From 762b678d248eba29a709b35b035d407aa5ae943b Mon Sep 17 00:00:00 2001
From: topjohnwu
Date: Fri, 23 Nov 2018 20:59:14 -0500
Subject: [PATCH] Prevent any SELinux issues of root shell streams
---
 native/jni/magiskpolicy/rules.cpp | 13 +++++++------
 native/jni/su/su_daemon.cpp | 15 +++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/native/jni/magiskpolicy/rules.cpp b/native/jni/magiskpolicy/rules.cpp
index 67c9f1da8..87d3c8430 100644
--- a/native/jni/magiskpolicy/rules.cpp
+++ b/native/jni/magiskpolicy/rules.cpp
@@ -10,10 +10,6 @@ static void allowSuClient(const char *target) {
 sepol_allow(SEPOL_PROC_DOMAIN, target, "fd", "use");
 sepol_allow(SEPOL_PROC_DOMAIN, target, "fifo_file", ALL);
- // Allow access to magisk files
- sepol_allow(target, SEPOL_FILE_DOMAIN, "file", ALL);
- sepol_allow(target, SEPOL_FILE_DOMAIN, "dir", ALL);
-
 // Allow binder service
 sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "call");
 sepol_allow(target, SEPOL_PROC_DOMAIN, "binder", "transfer");
@@ -150,10 +146,15 @@ void sepol_magisk_rules() {
 sepol_allow(SEPOL_PROC_DOMAIN, ALL, "chr_file", ALL);
 sepol_allow(SEPOL_PROC_DOMAIN, ALL, "fifo_file", ALL);
+ // Super files
+ sepol_allow(ALL, SEPOL_FILE_DOMAIN, "file", ALL);
+ sepol_allow(ALL, SEPOL_FILE_DOMAIN, "dir", ALL);
+ sepol_allow(ALL, SEPOL_FILE_DOMAIN, "fifo_file", ALL);
+ sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", ALL);
+ sepol_allow(SEPOL_FILE_DOMAIN, ALL, "filesystem", "associate");
+
 // For changing attributes
 sepol_allow("rootfs", "tmpfs", "filesystem", "associate");
- sepol_allow(SEPOL_FILE_DOMAIN, "labeledfs", "filesystem", "associate");
- sepol_allow(SEPOL_FILE_DOMAIN, "tmpfs", "filesystem", "associate");
 // Xposed
 sepol_allow("untrusted_app", "untrusted_app", "capability", "setgid");
diff --git a/native/jni/su/su_daemon.cpp b/native/jni/su/su_daemon.cpp
index acd5b7943..98219541b 100644
--- a/native/jni/su/su_daemon.cpp
+++ b/native/jni/su/su_daemon.cpp
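Review bot: The `// Super files` rules added in the second rules.cpp hunk (sepol_magisk_rules) grant every source domain every permission on `file`, `dir`, `fifo_file` and `chr_file` objects of type `SEPOL_FILE_DOMAIN`, where the lines removed from allowSuClient() in the first hunk gave that access only to the su client targets. Going by the removed comment (`// Allow access to magisk files`), the same type presumably labels Magisk's own files as well, so after this change only DAC separates them from any other domain. If the aim is working shell streams, a narrower permission set on the stream classes is probably enough, e.g. `sepol_allow(ALL, SEPOL_FILE_DOMAIN, "chr_file", "read");` with matching `"write"`, `"getattr"` and `"ioctl"` lines; otherwise add a comment stating why `ALL` is required. sepol_magisk_rules() starts and ends outside the hunk.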
@@ -267,7 +267,6 @@ void su_daemon_handler(int client, struct ucred *credential) {
 int infd = recv_fd(client);
 int outfd = recv_fd(client);
 int errfd = recv_fd(client);
- int ptsfd = -1;
 if (pts_slave[0]) {
 LOGD("su: pts_slave=[%s]\n", pts_slave);
@@ -279,13 +278,10 @@ void su_daemon_handler(int client, struct ucred *credential) {
 if(st.st_uid != info->uid && info->uid != 0)
 LOGE("su: Wrong permission of pts_slave");
- // Set our pts_slave to devpts, same restriction as adb shell
- lsetfilecon(pts_slave, "u:object_r:devpts:s0");
-
 // Opening the TTY has to occur after the
 // fork() and setsid() so that it becomes
 // our controlling TTY and not the daemon's
- ptsfd = xopen(pts_slave, O_RDWR);
+ int ptsfd = xopen(pts_slave, O_RDWR);
 if (infd < 0)
 infd = ptsfd;
@@ -302,7 +298,14 @@ void su_daemon_handler(int client, struct ucred *credential) {
 xdup2(outfd, STDOUT_FILENO);
 xdup2(errfd, STDERR_FILENO);
- close(ptsfd);
+ // Unleash all streams from SELinux hell
+ setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
+ setfilecon("/proc/self/fd/1", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
+ setfilecon("/proc/self/fd/2", "u:object_r:" SEPOL_FILE_DOMAIN ":s0");
+
+ close(infd);
+ close(outfd);
+ close(errfd);
 close(client);
 // Handle namespaces
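Review bot: `ptsfd` is now local to the `if (pts_slave[0])` block in the `-279` hunk and no longer has its own `close()`, so it is released only when it has been copied into `infd`, `outfd` or `errfd`. If the client supplied all three descriptors the pts descriptor stays open and is inherited by whatever runs next, and if more than one stream fell back to it (only the `infd` fallback is visible; the others are presumably just outside the hunk) the `close(infd); close(outfd); close(errfd);` sequence in the `-302` hunk closes the same number repeatedly. Closing each distinct descriptor once would cover both, e.g. `if (outfd != infd) close(outfd);` and `if (errfd != infd && errfd != outfd) close(errfd);`, plus a `close(ptsfd)` inside the block when no stream took it. su_daemon_handler() starts and ends outside these hunks.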
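Review bot: The three `setfilecon("/proc/self/fd/N", ...)` calls in the `-302` hunk relabel whatever object backs the descriptors received from the client through `recv_fd`, not only the pts opened by the daemon, and their return values are ignored. If a requester passes a regular file or a shared device node as a stream, that object would presumably keep the `SEPOL_FILE_DOMAIN` label after the shell exits, and the rules.cpp part of this commit gives every domain all permissions on that type. Consider relabelling only the streams that fell back to the pts (or those an `fstat` shows to be a FIFO or character device) and logging failures, e.g. `if (setfilecon("/proc/self/fd/0", "u:object_r:" SEPOL_FILE_DOMAIN ":s0") < 0) LOGE("su: cannot relabel stdin\n");`.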