-
Notifications
You must be signed in to change notification settings - Fork 571
Explanation about incorrect SELinux rules from third party ROMs cause Riru not working
The idea is from @vvb2060
There have been a lot of "Riru not work" reports that show some third-party ROMs have incorrect SELinux rules (allow init system_file:dir relabelfrom
). This rule does not exist in AOSP. (See https://cs.android.com/android/platform/superproject/+/android-11.0.0_r1:system/sepolicy/public/init.te;l=199;bpv=1;bpt=0, AOSP explicitly disallow init to relabel system_file)
For Riru, this will make zygote
not able to access necessary files from Magisk module folders since the folders are relabeled to adb_data_file
but zygote
is not allowed to access adb_data_file
.
If there are other Magisk modules that do the same thing like Riru, let non-root processes read modules files directly, these modules will be broken as well.
If your ROM has such problems, our recommendation is:
- Report this problem to your ROM maintainers.
- Switch to other ROMs which does not have this problem, such as official LineageOS.
The reason we (@vvb2060) don't try to bypass this "problem" is we hope the whole third-party ROM community really pays attention to SELinux, not only have SELinux enforcing but also write correct rules.
Riru (and other modules with the same behavior) require the context of /data/adb/modules
and its subfolders to be system_file
. It's unreasonable that a module needs to modify the /data/adb/modules
folder that managed by Magisk.
这都是 @vvb2060 的主意
大量的“Riru 无法正常工作”报告表明,某些第三方 ROM 具有不正确的 SELinux 规则(allow init system_file:dir relabelfrom
)。此规则在 AOSP 中不存在。(参见 https://cs.android.com/android/platform/superproject/+/android-11.0.0_r1:system/sepolicy/public/init.te;l=199;bpv=1;bpt=0,AOSP 显式地禁止 init relabel system_file)
对于 Riru 来说,这将使 zygote
无法访问 Magisk 模块文件夹中的必要文件,因为文件夹被重新标记为 adb_data_file
,而 zygote
不被允许访问 adb_data_file
。如果有其他 Magisk 模块做和 Riru 类似的事情,即让非 root 进程直接读取模块文件,那些模块也会损坏。
如果您的 ROM 有此类问题,我们建议:
- 向你的 ROM 的维护人员回报这个问题。
- 切换到其他无此问题的 ROM,例如官方 LineageOS。
我们(@vvb2060)不尝试绕过此“问题”的原因是我们希望整个第三方 ROM 社区真正关注 SELinux,不只是要保证 SELinux 强制执行,还要编写正确的规则。
Riru(及其他有相同行为的模块)要求 /data/adb/modules
及其子文件夹的 context 为 system_file
。让某个模块修改由 Magisk 管理的 /data/adb/modules
文件夹显然不合理。