kernel: Introducing Tracepoint Hook Type Support

Tracepoint is a predefined hook point in the kernel, compared to Kprobe,
it is more stable and has lower performance overhead, although compatibility
is relatively poor, it is still worth trying

By the way, we have also included the config definitions related to hook types
in Kconfig, to enhance cleanliness

Improve and merge types that do not require hooks

Introducing the hook type prctl

These patches is based on backslashxx/KernelSU#5

Co-authored-by: Cloud_Yun <1770669041@qq.com>
Co-authored-by: Prslc <prslc113@gmail.com>
Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>

Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>

kernel/Kconfig

@@ -31,15 +31,6 @@ config KSU_CMDLINE
 	  Enable a cmdline called kernelsu.enabled
 	  Value 1 means enabled, value 0 means disabled.
 
-config KSU_MANUAL_HOOK
-	bool "Manual hooking GKI kernels without kprobes"
-	depends on KSU && KSU != m
-	default y if !KPROBES
-	default n
-	help
-	  If enabled, Hook required KernelSU syscalls with manually-patched function.
-	  If disabled, Hook required KernelSU syscalls with Kernel-probe.
-
 config KPM
 	bool "Enable SukiSU KPM"
 	depends on KSU && 64BIT
@@ -59,4 +50,31 @@ config KSU_LSM_SECURITY_HOOKS
 	  Disabling this is mostly only useful for kernel 4.1 and older.
 	  Make sure to implement manual hooks on security/security.c.
 
+choice
+	prompt "KernelSU hook type"
+	depends on KSU
+	default KSU_KPROBES_HOOK
+	help
+	  Hook type for KernelSU
+  
+config KSU_KPROBES_HOOK
+	bool "Hook KernelSU with Kprobes"
+	depends on KPROBES
+	help
+	  If enabled, Hook required KernelSU syscalls with Kernel-probe.
+  
+config KSU_TRACEPOINT_HOOK
+	bool "Hook KernelSU with Tracepoint"
+	depends on TRACEPOINTS
+	help
+	  If enabled, Hook required KernelSU syscalls with Tracepoint.
+  
+  config KSU_MANUAL_HOOK
+	bool "Hook KernelSU manually"
+	depends on KSU != m
+	help
+	  If enabled, Hook required KernelSU syscalls with manually-patched function.
+
+endchoice
+
 endmenu

kernel/Makefile

@@ -9,6 +9,10 @@ kernelsu-objs += ksud.o
 kernelsu-objs += embed_ksud.o
 kernelsu-objs += kernel_compat.o
 
+ifeq ($(strip $(CONFIG_KSU_TRACEPOINT_HOOK)),y)
+kernelsu-objs += ksu_trace.o
+endif
+
 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
 kernelsu-objs += selinux/rules.o
@@ -16,6 +20,7 @@ ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h
 
 obj-$(CONFIG_KSU) += kernelsu.o
+obj-$(CONFIG_KSU_TRACEPOINT_HOOK) += ksu_trace_export.o
 
 obj-$(CONFIG_KPM) += kpm/
 
@@ -71,11 +76,14 @@ ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
 ccflags-y += -DKSU_VERSION_FULL=\"$(KSU_VERSION_FULL)\"
 
 # Checks hooks state
-ifeq ($(strip $(CONFIG_KSU_MANUAL_HOOK)),y)
-$(info -- KernelSU: CONFIG_KSU_MANUAL_HOOK)
-else
-$(info -- KernelSU: CONFIG_KSU_KPROBES_HOOK)
-ccflags-y += -DCONFIG_KSU_KPROBES_HOOK
+ifeq ($(strip $(CONFIG_KSU_KPROBES_HOOK)),y)
+
+
+$(info -- SukiSU: CONFIG_KSU_KPROBES_HOOK)
+else ifeq ($(strip $(CONFIG_KSU_TRACEPOINT_HOOK)),y)
+$(info -- SukiSU: CONFIG_KSU_TRACEPOINT_HOOK)
+else ifeq ($(strip $(CONFIG_KSU_MANUAL_HOOK)),y)
+$(info -- SukiSU: CONFIG_KSU_MANUAL_HOOK)
 endif
 
 # SELinux drivers check

kernel/core_hook.c

@@ -494,6 +494,34 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
+	// Checking hook usage
+	if (arg2 == CMD_HOOK_TYPE) {
+		const char *hook_type;
+
+#if defined(CONFIG_KSU_KPROBES_HOOK)
+
+
+		hook_type = "Kprobes";
+#elif defined(CONFIG_KSU_TRACEPOINT_HOOK)
+		hook_type = "Tracepoint";
+#elif defined(CONFIG_KSU_MANUAL_HOOK)
+		hook_type = "Manual";
+#else
+		hook_type = "Unknown";
+#endif
+
+		size_t len = strlen(hook_type) + 1;
+		if (copy_to_user((void __user *)arg3, hook_type, len)) {
+			pr_err("hook_type: copy_to_user failed\n");
+			return 0;
+		}
+
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("hook_type: prctl reply error\n");
+		}
+		return 0;
+	}
+
 	#ifdef CONFIG_KPM
 	// ADD: 添加KPM模块控制
 	if(sukisu_is_kpm_control_code(arg2)) {

kernel/ksu.c

@@ -54,6 +54,10 @@ extern void ksu_sucompat_init();
 extern void ksu_sucompat_exit();
 extern void ksu_ksud_init();
 extern void ksu_ksud_exit();
+#ifdef CONFIG_KSU_TRACEPOINT_HOOK
+extern void ksu_trace_register();
+extern void ksu_trace_unregister();
+#endif
 
 int __init kernelsu_init(void)
 {
@@ -93,6 +97,10 @@ int __init kernelsu_init(void)
 	pr_debug("init ksu driver\n");
 #endif
 
+#ifdef CONFIG_KSU_TRACEPOINT_HOOK
+    ksu_trace_register();
+#endif
+
 #ifdef MODULE
 #ifndef CONFIG_KSU_DEBUG
 	kobject_del(&THIS_MODULE->mkobj.kobj);
@@ -117,6 +125,11 @@ void kernelsu_exit(void)
 #ifdef CONFIG_KSU_KPROBES_HOOK
 	ksu_ksud_exit();
 #endif
+
+#ifdef CONFIG_KSU_TRACEPOINT_HOOK
+    ksu_trace_unregister();
+#endif
+
 	ksu_sucompat_exit();
 
 	ksu_core_exit();

kernel/ksu.h

@@ -27,6 +27,7 @@
 #define CMD_GET_FULL_VERSION 0xC0FFEE1A
 
 #define CMD_ENABLE_KPM 100
+#define CMD_HOOK_TYPE 101
 #define CMD_DYNAMIC_SIGN 103
 #define CMD_GET_MANAGERS 104
 

kernel/ksu_trace.c

@@ -0,0 +1,90 @@
+#include "ksu_trace.h"
+
+
+// extern kernelsu functions
+extern bool ksu_execveat_hook __read_mostly;
+extern int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv, void *envp, int *flags);
+extern int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr, void *argv, void *envp, int *flags);
+extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode, int *flags);
+extern bool ksu_vfs_read_hook __read_mostly;
+extern int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr, size_t *count_ptr);
+extern int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags);
+extern bool ksu_input_hook __read_mostly;
+extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value);
+extern int ksu_handle_devpts(struct inode*);
+// end kernelsu functions
+
+
+// tracepoint callback functions
+void ksu_trace_execveat_hook_callback(void *data, int *fd, struct filename **filename_ptr,
+                void *argv, void *envp, int *flags)
+{
+	if (unlikely(ksu_execveat_hook))
+		ksu_handle_execveat(fd, filename_ptr, argv, envp, flags);
+	else
+		ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
+}
+
+void ksu_trace_execveat_sucompat_hook_callback(void *data, int *fd, struct filename **filename_ptr,
+                void *argv, void *envp, int *flags)
+{
+	if (!ksu_execveat_hook)
+		ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp, flags);
+}
+
+void ksu_trace_faccessat_hook_callback(void *data, int *dfd, const char __user **filename_user,
+                int *mode, int *flags)
+{
+    ksu_handle_faccessat(dfd, filename_user, mode, flags);
+}
+
+void ksu_trace_sys_read_hook_callback(void *data, unsigned int fd, char __user **buf_ptr,
+                size_t *count_ptr)
+{
+	if (unlikely(ksu_vfs_read_hook))
+		ksu_handle_sys_read(fd, buf_ptr, count_ptr);
+}
+
+void ksu_trace_stat_hook_callback(void *data, int *dfd, const char __user **filename_user,
+                int *flags)
+{
+    ksu_handle_stat(dfd, filename_user, flags);
+}
+
+void ksu_trace_input_hook_callback(void *data, unsigned int *type, unsigned int *code,
+                int *value)
+{
+	if (unlikely(ksu_input_hook))
+		ksu_handle_input_handle_event(type, code, value);
+}
+
+void ksu_trace_devpts_hook_callback(void *data, struct inode *inode)
+{
+    ksu_handle_devpts(inode);
+}
+// end tracepoint callback functions
+
+
+// register tracepoint callback functions
+void ksu_trace_register(void)
+{
+    register_trace_ksu_trace_execveat_hook(ksu_trace_execveat_hook_callback, NULL);
+    register_trace_ksu_trace_execveat_sucompat_hook(ksu_trace_execveat_sucompat_hook_callback, NULL);
+    register_trace_ksu_trace_faccessat_hook(ksu_trace_faccessat_hook_callback, NULL);
+    register_trace_ksu_trace_sys_read_hook(ksu_trace_sys_read_hook_callback, NULL);
+    register_trace_ksu_trace_stat_hook(ksu_trace_stat_hook_callback, NULL);
+    register_trace_ksu_trace_input_hook(ksu_trace_input_hook_callback, NULL);
+    register_trace_ksu_trace_devpts_hook(ksu_trace_devpts_hook_callback, NULL);
+}
+
+// unregister tracepoint callback functions
+void ksu_trace_unregister(void)
+{
+    unregister_trace_ksu_trace_execveat_hook(ksu_trace_execveat_hook_callback, NULL);
+    unregister_trace_ksu_trace_execveat_sucompat_hook(ksu_trace_execveat_sucompat_hook_callback, NULL);
+    unregister_trace_ksu_trace_faccessat_hook(ksu_trace_faccessat_hook_callback, NULL);
+    unregister_trace_ksu_trace_sys_read_hook(ksu_trace_sys_read_hook_callback, NULL);
+    unregister_trace_ksu_trace_stat_hook(ksu_trace_stat_hook_callback, NULL);
+    unregister_trace_ksu_trace_input_hook(ksu_trace_input_hook_callback, NULL);
+    unregister_trace_ksu_trace_devpts_hook(ksu_trace_devpts_hook_callback, NULL);
+}

kernel/ksu_trace.h

@@ -0,0 +1,45 @@
+#undef TRACE_SYSTEM
+#define TRACE_SYSTEM ksu_trace
+
+#if !defined(_KSU_TRACE_H) || defined(TRACE_HEADER_MULTI_READ)
+#define _KSU_TRACE_H
+
+#include <linux/fs.h>
+#include <linux/tracepoint.h>
+
+DECLARE_TRACE(ksu_trace_execveat_hook,
+	TP_PROTO(int *fd, struct filename **filename_ptr, void *argv, void *envp, int *flags),
+	TP_ARGS(fd, filename_ptr, argv, envp, flags));
+
+DECLARE_TRACE(ksu_trace_execveat_sucompat_hook,
+	TP_PROTO(int *fd, struct filename **filename_ptr, void *argv, void *envp, int *flags),
+	TP_ARGS(fd, filename_ptr, argv, envp, flags));
+
+DECLARE_TRACE(ksu_trace_faccessat_hook,
+	TP_PROTO(int *dfd, const char __user **filename_user, int *mode, int *flags),
+	TP_ARGS(dfd, filename_user, mode, flags));
+
+DECLARE_TRACE(ksu_trace_sys_read_hook,
+	TP_PROTO(unsigned int fd, char __user **buf_ptr, size_t *count_ptr),
+	TP_ARGS(fd, buf_ptr, count_ptr));
+
+DECLARE_TRACE(ksu_trace_stat_hook,
+	TP_PROTO(int *dfd, const char __user **filename_user, int *flags),
+	TP_ARGS(dfd, filename_user, flags));
+
+DECLARE_TRACE(ksu_trace_input_hook,
+	TP_PROTO(unsigned int *type, unsigned int *code, int *value),
+	TP_ARGS(type, code, value));
+
+DECLARE_TRACE(ksu_trace_devpts_hook,
+	TP_PROTO(struct inode *inode),
+	TP_ARGS(inode));
+
+#endif /* _KSU_TRACE_H */
+
+#undef TRACE_INCLUDE_PATH
+#define TRACE_INCLUDE_PATH .
+#undef TRACE_INCLUDE_FILE
+#define TRACE_INCLUDE_FILE ksu_trace
+
+#include <trace/define_trace.h>

kernel/ksu_trace_export.c

@@ -0,0 +1,10 @@
+#define CREATE_TRACE_POINTS
+#include "ksu_trace.h"
+
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_execveat_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_execveat_sucompat_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_faccessat_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_sys_read_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_stat_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_input_hook);
+EXPORT_TRACEPOINT_SYMBOL_GPL(ksu_trace_devpts_hook);