
Commit 9e3768a

committed
fix(sepolicy): merge full policy into sepolicy.rule for Magisk compat
Previously only type declarations lived in sepolicy.rule while all allow/deny rules were in ksu_rules.txt. Magisk and APatch only read sepolicy.rule, so the daemon had zero permissions on those managers.
1 parent edad374 commit 9e3768a

1 file changed

Lines changed: 53 additions & 0 deletions


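--- a/module/sepolicy.rule
+++ b/module/sepolicy.rule
@@ -1,3 +1,56 @@
 type msd_daemon
 typeattribute msd_daemon domain
 typeattribute msd_daemon mlstrustedsubject
+
+allow msd_daemon msd_daemon process { fork sigchld sigkill sigstop signull signal getsched setsched }
+allow msd_daemon msd_daemon process { getsession getpgid setpgid getcap setcap getattr setrlimit }
+allow msd_daemon msd_daemon fd use
+allow msd_daemon msd_daemon fifo_file { read write ioctl lock append getattr setattr open }
+allow msd_daemon msd_daemon file { read write ioctl lock append getattr setattr open }
+allow msd_daemon msd_daemon dir { read getattr search open }
+allow msd_daemon msd_daemon lnk_file { read getattr open }
+allow msd_daemon msd_daemon unix_dgram_socket { create read write ioctl bind sendto connect }
+allow msd_daemon msd_daemon unix_dgram_socket { listen accept getopt setopt getattr setattr shutdown }
+allow msd_daemon msd_daemon unix_stream_socket { create read write ioctl bind listen accept connect }
+allow msd_daemon msd_daemon unix_stream_socket { sendto recvfrom getopt setopt getattr setattr shutdown }
+
+allow su msd_daemon process { transition rlimitinh siginh }
+allow init msd_daemon process { transition rlimitinh siginh }
+deny init msd_daemon process noatsecure
+allow msd_daemon system_file file { entrypoint execute map read }
+
+allow msd_daemon msd_daemon capability { chown setgid setuid }
+allow msd_daemon selinuxfs file { open read }
+
+allow msd_daemon hal_usb_gadget_impl dir search
+deny msd_daemon domain file read
+allow msd_daemon hal_usb_gadget_impl file read
+allow msd_daemon hal_usb_gadget_impl lnk_file read
+allow msd_daemon hal_usb_gadget_impl process { sigstop signal }
+
+allow msd_daemon configfs dir { add_name create open read remove_name rmdir search setattr write }
+allow msd_daemon configfs file { create getattr open read setattr write }
+allow msd_daemon configfs lnk_file { create read setattr unlink }
+
+allow msd_daemon storage_config_prop file { getattr map open read }
+allow msd_daemon usb_control_prop file { getattr map open read }
+
+allow msd_daemon mediaprovider fd use
+allow msd_daemon platform_app fd use
+allow msd_daemon mediaprovider_app fd use
+allow msd_daemon fuse file { getattr read open write }
+allow kernel msd_daemon fd use
+
+deny msd_daemon msd_daemon unix_stream_socket connectto
+allow untrusted_app msd_daemon unix_stream_socket connectto
+
+allow msd_daemon shell_data_file file { write append open getattr }
+allow msd_daemon shell_data_file dir { search write add_name }
+
+allow msd_daemon usb_configfs dir { add_name create open read remove_name rmdir search setattr write }
+allow msd_daemon usb_configfs file { create getattr open read setattr write }
+allow msd_daemon usb_configfs lnk_file { create read setattr unlink }
+allow msd_daemon sdcardfs file { getattr read open write }
+allow msd_daemon media_rw_data_file file { getattr read open write }
+allow msd_daemon vfat file { getattr read open write }
+allow msd_daemon exfat file { getattr read open write }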
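Review bot: New line 45 (`allow untrusted_app msd_daemon unix_stream_socket connectto`) lets every untrusted app reach the daemon's socket while line 22 gives that same domain `capability { chown setgid setuid }` and lines 31–33 and 50–52 let it rewrite the USB gadget configfs, so the policy itself no longer restricts who can drive a privileged daemon; that is only acceptable if the daemon verifies the peer (SO_PEERCRED uid/gid or the peer's SELinux context) before acting on a request, and that expectation should be recorded next to this rule, as a `#` comment if the rule parser accepts one or otherwise in the module README. Line 26 (`deny msd_daemon domain file read`) comes after line 9 grants `file read` on msd_daemon itself, and because msd_daemon carries the `domain` attribute the deny presumably strips that self permission as well — worth confirming on a Magisk-patched policy, or narrowing the deny to the types actually meant. Line 48 grants `dir { search write add_name }` on shell_data_file but line 47 grants no `file create`, so the add_name is either dead or a create permission is missing. Since this commit copies the rules out of ksu_rules.txt rather than moving them, the two files will drift unless one is generated from the other or the commit states which copy is authoritative.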
