Utf8CStr is in many cases a better string view class than
std::string_view, because it provides "view" access to a string buffer
that is guaranteed to be null terminated. It also has the additional
benefit of being UTF-8 verified and can seemlessly cross FFI boundaries.
We would want to start use more Utf8CStr in our existing C++ codebase.
The existing sepolicy patching strategy looks like this:
1. 2SI: use LD_PRELOAD to hijack `security_load_policy`
2. Split policy: devices using split policy implies it also needs to
do early mount, which means fstab is stored in device tree.
So we do the following:
- Hijack the fstab node in the device tree in sysfs
- Wait for init to mount selinuxfs for us
- Hijack selinuxfs to intercept sepolicy loading
3. Monolithic policy: directly patch `/sepolicy`
Method #1 and #2 both has the magiskinit pre-init daemon handling
the sepolicy patching and loading process, while method #3 gives us
zero control over sepolicy loading process. Downsides:
a. Pre-init daemon bypasses the need to guess which sepolicy init
will load, because the original init will literally send the stock
sepolicy file directly to us with this approach.
b. If we want to add more features/functionalities during the sepolicy
patching process, we will leave out devices using method #3
In order to solve these issues, we completely redesign the sepolicy
patching strategy for non-2SI devices. Instead of limiting usage of
pre-init daemon to early mount devices, we always intercept the
sepolicy loading process regardless of the Android version and device
setup. This will give us a unified implementation for sepolicy patching,
and will make it easier to develop further new features down the line.
Before magiskd is executed, all files in magisk tmpfs still shares
tmpfs label. This commit tightens the rule to only allow init, zygote
and shell to access magisk tmpfs files. Zygotes rules is needed
because lower Android versions don't have rule for zygote itself
using memfd even memfd is supported in kernel.
