kernel: Added legacy throne tracker support, using packages.list to scan application UIDs

kernel/Kconfig

@@ -15,6 +15,15 @@ config KSU_DEBUG
 	help
 	  Enable KernelSU debug mode.
 
+config KSU_THRONE_TRACKER_LEGACY
+	bool "Use legacy throne tracker (packages.list scanning)"
+	depends on KSU
+	default n
+	help
+	  Use legacy throne tracker that scans packages.list for app UIDs.
+	  This is kept for Ultra-Legacy Linux 4.4-3.X kernels which are prone to deadlocks.
+	  Enable this if default scanning deadlocks/crashes on you.
+
 config KSU_ALLOWLIST_WORKAROUND
 	bool "KernelSU Session init keyring workaround"
 	depends on KSU

kernel/Makefile

@@ -3,7 +3,6 @@ kernelsu-objs += allowlist.o
 kernelsu-objs += dynamic_manager.o
 kernelsu-objs += apk_sign.o
 kernelsu-objs += sucompat.o
-kernelsu-objs += throne_tracker.o
 kernelsu-objs += core_hook.o
 kernelsu-objs += ksud.o
 kernelsu-objs += embed_ksud.o
@@ -14,6 +13,14 @@ ifeq ($(CONFIG_KSU_TRACEPOINT_HOOK), y)
 kernelsu-objs += ksu_trace.o
 endif
 
+ifeq ($(CONFIG_KSU_THRONE_TRACKER_LEGACY),y)
+$(info -- KernelSU/compat: using legacy throne tracker)
+kernelsu-objs += throne_tracker_legacy.o
+else
+$(info -- KernelSU/compat: using new throne tracker)
+kernelsu-objs += throne_tracker.o
+endif
+
 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
 kernelsu-objs += selinux/rules.o

kernel/throne_tracker_legacy.c

@@ -0,0 +1,609 @@
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/list.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/version.h>
+
+#include "allowlist.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "manager.h"
+#include "throne_tracker.h"
+#include "kernel_compat.h"
+#include "dynamic_manager.h"
+#include "throne_comm.h"
+
+uid_t ksu_manager_uid = KSU_INVALID_UID;
+
+#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list.tmp"
+#define KSU_UID_LIST_PATH "/data/misc/user_uid/uid_list"
+
+struct uid_data {
+	struct list_head list;
+	u32 uid;
+	char package[KSU_MAX_PACKAGE_NAME];
+};
+
+// Try read whitelist first, fallback if failed
+static int read_uid_whitelist(struct list_head *uid_list)
+{
+	struct file *fp;
+	char *file_content = NULL;
+	char *line, *next_line;
+	loff_t file_size;
+	loff_t pos = 0;
+	int count = 0;
+	ssize_t bytes_read;
+	
+	fp = ksu_filp_open_compat(KSU_UID_LIST_PATH, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_info("whitelist not found, fallback needed\n");
+		return -ENOENT;
+	}
+
+	file_size = fp->f_inode->i_size;
+	if (file_size <= 0) {
+		pr_info("whitelist file is empty\n");
+		filp_close(fp, NULL);
+		return -ENODATA;
+	}
+
+	file_content = kzalloc(file_size + 1, GFP_ATOMIC);
+	if (!file_content) {
+		pr_err("failed to allocate memory for whitelist file (%lld bytes)\n", file_size);
+		filp_close(fp, NULL);
+		return -ENOMEM;
+	}
+
+	bytes_read = ksu_kernel_read_compat(fp, file_content, file_size, &pos);
+	if (bytes_read != file_size) {
+		pr_err("failed to read whitelist file: read %zd bytes, expected %lld bytes\n", 
+		       bytes_read, file_size);
+		kfree(file_content);
+		filp_close(fp, NULL);
+		return -EIO;
+	}
+
+	file_content[file_size] = '\0';
+	filp_close(fp, NULL);
+
+	pr_info("successfully read whitelist file (%lld bytes), parsing lines...\n", file_size);
+
+	line = file_content;
+	while (line && *line) {
+		next_line = strchr(line, '\n');
+		if (next_line) {
+			*next_line = '\0';
+			next_line++;
+		}
+
+		char *trimmed_line = line;
+		while (*trimmed_line == ' ' || *trimmed_line == '\t' || *trimmed_line == '\r') {
+			trimmed_line++;
+		}
+
+		if (strlen(trimmed_line) > 0) {
+			char *line_copy = trimmed_line;
+			char *uid_str = strsep(&line_copy, " \t");
+			char *package_name = line_copy;
+			
+			if (package_name) {
+				while (*package_name == ' ' || *package_name == '\t') {
+					package_name++;
+				}
+			}
+			
+			if (uid_str && package_name && strlen(package_name) > 0) {
+				u32 uid;
+				if (!kstrtou32(uid_str, 10, &uid)) {
+					struct uid_data *data = kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
+					if (data) {
+						data->uid = uid;
+						size_t pkg_len = strlen(package_name);
+						size_t copy_len = min(pkg_len, (size_t)(KSU_MAX_PACKAGE_NAME - 1));
+						strncpy(data->package, package_name, copy_len);
+						data->package[copy_len] = '\0';
+						
+						list_add_tail(&data->list, uid_list);
+						count++;
+						
+						if (count % 100 == 0) {
+							pr_info("parsed %d packages so far...\n", count);
+						}
+					} else {
+						pr_err("failed to allocate memory for uid_data\n");
+					}
+				} else {
+					pr_warn("invalid uid format in line: %s\n", trimmed_line);
+				}
+			} else {
+				pr_warn("invalid line format: %s\n", trimmed_line);
+			}
+		}
+
+		line = next_line;
+	}
+	
+	kfree(file_content);
+	pr_info("successfully loaded %d uids from whitelist\n", count);
+	return count > 0 ? 0 : -ENODATA;
+}
+
+static int get_pkg_from_apk_path(char *pkg, const char *path)
+{
+	int len = strlen(path);
+	if (len >= KSU_MAX_PACKAGE_NAME || len < 1)
+		return -1;
+
+	const char *last_slash = NULL;
+	const char *second_last_slash = NULL;
+
+	int i;
+	for (i = len - 1; i >= 0; i--) {
+		if (path[i] == '/') {
+			if (!last_slash) {
+				last_slash = &path[i];
+			} else {
+				second_last_slash = &path[i];
+				break;
+			}
+		}
+	}
+
+	if (!last_slash || !second_last_slash)
+		return -1;
+
+	const char *last_hyphen = strchr(second_last_slash, '-');
+	if (!last_hyphen || last_hyphen > last_slash)
+		return -1;
+
+	int pkg_len = last_hyphen - second_last_slash - 1;
+	if (pkg_len >= KSU_MAX_PACKAGE_NAME || pkg_len <= 0)
+		return -1;
+
+	// Copying the package name
+	strncpy(pkg, second_last_slash + 1, pkg_len);
+	pkg[pkg_len] = '\0';
+
+	return 0;
+}
+
+static void crown_manager(const char *apk, struct list_head *uid_data,
+			  int signature_index)
+{
+	char pkg[KSU_MAX_PACKAGE_NAME];
+	if (get_pkg_from_apk_path(pkg, apk) < 0) {
+		pr_err("Failed to get package name from apk path: %s\n", apk);
+		return;
+	}
+
+	pr_info("manager pkg: %s, signature_index: %d\n", pkg, signature_index);
+
+#ifdef KSU_MANAGER_PACKAGE
+	// pkg is `/<real package>`
+	if (strncmp(pkg, KSU_MANAGER_PACKAGE, sizeof(KSU_MANAGER_PACKAGE))) {
+		pr_info("manager package is inconsistent with kernel build: %s\n",
+			KSU_MANAGER_PACKAGE);
+		return;
+	}
+#endif
+	struct list_head *list = (struct list_head *)uid_data;
+	struct uid_data *np;
+
+	list_for_each_entry(np, list, list) {
+		if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) {
+			pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n",
+				pkg, np->uid, signature_index);
+
+			// Dynamic Sign index (1) or multi-manager signatures (2+)
+			if (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2) {
+				ksu_add_manager(np->uid, signature_index);
+
+				if (!ksu_is_manager_uid_valid()) {
+					ksu_set_manager_uid(np->uid);
+				}
+			} else {
+				ksu_set_manager_uid(np->uid);
+			}
+			break;
+		}
+	}
+}
+
+#define DATA_PATH_LEN 384 // 384 is enough for /data/app/<package>/base.apk
+
+struct data_path {
+	char dirpath[DATA_PATH_LEN];
+	int depth;
+	struct list_head list;
+};
+
+struct apk_path_hash {
+	unsigned int hash;
+	bool exists;
+	struct list_head list;
+};
+
+static struct list_head apk_path_hash_list;
+
+struct my_dir_context {
+	struct dir_context ctx;
+	struct list_head *data_path_list;
+	char *parent_dir;
+	void *private_data;
+	int depth;
+	int *stop;
+};
+// https://docs.kernel.org/filesystems/porting.html
+// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted.
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
+#define FILLDIR_RETURN_TYPE bool
+#define FILLDIR_ACTOR_CONTINUE true
+#define FILLDIR_ACTOR_STOP false
+#else
+#define FILLDIR_RETURN_TYPE int
+#define FILLDIR_ACTOR_CONTINUE 0
+#define FILLDIR_ACTOR_STOP -EINVAL
+#endif
+FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
+			     int namelen, loff_t off, u64 ino,
+			     unsigned int d_type)
+{
+	struct my_dir_context *my_ctx =
+		container_of(ctx, struct my_dir_context, ctx);
+	char dirpath[DATA_PATH_LEN];
+
+	if (!my_ctx) {
+		pr_err("Invalid context\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+	if (my_ctx->stop && *my_ctx->stop) {
+		pr_info("Stop searching\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+
+	if (!strncmp(name, "..", namelen) || !strncmp(name, ".", namelen))
+		return FILLDIR_ACTOR_CONTINUE; // Skip "." and ".."
+
+	if (d_type == DT_DIR && namelen >= 8 && !strncmp(name, "vmdl", 4) &&
+	    !strncmp(name + namelen - 4, ".tmp", 4)) {
+		pr_info("Skipping directory: %.*s\n", namelen, name);
+		return FILLDIR_ACTOR_CONTINUE; // Skip staging package
+	}
+
+	if (snprintf(dirpath, DATA_PATH_LEN, "%s/%.*s", my_ctx->parent_dir,
+		     namelen, name) >= DATA_PATH_LEN) {
+		pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen,
+		       name);
+		return FILLDIR_ACTOR_CONTINUE;
+	}
+
+	if (d_type == DT_DIR && my_ctx->depth > 0 &&
+	    (my_ctx->stop && !*my_ctx->stop)) {
+		struct data_path *data =
+			kmalloc(sizeof(struct data_path), GFP_ATOMIC);
+
+		if (!data) {
+			pr_err("Failed to allocate memory for %s\n", dirpath);
+			return FILLDIR_ACTOR_CONTINUE;
+		}
+
+		strscpy(data->dirpath, dirpath, DATA_PATH_LEN);
+		data->depth = my_ctx->depth - 1;
+		list_add_tail(&data->list, my_ctx->data_path_list);
+	} else {
+		if ((namelen == 8) &&
+		    (strncmp(name, "base.apk", namelen) == 0)) {
+			struct apk_path_hash *pos, *n;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0)
+			unsigned int hash =
+				full_name_hash(dirpath, strlen(dirpath));
+#else
+			unsigned int hash =
+				full_name_hash(NULL, dirpath, strlen(dirpath));
+#endif
+			list_for_each_entry(pos, &apk_path_hash_list, list) {
+				if (hash == pos->hash) {
+					pos->exists = true;
+					return FILLDIR_ACTOR_CONTINUE;
+				}
+			}
+
+			int signature_index = -1;
+			bool is_multi_manager = is_dynamic_manager_apk(
+				dirpath, &signature_index);
+
+			pr_info("Found new base.apk at path: %s, is_multi_manager: %d, signature_index: %d\n",
+				dirpath, is_multi_manager, signature_index);
+			// Check for dynamic sign or multi-manager signatures
+			if (is_multi_manager &&
+			    (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2)) {
+				crown_manager(dirpath, my_ctx->private_data,
+					      signature_index);
+
+				struct apk_path_hash *apk_data =
+					kmalloc(sizeof(struct apk_path_hash),
+						GFP_ATOMIC);
+
+				if (apk_data) {
+					apk_data->hash = hash;
+					apk_data->exists = true;
+					list_add_tail(&apk_data->list,
+						      &apk_path_hash_list);
+				}
+
+			} else if (is_manager_apk(dirpath)) {
+				crown_manager(dirpath, my_ctx->private_data, 0);
+				*my_ctx->stop = 1;
+
+				// Manager found, clear APK cache list
+				list_for_each_entry_safe(
+					pos, n, &apk_path_hash_list, list) {
+					list_del(&pos->list);
+					kfree(pos);
+				}
+			} else {
+				struct apk_path_hash *apk_data =
+					kmalloc(sizeof(struct apk_path_hash),
+						GFP_ATOMIC);
+				if (apk_data) {
+					apk_data->hash = hash;
+					apk_data->exists = true;
+					list_add_tail(&apk_data->list,
+						      &apk_path_hash_list);
+				}
+			}
+		}
+	}
+
+	return FILLDIR_ACTOR_CONTINUE;
+}
+
+void search_manager(const char *path, int depth, struct list_head *uid_data)
+{
+	int i, stop = 0;
+	struct list_head data_path_list;
+	INIT_LIST_HEAD(&data_path_list);
+	INIT_LIST_HEAD(&apk_path_hash_list);
+	unsigned long data_app_magic = 0;
+
+	// Initialize APK cache list
+	struct apk_path_hash *pos, *n;
+	list_for_each_entry(pos, &apk_path_hash_list, list) {
+		pos->exists = false;
+	}
+
+	// First depth
+	struct data_path data;
+	strscpy(data.dirpath, path, DATA_PATH_LEN);
+	data.depth = depth;
+	list_add_tail(&data.list, &data_path_list);
+
+	for (i = depth; i >= 0; i--) {
+		struct data_path *pos, *n;
+
+		list_for_each_entry_safe(pos, n, &data_path_list, list) {
+			struct my_dir_context ctx = {
+				.ctx.actor = my_actor,
+				.data_path_list = &data_path_list,
+				.parent_dir = pos->dirpath,
+				.private_data = uid_data,
+				.depth = pos->depth,
+				.stop = &stop
+			};
+			struct file *file;
+
+			if (!stop) {
+				file = ksu_filp_open_compat(
+					pos->dirpath, O_RDONLY | O_NOFOLLOW, 0);
+				if (IS_ERR(file)) {
+					pr_err("Failed to open directory: %s, err: %ld\n",
+					       pos->dirpath, PTR_ERR(file));
+					goto skip_iterate;
+				}
+
+				// grab magic on first folder, which is /data/app
+				if (!data_app_magic) {
+					if (file->f_inode->i_sb->s_magic) {
+						data_app_magic =
+							file->f_inode->i_sb
+								->s_magic;
+						pr_info("%s: dir: %s got magic! 0x%lx\n",
+							__func__, pos->dirpath,
+							data_app_magic);
+					} else {
+						filp_close(file, NULL);
+						goto skip_iterate;
+					}
+				}
+
+				if (file->f_inode->i_sb->s_magic !=
+				    data_app_magic) {
+					pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n",
+						__func__, pos->dirpath,
+						file->f_inode->i_sb->s_magic,
+						data_app_magic);
+					filp_close(file, NULL);
+					goto skip_iterate;
+				}
+
+				iterate_dir(file, &ctx.ctx);
+				filp_close(file, NULL);
+			}
+skip_iterate:
+			list_del(&pos->list);
+			if (pos != &data)
+				kfree(pos);
+		}
+	}
+
+	// clear apk_path_hash_list unconditionally
+	pr_info("search manager: cleanup!\n");
+	list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
+		list_del(&pos->list);
+		kfree(pos);
+	}
+}
+
+static bool is_uid_exist(uid_t uid, char *package, void *data)
+{
+	struct list_head *list = (struct list_head *)data;
+	struct uid_data *np;
+
+	bool exist = false;
+	list_for_each_entry(np, list, list) {
+		if (np->uid == uid % 100000 &&
+		    strncmp(np->package, package, KSU_MAX_PACKAGE_NAME) == 0) {
+			exist = true;
+			break;
+		}
+	}
+	return exist;
+}
+
+void track_throne(void)
+{
+	struct list_head uid_list;
+	INIT_LIST_HEAD(&uid_list);
+
+	pr_info("track_throne triggered, attempting whitelist read\n");
+	
+	// Try read whitelist first
+	int ret = read_uid_whitelist(&uid_list);
+	
+	if (ret < 0) {
+		pr_info("whitelist read failed (%d), request userspace scan\n", ret);
+		
+		// Request userspace to rescan
+		ksu_request_userspace_scan();
+		
+		// fallback to packages.list method
+		struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+		if (IS_ERR(fp)) {
+			pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n",
+		       __func__, PTR_ERR(fp));
+			goto out;
+		}
+
+		char chr = 0;
+		loff_t pos = 0;
+		loff_t line_start = 0;
+		char buf[KSU_MAX_PACKAGE_NAME];
+		size_t fallback_count = 0;
+		
+		for (;;) {
+			ssize_t count =
+				ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+			if (count != sizeof(chr))
+				break;
+			if (chr != '\n')
+				continue;
+
+			count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+						       &line_start);
+
+			struct uid_data *data =
+				kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
+			if (!data) {
+				filp_close(fp, 0);
+				goto out;
+			}
+
+			char *tmp = buf;
+			const char *delim = " ";
+			char *package = strsep(&tmp, delim);
+			char *uid = strsep(&tmp, delim);
+			if (!uid || !package) {
+				pr_err("update_uid: package or uid is NULL!\n");
+				kfree(data);
+				break;
+			}
+
+			u32 res;
+			if (kstrtou32(uid, 10, &res)) {
+				pr_err("update_uid: uid parse err\n");
+				kfree(data);
+				break;
+			}
+			data->uid = res;
+			strncpy(data->package, package, KSU_MAX_PACKAGE_NAME);
+			list_add_tail(&data->list, &uid_list);
+			fallback_count++;
+			
+			// reset line start
+			line_start = pos;
+		}
+		filp_close(fp, 0);
+		pr_info("Loaded %zu packages from packages.list fallback\n", fallback_count);
+	} else {
+		pr_info("loaded uids from whitelist successfully\n");
+	}
+
+	// now update uid list
+	struct uid_data *np;
+	struct uid_data *n;
+
+	// first, check if manager_uid exist!
+	bool manager_exist = false;
+	bool dynamic_manager_exist = false;
+
+	list_for_each_entry(np, &uid_list, list) {
+		// if manager is installed in work profile, the uid in packages.list is still equals main profile
+		// don't delete it in this case!
+		int manager_uid = ksu_get_manager_uid() % 100000;
+		if (np->uid == manager_uid) {
+			manager_exist = true;
+			break;
+		}
+	}
+
+	// Check for dynamic managers
+	if (!dynamic_manager_exist && ksu_is_dynamic_manager_enabled()) {
+		list_for_each_entry(np, &uid_list, list) {
+			// Check if this uid is a dynamic manager (not the traditional manager)
+			if (ksu_is_any_manager(np->uid) &&
+				 np->uid != ksu_get_manager_uid()) {
+				dynamic_manager_exist = true;
+				break;
+			}
+		}
+	}
+
+	if (!manager_exist) {
+		if (ksu_is_manager_uid_valid()) {
+			pr_info("manager is uninstalled, invalidate it!\n");
+			ksu_invalidate_manager_uid();
+			goto prune;
+		}
+		pr_info("Searching manager...\n");
+		search_manager("/data/app", 2, &uid_list);
+		pr_info("Search manager finished\n");
+	} else if (!dynamic_manager_exist && ksu_is_dynamic_manager_enabled()) {
+		// Always perform search when called from dynamic manager rescan
+		pr_info("Dynamic sign enabled, Searching manager...\n");
+		search_manager("/data/app", 2, &uid_list);
+		pr_info("Search Dynamic sign manager finished\n");
+	}
+
+prune:
+	// then prune the allowlist
+	ksu_prune_allowlist(is_uid_exist, &uid_list);
+out:
+	// free uid_list
+	list_for_each_entry_safe(np, n, &uid_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+}
+
+void ksu_throne_tracker_init(void)
+{
+	// nothing to do
+}
+
+void ksu_throne_tracker_exit(void)
+{
+	// nothing to do
+}