android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

kernel: add prefix for functions in sepolicy (#49)

Browse Source 
* kernel: add prefix for functions in sepolicy

* ci: fix 5.15 compile error
This commit is contained in:
Ylarod
2023-01-13 20:05:52 +08:00
committed by GitHub
parent dd905a1852
commit 177d6dba15
4 changed files with 115 additions and 108 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
kernel/selinux/Makefile
View File

@@ -4,6 +4,6 @@ obj-y += rules.o
ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement
ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement -Wno-unused-function
ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
ccflags-y += -I$(objtree)/security/selinux

66
kernel/selinux/rules.c
View File

@@ -31,61 +31,61 @@ void apply_kernelsu_rules()
db = &ss->policydb;
#endif
permissive(db, KERNEL_SU_DOMAIN);
typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
ksu_permissive(db, KERNEL_SU_DOMAIN);
ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
ksu_typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
ksu_typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
// allow all!
allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
ksu_allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
// allow us do any ioctl
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
}
// we need to save allowlist in /data/adb
allow(db, "kernel", "adb_data_file", "dir", ALL);
allow(db, "kernel", "adb_data_file", "file", ALL);
ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
// we may need to do mount on shell
allow(db, "kernel", "shell_data_file", "file", ALL);
ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
// our ksud triggered by init
allow(db, "init", "adb_data_file", "file", "execute");
allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
ksu_allow(db, "init", "adb_data_file", "file", "execute");
ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
// copied from Magisk rules
// suRights
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
// allowLog
allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
// dumpsys
allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
// bootctl
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
// Allow all binder transactions
allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
rcu_read_unlock();
}

92
kernel/selinux/sepolicy.c
View File

@@ -2,6 +2,38 @@
#include "sepolicy.h"
#include "../klog.h"
//////////////////////////////////////////////////////
// Declaration
//////////////////////////////////////////////////////
static struct avtab_node* get_avtab_node(struct policydb* db, struct avtab_key *key, struct avtab_extended_perms *xperms);
static bool add_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *p, int effect, bool invert);
static void add_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt, struct class_datum *cls, struct perm_datum *perm, int effect, bool invert);
static void add_xperm_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt,
struct class_datum *cls, uint16_t low, uint16_t high, int effect, bool invert);
static bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *range, int effect, bool invert);
static bool add_type_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *d, int effect);
static bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
static bool add_genfscon(const char *fs_name, const char *path, const char *context);
static bool add_type(struct policydb* db, const char *type_name, bool attr);
static bool set_type_state(struct policydb* db, const char *type_name, bool permissive);
static void add_typeattribute_raw(struct policydb* db, struct type_datum *type, struct type_datum *attr);
static bool add_typeattribute(struct policydb* db, const char *type, const char *attr);
//////////////////////////////////////////////////////
// Implementation
//////////////////////////////////////////////////////
// Invert is adding rules for auditdeny; in other cases, invert is removing rules
#define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
@@ -27,7 +59,7 @@
hash_for_each (avtab.htable, avtab.nslot, cur) \
;
struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *key,
static struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *key,
struct avtab_extended_perms *xperms)
{
struct avtab_node *node;
@@ -81,7 +113,7 @@ struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *key,
return node;
}
bool add_rule(struct policydb *db, const char *s, const char *t, const char *c,
static bool add_rule(struct policydb *db, const char *s, const char *t, const char *c,
const char *p, int effect, bool invert)
{
struct type_datum *src = NULL, *tgt = NULL;
@@ -132,7 +164,7 @@ bool add_rule(struct policydb *db, const char *s, const char *t, const char *c,
return true;
}
void add_rule_raw(struct policydb *db, struct type_datum *src,
static void add_rule_raw(struct policydb *db, struct type_datum *src,
struct type_datum *tgt, struct class_datum *cls,
struct perm_datum *perm, int effect, bool invert)
{
@@ -214,7 +246,7 @@ void add_rule_raw(struct policydb *db, struct type_datum *src,
#define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f)))
#define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f)))
void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
struct type_datum *tgt, struct class_datum *cls,
uint16_t low, uint16_t high, int effect, bool invert)
{
@@ -306,7 +338,7 @@ void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
}
}
bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
static bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
const char *c, const char *range, int effect, bool invert)
{
struct type_datum *src = NULL, *tgt = NULL;
@@ -354,7 +386,7 @@ bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
return true;
}
bool add_type_rule(struct policydb *db, const char *s, const char *t,
static bool add_type_rule(struct policydb *db, const char *s, const char *t,
const char *c, const char *d, int effect)
{
struct type_datum *src, *tgt, *def;
@@ -393,23 +425,23 @@ bool add_type_rule(struct policydb *db, const char *s, const char *t,
return true;
}
bool add_filename_trans(const char *s, const char *t, const char *c,
static bool add_filename_trans(const char *s, const char *t, const char *c,
const char *d, const char *o)
{
return false;
}
bool add_genfscon(const char *fs_name, const char *path, const char *context)
static bool add_genfscon(const char *fs_name, const char *path, const char *context)
{
return false;
}
bool add_type(struct policydb *db, const char *type_name, bool attr)
static bool add_type(struct policydb *db, const char *type_name, bool attr)
{
return false;
}
bool set_type_state(struct policydb *db, const char *type_name, bool permissive)
static bool set_type_state(struct policydb *db, const char *type_name, bool permissive)
{
struct type_datum *type;
if (type_name == NULL) {
@@ -437,7 +469,7 @@ bool set_type_state(struct policydb *db, const char *type_name, bool permissive)
return true;
}
void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
struct type_datum *attr)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
@@ -466,7 +498,7 @@ void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
};
}
bool add_typeattribute(struct policydb *db, const char *type, const char *attr)
static bool add_typeattribute(struct policydb *db, const char *type, const char *attr)
{
struct type_datum *type_d = symtab_search(&db->p_types, type);
if (type_d == NULL) {
@@ -490,77 +522,79 @@ bool add_typeattribute(struct policydb *db, const char *type, const char *attr)
return true;
}
//////////////////////////////////////////////////////////////////////////
// Operation on types
bool type(struct policydb *db, const char *name, const char *attr)
bool ksu_type(struct policydb *db, const char *name, const char *attr)
{
return add_type(db, name, false) && add_typeattribute(db, name, attr);
}
bool attribute(struct policydb *db, const char *name)
bool ksu_attribute(struct policydb *db, const char *name)
{
return add_type(db, name, true);
}
bool permissive(struct policydb *db, const char *type)
bool ksu_permissive(struct policydb *db, const char *type)
{
return set_type_state(db, type, true);
}
bool enforce(struct policydb *db, const char *type)
bool ksu_enforce(struct policydb *db, const char *type)
{
return set_type_state(db, type, false);
}
bool typeattribute(struct policydb *db, const char *type, const char *attr)
bool ksu_typeattribute(struct policydb *db, const char *type, const char *attr)
{
return add_typeattribute(db, type, attr);
}
bool exists(struct policydb *db, const char *type)
bool ksu_exists(struct policydb *db, const char *type)
{
return symtab_search(&db->p_types, type) != NULL;
}
// Access vector rules
bool allow(struct policydb *db, const char *src, const char *tgt,
bool ksu_allow(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, false);
}
bool deny(struct policydb *db, const char *src, const char *tgt,
bool ksu_deny(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, true);
}
bool auditallow(struct policydb *db, const char *src, const char *tgt,
bool ksu_auditallow(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITALLOW, false);
}
bool dontaudit(struct policydb *db, const char *src, const char *tgt,
bool ksu_dontaudit(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITDENY, true);
}
// Extended permissions access vector rules
bool allowxperm(struct policydb *db, const char *src, const char *tgt,
bool ksu_allowxperm(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_ALLOWED,
false);
}
bool auditallowxperm(struct policydb *db, const char *src, const char *tgt,
bool ksu_auditallowxperm(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_AUDITALLOW,
false);
}
bool dontauditxperm(struct policydb *db, const char *src, const char *tgt,
bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_DONTAUDIT,
@@ -568,25 +602,25 @@ bool dontauditxperm(struct policydb *db, const char *src, const char *tgt,
}
// Type rules
bool type_transition(struct policydb *db, const char *src, const char *tgt,
bool ksu_type_transition(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *def, const char *obj)
{
return false;
}
bool type_change(struct policydb *db, const char *src, const char *tgt,
bool ksu_type_change(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *def)
{
return false;
}
bool type_member(struct policydb *db, const char *src, const char *tgt,
bool ksu_type_member(struct policydb *db, const char *src, const char *tgt,
const char *cls, const char *def)
{
return false;
}
// File system labeling
bool genfscon(struct policydb *db, const char *fs_name, const char *path,
bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
const char *ctx)
{
return false;

63
kernel/selinux/sepolicy.h
View File

@@ -6,59 +6,32 @@
#include <ss/services.h>
#include <objsec.h>
// Operation on types
bool type(struct policydb* db, const char* name, const char* attr);
bool attribute(struct policydb* db, const char* name);
bool permissive(struct policydb* db, const char* type);
bool enforce(struct policydb* db, const char* type);
bool typeattribute(struct policydb* db, const char* type, const char* attr);
bool exists(struct policydb* db, const char* type);
bool ksu_type(struct policydb* db, const char* name, const char* attr);
bool ksu_attribute(struct policydb* db, const char* name);
bool ksu_permissive(struct policydb* db, const char* type);
bool ksu_enforce(struct policydb* db, const char* type);
bool ksu_typeattribute(struct policydb* db, const char* type, const char* attr);
bool ksu_exists(struct policydb* db, const char* type);
// Access vector rules
bool allow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool deny(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool auditallow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool dontaudit(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool ksu_allow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool ksu_deny(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool ksu_auditallow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
bool ksu_dontaudit(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
// Extended permissions access vector rules
bool allowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
bool auditallowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
bool dontauditxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
bool ksu_allowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
bool ksu_auditallowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
bool ksu_dontauditxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
// Type rules
bool type_transition(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def, const char* obj);
bool type_change(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
bool type_member(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
bool ksu_type_transition(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def, const char* obj);
bool ksu_type_change(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
bool ksu_type_member(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
// File system labeling
bool genfscon(struct policydb* db, const char* fs_name, const char* path, const char* ctx);
//////////////////////////////////////////////////////
// Internal use
//////////////////////////////////////////////////////
struct avtab_node* get_avtab_node(struct policydb* db, struct avtab_key *key, struct avtab_extended_perms *xperms);
bool add_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *p, int effect, bool invert);
void add_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt, struct class_datum *cls, struct perm_datum *perm, int effect, bool invert);
void add_xperm_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt,
struct class_datum *cls, uint16_t low, uint16_t high, int effect, bool invert);
bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *range, int effect, bool invert);
bool add_type_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *d, int effect);
bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
bool add_genfscon(const char *fs_name, const char *path, const char *context);
bool add_type(struct policydb* db, const char *type_name, bool attr);
bool set_type_state(struct policydb* db, const char *type_name, bool permissive);
void add_typeattribute_raw(struct policydb* db, struct type_datum *type, struct type_datum *attr);
bool add_typeattribute(struct policydb* db, const char *type, const char *attr);
bool ksu_genfscon(struct policydb* db, const char* fs_name, const char* path, const char* ctx);
#endif