kernel: use sys_enter tracepoint for sucompat (#533)

* use sys_enter tracepoint for sucompat

* update sucompat rules

* clean tif mark

* mark tif after load allow list

* clear all tif first, then mark target

* Fix shell su

* allow when escape

* fix bugs

* kernel: Resolve logical inconsistencies

---------

Co-authored-by: Ylarod <me@ylarod.cn>
Co-authored-by: weishu <twsxtd@gmail.com>

kernel/selinux/selinux.c

@@ -1,4 +1,6 @@
 #include "selinux.h"
+#include "linux/cred.h"
+#include "linux/sched.h"
 #include "objsec.h"
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
@@ -84,7 +86,7 @@ static inline u32 current_sid(void)
 }
 #endif
 
-bool is_ksu_domain()
+bool is_task_ksu_domain(const struct cred* cred)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
     struct lsm_context ctx;
@@ -93,10 +95,17 @@ bool is_ksu_domain()
     u32 seclen;
 #endif
     bool result;
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct *tsec = selinux_cred(cred);
+    if (!tsec) {
+        return false;
+    }
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-    int err = security_secid_to_secctx(current_sid(), &ctx);
+    int err = security_secid_to_secctx(tsec->sid, &ctx);
 #else
-    int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
 #endif
 
     if (err) {
@@ -113,9 +122,18 @@ bool is_ksu_domain()
     return result;
 }
 
-bool is_zygote(void *sec)
+bool is_ksu_domain()
 {
-    struct task_security_struct *tsec = (struct task_security_struct *)sec;
+    current_sid();
+    return is_task_ksu_domain(current_cred());
+}
+
+bool is_zygote(const struct cred* cred)
+{
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct * tsec = selinux_cred(cred);
     if (!tsec) {
         return false;
     }