kernel: Apply the susfs patch

Co-authored-by: simonpunk <simonpunk2016@gmail.com> Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
2025-11-14 18:36:04 +08:00
parent 4920877dd8
commit 4c04508267
20 changed files with 982 additions and 77 deletions
--- a/kernel/setuid_hook.c
+++ b/kernel/setuid_hook.c
@@ -29,10 +29,13 @@
 #include <linux/uaccess.h>
 #include <linux/uidgid.h>
 #include <linux/version.h>
-#include <linux/lsm_hooks.h>
 #include <linux/binfmts.h>
 #include <linux/tty.h>

+#ifdef CONFIG_KSU_SUSFS
+#include <linux/susfs.h>
+#endif // #ifdef CONFIG_KSU_SUSFS
+
 #ifndef KSU_HAS_PATH_UMOUNT
 #include <linux/syscalls.h> // sys_umount (<4.17) & ksys_umount (4.17+)
 #endif
@@ -54,12 +57,48 @@
 #include "selinux/selinux.h"
 #include "seccomp_cache.h"
 #include "supercalls.h"
+#ifndef CONFIG_KSU_SUSFS
 #include "syscall_hook_manager.h"
+#endif
 #include "kernel_umount.h"
 #include "app_profile.h"

 #include "sulog.h"

+#ifdef CONFIG_KSU_SUSFS
+static inline bool is_some_system_uid(uid_t uid)
+{
+    uid %= 100000;
+    return (uid >= 1000 && uid < 10000);
+}
+
+static inline bool is_zygote_isolated_service_uid(uid_t uid)
+{
+    uid %= 100000;
+    return (uid >= 90000 && uid < 100000);
+}
+
+static inline bool is_zygote_normal_app_uid(uid_t uid)
+{
+    uid %= 100000;
+    return (uid >= 10000 && uid < 19999);
+}
+
+bool susfs_is_umount_for_zygote_system_process_enabled = false;
+
+extern bool susfs_is_umount_for_zygote_iso_service_enabled;
+extern u32 susfs_zygote_sid;
+#ifdef CONFIG_KSU_SUSFS_SUS_PATH
+extern void susfs_run_sus_path_loop(uid_t uid);
+#endif // #ifdef CONFIG_KSU_SUSFS_SUS_PATH
+#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
+extern void susfs_reorder_mnt_id(void);
+#endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
+#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT
+extern void susfs_try_umount_all(void);
+#endif
+#endif // #ifdef CONFIG_KSU_SUSFS
+
 static bool ksu_enhanced_security_enabled = false;

 static int enhanced_security_feature_get(u64 *value)
@@ -92,6 +131,7 @@ static inline bool is_allow_su(void)
    return ksu_is_allow_uid_for_current(current_uid().val);
 }

+#ifndef CONFIG_KSU_SUSFS
 int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 {
    uid_t new_uid = ruid;
@@ -171,59 +211,114 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)

    return 0;
 }
+#else
+extern bool ksu_kernel_umount_enabled;
+extern bool ksu_module_mounted;
+int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){
+    // we rely on the fact that zygote always call setresuid(3) with same uids
+    uid_t new_uid = ruid;
+    uid_t old_uid = current_uid().val;

-// kernel 4.4 and 4.9
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||    \
-    defined(CONFIG_IS_HW_HISI) ||    \
-    defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
-static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
-                  unsigned perm)
-{
-    if (init_session_keyring != NULL) {
+    // if old process is root, ignore it.
+    if (old_uid != 0 && ksu_enhanced_security_enabled) {
+        // disallow any non-ksu domain escalation from non-root to root!
+        // euid is what we care about here as it controls permission
+        if (unlikely(euid == 0)) {
+            if (!is_ksu_domain()) {
+                pr_warn("find suspicious EoP: %d %s, from %d to %d\n", 
+                    current->pid, current->comm, old_uid, new_uid);
+                force_sig(SIGKILL);
+                return 0;
+            }
+        }
+        // disallow appuid decrease to any other uid if it is not allowed to su
+        if (is_appuid(old_uid)) {
+            if (euid < current_euid().val && !ksu_is_allow_uid_for_current(old_uid)) {
+                pr_warn("find suspicious EoP: %d %s, from %d to %d\n", 
+                    current->pid, current->comm, old_uid, new_uid);
+                force_sig(SIGKILL);
+                return 0;
+            }
+        }
        return 0;
    }
-    if (strcmp(current->comm, "init")) {
-        // we are only interested in `init` process
+
+    // We only interest in process spwaned by zygote
+    if (!susfs_is_sid_equal(current_cred()->security, susfs_zygote_sid)) {
        return 0;
    }
-    init_session_keyring = cred->session_keyring;
-    pr_info("kernel_compat: got init_session_keyring\n");
+
+    // Check if spawned process is isolated service first, and force to do umount if so  
+    if (is_zygote_isolated_service_uid(new_uid) && susfs_is_umount_for_zygote_iso_service_enabled) {
+        goto do_umount;
+    }
+
+    // - Since ksu maanger app uid is excluded in allow_list_arr, so ksu_uid_should_umount(manager_uid)
+    //   will always return true, that's why we need to explicitly check if new_uid belongs to
+    //   ksu manager
+    if (ksu_get_manager_uid() == new_uid % 100000) {
+        pr_info("install fd for manager: %d\n", new_uid);
+        ksu_install_fd();
+        spin_lock_irq(&current->sighand->siglock);
+        ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+        spin_unlock_irq(&current->sighand->siglock);
+        return 0;
+    }
+
+    // Check if spawned process is normal user app and needs to be umounted
+    if (likely(is_zygote_normal_app_uid(new_uid) && ksu_uid_should_umount(new_uid))) {
+        goto do_umount;
+    }
+
+    // Lastly, Check if spawned process is some system process and needs to be umounted
+    if (unlikely(is_some_system_uid(new_uid) && susfs_is_umount_for_zygote_system_process_enabled)) {
+        goto do_umount;
+    }
+
+    if (ksu_is_allow_uid_for_current(new_uid)) {
+        if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
+            current->seccomp.filter) {
+            spin_lock_irq(&current->sighand->siglock);
+            ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+            spin_unlock_irq(&current->sighand->siglock);
+        }
+    }
+
+    return 0;
+
+do_umount:
+#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT
+    if (!ksu_kernel_umount_enabled || !ksu_module_mounted) {
+        goto skip_try_umount;
+        
+    }
+
+    pr_info("susfs: running susfs_try_umount_all() for uid: %u\n", new_uid);
+    susfs_try_umount_all();
+
+skip_try_umount:
+#endif // #ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT
+
+    get_task_struct(current);
+
+#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
+    // We can reorder the mnt_id now after all sus mounts are umounted
+    susfs_reorder_mnt_id();
+#endif // #ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
+
+    susfs_set_current_proc_umounted();
+
+    put_task_struct(current);
+
+#ifdef CONFIG_KSU_SUSFS_SUS_PATH
+    susfs_run_sus_path_loop(new_uid);
+#endif // #ifdef CONFIG_KSU_SUSFS_SUS_PATH
    return 0;
 }
-#endif
-
-#ifndef MODULE
-static struct security_hook_list ksu_hooks[] = {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || \
-    defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
-    LSM_HOOK_INIT(key_permission, ksu_key_permission)
-#endif
-};
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
-const struct lsm_id ksu_lsmid = {
-    .name = "ksu",
-    .id = 912,
-};
-#endif
-
-void __init ksu_lsm_hook_init(void)
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
-    // https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120
-    security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid);
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-    security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
-#else
-    // https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
-    security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks));
-#endif
-}
-#endif
+#endif // #ifndef CONFIG_KSU_SUSFS

 void ksu_setuid_hook_init(void)
 {
-    ksu_lsm_hook_init();
    ksu_kernel_umount_init();
    if (ksu_register_feature_handler(&enhanced_security_handler)) {
        pr_err("Failed to register enhanced security feature handler\n");