Skip to content
This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Explanation about incorrect SELinux rules from third party ROMs cause Riru not working

Jump to bottom
Rikka edited this page May 27, 2021 · 10 revisions

English

The idea is from @vvb2060

There have been a lot of "Riru not work" reports that show some third-party ROMs have incorrect SELinux rules (allow init system_file:dir relabelfrom). This rule does not exist in AOSP. (See https://cs.android.com/android/platform/superproject/+/android-11.0.0_r1:system/sepolicy/public/init.te;l=199;bpv=1;bpt=0, AOSP explicitly disallow init to relabel system_file)

For Riru, this will make zygote not able to access necessary files from Magisk module folders since the folders are relabeled to adb_data_file but zygote is not allowed to access adb_data_file.

If there are other Magisk modules that do the same thing like Riru, let non-root processes read modules files directly, these modules will be broken as well.

If your ROM has such problems, our recommendation is:

  1. Report this problem to your ROM maintainers.
  2. Switch to other ROMs which does not have this problem, such as official LineageOS.

The reason we (@vvb2060) don't try to bypass this "problem" is we hope the whole third-party ROM community really pays attention to SELinux, not only have SELinux enforcing but also write correct rules.

Why this problem should not be "solved" by Riru

Riru (and other modules with the same behavior) require the context of /data/adb/modules and its subfolders to be system_file. It's unreasonable that a module needs to modify the /data/adb/modules folder that managed by Magisk.

Chinese

这都是 @vvb2060 的主意

大量的“Riru 无法正常工作”报告表明,某些第三方 ROM 具有不正确的 SELinux 规则(allow init system_file:dir relabelfrom)。此规则在 AOSP 中不存在。(参见 https://cs.android.com/android/platform/superproject/+/android-11.0.0_r1:system/sepolicy/public/init.te;l=199;bpv=1;bpt=0,AOSP 显式地禁止 init relabel system_file)

对于 Riru 来说,这将使 zygote 无法访问 Magisk 模块文件夹中的必要文件,因为文件夹被重新标记为 adb_data_file,而 zygote 不被允许访问 adb_data_file。如果有其他 Magisk 模块做和 Riru 类似的事情,即让非 root 进程直接读取模块文件,那些模块也会损坏。

如果您的 ROM 有此类问题,我们建议:

  1. 向你的 ROM 的维护人员回报这个问题。
  2. 切换到其他无此问题的 ROM,例如官方 LineageOS。

我们(@vvb2060)不尝试绕过此“问题”的原因是我们希望整个第三方 ROM 社区真正关注 SELinux,不只是要保证 SELinux 强制执行,还要编写正确的规则。

为什么此问题不应该由 Riru “解决”

Riru(及其他有相同行为的模块)要求 /data/adb/modules 及其子文件夹的 context 为 system_file。让某个模块修改由 Magisk 管理的 /data/adb/modules 文件夹显然不合理。

Clone this wiki locally