[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-70584":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":8,"language":10,"languages":8,"totalLinesOfCode":8,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":14,"forks30d":14,"starsTrendScore":18,"compositeScore":19,"rankGlobal":8,"rankLanguage":8,"license":8,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":20,"hasPages":20,"topics":22,"createdAt":8,"pushedAt":8,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":14,"starSnapshotCount":14,"syncStatus":15,"lastSyncTime":26,"discoverSource":27},70584,"DirtySepolicy","LSPosed\u002FDirtySepolicy","LSPosed",null,"","Java",385,52,4,0,2,8,162,6,57.17,false,"master",[],"2026-06-12 04:00:56","# Dirty Sepolicy: Check Android SELinux access\n\nThis project discloses a method to detect the Android device sepolicy.\nIt can accurately identify all userspace su solutions, and it is impossible to bypass.\n\n## Background\n\nThe LSPosed team originally discovered this method in August 2024.\nAt that time, we decided not to disclose it and chose not to implement this detection mechanism.\n\nIn May 2026, [FldBudin](https:\u002F\u002Fgithub.com\u002FFldBudin) independently discovered this method and made it public in [Duck Detector](https:\u002F\u002Fgithub.com\u002Feltavine\u002FDuck-Detector-Refactoring\u002Fpull\u002F22).\nGiven that the method is now publicly known, we have decided to publish our example implementation as well.\n\n## How it works\n\nThe detection utilizes the **App Zygote** process. An App Zygote is an application-specific Zygote process that preloads resources and forks isolated services for the application.\nTo function correctly, the App Zygote must transition into the restricted context of the isolated service. 
Because of this requirement, it must have permission to [query and check SELinux access rules](https:\u002F\u002Fandroid.googlesource.com\u002Fplatform\u002Fsystem\u002Fsepolicy\u002F+\u002Fmaster\u002Fprivate\u002Fapp_zygote.te#:~:text=%23%20Check%20validity%20of%20SELinux,selinux_check_access(app_zygote)).\nThis inherent design makes it the perfect candidate to query SELinux without being restricted by normal untrusted app constraints.\n\nIn this implementation, `AppZygote.java` uses its privileges to check the system's global SELinux policies for \"dirty\" rules injected by common root and hooking solutions.\n- `security:compute_av`: computes an access vector given a source, target and class. The Java API is `SELinux.checkSELinuxAccess`. It can detect the existence of specific allow rules.\n- `security:check_context`: determines whether a context is valid. There is no Java API; you need to write to `\u002Fsys\u002Ffs\u002Fselinux\u002Fcontext` manually. It can detect the existence of a specific type or domain.\n- `process:setcurrent`: sets the current process context. There is no Java API; you need to write to `\u002Fproc\u002Fself\u002Fattr\u002Fcurrent` manually. It can also detect the existence of a specific type or domain, because the kernel checks the validity of the requested context first and returns `EINVAL` if the context is invalid. 
This differs from the no-permission case, which returns `EPERM` instead of `EINVAL` when the context is valid but `process:dyntransition` is not allowed.\n\nDevelopers can easily extend this implementation by adding the specific SELinux rule characteristics of other future popular su solutions or root tools.\nBecause the app zygote and zygote share code, the SELinux permissions must be checked; otherwise the process will crash, so this detection cannot be bypassed in userspace.\nThe only way to circumvent this detection is by modifying the kernel itself.\n\n## app zygote crashed\n\nApp crashes or service bind timeouts are most likely due to an app zygote crash; this should be seen as a signal that the check is being blocked by root.\nIt is important to note that `selinux_check_access` may [create a SELinux netlink socket](https:\u002F\u002Fcs.android.com\u002Fandroid\u002Fplatform\u002Fsuperproject\u002F+\u002Fandroid-11.0.0_r21:external\u002Fselinux\u002Flibselinux\u002Fsrc\u002FcheckAccess.c;l=22);\nbefore Android 13, this socket is always created. 
This fd is rejected when a new app process is forked, which crashes the app zygote.\nThe app zygote can mark fds created during `doPreload`, but only after [Android 12](https:\u002F\u002Fcs.android.com\u002Fandroid\u002Fplatform\u002Fsuperproject\u002F+\u002Fandroid-12.0.0_r3:frameworks\u002Fbase\u002Fcore\u002Fjava\u002Fcom\u002Fandroid\u002Finternal\u002Fos\u002FAppZygoteInit.java;l=94-96;drc=ff6ac69e69423107a626a00c3e01e9bf5eb2814c);\ndevelopers should manually close this fd on older Android versions.\n\n## License\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","DirtySepolicy is a tool for detecting SELinux access rules on Android devices. Its core function is to use the privileges of the App Zygote process to check the system's global SELinux policy for \"dirty\" rules injected by common root and hooking solutions. The tool can accurately identify all userspace su solutions and cannot be bypassed. It suits scenarios that need to verify the security of Android devices, such as security audits of enterprise applications or security checks by individual users. Developers can also easily extend this implementation with the specific SELinux rule characteristics of su solutions or root tools that become popular in the future. Because the App Zygote shares code with Zygote, the SELinux permissions must be checked, otherwise the process will crash, which means this detection cannot be circumvented in userspace. The only way to bypass it is to modify the kernel itself.","2026-06-11 03:32:54","CREATED_QUERY"]