app: support config restrict policy

2025-09-06 06:36:58 +00:00 · 2023-06-28 04:47:44 +08:00
parent ff18cb8e70
commit e5d36d1d24
12 changed files with 113 additions and 13 deletions
--- a/app/core/src/main/java/com/topjohnwu/magisk/core/Config.kt
+++ b/app/core/src/main/java/com/topjohnwu/magisk/core/Config.kt
@@ -32,6 +32,7 @@ object Config : PreferenceConfig, DBConfig {
        const val SU_NOTIFICATION = "su_notification"
        const val SU_REAUTH = "su_reauth"
        const val SU_TAPJACK = "su_tapjack"
+        const val SU_RESTRICT = "su_restrict"
        const val CHECK_UPDATES = "check_update"
        const val RELEASE_CHANNEL = "release_channel"
        const val CUSTOM_CHANNEL = "custom_channel"
@@ -147,6 +148,7 @@ object Config : PreferenceConfig, DBConfig {
        }
    var suReAuth by preference(Key.SU_REAUTH, false)
    var suTapjack by preference(Key.SU_TAPJACK, true)
+    var suRestrict by preference(Key.SU_RESTRICT, false)

    private const val SU_FINGERPRINT = "su_fingerprint"
    private const val UPDATE_CHANNEL = "update_channel"
--- a/app/core/src/main/java/com/topjohnwu/magisk/core/su/SuCallbackHandler.kt
+++ b/app/core/src/main/java/com/topjohnwu/magisk/core/su/SuCallbackHandler.kt
@@ -70,7 +70,7 @@ object SuCallbackHandler {
        }.getOrNull() ?: createSuLog(fromUid, toUid, pid, command, policy, target, seContext, gids)

        if (notify)
-            notify(context, log.action == SuPolicy.ALLOW, log.appName)
+            notify(context, log.action >= SuPolicy.ALLOW, log.appName)

        runBlocking { ServiceLocator.logRepo.insert(log) }
    }
@@ -86,7 +86,7 @@ object SuCallbackHandler {
            pm.getPackageInfo(uid, pid)?.applicationInfo?.getLabel(pm)
        }.getOrNull() ?: "[UID] $uid"

-        notify(context, policy == SuPolicy.ALLOW, appName)
+        notify(context, policy >= SuPolicy.ALLOW, appName)
    }

    private fun notify(context: Context, granted: Boolean, appName: String) {
--- a/app/core/src/main/java/com/topjohnwu/magisk/core/su/SuRequestHandler.kt
+++ b/app/core/src/main/java/com/topjohnwu/magisk/core/su/SuRequestHandler.kt
@@ -82,7 +82,11 @@ class SuRequestHandler(
    }

    suspend fun respond(action: Int, time: Long) {
-        policy.policy = action
+        if (action == SuPolicy.ALLOW && Config.suRestrict) {
+            policy.policy = SuPolicy.RESTRICT
+        } else {
+            policy.policy = action
+        }
        if (time >= 0) {
            policy.remain = TimeUnit.MINUTES.toSeconds(time)
        } else {
--- a/app/core/src/main/res/values-zh-rCN/strings.xml
+++ b/app/core/src/main/res/values-zh-rCN/strings.xml
@@ -54,6 +54,7 @@
    <string name="touch_filtered_warning">由于某个应用遮挡了超级用户请求界面，因此 Magisk 无法验证您的回应</string>
    <string name="deny">拒绝</string>
    <string name="prompt">提示</string>
+    <string name="restrict">受限</string>
    <string name="grant">允许</string>
    <string name="su_warning">将授予对该设备的最高权限。\n如果不确定，请拒绝！</string>
    <string name="forever">永久</string>
@@ -173,6 +174,8 @@
    <string name="settings_su_auth_title">身份验证</string>
    <string name="settings_su_auth_summary">对超级用户请求验证身份</string>
    <string name="settings_su_auth_insecure">设备未配置验证方式</string>
+    <string name="settings_su_restrict_title">限制超级用户权能</string>
+    <string name="settings_su_restrict_summary">默认限制新的超级用户应用。警告，这会破坏大多数应用，不建议启用。</string>
    <string name="settings_customization">个性化</string>
    <string name="setting_add_shortcut_summary">在隐藏后难以识别名称和图标的情况下，添加快捷方式到桌面</string>
    <string name="settings_doh_title">安全 DNS（DoH）</string>
--- a/app/core/src/main/res/values/strings.xml
+++ b/app/core/src/main/res/values/strings.xml
@@ -53,6 +53,7 @@
    <string name="touch_filtered_warning">Because an app is obscuring a Superuser request, Magisk can\'t verify your response.</string>
    <string name="deny">Deny</string>
    <string name="prompt">Prompt</string>
+    <string name="restrict">Restrict</string>
    <string name="grant">Grant</string>
    <string name="su_warning">Grants full access to your device.\nDeny if you\'re not sure!</string>
    <string name="forever">Forever</string>
@@ -170,6 +171,8 @@
    <string name="settings_su_auth_title">User authentication</string>
    <string name="settings_su_auth_summary">Ask for user authentication during Superuser requests</string>
    <string name="settings_su_auth_insecure">No authentication method is configured on the device</string>
+    <string name="settings_su_restrict_title">Restrict root capabilities</string>
+    <string name="settings_su_restrict_summary">Will restrict new superuser apps by default. Warning, this will break most apps, do not enable it.</string>
    <string name="settings_customization">Customization</string>
    <string name="setting_add_shortcut_summary">Add a pretty shortcut to the home screen in case the name and icon are difficult to recognize after hiding the app</string>
    <string name="settings_doh_title">DNS over HTTPS</string>