From 704f7cba3209a0a208699d8db416786b92a96583 Mon Sep 17 00:00:00 2001 From: AlexLiuDev233 Date: Sat, 8 Nov 2025 12:46:25 +0800 Subject: [PATCH] kernel: core_hook: disable seccomp in 5.10.2- for allowed uids (#545) * kernel: core_hook: disable seccomp in 5.10.2- for allowed uids we dont have those new fancy things upstream has lets just do original thing where we disable seccomp * Update kernel/core_hook.c * fmt --------- Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: Saksham Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- kernel/core_hook.c | 18 +++++++++++++++--- kernel/kernel_compat.c | 3 +++ kernel/kernel_compat.h | 2 ++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/kernel/core_hook.c b/kernel/core_hook.c index 4ba5eb5b..cb54978d 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -561,16 +561,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old) } // if on private space, see if its possibly the manager - if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) { + if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) { ksu_set_manager_uid(new_uid.val); } - if (ksu_get_manager_uid() == new_uid.val) { + if (unlikely(ksu_get_manager_uid() == new_uid.val)) { pr_info("install fd for: %d\n", new_uid.val); ksu_install_fd(); spin_lock_irq(¤t->sighand->siglock); +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot); +#else + // we dont have those new fancy things upstream has + // lets just do original thing where we disable seccomp + disable_seccomp(); +#endif if (ksu_su_compat_enabled) { ksu_set_task_tracepoint_flag(current); } 
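Review bot: The `#else` fallback added in the manager branch calls `disable_seccomp()`, which, judging by its name and the commit message, drops the task's whole seccomp filter, whereas the `#if` side only adds `__NR_reboot` to the filter's allow cache; the same fallback is added in the allowed-uid hunk at `@@ -578,11 +584,17 @@`. On kernels below 5.10.2 the manager and every allowed uid would therefore run with no syscall filtering at all, and the comment should state that, for example `// pre-5.10.2: no action cache to patch, so the whole filter is dropped for this task, not only __NR_reboot`. `disable_seccomp()` is defined outside the diff and is called here with `siglock` held and IRQs off, so confirm it expects the lock to be held and does not take it itself. The manager branch also lacks the `seccomp.mode == SECCOMP_MODE_FILTER && seccomp.filter` guard that the second hunk has around the same calls. `ksu_handle_setuid` starts and ends outside both hunks.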
@@ -578,11 +584,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old) return 0; } - if (ksu_is_allow_uid_for_current(new_uid.val)) { + if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) { if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) { spin_lock_irq(¤t->sighand->siglock); +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot); +#else + // we don't have those new fancy things upstream has + // lets just do original thing where we disable seccomp + disable_seccomp(); +#endif spin_unlock_irq(¤t->sighand->siglock); } if (ksu_su_compat_enabled) { diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c index c8d3f4b9..9b3c7b99 100644 --- a/kernel/kernel_compat.c +++ b/kernel/kernel_compat.c @@ -95,6 +95,7 @@ long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr, return strncpy_from_user_nofault(dst, unsafe_addr, count); } +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 struct action_cache { DECLARE_BITMAP(allow_native, SECCOMP_ARCH_NATIVE_NR); #ifdef SECCOMP_ARCH_COMPAT @@ -150,3 +151,5 @@ void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr) } #endif } + +#endif \ No newline at end of file diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h index 671ce558..dc4c3996 100644 --- a/kernel/kernel_compat.h +++ b/kernel/kernel_compat.h @@ -48,7 +48,9 @@ static long ksu_copy_from_user_retry(void *to, return copy_from_user(to, from, count); } +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr); extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr); +#endif #endif
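Review bot: The new `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2)` around `struct action_cache` and `ksu_seccomp_allow_cache` in `kernel/kernel_compat.c` gates on the version number alone, although its own comment says the feature is an Android backport. A 5.10.y tree at or above 5.10.2 that lacks the backport would still compile this path, and the local `struct action_cache` mirror would then presumably not match the kernel's real filter layout, so the bitmap write could land on unrelated kernel memory. Consider also testing a macro that only exists with the cache, e.g. `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) && defined(SECCOMP_ARCH_NATIVE)`, and using the same condition in `kernel_compat.h` and at both `core_hook.c` sites so the three files cannot disagree. The body of `ksu_seccomp_allow_cache` lies mostly outside these hunks, so the layout concern is inferred rather than visible.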