kernel: always disable seccomp

kernel/ksu.c

@@ -38,7 +38,7 @@
 #define CMD_GET_ALLOW_LIST 5
 #define CMD_GET_DENY_LIST 6
 
-void escape_to_root(bool disable_seccomp) {
+void escape_to_root() {
 	struct cred* cred;
 
 	cred = (struct cred *)__task_cred(current);
@@ -56,11 +56,10 @@ void escape_to_root(bool disable_seccomp) {
 	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
 	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
 
-	if (disable_seccomp) {
-		current_thread_info()->flags = 0;
+	// disable seccomp
+	current_thread_info()->flags &= ~TIF_SECCOMP;
 	current->seccomp.mode = 0;
 	current->seccomp.filter = NULL;
-	}
 
 	setup_selinux();
 }
@@ -182,7 +181,7 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
 	if (arg2 == CMD_GRANT_ROOT) {
 		if (is_allow_su()) {
 			pr_info("allow root for: %d\n", current_uid());
-			escape_to_root(true);
+			escape_to_root();
 		} else {
 			pr_info("deny root for: %d\n", current_uid());
 			// add it to deny list!

kernel/sucompat.c

@@ -24,7 +24,7 @@
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
 
-extern void escape_to_root(bool);
+extern void escape_to_root();
 
 static void __user *userspace_stack_buffer(const void *d, size_t len) {
 	/* To avoid having to mmap a page in userspace, just write below the stack pointer. */
@@ -113,7 +113,7 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs) {
         pr_info("do_execveat_common su found\n");
         memcpy((void*) filename->name, sh, sizeof(sh));
 
-        escape_to_root(false);
+        escape_to_root();
     }
 
     return 0;