Skip to content

Commit

Permalink
Remove an additional unique_ptr indirection
Browse files Browse the repository at this point in the history
  • Loading branch information
@topjohnwu
topjohnwu committed Feb 5, 2025
1 parent a14fc90 commit b7ca73f
Show file tree
Hide file tree
Showing 10 changed files with 111 additions and 131 deletions.
16 changes: 8 additions & 8 deletions native/src/init/selinux.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,19 +9,19 @@ using namespace std;

void MagiskInit::patch_sepolicy(const char *in, const char *out) {
LOGD("Patching monolithic policy\n");
auto sepol = unique_ptr<sepolicy>(sepolicy::from_file(in));
auto sepol = SePolicy::from_file(in);

sepol->magisk_rules();
sepol.magisk_rules();

// Custom rules
auto rule = "/data/" PREINITMIRR "/sepolicy.rule";
if (xaccess(rule, R_OK) == 0) {
LOGD("Loading custom sepolicy patch: [%s]\n", rule);
sepol->load_rule_file(rule);
sepol.load_rule_file(rule);
}

LOGD("Dumping sepolicy to: [%s]\n", out);
sepol->to_file(out);
sepol.to_file(out);

// Remove OnePlus stupid debug sepolicy and use our own
if (access("/sepolicy_debug", F_OK) == 0) {
Expand Down Expand Up @@ -124,12 +124,12 @@ bool MagiskInit::hijack_sepolicy() {
xumount2(SELINUX_ENFORCE, MNT_DETACH);

// Load and patch policy
auto sepol = unique_ptr<sepolicy>(sepolicy::from_file(MOCK_LOAD));
sepol->magisk_rules();
sepol->load_rules(rules);
auto sepol = SePolicy::from_file(MOCK_LOAD);
sepol.magisk_rules();
sepol.load_rules(rules);

// Load patched policy into kernel
sepol->to_file(SELINUX_LOAD);
sepol.to_file(SELINUX_LOAD);

// restore mounted files' context after sepolicy loaded
rust::reset_overlay_contexts();
Expand Down
32 changes: 16 additions & 16 deletions native/src/sepolicy/api.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,70 +62,70 @@ static inline void expand(const Xperms &vec, T &&...args) {
}
}

void sepolicy::allow(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
void SePolicy::allow(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
expand(src, tgt, cls, perm, [this](auto ...args) {
print_rule("allow", args...);
impl->add_rule(args..., AVTAB_ALLOWED, false);
});
}

void sepolicy::deny(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
void SePolicy::deny(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
expand(src, tgt, cls, perm, [this](auto ...args) {
print_rule("deny", args...);
impl->add_rule(args..., AVTAB_ALLOWED, true);
});
}

void sepolicy::auditallow(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
void SePolicy::auditallow(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
expand(src, tgt, cls, perm, [this](auto ...args) {
print_rule("auditallow", args...);
impl->add_rule(args..., AVTAB_AUDITALLOW, false);
});
}

void sepolicy::dontaudit(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
void SePolicy::dontaudit(StrVec src, StrVec tgt, StrVec cls, StrVec perm) noexcept {
expand(src, tgt, cls, perm, [this](auto ...args) {
print_rule("dontaudit", args...);
impl->add_rule(args..., AVTAB_AUDITDENY, true);
});
}

void sepolicy::permissive(StrVec types) noexcept {
void SePolicy::permissive(StrVec types) noexcept {
expand(types, [this](auto ...args) {
print_rule("permissive", args...);
impl->set_type_state(args..., true);
});
}

void sepolicy::enforce(StrVec types) noexcept {
void SePolicy::enforce(StrVec types) noexcept {
expand(types, [this](auto ...args) {
print_rule("enforce", args...);
impl->set_type_state(args..., false);
});
}

void sepolicy::typeattribute(StrVec types, StrVec attrs) noexcept {
void SePolicy::typeattribute(StrVec types, StrVec attrs) noexcept {
expand(types, attrs, [this](auto ...args) {
print_rule("typeattribute", args...);
impl->add_typeattribute(args...);
});
}

void sepolicy::type(Str type, StrVec attrs) noexcept {
void SePolicy::type(Str type, StrVec attrs) noexcept {
expand(type, attrs, [this](auto name, auto attr) {
print_rule("type", name, attr);
impl->add_type(name, TYPE_TYPE) && impl->add_typeattribute(name, attr);
});
}

void sepolicy::attribute(Str name) noexcept {
void SePolicy::attribute(Str name) noexcept {
expand(name, [this](auto ...args) {
print_rule("attribute", args...);
impl->add_type(args..., TYPE_ATTRIB);
});
}

void sepolicy::type_transition(Str src, Str tgt, Str cls, Str def, Str obj) noexcept {
void SePolicy::type_transition(Str src, Str tgt, Str cls, Str def, Str obj) noexcept {
expand(src, tgt, cls, def, obj, [this](auto s, auto t, auto c, auto d, auto o) {
if (o) {
print_rule("type_transition", s, t, c, d, o);
Expand All @@ -137,42 +137,42 @@ void sepolicy::type_transition(Str src, Str tgt, Str cls, Str def, Str obj) noex
});
}

void sepolicy::type_change(Str src, Str tgt, Str cls, Str def) noexcept {
void SePolicy::type_change(Str src, Str tgt, Str cls, Str def) noexcept {
expand(src, tgt, cls, def, [this](auto ...args) {
print_rule("type_change", args...);
impl->add_type_rule(args..., AVTAB_CHANGE);
});
}

void sepolicy::type_member(Str src, Str tgt, Str cls, Str def) noexcept {
void SePolicy::type_member(Str src, Str tgt, Str cls, Str def) noexcept {
expand(src, tgt, cls, def, [this](auto ...args) {
print_rule("type_member", args...);
impl->add_type_rule(args..., AVTAB_MEMBER);
});
}

void sepolicy::genfscon(Str fs_name, Str path, Str ctx) noexcept {
void SePolicy::genfscon(Str fs_name, Str path, Str ctx) noexcept {
expand(fs_name, path, ctx, [this](auto ...args) {
print_rule("genfscon", args...);
impl->add_genfscon(args...);
});
}

void sepolicy::allowxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
void SePolicy::allowxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
expand(src, tgt, cls, xperm, [this](auto ...args) {
print_rule("allowxperm", args...);
impl->add_xperm_rule(args..., AVTAB_XPERMS_ALLOWED);
});
}

void sepolicy::auditallowxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
void SePolicy::auditallowxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
expand(src, tgt, cls, xperm, [this](auto ...args) {
print_rule("auditallowxperm", args...);
impl->add_xperm_rule(args..., AVTAB_XPERMS_AUDITALLOW);
});
}

void sepolicy::dontauditxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
void SePolicy::dontauditxperm(StrVec src, StrVec tgt, StrVec cls, Xperms xperm) noexcept {
expand(src, tgt, cls, xperm, [this](auto ...args) {
print_rule("dontauditxperm", args...);
impl->add_xperm_rule(args..., AVTAB_XPERMS_DONTAUDIT);
Expand Down
1 change: 1 addition & 0 deletions native/src/sepolicy/include/sepolicy.hpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
#include <base.hpp>

#include "../policy-rs.hpp"

// sepolicy paths
#define PLAT_POLICY_DIR "/system/etc/selinux/"
#define VEND_POLICY_DIR "/vendor/etc/selinux/"
Expand Down
106 changes: 44 additions & 62 deletions native/src/sepolicy/lib.rs
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,14 @@
#![feature(format_args_nl)]
#![feature(try_blocks)]

use std::fmt::Write;
use std::io::{BufRead, BufReader, Cursor};
use cxx::CxxString;
pub use base;
use base::libc::{O_CLOEXEC, O_RDONLY};
use base::{BufReadExt, FsPath, LoggedResult, Utf8CStr};
use cxx::CxxString;
use std::fmt::Write;
use std::io::{BufRead, BufReader, Cursor};

use crate::ffi::sepolicy;
use crate::ffi::SePolicy;

mod rules;
mod statement;
Expand All @@ -21,7 +21,7 @@ pub mod ffi {
reset: bool,
}

pub struct sepolicy {
struct SePolicy {
#[cxx_name = "impl"]
_impl: UniquePtr<sepol_impl>,
}
Expand All @@ -36,88 +36,70 @@ pub mod ffi {

type sepol_impl;

fn allow(self: &mut sepolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn deny(self: &mut sepolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn auditallow(
self: &mut sepolicy,
s: Vec<&str>,
t: Vec<&str>,
c: Vec<&str>,
p: Vec<&str>,
);
fn dontaudit(
self: &mut sepolicy,
s: Vec<&str>,
t: Vec<&str>,
c: Vec<&str>,
p: Vec<&str>,
);
fn allowxperm(
self: &mut sepolicy,
s: Vec<&str>,
t: Vec<&str>,
c: Vec<&str>,
p: Vec<Xperm>,
);
fn allow(self: &mut SePolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn deny(self: &mut SePolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn auditallow(self: &mut SePolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn dontaudit(self: &mut SePolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<&str>);
fn allowxperm(self: &mut SePolicy, s: Vec<&str>, t: Vec<&str>, c: Vec<&str>, p: Vec<Xperm>);
fn auditallowxperm(
self: &mut sepolicy,
self: &mut SePolicy,
s: Vec<&str>,
t: Vec<&str>,
c: Vec<&str>,
p: Vec<Xperm>,
);
fn dontauditxperm(
self: &mut sepolicy,
self: &mut SePolicy,
s: Vec<&str>,
t: Vec<&str>,
c: Vec<&str>,
p: Vec<Xperm>,
);
fn permissive(self: &mut sepolicy, t: Vec<&str>);
fn enforce(self: &mut sepolicy, t: Vec<&str>);
fn typeattribute(self: &mut sepolicy, t: Vec<&str>, a: Vec<&str>);
fn permissive(self: &mut SePolicy, t: Vec<&str>);
fn enforce(self: &mut SePolicy, t: Vec<&str>);
fn typeattribute(self: &mut SePolicy, t: Vec<&str>, a: Vec<&str>);
#[cxx_name = "type"]
fn type_(self: &mut sepolicy, t: &str, a: Vec<&str>);
fn attribute(self: &mut sepolicy, t: &str);
fn type_transition(self: &mut sepolicy, s: &str, t: &str, c: &str, d: &str, o: &str);
fn type_change(self: &mut sepolicy, s: &str, t: &str, c: &str, d: &str);
fn type_member(self: &mut sepolicy, s: &str, t: &str, c: &str, d: &str);
fn genfscon(self: &mut sepolicy, s: &str, t: &str, c: &str);
fn type_(self: &mut SePolicy, t: &str, a: Vec<&str>);
fn attribute(self: &mut SePolicy, t: &str);
fn type_transition(self: &mut SePolicy, s: &str, t: &str, c: &str, d: &str, o: &str);
fn type_change(self: &mut SePolicy, s: &str, t: &str, c: &str, d: &str);
fn type_member(self: &mut SePolicy, s: &str, t: &str, c: &str, d: &str);
fn genfscon(self: &mut SePolicy, s: &str, t: &str, c: &str);
#[allow(dead_code)]
fn strip_dontaudit(self: &mut sepolicy);

fn print_rules(self: &sepolicy);
fn to_file(self: &sepolicy, file: Utf8CStrRef) -> bool;

#[Self = sepolicy]
fn from_file(file: Utf8CStrRef) -> UniquePtr<sepolicy>;
#[Self = sepolicy]
fn from_split() -> UniquePtr<sepolicy>;
#[Self = sepolicy]
fn compile_split() -> UniquePtr<sepolicy>;
#[Self = sepolicy]
unsafe fn from_data(data: *mut c_char, len: usize) -> UniquePtr<sepolicy>;
fn strip_dontaudit(self: &mut SePolicy);

fn print_rules(self: &SePolicy);
fn to_file(self: &SePolicy, file: Utf8CStrRef) -> bool;

#[Self = SePolicy]
fn from_file(file: Utf8CStrRef) -> SePolicy;
#[Self = SePolicy]
fn from_split() -> SePolicy;
#[Self = SePolicy]
fn compile_split() -> SePolicy;
#[Self = SePolicy]
unsafe fn from_data(data: *mut c_char, len: usize) -> SePolicy;
}

extern "Rust" {
fn parse_statement(self: &mut sepolicy, statement: Utf8CStrRef);
fn magisk_rules(self: &mut sepolicy);
fn load_rule_file(self: &mut sepolicy, filename: Utf8CStrRef);
fn load_rules(self: &mut sepolicy, rules: &CxxString);
#[Self = sepolicy]
fn parse_statement(self: &mut SePolicy, statement: Utf8CStrRef);
fn magisk_rules(self: &mut SePolicy);
fn load_rule_file(self: &mut SePolicy, filename: Utf8CStrRef);
fn load_rules(self: &mut SePolicy, rules: &CxxString);
#[Self = SePolicy]
fn xperm_to_string(perm: &Xperm) -> String;
#[Self = sepolicy]
#[Self = SePolicy]
fn print_statement_help();
}
}

impl sepolicy {
fn load_rules(self: &mut sepolicy, rules: &CxxString) {
impl SePolicy {
fn load_rules(self: &mut SePolicy, rules: &CxxString) {
let mut cursor = Cursor::new(rules.as_bytes());
self.load_rules_from_reader(&mut cursor);
}

pub fn load_rule_file(self: &mut sepolicy, filename: &Utf8CStr) {
pub fn load_rule_file(self: &mut SePolicy, filename: &Utf8CStr) {
let result: LoggedResult<()> = try {
let file = FsPath::from(filename).open(O_RDONLY | O_CLOEXEC)?;
let mut reader = BufReader::new(file);
Expand All @@ -126,7 +108,7 @@ impl sepolicy {
result.ok();
}

fn load_rules_from_reader<T: BufRead>(self: &mut sepolicy, reader: &mut T) {
fn load_rules_from_reader<T: BufRead>(self: &mut SePolicy, reader: &mut T) {
reader.foreach_lines(|line| {
self.parse_statement(line);
true
Expand Down
Loading

0 comments on commit b7ca73f

Please # to comment.