kernel: use sys_enter tracepoint for sucompat (#533)

* use sys_enter tracepoint for sucompat

* update sucompat rules

* clean tif mark

* mark tif after load allow list

* clear all tif first, then mark target

* Fix shell su

* allow when escape

* fix bugs

* kernel: Resolve logical inconsistencies

---------

Co-authored-by: Ylarod <me@ylarod.cn>
Co-authored-by: weishu <twsxtd@gmail.com>

kernel/core_hook.c

@@ -1,3 +1,5 @@
+#include "linux/compiler.h"
+#include "linux/sched/signal.h"
 #include <linux/slab.h>
 #include <linux/task_work.h>
 #include <linux/thread_info.h>
@@ -47,6 +49,7 @@
 #endif
 
 bool ksu_module_mounted = false;
+extern bool ksu_su_compat_enabled;
 
 #ifdef CONFIG_COMPAT
 bool ksu_is_compat __read_mostly = false;
@@ -175,6 +178,8 @@ static void disable_seccomp()
 void escape_to_root(void)
 {
     struct cred *cred;
+    struct task_struct *p = current;
+    struct task_struct *t;
 
     cred = prepare_creds();
     if (!cred) {
@@ -233,6 +238,10 @@ void escape_to_root(void)
 #if __SULOG_GATE
     ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root");
 #endif
+
+    for_each_thread(p, t){
+        set_tsk_thread_flag(t, TIF_SYSCALL_TRACEPOINT);
+    }
 }
 
 #ifdef CONFIG_KSU_MANUAL_SU
@@ -266,6 +275,8 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 {
     struct cred *newcreds;
     struct task_struct *target_task;
+    struct task_struct *p = current;
+    struct task_struct *t;
 
     pr_info("cmd_su: escape_to_root_for_cmd_su called for UID: %d, PID: %d\n", target_uid, target_pid);
 
@@ -347,6 +358,9 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 #if __SULOG_GATE
     ksu_sulog_report_su_grant(target_uid, "cmd_su", "manual_escalation");
 #endif
+    for_each_thread(p, t){
+        set_tsk_thread_flag(t, TIF_SYSCALL_TRACEPOINT);
+    }
     pr_info("cmd_su: privilege escalation completed for UID: %d, PID: %d\n", target_uid, target_pid);
 }
 #endif
@@ -500,6 +514,12 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
         return 0;
     }
 
+    if (new_uid.val == 2000) {
+        if (ksu_su_compat_enabled) {
+            set_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
+        }
+    }
+
     if (!is_appuid(new_uid) || is_unsupported_uid(new_uid.val)) {
         // pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
         return 0;
@@ -516,6 +536,9 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
         ksu_install_fd();
         spin_lock_irq(&current->sighand->siglock);
         ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+        if (ksu_su_compat_enabled) {
+            set_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
+        }
         spin_unlock_irq(&current->sighand->siglock);
         return 0;
     }
@@ -527,6 +550,14 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
             ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
             spin_unlock_irq(&current->sighand->siglock);
         }
+        if (ksu_su_compat_enabled) {
+            set_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
+        }
+    } else {
+        // Disable syscall tracepoint sucompat for non-allowed processes
+        if (ksu_su_compat_enabled) {
+            clear_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
+        }
     }
 
     // this hook is used for umounting overlayfs for some uid, if there isn't any module mounted, just ignore it!
@@ -549,7 +580,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
     // check old process's selinux context, if it is not zygote, ignore it!
     // because some su apps may setuid to untrusted_app but they are in global mount namespace
     // when we umount for such process, that is a disaster!
-    bool is_zygote_child = is_zygote(old->security);
+    bool is_zygote_child = is_zygote(old);
     if (!is_zygote_child) {
         pr_info("handle umount ignore non zygote child: %d\n", current->pid);
         return 0;