kernel: support xperms for sepolicy
This commit is contained in:
weishu
@@ -6,60 +6,69 @@
|
||||
|
||||
void apply_kernelsu_rules() {
|
||||
|
||||
struct selinux_policy *policy;
|
||||
struct policydb *db;
|
||||
struct selinux_policy *policy;
|
||||
struct policydb *db;
|
||||
|
||||
if (!getenforce()) {
|
||||
pr_info("SELinux permissive or disabled, don't apply rules.");
|
||||
return;
|
||||
}
|
||||
if (!getenforce()) {
|
||||
pr_info("SELinux permissive or disabled, don't apply rules.");
|
||||
return;
|
||||
}
|
||||
|
||||
rcu_read_lock();
|
||||
policy = rcu_dereference(selinux_state.policy);
|
||||
db = &policy->policydb;
|
||||
rcu_read_lock();
|
||||
policy = rcu_dereference(selinux_state.policy);
|
||||
db = &policy->policydb;
|
||||
|
||||
permissive(db, KERNEL_SU_DOMAIN);
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
|
||||
permissive(db, KERNEL_SU_DOMAIN);
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
|
||||
typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
|
||||
|
||||
// allow all!
|
||||
allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
|
||||
// allow all!
|
||||
allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
|
||||
|
||||
// allow us do any ioctl
|
||||
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
|
||||
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
|
||||
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
|
||||
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
|
||||
}
|
||||
|
||||
// we need to save allowlist in /data/adb
|
||||
allow(db, "kernel", "adb_data_file", "dir", ALL);
|
||||
allow(db, "kernel", "adb_data_file", "file", ALL);
|
||||
// we may need to do mount on shell
|
||||
allow(db, "kernel", "shell_data_file", "file", ALL);
|
||||
|
||||
// we need to save allowlist in /data/adb
|
||||
allow(db, "kernel", "adb_data_file", "dir", ALL);
|
||||
allow(db, "kernel", "adb_data_file", "file", ALL);
|
||||
// copied from Magisk rules
|
||||
// suRights
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
|
||||
|
||||
// copied from Magisk rules
|
||||
// suRights
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
|
||||
// allowLog
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
|
||||
|
||||
// allowLog
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
|
||||
// dumpsys
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
|
||||
|
||||
// dumpsys
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
|
||||
// bootctl
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
|
||||
|
||||
// bootctl
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
|
||||
allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
|
||||
// Allow all binder transactions
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
|
||||
|
||||
// Allow all binder transactions
|
||||
allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
|
||||
|
||||
rcu_read_unlock();
|
||||
rcu_read_unlock();
|
||||
}
|
||||
Reference in New Issue
Block a user