From 13c791232021402401ac1f24feaecd5aebe39c37 Mon Sep 17 00:00:00 2001
From: Huy Minh <buingoc67@gmail.com>
Date: Fri, 3 Oct 2025 16:08:23 +0700
Subject: [PATCH] kernel: add initial 6.8+/6.14 kernel support

* This is a squashed of un-merged pull requests of Official KernelSU
* LKM support are not available.
* Require this additional patch to avoid kernel panic because of "Too many LSMs registered":
https://github.com/android-generic/kernel-zenith/commit/7042991a5c9ddae256f3864a598017310bb5ff2c

* Un-merged pull requests of Official KernelSU:
https://github.com/tiann/KernelSU/pull/1785
https://github.com/tiann/KernelSU/pull/2662

* This commit probably not 100% completed.

Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
---
 kernel/core_hook.c       | 19 +++++++++++++++++++
 kernel/selinux/selinux.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index a519dd57..9d06c97f 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -215,7 +215,10 @@ static void disable_seccomp_for_task(struct task_struct *tsk)
 		seccomp_filter_release(tsk);
 		atomic_set(&tsk->seccomp.filter_count, 0);
 #else
+	// for 6.11+ kernel support?
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 		put_seccomp_filter(tsk);
+#endif
 		tsk->seccomp.filter = NULL;
 #endif
 	}
@@ -1171,9 +1174,25 @@ static struct security_hook_list ksu_hooks[] = {
 #endif
 };
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+const struct lsm_id ksu_lsmid = {
+	.name = "ksu",
+	.id = 912,
+};
+#endif
+
 void __init ksu_lsm_hook_init(void)
 {
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+	// https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
+#else
+	// https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks));
+#endif
 }
 
 #else
diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c
index 17a25dae..e4b5a5aa 100644
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -86,15 +86,30 @@ static inline u32 current_sid(void)
 
 bool is_ksu_domain()
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	struct lsm_context ctx;
+#else
 	char *domain;
 	u32 seclen;
+#endif
 	bool result;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	int err = security_secid_to_secctx(current_sid(), &ctx);
+#else
 	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+#endif
+
 	if (err) {
 		return false;
 	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+	security_release_secctx(&ctx);
+#else
 	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
 	security_release_secctx(domain, seclen);
+#endif
 	return result;
 }
 
@@ -104,15 +119,30 @@ bool is_zygote(void *sec)
 	if (!tsec) {
 		return false;
 	}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	struct lsm_context ctx;
+#else
 	char *domain;
 	u32 seclen;
+#endif
 	bool result;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	int err = security_secid_to_secctx(tsec->sid, &ctx);
+#else
 	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
+#endif
 	if (err) {
 		return false;
 	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
+	security_release_secctx(&ctx);
+#else
 	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
 	security_release_secctx(domain, seclen);
+#endif
 	return result;
 }