kernel: For cmd_su, bypass the susfs_is_current_proc_umounted check only for system processes.

kernel/core_hook.c

@@ -474,10 +474,24 @@ static inline void nuke_ext4_sysfs(void)
 
 static bool is_system_bin_su()
 {
+	if (!current->mm || current->in_execve) {
+		return 0;
+	}
+
 	// quick af check
 	return (current->mm->exe_file && !strcmp(current->mm->exe_file->f_path.dentry->d_name.name, "su"));
 }
 
+static bool is_system_uid(void)
+{
+	if (!current->mm || current->in_execve) {
+		return 0;
+	}
+	
+	uid_t caller_uid = current_uid().val;
+	return caller_uid <= 2000;
+}
+
 static void init_uid_scanner(void)
 {
 	ksu_uid_init();
@@ -498,7 +512,13 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 #ifdef CONFIG_KSU_SUSFS
 	// - We straight up check if process is supposed to be umounted, return 0 if so
 	// - This is to prevent side channel attack as much as possible
-	if (likely(susfs_is_current_proc_umounted())) {
+	bool is_manual_su_cmd = (arg2 == CMD_SU_ESCALATION_REQUEST ||
+	                         arg2 == CMD_ADD_PENDING_ROOT);
+	if (is_manual_su_cmd) {
+		if (!is_system_uid())
+			return -EPERM;
+	} else {
+		if (likely(susfs_is_current_proc_umounted()))
 			return 0;
 	}
 #endif
@@ -522,9 +542,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	bool from_root = 0 == current_uid().val;
 	bool from_manager = is_manager();
 
-	if (!current->mm || current->in_execve) {
-		return 0;
-	}
 #ifdef CONFIG_KSU_MANUAL_SU
 	if (arg2 == CMD_SU_ESCALATION_REQUEST) {
 		uid_t target_uid = (uid_t)arg3;