├── .gitattributes ├── .gitignore ├── META-INF └── com │ └── google │ └── android │ ├── update-binary │ └── updater-script ├── arm ├── magiskboot ├── magiskpolicy └── magiskpolicy64 ├── chromeos ├── futility ├── kernel.keyblock └── kernel_data_key.vbprivk ├── common ├── boot_patch.sh └── util_functions.sh ├── install.sh ├── policies.example.txt └── x86 ├── magiskboot ├── magiskpolicy └── magiskpolicy64 /.gitattributes: -------------------------------------------------------------------------------- 1 | # Declare files that will always have LF line endings on checkout. 2 | META-INF/** text eol=lf 3 | *.prop text eol=lf 4 | *.sh text eol=lf 5 | *.md text eol=lf 6 | 7 | # Denote all files that are truly binary and should not be modified. 8 | arm/** binary 9 | chromeos/** binary 10 | x86/** binary -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /policies.txt 2 | /*.zip -------------------------------------------------------------------------------- /META-INF/com/google/android/update-binary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/META-INF/com/google/android/update-binary -------------------------------------------------------------------------------- /META-INF/com/google/android/updater-script: -------------------------------------------------------------------------------- 1 | #MAGISK 2 | ########################################################################################## 3 | # 4 | # Magisk Flash Script 5 | # by topjohnwu 6 | # 7 | # This script will detect, construct the environment for Magisk 8 | # It will then call boot_patch.sh to patch the boot image 9 | # 10 | ########################################################################################## 11 | 12 | ########################################################################################## 13 | # Preparation 14 | ########################################################################################## 15 | 16 | COMMONDIR=$INSTALLER/common 17 | CHROMEDIR=$INSTALLER/chromeos 18 | 19 | # Default permissions 20 | umask 022 21 | 22 | OUTFD=$2 23 | ZIP=$3 24 | 25 | if [ ! -f $COMMONDIR/util_functions.sh ]; then 26 | echo "! Unable to extract zip file!" 27 | exit 1 28 | fi 29 | 30 | # Load utility fuctions 31 | . $COMMONDIR/util_functions.sh 32 | 33 | setup_flashable 34 | 35 | ########################################################################################## 36 | # Detection 37 | ########################################################################################## 38 | 39 | ui_print "*****************************************" 40 | ui_print "* Magisk Custom SELinux Policy Installer " 41 | ui_print "*****************************************" 42 | 43 | is_mounted /data || mount /data || is_mounted /cache || mount /cache || is_mounted /system || mount /system 44 | mount_partitions 45 | check_data 46 | get_flags 47 | find_boot_image 48 | 49 | [ -z $BOOTIMAGE ] && abort "! Unable to detect target image" 50 | ui_print "- Target image: $BOOTIMAGE" 51 | 52 | # Detect version and architecture 53 | api_level_arch_detect 54 | 55 | ui_print "- Device platform: $ARCH" 56 | 57 | BINDIR=$INSTALLER/$ARCH32 58 | chmod -R 755 $CHROMEDIR $BINDIR 59 | 60 | ########################################################################################## 61 | # Environment 62 | ########################################################################################## 63 | 64 | ui_print "- Constructing environment" 65 | 66 | # Copy required files 67 | mv $BINDIR/* $COMMONDIR/* $CHROMEDIR $BBDIR/busybox $INSTALLER/ 68 | chmod -R 755 $INSTALLER 69 | 70 | $BOOTMODE || recovery_actions 71 | 72 | ########################################################################################## 73 | # Boot patching 74 | ########################################################################################## 75 | 76 | eval $BOOTSIGNER -verify < $BOOTIMAGE && BOOTSIGNED=true 77 | $BOOTSIGNED && ui_print "- Boot image is signed with AVB 1.0" 78 | 79 | SOURCEDMODE=true 80 | cd $INSTALLER 81 | 82 | $IS64BIT && mv -f magiskpolicy64 magiskpolicy || rm -f magiskpolicy64 83 | 84 | [ ! -f ./install.sh ] && abort "! Missing install.sh!" 85 | . ./install.sh 86 | print_modname 87 | 88 | # Source the boot patcher 89 | . ./boot_patch.sh "$BOOTIMAGE" 90 | 91 | ui_print "- Flashing new boot image" 92 | 93 | if ! flash_image new-boot.img "$BOOTIMAGE"; then 94 | ui_print "- Compressing ramdisk to fit in partition" 95 | ./magiskboot cpio ramdisk.cpio compress 96 | ./magiskboot repack "$BOOTIMAGE" 97 | flash_image new-boot.img "$BOOTIMAGE" || abort "! Insufficient partition size" 98 | fi 99 | 100 | ./magiskboot cleanup 101 | rm -f new-boot.img 102 | 103 | cd / 104 | # Cleanups 105 | $BOOTMODE || recovery_cleanup 106 | rm -rf $TMPDIR 107 | 108 | ui_print "- Done" 109 | exit 0 110 | -------------------------------------------------------------------------------- /arm/magiskboot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/arm/magiskboot -------------------------------------------------------------------------------- /arm/magiskpolicy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/arm/magiskpolicy -------------------------------------------------------------------------------- /arm/magiskpolicy64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/arm/magiskpolicy64 -------------------------------------------------------------------------------- /chromeos/futility: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/chromeos/futility -------------------------------------------------------------------------------- /chromeos/kernel.keyblock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/chromeos/kernel.keyblock -------------------------------------------------------------------------------- /chromeos/kernel_data_key.vbprivk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/chromeos/kernel_data_key.vbprivk -------------------------------------------------------------------------------- /common/boot_patch.sh: -------------------------------------------------------------------------------- 1 | #!/system/bin/sh 2 | ########################################################################################## 3 | # Functions 4 | ########################################################################################## 5 | 6 | # Pure bash dirname implementation 7 | getdir() { 8 | case "$1" in 9 | */*) dir=${1%/*}; [ -z $dir ] && echo "/" || echo $dir ;; 10 | *) echo "." ;; 11 | esac 12 | } 13 | 14 | ########################################################################################## 15 | # Initialization 16 | ########################################################################################## 17 | 18 | if [ -z $SOURCEDMODE ]; then 19 | # Switch to the location of the script file 20 | cd "`getdir "${BASH_SOURCE:-$0}"`" 21 | # Load utility functions 22 | . ./util_functions.sh 23 | fi 24 | 25 | BOOTIMAGE="$1" 26 | [ -e "$BOOTIMAGE" ] || abort "$BOOTIMAGE does not exist!" 27 | 28 | chmod -R 755 . 29 | 30 | ########################################################################################## 31 | # Unpack 32 | ########################################################################################## 33 | 34 | CHROMEOS=false 35 | 36 | ui_print "- Unpacking boot image" 37 | ./magiskboot unpack "$BOOTIMAGE" 38 | 39 | case $? in 40 | 1 ) 41 | abort "! Unsupported/Unknown image format" 42 | ;; 43 | 2 ) 44 | ui_print "- ChromeOS boot image detected" 45 | CHROMEOS=true 46 | ;; 47 | esac 48 | 49 | ########################################################################################## 50 | # Ramdisk restores 51 | ########################################################################################## 52 | 53 | # Test patch status and do restore 54 | ui_print "- Checking ramdisk status" 55 | if [ -e ramdisk.cpio ]; then 56 | ./magiskboot cpio ramdisk.cpio test 57 | STATUS=$? 58 | else 59 | # Stock A only system-as-root 60 | STATUS=0 61 | fi 62 | case $((STATUS & 3)) in 63 | 0 ) # Stock boot 64 | ui_print "- Stock boot image detected" 65 | abort "! Please install Magisk first" 66 | ;; 67 | 1 ) # Magisk patched 68 | ui_print "- Magisk patched boot image detected" 69 | ./magiskboot cpio ramdisk.cpio "exists sepolicy_custom" 70 | if [ $? -eq 0 ]; then 71 | ui_print "- Patch from existing sepolicy_custom" 72 | ./magiskboot cpio ramdisk.cpio "extract sepolicy_custom ./sepolicy_custom" 73 | else 74 | if [ -f /system/etc/selinux/plat_sepolicy.cil ]; then 75 | ui_print "- Creating new sepolicy_custom from split cil policies" 76 | ./magiskpolicy --load-split --save ./sepolicy_custom 77 | else 78 | ./magiskboot cpio ramdisk.cpio "exists sepolicy" 79 | if [ $? -eq 0 ]; then 80 | ui_print "- Extracting sepolicy" 81 | ./magiskboot cpio ramdisk.cpio "extract sepolicy sepolicy_custom" 82 | fi 83 | fi 84 | fi 85 | ;; 86 | 2 ) # Unsupported 87 | ui_print "! Boot image patched by unsupported programs" 88 | abort "! Please restore back to stock boot image and install Magisk" 89 | ;; 90 | esac 91 | 92 | ########################################################################################## 93 | # Ramdisk patches 94 | ########################################################################################## 95 | 96 | [ -f ./sepolicy_custom ] || abort "! Failed to create sepolicy_custom" 97 | 98 | ui_print "- Patching ramdisk" 99 | 100 | patch_policy 101 | 102 | ./magiskboot cpio ramdisk.cpio \ 103 | "add 644 sepolicy_custom sepolicy_custom" 104 | 105 | if [ $((STATUS & 4)) -ne 0 ]; then 106 | ui_print "- Compressing ramdisk" 107 | ./magiskboot --cpio ramdisk.cpio compress 108 | fi 109 | 110 | rm -f sepolicy_custom 111 | 112 | ########################################################################################## 113 | # Repack and flash 114 | ########################################################################################## 115 | 116 | ui_print "- Repacking boot image" 117 | ./magiskboot repack "$BOOTIMAGE" || abort "! Unable to repack boot image!" 118 | 119 | # Sign chromeos boot 120 | $CHROMEOS && sign_chromeos 121 | 122 | # Reset any error code 123 | true 124 | -------------------------------------------------------------------------------- /common/util_functions.sh: -------------------------------------------------------------------------------- 1 | ######################################### 2 | # 3 | # Magisk General Utility Functions 4 | # by topjohnwu 5 | # 6 | ######################################### 7 | 8 | ########## 9 | # Presets 10 | ########## 11 | 12 | MAGISK_VER="19.4-a92e039" 13 | MAGISK_VER_CODE=19400 14 | 15 | # Detect whether in boot mode 16 | [ -z $BOOTMODE ] && BOOTMODE=false 17 | $BOOTMODE || ps | grep zygote | grep -qv grep && BOOTMODE=true 18 | $BOOTMODE || ps -A 2>/dev/null | grep zygote | grep -qv grep && BOOTMODE=true 19 | 20 | # Presets 21 | MAGISKTMP=/sbin/.magisk 22 | NVBASE=/data/adb 23 | [ -z $TMPDIR ] && TMPDIR=/dev/tmp 24 | 25 | # Bootsigner related stuff 26 | BOOTSIGNERCLASS=a.a 27 | BOOTSIGNER="/system/bin/dalvikvm -Xnodex2oat -Xnoimage-dex2oat -cp \$APK \$BOOTSIGNERCLASS" 28 | BOOTSIGNED=false 29 | 30 | ################### 31 | # Helper Functions 32 | ################### 33 | 34 | ui_print() { 35 | $BOOTMODE && echo "$1" || echo -e "ui_print $1\nui_print" >> /proc/self/fd/$OUTFD 36 | } 37 | 38 | toupper() { 39 | echo "$@" | tr '[:lower:]' '[:upper:]' 40 | } 41 | 42 | grep_cmdline() { 43 | local REGEX="s/^$1=//p" 44 | cat /proc/cmdline | tr '[:space:]' '\n' | sed -n "$REGEX" 2>/dev/null 45 | } 46 | 47 | grep_prop() { 48 | local REGEX="s/^$1=//p" 49 | shift 50 | local FILES=$@ 51 | [ -z "$FILES" ] && FILES='/system/build.prop' 52 | sed -n "$REGEX" $FILES 2>/dev/null | head -n 1 53 | } 54 | 55 | getvar() { 56 | local VARNAME=$1 57 | local VALUE= 58 | VALUE=`grep_prop $VARNAME /sbin/.magisk/config /data/.magisk /cache/.magisk` 59 | [ ! -z $VALUE ] && eval $VARNAME=\$VALUE 60 | } 61 | 62 | is_mounted() { 63 | grep -q " `readlink -f $1` " /proc/mounts 2>/dev/null 64 | return $? 65 | } 66 | 67 | abort() { 68 | ui_print "$1" 69 | $BOOTMODE || recovery_cleanup 70 | exit 1 71 | } 72 | 73 | resolve_vars() { 74 | MAGISKBIN=$NVBASE/magisk 75 | POSTFSDATAD=$NVBASE/post-fs-data.d 76 | SERVICED=$NVBASE/service.d 77 | } 78 | 79 | ###################### 80 | # Environment Related 81 | ###################### 82 | 83 | setup_flashable() { 84 | # Preserve environment varibles 85 | OLD_PATH=$PATH 86 | ensure_bb 87 | $BOOTMODE && return 88 | if [ -z $OUTFD ] || readlink /proc/$$/fd/$OUTFD | grep -q /tmp; then 89 | # We will have to manually find out OUTFD 90 | for FD in `ls /proc/$$/fd`; do 91 | if readlink /proc/$$/fd/$FD | grep -q pipe; then 92 | if ps | grep -v grep | grep -q " 3 $FD "; then 93 | OUTFD=$FD 94 | break 95 | fi 96 | fi 97 | done 98 | fi 99 | } 100 | 101 | ensure_bb() { 102 | if [ -x $MAGISKTMP/busybox/busybox ]; then 103 | [ -z $BBDIR ] && BBDIR=$MAGISKTMP/busybox 104 | elif [ -x $TMPDIR/bin/busybox ]; then 105 | [ -z $BBDIR ] && BBDIR=$TMPDIR/bin 106 | else 107 | # Construct the PATH 108 | [ -z $BBDIR ] && BBDIR=$TMPDIR/bin 109 | mkdir -p $BBDIR 110 | ln -s $MAGISKBIN/busybox $BBDIR/busybox 111 | $MAGISKBIN/busybox --install -s $BBDIR 112 | fi 113 | echo $PATH | grep -q "^$BBDIR" || export PATH=$BBDIR:$PATH 114 | } 115 | 116 | recovery_actions() { 117 | # Make sure random don't get blocked 118 | mount -o bind /dev/urandom /dev/random 119 | # Unset library paths 120 | OLD_LD_LIB=$LD_LIBRARY_PATH 121 | OLD_LD_PRE=$LD_PRELOAD 122 | OLD_LD_CFG=$LD_CONFIG_FILE 123 | unset LD_LIBRARY_PATH 124 | unset LD_PRELOAD 125 | unset LD_CONFIG_FILE 126 | # Force our own busybox path to be in the front 127 | # and do not use anything in recovery's sbin 128 | export PATH=$BBDIR:/system/bin:/vendor/bin 129 | } 130 | 131 | recovery_cleanup() { 132 | export PATH=$OLD_PATH 133 | [ -z $OLD_LD_LIB ] || export LD_LIBRARY_PATH=$OLD_LD_LIB 134 | [ -z $OLD_LD_PRE ] || export LD_PRELOAD=$OLD_LD_PRE 135 | [ -z $OLD_LD_CFG ] || export LD_CONFIG_FILE=$OLD_LD_CFG 136 | ui_print "- Unmounting partitions" 137 | umount -l /system_root 2>/dev/null 138 | umount -l /system 2>/dev/null 139 | umount -l /vendor 2>/dev/null 140 | umount -l /dev/random 2>/dev/null 141 | } 142 | 143 | ####################### 144 | # Installation Related 145 | ####################### 146 | 147 | find_block() { 148 | for BLOCK in "$@"; do 149 | DEVICE=`find /dev/block -type l -iname $BLOCK | head -n 1` 2>/dev/null 150 | if [ ! -z $DEVICE ]; then 151 | readlink -f $DEVICE 152 | return 0 153 | fi 154 | done 155 | # Fallback by parsing sysfs uevents 156 | for uevent in /sys/dev/block/*/uevent; do 157 | local DEVNAME=`grep_prop DEVNAME $uevent` 158 | local PARTNAME=`grep_prop PARTNAME $uevent` 159 | for BLOCK in "$@"; do 160 | if [ "`toupper $BLOCK`" = "`toupper $PARTNAME`" ]; then 161 | echo /dev/block/$DEVNAME 162 | return 0 163 | fi 164 | done 165 | done 166 | return 1 167 | } 168 | 169 | mount_part() { 170 | $BOOTMODE && return 171 | local PART=$1 172 | local POINT=/${PART} 173 | [ -L $POINT ] && rm -f $POINT 174 | mkdir $POINT 2>/dev/null 175 | is_mounted $POINT && return 176 | ui_print "- Mounting $PART" 177 | mount -o ro $POINT 2>/dev/null 178 | if ! is_mounted $POINT; then 179 | local BLOCK=`find_block $PART$SLOT` 180 | mount -o ro $BLOCK $POINT 181 | fi 182 | is_mounted $POINT || abort "! Cannot mount $POINT" 183 | } 184 | 185 | mount_partitions() { 186 | # Check A/B slot 187 | SLOT=`grep_cmdline androidboot.slot_suffix` 188 | if [ -z $SLOT ]; then 189 | SLOT=`grep_cmdline androidboot.slot` 190 | [ -z $SLOT ] || SLOT=_${SLOT} 191 | fi 192 | [ -z $SLOT ] || ui_print "- Current boot slot: $SLOT" 193 | 194 | mount_part system 195 | if [ -f /system/init.rc ]; then 196 | SYSTEM_ROOT=true 197 | [ -L /system_root ] && rm -f /system_root 198 | mkdir /system_root 2>/dev/null 199 | mount --move /system /system_root 200 | mount -o bind /system_root/system /system 201 | else 202 | grep ' / ' /proc/mounts | grep -qv 'rootfs' || grep -q ' /system_root ' /proc/mounts \ 203 | && SYSTEM_ROOT=true || SYSTEM_ROOT=false 204 | fi 205 | [ -L /system/vendor ] && mount_part vendor 206 | $SYSTEM_ROOT && ui_print "- Device is system-as-root" 207 | } 208 | 209 | get_flags() { 210 | # override variables 211 | getvar KEEPVERITY 212 | getvar KEEPFORCEENCRYPT 213 | getvar RECOVERYMODE 214 | if [ -z $KEEPVERITY ]; then 215 | if $SYSTEM_ROOT; then 216 | KEEPVERITY=true 217 | ui_print "- System-as-root, keep dm/avb-verity" 218 | else 219 | KEEPVERITY=false 220 | fi 221 | fi 222 | if [ -z $KEEPFORCEENCRYPT ]; then 223 | grep ' /data ' /proc/mounts | grep -q 'dm-' && FDE=true || FDE=false 224 | [ -d /data/unencrypted ] && FBE=true || FBE=false 225 | # No data access means unable to decrypt in recovery 226 | if $FDE || $FBE || ! $DATA; then 227 | KEEPFORCEENCRYPT=true 228 | ui_print "- Encrypted data, keep forceencrypt" 229 | else 230 | KEEPFORCEENCRYPT=false 231 | fi 232 | fi 233 | [ -z $RECOVERYMODE ] && RECOVERYMODE=false 234 | } 235 | 236 | find_boot_image() { 237 | BOOTIMAGE= 238 | if $RECOVERYMODE; then 239 | BOOTIMAGE=`find_block recovery_ramdisk$SLOT recovery` 240 | elif [ ! -z $SLOT ]; then 241 | BOOTIMAGE=`find_block ramdisk$SLOT recovery_ramdisk$SLOT boot$SLOT` 242 | else 243 | BOOTIMAGE=`find_block ramdisk recovery_ramdisk kern-a android_boot kernel boot lnx bootimg boot_a` 244 | fi 245 | if [ -z $BOOTIMAGE ]; then 246 | # Lets see what fstabs tells me 247 | BOOTIMAGE=`grep -v '#' /etc/*fstab* | grep -E '/boot[^a-zA-Z]' | grep -oE '/dev/[a-zA-Z0-9_./-]*' | head -n 1` 248 | fi 249 | } 250 | 251 | flash_image() { 252 | # Make sure all blocks are writable 253 | $MAGISKBIN/magisk --unlock-blocks 2>/dev/null 254 | case "$1" in 255 | *.gz) CMD1="$MAGISKBIN/magiskboot decompress '$1' - 2>/dev/null";; 256 | *) CMD1="cat '$1'";; 257 | esac 258 | if $BOOTSIGNED; then 259 | CMD2="$BOOTSIGNER -sign" 260 | ui_print "- Sign image with test keys" 261 | else 262 | CMD2="cat -" 263 | fi 264 | if [ -b "$2" ]; then 265 | local img_sz=`stat -c '%s' "$1"` 266 | local blk_sz=`blockdev --getsize64 "$2"` 267 | [ $img_sz -gt $blk_sz ] && return 1 268 | eval $CMD1 | eval $CMD2 | cat - /dev/zero > "$2" 2>/dev/null 269 | else 270 | ui_print "- Not block device, storing image" 271 | eval $CMD1 | eval $CMD2 > "$2" 2>/dev/null 272 | fi 273 | return 0 274 | } 275 | 276 | find_dtbo_image() { 277 | DTBOIMAGE=`find_block dtbo$SLOT` 278 | } 279 | 280 | patch_dtbo_image() { 281 | find_dtbo_image 282 | if [ ! -z $DTBOIMAGE ]; then 283 | ui_print "- DTBO image: $DTBOIMAGE" 284 | if $MAGISKBIN/magiskboot --dtb-test $DTBOIMAGE; then 285 | ui_print "- Backing up stock DTBO image" 286 | $MAGISKBIN/magiskboot --compress $DTBOIMAGE $MAGISKBIN/stock_dtbo.img.gz 287 | ui_print "- Patching DTBO to remove avb-verity" 288 | $MAGISKBIN/magiskboot --dtb-patch $DTBOIMAGE 289 | return 0 290 | fi 291 | fi 292 | return 1 293 | } 294 | 295 | sign_chromeos() { 296 | ui_print "- Signing ChromeOS boot image" 297 | 298 | echo > empty 299 | ./chromeos/futility vbutil_kernel --pack new-boot.img.signed \ 300 | --keyblock ./chromeos/kernel.keyblock --signprivate ./chromeos/kernel_data_key.vbprivk \ 301 | --version 1 --vmlinuz new-boot.img --config empty --arch arm --bootloader empty --flags 0x1 302 | 303 | rm -f empty new-boot.img 304 | mv new-boot.img.signed new-boot.img 305 | } 306 | 307 | remove_system_su() { 308 | if [ -f /system/bin/su -o -f /system/xbin/su ] && [ ! -f /su/bin/su ]; then 309 | ui_print "- Removing system installed root" 310 | mount -o rw,remount /system 311 | # SuperSU 312 | if [ -e /system/bin/.ext/.su ]; then 313 | mv -f /system/bin/app_process32_original /system/bin/app_process32 2>/dev/null 314 | mv -f /system/bin/app_process64_original /system/bin/app_process64 2>/dev/null 315 | mv -f /system/bin/install-recovery_original.sh /system/bin/install-recovery.sh 2>/dev/null 316 | cd /system/bin 317 | if [ -e app_process64 ]; then 318 | ln -sf app_process64 app_process 319 | elif [ -e app_process32 ]; then 320 | ln -sf app_process32 app_process 321 | fi 322 | fi 323 | rm -rf /system/.pin /system/bin/.ext /system/etc/.installed_su_daemon /system/etc/.has_su_daemon \ 324 | /system/xbin/daemonsu /system/xbin/su /system/xbin/sugote /system/xbin/sugote-mksh /system/xbin/supolicy \ 325 | /system/bin/app_process_init /system/bin/su /cache/su /system/lib/libsupol.so /system/lib64/libsupol.so \ 326 | /system/su.d /system/etc/install-recovery.sh /system/etc/init.d/99SuperSUDaemon /cache/install-recovery.sh \ 327 | /system/.supersu /cache/.supersu /data/.supersu \ 328 | /system/app/Superuser.apk /system/app/SuperSU /cache/Superuser.apk 2>/dev/null 329 | fi 330 | } 331 | 332 | api_level_arch_detect() { 333 | API=`grep_prop ro.build.version.sdk` 334 | ABI=`grep_prop ro.product.cpu.abi | cut -c-3` 335 | ABI2=`grep_prop ro.product.cpu.abi2 | cut -c-3` 336 | ABILONG=`grep_prop ro.product.cpu.abi` 337 | 338 | ARCH=arm 339 | ARCH32=arm 340 | IS64BIT=false 341 | if [ "$ABI" = "x86" ]; then ARCH=x86; ARCH32=x86; fi; 342 | if [ "$ABI2" = "x86" ]; then ARCH=x86; ARCH32=x86; fi; 343 | if [ "$ABILONG" = "arm64-v8a" ]; then ARCH=arm64; ARCH32=arm; IS64BIT=true; fi; 344 | if [ "$ABILONG" = "x86_64" ]; then ARCH=x64; ARCH32=x86; IS64BIT=true; fi; 345 | } 346 | 347 | check_data() { 348 | DATA=false 349 | DATA_DE=false 350 | if grep ' /data ' /proc/mounts | grep -vq 'tmpfs'; then 351 | # Test if data is writable 352 | touch /data/.rw && rm /data/.rw && DATA=true 353 | # Test if DE storage is writable 354 | $DATA && [ -d /data/adb ] && touch /data/adb/.rw && rm /data/adb/.rw && DATA_DE=true 355 | fi 356 | $DATA && NVBASE=/data || NVBASE=/cache/data_adb 357 | $DATA_DE && NVBASE=/data/adb 358 | resolve_vars 359 | } 360 | 361 | find_manager_apk() { 362 | APK=/data/adb/magisk.apk 363 | [ -f $APK ] || APK=/data/magisk/magisk.apk 364 | [ -f $APK ] || APK=/data/app/com.topjohnwu.magisk*/*.apk 365 | if [ ! -f $APK ]; then 366 | DBAPK=`magisk --sqlite "SELECT value FROM strings WHERE key='requester'" | cut -d= -f2` 367 | [ -z "$DBAPK" ] || APK=/data/app/$DBAPK*/*.apk 368 | fi 369 | } 370 | 371 | ################# 372 | # Module Related 373 | ################# 374 | 375 | set_perm() { 376 | chown $2:$3 $1 || return 1 377 | chmod $4 $1 || return 1 378 | CON=$5 379 | [ -z $CON ] && CON=u:object_r:system_file:s0 380 | chcon $CON $1 || return 1 381 | } 382 | 383 | set_perm_recursive() { 384 | find $1 -type d 2>/dev/null | while read dir; do 385 | set_perm $dir $2 $3 $4 $6 386 | done 387 | find $1 -type f -o -type l 2>/dev/null | while read file; do 388 | set_perm $file $2 $3 $5 $6 389 | done 390 | } 391 | 392 | mktouch() { 393 | mkdir -p ${1%/*} 2>/dev/null 394 | [ -z $2 ] && touch $1 || echo $2 > $1 395 | chmod 644 $1 396 | } 397 | 398 | request_size_check() { 399 | reqSizeM=`du -ms "$1" | cut -f1` 400 | } 401 | 402 | request_zip_size_check() { 403 | reqSizeM=`unzip -l "$1" | tail -n 1 | awk '{ print int(($1 - 1) / 1048576 + 1) }'` 404 | } 405 | 406 | ################################## 407 | # Backwards Compatibile Functions 408 | ################################## 409 | 410 | get_outfd() { setup_flashable; } 411 | 412 | mount_magisk_img() { 413 | $BOOTMODE && MODULE_BASE=modules_update || MODULE_BASE=modules 414 | MODULEPATH=$NVBASE/$MODULE_BASE 415 | mkdir -p $MODULEPATH 2>/dev/null 416 | ln -s $MODULEPATH $MOUNTPATH 417 | } 418 | 419 | unmount_magisk_img() { 420 | rm -f $MOUNTPATH 2>/dev/null 421 | } 422 | 423 | boot_actions() { return; } 424 | 425 | ######## 426 | # Setup 427 | ######## 428 | 429 | resolve_vars 430 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/system/bin/sh 2 | print_modname() { 3 | ui_print "*****************************************" 4 | ui_print "SELinux Rules Example" 5 | ui_print "*****************************************" 6 | } 7 | 8 | patch_policy() { 9 | while read -r LINE || [ -n "$LINE" ]; do 10 | [ -z $LINE ] && continue 11 | ui_print "- Custom policy: $LINE" 12 | ./magiskpolicy --load ./sepolicy_custom --save ./sepolicy_custom "$LINE" 13 | done < ./policies.txt 14 | } -------------------------------------------------------------------------------- /policies.example.txt: -------------------------------------------------------------------------------- 1 | create magisk -------------------------------------------------------------------------------- /x86/magiskboot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/x86/magiskboot -------------------------------------------------------------------------------- /x86/magiskpolicy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/x86/magiskpolicy -------------------------------------------------------------------------------- /x86/magiskpolicy64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RikkaApps/magisk-custom-sepolicy-installer/4a6095415374e8681126af82a51c0ae35f3fe6d8/x86/magiskpolicy64 --------------------------------------------------------------------------------