kernel: refact (#113)
* refact
* sort inlude
* update
* unregister execve kprobe
* update log
* don't unregister if not in kprobe
* opt for no kprobe
* opt for no kprobe
* stop debug
* don't forget to call ksu_uid_observer_exit
* rename core to core_hook
* direct call do_persistent_allow_list
* add prefix
* use getter, add warn
* add wrapper
* run clang-format
clang-format --style="{BasedOnStyle: InheritParentConfig, SortIncludes: true}" -i kernel/**/*.[ch]
* try fix wsa x64 build
This commit is contained in:
Ylarod
GitHub
@@ -1,15 +1,13 @@
|
||||
#include <linux/version.h>
|
||||
#include "sepolicy.h"
|
||||
#include "linux/version.h"
|
||||
|
||||
#include "selinux.h"
|
||||
#include "sepolicy.h"
|
||||
#include "ss/services.h"
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
#define SELINUX_POLICY_INSTEAD_SELINUX_SS
|
||||
#endif
|
||||
|
||||
#ifndef SELINUX_POLICY_INSTEAD_SELINUX_SS
|
||||
#include <ss/services.h>
|
||||
#endif
|
||||
|
||||
#define KERNEL_SU_DOMAIN "su"
|
||||
#define KERNEL_SU_FILE "ksu_file"
|
||||
#define ALL NULL
|
||||
@@ -37,10 +35,10 @@ void apply_kernelsu_rules()
|
||||
ksu_typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
|
||||
ksu_typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
|
||||
|
||||
// Create unconstrained file type
|
||||
ksu_type(db, KERNEL_SU_FILE, "file_type");
|
||||
ksu_typeattribute(db, KERNEL_SU_FILE, "mlstrustedobject");
|
||||
ksu_allow(db, ALL, KERNEL_SU_FILE, ALL, ALL);
|
||||
// Create unconstrained file type
|
||||
ksu_type(db, KERNEL_SU_FILE, "file_type");
|
||||
ksu_typeattribute(db, KERNEL_SU_FILE, "mlstrustedobject");
|
||||
ksu_allow(db, ALL, KERNEL_SU_FILE, ALL, ALL);
|
||||
|
||||
// allow all!
|
||||
ksu_allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
|
||||
@@ -59,9 +57,11 @@ void apply_kernelsu_rules()
|
||||
ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
|
||||
// we need to read /data/system/packages.list
|
||||
ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
|
||||
// Android 10+: http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
|
||||
// Android 10+:
|
||||
// http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
|
||||
ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
|
||||
// Android 9-: http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
|
||||
// Android 9-:
|
||||
// http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
|
||||
ksu_allow(db, "kernel", "system_data_file", "file", ALL);
|
||||
|
||||
// our ksud triggered by init
|
||||
@@ -94,14 +94,17 @@ void apply_kernelsu_rules()
|
||||
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
|
||||
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
|
||||
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
|
||||
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
|
||||
ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
|
||||
"getattr");
|
||||
|
||||
// Allow all binder transactions
|
||||
ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
|
||||
|
||||
// Allow system server devpts
|
||||
ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file", "read");
|
||||
ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file", "write");
|
||||
ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
|
||||
"read");
|
||||
ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
|
||||
"write");
|
||||
|
||||
rcu_read_unlock();
|
||||
}
|
||||
@@ -1,20 +1,7 @@
|
||||
#include <linux/cpu.h>
|
||||
#include <linux/memory.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/module.h>
|
||||
#include <linux/kprobes.h>
|
||||
#include <linux/printk.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/slab.h>
|
||||
|
||||
#include <ss/sidtab.h>
|
||||
#include <ss/services.h>
|
||||
#include <objsec.h>
|
||||
#include "linux/printk.h"
|
||||
|
||||
#include "objsec.h"
|
||||
#include "selinux.h"
|
||||
#include "../klog.h"
|
||||
|
||||
#define KERNEL_SU_DOMAIN "u:r:su:s0"
|
||||
|
||||
@@ -57,11 +44,11 @@ void setup_selinux()
|
||||
}
|
||||
|
||||
/* we didn't need this now, we have change selinux rules when boot!
|
||||
if (!is_domain_permissive) {
|
||||
if (set_domain_permissive() == 0) {
|
||||
is_domain_permissive = true;
|
||||
}
|
||||
}*/
|
||||
if (!is_domain_permissive) {
|
||||
if (set_domain_permissive() == 0) {
|
||||
is_domain_permissive = true;
|
||||
}
|
||||
}*/
|
||||
}
|
||||
|
||||
void setenforce(bool enforce)
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#ifndef __KSU_H_SELINUX
|
||||
#define __KSU_H_SELINUX
|
||||
|
||||
#include <linux/types.h>
|
||||
#include "linux/types.h"
|
||||
|
||||
void setup_selinux();
|
||||
|
||||
|
||||
@@ -1,9 +1,8 @@
|
||||
#include <linux/gfp.h>
|
||||
#include <linux/version.h>
|
||||
#include <linux/printk.h>
|
||||
#include <linux/slab.h>
|
||||
#include "sepolicy.h"
|
||||
#include "../klog.h"
|
||||
#include "linux/gfp.h"
|
||||
#include "linux/printk.h"
|
||||
#include "linux/slab.h"
|
||||
#include "linux/version.h"
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
// TODO: backport to lower kernel
|
||||
@@ -57,7 +56,8 @@ static bool add_typeattribute(struct policydb *db, const char *type,
|
||||
// Implementation
|
||||
//////////////////////////////////////////////////////
|
||||
|
||||
// Invert is adding rules for auditdeny; in other cases, invert is removing rules
|
||||
// Invert is adding rules for auditdeny; in other cases, invert is removing
|
||||
// rules
|
||||
#define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
|
||||
|
||||
#define hash_for_each(node_ptr, n_slot, cur) \
|
||||
@@ -65,7 +65,8 @@ static bool add_typeattribute(struct policydb *db, const char *type,
|
||||
for (i = 0; i < n_slot; ++i) \
|
||||
for (cur = node_ptr[i]; cur; cur = cur->next)
|
||||
|
||||
// htable is a struct instead of pointer above 5.8.0: https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
|
||||
// htable is a struct instead of pointer above 5.8.0:
|
||||
// https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
|
||||
#define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
|
||||
#else
|
||||
@@ -73,7 +74,8 @@ static bool add_typeattribute(struct policydb *db, const char *type,
|
||||
hash_for_each (htab->htable, htab->size, cur)
|
||||
#endif
|
||||
|
||||
// symtab_search is introduced on 5.9.0: https://elixir.bootlin.com/linux/v5.9-rc1/source/security/selinux/ss/symtab.h
|
||||
// symtab_search is introduced on 5.9.0:
|
||||
// https://elixir.bootlin.com/linux/v5.9-rc1/source/security/selinux/ss/symtab.h
|
||||
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
|
||||
#define symtab_search(s, name) hashtab_search((s)->table, name)
|
||||
#endif
|
||||
@@ -110,9 +112,9 @@ static struct avtab_node *get_avtab_node(struct policydb *db,
|
||||
if (!node) {
|
||||
struct avtab_datum avdatum = {};
|
||||
/*
|
||||
* AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
|
||||
* others. Initialize the data accordingly.
|
||||
*/
|
||||
* AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
|
||||
* others. Initialize the data accordingly.
|
||||
*/
|
||||
if (key->specified & AVTAB_XPERMS) {
|
||||
avdatum.u.xperms = xperms;
|
||||
} else {
|
||||
|
||||
@@ -1,37 +1,46 @@
|
||||
#ifndef __KSU_H_SEPOLICY
|
||||
#define __KSU_H_SEPOLICY
|
||||
|
||||
#include <linux/types.h>
|
||||
#include <ss/sidtab.h>
|
||||
#include <ss/services.h>
|
||||
#include <objsec.h>
|
||||
#include "linux/types.h"
|
||||
|
||||
#include "ss/policydb.h"
|
||||
|
||||
// Operation on types
|
||||
bool ksu_type(struct policydb* db, const char* name, const char* attr);
|
||||
bool ksu_attribute(struct policydb* db, const char* name);
|
||||
bool ksu_permissive(struct policydb* db, const char* type);
|
||||
bool ksu_enforce(struct policydb* db, const char* type);
|
||||
bool ksu_typeattribute(struct policydb* db, const char* type, const char* attr);
|
||||
bool ksu_exists(struct policydb* db, const char* type);
|
||||
bool ksu_type(struct policydb *db, const char *name, const char *attr);
|
||||
bool ksu_attribute(struct policydb *db, const char *name);
|
||||
bool ksu_permissive(struct policydb *db, const char *type);
|
||||
bool ksu_enforce(struct policydb *db, const char *type);
|
||||
bool ksu_typeattribute(struct policydb *db, const char *type, const char *attr);
|
||||
bool ksu_exists(struct policydb *db, const char *type);
|
||||
|
||||
// Access vector rules
|
||||
bool ksu_allow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
|
||||
bool ksu_deny(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
|
||||
bool ksu_auditallow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
|
||||
bool ksu_dontaudit(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
|
||||
bool ksu_allow(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *perm);
|
||||
bool ksu_deny(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *perm);
|
||||
bool ksu_auditallow(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *perm);
|
||||
bool ksu_dontaudit(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *perm);
|
||||
|
||||
// Extended permissions access vector rules
|
||||
bool ksu_allowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
|
||||
bool ksu_auditallowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
|
||||
bool ksu_dontauditxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
|
||||
bool ksu_allowxperm(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *range);
|
||||
bool ksu_auditallowxperm(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *range);
|
||||
bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *range);
|
||||
|
||||
// Type rules
|
||||
bool ksu_type_transition(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def, const char* obj);
|
||||
bool ksu_type_change(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
|
||||
bool ksu_type_member(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
|
||||
bool ksu_type_transition(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *def, const char *obj);
|
||||
bool ksu_type_change(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *def);
|
||||
bool ksu_type_member(struct policydb *db, const char *src, const char *tgt,
|
||||
const char *cls, const char *def);
|
||||
|
||||
// File system labeling
|
||||
bool ksu_genfscon(struct policydb* db, const char* fs_name, const char* path, const char* ctx);
|
||||
bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
|
||||
const char *ctx);
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user