kernel: handle seccomp_filter_release compat (#203)

* It's actually very excessive that we provide this thing
- Stale: https://github.com/rsuntk/KernelSU/pull/199

Signed-off-by: TwinbornPlate75 <3342733415@qq.com>
Signed-off-by: fc5b87cf <rissu.ntk@gmail.com>
Co-authored-by: TwinbornPlate75 <3342733415@qq.com>
fc5b87cf
2025-11-17 22:20:18 +07:00
committed by ShirkNeko
parent dc3de58aa6
commit 7782c00275
2 changed files with 21 additions and 5 deletions


@@ -145,7 +145,14 @@ endif
ifeq ($(shell grep -q "task_security_struct\s\+\*selinux_cred" $(srctree)/security/selinux/include/objsec.h; echo $$?),0) ifeq ($(shell grep -q "task_security_struct\s\+\*selinux_cred" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
ccflags-y += -DKSU_OPTIONAL_SELINUX_CRED ccflags-y += -DKSU_OPTIONAL_SELINUX_CRED
endif endif
# seccomp_types.h were added on 6.7
ifeq ($(shell grep -q "atomic_t\s\+filter_count" $(srctree)/include/linux/seccomp.h $(srctree)/include/linux/seccomp_types.h; echo $$?),0)
ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_CNT
endif
# some old kernel backport this, let's check if put_seccomp_filter still exist
ifneq ($(shell grep -wq "put_seccomp_filter" $(srctree)/kernel/seccomp.c $(srctree)/include/linux/seccomp.h; echo $$?),0)
ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_RELEASE
endif
ifeq ($(shell grep -q "anon_inode_getfd_secure" $(srctree)/fs/anon_inodes.c; echo $$?),0) ifeq ($(shell grep -q "anon_inode_getfd_secure" $(srctree)/fs/anon_inodes.c; echo $$?),0)
ccflags-y += -DKSU_HAS_GETFD_SECURE ccflags-y += -DKSU_HAS_GETFD_SECURE
endif endif
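Review bot: The `ifneq` probe for `put_seccomp_filter` defines `KSU_OPTIONAL_SECCOMP_FILTER_RELEASE` from the absence of a different symbol. Because it compares grep's exit status with 0, it also fires when grep fails outright (status 2, for example an unreadable file), not only when there is no match. Probing for the function the macro is named after is more direct: `ifeq ($(shell grep -wq "seccomp_filter_release" $(srctree)/include/linux/seccomp.h; echo $$?),0)`. This assumes the backports declare it in that header, which should be confirmed against the target trees. The `filter_count` probe above it names `seccomp_types.h`, which by its own comment only exists from 6.7, so on trees without that file grep can print a "No such file" error unless `-s` is added.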


@@ -222,16 +222,25 @@ void disable_seccomp(struct task_struct *tsk)
#ifdef CONFIG_SECCOMP #ifdef CONFIG_SECCOMP
tsk->seccomp.mode = 0; tsk->seccomp.mode = 0;
if (tsk->seccomp.filter) { if (tsk->seccomp.filter) {
// 5.9+ have filter_count and use seccomp_filter_release // 5.9+ have filter_count, but optional.
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) #ifdef KSU_OPTIONAL_SECCOMP_FILTER_CNT
seccomp_filter_release(tsk);
atomic_set(&tsk->seccomp.filter_count, 0); atomic_set(&tsk->seccomp.filter_count, 0);
#endif
// some old kernel backport seccomp_filter_release..
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) && \
defined(KSU_OPTIONAL_SECCOMP_FILTER_RELEASE)
seccomp_filter_release(tsk);
#else
// never, ever call seccomp_filter_release on 6.10+ (no effect)
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) && \
LINUX_VERSION_CODE < KERNEL_VERSION(6, 10, 0))
seccomp_filter_release(tsk);
#else #else
// for 6.11+ kernel support?
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
put_seccomp_filter(tsk); put_seccomp_filter(tsk);
#endif #endif
tsk->seccomp.filter = NULL; tsk->seccomp.filter = NULL;
#endif
#endif #endif
} }
#endif #endif
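Review bot: `tsk->seccomp.filter = NULL;` is compiled only in the innermost `#else`, so both `seccomp_filter_release(tsk)` branches rely on that helper clearing the pointer itself. A vendor backport on a pre-5.9 tree (the case `KSU_OPTIONAL_SECCOMP_FILTER_RELEASE` exists for) may not do so, which could leave a stale pointer that is released a second time at task exit. Moving the assignment below the outer `#endif` of the ladder, so every branch ends with `tsk->seccomp.filter = NULL;`, is harmless where the helper already cleared it. Separately, on 6.10+ the pointer is cleared with no release call at all, so the filter's reference appears never to be dropped; if that is the accepted cost, a comment such as `// 6.10+: seccomp_filter_release() has no effect here, so the filter reference is not dropped` would record it. The body of disable_seccomp starts above this hunk, so any locking or flag handling there is not visible.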