android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

kernel: baby version of profile

Browse Source
This commit is contained in:
weishu
2023-06-03 00:00:56 +08:00
parent 41265b0203
commit 3abb7e4ca2
4 changed files with 189 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
kernel/allowlist.c
View File

@@ -1,5 +1,7 @@
#include "ksu.h"
#include "linux/delay.h"
#include "linux/fs.h"
#include "linux/gfp.h"
#include "linux/kernel.h"
#include "linux/list.h"
#include "linux/printk.h"
@@ -8,16 +10,32 @@
#include "klog.h" // IWYU pragma: keep
#include "selinux/selinux.h"
#include "kernel_compat.h"
#include "allowlist.h"
#define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
#define FILE_FORMAT_VERSION 1 // u32
#define FILE_FORMAT_VERSION 2 // u32
static DEFINE_MUTEX(allowlist_mutex);
// default root identify
static struct root_identity default_root_identity;
static bool default_umount_modules = true;
static void init_root_identity()
{
default_root_identity.uid = 0;
default_root_identity.gid = 0;
default_root_identity.groups_count = 1;
default_root_identity.groups[0] = 0;
memset(&default_root_identity.capabilities, 0xff,
sizeof(default_root_identity.capabilities));
default_root_identity.namespaces = 0;
strcpy(default_root_identity.selinux_domain, "su");
}
struct perm_data {
struct list_head list;
uid_t uid;
bool allow;
struct app_profile profile;
};
static struct list_head allow_list;
@@ -36,20 +54,65 @@ void ksu_show_allow_list(void)
pr_info("ksu_show_allow_list");
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
pr_info("uid :%d, allow: %d\n", p->uid, p->allow);
pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
p->profile.allow_su);
}
}
bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
static void ksu_grant_root_to_shell()
{
struct app_profile profile = {
.allow_su = true,
.current_uid = 2000,
};
strcpy(profile.key, "com.android.shell");
ksu_set_app_profile(&profile, false);
}
bool ksu_get_app_profile(struct app_profile *profile)
{
struct perm_data *p = NULL;
struct list_head *pos = NULL;
bool found = false;
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
if (!strcmp(profile->key, p->profile.key)) {
// found it, override it with ours
memcpy(profile, &p->profile, sizeof(*profile));
found = true;
goto exit;
}
}
if (!found) {
// don't found, fill it with default profile
if (profile->allow_su) {
profile->root_profile.use_default = true;
memcpy(&profile->root_profile.identity,
&default_root_identity,
sizeof(default_root_identity));
} else {
profile->non_root_profile.use_default = true;
profile->non_root_profile.umount_modules =
default_umount_modules;
}
}
exit:
return found;
}
bool ksu_set_app_profile(struct app_profile *profile, bool persist)
{
// find the node first!
struct perm_data *p = NULL;
struct list_head *pos = NULL;
bool result = false;
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
if (uid == p->uid) {
p->allow = allow;
if (!strcmp(profile->key, p->profile.key)) {
// found it, just override it all!
memcpy(&p->profile, profile, sizeof(*profile));
result = true;
goto exit;
}
@@ -58,14 +121,13 @@ bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
// not found, alloc a new node!
p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
if (!p) {
pr_err("alloc allow node failed.\n");
pr_err("ksu_set_app_profile alloc failed\n");
return false;
}
p->uid = uid;
p->allow = allow;
pr_info("allow_uid: %d, allow: %d", uid, allow);
memcpy(&p->profile, profile, sizeof(*profile));
pr_info("set app profile, key: %s, uid: %d\n", profile->key,
profile->current_uid);
list_add_tail(&p->list, &allow_list);
result = true;
@@ -89,8 +151,8 @@ bool ksu_is_allow_uid(uid_t uid)
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
// pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
if (uid == p->uid) {
return p->allow;
if (uid == p->profile.current_uid) {
return p->profile.allow_su;
}
}
@@ -105,8 +167,8 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
// pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
if (p->allow == allow) {
array[i++] = p->uid;
if (p->profile.allow_su == allow) {
array[i++] = p->profile.allow_su;
}
}
*length = i;
@@ -114,7 +176,7 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
return true;
}
void do_persistent_allow_list(struct work_struct *work)
void do_save_allow_list(struct work_struct *work)
{
u32 magic = FILE_MAGIC;
u32 version = FILE_FORMAT_VERSION;
@@ -131,7 +193,8 @@ void do_persistent_allow_list(struct work_struct *work)
}
// store magic and version
if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
sizeof(magic)) {
pr_err("save_allow_list write magic failed.\n");
goto exit;
}
@@ -144,10 +207,12 @@ void do_persistent_allow_list(struct work_struct *work)
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
pr_info("save allow list uid :%d, allow: %d\n", p->uid,
p->allow);
ksu_kernel_write_compat(fp, &p->uid, sizeof(p->uid), &off);
ksu_kernel_write_compat(fp, &p->allow, sizeof(p->allow), &off);
pr_info("save allow list, name: %s uid :%d, allow: %d\n",
p->profile.key, p->profile.current_uid,
p->profile.allow_su);
ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
&off);
}
exit:
@@ -163,27 +228,21 @@ void do_load_allow_list(struct work_struct *work)
u32 version;
KWORKER_INSTALL_KEYRING();
#ifdef CONFIG_KSU_DEBUG
// always allow adb shell by default
ksu_grant_root_to_shell();
#endif
// load allowlist now!
fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
if (IS_ERR(fp)) {
#ifdef CONFIG_KSU_DEBUG
int errno = PTR_ERR(fp);
if (errno == -ENOENT) {
ksu_allow_uid(2000, true,
true); // allow adb shell by default
} else {
pr_err("load_allow_list open file failed: %ld\n",
PTR_ERR(fp));
}
#else
pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
#endif
return;
}
// verify magic
if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
sizeof(magic) ||
magic != FILE_MAGIC) {
pr_err("allowlist file invalid: %d!\n", magic);
goto exit;
@@ -198,18 +257,19 @@ void do_load_allow_list(struct work_struct *work)
pr_info("allowlist version: %d\n", version);
while (true) {
u32 uid;
bool allow = false;
ret = ksu_kernel_read_compat(fp, &uid, sizeof(uid), &off);
struct app_profile profile;
ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
&off);
if (ret <= 0) {
pr_info("load_allow_list read err: %zd\n", ret);
break;
}
ret = ksu_kernel_read_compat(fp, &allow, sizeof(allow), &off);
pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
ksu_allow_uid(uid, allow, false);
pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
profile.key, profile.current_uid, profile.allow_su);
ksu_set_app_profile(&profile, false);
}
exit:
@@ -226,7 +286,7 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
// TODO: use RCU!
mutex_lock(&allowlist_mutex);
list_for_each_entry_safe (np, n, &allow_list, list) {
uid_t uid = np->uid;
uid_t uid = np->profile.current_uid;
if (!is_uid_exist(uid, data)) {
modified = true;
pr_info("prune uid: %d\n", uid);
@@ -256,8 +316,11 @@ void ksu_allowlist_init(void)
{
INIT_LIST_HEAD(&allow_list);
INIT_WORK(&ksu_save_work, do_persistent_allow_list);
INIT_WORK(&ksu_save_work, do_save_allow_list);
INIT_WORK(&ksu_load_work, do_load_allow_list);
// init default_root_identity, which is used for root identity when root profile is not set.
init_root_identity();
}
void ksu_allowlist_exit(void)
@@ -265,7 +328,7 @@ void ksu_allowlist_exit(void)
struct perm_data *np = NULL;
struct perm_data *n = NULL;
do_persistent_allow_list(NULL);
do_save_allow_list(NULL);
// free allowlist
mutex_lock(&allowlist_mutex);