From 2bc0f0c7161a66dd4b32352ba2ed3b5eacf0eec3 Mon Sep 17 00:00:00 2001
From: JingMatrix
Date: Sun, 5 Jan 2025 13:39:42 +0100
Subject: [PATCH] Refine SELinux rules for Xposed files (#149)

1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`.
2. A new rule added according to the SELinux logs, which is needed to write to the mangaer's SharedPreference.
3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux.
4. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
---
 .../org/lsposed/lspd/service/ConfigFileManager.java | 2 +-
 .../java/org/lsposed/lspd/service/ConfigManager.java | 2 +-
 .../java/org/lsposed/lspd/service/Dex2OatService.java | 6 +++---
 .../org/lsposed/lspd/service/LSPManagerService.java | 2 +-
 magisk-loader/magisk_module/customize.sh | 2 +-
 magisk-loader/magisk_module/sepolicy.rule | 10 ++++++++++
 6 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java b/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java
index 63420c46..edb04bb8 100644
--- a/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java
+++ b/daemon/src/main/java/org/lsposed/lspd/service/ConfigFileManager.java
@@ -457,7 +457,7 @@ public class ConfigFileManager {
 if (uid != -1) {
 if (path.toFile().mkdirs()) {
 try {
- SELinux.setFileContext(path.toString(), "u:object_r:magisk_file:s0");
+ SELinux.setFileContext(path.toString(), "u:object_r:xposed_file:s0");
 Os.chown(path.toString(), uid, uid);
 Os.chmod(path.toString(), 0755);
 } catch (ErrnoException e) {
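Review bot: Directories that already exist keep their old `magisk_file` label, because the relabel runs only when `path.toFile().mkdirs()` succeeds and this commit adds no migration for earlier installs; the new `xposed_file` allow rules in this patch do not cover a `magisk_file`-labelled directory, so an upgraded device would be relying on Magisk's own rules for that type staying in place. Consider relabeling regardless of whether the directory was just created, e.g. `path.toFile().mkdirs();` followed by `SELinux.setFileContext(path.toString(), "u:object_r:xposed_file:s0");` before the existing `try`, keeping the chown/chmod only for the newly created case if that was the intent. The boolean `setFileContext` returns is also dropped, so a missing `xposed_file` type (module policy not loaded) leaves the directory with the default label without any log line. The enclosing method starts and ends outside the hunk.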
diff --git a/daemon/src/main/java/org/lsposed/lspd/service/ConfigManager.java b/daemon/src/main/java/org/lsposed/lspd/service/ConfigManager.java
index c90a65aa..e058e68a 100644
--- a/daemon/src/main/java/org/lsposed/lspd/service/ConfigManager.java
+++ b/daemon/src/main/java/org/lsposed/lspd/service/ConfigManager.java
@@ -299,7 +299,7 @@ public class ConfigManager {
 try {
 var perms = PosixFilePermissions.fromString("rwx--x--x");
 Files.createDirectories(miscPath, PosixFilePermissions.asFileAttribute(perms));
- walkFileTree(miscPath, f -> SELinux.setFileContext(f.toString(), "u:object_r:magisk_file:s0"));
+ walkFileTree(miscPath, f -> SELinux.setFileContext(f.toString(), "u:object_r:xposed_data:s0"));
 } catch (IOException e) {
 Log.e(TAG, Log.getStackTraceString(e));
 }
diff --git a/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java b/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java
index dba8bd7d..4f1f5d8f 100644
--- a/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java
+++ b/daemon/src/main/java/org/lsposed/lspd/service/Dex2OatService.java
@@ -171,7 +171,7 @@ public class Dex2OatService implements Runnable {
 Log.i(TAG, "Dex2oat wrapper daemon start");
 var sockPath = getSockPath();
 Log.d(TAG, "wrapper path: " + sockPath);
- var magisk_file = "u:object_r:magisk_file:s0";
+ var xposed_file = "u:object_r:xposed_file:s0";
 var dex2oat_exec = "u:object_r:dex2oat_exec:s0";
 
 if (SELinux.checkSELinuxAccess("u:r:dex2oat:s0", dex2oat_exec, "file", "execute_no_trans")) {
@@ -179,8 +179,8 @@ public class Dex2OatService implements Runnable {
 SELinux.setFileContext(WRAPPER64, dex2oat_exec);
 setSockCreateContext("u:r:dex2oat:s0");
 } else {
- SELinux.setFileContext(WRAPPER32, magisk_file);
- SELinux.setFileContext(WRAPPER64, magisk_file);
+ SELinux.setFileContext(WRAPPER32, xposed_file);
+ SELinux.setFileContext(WRAPPER64, xposed_file);
 setSockCreateContext("u:r:installd:s0");
 }
 try (var server = new LocalServerSocket(sockPath)) {
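Review bot: The boolean `SELinux.setFileContext` returns is discarded inside the `walkFileTree` lambda, so if the `xposed_data` type is absent (the module's sepolicy.rule did not load) every file under `miscPath` silently keeps its previous label, and the surrounding `catch (IOException e)` never sees it. I would log a failed relabel, e.g. `walkFileTree(miscPath, f -> { if (!SELinux.setFileContext(f.toString(), "u:object_r:xposed_data:s0")) Log.w(TAG, "failed to relabel " + f); });`, assuming `walkFileTree`'s callback accepts a statement lambda — its signature is not visible here. A comment on the new label would also help: per the sepolicy.rule hunk in this patch, `xposed_data` is allowed to every domain, so the `rwx--x--x` DAC bits set just above are the only access control on this tree, and that is worth stating next to the code that relies on it. The enclosing method starts outside the hunk.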
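Review bot: The fallback branch's dependency on installd being able to execute `xposed_file`-labelled wrappers is not recorded here; after relabeling `WRAPPER32`/`WRAPPER64` as `xposed_file` the socket context switches to `u:r:installd:s0`, and the only thing that makes that work is the `allow {installd isolated_app shell} xposed_file {file dir} *` rule in this patch's sepolicy.rule. A one-line comment would save the next reader a search: `// fallback: wrappers are run from installd's domain, which sepolicy.rule grants execute on xposed_file`. As in the `dex2oat_exec` branch, the return value of `setFileContext` is ignored, so a failed relabel only surfaces when the wrapper later fails to execute. The enclosing method starts before the first hunk and ends after the second.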
diff --git a/daemon/src/main/java/org/lsposed/lspd/service/LSPManagerService.java b/daemon/src/main/java/org/lsposed/lspd/service/LSPManagerService.java
index 9beaf9e1..46a3cd54 100644
--- a/daemon/src/main/java/org/lsposed/lspd/service/LSPManagerService.java
+++ b/daemon/src/main/java/org/lsposed/lspd/service/LSPManagerService.java
@@ -191,7 +191,7 @@ public class LSPManagerService extends ILSPManagerService.Stub {
 
 private void ensureWebViewPermission(File f) {
 if (!f.exists()) return;
- SELinux.setFileContext(f.getAbsolutePath(), "u:object_r:magisk_file:s0");
+ SELinux.setFileContext(f.getAbsolutePath(), "u:object_r:xposed_file:s0");
 try {
 Os.chown(f.getAbsolutePath(), BuildConfig.MANAGER_INJECTED_UID, BuildConfig.MANAGER_INJECTED_UID);
 } catch (ErrnoException e) {
diff --git a/magisk-loader/magisk_module/customize.sh b/magisk-loader/magisk_module/customize.sh
index 5db19267..55ed29c1 100644
--- a/magisk-loader/magisk_module/customize.sh
+++ b/magisk-loader/magisk_module/customize.sh
@@ -149,7 +149,7 @@ else
 fi
 
 set_perm_recursive "$MODPATH" 0 0 0755 0644
-set_perm_recursive "$MODPATH/bin" 0 2000 0755 0755 u:object_r:magisk_file:s0
+set_perm_recursive "$MODPATH/bin" 0 2000 0755 0755 u:object_r:xposed_file:s0
 chmod 0744 "$MODPATH/daemon"
 
 if [ "$(grep_prop ro.maple.enable)" == "1" ] && [ "$FLAVOR" == "zygisk" ]; then
diff --git a/magisk-loader/magisk_module/sepolicy.rule b/magisk-loader/magisk_module/sepolicy.rule
index e0b8c560..bfbef3d8 100644
--- a/magisk-loader/magisk_module/sepolicy.rule
+++ b/magisk-loader/magisk_module/sepolicy.rule
@@ -1 +1,11 @@
 allow dex2oat dex2oat_exec file execute_no_trans
+
+allow shell shell dir write
+
+type xposed_file file_type
+typeattribute xposed_file mlstrustedobject
+allow {installd isolated_app shell} xposed_file {file dir} *
+
+type xposed_data file_type
+typeattribute xposed_data mlstrustedobject
+allow * xposed_data {file dir} *
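Review bot: Nothing in `ensureWebViewPermission` records which domain the `xposed_file` label is meant to admit; the `isolated_app` entry in this patch's new `xposed_file` allow rule is presumably there for the manager's sandboxed WebView renderer, and that reasoning belongs next to this call, e.g. `// xposed_file: readable by the manager's isolated WebView process (see sepolicy.rule)`. The boolean from `setFileContext` is dropped, so a missing `xposed_file` type leaves the file with its old label and the only symptom is a WebView failure later; consider logging when it returns false, next to the `chown` that is already wrapped in a `try`. The method's body ends outside the hunk.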
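Review bot: `allow * xposed_data {file dir} *` and `allow {installd isolated_app shell} xposed_file {file dir} *` grant every permission in the class (write, unlink, setattr, relabelfrom/relabelto, and execute for files) to the listed source domains — and for `xposed_data` to every domain on the device — which is far wider than the stated goal of letting other apps read XSharedPreferences; with `mlstrustedobject` added, DAC bits become the only barrier on these trees. I would list the permissions the denials actually showed, for example `allow * xposed_data dir { getattr open read search }` and `allow * xposed_data file { getattr open read map }`, and give the writer (the daemon, whose domain is not visible in this diff) its own create/write rule rather than folding it into `*`. `allow shell shell dir write` also deserves a comment naming the denial it resolves: a directory whose type is the `shell` domain looks like a /proc/<pid> entry of a shell-domain process, but that is a guess from the type names, and a rule with a domain as its target type will puzzle the next reader. Since these statements are injected at boot outside the stock policy's own checks, this file is the only place where the grants get reviewed, so keeping each rule to the minimum it needs is worth the extra lines.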