kernel: make the profile uid, gid, capabilities really work
This commit is contained in:
weishu
@@ -181,7 +181,7 @@ bool ksu_is_allow_uid(uid_t uid)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool ksu_is_uid_should_umount(uid_t uid)
|
bool ksu_uid_should_umount(uid_t uid)
|
||||||
{
|
{
|
||||||
struct app_profile profile = { .current_uid = uid };
|
struct app_profile profile = { .current_uid = uid };
|
||||||
bool found = ksu_get_app_profile(&profile);
|
bool found = ksu_get_app_profile(&profile);
|
||||||
@@ -202,6 +202,24 @@ bool ksu_is_uid_should_umount(uid_t uid)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct root_profile *ksu_get_root_profile(uid_t uid)
|
||||||
|
{
|
||||||
|
struct perm_data *p = NULL;
|
||||||
|
struct list_head *pos = NULL;
|
||||||
|
|
||||||
|
list_for_each (pos, &allow_list) {
|
||||||
|
p = list_entry(pos, struct perm_data, list);
|
||||||
|
if (uid == p->profile.current_uid && p->profile.allow_su) {
|
||||||
|
if (!p->profile.rp_config.use_default) {
|
||||||
|
return &p->profile.rp_config.profile;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// use default profile
|
||||||
|
return &default_root_profile;
|
||||||
|
}
|
||||||
|
|
||||||
bool ksu_get_allow_list(int *array, int *length, bool allow)
|
bool ksu_get_allow_list(int *array, int *length, bool allow)
|
||||||
{
|
{
|
||||||
struct perm_data *p = NULL;
|
struct perm_data *p = NULL;
|
||||||
|
|||||||
@@ -21,5 +21,6 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
|
|||||||
bool ksu_get_app_profile(struct app_profile *);
|
bool ksu_get_app_profile(struct app_profile *);
|
||||||
bool ksu_set_app_profile(struct app_profile *, bool persist);
|
bool ksu_set_app_profile(struct app_profile *, bool persist);
|
||||||
|
|
||||||
bool ksu_is_uid_should_umount(uid_t uid);
|
bool ksu_uid_should_umount(uid_t uid);
|
||||||
|
struct root_profile *ksu_get_root_profile(uid_t uid);
|
||||||
#endif
|
#endif
|
||||||
@@ -1,3 +1,4 @@
|
|||||||
|
#include "linux/capability.h"
|
||||||
#include "linux/cred.h"
|
#include "linux/cred.h"
|
||||||
#include "linux/dcache.h"
|
#include "linux/dcache.h"
|
||||||
#include "linux/err.h"
|
#include "linux/err.h"
|
||||||
@@ -59,18 +60,26 @@ void escape_to_root(void)
|
|||||||
|
|
||||||
cred = (struct cred *)__task_cred(current);
|
cred = (struct cred *)__task_cred(current);
|
||||||
|
|
||||||
memset(&cred->uid, 0, sizeof(cred->uid));
|
struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
|
||||||
memset(&cred->gid, 0, sizeof(cred->gid));
|
|
||||||
memset(&cred->suid, 0, sizeof(cred->suid));
|
cred->uid.val = profile->uid;
|
||||||
memset(&cred->euid, 0, sizeof(cred->euid));
|
cred->suid.val = profile->uid;
|
||||||
memset(&cred->egid, 0, sizeof(cred->egid));
|
cred->euid.val = profile->uid;
|
||||||
memset(&cred->fsuid, 0, sizeof(cred->fsuid));
|
cred->fsuid.val = profile->uid;
|
||||||
memset(&cred->fsgid, 0, sizeof(cred->fsgid));
|
|
||||||
memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
|
cred->gid.val = profile->gid;
|
||||||
memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
|
cred->fsgid.val = profile->gid;
|
||||||
memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
|
cred->sgid.val = profile->gid;
|
||||||
memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
|
cred->egid.val = profile->gid;
|
||||||
memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
|
|
||||||
|
BUILD_BUG_ON(sizeof(profile->capabilities.effective) != sizeof(kernel_cap_t));
|
||||||
|
|
||||||
|
// capabilities
|
||||||
|
memcpy(&cred->cap_effective, &profile->capabilities.effective, sizeof(cred->cap_effective));
|
||||||
|
memcpy(&cred->cap_inheritable, &profile->capabilities.effective, sizeof(cred->cap_inheritable));
|
||||||
|
memcpy(&cred->cap_permitted, &profile->capabilities.effective, sizeof(cred->cap_permitted));
|
||||||
|
memcpy(&cred->cap_bset, &profile->capabilities.effective, sizeof(cred->cap_bset));
|
||||||
|
memcpy(&cred->cap_ambient, &profile->capabilities.effective, sizeof(cred->cap_ambient));
|
||||||
|
|
||||||
// disable seccomp
|
// disable seccomp
|
||||||
#if defined(CONFIG_GENERIC_ENTRY) && \
|
#if defined(CONFIG_GENERIC_ENTRY) && \
|
||||||
@@ -322,15 +331,15 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (arg2 == CMD_IS_UID_GRANTED_ROOT ||
|
if (arg2 == CMD_UID_GRANTED_ROOT ||
|
||||||
arg2 == CMD_IS_UID_SHOULD_UMOUNT) {
|
arg2 == CMD_UID_SHOULD_UMOUNT) {
|
||||||
if (is_manager() || 0 == current_uid().val) {
|
if (is_manager() || 0 == current_uid().val) {
|
||||||
uid_t target_uid = (uid_t)arg3;
|
uid_t target_uid = (uid_t)arg3;
|
||||||
bool allow = false;
|
bool allow = false;
|
||||||
if (arg2 == CMD_IS_UID_GRANTED_ROOT) {
|
if (arg2 == CMD_UID_GRANTED_ROOT) {
|
||||||
allow = ksu_is_allow_uid(target_uid);
|
allow = ksu_is_allow_uid(target_uid);
|
||||||
} else if (arg2 == CMD_IS_UID_SHOULD_UMOUNT) {
|
} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
|
||||||
allow = ksu_is_uid_should_umount(target_uid);
|
allow = ksu_uid_should_umount(target_uid);
|
||||||
} else {
|
} else {
|
||||||
pr_err("unknown cmd: %d\n", arg2);
|
pr_err("unknown cmd: %d\n", arg2);
|
||||||
}
|
}
|
||||||
@@ -418,7 +427,7 @@ static bool should_umount(struct path *path)
|
|||||||
if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) {
|
if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) {
|
||||||
const char *fstype = path->mnt->mnt_sb->s_type->name;
|
const char *fstype = path->mnt->mnt_sb->s_type->name;
|
||||||
if (strcmp(fstype, "overlay") == 0) {
|
if (strcmp(fstype, "overlay") == 0) {
|
||||||
return ksu_is_uid_should_umount(current_uid().val);
|
return ksu_uid_should_umount(current_uid().val);
|
||||||
}
|
}
|
||||||
#ifdef CONFIG_KSU_DEBUG
|
#ifdef CONFIG_KSU_DEBUG
|
||||||
pr_info("uid: %d should not umount!\n", current_uid().val);
|
pr_info("uid: %d should not umount!\n", current_uid().val);
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
#ifndef __KSU_H_KSU
|
#ifndef __KSU_H_KSU
|
||||||
#define __KSU_H_KSU
|
#define __KSU_H_KSU
|
||||||
|
|
||||||
#include "linux/capability.h"
|
|
||||||
#include "linux/types.h"
|
#include "linux/types.h"
|
||||||
#include "linux/workqueue.h"
|
#include "linux/workqueue.h"
|
||||||
|
|
||||||
@@ -29,8 +28,8 @@
|
|||||||
#define CMD_CHECK_SAFEMODE 9
|
#define CMD_CHECK_SAFEMODE 9
|
||||||
#define CMD_GET_APP_PROFILE 10
|
#define CMD_GET_APP_PROFILE 10
|
||||||
#define CMD_SET_APP_PROFILE 11
|
#define CMD_SET_APP_PROFILE 11
|
||||||
#define CMD_IS_UID_GRANTED_ROOT 12
|
#define CMD_UID_GRANTED_ROOT 12
|
||||||
#define CMD_IS_UID_SHOULD_UMOUNT 13
|
#define CMD_UID_SHOULD_UMOUNT 13
|
||||||
|
|
||||||
#define EVENT_POST_FS_DATA 1
|
#define EVENT_POST_FS_DATA 1
|
||||||
#define EVENT_BOOT_COMPLETED 2
|
#define EVENT_BOOT_COMPLETED 2
|
||||||
|
|||||||
Reference in New Issue
Block a user