Report if module files have incorrect context

rirud/src/main/java/riru/Daemon.java

@@ -62,6 +62,11 @@ public void binderDied() {
     private void onRiruNotLoaded(boolean allowRestart, boolean isFirst) {
         Log.w(TAG, "Riru is not loaded.");
 
+        if (DaemonUtils.hasIncorrectFileContext()) {
+            DaemonUtils.writeStatus(R.string.bad_file_context);
+            return;
+        }
+
         boolean filesMounted = true;
         if (DaemonUtils.has64Bit()) {
             filesMounted = new File("/system/lib64/libriruloader.so").exists();

rirud/src/main/java/riru/DaemonUtils.java

@@ -5,6 +5,7 @@
 import android.content.res.Resources;
 import android.os.Build;
 import android.os.IBinder;
+import android.os.SELinux;
 import android.os.ServiceManager;
 import android.os.SystemProperties;
 import android.system.ErrnoException;
@@ -31,6 +32,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import static riru.Daemon.TAG;
 
@@ -58,13 +60,22 @@ public class DaemonUtils {
     @SuppressWarnings("unchecked")
     private static final List<String>[] loadedModules = new List[]{new ArrayList<>(), new ArrayList<>()};
 
+    private static boolean isSELinuxEnforcing = false;
+    private static boolean fileContext = true;
+
     static {
         originalNativeBridge = SystemProperties.get("ro.dalvik.vm.native.bridge");
 
         if (TextUtils.isEmpty(originalNativeBridge)) {
             originalNativeBridge = "0";
         }
 
+        try {
+            isSELinuxEnforcing = hasSELinux() && SELinux.isSELinuxEnabled() && SELinux.isSELinuxEnforced();
+        } catch (Throwable e) {
+            Log.e(TAG, "read is enforcing", e);
+        }
+
         try {
             AssetManager am = AssetManager.class.newInstance();
             Method addAssetPath = AssetManager.class.getDeclaredMethod("addAssetPath", String.class);
@@ -91,6 +102,22 @@ public class DaemonUtils {
         } catch (Throwable e) {
             Log.e(TAG, "collect modules 32", e);
         }
+
+        File magiskDir = new File(DaemonUtils.getMagiskTmpfsPath(), ".magisk/modules/riru-core");
+
+        if (has64Bit()) {
+            fileContext &= isSystemFileContextForChildren(new File(magiskDir, "lib64"));
+            fileContext &= isSystemFileContextForParent(new File(magiskDir, "lib64"), magiskDir);
+            fileContext &= isSystemFileContextForChildren(new File(magiskDir, "system/lib64"));
+            fileContext &= isSystemFileContextForParent(new File(magiskDir, "system/lib64"), magiskDir);
+        }
+
+        if (has32Bit()) {
+            fileContext &= isSystemFileContextForChildren(new File(magiskDir, "lib"));
+            fileContext &= isSystemFileContextForParent(new File(magiskDir, "lib"), magiskDir);
+            fileContext &= isSystemFileContextForChildren(new File(magiskDir, "system/lib"));
+            fileContext &= isSystemFileContextForParent(new File(magiskDir, "system/lib"), magiskDir);
+        }
     }
 
     public static void init(String[] args) {
@@ -433,6 +460,46 @@ public static String getDevRandom() {
         return devRandom;
     }
 
+    private static boolean isSystemFileContext(File file) {
+        if (!isSELinuxEnforcing) return true;
+
+        String path = file.getAbsolutePath();
+        try {
+            String context = SELinux.getFileContext(path);
+            if (!Objects.equals("u:object_r:system_file:s0", context)) {
+                Log.w(TAG, "Context for " + path + " is " + context + " rather than u:object_r:system_file:s0");
+                return false;
+            } else {
+                Log.d(TAG, context + " " + path);
+            }
+        } catch (Throwable ignored) {
+        }
+        return true;
+    }
+
+    private static boolean isSystemFileContextForChildren(File folder) {
+        if (!isSELinuxEnforcing) return true;
+
+        File[] files = folder.listFiles();
+        if (files != null) {
+            for (File f : files) {
+                if (!isSystemFileContext(f)) return false;
+            }
+        }
+        return true;
+    }
+
+    private static boolean isSystemFileContextForParent(File from, File to) {
+        if (!isSELinuxEnforcing) return true;
+
+        do {
+            if (!isSystemFileContext(from)) return false;
+            from = from.getParentFile();
+        } while (from != null && !Objects.equals(from, to));
+
+        return isSystemFileContext(to);
+    }
+
     private static void collectModules(boolean is64) {
         Map<String, List<Pair<String, String>>> m = is64 ? modules64 : modules;
 
@@ -459,6 +526,8 @@ private static void collectModules(boolean is64) {
             List<Pair<String, String>> libs = new ArrayList<>();
             m.put(magiskDir.getAbsolutePath(), libs);
 
+            Log.d(TAG, magiskDir.getAbsolutePath() + " is a Riru module");
+
             for (File lib : libsFiles) {
                 String name = lib.getName();
                 String id = name;
@@ -470,11 +539,20 @@ private static void collectModules(boolean is64) {
                     lib = new File("/system/" + (is64 ? "lib64" : "lib"), name + SO_SUFFIX);
 
                 libs.add(new Pair<>(id, lib.getAbsolutePath()));
+                Log.d(TAG, "Path for " + id + " is " + lib.getAbsolutePath());
+
+                fileContext &= isSystemFileContext(lib);
             }
+
+            fileContext &= isSystemFileContextForParent(libDir, magiskDir);
         }
     }
 
     public static Map<String, List<Pair<String, String>>> getModules(boolean is64) {
         return is64 ? modules64 : modules;
     }
+
+    public static boolean hasIncorrectFileContext() {
+        return !fileContext;
+    }
 }

rirud/src/main/res/values-zh-rCN/strings.xml

@@ -7,5 +7,6 @@
     <string name="bad_prop">\u26A0\uFE0F 系统属性错误。请不要使用“优化”模块，因为通过修改属性来优化非常值得怀疑。</string>
     <string name="not_loaded">\u26A0\uFE0F Riru 未被加载，原因未知。</string>
     <string name="loaded">\uD83D\uDE0B Riru 正常工作中。已载入 %1$d 个模块 %2$s。</string>
+    <string name="bad_file_context">\u26A0\uFE0F Riru 和模块文件的 SELinux 上下文不正确，请尝试重新安装 Riru 和所有 Riru 模块。</string>
     <string name="empty">无</string>
 </resources>

rirud/src/main/res/values-zh-rTW/strings.xml

@@ -7,5 +7,6 @@
     <string name="bad_prop">\u26A0\uFE0F 系統屬性錯誤。請不要使用“最佳化”模組，因為透過修改屬性來最佳化非常值得懷疑。</string>
     <string name="not_loaded">\u26A0\uFE0F Riru 未被載入，原因未知。</string>
     <string name="loaded">\uD83D\uDE0B Riru 正常工作中。已載入 %1$d 個模組 %2$s。</string>
+    <string name="bad_file_context">\u26A0\uFE0F Riru 和模組檔案的 SELinux 上下文不正確，請嘗試重新安裝 Riru 和所有 Riru 模組。</string>
     <string name="empty">無</string>
 </resources>

rirud/src/main/res/values/strings.xml

@@ -7,5 +7,6 @@
     <string name="bad_prop">\u26A0\uFE0F System property is wrong. Please don\'t use \"optimize\" modules since it\'s very questionable to optimize by changing properties.</string>
     <string name="not_loaded">\u26A0\uFE0F Riru is not loaded and the reason in unknown.</string>
     <string name="loaded">\uD83D\uDE0B Riru is working normally. Loaded %1$d modules, %2$s.</string>
+    <string name="bad_file_context">\u26A0\uFE0F SELinux context for Riru and modules files are incorrect, try reinstalling Riru and all Riru modules.</string>
     <string name="empty">none</string>
 </resources>

stub/src/main/java/android/os/SELinux.java

@@ -7,4 +7,6 @@ public class SELinux {
     public static final native boolean isSELinuxEnforced();
 
     public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
+
+    public static final native String getFileContext(String path);
 }