Tightening SELinux restrictions on Android with Magisk

/data/adb/service.d/se
Contents:

# Deny untrusted apps all access to thermal sysfs nodes (files, symlinks, directories)
magiskpolicy --live "deny untrusted_app sysfs_thermal file *"
magiskpolicy --live "deny untrusted_app sysfs_thermal lnk_file *"
magiskpolicy --live "deny untrusted_app sysfs_thermal dir *"

magiskpolicy --live "deny untrusted_app_27 sysfs_thermal file *"
magiskpolicy --live "deny untrusted_app_27 sysfs_thermal lnk_file *"
magiskpolicy --live "deny untrusted_app_27 sysfs_thermal dir *"

magiskpolicy --live "deny untrusted_app_25 sysfs_thermal file *"
magiskpolicy --live "deny untrusted_app_25 sysfs_thermal lnk_file *"
magiskpolicy --live "deny untrusted_app_25 sysfs_thermal dir *"

# Deny every operation on netlink route sockets
magiskpolicy --live "deny untrusted_app untrusted_app netlink_route_socket *"
magiskpolicy --live "deny untrusted_app_27 untrusted_app_27 netlink_route_socket *"
magiskpolicy --live "deny untrusted_app_25 untrusted_app_25 netlink_route_socket *"

# Deny ioctl on UDP and TCP sockets
magiskpolicy --live "deny untrusted_app untrusted_app udp_socket ioctl"
magiskpolicy --live "deny untrusted_app untrusted_app tcp_socket ioctl"
magiskpolicy --live "deny untrusted_app_27 untrusted_app_27 udp_socket ioctl"
magiskpolicy --live "deny untrusted_app_27 untrusted_app_27 tcp_socket ioctl"
magiskpolicy --live "deny untrusted_app_25 untrusted_app_25 udp_socket ioctl"
magiskpolicy --live "deny untrusted_app_25 untrusted_app_25 tcp_socket ioctl"

/data/adb/post-fs-data.d/hiden

# Overwrite the baseband version and the IMEI/MEID properties
resetprop gsm.version.baseband MPSS.Gen5.2020
resetprop gsm.imei1 unkown
resetprop gsm.imei2 unkown
resetprop gsm.meid unkown

Searching the rules

./sesearch --all   --target sysfs_thermal  --source   untrusted_app

Found 3 semantic av rules:
   allow untrusted_app sysfs_thermal : file { ioctl read getattr lock map open } ; 
   allow untrusted_app sysfs_thermal : dir { ioctl read getattr lock search open } ; 
   allow untrusted_app sysfs_thermal : lnk_file { ioctl read getattr lock map open } ; 




./sesearch --all  --class  netlink_route_socket  --target untrusted_app
allow untrusted_app untrusted_app : netlink_route_socket { read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read } ;




./sesearch --all  --class  udp_socket  --target untrusted_app
   allow untrusted_app untrusted_app : udp_socket { ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown } ; 
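
To confirm that the deny rules took effect, the same sesearch queries can be rerun and their output compared against the rule list. The script below is an added example, not part of the original post. It reads sesearch text on stdin, and the function names (remaining_perms, still_allowed, audit_denies) and the "self" shorthand in its rule table are made up for illustration.

```shell
#!/bin/sh
# Added example: audit sesearch output (read from stdin) against the page's deny rules.

# Print each permission still allowed for SRC -> TGT : CLASS, one per line.
remaining_perms() {
    awk -v src="$1" -v tgt="$2" -v cls="$3" '
        { gsub(/:/, " : ") }          # tolerate "type:class" without spaces
        $1 == "allow" && $2 == src && $3 == tgt && $5 == cls {
            rest = ""
            for (i = 6; i <= NF; i++) rest = rest " " $i
            gsub(/[{};]/, " ", rest)  # drop set braces and the terminator
            n = split(rest, p, " ")
            for (i = 1; i <= n; i++) print p[i]
        }' | sort -u
}

# Exit 0 if PERM is still allowed; PERM "*" means any permission at all.
still_allowed() {
    perms=$(remaining_perms "$1" "$2" "$3")
    if [ "$4" = "*" ]; then [ -n "$perms" ]
    else printf '%s\n' "$perms" | grep -qx -e "$4"; fi
}

# Print one line per deny rule from the page that has not taken effect;
# return non-zero if there is at least one. "self" = same domain as the source.
audit_denies() {
    dump=$(cat); rc=0
    for dom in untrusted_app untrusted_app_27 untrusted_app_25; do
        while read -r tgt cls perm; do
            if [ "$tgt" = self ]; then tgt=$dom; fi
            if printf '%s\n' "$dump" | still_allowed "$dom" "$tgt" "$cls" "$perm"; then
                echo "still allowed: $dom $tgt $cls $perm"; rc=1
            fi
        done <<'EOF'
sysfs_thermal file *
sysfs_thermal lnk_file *
sysfs_thermal dir *
self netlink_route_socket *
self udp_socket ioctl
self tcp_socket ioctl
EOF
    done
    return $rc
}

# Sample line copied from the page's sesearch output (state before the rules).
SAMPLE='allow untrusted_app untrusted_app : udp_socket { ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown } ;'
printf '%s\n' "$SAMPLE" | audit_denies || echo "deny rules above are not in effect"
```

An empty report with exit status 0 means none of the listed permissions appear in the supplied sesearch output.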




