Introduce SELinux labels for Xposed files #149
Conversation
|
It is strange to still have AVC denial logs as follows: |
|
To reproduce the previous case,
@Dev4Mod I notify you about this bug since your module is taken as an example. However, this happens for any modules using XSharedPrefrences. |
| @@ -1 +1,7 @@ | |||
| allow dex2oat dex2oat_exec file execute_no_trans | |||
|
|
|||
| allow zygote appdomain_tmpfs file * | |||
There was a problem hiding this comment.
The issue is on userdebug rom, su is appdomain, so tmpfs it creates is appdomain_tmpfs too. So this should be fixed in zygisk, not lsposed.
There was a problem hiding this comment.
Okay, that is reasonable. It is strange that in the users' phone, without LSPosed, NeoZygisk without this rule can still work without problem.
There was a problem hiding this comment.
Confirmed from logs that you are correct, this rule must be added from the Zygisk side. Thanks for pointing ot out!
| @@ -299,7 +299,7 @@ private synchronized void updateConfig() { | |||
| try { | |||
| var perms = PosixFilePermissions.fromString("rwx--x--x"); | |||
| Files.createDirectories(miscPath, PosixFilePermissions.asFileAttribute(perms)); | |||
| walkFileTree(miscPath, f -> SELinux.setFileContext(f.toString(), "u:object_r:magisk_file:s0")); | |||
| walkFileTree(miscPath, f -> SELinux.setFileContext(f.toString(), "u:object_r:app_data_file:s0")); | |||
There was a problem hiding this comment.
I think it is because app_data_file has mlstrustedsubject comstraints, and you cannot just simply allow it here without relax it:
https://developer.android.com/about/versions/pie/android-9.0-changes-28?hl=zh-cn#per-app-selinux
https://cs.android.com/android/platform/superproject/main/+/main:system/sepolicy/private/app.te;l=247?q=app.te&ss=android%2Fplatform%2Fsuperproject%2Fmain
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`. 2. A new rule added according to the SELinux logs, which is needed to write to the mangaer's SharedPreference. 3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
|
It turns out that we should add attribute |
|
Current rule still causes the problem of WebView crashing: We should thus also add |
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`. 2. A new rule added according to the SELinux logs, which is needed to write to the mangaer's SharedPreference. 3. `xposed_data` is a new SELinux context label for XSharedPreference files, it is not meant to provide MAC restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux. 4. We add attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
The SELinux context label
magisk_fileis widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files.We thus introduce two new labels,
xposed_fileandxposed_module. The first one will be used with strict MAC rules, while the second one is meant to be accessible for all application processes, including Xposed modules. Thexposed_modulelabel might be removed in the future since its function remains unclear.