back to kprobe setuid hook

2025-11-02 10:56:29 +08:00
parent c06d694ebc
commit 7e446efac4
3 changed files with 53 additions and 97 deletions
--- a/kernel/.gitignore
+++ b/kernel/.gitignore
@@ -0,0 +1,21 @@
+.cache/
+.thinlto-cache/
+compile_commands.json
+*.ko
+*.o
+*.mod
+*.lds
+*.mod.o
+.*.o*
+.*.mod*
+*.ko*
+*.mod.c
+*.symvers*
+*.order
+.*.ko.cmd
+.tmp_versions/
+libs/
+obj/
+
+CLAUDE.md
+.ddk-version
--- a/kernel/arch.h
+++ b/kernel/arch.h
@@ -18,18 +18,12 @@
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc

-#define PRCTL_SYMBOL "__arm64_sys_prctl"
 #define REBOOT_SYMBOL "__arm64_sys_reboot"
+#define PRCTL_SYMBOL "__arm64_sys_prctl"
 #define SYS_READ_SYMBOL "__arm64_sys_read"
 #define SYS_NEWFSTATAT_SYMBOL "__arm64_sys_newfstatat"
 #define SYS_FACCESSAT_SYMBOL "__arm64_sys_faccessat"
 #define SYS_EXECVE_SYMBOL "__arm64_sys_execve"
-/*LSM HOOK*/
-#define SECURITY_TASK_FIX_SETUID_SYMBOL "security_task_fix_setuid"
-#define PRCTL_SYMBOL "__arm64_sys_prctl"
-#define INODE_PERMISSION_SYMBOL "security_inode_permission"
-#define BPRM_CHECK_SECURITY_SYMBOL "security_bprm_check"
-#define TASK_ALLOC_SYMBOL "security_task_alloc"

 #elif defined(__x86_64__)

@@ -46,18 +40,12 @@
 #define __PT_RC_REG ax
 #define __PT_SP_REG sp
 #define __PT_IP_REG ip
-#define PRCTL_SYMBOL "__x64_sys_prctl"
 #define REBOOT_SYMBOL "__x64_sys_reboot"
+#define PRCTL_SYMBOL "__x64_sys_prctl"
 #define SYS_READ_SYMBOL "__x64_sys_read"
 #define SYS_NEWFSTATAT_SYMBOL "__x64_sys_newfstatat"
 #define SYS_FACCESSAT_SYMBOL "__x64_sys_faccessat"
 #define SYS_EXECVE_SYMBOL "__x64_sys_execve"
-/*LSM HOOK*/
-#define SECURITY_TASK_FIX_SETUID_SYMBOL "security_task_fix_setuid"
-#define PRCTL_SYMBOL "__x64_sys_prctl"
-#define INODE_PERMISSION_SYMBOL "security_inode_permission"
-#define BPRM_CHECK_SECURITY_SYMBOL "security_bprm_check"
-#define TASK_ALLOC_SYMBOL "security_task_alloc"

 #else
 #error "Unsupported arch"
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -23,7 +23,6 @@
 #include <linux/uaccess.h>
 #include <linux/uidgid.h>
 #include <linux/version.h>
-#include <linux/lsm_hooks.h>
 #include <linux/binfmts.h>
 #include <linux/tty.h>

@@ -70,9 +69,6 @@ static void ksu_try_escalate_for_uid(uid_t uid)
 }
 #endif

-static int (*original_cap_task_fix_setuid)(struct cred *new, const struct cred *old, int flags);
-static struct security_hook_list *ksu_hooked_security_hook;
-
 static inline bool is_allow_su()
 {
    if (is_manager()) {
@@ -604,17 +600,6 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
    return 0;
 }

-static int ksu_task_fix_setuid_hook(struct cred *new, const struct cred *old, int flags)
-{
-    ksu_handle_setuid(new, old);
-
-    if (original_cap_task_fix_setuid) {
-        return original_cap_task_fix_setuid(new, old, flags);
-    }
-
-    return 0;
-}
-
 // Init functons - kprobe hooks

 // 1. Reboot hook for installing fd
@@ -644,6 +629,22 @@ static struct kprobe reboot_kp = {
    .pre_handler = reboot_handler_pre,
 };

+// 2. security_task_fix_setuid hook for handling setuid
+static int security_task_fix_setuid_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+    struct pt_regs *real_regs = PT_REAL_REGS(regs);
+    struct cred *new = (struct cred *)PT_REGS_PARM1(real_regs);
+    const struct cred *old = (const struct cred *)PT_REGS_PARM2(real_regs);
+
+    ksu_handle_setuid(new, old);
+
+    return 0;
+}
+
+static struct kprobe security_task_fix_setuid_kp = {
+    .symbol_name = "security_task_fix_setuid",
+    .pre_handler = security_task_fix_setuid_handler_pre,
+};

 // 3. prctl hook for handling ksu prctl commands
 static int handler_pre(struct kprobe *p, struct pt_regs *regs)
@@ -678,7 +679,7 @@ static int ksu_inode_permission_handler_pre(struct kprobe *p, struct pt_regs *re
 }

 static struct kprobe ksu_inode_permission_kp = {
-    .symbol_name = INODE_PERMISSION_SYMBOL,
+    .symbol_name = "security_inode_permission",
    .pre_handler = ksu_inode_permission_handler_pre,
 };

@@ -714,7 +715,7 @@ static int ksu_bprm_check_handler_pre(struct kprobe *p, struct pt_regs *regs)
 }

 static struct kprobe ksu_bprm_check_kp = {
-    .symbol_name = BPRM_CHECK_SECURITY_SYMBOL,
+    .symbol_name = "security_bprm_check",
    .pre_handler = ksu_bprm_check_handler_pre,
 };

@@ -729,73 +730,11 @@ static int ksu_task_alloc_handler_pre(struct kprobe *p, struct pt_regs *regs)
 }

 static struct kprobe ksu_task_alloc_kp = {
-    .symbol_name = TASK_ALLOC_SYMBOL,
+    .symbol_name = "security_task_alloc",
    .pre_handler = ksu_task_alloc_handler_pre,
 };
 #endif

-#define GET_SYMBOL_ADDR(sym)                                                   \
-    ({                                                                         \
-        void *addr = kallsyms_lookup_name(#sym ".cfi_jt");                     \
-        if (!addr) {                                                           \
-            addr = kallsyms_lookup_name(#sym);                                 \
-        }                                                                      \
-        addr;                                                                  \
-    })
-
-
-void ksu_lsm_hook_init(void)
-{
-    void *cap_setuid = GET_SYMBOL_ADDR(cap_task_fix_setuid);
-    if (!cap_setuid) {
-        pr_err("Failed to find cap_task_fix_setuid symbol\n");
-        return;
-    }
-
-
-    struct security_hook_list *hp;
-    hlist_for_each_entry(hp, &security_hook_heads.task_fix_setuid, list) {
-        if (hp->hook.task_fix_setuid == cap_setuid) {
-            pr_info("Found original task_fix_setuid LSM hook, patching it\n");
-
-            original_cap_task_fix_setuid = cap_setuid;
-            ksu_hooked_security_hook = hp;
-
-            u64 page_addr = (u64)&hp->hook.task_fix_setuid & PAGE_MASK;
-            set_memory_rw(page_addr, 1);
-            hp->hook.task_fix_setuid = ksu_task_fix_setuid_hook;
-            set_memory_ro(page_addr, 1);
-
-            pr_info("LSM hook patched successfully\n");
-            break;
-        }
-    }
-
-    smp_mb();
-}
-
-void ksu_lsm_hook_exit(void)
-{
-    if (!ksu_hooked_security_hook || !original_cap_task_fix_setuid) {
-        pr_info("No LSM hook to restore\n");
-        return;
-    }
-
-    pr_info("Restoring original task_fix_setuid LSM hook\n");
-
-    u64 page_addr = (u64)&ksu_hooked_security_hook->hook.task_fix_setuid & PAGE_MASK;
-    set_memory_rw(page_addr, 1);
-    ksu_hooked_security_hook->hook.task_fix_setuid = original_cap_task_fix_setuid;
-    set_memory_ro(page_addr, 1);
-
-    smp_mb();
-
-    original_cap_task_fix_setuid = NULL;
-    ksu_hooked_security_hook = NULL;
-
-    pr_info("LSM hook restored successfully\n");
-}
-
 __maybe_unused int ksu_kprobe_init(void)
 {
    int rc = 0;
@@ -808,6 +747,15 @@ __maybe_unused int ksu_kprobe_init(void)
        pr_info("reboot kprobe registered successfully\n");
    }

+    rc = register_kprobe(&security_task_fix_setuid_kp);
+    if (rc) {
+        pr_err("security_task_fix_setuid kprobe failed: %d\n", rc);
+        unregister_kprobe(&reboot_kp);
+    } else {
+        pr_info("security_task_fix_setuid kprobe registered successfully\n");
+    }
+    
+
    // Register prctl kprobe
    rc = register_kprobe(&prctl_kp);
    if (rc) {
@@ -848,6 +796,7 @@ __maybe_unused int ksu_kprobe_init(void)
 __maybe_unused int ksu_kprobe_exit(void)
 {
    unregister_kprobe(&reboot_kp);
+    unregister_kprobe(&security_task_fix_setuid_kp);
    unregister_kprobe(&prctl_kp);
    unregister_kprobe(&ksu_inode_permission_kp);
    unregister_kprobe(&ksu_bprm_check_kp);
@@ -859,7 +808,6 @@ __maybe_unused int ksu_kprobe_exit(void)

 void __init ksu_core_init(void)
 {
-    ksu_lsm_hook_init();
 #ifdef CONFIG_KPROBES
    int rc = ksu_kprobe_init();
    if (rc) {
@@ -875,9 +823,8 @@ void ksu_core_exit(void)
 #if __SULOG_GATE
    ksu_sulog_exit();
 #endif
-    pr_info("ksu_core_exit\n");
-    ksu_lsm_hook_exit();
 #ifdef CONFIG_KPROBES
+    pr_info("ksu_core_exit\n");
    ksu_kprobe_exit();
 #endif
 }