +02:00
|
|
|
allow(ALL, "tmpfs", "file", ALL);
|
2019-06-26 08:31:59 +02:00
|
|
|
|
2020-06-04 08:29:42 +02:00
|
|
|
// For relabelling files
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("rootfs", "labeledfs", "filesystem", "associate");
|
2020-06-04 08:29:42 +02:00
|
|
|
allow(SEPOL_FILE_TYPE, "pipefs", "filesystem", "associate");
|
|
|
|
|
allow(SEPOL_FILE_TYPE, "devpts", "filesystem", "associate");
|
2019-07-04 22:02:36 +02:00
|
|
|
|
2019-04-30 02:26:51 +02:00
|
|
|
// Let init transit to SEPOL_PROC_DOMAIN
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("kernel", "kernel", "process", "setcurrent");
|
|
|
|
|
allow("kernel", SEPOL_PROC_DOMAIN, "process", "dyntransition");
|
2019-02-09 07:51:46 +01:00
|
|
|
|
2018-09-20 22:55:16 +02:00
|
|
|
// Let init run stuffs
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("kernel", SEPOL_PROC_DOMAIN, "fd", "use");
|
|
|
|
|
allow("init", SEPOL_PROC_DOMAIN, "process", ALL);
|
|
|
|
|
allow("init", "tmpfs", "file", "getattr");
|
|
|
|
|
allow("init", "tmpfs", "file", "execute");
|
2018-09-20 22:55:16 +02:00
|
|
|
|
2018-07-20 16:22:49 +02:00
|
|
|
// suRights
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "dir", "read");
|
|
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "open");
|
|
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "file", "read");
|
|
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
|
|
|
|
|
allow("servicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "process", "sigchld");
|
2018-09-11 17:04:46 +02:00
|
|
|
|
2016-09-13 00:19:07 +02:00
|
|
|
// allowLog
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("logd", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
|
|
|
allow("logd", SEPOL_PROC_DOMAIN, "file", "read");
|
|
|
|
|
allow("logd", SEPOL_PROC_DOMAIN, "file", "open");
|
|
|
|
|
allow("logd", SEPOL_PROC_DOMAIN, "file", "getattr");
|
2016-09-13 00:19:07 +02:00
|
|
|
|
|
|
|
|
// suBackL6
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("surfaceflinger", "app_data_file", "dir", ALL);
|
|
|
|
|
allow("surfaceflinger", "app_data_file", "file", ALL);
|
|
|
|
|
allow("surfaceflinger", "app_data_file", "lnk_file", ALL);
|
|
|
|
|
typeattribute("surfaceflinger", "mlstrustedsubject");
|
2016-11-02 18:20:35 +01:00
|
|
|
|
|
|
|
|
// suMiscL6
|
2020-05-25 11:30:39 +02:00
|
|
|
allow("audioserver", "audioserver", "process", "execmem");
|
2017-06-07 05:42:51 +02:00
|
|
|
|
|
|
|
|
// Liveboot
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
|
|
|
|
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
|
|
|
|
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "binder", "call");
|
|
|
|
|
allow("surfaceflinger", SEPOL_PROC_DOMAIN, "fd", "use");
|
|
|
|
|
allow("debuggerd", SEPOL_PROC_DOMAIN, "process", "ptrace");
|
2017-11-28 23:09:35 +01:00
|
|
|
|
|
|
|
|
// dumpsys
|
2020-05-21 15:48:02 +02:00
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "fd", "use");
|
|
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "write");
|
|
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "read");
|
|
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "open");
|
|
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "fifo_file", "getattr");
|
2018-07-20 16:22:49 +02:00
|
|
|
|
|
|
|
|
// bootctl
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "dir", "search");
|
|
|
|
|
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "read");
|
|
|
|
|
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "file", "open");
|
|
|
|
|
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "process", "getattr");
|
|
|
|
|
allow("hwservicemanager", SEPOL_PROC_DOMAIN, "binder", "transfer");
|
2017-11-28 23:09:35 +01:00
|
|
|
|
2017-12-31 12:20:49 +01:00
|
|
|
// For mounting loop devices, mirrors, tmpfs
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("kernel", ALL, "file", "read");
|
|
|
|
|
allow("kernel", ALL, "file", "write");
|
2017-03-29 20:02:39 +02:00
|
|
|
|
2019-02-02 19:24:55 +01:00
|
|
|
// Allow all binder transactions
|
2020-05-21 15:48:02 +02:00
|
|
|
allow(ALL, SEPOL_PROC_DOMAIN, "binder", ALL);
|
2019-02-02 19:24:55 +01:00
|
|
|
|
2020-05-25 11:30:39 +02:00
|
|
|
// For changing file context
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("rootfs", "tmpfs", "filesystem", "associate");
|
2017-07-13 18:49:40 +02:00
|
|
|
|
2016-10-02 16:48:49 +02:00
|
|
|
// Xposed
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("untrusted_app", "untrusted_app", "capability", "setgid");
|
|
|
|
|
allow("system_server", "dex2oat_exec", "file", ALL);
|
2018-07-06 19:36:57 +02:00
|
|
|
|
|
|
|
|
// Support deodexed ROM on Oreo
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("zygote", "dalvikcache_data_file", "file", "execute");
|
2018-08-03 16:40:49 +02:00
|
|
|
|
2019-02-17 16:34:22 +01:00
|
|
|
// Support deodexed ROM on Pie (Samsung)
|
2020-05-21 15:48:02 +02:00
|
|
|
allow("system_server", "dalvikcache_data_file", "file", "write");
|
|
|
|
|
allow("system_server", "dalvikcache_data_file", "file", "execute");
|
2019-09-19 16:53:05 +02:00
|
|
|
|
|
|
|
|
// Allow update_engine/addon.d-v2 to run permissive on all ROMs
|
2020-05-21 15:48:02 +02:00
|
|
|
permissive("update_engine");
|
2018-11-29 12:28:37 +01:00
|
|
|
|
2019-11-23 23:18:55 +01:00
|
|
|
#if 0
|
2019-04-30 02:26:51 +02:00
|
|
|
// Remove all dontaudit in debug mode
|
2020-05-23 09:18:25 +02:00
|
|
|
impl->strip_dontaudit();
|
2019-04-30 02:26:51 +02:00
|
|
|
#endif
|
2018-11-29 12:31:05 +01:00
|
|
|
|
|
|
|
|
log_cb.w = bak;
|
2017-04-15 20:29:42 +02:00
|
|
|
}
|
