From 44834f0172cc20f4811b0934339658372ddb6b64 Mon Sep 17 00:00:00 2001
From: Huy Minh
Date: Fri, 3 Oct 2025 16:08:23 +0700
Subject: [PATCH] kernel: add initial 6.8+/6.14 kernel support * This is a squashed of un-merged pull requests of Official KernelSU * LKM support are not available. * Require this additional patch to avoid kernel panic because of "Too many LSMs registered": https://github.com/android-generic/kernel-zenith/commit/7042991a5c9ddae256f3864a598017310bb5ff2c * Un-merged pull requests of Official KernelSU: https://github.com/tiann/KernelSU/pull/1785 https://github.com/tiann/KernelSU/pull/2662 * This commit probably not 100% completed.
Signed-off-by: rsuntk
---
 kernel/core_hook.c | 16 ++++++++++++++--
 kernel/selinux/selinux.c | 31 ++++++++++++++++++++++++++++---
 2 files changed, 42 insertions(+), 5 deletions(-)
diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 9c9581e8..5fc9b60f 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -230,13 +230,15 @@ static void disable_seccomp(struct task_struct *tsk)
 #ifdef CONFIG_SECCOMP
 tsk->seccomp.mode = 0;
 if (tsk->seccomp.filter) {
- // TODO: Add kernel 6.11+ support
 // 5.9+ have filter_count and use seccomp_filter_release
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 seccomp_filter_release(tsk);
 atomic_set(&tsk->seccomp.filter_count, 0);
 #else
+ // for 6.11+ kernel support?
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 put_seccomp_filter(tsk);
+#endif
 tsk->seccomp.filter = NULL;
 #endif
 }
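Review bot: The added `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)` sits inside the `#else` of `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)`, so it is always true there and changes nothing; a 6.11+ build still compiles the first branch exactly as before. The removed TODO is therefore still open, and the new comment `// for 6.11+ kernel support?` sits on a path those kernels never build. If seccomp_filter_release() on the target tree refuses to act on a task that is not exiting (I believe 6.11 added such a check, please confirm), the filter stays attached while `mode` and `filter_count` are zeroed, which leaves the task's seccomp state inconsistent. I would drop the nested guard and put the marker next to the call it concerns, e.g. `// TODO(6.11+): confirm seccomp_filter_release() frees the filter of a live task`. disable_seccomp() begins above this hunk.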
@@ -1827,9 +1829,19 @@ static struct security_hook_list ksu_hooks[] = {
 #endif
 };
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+const struct lsm_id ksu_lsmid = {
+ .name = "ksu",
+ .id = 912,
+};
+#endif
+
 void __init ksu_lsm_hook_init(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+ // https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120
+ security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
 #else
 // https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c
index f1a544e9..2637f57e 100644
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -84,7 +84,7 @@ bool getenforce(void)
 if (is_selinux_disabled()) {
 return false;
 }
-
+
 return __is_selinux_enforcing();
 }
@@ -103,17 +103,30 @@ static inline u32 current_sid(void)
 bool is_ksu_domain(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ struct lsm_context ctx;
+#else
 char *domain;
 u32 seclen;
+#endif
 bool result;
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ int err = security_secid_to_secctx(current_sid(), &ctx);
+#else
 int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+#endif
+
 if (err) {
 return false;
 }
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+ security_release_secctx(&ctx);
+#else
 result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
 security_release_secctx(domain, seclen);
+#endif
 return result;
 }
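Review bot: `ksu_lsmid` is defined with external linkage and a bare `.id = 912` whose origin is not explained anywhere in the hunk; I would declare it `static const struct lsm_id ksu_lsmid` and give the number a name, e.g. `#define KSU_LSM_ID 912 /* out-of-tree value, must not collide with an upstream LSM_ID_* */`. The 6.8+ `security_add_hooks()` call also depends on the extra kernel patch named in the commit message ("Too many LSMs registered"), but only the commit message says so. A comment above the call such as `// requires the LSM count patch referenced in the commit message, otherwise the kernel panics at boot` would keep that requirement next to the code that triggers it. The body of ksu_lsm_hook_init() continues past the end of this hunk.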
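Review bot: On the 6.14 branch of is_ksu_domain() the `if (err)` test looks inverted for the new API: with `struct lsm_context`, security_secid_to_secctx() returns the context length on success and a negative errno on failure (worth confirming against the kernel-doc in the target tree), so a successful lookup takes the early `return false` and never reaches `security_release_secctx(&ctx)`. The effect would be a domain check that always fails on 6.14+ and a context buffer leaked on every call. Testing `if (err < 0)` is correct for both API generations; the same pattern appears in the is_zygote() hunk that follows.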
@@ -123,18 +136,30 @@ bool is_zygote(void *sec)
 if (!tsec) {
 return false;
 }
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ struct lsm_context ctx;
+#else
 char *domain;
 u32 seclen;
+#endif
 bool result;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ int err = security_secid_to_secctx(tsec->sid, &ctx);
+#else
 int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
+#endif
 if (err) {
 return false;
 }
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+ result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
+ security_release_secctx(&ctx);
+#else
 result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
 security_release_secctx(domain, seclen);
+#endif
 return result;
 }
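Review bot: is_zygote() now carries the same three `#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)` splits as is_ksu_domain(), so any later change to the secctx API has to be repeated in six places. A single static helper that takes the sid and the expected domain string would hold the version split once and reduce both callers to one line. The sketch below (helper name is only a suggestion) keeps the pre-6.14 branch as written and tests for a negative return on the 6.14 branch, on the assumption that the lsm_context form of security_secid_to_secctx() reports success with a positive length. is_zygote() starts above this hunk, so its cast and NULL check are only indicated.

```c
/* Single home for the secctx API split; compares the context of @sid with @domain. */
static bool ksu_sid_has_domain(u32 sid, const char *domain)
{
	bool result;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
	struct lsm_context ctx;

	if (security_secid_to_secctx(sid, &ctx) < 0)
		return false;
	result = strncmp(domain, ctx.context, ctx.len) == 0;
	security_release_secctx(&ctx);
#else
	char *secctx;
	u32 seclen;

	if (security_secid_to_secctx(sid, &secctx, &seclen))
		return false;
	result = strncmp(domain, secctx, seclen) == 0;
	security_release_secctx(secctx, seclen);
#endif
	return result;
}

bool is_zygote(void *sec)
{
	// … unchanged: tsec cast and NULL check …
	return ksu_sid_has_domain(tsec->sid, "u:r:zygote:s0");
}
```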