From 455b725248f7318caec3b53e6fe9b3e607f11534 Mon Sep 17 00:00:00 2001
From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
Date: Sat, 22 Nov 2025 22:17:45 +0800
Subject: [PATCH] Deprecated AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT, the leftover add_sus_mount cli and umount_for_zygote_system_process

Reason:
- AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT is also causing a bit more performance overheads and still it cannot catch all the sus mounts in all situations. Actually it can easily be done in boot-completed.sh, and it should be more accurate, see module templates for more details.
- Official KernelSU also allows ksud to add custom path to try_umount list as well, users can use their own way to add only the desired sus mounts to try_umount list, but remember to disable susfs ADD_TRY_UMOUNT in kernel if users want to use the official one.
- There are less use cases for umount_for_zygote_system_process, and sometimes enabling this may cause bootloop with some modules enabled, instead user can use busybox nsenter to umount the sus mounts for specific process later by themmselves.
Co-authored-by: simonpunk
---
 kernel/Kconfig | 11 +----------
 kernel/kernel_umount.c | 16 ----------------
 kernel/setuid_hook.c | 30 +++++++-----------------------
 kernel/supercalls.c | 35 +++++------------------------------
 4 files changed, 13 insertions(+), 79 deletions(-)

diff --git a/kernel/Kconfig b/kernel/Kconfig
index c1623c3a..a2d6469a 100644
--- a/kernel/Kconfig
+++ b/kernel/Kconfig
@@ -99,16 +99,7 @@ config KSU_SUSFS_TRY_UMOUNT default y help - Allow using try_umount to umount other user-defined mount paths prior to ksu's default umount paths. - - Effective on all NO-root-access-granted processes. - -config KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT - bool "Enable to add bind mounts to ksu's try_umount automatically (experimental)" - depends on KSU_SUSFS_TRY_UMOUNT - default y - help - - Automatically add binded mounts to ksu's try_umount. - - No susfs command is needed in userspace. - - Only mount operation from process with ksu domain will be checked. + - Effective only on zygote spawned umounted user app process. config KSU_SUSFS_SPOOF_UNAME bool "Enable to spoof uname" diff --git a/kernel/kernel_umount.c b/kernel/kernel_umount.c index 2eea68c2..60a87eeb 100644 --- a/kernel/kernel_umount.c +++ b/kernel/kernel_umount.c @@ -55,12 +55,7 @@ static const struct ksu_feature_handler kernel_umount_handler = { }; #ifdef CONFIG_KSU_SUSFS -#if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) extern bool susfs_is_log_enabled; -#endif // #if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -extern void susfs_try_umount(void); -#endif // #ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT #endif // #ifdef CONFIG_KSU_SUSFS #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) || \ @@ -116,20 +111,9 @@ void try_umount(const char *mnt, int flags) return; } -#if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) - if (susfs_is_log_enabled) { - pr_info("susfs: umounting '%s'\n", mnt); - } -#endif // #if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) - ksu_umount_mnt(mnt, &path, flags); } -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -void susfs_try_umount_all(void) { - susfs_try_umount(); -} -#endif // #ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT #if !defined(CONFIG_KSU_SUSFS) || !defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) struct umount_tw { 
diff --git a/kernel/setuid_hook.c b/kernel/setuid_hook.c index e7867ec8..e29a868e 100644 --- a/kernel/setuid_hook.c +++ b/kernel/setuid_hook.c @@ -48,12 +48,6 @@ #include "sulog.h" #ifdef CONFIG_KSU_SUSFS -static inline bool is_some_system_uid(uid_t uid) -{ - uid %= 100000; - return (uid >= 1000 && uid < 10000); -} - static inline bool is_zygote_isolated_service_uid(uid_t uid) { uid %= 100000; @@ -66,8 +60,6 @@ static inline bool is_zygote_normal_app_uid(uid_t uid) return (uid >= 10000 && uid < 19999); } -bool susfs_is_umount_for_zygote_system_process_enabled = false; - extern u32 susfs_zygote_sid; #ifdef CONFIG_KSU_SUSFS_SUS_PATH extern void susfs_run_sus_path_loop(uid_t uid); @@ -77,7 +69,7 @@ extern bool susfs_is_umount_for_zygote_iso_service_enabled; extern void susfs_reorder_mnt_id(void); #endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT #ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -extern void susfs_try_umount_all(void); +extern void susfs_try_umount(uid_t uid); #endif #endif // #ifdef CONFIG_KSU_SUSFS @@ -210,8 +202,6 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid) return 0; } #else -extern bool ksu_kernel_umount_enabled; -extern bool ksu_module_mounted; int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){ // we rely on the fact that zygote always call setresuid(3) with same uids uid_t new_uid = ruid; 
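Review bot: The new `extern void susfs_try_umount(uid_t uid);` in the `@@ -77,7 +69,7 @@` hunk is a hand-written prototype in this .c file for a function whose definition is not part of this patch, and the same patch removes an older declaration `extern void susfs_try_umount(void);` from kernel_umount.c, so the signature has changed. Because the declaration is local, a tree whose susfs side still defines the `(void)` form would compile and link without a diagnostic, and the call in ksu_handle_setresuid would then pass an argument the callee does not expect. Take the prototype from the shared susfs header rather than redeclaring it here, or at minimum add a comment such as `/* keep in sync with the susfs_try_umount() definition; it now takes the new uid */`.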
@@ -302,27 +292,21 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){ goto do_umount; } - // Lastly, Check if spawned process is some system process and needs to be umounted - if (unlikely(is_some_system_uid(new_uid) && susfs_is_umount_for_zygote_system_process_enabled)) { - goto do_umount; - } - return 0; do_umount: +#ifndef CONFIG_KSU_SUSFS_TRY_UMOUNT if (!ksu_kernel_umount_enabled || !ksu_module_mounted) { - goto skip_try_umount; + goto skip_ksu_handle_umount; } -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT - pr_info("susfs: running susfs_try_umount_all() for uid: %u\n", new_uid); - susfs_try_umount_all(); -#else // Handle kernel umount ksu_handle_umount(old_uid, new_uid); -#endif // #ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -skip_try_umount: +skip_ksu_handle_umount: +#else + susfs_try_umount(new_uid); +#endif // #ifndef CONFIG_KSU_SUSFS_TRY_UMOUNT get_task_struct(current); diff --git a/kernel/supercalls.c b/kernel/supercalls.c index d3b642f1..cf372291 100644 --- a/kernel/supercalls.c +++ b/kernel/supercalls.c @@ -12,6 +12,11 @@ #include #include +#ifdef CONFIG_KSU_SUSFS +#include +#include +#endif // #ifdef CONFIG_KSU_SUSFS + #include "supercalls.h" #include "arch.h" #include "allowlist.h" 
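Review bot: With CONFIG_KSU_SUSFS_TRY_UMOUNT set, the `do_umount:` path now calls `susfs_try_umount(new_uid)` without the `ksu_kernel_umount_enabled` / `ksu_module_mounted` check, which this hunk moves inside the `#ifndef` branch; before the change that check guarded both variants. The commit message does not mention dropping it, so unless susfs_try_umount() tests these flags itself (not visible here), the umount would presumably run even with kernel umount disabled or before modules are mounted. If that is not intended, keep the gate, e.g. `if (ksu_kernel_umount_enabled && ksu_module_mounted) susfs_try_umount(new_uid);`. The `#ifndef` branch also still reads both variables although their `extern` declarations are removed earlier in this file's diff, so a CONFIG_KSU_SUSFS build without TRY_UMOUNT relies on an included header declaring them and deserves a build test. ksu_handle_setresuid starts and ends outside the hunk.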
@@ -36,33 +41,7 @@ #endif #ifdef CONFIG_KSU_SUSFS -#include -#include - bool susfs_is_boot_completed_triggered = false; - -extern bool susfs_is_umount_for_zygote_system_process_enabled; -#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT -extern bool susfs_is_auto_add_try_umount_for_bind_mount_enabled; -#endif // #ifdef CONFIG_KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT - -static void susfs_on_post_fs_data(void) { - struct path path; -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT - if (!kern_path(DATA_ADB_UMOUNT_FOR_ZYGOTE_SYSTEM_PROCESS, 0, &path)) { - susfs_is_umount_for_zygote_system_process_enabled = true; - path_put(&path); - } - pr_info("susfs_is_umount_for_zygote_system_process_enabled: %d\n", susfs_is_umount_for_zygote_system_process_enabled); -#endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT -#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT - if (!kern_path(DATA_ADB_NO_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT, 0, &path)) { - susfs_is_auto_add_try_umount_for_bind_mount_enabled = false; - path_put(&path); - } - pr_info("susfs_is_auto_add_try_umount_for_bind_mount_enabled: %d\n", susfs_is_auto_add_try_umount_for_bind_mount_enabled); -#endif // #ifdef CONFIG_KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT -} #endif // #ifdef CONFIG_KSU_SUSFS bool ksu_uid_scanner_enabled = false; @@ -154,10 +133,6 @@ static int do_report_event(void __user *arg) if (!post_fs_data_lock) { post_fs_data_lock = true; pr_info("post-fs-data triggered\n"); -#ifdef CONFIG_KSU_SUSFS - susfs_on_post_fs_data(); - pr_info("susfs_on_post_fs_data triggered\n"); -#endif on_post_fs_data(); init_uid_scanner(); #if __SULOG_GATE