kernel: use sys_enter tracepoint for sucompat (#533)

* use sys_enter tracepoint for sucompat * update sucompat rules * clean tif mark * mark tif after load allow list * clear all tif first, then mark target * Fix shell su * allow when escape * fix bugs * kernel: Resolve logical inconsistencies --------- Co-authored-by: Ylarod <me@ylarod.cn> Co-authored-by: weishu <twsxtd@gmail.com>
2025-11-06 12:45:37 +08:00
parent ee9c20f62a
commit 71353a70d4
16 changed files with 262 additions and 302 deletions
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -1,3 +1,5 @@
+#include "linux/cred.h"
+#include "linux/sched.h"
 #include <linux/version.h>
 #include "selinux_defs.h"
 #include "../klog.h" // IWYU pragma: keep
@@ -101,7 +103,7 @@ static inline u32 current_sid(void)
 }
 #endif

-bool is_ksu_domain(void)
+bool is_task_ksu_domain(const struct cred* cred)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
    struct lsm_context ctx;
@@ -110,10 +112,17 @@ bool is_ksu_domain(void)
    u32 seclen;
 #endif
    bool result;
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct *tsec = selinux_cred(cred);
+    if (!tsec) {
+        return false;
+    }
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-    int err = security_secid_to_secctx(current_sid(), &ctx);
+    int err = security_secid_to_secctx(tsec->sid, &ctx);
 #else
-    int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+    int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
 #endif

    if (err) {
@@ -130,9 +139,18 @@ bool is_ksu_domain(void)
    return result;
 }

-bool is_zygote(void *sec)
+bool is_ksu_domain()
 {
-    struct task_security_struct *tsec = (struct task_security_struct *)sec;
+    current_sid();
+    return is_task_ksu_domain(current_cred());
+}
+
+bool is_zygote(const struct cred* cred)
+{
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct * tsec = selinux_cred(cred);
    if (!tsec) {
        return false;
    }
--- a/kernel/selinux/selinux.h
+++ b/kernel/selinux/selinux.h
@@ -3,6 +3,7 @@

 #include <linux/types.h>
 #include <linux/version.h>
+#include "linux/sched.h"

 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) || defined(KSU_COMPAT_HAS_SELINUX_STATE)
 #define KSU_COMPAT_USE_SELINUX_STATE
@@ -14,9 +15,11 @@ void setenforce(bool);

 bool getenforce(void);

+bool is_task_ksu_domain(const struct cred* cred);
+
 bool is_ksu_domain(void);

-bool is_zygote(void *cred);
+bool is_zygote(const struct cred* cred);

 void apply_kernelsu_rules(void);