[WIP] Fix SELinux

scripts/build.sh

@@ -480,8 +480,6 @@ if [ "$HAS_GAPPS" ] || [ "$ROOT_SOL" = "magisk" ]; then
     "$WORK_DIR/magisk/magiskboot" compress=xz "$WORK_DIR/magisk/magisk64" "$WORK_DIR/magisk/magisk64.xz"
     "$WORK_DIR/magisk/magiskboot" compress=xz "$WORK_DIR/magisk/magisk32" "$WORK_DIR/magisk/magisk32.xz"
     "$WORK_DIR/magisk/magiskboot" compress=xz "$MAGISK_PATH" "$WORK_DIR/magisk/stub.xz"
-    echo "KEEPFORCEENCRYPT=true" >>"$WORK_DIR/magisk/config"
-    echo "PREINITDEVICE=sde" >>"$WORK_DIR/magisk/config"
     "$WORK_DIR/magisk/magiskboot" cpio "$WORK_DIR/wsa/$ARCH/Tools/initrd.img" \
         "mv /init /wsainit" \
         "add 0750 /lspinit ../bin/$ARCH/lspinit" \
@@ -493,7 +491,8 @@ if [ "$HAS_GAPPS" ] || [ "$ROOT_SOL" = "magisk" ]; then
         "add 0644 overlay.d/sbin/magisk32.xz $WORK_DIR/magisk/magisk32.xz" \
         "add 0644 overlay.d/sbin/stub.xz $WORK_DIR/magisk/stub.xz" \
         "mkdir 000 .backup" \
-        "add 000 .backup/.magisk $WORK_DIR/magisk/config" \
+        "add 0750 overlay.d/sbin/post-fs-data.sh post-fs-data.sh" \
+        "add 000 overlay.d/init.lsp.se.rc init.lsp.se.rc" \
         || abort "Unable to patch initrd"
     echo -e "Integrate Magisk done\n"
 elif [ "$ROOT_SOL" = "kernelsu" ]; then
@@ -523,6 +522,7 @@ if [ "$HAS_GAPPS" ]; then
         echo "Integrating GApps"
         "$WORK_DIR/magisk/magiskboot" cpio "$WORK_DIR/wsa/$ARCH/Tools/initrd.img" \
             "add 000 overlay.d/init.lsp.cust.rc init.lsp.cust.rc" \
+            "add 000 overlay.d/sbin/sepolicy.rule sepolicy.rule" \
             "add 000 overlay.d/sbin/cust.img $GAPPS_PATH" \
             || abort "Unable to patch initrd"
         echo -e "done\n"

scripts/init.lsp.cust.rc

@@ -0,0 +1,8 @@
+
+on post-fs
+    mkdir /mnt/cust 0775 system system
+    mount erofs loop@${MAGISKTMP}/cust.img /mnt/cust ro,seclabel
+    wait /system
+    mount overlay overlay /system_ext lowerdir=/mnt/cust/system_ext:/system_ext,seclabel
+    mount overlay overlay /product lowerdir=/mnt/cust/product:/product,seclabel
+    mount overlay overlay /system/priv-app lowerdir=/mnt/cust/system/priv-app:/system/priv-app,seclabel

scripts/init.lsp.se.rc

@@ -0,0 +1,2 @@
+on post-fs-data
+    exec u:r:magisk:s0 0 0 -- ${MAGISKTMP}/post-fs-data.sh

scripts/post-fs-data.sh

@@ -0,0 +1,25 @@
+#!/system/bin/sh
+MAGISKTMP=/sbin
+[ -d /sbin ] || MAGISKTMP=/debug_ramdisk
+MAGISKBIN=/data/adb/magisk
+if [ ! -f $MAGISKBIN/magiskpolicy ]; then
+    # shellcheck disable=SC2174
+    mkdir -p -m 755 $MAGISKBIN
+    chcon u:object_r:system_file:s0 $MAGISKBIN
+    ABI=$(/system/bin/getprop ro.product.cpu.abi)
+    /system/bin/unzip -d $MAGISKBIN -j $MAGISKTMP/stub.apk "lib/$ABI/libmagiskpolicy.so"
+    mv $MAGISKBIN/libmagiskpolicy.so $MAGISKBIN/magiskpolicy
+    chmod 755 $MAGISKBIN/magiskpolicy
+fi
+# [ -b $MAGISKTMP/.magisk/block/preinit ] || {
+#     export MAGISKTMP
+#     MAKEDEV=1 $MAGISKTMP/magisk --preinit-device 2>&1
+#     RULESCMD=""
+#     for r in "$MAGISKTMP"/.magisk/preinit/*/sepolicy.rule; do
+#         [ -f "$r" ] || continue
+#         RULESCMD="$RULESCMD --apply $r"
+#     done
+#     # shellcheck disable=SC2086
+#     $MAGISKBIN/magiskpolicy --live $RULESCMD 2>&1
+# }
+[ -f $MAGISKTMP/sepolicy.rule ] && $MAGISKBIN/magiskpolicy --live --apply $MAGISKTMP/sepolicy.rule

scripts/sepolicy.rule

@@ -0,0 +1,9 @@
+allow gmscore_app gmscore_app vsock_socket { create connect write read }
+allow gmscore_app device_config_runtime_native_boot_prop file read
+allow gmscore_app system_server_tmpfs dir search
+allow gmscore_app system_server_tmpfs file open
+allow gmscore_app system_server_tmpfs filesystem getattr
+allow gmscore_app media_rw_data_file filesystem getattr
+allow platform_app default_android_service service_manager { find add }
+allow system_app default_android_service service_manager { find add }
+allow system_server default_android_service service_manager add