Kernel: Implement sulog for enhanced logging of SU attempts and permissions

kernel/core_hook.c

@@ -47,6 +47,7 @@
 #include "throne_comm.h"
 #include "kernel_compat.h"
 #include "dynamic_manager.h"
+#include "sulog.h"
 
 #ifdef CONFIG_KSU_MANUAL_SU
 #include "manual_su.h"
@@ -148,6 +149,7 @@ static void disable_seccomp()
 void escape_to_root(void)
 {
 	struct cred *cred;
+	uid_t original_uid = current_euid().val;
 
 	cred = prepare_creds();
 	if (!cred) {
@@ -157,6 +159,7 @@ void escape_to_root(void)
 
 	if (cred->euid.val == 0) {
 		pr_warn("Already root, don't escape!\n");
+		ksu_sulog_report_su_grant(original_uid, NULL, "escape_to_root_failed");
 		abort_creds(cred);
 		return;
 	}
@@ -200,6 +203,8 @@ void escape_to_root(void)
 	spin_unlock_irq(&current->sighand->siglock);
 
 	setup_selinux(profile->selinux_domain);
+
+	ksu_sulog_report_su_grant(original_uid, NULL, "escape_to_root");
 }
 
 #ifdef CONFIG_KSU_MANUAL_SU
@@ -242,6 +247,7 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 	if (!target_task) {
 		rcu_read_unlock(); 
 		pr_err("cmd_su: target task not found for PID: %d\n", target_pid);
+		ksu_sulog_report_su_grant(target_uid, "cmd_su", "target_not_found");
 		return;
 	}
 	get_task_struct(target_task);
@@ -256,6 +262,7 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 	newcreds = prepare_kernel_cred(target_task);
 	if (newcreds == NULL) {
 		pr_err("cmd_su: failed to allocate new cred for PID: %d\n", target_pid);
+		ksu_sulog_report_su_grant(target_uid, "cmd_su", "cred_alloc_failed");
 		put_task_struct(target_task);
 		return;
 	}
@@ -306,6 +313,7 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 
 	put_task_struct(target_task);
 
+	ksu_sulog_report_su_grant(target_uid, "cmd_su", "manual_escalation");
 	pr_info("cmd_su: privilege escalation completed for UID: %d, PID: %d\n", target_uid, target_pid);
 }
 #endif
@@ -474,7 +482,10 @@ skip_check:
 	}
 
 	if (arg2 == CMD_GRANT_ROOT) {
-		if (is_allow_su()) {
+		bool is_allowed = is_allow_su();
+		ksu_sulog_report_permission_check(current_uid().val, current->comm, is_allowed);
+		
+		if (is_allowed) {
 			pr_info("allow root for: %d\n", current_uid().val);
 			escape_to_root();
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
@@ -578,6 +589,7 @@ skip_check:
 				post_fs_data_lock = true;
 				pr_info("post-fs-data triggered\n");
 				on_post_fs_data();
+				ksu_sulog_init();
 				// Initialize UID scanner if enabled
 				init_uid_scanner();
 				// Initializing Dynamic Signatures
@@ -813,6 +825,9 @@ skip_check:
 
 		// todo: validate the params
 		if (ksu_set_app_profile(&profile, true)) {
+			ksu_sulog_report_manager_operation("SET_APP_PROFILE", 
+				current_uid().val, profile.current_uid);
+			
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("prctl reply error, cmd: %lu\n", arg2);
 			}
@@ -1376,6 +1391,7 @@ void ksu_core_exit(void)
 {
 	ksu_uid_exit();
 	ksu_throne_comm_exit();
+	ksu_sulog_exit();
 #ifdef CONFIG_KPROBE
 	pr_info("ksu_core_kprobe_exit\n");
 	// we dont use this now