fix lot (#518)

* refact: use feature subsystem * use 64bit feature * fix * add fixme * add feature max to get_info * use 32bit feature id * allow root to get/set feature * more clean perm_check functions * fix * add feature command to ksud kernel: do not expose perm checker * fix security_task_fix_setuid_handler_pre * add android16-6.12 ci * manager: add kernel_umount switch Co-authored-by: YuKongA <70465933+YuKongA@users.noreply.github.com> * manager: Reinstate the LKM selection function * kernel: add name and print command value - Optimise sulog log display Co-authored-by: Ylarod <me@ylarod.cn> Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> * fix * ksud: clippy --------- Co-authored-by: Ylarod <me@ylarod.cn> Co-authored-by: YuKongA <70465933+YuKongA@users.noreply.github.com> Co-authored-by: weishu <twsxtd@gmail.com>
2025-11-02 20:01:24 +08:00
parent 00de4e1c64
commit 47bcc956a3
26 changed files with 963 additions and 852 deletions
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -13,6 +13,7 @@
 #include "objsec.h"
 #include "allowlist.h"
 #include "arch.h"
+#include "feature.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
 #include "kernel_compat.h"
@@ -22,6 +23,44 @@
 #define SH_PATH "/system/bin/sh"

 extern void escape_to_root();
+void ksu_sucompat_enable();
+void ksu_sucompat_disable();
+
+bool ksu_su_compat_enabled = true;
+
+static int su_compat_feature_get(u64 *value)
+{
+    *value = ksu_su_compat_enabled ? 1 : 0;
+    return 0;
+}
+
+static int su_compat_feature_set(u64 value)
+{
+    bool enable = value != 0;
+
+    if (enable == ksu_su_compat_enabled) {
+        pr_info("su_compat: no need to change\n");
+        return 0;
+    }
+
+    if (enable) {
+        ksu_sucompat_enable();
+    } else {
+        ksu_sucompat_disable();
+    }
+
+    ksu_su_compat_enabled = enable;
+    pr_info("su_compat: set to %d\n", enable);
+
+    return 0;
+}
+
+static const struct ksu_feature_handler su_compat_handler = {
+    .feature_id = KSU_FEATURE_SU_COMPAT,
+    .name = "su_compat",
+    .get_handler = su_compat_feature_get,
+    .set_handler = su_compat_feature_set,
+};

 #ifndef CONFIG_KSU_KPROBES_HOOK
 static bool ksu_sucompat_hook_state __read_mostly = true;
@@ -340,7 +379,7 @@ static void destroy_kprobe(struct kprobe **kp_ptr)
 #endif

 // sucompat: permited process can execute 'su' to gain root access.
-void ksu_sucompat_init()
+void ksu_sucompat_enable()
 {
 #ifdef CONFIG_KSU_KPROBES_HOOK
    su_kps[0] = init_kprobe(SYS_EXECVE_SYMBOL, execve_handler_pre);
@@ -353,7 +392,7 @@ void ksu_sucompat_init()
 #endif
 }

-void ksu_sucompat_exit()
+void ksu_sucompat_disable()
 {
 #ifdef CONFIG_KSU_KPROBES_HOOK
    int i;
@@ -365,3 +404,23 @@ void ksu_sucompat_exit()
     pr_info("ksu_sucompat_exit: hooks disabled: execve/execveat_su, faccessat, stat\n");
 #endif
 }
+
+// sucompat: permited process can execute 'su' to gain root access.
+void ksu_sucompat_init()
+{
+    if (ksu_register_feature_handler(&su_compat_handler)) {
+        pr_err("Failed to register su_compat feature handler\n");
+    }
+    if (ksu_su_compat_enabled) {
+        ksu_sucompat_enable();
+    }
+}
+
+void ksu_sucompat_exit()
+{
+    if (ksu_su_compat_enabled) {
+        ksu_sucompat_disable();
+    }
+    ksu_unregister_feature_handler(KSU_FEATURE_SU_COMPAT);
+}
+