Fix restorecon

2024-11-16 00:13:57 +01:00 · 2023-03-15 00:24:33 +08:00 · 2023-03-15 00:24:33 +08:00 · 69529ac59c
commit 69529ac59c
parent a18a440236
8 changed files with 16 additions and 21 deletions
--- a/native/src/base/include/selinux.hpp
+++ b/native/src/base/include/selinux.hpp
@ -18,10 +18,12 @@

 // Unconstrained domain the daemon and root processes run in
 #define SEPOL_PROC_DOMAIN   "magisk"
+#define MAGISK_PROC_CON     "u:r:" SEPOL_PROC_DOMAIN ":s0"
 // Highly constrained domain, sole purpose is to connect to daemon
 #define SEPOL_CLIENT_DOMAIN "magisk_client"
 // Unconstrained file type that anyone can access
 #define SEPOL_FILE_TYPE     "magisk_file"
+#define MAGISK_FILE_CON     "u:object_r:" SEPOL_FILE_TYPE ":s0"
 // Special file type to allow clients to transit to client domain automatically
 #define SEPOL_EXEC_TYPE     "magisk_exec"

@ -40,4 +42,3 @@ bool selinux_enabled();
 void enable_selinux();
 void restorecon();
 void restore_tmpcon();
-void restore_databincon();
--- a/native/src/core/bootstages.cpp
+++ b/native/src/core/bootstages.cpp
@ -57,7 +57,6 @@ static void mount_mirrors() {
        xmount(nullptr, dest.data(), nullptr, MS_REMOUNT | MS_BIND | MS_RDONLY, nullptr);
        xmount(nullptr, dest.data(), nullptr, MS_PRIVATE, nullptr);
        chmod(SECURE_DIR, 0700);
-        restorecon();
    }

    // Check and mount preinit mirror
@ -233,8 +232,7 @@ static bool magisk_env() {
    xmkdir(DATABIN, 0755);
    xmkdir(SECURE_DIR "/post-fs-data.d", 0755);
    xmkdir(SECURE_DIR "/service.d", 0755);
-
-    restore_databincon();
+    restorecon();

    if (access(DATABIN "/busybox", X_OK))
        return false;
--- a/native/src/core/daemon.cpp
+++ b/native/src/core/daemon.cpp
@ -317,7 +317,7 @@ static void daemon_entry() {
        close(fd);

    setsid();
-    setcon("u:r:" SEPOL_PROC_DOMAIN ":s0");
+    setcon(MAGISK_PROC_CON);

    start_log_daemon();

--- a/native/src/core/restorecon.cpp
+++ b/native/src/core/restorecon.cpp
@ -10,10 +10,9 @@ using namespace std;
 #define SYSTEM_CON  "u:object_r:system_file:s0"
 #define ADB_CON     "u:object_r:adb_data_file:s0"
 #define ROOT_CON    "u:object_r:rootfs:s0"
-#define MAGISK_CON  "u:object_r:" SEPOL_FILE_TYPE ":s0"
 #define EXEC_CON    "u:object_r:" SEPOL_EXEC_TYPE ":s0"

-static void restore_syscon(int dirfd) {
+static void restore_syscon_from_null(int dirfd) {
    struct dirent *entry;
    char *con;

@ -27,7 +26,7 @@ static void restore_syscon(int dirfd) {
    while ((entry = xreaddir(dir.get()))) {
        int fd = openat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
        if (entry->d_type == DT_DIR) {
-            restore_syscon(fd);
+            restore_syscon_from_null(fd);
            continue;
        } else if (entry->d_type == DT_REG) {
            if (fgetfilecon(fd, &con) >= 0) {
@ -45,20 +44,20 @@ static void restore_syscon(int dirfd) {
    }
 }

-static void restore_magiskcon(int dirfd) {
+static void restore_syscon(int dirfd) {
    struct dirent *entry;

-    fsetfilecon(dirfd, MAGISK_CON);
+    fsetfilecon(dirfd, SYSTEM_CON);
    fchown(dirfd, 0, 0);

    auto dir = xopen_dir(dirfd);
    while ((entry = xreaddir(dir.get()))) {
        int fd = xopenat(dirfd, entry->d_name, O_RDONLY | O_CLOEXEC);
        if (entry->d_type == DT_DIR) {
-            restore_magiskcon(fd);
+            restore_syscon(fd);
            continue;
        } else if (entry->d_type) {
-            fsetfilecon(fd, MAGISK_CON);
+            fsetfilecon(fd, SYSTEM_CON);
            fchown(fd, 0, 0);
        }
        close(fd);
@ -73,11 +72,8 @@ void restorecon() {
        lsetfilecon(SECURE_DIR, ADB_CON);
    close(fd);
    lsetfilecon(MODULEROOT, SYSTEM_CON);
-    restore_syscon(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
-}
-
-void restore_databincon() {
-    restore_magiskcon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
+    restore_syscon_from_null(xopen(MODULEROOT, O_RDONLY | O_CLOEXEC));
+    restore_syscon(xopen(DATABIN, O_RDONLY | O_CLOEXEC));
 }

 void restore_tmpcon() {
--- a/native/src/core/scripting.cpp
+++ b/native/src/core/scripting.cpp
@ -159,7 +159,7 @@ rm -f $APK
 )EOF";

 void install_apk(const char *apk) {
-    setfilecon(apk, "u:object_r:" SEPOL_FILE_TYPE ":s0");
+    setfilecon(apk, MAGISK_FILE_CON);
    exec_t exec {
        .fork = fork_no_orphan
    };
--- a/native/src/init/rootdir.cpp
+++ b/native/src/init/rootdir.cpp
@ -72,7 +72,7 @@ on property:init.svc.zygote=restarting

 on property:init.svc.zygote=stopped
    exec %2$s 0 0 -- %1$s/magisk --zygote-restart
-)EOF", tmp_dir, "u:r:" SEPOL_PROC_DOMAIN ":s0");
+)EOF", tmp_dir, MAGISK_PROC_CON);

    fclose(rc);
    clone_attr(src, dest);
--- a/native/src/su/connect.cpp
+++ b/native/src/su/connect.cpp
@ -197,7 +197,7 @@ int app_request(const su_context &ctx) {
    gen_rand_str(fifo + 12, 32);
    mkfifo(fifo, 0600);
    chown(fifo, ctx.info->mgr_uid, ctx.info->mgr_uid);
-    setfilecon(fifo, "u:object_r:" SEPOL_FILE_TYPE ":s0");
+    setfilecon(fifo, MAGISK_FILE_CON);

    // Send request
    vector<Extra> extras;
--- a/native/src/zygisk/entry.cpp
+++ b/native/src/zygisk/entry.cpp
@ -266,7 +266,7 @@ static void setup_files(int client, const sock_cred *cred) {
    string ld_data = read_string(client);
    xwrite(ld_fd, ld_data.data(), ld_data.size());
    close(ld_fd);
-    setfilecon(mbin.data(), "u:object_r:" SEPOL_FILE_TYPE ":s0");
+    setfilecon(mbin.data(), MAGISK_FILE_CON);
    xmount(mbin.data(), hbin, nullptr, MS_BIND, nullptr);

    send_fd(client, app_fd);