Introduce SELinux labels for Xposed files#149
It is strange to still have AVC denial logs as follows:
To reproduce the previous case,
@Dev4Mod I notify you about this bug since your module is taken as an example. However, this happens for any module using XSharedPreferences.
The issue is on userdebug ROMs: su is appdomain, so the tmpfs it creates is appdomain_tmpfs too. So this should be fixed in Zygisk, not LSPosed.
Okay, that is reasonable. It is strange that on users' phones, without LSPosed, NeoZygisk without this rule can still work without problems.
Confirmed from logs that you are correct; this rule must be added from the Zygisk side. Thanks for pointing it out!
I think it is because app_data_file has mlstrustedsubject constraints, and you cannot simply allow it here without relaxing it:
https://developer.android.com/about/versions/pie/android-9.0-changes-28?hl=zh-cn#per-app-selinux
https://cs.android.com/android/platform/superproject/main/+/main:system/sepolicy/private/app.te;l=247?q=app.te&ss=android%2Fplatform%2Fsuperproject%2Fmain
1. The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We replace it by `xposed_file`.
2. A new rule is added according to the SELinux logs; it is needed to write to the manager's SharedPreferences.
3. `xposed_data` is a new SELinux context label for XSharedPreferences files. It is not meant to provide MAC-restricted access but to conform with Android's rule: https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux.
4. We add the attribute `mlstrustedobject` to ignore the `Multi-Level and Multi-Category Security` enforced on Android.
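As an added illustration of the MLS point discussed above (this is not code from the PR or from LSPosed): a small Python triage helper that turns an AVC denial line into the allow rule audit2allow would emit and flags when the subject's and target's per-app categories differ, in which case a plain allow rule is not enough and the target type also needs `mlstrustedobject`. The sample log lines, the type and file names in them, and the simplified model of Android's MLS constraints are assumptions.

```python
import re

# Constructed sample AVC denials (the PR's own logs are not on the page); the
# contexts and file names are assumptions chosen to illustrate the two cases.
SAMPLE_AVC = [
    'avc: denied { write } for pid=1234 comm="example.module" name="prefs.xml" '
    'scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:xposed_data:s0 tclass=file permissive=0',
    'avc: denied { read } for pid=2345 comm="app_process64" name="libexample.so" '
    'scontext=u:r:zygote:s0 tcontext=u:object_r:appdomain_tmpfs:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Permissions treated as writes by the MLS constraints on file-like classes (assumed set).
WRITE_LIKE = {"write", "append", "setattr", "unlink", "link", "rename"}

def split_context(ctx):
    """'u:r:untrusted_app:s0:c512,c768' -> ('untrusted_app', frozenset({'c512', 'c768'}))."""
    parts = ctx.split(":")
    cats = frozenset(parts[4].split(",")) if len(parts) > 4 else frozenset()
    return parts[2], cats

def mls_blocks(perms, scats, tcats):
    """Simplified model of Android's mls constraints: reads need the subject's
    categories to include the target's (dominance); writes need identical sets.
    A type carrying mlstrustedobject (or a mlstrustedsubject domain) is exempt."""
    return any((p in WRITE_LIKE and scats != tcats) or
               (p not in WRITE_LIKE and not scats >= tcats) for p in perms)

def analyse_denial(line):
    """Return the allow rule for the denial plus an MLS hint when that rule alone
    would not clear it; None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, scats = split_context(m["scon"])
    ttype, tcats = split_context(m["tcon"])
    perms = m["perms"].split()
    result = {"rule": f"allow {stype} {ttype}:{m['tclass']} {{ {' '.join(perms)} }};",
              "mls_blocked": mls_blocks(perms, scats, tcats)}
    if result["mls_blocked"]:
        result["hint"] = (f"category mismatch {sorted(scats)} vs {sorted(tcats)}: "
                          f"also needs 'typeattribute {ttype} mlstrustedobject;'")
    return result

if __name__ == "__main__":
    for line in SAMPLE_AVC:
        print(analyse_denial(line))
```

The first sample is the XSharedPreferences case from the PR description: the app domain carries categories while the target does not, so only relaxing the MLS check on the target type clears the denial. The second is a plain type-enforcement denial where an allow rule suffices.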
It turns out that we should add attribute

The current rule still causes the problem of WebView crashing; we should thus also add
The SELinux context label `magisk_file` is widely used by Zygisk implementation modules. It is improper for LSPosed to abuse this label for its own files. We thus introduce two new labels, `xposed_file` and `xposed_module`. The first one will be used with strict MAC rules, while the second one is meant to be accessible for all application processes, including Xposed modules. The `xposed_module` label might be removed in the future since its function remains unclear.