Check Android version before actually doing anything

Close #233

.gitattributes

@@ -0,0 +1,16 @@
+# Set the default behavior, in case people don't have core.autocrlf set.
+* text eol=lf
+
+# Explicitly declare text files you want to always be normalized and converted
+# to native line endings on checkout.
+# *.c text
+# *.h text
+
+# Declare files that will always have CRLF line endings on checkout.
+*.cmd text eol=crlf
+
+# Denote all files that are truly binary and should not be modified.
+chromeos/** binary
+*.jar binary
+*.exe binary
+*.apk binary

.gitignore

@@ -1,21 +1,7 @@
 obj/
 libs/
 *.zip
+*.jks
 
-# Generated binaries
-zip_static/arm/*
-zip_static/arm64/*
-zip_static/x86/*
-zip_static/x64/*
-uninstaller/arm/*
-uninstaller/arm64/*
-uninstaller/x86/*
-uninstaller/x64/*
-zipsigntools/zipadjust
-
-# Generated scripts
-zip_static/common/magic_mask.sh
-zip_static/META-INF/com/google/android/update-binary
-
-# Leave all busybox!
-!busybox
+# Copied binaries
+ziptools/zipadjust

.gitmodules

@@ -1,9 +1,15 @@
-[submodule "selinux"]
-	path = selinux
-	url = https://github.com/topjohnwu/selinux
-[submodule "jni/sepolicy-inject"]
-	path = jni/sepolicy-inject
-	url = https://github.com/topjohnwu/sepolicy-inject
-[submodule "jni/resetprop"]
-	path = jni/resetprop
-	url = https://github.com/topjohnwu/resetprop.git
+[submodule "jni/selinux"]
+	path = jni/selinux
+	url = https://github.com/topjohnwu/selinux.git
+[submodule "jni/su"]
+	path = jni/su
+	url = https://github.com/topjohnwu/MagiskSU.git
+[submodule "jni/ndk-compression"]
+	path = jni/ndk-compression
+	url = https://github.com/topjohnwu/ndk-compression.git
+[submodule "jni/magiskpolicy"]
+	path = jni/magiskpolicy
+	url = https://github.com/topjohnwu/magiskpolicy.git
+[submodule "MagiskManager"]
+	path = MagiskManager
+	url = https://github.com/topjohnwu/MagiskManager.git

README.MD

@@ -1,10 +1,78 @@
 # Magisk
-###Static binaries included:  
-* Busybox: http://forum.xda-developers.com/android/software-hacking/tool-busybox-flashable-archs-t3348543
 
-###How to build Magisk
-1. Only support MacOS and Linux
-2. Download and install NDK
-3. Add the NDK directory into PATH.  
-To check if success, please try calling `which ndk-build` and see if it returns the NDK directory
-4. Execute `./build.sh`, it will give you further information
+## How to build Magisk
+
+#### Building has been tested on 3 major platforms:
+
+***macOS 10.12.5***  
+***Ubuntu 17.04 x64***  
+***Windows 10 Creators Update x64***  
+
+#### Environment Requirements
+
+1. Python 3 **(>= 3.5)**: `python3` (or in some cases `python`) should be accessible  
+2. Java runtime: `java` should be accessible  
+3. (Unix only) C compiler: `gcc` should be accessible  
+4. Android SDK: `ANDROID_HOME` environment variable should point to the Android SDK folder  
+5. NDK: Install NDK using `sdkmanager`, or through Android SDK Manager  
+6. Android build-tools: Should have build-tools version matching `MagiskManager/app/build.gradle` installed  
+
+#### Instructions and Notes
+
+1. The python build script uses ANSI color codes to change the color of the terminal output. For Windows, this **only** works on Windows 10, as previous Windows console do not support them. If you insist to use an older Windows version, a quick Google search should provide many workarounds  
+2. After installing the latest Python 3 on Windows (allow the installer to add Python to PATH, or you'll have to manually set the environment), instead of calling `python3` like most Unix environment, you should call `python` in shell (cmd or Powershell both OK). You can double check the version by `python --version`  
+3. The build script will do several checks, it will refuse to run if the environment doesn't meet the requirements  
+4. For further instructions, please check the built in help message by `python3 build.py -h`  
+(Unix users can simply `./build.py -h`, Windows users, as mentioned, call `python` instead)  
+5. Each action has its own help message, access them by commands like `python3 build.py all -h`  
+6. To build Magisk for release (enabled through the `--release` flag, the script builds in debug mode by default), you will need to provide a Java keystore file, and place it in `release_signature.jks` to sign Magisk Manager APK for release builds. For more information, check out [Google's Official Documentation](https://developer.android.com/studio/publish/app-signing.html#signing-manually)
+7. To properly setup the Android SDK environment, the easiest way is to use Android Studio and open Magisk Manager. If gradle sync passed, your build-tools etc. should be set properly. You can also access SDK Manager GUI within Android Studio to download NDK. Don't forget to add Android Studio's SDK path into environment variable ANDROID_HOME.  
+
+## License
+
+Magisk, including all subprojects (git submodule) is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+## Credits
+
+**MagiskManager** (`MagiskManager`)
+* Copyright 2016-2017, John Wu (@topjohnwu)
+* All contributors and translators
+
+**MagiskSU** (`jni/su`)
+* Copyright 2016-2017, John Wu (@topjohnwu)
+* Copyright 2015, Pierre-Hugues Husson (phh@phh.me)
+* Copyright 2013, Koushik Dutta (@koush)
+* Copyright 2010, Adam Shanks (@ChainsDD)
+* Copyright 2008, Zinx Verituse (@zinxv)
+
+**MagiskPolicy** (`jni/magiskpolicy`)
+* Copyright 2016-2017, John Wu (@topjohnwu)
+* Copyright 2015, Pierre-Hugues Husson (phh@phh.me)
+* Copyright 2015, Joshua Brindle (@joshua_brindle)
+
+**MagiskHide** (`jni/magiskhide`)
+* Copyright 2016-2017, John Wu (@topjohnwu)
+* Copyright 2016, Pierre-Hugues Husson (phh@phh.me) (original hidesu)
+
+**resetprop** (`jni/resetprop`)
+ * Copyright 2016-2017 John Wu (@topjohnwu)
+ * Copyright 2016 nkk71 (nkk71x@gmail.com)
+ 
+**SELinux** (`jni/selinux`)
+* Makefile for NDK: Copyright 2016-2017, John Wu (@topjohnwu)
+* It is maintained by many developers in SELinux project, copyright belongs to them
+
+**ndk-compression** (`jni/ndk-compression`)
+* Makefile for NDK: Copyright 2017, John Wu (@topjohnwu)
+* Each library has its own copyright message in each directories
+
+**Others Not Mentioned**
+* Copyright 2016-2017, John Wu (@topjohnwu)

build.sh

@@ -1,170 +0,0 @@
-#!/bin/bash
-
-usage() {
-  echo "$0 all <version name>"
-  echo -e "\tBuild binaries, zip, and sign Magisk"
-  echo -e "\tThis is equlivant to first --build, then --zip"
-  echo "$0 clean"
-  echo -e "\tCleanup compiled / generated files"
-  echo "$0 build"
-  echo -e "\tBuild the binaries with ndk"
-  echo "$0 zip <version name>"
-  echo -e "\tZip and sign Magisk"
-  echo "$0 uninstaller"
-  echo -e "\tZip and sign the uninstaller"
-  exit 1
-}
-
-cleanup() {
-  echo "************************"
-  echo "* Cleaning up"
-  echo "************************"
-  ndk-build clean 2>/dev/null
-  ls zip_static/arm/* | grep -v "busybox" | xargs rm -rfv
-  ls zip_static/arm64/* | grep -v "busybox" | xargs rm -rfv
-  ls zip_static/x86/* | grep -v "busybox" | xargs rm -rfv
-  ls zip_static/x64/* | grep -v "busybox" | xargs rm -rfv
-  rm -rfv zip_static/META-INF/com/google/android/update-binary 
-  rm -rfv zip_static/common/magic_mask.sh
-  rm -rfv uninstaller/arm
-  rm -rfv uninstaller/arm64
-  rm -rfv uninstaller/x86
-  rm -rfv uninstaller/x64
-}
-
-mkcp() {
-  [ ! -d "$2" ] && mkdir -p "$2"
-  cp -afv $1 $2
-}
-
-build_bin() {
-  echo "************************"
-  echo "* Building binaries"
-  echo "************************"
-  if [ -z `which ndk-build` ]; then
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    echo "! Please add ndk-build to PATH!"
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    exit 1
-  fi
-  ndk-build -j4
-  if [ $? -ne 0 ]; then
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    echo "! Magisk binary tools build failed...."
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    exit 1
-  fi
-  echo "************************"
-  echo "* Copying binaries"
-  echo "************************"
-  mkcp "libs/armeabi/*" zip_static/arm
-  mkcp libs/armeabi/bootimgtools uninstaller/arm
-  mkcp "libs/arm64-v8a/*" zip_static/arm64
-  mkcp libs/arm64-v8a/bootimgtools uninstaller/arm64
-  mkcp "libs/x86/*" zip_static/x86
-  mkcp libs/x86/bootimgtools uninstaller/x86
-  mkcp "libs/x86_64/*" zip_static/x64
-  mkcp libs/x86_64/bootimgtools uninstaller/x64
-}
-
-zip_package() {
-  if [ ! -f "zip_static/arm/bootimgtools" ]; then
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    echo "! Missing binaries!!"
-    echo "! Please run \"$0 build\" before zipping"
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-    exit 1
-  fi
-  echo "************************"
-  echo "* Adding version info"
-  echo "************************"
-  sed "s/MAGISK_VERSION_STUB/Magisk v$1 Boot Image Patcher/g" scripts/flash_script.sh > zip_static/META-INF/com/google/android/update-binary
-  sed "s/MAGISK_VERSION_STUB/setprop magisk.version \"$1\"/g" scripts/magic_mask.sh > zip_static/common/magic_mask.sh
-  echo "************************"
-  echo "* Zipping Magisk v$1"
-  echo "************************"
-  cd zip_static
-  find . -type f -exec chmod 644 {} \;
-  find . -type d -exec chmod 755 {} \;
-  rm -rf "../Magisk-v$1.zip"
-  zip "../Magisk-v$1.zip" -r .
-  cd ../
-  sign_zip "Magisk-v$1.zip"
-}
-
-zip_uninstaller() {
-  if [ ! -f "uninstaller/arm/bootimgtools" ]; then
-    echo "! Missing binaries!!"
-    echo "! Please run \"$0 build\" before zipping"
-    exit 1
-  fi
-  echo "************************"
-  echo "* Zipping uninstaller"
-  echo "************************"
-  cd uninstaller
-  find . -type f -exec chmod 644 {} \;
-  find . -type d -exec chmod 755 {} \;
-  TIMESTAMP=$(date "+%Y%m%d")
-  rm -rf "../Magisk-uninstaller-$TIMESTAMP.zip"
-  zip "../Magisk-uninstaller-$TIMESTAMP.zip" -r .
-  cd ../
-  sign_zip "Magisk-uninstaller-$TIMESTAMP.zip"
-}
-
-sign_zip() {
-  if [ ! -f "zipsigntools/zipadjust" ]; then
-    echo "************************"
-    echo "* Compiling ZipAdjust"
-    echo "************************"
-    gcc -o zipsigntools/zipadjust zipsigntools/src/*.c -lz
-    if [ $? -ne 0 ]; then
-      echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-      echo "! ZipAdjust Build failed...."
-      echo "!!!!!!!!!!!!!!!!!!!!!!!!"
-      exit 1
-    fi
-    chmod 755 zipsigntools/zipadjust
-  fi
-  echo "************************"
-  echo "* First sign $1"
-  echo "************************"
-  java -jar "zipsigntools/signapk.jar" "zipsigntools/test.certificate.x509.pem" "zipsigntools/test.key.pk8" "$1" "${1%.*}-firstsign.zip"
-  echo "************************"
-  echo "* Adjusting $1"
-  echo "************************"
-  zipsigntools/zipadjust "${1%.*}-firstsign.zip" "${1%.*}-adjusted.zip"
-  echo "************************"
-  echo "* Final sign $1"
-  echo "************************"
-  java -jar "zipsigntools/signapk.jar" "zipsigntools/test.certificate.x509.pem" "zipsigntools/test.key.pk8" "${1%.*}-adjusted.zip" "${1%.*}-signed.zip"
-
-  mv "${1%.*}-signed.zip" "$1"
-  rm "${1%.*}-adjusted.zip" "${1%.*}-firstsign.zip"
-}
-
-DIR="$(cd "$(dirname "$0")"; pwd)"
-cd "$DIR"
-
-case $1 in
-  "all" )
-    [ -z "$2" ] && echo -e "! Missing version number\n" && usage
-    build_bin
-    zip_package $2
-    ;;
-  "clean" )
-    cleanup
-    ;;
-  "build" )
-    build_bin
-    ;;
-  "zip" )
-    [ -z "$2" ] && echo -e "! Missing version number\n" && usage
-    zip_package $2
-    ;;
-  "uninstaller" )
-    zip_uninstaller
-    ;;
-  * )
-    usage
-    ;;
-esac

jni/Android.mk

@@ -1,35 +1,56 @@
-my_path := $(call my-dir)
-
-LOCAL_PATH := $(my_path)
+LOCAL_PATH := $(call my-dir)
 
 include $(CLEAR_VARS)
-LOCAL_MODULE := magiskhide
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := magiskhide.c
-LOCAL_CFLAGS += -std=gnu11
-include $(BUILD_EXECUTABLE)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := bootimgtools
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := bootimgtools.c extract.c repack.c hexpatch.c
-LOCAL_CFLAGS += -std=gnu11
-include $(BUILD_EXECUTABLE)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy-inject
-LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE := magisk
 LOCAL_STATIC_LIBRARIES := libsepol
-LOCAL_SRC_FILES := sepolicy-inject/sepolicy-inject.c sepolicy-inject/builtin_rules.c
-LOCAL_C_INCLUDES := selinux/libsepol/include/
-LOCAL_CFLAGS += -std=gnu11
+LOCAL_SHARED_LIBRARIES := libsqlite libselinux
+
+LOCAL_C_INCLUDES := \
+	$(LOCAL_PATH)/utils \
+	$(LOCAL_PATH)/daemon \
+	$(LOCAL_PATH)/resetprop \
+	$(LOCAL_PATH)/magiskpolicy \
+	$(LOCAL_PATH)/external \
+	$(LOCAL_PATH)/selinux/libsepol/include
+
+LOCAL_SRC_FILES := \
+	main.c \
+	utils/misc.c \
+	utils/vector.c \
+	utils/xwrap.c \
+	utils/list.c \
+	utils/img.c \
+	daemon/daemon.c \
+	daemon/socket_trans.c \
+	daemon/log_monitor.c \
+	daemon/bootstages.c \
+	magiskhide/magiskhide.c \
+	magiskhide/proc_monitor.c \
+	magiskhide/hide_utils.c \
+	magiskpolicy/magiskpolicy.c \
+	magiskpolicy/rules.c \
+	magiskpolicy/sepolicy.c \
+	magiskpolicy/api.c \
+	resetprop/resetprop.cpp \
+	resetprop/system_properties.cpp \
+	su/su.c \
+	su/activity.c \
+	su/db.c \
+	su/misc.c \
+	su/pts.c \
+	su/su_daemon.c \
+	su/su_socket.c
+
+LOCAL_CFLAGS := -Wno-implicit-exception-spec-mismatch
+LOCAL_LDLIBS := -llog
+
 include $(BUILD_EXECUTABLE)
 
-include $(CLEAR_VARS)
-LOCAL_MODULE := resetprop
-LOCAL_MODULE_TAGS := optional
-LOCAL_SRC_FILES := resetprop/resetprop.cpp resetprop/system_properties.cpp resetprop/libc_logging.cpp
-LOCAL_LDLIBS += -latomic
-include $(BUILD_EXECUTABLE)
+# External shared libraries, build stub libraries for linking
+include jni/external/Android.mk
 
-include selinux/libsepol/Android.mk
+# libsepol, static library
+include jni/selinux/libsepol/Android.mk
+
+# Build magiskboot
+include jni/magiskboot/Android.mk

jni/Application.mk

@@ -1,5 +1,4 @@
-APP_ABI := x86 x86_64 armeabi arm64-v8a
-APP_PIE = true
+APP_ABI := x86 x86_64 armeabi-v7a arm64-v8a
 APP_PLATFORM := android-21
+APP_UNIFIED_HEADERS := true
 APP_CPPFLAGS += -std=c++11
-# APP_STL := c++_static

jni/bootimgtools.c

@@ -1,45 +0,0 @@
-#include <getopt.h>
-#include <stdio.h>
-
-#include "bootimgtools.h"
-
-/********************
-  Patch Boot Image
-*********************/
-
-int usage(char *arg0) {
-	fprintf(stderr, "Boot Image Unpack/Repack Tool\n");
-	fprintf(stderr, "%s --extract <bootimage>\n", arg0);
-	fprintf(stderr, "  Unpack <bootimage> into current directory\n\n");
-	fprintf(stderr, "%s --repack <bootimage>\n", arg0);
-	fprintf(stderr, "  Repack kernel, dt, ramdisk... from current directory to new-image.img\n  <bootimage> is the image you've just unpacked\n\n");
-	fprintf(stderr, "%s --hexpatch <bootimage> <hexpattern1> <hexpattern2>\n", arg0);
-	fprintf(stderr, "  Search <hexpattern1> in <bootimage>, and replace with <hexpattern2>\n\n");
-	return 1;
-}
-
-int main(int argc, char *argv[])
-{
-	char ch;
-	struct option long_options[] = {
-		{"extract", required_argument, NULL, 'e'},
-		{"repack", required_argument, NULL, 'r'},
-		{"hexpatch", required_argument, NULL, 'p'},
-		{NULL, 0, NULL, 0}
-	};
-	while ((ch = getopt_long(argc, argv, "e:r:p:", long_options, NULL)) != -1) {
-		switch (ch) {
-			case 'e':
-				return extract(optarg);
-			case 'r':
-				return repack(optarg);
-			case 'p':
-				if (argc < 5) return usage(argv[0]);
-				optind += 2;
-				return hexpatch(argv[optind - 3], argv[optind - 2], argv[optind - 1]);
-			default:
-				return usage(argv[0]);
-		}
-	}
-	return 0;
-}

jni/daemon/daemon.c

@@ -0,0 +1,200 @@
+/* daemon.c - Magisk Daemon
+ *
+ * Start the daemon and wait for requests
+ * Connect the daemon and send requests through sockets
+ */
+
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <string.h>
+#include <errno.h>
+#include <pthread.h>
+#include <sys/un.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/mount.h>
+#include <selinux/selinux.h>
+
+#include "magisk.h"
+#include "utils.h"
+#include "daemon.h"
+#include "magiskpolicy.h"
+
+pthread_t sepol_patch;
+
+static void *request_handler(void *args) {
+	// Setup the default error handler for threads
+	err_handler = exit_thread;
+
+	int client = *((int *) args);
+	free(args);
+	client_request req = read_int(client);
+
+	struct ucred credentials;
+	get_client_cred(client, &credentials);
+
+	switch (req) {
+	case LAUNCH_MAGISKHIDE:
+	case STOP_MAGISKHIDE:
+	case ADD_HIDELIST:
+	case RM_HIDELIST:
+	case POST_FS:
+	case POST_FS_DATA:
+	case LATE_START:
+		if (credentials.uid != 0) {
+			write_int(client, ROOT_REQUIRED);
+			close(client);
+			return NULL;
+		}
+	default:
+		break;
+	}
+
+	switch (req) {
+	case LAUNCH_MAGISKHIDE:
+		launch_magiskhide(client);
+		break;
+	case STOP_MAGISKHIDE:
+		stop_magiskhide(client);
+		break;
+	case ADD_HIDELIST:
+		add_hide_list(client);
+		break;
+	case RM_HIDELIST:
+		rm_hide_list(client);
+		break;
+	case SUPERUSER:
+		su_daemon_receiver(client);
+		break;
+	case CHECK_VERSION:
+		write_string(client, MAGISK_VER_STR);
+		close(client);
+		break;
+	case CHECK_VERSION_CODE:
+		write_int(client, MAGISK_VER_CODE);
+		close(client);
+		break;
+	case POST_FS:
+		post_fs(client);
+		break;
+	case POST_FS_DATA:
+		post_fs_data(client);
+		break;
+	case LATE_START:
+		late_start(client);
+		break;
+	default:
+		break;
+	}
+	return NULL;
+}
+
+/* Setup the address and return socket fd */
+static int setup_socket(struct sockaddr_un *sun) {
+	int fd = xsocket(AF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0);
+	memset(sun, 0, sizeof(*sun));
+	sun->sun_family = AF_LOCAL;
+	memcpy(sun->sun_path, REQUESTOR_DAEMON_PATH, REQUESTOR_DAEMON_PATH_LEN);
+	return fd;
+}
+
+static void *large_sepol_patch(void *args) {
+	LOGD("sepol: Starting large patch thread\n");
+	// Patch su to everything
+	sepol_allow("su", ALL, ALL, ALL);
+	dump_policydb(SELINUX_LOAD);
+	LOGD("sepol: Large patch done\n");
+	destroy_policydb();
+	return NULL;
+}
+
+void start_daemon(int client) {
+	// Launch the daemon, create new session, set proper context
+	if (getuid() != UID_ROOT || getgid() != UID_ROOT) {
+		fprintf(stderr, "Starting daemon requires root: %s\n", strerror(errno));
+		PLOGE("start daemon");
+	}
+
+	switch (fork()) {
+	case -1:
+		PLOGE("fork");
+	case 0:
+		break;
+	default:
+		return;
+	}
+
+	// First close the client, it's useless for us
+	close(client);
+	xsetsid();
+	setcon("u:r:su:s0");
+	umask(022);
+	int fd = xopen("/dev/null", O_RDWR | O_CLOEXEC);
+	xdup2(fd, STDIN_FILENO);
+	xdup2(fd, STDOUT_FILENO);
+	xdup2(fd, STDERR_FILENO);
+	close(fd);
+
+	// Patch selinux with medium patch before we do anything
+	load_policydb(SELINUX_POLICY);
+	sepol_med_rules();
+	dump_policydb(SELINUX_LOAD);
+
+	// Continue the larger patch in another thread, we will join later
+	pthread_create(&sepol_patch, NULL, large_sepol_patch, NULL);
+
+	struct sockaddr_un sun;
+	fd = setup_socket(&sun);
+
+	xbind(fd, (struct sockaddr*) &sun, sizeof(sun));
+	xlisten(fd, 10);
+
+	// Change process name
+	strcpy(argv0, "magisk_daemon");
+	// The root daemon should not do anything if an error occurs
+	// It should stay intact under any circumstances
+	err_handler = do_nothing;
+
+	LOGI("Magisk v" xstr(MAGISK_VERSION) "(" xstr(MAGISK_VER_CODE) ") daemon started\n");
+
+	// Unlock all blocks for rw
+	unlock_blocks();
+
+	// Setup links under /sbin
+	xmount(NULL, "/", NULL, MS_REMOUNT, NULL);
+	create_links(NULL, "/sbin");
+	xchmod("/sbin", 0755);
+	xmkdir("/magisk", 0755);
+	xchmod("/magisk", 0755);
+	xmount(NULL, "/", NULL, MS_REMOUNT | MS_RDONLY, NULL);
+
+	// Loop forever to listen for requests
+	while(1) {
+		int *client = xmalloc(sizeof(int));
+		*client = xaccept4(fd, NULL, NULL, SOCK_CLOEXEC);
+		pthread_t thread;
+		xpthread_create(&thread, NULL, request_handler, client);
+		// Detach the thread, we will never join it
+		pthread_detach(thread);
+	}
+}
+
+/* Connect the daemon, and return a socketfd */
+int connect_daemon() {
+	struct sockaddr_un sun;
+	int fd = setup_socket(&sun);
+	if (connect(fd, (struct sockaddr*) &sun, sizeof(sun))) {
+		/* If we cannot access the daemon, we start the daemon
+		 * since there is no clear entry point when the daemon should be started
+		 */
+		LOGD("client: connect fail, try launching new daemon process\n");
+		start_daemon(fd);
+		do {
+			// Wait for 10ms
+			usleep(10);
+		} while (connect(fd, (struct sockaddr*) &sun, sizeof(sun)));
+	}
+	return fd;
+}

jni/daemon/daemon.h

@@ -0,0 +1,79 @@
+/* daemon.h - Utility functions for daemon-client communication
+ */
+
+#ifndef _DAEMON_H_
+#define _DAEMON_H_
+
+#include <pthread.h>
+
+extern pthread_t sepol_patch;
+
+// Commands require connecting to daemon
+typedef enum {
+	DO_NOTHING = 0,
+	LAUNCH_MAGISKHIDE,
+	STOP_MAGISKHIDE,
+	ADD_HIDELIST,
+	RM_HIDELIST,
+	SUPERUSER,
+	CHECK_VERSION,
+	CHECK_VERSION_CODE,
+	POST_FS,
+	POST_FS_DATA,
+	LATE_START,
+	TEST
+} client_request;
+
+// Return codes for daemon
+typedef enum {
+	DAEMON_ERROR = -1,
+	DAEMON_SUCCESS = 0,
+	ROOT_REQUIRED,
+	HIDE_IS_ENABLED,
+	HIDE_NOT_ENABLED,
+	HIDE_ITEM_EXIST,
+	HIDE_ITEM_NOT_EXIST,
+} daemon_response;
+
+// daemon.c
+
+void start_daemon(int client);
+int connect_daemon();
+
+// socket_trans.c
+
+int recv_fd(int sockfd);
+void send_fd(int sockfd, int fd);
+int read_int(int fd);
+void write_int(int fd, int val);
+char* read_string(int fd);
+void write_string(int fd, const char* val);
+
+// log_monitor.c
+
+void monitor_logs();
+
+/***************
+ * Boot Stages *
+ ***************/
+
+void post_fs(int client);
+void post_fs_data(int client);
+void late_start(int client);
+
+/**************
+ * MagiskHide *
+ **************/
+
+void launch_magiskhide(int client);
+void stop_magiskhide(int client);
+void add_hide_list(int client);
+void rm_hide_list(int client);
+
+/*************
+ * Superuser *
+ *************/
+
+void su_daemon_receiver(int client);
+
+#endif

jni/daemon/log_monitor.c

@@ -0,0 +1,46 @@
+/* log_monitor.c - New thread to monitor logcat
+ *
+ * Open a new thread to call logcat and get logs with tag "Magisk"
+ * Also, write the logs to a log file for debugging purpose
+ *
+ */
+
+#include <stdio.h>
+#include <limits.h>
+#include <pthread.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+#include "magisk.h"
+#include "utils.h"
+#include "daemon.h"
+
+static void *logger_thread(void *args) {
+	// Setup error handler
+	err_handler = exit_thread;
+
+	rename(LOGFILE, LASTLOG);
+	int log_fd, log_pid;
+
+	log_fd = xopen(LOGFILE, O_WRONLY | O_CREAT | O_CLOEXEC | O_TRUNC, 0644);
+
+	while (1) {
+		// Start logcat
+		char *const command[] = { "logcat", "-s", "Magisk", "-v", "thread", NULL };
+		log_pid = run_command(0, &log_fd, "/system/bin/logcat", command);
+		if (log_pid > 0)
+			waitpid(log_pid, NULL, 0);
+		// For some reason it went here, clear buffer and restart
+		system("logcat -c");
+	}
+
+	// Should never be here, but well...
+	return NULL;
+}
+
+/* Start a new thread to monitor logcat and dump to logfile */
+void monitor_logs() {
+	pthread_t thread;
+	xpthread_create(&thread, NULL, logger_thread, NULL);
+	pthread_detach(thread);
+}

jni/daemon/socket_trans.c

@@ -0,0 +1,148 @@
+/* socket_trans.c - Functions to transfer data through socket
+ */
+
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include "magisk.h"
+#include "utils.h"
+#include "daemon.h"
+
+/*
+ * Receive a file descriptor from a Unix socket.
+ * Contributed by @mkasick
+ *
+ * Returns the file descriptor on success, or -1 if a file
+ * descriptor was not actually included in the message
+ *
+ * On error the function terminates by calling exit(-1)
+ */
+int recv_fd(int sockfd) {
+    // Need to receive data from the message, otherwise don't care about it.
+    char iovbuf;
+
+    struct iovec iov = {
+        .iov_base = &iovbuf,
+        .iov_len  = 1,
+    };
+
+    char cmsgbuf[CMSG_SPACE(sizeof(int))];
+
+    struct msghdr msg = {
+        .msg_iov        = &iov,
+        .msg_iovlen     = 1,
+        .msg_control    = cmsgbuf,
+        .msg_controllen = sizeof(cmsgbuf),
+    };
+
+    xrecvmsg(sockfd, &msg, MSG_WAITALL);
+
+    // Was a control message actually sent?
+    switch (msg.msg_controllen) {
+    case 0:
+        // No, so the file descriptor was closed and won't be used.
+        return -1;
+    case sizeof(cmsgbuf):
+        // Yes, grab the file descriptor from it.
+        break;
+    default:
+        goto error;
+    }
+
+    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+
+    if (cmsg             == NULL                  ||
+        cmsg->cmsg_len   != CMSG_LEN(sizeof(int)) ||
+        cmsg->cmsg_level != SOL_SOCKET            ||
+        cmsg->cmsg_type  != SCM_RIGHTS) {
+error:
+        LOGE("unable to read fd");
+        exit(-1);
+    }
+
+    return *(int *)CMSG_DATA(cmsg);
+}
+
+/*
+ * Send a file descriptor through a Unix socket.
+ * Contributed by @mkasick
+ *
+ * On error the function terminates by calling exit(-1)
+ *
+ * fd may be -1, in which case the dummy data is sent,
+ * but no control message with the FD is sent.
+ */
+void send_fd(int sockfd, int fd) {
+    // Need to send some data in the message, this will do.
+    struct iovec iov = {
+        .iov_base = "",
+        .iov_len  = 1,
+    };
+
+    struct msghdr msg = {
+        .msg_iov        = &iov,
+        .msg_iovlen     = 1,
+    };
+
+    char cmsgbuf[CMSG_SPACE(sizeof(int))];
+
+    if (fd != -1) {
+        // Is the file descriptor actually open?
+        if (fcntl(fd, F_GETFD) == -1) {
+            if (errno != EBADF) {
+                PLOGE("unable to send fd");
+            }
+            // It's closed, don't send a control message or sendmsg will EBADF.
+        } else {
+            // It's open, send the file descriptor in a control message.
+            msg.msg_control    = cmsgbuf;
+            msg.msg_controllen = sizeof(cmsgbuf);
+
+            struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+
+            cmsg->cmsg_len   = CMSG_LEN(sizeof(int));
+            cmsg->cmsg_level = SOL_SOCKET;
+            cmsg->cmsg_type  = SCM_RIGHTS;
+
+            *(int *)CMSG_DATA(cmsg) = fd;
+        }
+    }
+
+    xsendmsg(sockfd, &msg, 0);
+}
+
+int read_int(int fd) {
+    int val;
+    xxread(fd, &val, sizeof(int));
+    return val;
+}
+
+void write_int(int fd, int val) {
+    if (fd < 0) return;
+    xwrite(fd, &val, sizeof(int));
+}
+
+char* read_string(int fd) {
+    int len = read_int(fd);
+    if (len > PATH_MAX || len < 0) {
+        LOGE("invalid string length %d", len);
+        exit(1);
+    }
+    char* val = xmalloc(sizeof(char) * (len + 1));
+    xxread(fd, val, len);
+    val[len] = '\0';
+    return val;
+}
+
+void write_string(int fd, const char* val) {
+    if (fd < 0) return;
+    int len = strlen(val);
+    write_int(fd, len);
+    xwrite(fd, val, len);
+}

jni/external/Android.mk

@@ -0,0 +1,13 @@
+LOCAL_PATH:= $(call my-dir)
+
+# libsqlite.so (stub)
+include $(CLEAR_VARS)
+LOCAL_MODULE:= libsqlite
+LOCAL_SRC_FILES := sqlite3_stub.c
+include $(BUILD_SHARED_LIBRARY)
+
+# libselinux.so (stub)
+include $(CLEAR_VARS)
+LOCAL_MODULE:= libselinux
+LOCAL_SRC_FILES := selinux_stub.c
+include $(BUILD_SHARED_LIBRARY)

jni/external/selinux/context.h

@@ -0,0 +1,50 @@
+#ifndef _SELINUX_CONTEXT_H_
+#define _SELINUX_CONTEXT_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Functions to deal with security contexts in user space.
+ */
+
+	typedef struct {
+		void *ptr;
+	} context_s_t;
+
+	typedef context_s_t *context_t;
+
+/* Return a new context initialized to a context string */
+
+	extern context_t context_new(const char *);
+
+/* 
+ * Return a pointer to the string value of the context_t
+ * Valid until the next call to context_str or context_free 
+ * for the same context_t*
+ */
+
+	extern char *context_str(context_t);
+
+/* Free the storage used by a context */
+	extern void context_free(context_t);
+
+/* Get a pointer to the string value of a context component */
+
+	extern const char *context_type_get(context_t);
+	extern const char *context_range_get(context_t);
+	extern const char *context_role_get(context_t);
+	extern const char *context_user_get(context_t);
+
+/* Set a context component.  Returns nonzero if unsuccessful */
+
+	extern int context_type_set(context_t, const char *);
+	extern int context_range_set(context_t, const char *);
+	extern int context_role_set(context_t, const char *);
+	extern int context_user_set(context_t, const char *);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

jni/external/selinux/flask.h

@@ -0,0 +1,118 @@
+/* This file is automatically generated.  Do not edit. */
+#ifndef _SELINUX_FLASK_H_
+#define _SELINUX_FLASK_H_
+
+#warning "Please remove any #include's of this header in your source code."
+#warning "Instead, use string_to_security_class() to map the class name to a value."
+
+/*
+ * Security object class definitions
+ */
+#define SECCLASS_SECURITY                                1
+#define SECCLASS_PROCESS                                 2
+#define SECCLASS_SYSTEM                                  3
+#define SECCLASS_CAPABILITY                              4
+#define SECCLASS_FILESYSTEM                              5
+#define SECCLASS_FILE                                    6
+#define SECCLASS_DIR                                     7
+#define SECCLASS_FD                                      8
+#define SECCLASS_LNK_FILE                                9
+#define SECCLASS_CHR_FILE                                10
+#define SECCLASS_BLK_FILE                                11
+#define SECCLASS_SOCK_FILE                               12
+#define SECCLASS_FIFO_FILE                               13
+#define SECCLASS_SOCKET                                  14
+#define SECCLASS_TCP_SOCKET                              15
+#define SECCLASS_UDP_SOCKET                              16
+#define SECCLASS_RAWIP_SOCKET                            17
+#define SECCLASS_NODE                                    18
+#define SECCLASS_NETIF                                   19
+#define SECCLASS_NETLINK_SOCKET                          20
+#define SECCLASS_PACKET_SOCKET                           21
+#define SECCLASS_KEY_SOCKET                              22
+#define SECCLASS_UNIX_STREAM_SOCKET                      23
+#define SECCLASS_UNIX_DGRAM_SOCKET                       24
+#define SECCLASS_SEM                                     25
+#define SECCLASS_MSG                                     26
+#define SECCLASS_MSGQ                                    27
+#define SECCLASS_SHM                                     28
+#define SECCLASS_IPC                                     29
+#define SECCLASS_PASSWD                                  30
+#define SECCLASS_X_DRAWABLE                              31
+#define SECCLASS_X_SCREEN                                32
+#define SECCLASS_X_GC                                    33
+#define SECCLASS_X_FONT                                  34
+#define SECCLASS_X_COLORMAP                              35
+#define SECCLASS_X_PROPERTY                              36
+#define SECCLASS_X_SELECTION                             37
+#define SECCLASS_X_CURSOR                                38
+#define SECCLASS_X_CLIENT                                39
+#define SECCLASS_X_DEVICE                                40
+#define SECCLASS_X_SERVER                                41
+#define SECCLASS_X_EXTENSION                             42
+#define SECCLASS_NETLINK_ROUTE_SOCKET                    43
+#define SECCLASS_NETLINK_FIREWALL_SOCKET                 44
+#define SECCLASS_NETLINK_TCPDIAG_SOCKET                  45
+#define SECCLASS_NETLINK_NFLOG_SOCKET                    46
+#define SECCLASS_NETLINK_XFRM_SOCKET                     47
+#define SECCLASS_NETLINK_SELINUX_SOCKET                  48
+#define SECCLASS_NETLINK_AUDIT_SOCKET                    49
+#define SECCLASS_NETLINK_IP6FW_SOCKET                    50
+#define SECCLASS_NETLINK_DNRT_SOCKET                     51
+#define SECCLASS_DBUS                                    52
+#define SECCLASS_NSCD                                    53
+#define SECCLASS_ASSOCIATION                             54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
+#define SECCLASS_APPLETALK_SOCKET                        56
+#define SECCLASS_PACKET                                  57
+#define SECCLASS_KEY                                     58
+#define SECCLASS_CONTEXT                                 59
+#define SECCLASS_DCCP_SOCKET                             60
+#define SECCLASS_MEMPROTECT                              61
+#define SECCLASS_DB_DATABASE                             62
+#define SECCLASS_DB_TABLE                                63
+#define SECCLASS_DB_PROCEDURE                            64
+#define SECCLASS_DB_COLUMN                               65
+#define SECCLASS_DB_TUPLE                                66
+#define SECCLASS_DB_BLOB                                 67
+#define SECCLASS_PEER                                    68
+#define SECCLASS_CAPABILITY2                             69
+#define SECCLASS_X_RESOURCE                              70
+#define SECCLASS_X_EVENT                                 71
+#define SECCLASS_X_SYNTHETIC_EVENT                       72
+#define SECCLASS_X_APPLICATION_DATA                      73
+
+/*
+ * Security identifier indices for initial entities
+ */
+#define SECINITSID_KERNEL                               1
+#define SECINITSID_SECURITY                             2
+#define SECINITSID_UNLABELED                            3
+#define SECINITSID_FS                                   4
+#define SECINITSID_FILE                                 5
+#define SECINITSID_FILE_LABELS                          6
+#define SECINITSID_INIT                                 7
+#define SECINITSID_ANY_SOCKET                           8
+#define SECINITSID_PORT                                 9
+#define SECINITSID_NETIF                                10
+#define SECINITSID_NETMSG                               11
+#define SECINITSID_NODE                                 12
+#define SECINITSID_IGMP_PACKET                          13
+#define SECINITSID_ICMP_SOCKET                          14
+#define SECINITSID_TCP_SOCKET                           15
+#define SECINITSID_SYSCTL_MODPROBE                      16
+#define SECINITSID_SYSCTL                               17
+#define SECINITSID_SYSCTL_FS                            18
+#define SECINITSID_SYSCTL_KERNEL                        19
+#define SECINITSID_SYSCTL_NET                           20
+#define SECINITSID_SYSCTL_NET_UNIX                      21
+#define SECINITSID_SYSCTL_VM                            22
+#define SECINITSID_SYSCTL_DEV                           23
+#define SECINITSID_KMOD                                 24
+#define SECINITSID_POLICY                               25
+#define SECINITSID_SCMP_PACKET                          26
+#define SECINITSID_DEVNULL                              27
+
+#define SECINITSID_NUM                                  27
+
+#endif

jni/external/selinux/get_context_list.h

@@ -0,0 +1,82 @@
+#ifndef _SELINUX_GET_SID_LIST_H_
+#define _SELINUX_GET_SID_LIST_H_
+
+#include <selinux/selinux.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SELINUX_DEFAULTUSER "user_u"
+
+/* Get an ordered list of authorized security contexts for a user session
+   for 'user' spawned by 'fromcon' and set *conary to refer to the 
+   NULL-terminated array of contexts.  Every entry in the list will
+   be authorized by the policy, but the ordering is subject to user
+   customizable preferences.  Returns number of entries in *conary.
+   If 'fromcon' is NULL, defaults to current context.
+   Caller must free via freeconary. */
+	extern int get_ordered_context_list(const char *user,
+					    char * fromcon,
+					    char *** list);
+
+/* As above, but use the provided MLS level rather than the
+   default level for the user. */
+	int get_ordered_context_list_with_level(const char *user,
+						const char *level,
+						char * fromcon,
+						char *** list);
+
+/* Get the default security context for a user session for 'user'
+   spawned by 'fromcon' and set *newcon to refer to it.  The context
+   will be one of those authorized by the policy, but the selection
+   of a default is subject to user customizable preferences.
+   If 'fromcon' is NULL, defaults to current context.
+   Returns 0 on success or -1 otherwise.
+   Caller must free via freecon. */
+	extern int get_default_context(const char *user,
+				       char * fromcon,
+				       char ** newcon);
+
+/* As above, but use the provided MLS level rather than the
+   default level for the user. */
+	int get_default_context_with_level(const char *user,
+					   const char *level,
+					   char * fromcon,
+					   char ** newcon);
+
+/* Same as get_default_context, but only return a context
+   that has the specified role.  If no reachable context exists
+   for the user with that role, then return -1. */
+	int get_default_context_with_role(const char *user,
+					  const char *role,
+					  char * fromcon,
+					  char ** newcon);
+
+/* Same as get_default_context, but only return a context
+   that has the specified role and level.  If no reachable context exists
+   for the user with that role, then return -1. */
+	int get_default_context_with_rolelevel(const char *user,
+					       const char *role,
+					       const char *level,
+					       char * fromcon,
+					       char ** newcon);
+
+/* Given a list of authorized security contexts for the user, 
+   query the user to select one and set *newcon to refer to it.
+   Caller must free via freecon.
+   Returns 0 on sucess or -1 otherwise. */
+	extern int query_user_context(char ** list,
+				      char ** newcon);
+
+/* Allow the user to manually enter a context as a fallback
+   if a list of authorized contexts could not be obtained. 
+   Caller must free via freecon.
+   Returns 0 on success or -1 otherwise. */
+	extern int manual_user_enter_context(const char *user,
+					     char ** newcon);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

jni/external/selinux/get_default_type.h

@@ -0,0 +1,23 @@
+/* get_default_type.h - contains header information and function prototypes
+ *                  for functions to get the default type for a role
+ */
+
+#ifndef _SELINUX_GET_DEFAULT_TYPE_H_
+#define _SELINUX_GET_DEFAULT_TYPE_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Return path to default type file. */
+	const char *selinux_default_type_path(void);
+
+/* Get the default type (domain) for 'role' and set 'type' to refer to it.
+   Caller must free via free().
+   Return 0 on success or -1 otherwise. */
+	int get_default_type(const char *role, char **type);
+
+#ifdef __cplusplus
+}
+#endif
+#endif				/* ifndef _GET_DEFAULT_TYPE_H_ */

jni/external/selinux/label.h

@@ -0,0 +1,190 @@
+/*
+ * Labeling interface for userspace object managers and others.
+ *
+ * Author : Eamon Walsh <ewalsh@tycho.nsa.gov>
+ */
+#ifndef _SELABEL_H_
+#define _SELABEL_H_
+
+#include <stdbool.h>
+#include <sys/types.h>
+#include <selinux/selinux.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * Opaque type used for all label handles.
+ */
+
+struct selabel_handle;
+
+/* 
+ * Available backends.
+ */
+
+/* file contexts */
+#define SELABEL_CTX_FILE	0
+/* media contexts */
+#define SELABEL_CTX_MEDIA	1
+/* x contexts */
+#define SELABEL_CTX_X		2
+/* db objects */
+#define SELABEL_CTX_DB		3
+/* Android property service contexts */
+#define SELABEL_CTX_ANDROID_PROP 4
+/* Android service contexts */
+#define SELABEL_CTX_ANDROID_SERVICE 5
+
+/*
+ * Available options
+ */
+
+/* no-op option, useful for unused slots in an array of options */
+#define SELABEL_OPT_UNUSED	0
+/* validate contexts before returning them (boolean value) */
+#define SELABEL_OPT_VALIDATE	1
+/* don't use local customizations to backend data (boolean value) */
+#define SELABEL_OPT_BASEONLY	2
+/* specify an alternate path to use when loading backend data */
+#define SELABEL_OPT_PATH	3
+/* select a subset of the search space as an optimization (file backend) */
+#define SELABEL_OPT_SUBSET	4
+/* require a hash calculation on spec files */
+#define SELABEL_OPT_DIGEST	5
+/* total number of options */
+#define SELABEL_NOPT		6
+
+/*
+ * Label operations
+ */
+
+/**
+ * selabel_open - Create a labeling handle.
+ * @backend: one of the constants specifying a supported labeling backend.
+ * @opts: array of selabel_opt structures specifying label options or NULL.
+ * @nopts: number of elements in opts array or zero for no options.
+ *
+ * Open a labeling backend for use.  The available backend identifiers are
+ * listed above.  Options may be provided via the opts parameter; available
+ * options are listed above.  Not all options may be supported by every
+ * backend.  Return value is the created handle on success or NULL with
+ * @errno set on failure.
+ */
+struct selabel_handle *selabel_open(unsigned int backend,
+				    const struct selinux_opt *opts,
+				    unsigned nopts);
+
+/**
+ * selabel_close - Close a labeling handle.
+ * @handle: specifies handle to close
+ *
+ * Destroy the specified handle, closing files, freeing allocated memory,
+ * etc.  The handle may not be further used after it has been closed.
+ */
+void selabel_close(struct selabel_handle *handle);
+
+/**
+ * selabel_lookup - Perform labeling lookup operation.
+ * @handle: specifies backend instance to query
+ * @con: returns the appropriate context with which to label the object
+ * @key: string input to lookup operation
+ * @type: numeric input to the lookup operation
+ *
+ * Perform a labeling lookup operation.  Return %0 on success, -%1 with
+ * @errno set on failure.  The key and type arguments are the inputs to the
+ * lookup operation; appropriate values are dictated by the backend in use.
+ * The result is returned in the memory pointed to by @con and must be freed
+ * by the user with freecon().
+ */
+int selabel_lookup(struct selabel_handle *handle, char **con,
+		   const char *key, int type);
+int selabel_lookup_raw(struct selabel_handle *handle, char **con,
+		       const char *key, int type);
+
+bool selabel_partial_match(struct selabel_handle *handle, const char *key);
+
+int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
+			      const char *key, const char **aliases, int type);
+int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+			      const char *key, const char **aliases, int type);
+
+/**
+ * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
+ *		    generate the digest. The SELABEL_OPT_DIGEST option must
+ *		    be set in selabel_open() to initiate the digest generation.
+ * @handle: specifies backend instance to query
+ * @digest: returns a pointer to the SHA1 digest.
+ * @digest_len: returns length of digest in bytes.
+ * @specfiles: a list of specfiles used in the SHA1 digest generation.
+ *	       The list is NULL terminated and will hold @num_specfiles entries.
+ * @num_specfiles: number of specfiles in the list.
+ *
+ * Return %0 on success, -%1 with @errno set on failure.
+ */
+int selabel_digest(struct selabel_handle *rec,
+			    unsigned char **digest, size_t *digest_len,
+			    char ***specfiles, size_t *num_specfiles);
+
+enum selabel_cmp_result {
+	SELABEL_SUBSET,
+	SELABEL_EQUAL,
+	SELABEL_SUPERSET,
+	SELABEL_INCOMPARABLE
+};
+
+/**
+ * selabel_cmp - Compare two label configurations.
+ * @h1: handle for the first label configuration
+ * @h2: handle for the first label configuration
+ *
+ * Compare two label configurations.
+ * Return %SELABEL_SUBSET if @h1 is a subset of @h2, %SELABEL_EQUAL
+ * if @h1 is identical to @h2, %SELABEL_SUPERSET if @h1 is a superset
+ * of @h2, and %SELABEL_INCOMPARABLE if @h1 and @h2 are incomparable.
+ */
+enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
+				    struct selabel_handle *h2);
+
+/**
+ * selabel_stats - log labeling operation statistics.
+ * @handle: specifies backend instance to query
+ *
+ * Log a message with information about the number of queries performed,
+ * number of unused matching entries, or other operational statistics.
+ * Message is backend-specific, some backends may not output a message.
+ */
+void selabel_stats(struct selabel_handle *handle);
+
+/*
+ * Type codes used by specific backends
+ */
+
+/* X backend */
+#define SELABEL_X_PROP		1
+#define SELABEL_X_EXT		2
+#define SELABEL_X_CLIENT	3
+#define SELABEL_X_EVENT		4
+#define SELABEL_X_SELN		5
+#define SELABEL_X_POLYPROP	6
+#define SELABEL_X_POLYSELN	7
+
+/* DB backend */
+#define SELABEL_DB_DATABASE	1
+#define SELABEL_DB_SCHEMA	2
+#define SELABEL_DB_TABLE	3
+#define SELABEL_DB_COLUMN	4
+#define SELABEL_DB_SEQUENCE	5
+#define SELABEL_DB_VIEW		6
+#define SELABEL_DB_PROCEDURE	7
+#define SELABEL_DB_BLOB		8
+#define SELABEL_DB_TUPLE	9
+#define SELABEL_DB_LANGUAGE	10
+#define SELABEL_DB_EXCEPTION 11
+#define SELABEL_DB_DATATYPE 12
+
+#ifdef __cplusplus
+}
+#endif
+#endif	/* _SELABEL_H_ */

jni/external/selinux/restorecon.h

@@ -0,0 +1,187 @@
+#ifndef _RESTORECON_H_
+#define _RESTORECON_H_
+
+#include <sys/types.h>
+#include <stdarg.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * selinux_restorecon - Relabel files.
+ * @pathname: specifies file/directory to relabel.
+ * @restorecon_flags: specifies the actions to be performed when relabeling.
+ *
+ * selinux_restorecon(3) will automatically call
+ * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
+ * first time through to set the selabel_open(3) parameters to use the
+ * currently loaded policy file_contexts and request their computed digest.
+ *
+ * Should other selabel_open(3) parameters be required see
+ * selinux_restorecon_set_sehandle(3).
+ */
+extern int selinux_restorecon(const char *pathname,
+				    unsigned int restorecon_flags);
+/*
+ * restorecon_flags options
+ */
+/*
+ * Force the checking of labels even if the stored SHA1
+ * digest matches the specfiles SHA1 digest.
+ */
+#define SELINUX_RESTORECON_IGNORE_DIGEST		0x0001
+/*
+ * Do not change file labels.
+ */
+#define SELINUX_RESTORECON_NOCHANGE			0x0002
+/*
+ * If set set change file label to that in spec file.
+ * If not only change type component to that in spec file.
+ */
+#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x0004
+/*
+ * Recursively descend directories.
+ */
+#define SELINUX_RESTORECON_RECURSE			0x0008
+/*
+ * Log changes to selinux log. Note that if VERBOSE and
+ * PROGRESS are set, then PROGRESS will take precedence.
+ */
+#define SELINUX_RESTORECON_VERBOSE			0x0010
+/*
+ * If SELINUX_RESTORECON_PROGRESS is true and
+ * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
+ * else output the number of files in 1k blocks processed to stdout.
+ */
+#define SELINUX_RESTORECON_PROGRESS			0x0020
+/*
+ * Convert passed-in pathname to canonical pathname.
+ */
+#define SELINUX_RESTORECON_REALPATH			0x0040
+/*
+ * Prevent descending into directories that have a different
+ * device number than the pathname from which the descent began.
+ */
+#define SELINUX_RESTORECON_XDEV				0x0080
+/*
+ * Attempt to add an association between an inode and a specification.
+ * If there is already an association for the inode and it conflicts
+ * with the specification, then use the last matching specification.
+ */
+#define SELINUX_RESTORECON_ADD_ASSOC			0x0100
+/*
+ * Abort on errors during the file tree walk.
+ */
+#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x0200
+/*
+ * Log any label changes to syslog.
+ */
+#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x0400
+/*
+ * Log what spec matched each file.
+ */
+#define SELINUX_RESTORECON_LOG_MATCHES			0x0800
+/*
+ * Ignore files that do not exist.
+ */
+#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x1000
+/*
+ * Do not read /proc/mounts to obtain a list of non-seclabel
+ * mounts to be excluded from relabeling checks.
+ */
+#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x2000
+/*
+ * Set if there is a mass relabel required.
+ * See SELINUX_RESTORECON_PROGRESS flag for details.
+ */
+#define SELINUX_RESTORECON_MASS_RELABEL			0x4000
+
+/**
+ * selinux_restorecon_set_sehandle - Set the global fc handle.
+ * @hndl: specifies handle to set as the global fc handle.
+ *
+ * Called by a process that has already called selabel_open(3) with it's
+ * required parameters, or if selinux_restorecon_default_handle(3) has been
+ * called to set the default selabel_open(3) parameters.
+ */
+// extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);
+
+/**
+ * selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
+ *				       to use the currently loaded policy and
+ *				       file_contexts, also requests the digest.
+ *
+ * Return value is the created handle on success or NULL with @errno set on
+ * failure.
+ */
+extern struct selabel_handle *selinux_restorecon_default_handle(void);
+
+/**
+ * selinux_restorecon_set_exclude_list - Add a list of directories that are
+ *					 to be excluded from relabeling.
+ * @exclude_list: containing a NULL terminated list of one or more
+ *		  directories not to be relabeled.
+ */
+extern void selinux_restorecon_set_exclude_list(const char **exclude_list);
+
+/**
+ * selinux_restorecon_set_alt_rootpath - Use alternate rootpath.
+ * @alt_rootpath: containing the alternate rootpath to be used.
+ *
+ * Return %0 on success, -%1 with @errno set on failure.
+ */
+extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);
+
+/**
+ * selinux_restorecon_xattr - Read/remove RESTORECON_LAST xattr entries.
+ * @pathname: specifies directory path to check.
+ * @xattr_flags: specifies the actions to be performed.
+ * @xattr_list: a linked list of struct dir_xattr structures containing
+ *              the directory, digest and result of the action on the
+ *              RESTORECON_LAST entry.
+ *
+ * selinux_restorecon_xattr(3) will automatically call
+ * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
+ * first time through to set the selabel_open(3) parameters to use the
+ * currently loaded policy file_contexts and request their computed digest.
+ *
+ * Should other selabel_open(3) parameters be required see
+ * selinux_restorecon_set_sehandle(3), however note that a file_contexts
+ * computed digest is required for selinux_restorecon_xattr().
+ */
+enum digest_result {
+	MATCH = 0,
+	NOMATCH,
+	DELETED_MATCH,
+	DELETED_NOMATCH,
+	ERROR
+};
+
+struct dir_xattr {
+	char *directory;
+	char *digest; /* A hex encoded string that can be printed. */
+	enum digest_result result;
+	struct dir_xattr *next;
+};
+
+extern int selinux_restorecon_xattr(const char *pathname,
+				    unsigned int xattr_flags,
+				    struct dir_xattr ***xattr_list);
+
+/*
+ * xattr_flags options
+ */
+/* Recursively descend directories. */
+#define SELINUX_RESTORECON_XATTR_RECURSE			0x0001
+/* Delete non-matching digests from each directory in pathname. */
+#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS	0x0002
+/* Delete all digests found in pathname. */
+#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS		0x0004
+/* Do not read /proc/mounts. */
+#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS			0x0008
+
+#ifdef __cplusplus
+}
+#endif
+#endif