diff --git a/kernel/core_hook.c b/kernel/core_hook.c index a519dd57..9d06c97f 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -215,7 +215,10 @@ static void disable_seccomp_for_task(struct task_struct *tsk) seccomp_filter_release(tsk); atomic_set(&tsk->seccomp.filter_count, 0); #else + // for 6.11+ kernel support? +#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) put_seccomp_filter(tsk); +#endif tsk->seccomp.filter = NULL; #endif } @@ -1171,9 +1174,25 @@ static struct security_hook_list ksu_hooks[] = { #endif }; +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0) +const struct lsm_id ksu_lsmid = { + .name = "ksu", + .id = 912, +}; +#endif + void __init ksu_lsm_hook_init(void) { + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0) + // https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120 + security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid); +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0) security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu"); +#else + // https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892 + security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks)); +#endif } #else diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index 17a25dae..e4b5a5aa 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -86,15 +86,30 @@ static inline u32 current_sid(void) bool is_ksu_domain() { +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + struct lsm_context ctx; +#else char *domain; u32 seclen; +#endif bool result; +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + int err = security_secid_to_secctx(current_sid(), &ctx); +#else int err = security_secid_to_secctx(current_sid(), &domain, &seclen); +#endif + if (err) { return false; } + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0; + security_release_secctx(&ctx); +#else result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0; security_release_secctx(domain, seclen); +#endif return result; } @@ -104,15 +119,30 @@ bool is_zygote(void *sec) if (!tsec) { return false; } +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + struct lsm_context ctx; +#else char *domain; u32 seclen; +#endif bool result; + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + int err = security_secid_to_secctx(tsec->sid, &ctx); +#else int err = security_secid_to_secctx(tsec->sid, &domain, &seclen); +#endif if (err) { return false; } + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0; + security_release_secctx(&ctx); +#else result = strncmp("u:r:zygote:s0", domain, seclen) == 0; security_release_secctx(domain, seclen); +#endif return result; }