diff --git a/build.gradle b/build.gradle
index 28680819c..f0236679e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -47,7 +47,7 @@ subprojects {
 defaultConfig {
 if (minSdkVersion == null)
- minSdkVersion 18
+ minSdkVersion 17
 targetSdkVersion 28
 }
diff --git a/native/jni/core/applets.cpp b/native/jni/core/applets.cpp
index f1ab263bf..4932bc9e0 100644
--- a/native/jni/core/applets.cpp
+++ b/native/jni/core/applets.cpp
@@ -26,7 +26,7 @@ static int (*applet_main[]) (int, char *[]) =
 int main(int argc, char *argv[]) {
 umask(0);
- selinux_builtin_impl();
+ dload_selinux();
 cmdline_logging();
 init_argv0(argc, argv);
diff --git a/native/jni/init/rootdir.cpp b/native/jni/init/rootdir.cpp
index 6d39bce33..e5a362e8f 100644
--- a/native/jni/init/rootdir.cpp
+++ b/native/jni/init/rootdir.cpp
@@ -153,24 +153,25 @@ void SARCompatInit::setup_rootfs() {
 }
 bool MagiskInit::patch_sepolicy(const char *file) {
- bool require_patch = false;
-
- // Mount selinuxfs to communicate with kernel
- xmount("selinuxfs", SELINUX_MNT, "selinuxfs", 0, nullptr);
+ bool patch_init = false;
 if (access(SPLIT_PLAT_CIL, R_OK) == 0) {
 LOGD("sepol: split policy\n");
- load_split_cil();
- require_patch = true;
+ patch_init = true;
 } else if (access("/sepolicy", R_OK) == 0) {
 LOGD("sepol: monolithic policy\n");
 load_policydb("/sepolicy");
 } else {
- // Fatal error!!
 LOGD("sepol: no selinux\n");
 return false;
 }
+ // Mount selinuxfs to communicate with kernel
+ xmount("selinuxfs", SELINUX_MNT, "selinuxfs", 0, nullptr);
+
+ if (patch_init)
+ load_split_cil();
+
 sepol_magisk_rules();
 sepol_allow(SEPOL_PROC_DOMAIN, ALL, ALL, ALL);
 dump_policydb(file);
@@ -181,7 +182,7 @@ bool MagiskInit::patch_sepolicy(const char *file) {
 link("/sepolicy", "/sepolicy_debug");
 }
- return require_patch;
+ return patch_init;
 }
 constexpr const char wrapper[] =
diff --git a/native/jni/utils/include/selinux.h b/native/jni/utils/include/selinux.h
index 15e4615e8..322afaaff 100644
--- a/native/jni/utils/include/selinux.h
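Review bot: In `MagiskInit::patch_sepolicy` (native/jni/init/rootdir.cpp), `load_split_cil()` now runs only after `xmount("selinuxfs", ...)` while `load_policydb("/sepolicy")` still runs before it, and no comment explains why the two branches are ordered differently. If the reorder exists because the split-policy path needs selinuxfs mounted (my inference from the move), say so above the deferred call, e.g. `// load_split_cil() needs selinuxfs mounted, so it runs after xmount`. The result of `xmount` is not checked before that call, so unless the helper aborts on failure a failed mount goes unnoticed here; a log line would help. The function would also benefit from a header comment stating that it returns true only for split policy and false both when the monolithic policy was patched and when no policy was found, since callers cannot tell those two apart. Part of the body between the two hunks is not shown.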
+++ b/native/jni/utils/include/selinux.h
@@ -20,7 +20,7 @@ __BEGIN_DECLS
-#define freecon free
+extern void (*freecon)(char *con);
 extern int (*setcon)(const char *con);
 extern int (*getfilecon)(const char *path, char **con);
 extern int (*lgetfilecon)(const char *path, char **con);
@@ -32,6 +32,7 @@ void getfilecon_at(int dirfd, const char *name, char **con);
 void setfilecon_at(int dirfd, const char *name, const char *con);
 void selinux_builtin_impl();
+void dload_selinux();
 void restorecon();
 void restore_rootcon();
diff --git a/native/jni/utils/selinux.cpp b/native/jni/utils/selinux.cpp
index d530c3392..ed3696191 100644
--- a/native/jni/utils/selinux.cpp
+++ b/native/jni/utils/selinux.cpp
@@ -38,6 +38,10 @@ static int stub(int, char **ctx) {
 // Builtin implementation
+static void __freecon(char *s) {
+ free(s);
+}
+
 static int __setcon(const char *ctx) {
 int fd = open("/proc/self/attr/current", O_WRONLY | O_CLOEXEC);
 if (fd < 0)
@@ -110,6 +114,7 @@ static int __fsetfilecon(int fd, const char *ctx) {
 // Function pointers
+void (*freecon)(char *) = __freecon;
 int (*setcon)(const char *) = stub;
 int (*getfilecon)(const char *, char **) = stub;
 int (*lgetfilecon)(const char *, char **) = stub;
@@ -141,6 +146,16 @@ void selinux_builtin_impl() {
 fsetfilecon = __fsetfilecon;
 }
+void dload_selinux() {
+ if (access("/system/lib/libselinux.so", F_OK))
+ return;
+ /* We only check whether libselinux.so exists but don't dlopen.
+ * For some reason calling symbols returned from dlsym
+ * will result to SEGV_ACCERR on some devices.
+ * Always use builtin implementations for SELinux stuffs. */
+ selinux_builtin_impl();
+}
+
 static void restore_syscon(int dirfd) {
 struct dirent *entry;
 DIR *dir;
diff --git a/scripts/flash_script.sh b/scripts/flash_script.sh
index 0239db1de..f8f47e4cf 100644
--- a/scripts/flash_script.sh
+++ b/scripts/flash_script.sh
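Review bot: `dload_selinux()` in native/jni/utils/selinux.cpp returns without installing the builtin implementations when `/system/lib/libselinux.so` is absent, leaving every pointer except `freecon` on `stub`, and nothing is logged when that happens. Because the test is a single hard-coded library path, a device that enforces SELinux but keeps the library elsewhere would have its context calls silently stubbed; `stub`'s body is outside this diff, so confirm what callers of `setcon`/`setfilecon` then observe. Testing for SELinux itself would be more direct, for example `if (access(SELINUX_MNT, F_OK) != 0) return;`, provided that macro is visible in this file and selinuxfs is mounted by the time `main` in applets.cpp calls this. The name no longer matches the behaviour since nothing is dlopen'ed, so a one-line comment above the function such as `// Enable builtin SELinux implementations only when the platform ships libselinux` would spare readers the surprise.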
@@ -53,7 +53,7 @@ ui_print "- Target image: $BOOTIMAGE"
 # Detect version and architecture
 api_level_arch_detect
-[ $API -lt 18 ] && abort "! Magisk is only for Android 4.3 and above"
+[ $API -lt 17 ] && abort "! Magisk is only for Android 4.2 and above"
 ui_print "- Device platform: $ARCH"