kernel: Add sulog records for supercalls
@@ -77,6 +77,10 @@ static int do_grant_root(void __user *arg)
|
|||||||
// Check if current UID is allowed
|
// Check if current UID is allowed
|
||||||
bool is_allowed = is_manager() || ksu_is_allow_uid(current_uid().val);
|
bool is_allowed = is_manager() || ksu_is_allow_uid(current_uid().val);
|
||||||
|
|
||||||
|
#if __SULOG_GATE
|
||||||
|
ksu_sulog_report_permission_check(current_uid().val, current->comm, is_allowed);
|
||||||
|
#endif
|
||||||
|
|
||||||
if (!is_allowed) {
|
if (!is_allowed) {
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
}
|
}
|
||||||
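Review bot: The new sulog record keys the caller on `current->comm`, which any process can set to an arbitrary string via prctl(PR_SET_NAME), so as an audit identity it is attacker-controlled and should not be relied on when reviewing the log. If ksu_sulog_report_permission_check() cannot take the pid/tgid as well, a comment at the call site should say that comm is informational only, e.g. `/* comm is caller-controlled (PR_SET_NAME); uid is the trustworthy key in this record */`. Note also that `is_allowed` folds the manager path and the allowlist path into one bool, so the record cannot say which of the two granted root. do_grant_root's body continues outside the hunk.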
@@ -513,27 +517,27 @@ static int do_enable_uid_scanner(void __user *arg)
|
|||||||
|
|
||||||
// IOCTL handlers mapping table
|
// IOCTL handlers mapping table
|
||||||
static const struct ksu_ioctl_cmd_map ksu_ioctl_handlers[] = {
|
static const struct ksu_ioctl_cmd_map ksu_ioctl_handlers[] = {
|
||||||
{ .cmd = KSU_IOCTL_GRANT_ROOT, .handler = do_grant_root, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_GRANT_ROOT, .handler = do_grant_root, .perm_check = perm_check_basic, .name = "do_grant_root"},
|
||||||
{ .cmd = KSU_IOCTL_GET_INFO, .handler = do_get_info, .perm_check = perm_check_all},
|
{ .cmd = KSU_IOCTL_GET_INFO, .handler = do_get_info, .perm_check = perm_check_all, .name = "do_get_info"},
|
||||||
{ .cmd = KSU_IOCTL_REPORT_EVENT, .handler = do_report_event, .perm_check = perm_check_root},
|
{ .cmd = KSU_IOCTL_REPORT_EVENT, .handler = do_report_event, .perm_check = perm_check_root, .name = "do_report_event"},
|
||||||
{ .cmd = KSU_IOCTL_SET_SEPOLICY, .handler = do_set_sepolicy, .perm_check = perm_check_root},
|
{ .cmd = KSU_IOCTL_SET_SEPOLICY, .handler = do_set_sepolicy, .perm_check = perm_check_root, .name = "do_set_sepolicy"},
|
||||||
{ .cmd = KSU_IOCTL_CHECK_SAFEMODE, .handler = do_check_safemode, .perm_check = perm_check_all},
|
{ .cmd = KSU_IOCTL_CHECK_SAFEMODE, .handler = do_check_safemode, .perm_check = perm_check_all, .name = "do_check_safemode"},
|
||||||
{ .cmd = KSU_IOCTL_GET_ALLOW_LIST, .handler = do_get_allow_list, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_GET_ALLOW_LIST, .handler = do_get_allow_list, .perm_check = perm_check_basic, .name = "do_get_allow_list"},
|
||||||
{ .cmd = KSU_IOCTL_GET_DENY_LIST, .handler = do_get_deny_list, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_GET_DENY_LIST, .handler = do_get_deny_list, .perm_check = perm_check_basic, .name = "do_get_deny_list"},
|
||||||
{ .cmd = KSU_IOCTL_UID_GRANTED_ROOT, .handler = do_uid_granted_root, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_UID_GRANTED_ROOT, .handler = do_uid_granted_root, .perm_check = perm_check_basic, .name = "do_uid_granted_root"},
|
||||||
{ .cmd = KSU_IOCTL_UID_SHOULD_UMOUNT, .handler = do_uid_should_umount, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_UID_SHOULD_UMOUNT, .handler = do_uid_should_umount, .perm_check = perm_check_basic, .name = "do_uid_should_umount"},
|
||||||
{ .cmd = KSU_IOCTL_GET_MANAGER_UID, .handler = do_get_manager_uid, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_GET_MANAGER_UID, .handler = do_get_manager_uid, .perm_check = perm_check_basic, .name = "do_get_manager_uid"},
|
||||||
{ .cmd = KSU_IOCTL_GET_APP_PROFILE, .handler = do_get_app_profile, .perm_check = perm_check_manager},
|
{ .cmd = KSU_IOCTL_GET_APP_PROFILE, .handler = do_get_app_profile, .perm_check = perm_check_manager, .name = "do_get_app_profile"},
|
||||||
{ .cmd = KSU_IOCTL_SET_APP_PROFILE, .handler = do_set_app_profile, .perm_check = perm_check_manager},
|
{ .cmd = KSU_IOCTL_SET_APP_PROFILE, .handler = do_set_app_profile, .perm_check = perm_check_manager, .name = "do_set_app_profile"},
|
||||||
{ .cmd = KSU_IOCTL_IS_SU_ENABLED, .handler = do_is_su_enabled, .perm_check = perm_check_manager},
|
{ .cmd = KSU_IOCTL_IS_SU_ENABLED, .handler = do_is_su_enabled, .perm_check = perm_check_manager, .name = "do_is_su_enabled"},
|
||||||
{ .cmd = KSU_IOCTL_ENABLE_SU, .handler = do_enable_su, .perm_check = perm_check_manager},
|
{ .cmd = KSU_IOCTL_ENABLE_SU, .handler = do_enable_su, .perm_check = perm_check_manager, .name = "do_enable_su"},
|
||||||
{ .cmd = KSU_IOCTL_GET_FULL_VERSION, .handler = do_get_full_version, .perm_check = perm_check_manager},
|
{ .cmd = KSU_IOCTL_GET_FULL_VERSION, .handler = do_get_full_version, .perm_check = perm_check_manager, .name = "do_get_full_version"},
|
||||||
{ .cmd = KSU_IOCTL_HOOK_TYPE, .handler = do_get_hook_type, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_HOOK_TYPE, .handler = do_get_hook_type, .perm_check = perm_check_basic, .name = "do_get_hook_type"},
|
||||||
{ .cmd = KSU_IOCTL_ENABLE_KPM, .handler = do_enable_kpm, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_ENABLE_KPM, .handler = do_enable_kpm, .perm_check = perm_check_basic, .name = "do_enable_kpm"},
|
||||||
{ .cmd = KSU_IOCTL_DYNAMIC_MANAGER, .handler = do_dynamic_manager, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_DYNAMIC_MANAGER, .handler = do_dynamic_manager, .perm_check = perm_check_basic, .name = "do_dynamic_manager"},
|
||||||
{ .cmd = KSU_IOCTL_GET_MANAGERS, .handler = do_get_managers, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_GET_MANAGERS, .handler = do_get_managers, .perm_check = perm_check_basic, .name = "do_get_managers"},
|
||||||
{ .cmd = KSU_IOCTL_ENABLE_UID_SCANNER, .handler = do_enable_uid_scanner, .perm_check = perm_check_basic},
|
{ .cmd = KSU_IOCTL_ENABLE_UID_SCANNER, .handler = do_enable_uid_scanner, .perm_check = perm_check_basic, .name = "do_enable_uid_scanner"},
|
||||||
{ .cmd = 0, .handler = NULL, .perm_check = NULL} // Sentinel
|
{ .cmd = 0, .handler = NULL, .perm_check = NULL, .name = NULL} // Sentinel
|
||||||
};
|
};
|
||||||
|
|
||||||
// IOCTL dispatcher
|
// IOCTL dispatcher
|
||||||
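Review bot: Each `.name` is a hand-typed copy of the handler identifier, so a future entry can silently log a name that does not match its `.handler`; deriving it with the stringizing operator keeps the two in lockstep, e.g. `#define KSU_IOCTL_ENTRY(c, h, p) { .cmd = (c), .handler = (h), .perm_check = (p), .name = #h }` and then `KSU_IOCTL_ENTRY(KSU_IOCTL_GRANT_ROOT, do_grant_root, perm_check_basic),`. The sentinel keeps its explicit `.name = NULL` so the dispatcher's "unknown" default still applies.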
@@ -541,27 +545,52 @@ static long anon_ksu_ioctl(struct file *filp, unsigned int cmd, unsigned long ar
|
|||||||
{
|
{
|
||||||
void __user *argp = (void __user *)arg;
|
void __user *argp = (void __user *)arg;
|
||||||
int i;
|
int i;
|
||||||
|
const char *cmd_name = "unknown";
|
||||||
|
int ret = -ENOTTY;
|
||||||
|
|
||||||
#ifdef CONFIG_KSU_DEBUG
|
#ifdef CONFIG_KSU_DEBUG
|
||||||
pr_info("ksu ioctl: cmd=0x%x from uid=%d\n", cmd, current_uid().val);
|
pr_info("ksu ioctl: cmd=0x%x from uid=%d\n", cmd, current_uid().val);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
// Determine the command name based on the cmd value
|
||||||
for (i = 0; ksu_ioctl_handlers[i].handler; i++) {
|
for (i = 0; ksu_ioctl_handlers[i].handler; i++) {
|
||||||
if (cmd == ksu_ioctl_handlers[i].cmd) {
|
if (cmd == ksu_ioctl_handlers[i].cmd) {
|
||||||
// Check permission first
|
cmd_name = ksu_ioctl_handlers[i].name;
|
||||||
if (ksu_ioctl_handlers[i].perm_check &&
|
break;
|
||||||
!ksu_ioctl_handlers[i].perm_check()) {
|
|
||||||
pr_warn("ksu ioctl: permission denied for cmd=0x%x uid=%d\n",
|
|
||||||
cmd, current_uid().val);
|
|
||||||
return -EPERM;
|
|
||||||
}
|
|
||||||
// Execute handler
|
|
||||||
return ksu_ioctl_handlers[i].handler(argp);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pr_warn("ksu ioctl: unsupported command 0x%x\n", cmd);
|
// Check permission first
|
||||||
return -ENOTTY;
|
if (ksu_ioctl_handlers[i].perm_check &&
|
||||||
|
!ksu_ioctl_handlers[i].perm_check()) {
|
||||||
|
pr_warn("ksu ioctl: permission denied for cmd=0x%x uid=%d\n",
|
||||||
|
cmd, current_uid().val);
|
||||||
|
#if __SULOG_GATE
|
||||||
|
ksu_sulog_report_syscall(current_uid().val, NULL, cmd_name, "DENIED");
|
||||||
|
#endif
|
||||||
|
return -EPERM;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Execute handler
|
||||||
|
ret = ksu_ioctl_handlers[i].handler(argp);
|
||||||
|
|
||||||
|
// Log the result of the ioctl command
|
||||||
|
if (ret == 0) {
|
||||||
|
#if __SULOG_GATE
|
||||||
|
ksu_sulog_report_syscall(current_uid().val, NULL, cmd_name, "SUCCESS");
|
||||||
|
#endif
|
||||||
|
} else {
|
||||||
|
#if __SULOG_GATE
|
||||||
|
ksu_sulog_report_syscall(current_uid().val, NULL, cmd_name, "FAILED");
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ksu_ioctl_handlers[i].handler == NULL) {
|
||||||
|
pr_warn("ksu ioctl: unsupported command 0x%x\n", cmd);
|
||||||
|
ret = -ENOTTY;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
// File release handler
|
// File release handler
|
||||||
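Review bot: An unsupported cmd now reaches `ret = ksu_ioctl_handlers[i].handler(argp);` with `i` pointing at the sentinel, because the lookup loop only records the name and breaks, and the `handler == NULL` check was moved below the call; the sentinel's `perm_check` is NULL so the permission guard is skipped too, and the result is a NULL function-pointer call in the kernel triggered by any holder of the fd sending an unknown ioctl number. The unsupported-command check has to come straight after the lookup loop, before both the perm check and the call, and the trailing `if (ksu_ioctl_handlers[i].handler == NULL)` block becomes dead and should be dropped. Separately, the SUCCESS/FAILED split treats any non-zero return as FAILED; if some handlers return positive values (not visible here), those would be logged as failures.
```c
	}   /* end of the cmd lookup loop */

	/* Unknown cmd leaves i on the sentinel: reject it before touching .handler */
	if (!ksu_ioctl_handlers[i].handler) {
		pr_warn("ksu ioctl: unsupported command 0x%x\n", cmd);
		return -ENOTTY;
	}

	/* … unchanged: perm_check + DENIED sulog, handler call, SUCCESS/FAILED sulog, return ret … */
```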
@@ -603,6 +632,10 @@ int ksu_install_fd(void)
|
|||||||
// Install fd
|
// Install fd
|
||||||
fd_install(fd, filp);
|
fd_install(fd, filp);
|
||||||
|
|
||||||
|
#if __SULOG_GATE
|
||||||
|
ksu_sulog_report_permission_check(current_uid().val, current->comm, fd >= 0);
|
||||||
|
#endif
|
||||||
|
|
||||||
pr_info("ksu fd installed: %d for pid %d\n", fd, current->pid);
|
pr_info("ksu fd installed: %d for pid %d\n", fd, current->pid);
|
||||||
|
|
||||||
return fd;
|
return fd;
|
||||||
|
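Review bot: The third argument `fd >= 0` passed to ksu_sulog_report_permission_check() is always true at this point, since the call sits after `fd_install(fd, filp)` and the allocation/failure exits appear to happen earlier, outside the hunk; the record therefore never captures a refused or failed install. Either move the report to cover the error path as well, or make the constant explicit so readers do not mistake it for a decision, e.g. `ksu_sulog_report_permission_check(current_uid().val, current->comm, true); /* failures return before fd_install() and are not logged here */`. Logging after fd_install() also means the fd is already usable by the process before the audit record exists, which matters if the log is used to reconstruct ordering.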
|||||||
@@ -134,6 +134,7 @@ struct ksu_ioctl_cmd_map {
|
|||||||
unsigned int cmd;
|
unsigned int cmd;
|
||||||
ksu_ioctl_handler_t handler;
|
ksu_ioctl_handler_t handler;
|
||||||
ksu_perm_check_t perm_check; // Permission check function
|
ksu_perm_check_t perm_check; // Permission check function
|
||||||
|
const char *name; // Command name for logging
|
||||||
};
|
};
|
||||||
|
|
||||||
// Install KSU fd to current process
|
// Install KSU fd to current process
|
||||||
|
|||||||
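Review bot: The new `name` field's comment should state its storage contract, since the dispatcher keeps the pointer only for the duration of the call and prints it without copying: `const char *name; // Command name for logging; must point at static storage, NULL only on the sentinel`. That matches the table, where every entry uses a string literal and the sentinel sets `.name = NULL`.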