Add Magisk rules

This commit is contained in:
topjohnwu 2016-10-02 22:48:49 +08:00
parent f140f5f14b
commit 98cdee7f03
2 changed files with 73 additions and 5 deletions

View File

@ -284,7 +284,7 @@ void otherToSU() {
add_type("surfaceflinger", "mlstrustedsubject", policy);
}
void builtin_rules(policydb_t *policydb) {
void phh_rules(policydb_t *policydb) {
policy = policydb;
// Samsung specific
@ -306,6 +306,7 @@ void builtin_rules(policydb_t *policydb) {
// Transition from untrusted_app to su_client
allowSuClient("shell");
allowSuClient("untrusted_app");
allowSuClient("system_app");
allowSuClient("platform_app");
allowSuClient("su");
@ -327,4 +328,64 @@ void builtin_rules(policydb_t *policydb) {
add_type("su_device", "mlstrustedobject", policy);
add_type("su_daemon", "mlstrustedsubject", policy);
add_type("su", "mlstrustedsubject", policy);
}
void magisk_rules(policydb_t *policydb) {
policy = policydb;
setPermissive("su", 1);
setPermissive("init", 1);
add_type("su", "mlstrustedsubject", policy);
// Minimal to run Magisk script before live patching
allow("kernel", "su", "fd", "use");
allow("init", "su", "process", ALL);
allow("init", "system_file", "dir", ALL);
allow("init", "system_file", "lnk_file", ALL);
allow("init", "system_file", "file", ALL);
allow("su", "property_socket", "sock_file", "write");
allow("su", "shell_exec", "file", ALL);
allow("su", "init", "unix_stream_socket", "connectto");
allow("su", "su", "unix_dgram_socket", ALL);
allow("su", "su", "unix_stream_socket", ALL);
allow("su", "su", "process", ALL);
allow("su", "su", "capability", ALL);
allow("su", "su", "file", ALL);
allow("su", "su", "fifo_file", ALL);
allow("su", "su", "lnk_file", ALL);
allow("su", "su", "dir", ALL);
allow("su", "device", "file", ALL);
allow("su", "device", "dir", ALL);
allow("su", "storage_file", "file", ALL);
allow("su", "storage_file", "dir", ALL);
allow("su", "sysfs", "file", ALL);
allow("su", "sysfs", "dir", ALL);
allow("su", "block_device", "file", ALL);
allow("su", "block_device", "dir", ALL);
allow("su", "rootfs", "file", ALL);
allow("su", "rootfs", "dir", ALL);
allow("su", "toolbox_exec", "file", ALL);
allow("su", "toolbox_exec", "dir", ALL);
allow("su", "cache_file", "file", ALL);
allow("su", "cache_file", "dir", ALL);
allow("su", "system_file", "file", ALL);
allow("su", "system_file", "dir", ALL);
allow("su", "system_data_file", "file", ALL);
allow("su", "system_data_file", "dir", ALL);
allow("su", "kernel", "security", "read_policy");
allow("su", "kernel", "security", "load_policy");
allow("su", "selinuxfs", "file", ALL);
// Xposed
allow("untrusted_app", "untrusted_app", "capability", "setgid");
allow("system_server", "dex2oat_exec", "file", ALL);
// SuperSU
allow("init", "system_file", "file", "execute_no_trans");
allow("init", "su", "fd", "use");
allow("init", "kernel", "security", "read_policy");
allow("init", "kernel", "security", "load_policy");
}

View File

@ -23,7 +23,8 @@
#include <sepol/policydb/conditional.h>
#include <sepol/policydb/constraint.h>
extern void builtin_rules(policydb_t *policydb);
extern void phh_rules(policydb_t *policydb);
extern void magisk_rules(policydb_t *policydb);
void usage(char *arg0) {
fprintf(stderr, "%s -s <source type> -t <target type> -c <class> -p <perm_list> -P <policy file>\n", arg0);
@ -545,7 +546,7 @@ int main(int argc, char **argv)
{
char *policy = NULL, *source = NULL, *target = NULL, *class = NULL, *perm = NULL;
char *fcon = NULL, *outfile = NULL, *permissive = NULL, *attr = NULL, *filetrans = NULL;
int exists = 0, not = 0, live = 0, builtin = 0;
int exists = 0, not = 0, live = 0, builtin = 0, magisk = 0;
policydb_t policydb;
struct policy_file pf, outpf;
sidtab_t sidtab;
@ -569,6 +570,7 @@ int main(int argc, char **argv)
{"not-permissive", required_argument, NULL, 'z'},
{"not", no_argument, NULL, 0},
{"live", no_argument, NULL, 0},
{"magisk", no_argument, NULL, 0},
{NULL, 0, NULL, 0}
};
@ -580,6 +582,8 @@ int main(int argc, char **argv)
not = 1;
else if(strcmp(long_options[option_index].name, "live") == 0)
live = 1;
else if(strcmp(long_options[option_index].name, "magisk") == 0)
magisk = 1;
else
usage(argv[0]);
break;
@ -630,7 +634,7 @@ int main(int argc, char **argv)
}
// Use builtin rules if nothing specified
if (!source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
if (!magisk && !source && !target && !class && !perm && !permissive && !fcon && !attr &&!filetrans && !exists)
builtin = 1;
// Overwrite original if not specified
@ -653,7 +657,10 @@ int main(int argc, char **argv)
return 1;
if (builtin) {
builtin_rules(&policydb);
phh_rules(&policydb);
}
else if (magisk) {
magisk_rules(&policydb);
}
else if (permissive) {
type_datum_t *type;