Magisk/main.c

#include "sepolicy-inject.h"

static void usage(char *arg0) {
	fprintf(stderr, "%s [--live] [--minimal] [--load <infile>] [--save <outfile>] [policystatement...]\n\n", arg0);
	fprintf(stderr, "Supported policy statements:\n\n");
	fprintf(stderr, "\"allow source-class target-class permission-class permission\"\n");
	fprintf(stderr, "\"deny source-class target-class permission-class permission\"\n");
	fprintf(stderr, "\"permissive class\"\n");
	fprintf(stderr, "\"enforcing class\"\n");
	fprintf(stderr, "\"attradd class attribute\"\n");
	fprintf(stderr, "\n");
	exit(1);
}

// Pattern 1: action { source } { target } class { permission }
static int parse_pattern_1(int action, char* statement) {
	int state = 0, in_bracket = 0;
	char *tok, *class;
	struct vector source, target, permission, *temp;
	vec_init(&source);
	vec_init(&target);
	vec_init(&permission);
	tok = strtok(statement, " ");
	while (tok != NULL) {
		if (tok[0] == '{') {
			if (in_bracket || state == 2) return 1;
			in_bracket = 1;
			if (tok[1]) {
				++tok;
				continue;
			}
		} else if (tok[strlen(tok) - 1] == '}') {
			if (!in_bracket || state == 2) return 1;
			in_bracket = 0;
			if (strlen(tok) - 1) {
				tok[strlen(tok) - 1] = '\0';
				continue;
			}
		} else {
			if (tok[0] == '*') tok = ALL;
			switch (state) {
				case 0:
					temp = &source;
					break;
				case 1:
					temp = &target;
					break;
				case 2:
					temp = NULL;
					class = tok;
					break;
				case 3:
					temp = &permission;
					break;
				default:
					return 1;
			}
			vec_push_back(temp, tok);
		}
		if (!in_bracket) ++state;
		tok = strtok(NULL, " ");
	}
	if (state != 4) return 1;
	for(int i = 0; i < source.size; ++i)
		for (int j = 0; j < target.size; ++j)
			for (int k = 0; k < permission.size; ++k)
				switch (action) {
					case 0:
						allow(source.data[i], target.data[j], class, permission.data[k]);
						break;
					case 1:
						deny(source.data[i], target.data[j], class, permission.data[k]);
						break;
					case 2:
						auditallow(source.data[i], target.data[j], class, permission.data[k]);
						break;
					case 3:
						auditdeny(source.data[i], target.data[j], class, permission.data[k]);
						break;
					default:
						return 1;
				}
	vec_destroy(&source);
	vec_destroy(&target);
	vec_destroy(&permission);
	return 0;
}

int main(int argc, char *argv[]) {
	char *infile = NULL, *outfile, *tok, cpy[ARG_MAX];
	int live = 0, minimal = 0;
	struct vector rules;

	vec_init(&rules);

	if (argc < 2) usage(argv[0]);
	for (int i = 1; i < argc; ++i) {
		if (argv[i][0] == '-' && argv[i][1] == '-') {
			if (strcmp(argv[i], "--live") == 0)
				live = 1;
			else if (strcmp(argv[i], "--minimal") == 0)
				minimal = 1;
			else if (strcmp(argv[i], "--load") == 0) {
				if (i + 1 >= argc) usage(argv[0]);
				infile = argv[i + 1];
				i += 1;
			} else if (strcmp(argv[i], "--save") == 0) {
				if (i + 1 >= argc) usage(argv[0]);
				outfile = argv[i + 1];
				i += 1;
			} else 
				usage(argv[0]);
		} else
			vec_push_back(&rules, argv[i]);
	}

	policydb_t policydb;
	struct policy_file pf;
	sidtab_t sidtab;

	// Use current policy if not specified
	if(!infile)
		infile = "/sys/fs/selinux/policy";

	sepol_set_policydb(&policydb);
	sepol_set_sidtab(&sidtab);

	if (load_policy(infile, &policydb, &pf)) {
		fprintf(stderr, "Could not load policy\n");
		return 1;
	}

	if (policydb_load_isids(&policydb, &sidtab))
		return 1;

	policy = &policydb;

	if (!minimal && rules.size == 0) su_rules();
	if (minimal) min_rules();

	for (int i = 0; i < rules.size; ++i) {
		// Since strtok will modify the origin string, copy the policy for error messages
		strcpy(cpy, rules.data[i]);
		tok = strtok(rules.data[i], " ");
		if (strcmp(tok, "allow") == 0) {
			if (parse_pattern_1(0, rules.data[i] + strlen(tok) + 1))
				printf("Syntax error in \"%s\"\n", cpy);
		} else if (strcmp(tok, "deny") == 0) {
			if (parse_pattern_1(1, rules.data[i] + strlen(tok) + 1))
				printf("Syntax error in \"%s\"\n", cpy);
		} else if (strcmp(tok, "auditallow") == 0) {
			if (parse_pattern_1(2, rules.data[i] + strlen(tok) + 1))
				printf("Syntax error in \"%s\"\n", cpy);
		} else if (strcmp(tok, "auditdeny") == 0) {
			if (parse_pattern_1(3, rules.data[i] + strlen(tok) + 1))
				printf("Syntax error in \"%s\"\n", cpy);
		}
	}

	vec_destroy(&rules);

	if (live) 
		outfile = "/sys/fs/selinux/load";

	if (outfile) {
		int fd, ret;
		void *data = NULL;
		size_t len;
		policydb_to_image(NULL, policy, &data, &len);
		if (data == NULL) fprintf(stderr, "Error!");

		fd = open(outfile, O_RDWR | O_CREAT);
		if (fd < 0) {
			fprintf(stderr, "Can't open '%s':  %s\n",
			        outfile, strerror(errno));
			return 1;
		}
		ret = write(fd, data, len);
		close(fd);
		if (ret < 0) {
			fprintf(stderr, "Could not write policy to %s\n",
			        outfile);
			return 1;
		}
	}

	policydb_destroy(&policydb);
	return 0;
}
Project restructure 2017-01-31 17:51:45 +01:00			`#include "sepolicy-inject.h"`

			`static void usage(char *arg0) {`
Whole new command-line 2017-02-03 18:58:15 +01:00			`fprintf(stderr, "%s [--live] [--minimal] [--load <infile>] [--save <outfile>] [policystatement...]\n\n", arg0);`
			`fprintf(stderr, "Supported policy statements:\n\n");`
			`fprintf(stderr, "\"allow source-class target-class permission-class permission\"\n");`
			`fprintf(stderr, "\"deny source-class target-class permission-class permission\"\n");`
			`fprintf(stderr, "\"permissive class\"\n");`
			`fprintf(stderr, "\"enforcing class\"\n");`
			`fprintf(stderr, "\"attradd class attribute\"\n");`
			`fprintf(stderr, "\n");`
Project restructure 2017-01-31 17:51:45 +01:00			`exit(1);`
			`}`

Whole new command-line 2017-02-03 18:58:15 +01:00			`// Pattern 1: action { source } { target } class { permission }`
			`static int parse_pattern_1(int action, char* statement) {`
			`int state = 0, in_bracket = 0;`
			`char tok, class;`
			`struct vector source, target, permission, *temp;`
			`vec_init(&source);`
			`vec_init(&target);`
			`vec_init(&permission);`
			`tok = strtok(statement, " ");`
			`while (tok != NULL) {`
			`if (tok[0] == '{') {`
			`if (in_bracket \|\| state == 2) return 1;`
			`in_bracket = 1;`
			`if (tok[1]) {`
			`++tok;`
			`continue;`
Project restructure 2017-01-31 17:51:45 +01:00			`}`
Whole new command-line 2017-02-03 18:58:15 +01:00			`} else if (tok[strlen(tok) - 1] == '}') {`
			`if (!in_bracket \|\| state == 2) return 1;`
			`in_bracket = 0;`
			`if (strlen(tok) - 1) {`
			`tok[strlen(tok) - 1] = '\0';`
			`continue;`
			`}`
			`} else {`
			`if (tok[0] == '*') tok = ALL;`
			`switch (state) {`
			`case 0:`
			`temp = &source;`
			`break;`
			`case 1:`
			`temp = &target;`
			`break;`
			`case 2:`
			`temp = NULL;`
			`class = tok;`
			`break;`
			`case 3:`
			`temp = &permission;`
			`break;`
			`default:`
			`return 1;`
			`}`
			`vec_push_back(temp, tok);`
			`}`
			`if (!in_bracket) ++state;`
			`tok = strtok(NULL, " ");`
Project restructure 2017-01-31 17:51:45 +01:00			`}`
Whole new command-line 2017-02-03 18:58:15 +01:00			`if (state != 4) return 1;`
			`for(int i = 0; i < source.size; ++i)`
			`for (int j = 0; j < target.size; ++j)`
			`for (int k = 0; k < permission.size; ++k)`
			`switch (action) {`
			`case 0:`
			`allow(source.data[i], target.data[j], class, permission.data[k]);`
			`break;`
			`case 1:`
			`deny(source.data[i], target.data[j], class, permission.data[k]);`
			`break;`
			`case 2:`
			`auditallow(source.data[i], target.data[j], class, permission.data[k]);`
			`break;`
			`case 3:`
			`auditdeny(source.data[i], target.data[j], class, permission.data[k]);`
			`break;`
			`default:`
			`return 1;`
			`}`
			`vec_destroy(&source);`
			`vec_destroy(&target);`
			`vec_destroy(&permission);`
			`return 0;`
			`}`
Project restructure 2017-01-31 17:51:45 +01:00
Whole new command-line 2017-02-03 18:58:15 +01:00			`int main(int argc, char *argv[]) {`
			`char infile = NULL, outfile, *tok, cpy[ARG_MAX];`
			`int live = 0, minimal = 0;`
			`struct vector rules;`

			`vec_init(&rules);`

			`if (argc < 2) usage(argv[0]);`
			`for (int i = 1; i < argc; ++i) {`
			`if (argv[i][0] == '-' && argv[i][1] == '-') {`
			`if (strcmp(argv[i], "--live") == 0)`
			`live = 1;`
			`else if (strcmp(argv[i], "--minimal") == 0)`
			`minimal = 1;`
			`else if (strcmp(argv[i], "--load") == 0) {`
			`if (i + 1 >= argc) usage(argv[0]);`
			`infile = argv[i + 1];`
			`i += 1;`
			`} else if (strcmp(argv[i], "--save") == 0) {`
			`if (i + 1 >= argc) usage(argv[0]);`
			`outfile = argv[i + 1];`
			`i += 1;`
			`} else`
			`usage(argv[0]);`
			`} else`
			`vec_push_back(&rules, argv[i]);`
			`}`
Project restructure 2017-01-31 17:51:45 +01:00
Whole new command-line 2017-02-03 18:58:15 +01:00			`policydb_t policydb;`
			`struct policy_file pf;`
			`sidtab_t sidtab;`
Project restructure 2017-01-31 17:51:45 +01:00
			`// Use current policy if not specified`
			`if(!infile)`
			`infile = "/sys/fs/selinux/policy";`

			`sepol_set_policydb(&policydb);`
			`sepol_set_sidtab(&sidtab);`

			`if (load_policy(infile, &policydb, &pf)) {`
			`fprintf(stderr, "Could not load policy\n");`
			`return 1;`
			`}`

			`if (policydb_load_isids(&policydb, &sidtab))`
			`return 1;`

			`policy = &policydb;`

Whole new command-line 2017-02-03 18:58:15 +01:00			`if (!minimal && rules.size == 0) su_rules();`
			`if (minimal) min_rules();`

			`for (int i = 0; i < rules.size; ++i) {`
			`// Since strtok will modify the origin string, copy the policy for error messages`
			`strcpy(cpy, rules.data[i]);`
			`tok = strtok(rules.data[i], " ");`
			`if (strcmp(tok, "allow") == 0) {`
			`if (parse_pattern_1(0, rules.data[i] + strlen(tok) + 1))`
			`printf("Syntax error in \"%s\"\n", cpy);`
			`} else if (strcmp(tok, "deny") == 0) {`
			`if (parse_pattern_1(1, rules.data[i] + strlen(tok) + 1))`
			`printf("Syntax error in \"%s\"\n", cpy);`
			`} else if (strcmp(tok, "auditallow") == 0) {`
			`if (parse_pattern_1(2, rules.data[i] + strlen(tok) + 1))`
			`printf("Syntax error in \"%s\"\n", cpy);`
			`} else if (strcmp(tok, "auditdeny") == 0) {`
			`if (parse_pattern_1(3, rules.data[i] + strlen(tok) + 1))`
			`printf("Syntax error in \"%s\"\n", cpy);`
Project restructure 2017-01-31 17:51:45 +01:00			`}`
Whole new command-line 2017-02-03 18:58:15 +01:00			`}`
Project restructure 2017-01-31 17:51:45 +01:00
Whole new command-line 2017-02-03 18:58:15 +01:00			`vec_destroy(&rules);`
Project restructure 2017-01-31 17:51:45 +01:00
Whole new command-line 2017-02-03 18:58:15 +01:00			`if (live)`
			`outfile = "/sys/fs/selinux/load";`
Project restructure 2017-01-31 17:51:45 +01:00
			`if (outfile) {`
Whole new command-line 2017-02-03 18:58:15 +01:00			`int fd, ret;`
			`void *data = NULL;`
			`size_t len;`
			`policydb_to_image(NULL, policy, &data, &len);`
			`if (data == NULL) fprintf(stderr, "Error!");`

			`fd = open(outfile, O_RDWR \| O_CREAT);`
			`if (fd < 0) {`
			`fprintf(stderr, "Can't open '%s': %s\n",`
			`outfile, strerror(errno));`
Project restructure 2017-01-31 17:51:45 +01:00			`return 1;`
			`}`
Whole new command-line 2017-02-03 18:58:15 +01:00			`ret = write(fd, data, len);`
			`close(fd);`
			`if (ret < 0) {`
			`fprintf(stderr, "Could not write policy to %s\n",`
			`outfile);`
Project restructure 2017-01-31 17:51:45 +01:00			`return 1;`
			`}`
			`}`

			`policydb_destroy(&policydb);`
			`return 0;`
			`}`