diff --git a/kernel/Makefile b/kernel/Makefile index adb47909..3a2218a4 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -119,7 +119,7 @@ ccflags-y += -DKSU_KERNEL_WRITE endif ifeq ($(shell grep -q "int\s\+path_umount" $(srctree)/fs/namespace.c; echo $$?),0) -ccflags-y += -DKSU_HAS_PATH_UMOUNTAdd commentMore actions +ccflags-y += -DKSU_HAS_PATH_UMOUNT endif # 检查三星 UH 驱动程序 diff --git a/kernel/selinux/rules.c b/kernel/selinux/rules.c index f658a049..477347d6 100644 --- a/kernel/selinux/rules.c +++ b/kernel/selinux/rules.c @@ -91,6 +91,7 @@ void ksu_apply_kernelsu_rules() ksu_allow(db, "init", "adb_data_file", "file", ALL); ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289 ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL); + // we need to umount modules in zygote ksu_allow(db, "zygote", "adb_data_file", "dir", "search"); @@ -130,9 +131,9 @@ void ksu_apply_kernelsu_rules() // Allow all binder transactions ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL); - // Allow system server kill su process - ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid"); - ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill"); + // Allow system server kill su process + ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid"); + ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill"); #ifdef CONFIG_KSU_SUSFS // Allow umount in zygote process without installing zygisk @@ -157,34 +158,30 @@ void ksu_apply_kernelsu_rules() #define CMD_TYPE_CHANGE 8 #define CMD_GENFSCON 9 -#ifdef CONFIG_64BIT -struct sepol_data { - u32 cmd; - u32 subcmd; - u64 field_sepol1; - u64 field_sepol2; - u64 field_sepol3; - u64 field_sepol4; - u64 field_sepol5; - u64 field_sepol6; - u64 field_sepol7; -}; -#ifdef CONFIG_COMPAT +// keep it! extern bool ksu_is_compat __read_mostly; -struct sepol_compat_data { - u32 cmd; - u32 subcmd; - u32 field_sepol1; - u32 field_sepol2; - u32 field_sepol3; - u32 field_sepol4; - u32 field_sepol5; - u32 field_sepol6; - u32 field_sepol7; -}; -#endif // CONFIG_COMPAT + +// armv7l kernel compat +#ifdef CONFIG_64BIT +#define usize u64 #else +#define usize u32 +#endif + struct sepol_data { + u32 cmd; + u32 subcmd; + usize field_sepol1; + usize field_sepol2; + usize field_sepol3; + usize field_sepol4; + usize field_sepol5; + usize field_sepol6; + usize field_sepol7; +}; + +// ksud 32-bit on arm64 kernel +struct __maybe_unused sepol_data_compat { u32 cmd; u32 subcmd; u32 field_sepol1; @@ -195,7 +192,6 @@ struct sepol_data { u32 field_sepol6; u32 field_sepol7; }; -#endif // CONFIG_64BIT static int get_object(char *buf, char __user *user_object, size_t buf_sz, char **object) @@ -217,7 +213,8 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz, // reset avc cache table, otherwise the new rules will not take effect if already denied static void reset_avc_cache() { -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) || !defined(KSU_COMPAT_USE_SELINUX_STATE) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) || \ + !defined(KSU_COMPAT_USE_SELINUX_STATE) avc_ss_reset(0); selnl_notify_policyload(0); selinux_status_update_policyload(0); @@ -243,22 +240,22 @@ int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4) u32 cmd, subcmd; char __user *sepol1, *sepol2, *sepol3, *sepol4, *sepol5, *sepol6, *sepol7; -#if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT) if (unlikely(ksu_is_compat)) { - struct sepol_compat_data compat_data; - if (copy_from_user(&compat_data, arg4, sizeof(struct sepol_compat_data))) { + struct sepol_data_compat data_compat; + if (copy_from_user(&data_compat, arg4, sizeof(struct sepol_data_compat))) { pr_err("sepol: copy sepol_data failed.\n"); return -1; } - sepol1 = compat_ptr(compat_data.field_sepol1); - sepol2 = compat_ptr(compat_data.field_sepol2); - sepol3 = compat_ptr(compat_data.field_sepol3); - sepol4 = compat_ptr(compat_data.field_sepol4); - sepol5 = compat_ptr(compat_data.field_sepol5); - sepol6 = compat_ptr(compat_data.field_sepol6); - sepol7 = compat_ptr(compat_data.field_sepol7); - cmd = compat_data.cmd; - subcmd = compat_data.subcmd; + pr_info("sepol: running in compat mode!\n"); + sepol1 = compat_ptr(data_compat.field_sepol1); + sepol2 = compat_ptr(data_compat.field_sepol2); + sepol3 = compat_ptr(data_compat.field_sepol3); + sepol4 = compat_ptr(data_compat.field_sepol4); + sepol5 = compat_ptr(data_compat.field_sepol5); + sepol6 = compat_ptr(data_compat.field_sepol6); + sepol7 = compat_ptr(data_compat.field_sepol7); + cmd = data_compat.cmd; + subcmd = data_compat.subcmd; } else { struct sepol_data data; if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) { @@ -275,26 +272,6 @@ int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4) cmd = data.cmd; subcmd = data.subcmd; } -#else - // basically for full native, say (64BIT=y COMPAT=n) || (64BIT=n) - - struct sepol_data data; - if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) { - pr_err("sepol: copy sepol_data failed.\n"); - return -1; - } - - - sepol1 = data.field_sepol1; - sepol2 = data.field_sepol2; - sepol3 = data.field_sepol3; - sepol4 = data.field_sepol4; - sepol5 = data.field_sepol5; - sepol6 = data.field_sepol6; - sepol7 = data.field_sepol7; - cmd = data.cmd; - subcmd = data.subcmd; -#endif rcu_read_lock(); diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index b4ad7c99..3357f21b 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -2,6 +2,9 @@ #include "objsec.h" #include "linux/version.h" #include "../klog.h" // IWYU pragma: keep +#ifdef SAMSUNG_SELINUX_PORTING +#include "security.h" // Samsung SELinux Porting +#endif #ifndef KSU_COMPAT_USE_SELINUX_STATE #include "avc.h" #endif @@ -72,18 +75,14 @@ void ksu_setup_selinux(const char *domain) pr_err("transive domain failed.\n"); return; } - - /* we didn't need this now, we have change selinux rules when boot! -if (!is_domain_permissive) { - if (set_domain_permissive() == 0) { - is_domain_permissive = true; - } -}*/ } void ksu_setenforce(bool enforce) { #ifdef CONFIG_SECURITY_SELINUX_DEVELOP +#ifdef SAMSUNG_SELINUX_PORTING + selinux_enforcing = enforce; +#endif #ifdef KSU_COMPAT_USE_SELINUX_STATE selinux_state.enforcing = enforce; #else @@ -105,6 +104,9 @@ bool ksu_getenforce() #endif #ifdef CONFIG_SECURITY_SELINUX_DEVELOP +#ifdef SAMSUNG_SELINUX_PORTING + return selinux_enforcing; +#endif #ifdef KSU_COMPAT_USE_SELINUX_STATE return selinux_state.enforcing; #else