kernel: provide is_ksu_transition check

context: this is known by many as `selinux hook`, `4.9 hook` add is_ksu_transition check which allows ksud execution under nosuid. it also eases up integration on 3.X kernels that does not have check_nnp_nosuid. this also adds a `ksu_execveat_hook` check since this transition is NOT needed anymore once ksud ran. Usage: if (check_ksu_transition(old_tsec, new_tsec)) return 0; on either check_nnp_nosuid or selinux_bprm_set_creds (after execve sid reset) reference: dfe003c9fd taken from: `allow init exec ksud under nosuid` - 3df9df42a6 - https://github.com/tiann/KernelSU/pull/166#issue-1565872173 Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
2025-06-08 07:14:10 +07:00
parent aec76a388f
commit 1d1e0f1e7f
1 changed files with 25 additions and 0 deletions
--- a/kernel/ksud.c
+++ b/kernel/ksud.c
@@ -635,6 +635,31 @@ __maybe_unused int ksu_handle_execve_ksud(const char __user *filename_user,
 }
 #endif

+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+#include "objsec.h" // task_security_struct
+bool is_ksu_transition(const struct task_security_struct *old_tsec,
+			const struct task_security_struct *new_tsec)
+{
+	static u32 ksu_sid;
+	char *secdata;
+	u32 seclen;
+	bool allowed = false;
+
+	if (!ksu_execveat_hook) // not needed anymore once ksud ran
+		return false;
+
+	if (!ksu_sid)
+		security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);
+
+	if (security_secid_to_secctx(old_tsec->sid, &secdata, &seclen))
+		return false;
+
+	allowed = (!strcmp("u:r:init:s0", secdata) && new_tsec->sid == ksu_sid);
+	security_release_secctx(secdata, seclen);
+	return allowed;
+}
+#endif
+
 static void stop_vfs_read_hook()
 {
 #ifdef CONFIG_KSU_KPROBES_HOOK