From 86cd05e206b6b97f5a7954560b327563e835cbee Mon Sep 17 00:00:00 2001 From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Date: Sun, 9 Nov 2025 04:35:29 +0800 Subject: [PATCH] Attempt to refactor and migrate `inode_permission`, `bprm_check_security`, and `task_alloc` entirely to `syscall_hook_manager` kernel: fix build --- kernel/Makefile | 3 +- kernel/app_profile.c | 2 - kernel/kernel_umount.c | 110 +++++++++++++++++++---- kernel/kernel_umount.h | 4 + kernel/kprobe_hook_manager.c | 163 ---------------------------------- kernel/kprobe_hook_manager.h | 23 ----- kernel/ksu.c | 3 - kernel/ksud.c | 12 +++ kernel/manual_su.c | 9 ++ kernel/manual_su.h | 1 + kernel/setuid_hook.c | 98 +------------------- kernel/sucompat.c | 1 + kernel/syscall_hook_manager.c | 97 ++++++++++++++++++++ kernel/syscall_hook_manager.h | 14 +++ 14 files changed, 237 insertions(+), 303 deletions(-) delete mode 100644 kernel/kprobe_hook_manager.c delete mode 100644 kernel/kprobe_hook_manager.h diff --git a/kernel/Makefile b/kernel/Makefile index c25ca643..8fa60590 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -7,9 +7,8 @@ kernelsu-objs += sucompat.o kernelsu-objs += syscall_hook_manager.o kernelsu-objs += throne_tracker.o kernelsu-objs += pkg_observer.o -kernelsu-objs += umount_manager.o -kernelsu-objs += kprobe_hook_manager.o kernelsu-objs += setuid_hook.o +kernelsu-objs += kernel_compat.o kernelsu-objs += kernel_umount.o kernelsu-objs += supercalls.o kernelsu-objs += feature.o diff --git a/kernel/app_profile.c b/kernel/app_profile.c index e8f040ed..b62b0ba5 100644 --- a/kernel/app_profile.c +++ b/kernel/app_profile.c @@ -15,8 +15,6 @@ #include "sucompat.h" #include "sulog.h" -#include "kprobe_hook_manager.h" - #if LINUX_VERSION_CODE >= KERNEL_VERSION (6, 7, 0) static struct group_info root_groups = { .usage = REFCOUNT_INIT(2), }; diff --git a/kernel/kernel_umount.c b/kernel/kernel_umount.c index b9e5c1f4..13d1b7a3 100644 --- a/kernel/kernel_umount.c +++ b/kernel/kernel_umount.c @@ -1,6 +1,7 @@ #include #include #include +#include #include #include #include @@ -10,6 +11,11 @@ #include #include +#ifdef CONFIG_KSU_SUSFS +#include +#include +#endif // #ifdef CONFIG_KSU_SUSFS + #include "kernel_umount.h" #include "klog.h" // IWYU pragma: keep #include "allowlist.h" @@ -17,6 +23,13 @@ #include "feature.h" #include "ksud.h" +#ifdef CONFIG_KSU_SUSFS +extern bool susfs_is_mnt_devname_ksu(struct path *path); +#ifdef CONFIG_KSU_SUSFS_ENABLE_LOG +extern bool susfs_is_log_enabled __read_mostly; +#endif // #ifdef CONFIG_KSU_SUSFS_ENABLE_LOG +#endif // #ifdef CONFIG_KSU_SUSFS + static bool ksu_kernel_umount_enabled = true; static int kernel_umount_feature_get(u64 *value) @@ -50,27 +63,61 @@ static bool should_umount(struct path *path) pr_info("ignore global mnt namespace process: %d\n", current_uid().val); return false; } - +#ifdef CONFIG_KSU_SUSFS + return susfs_is_mnt_devname_ksu(path); +#else if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) { const char *fstype = path->mnt->mnt_sb->s_type->name; return strcmp(fstype, "overlay") == 0; } return false; +#endif } -extern int path_umount(struct path *path, int flags); - -static void ksu_umount_mnt(struct path *path, int flags) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) || defined(KSU_HAS_PATH_UMOUNT) +static int ksu_path_umount(struct path *path, int flags) { - int err = path_umount(path, flags); - if (err) { - pr_info("umount %s failed: %d\n", path->dentry->d_iname, err); - } + return path_umount(path, flags); +} +#define ksu_umount_mnt(__unused, path, flags) (ksu_path_umount(path, flags)) +#else +// TODO: Search a way to make this works without set_fs functions +static int ksu_sys_umount(const char *mnt, int flags) +{ + char __user *usermnt = (char __user *)mnt; + mm_segment_t old_fs; + int ret; // although asmlinkage long + + old_fs = get_fs(); + set_fs(KERNEL_DS); +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0) + ret = ksys_umount(usermnt, flags); +#else + ret = sys_umount(usermnt, flags); // cuz asmlinkage long sys##name +#endif + set_fs(old_fs); + pr_info("%s was called, ret: %d\n", __func__, ret); + return ret; } -static void try_umount(const char *mnt, bool check_mnt, int flags) +#define ksu_umount_mnt(mnt, __unused, flags) \ + ({ \ + int ret; \ + path_put(__unused); \ + ret = ksu_sys_umount(mnt, flags); \ + ret; \ + }) + +#endif + +#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT +void try_umount(const char *mnt, bool check_mnt, int flags, uid_t uid) +#else +void try_umount(const char *mnt, bool check_mnt, int flags) +#endif { struct path path; + int ret; int err = kern_path(mnt, 0, &path); if (err) { return; @@ -88,9 +135,46 @@ static void try_umount(const char *mnt, bool check_mnt, int flags) return; } - ksu_umount_mnt(&path, flags); +#if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) + if (susfs_is_log_enabled) { + pr_info("susfs: umounting '%s' for uid: %d\n", mnt, uid); + } +#endif + + ret = ksu_umount_mnt(mnt, &path, flags); + if (ret) { +#ifdef CONFIG_KSU_DEBUG + pr_info("%s: path: %s, ret: %d\n", __func__, mnt, ret); +#endif + } } +#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT +void susfs_try_umount_all(uid_t uid) { + susfs_try_umount(uid); + /* For Legacy KSU only */ + try_umount("/odm", true, 0, uid); + try_umount("/system", true, 0, uid); + try_umount("/vendor", true, 0, uid); + try_umount("/product", true, 0, uid); + try_umount("/system_ext", true, 0, uid); + // - For '/data/adb/modules' we pass 'false' here because it is a loop device that we can't determine whether + // its dev_name is KSU or not, and it is safe to just umount it if it is really a mountpoint + try_umount("/data/adb/modules", false, MNT_DETACH, uid); + try_umount("/data/adb/kpm", false, MNT_DETACH, uid); + /* For both Legacy KSU and Magic Mount KSU */ + try_umount("/debug_ramdisk", true, MNT_DETACH, uid); + try_umount("/sbin", false, MNT_DETACH, uid); + + // try umount hosts file + try_umount("/system/etc/hosts", false, MNT_DETACH, uid); + + // try umount lsposed dex2oat bins + try_umount("/apex/com.android.art/bin/dex2oat64", false, MNT_DETACH, uid); + try_umount("/apex/com.android.art/bin/dex2oat32", false, MNT_DETACH, uid); +} +#endif + struct umount_tw { struct callback_head cb; const struct cred *old_cred; @@ -171,6 +255,7 @@ static void umount_tw_func(struct callback_head *cb) kfree(tw); } +#endif static inline bool is_appuid(uid_t uid) { @@ -249,11 +334,6 @@ int ksu_handle_umount(uid_t old_uid, uid_t new_uid) void ksu_kernel_umount_init(void) { - int rc = 0; - rc = ksu_umount_manager_init(); - if (rc) { - pr_err("Failed to initialize umount manager: %d\n", rc); - } if (ksu_register_feature_handler(&kernel_umount_handler)) { pr_err("Failed to register kernel_umount feature handler\n"); } diff --git a/kernel/kernel_umount.h b/kernel/kernel_umount.h index 4c7a158c..e172d5b2 100644 --- a/kernel/kernel_umount.h +++ b/kernel/kernel_umount.h @@ -6,6 +6,10 @@ void ksu_kernel_umount_init(void); void ksu_kernel_umount_exit(void); +#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT +void susfs_try_umount_all(uid_t uid); +#endif + // Handler function to be called from setresuid hook int ksu_handle_umount(uid_t old_uid, uid_t new_uid); diff --git a/kernel/kprobe_hook_manager.c b/kernel/kprobe_hook_manager.c deleted file mode 100644 index 7326aa5d..00000000 --- a/kernel/kprobe_hook_manager.c +++ /dev/null @@ -1,163 +0,0 @@ -#include "kprobe_hook_manager.h" -#include -#include -#include -#include -#include -#include -#include - -#include "arch.h" -#include "klog.h" -#include "ksud.h" - -#ifdef CONFIG_KSU_MANUAL_SU -#include "manual_su.h" -#endif - -#ifdef CONFIG_COMPAT -bool ksu_is_compat __read_mostly = false; -#endif - -#ifdef CONFIG_KSU_MANUAL_SU -static void ksu_try_escalate_for_uid(uid_t uid) -{ - if (!is_pending_root(uid)) - return; - - pr_info("pending_root: UID=%d temporarily allowed\n", uid); - remove_pending_root(uid); -} -#endif - -// inode_permission hook for handling devpts -static int ksu_inode_permission_handler_pre(struct kprobe *p, struct pt_regs *regs) -{ - struct inode *inode = (struct inode *)PT_REGS_PARM1(regs); - - if (inode && inode->i_sb && unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) { - // pr_info("%s: handling devpts for: %s \n", __func__, current->comm); - __ksu_handle_devpts(inode); - } - - return 0; -} - -static struct kprobe ksu_inode_permission_kp = { - .symbol_name = "security_inode_permission", - .pre_handler = ksu_inode_permission_handler_pre, -}; - - -// bprm_check_security hook for handling ksud compatibility -static int ksu_bprm_check_handler_pre(struct kprobe *p, struct pt_regs *regs) -{ - struct linux_binprm *bprm = (struct linux_binprm *)PT_REGS_PARM1(regs); - char *filename = (char *)bprm->filename; - - if (likely(!ksu_execveat_hook)) - return 0; - -#ifdef CONFIG_COMPAT - static bool compat_check_done __read_mostly = false; - if (unlikely(!compat_check_done) && unlikely(!strcmp(filename, "/data/adb/ksud")) - && !memcmp(bprm->buf, "\x7f\x45\x4c\x46", 4)) { - if (bprm->buf[4] == 0x01) - ksu_is_compat = true; - - pr_info("%s: %s ELF magic found! ksu_is_compat: %d \n", __func__, filename, ksu_is_compat); - compat_check_done = true; - } -#endif - - ksu_handle_pre_ksud(filename); - -#ifdef CONFIG_KSU_MANUAL_SU - ksu_try_escalate_for_uid(current_uid().val); -#endif - - return 0; -} - -static struct kprobe ksu_bprm_check_kp = { - .symbol_name = "security_bprm_check", - .pre_handler = ksu_bprm_check_handler_pre, -}; - -#ifdef CONFIG_KSU_MANUAL_SU -// task_alloc hook for handling manual su escalation -static int ksu_task_alloc_handler_pre(struct kprobe *p, struct pt_regs *regs) -{ - struct task_struct *task = (struct task_struct *)PT_REGS_PARM1(regs); - - ksu_try_escalate_for_uid(task_uid(task).val); - return 0; -} - -static struct kprobe ksu_task_alloc_kp = { - .symbol_name = "security_task_alloc", - .pre_handler = ksu_task_alloc_handler_pre, -}; -#endif - -__maybe_unused int ksu_kprobe_init(void) -{ - int rc = 0; - - // Register inode_permission kprobe - rc = register_kprobe(&ksu_inode_permission_kp); - if (rc) { - pr_err("inode_permission kprobe failed: %d\n", rc); - } else { - pr_info("inode_permission kprobe registered successfully\n"); - } - - // Register bprm_check_security kprobe - rc = register_kprobe(&ksu_bprm_check_kp); - if (rc) { - pr_err("bprm_check_security kprobe failed: %d\n", rc); - } else { - pr_info("bprm_check_security kprobe registered successfully\n"); - } - -#ifdef CONFIG_KSU_MANUAL_SU - // Register task_alloc kprobe - rc = register_kprobe(&ksu_task_alloc_kp); - if (rc) { - pr_err("task_alloc kprobe failed: %d\n", rc); - } else { - pr_info("task_alloc kprobe registered successfully\n"); - } -#endif - - return 0; -} - -__maybe_unused int ksu_kprobe_exit(void) -{ - unregister_kprobe(&ksu_inode_permission_kp); - unregister_kprobe(&ksu_bprm_check_kp); -#ifdef CONFIG_KSU_MANUAL_SU - unregister_kprobe(&ksu_task_alloc_kp); -#endif - return 0; -} - -void ksu_kprobe_hook_init(void) -{ - int rc = 0; -#ifdef CONFIG_KPROBES - rc = ksu_kprobe_init(); - if (rc) { - pr_err("ksu_kprobe_init failed: %d\n", rc); - } -#endif -} - -void ksu_kprobe_hook_exit(void) -{ -#ifdef CONFIG_KPROBES - pr_info("ksu_core_exit\n"); - ksu_kprobe_exit(); -#endif -} \ No newline at end of file diff --git a/kernel/kprobe_hook_manager.h b/kernel/kprobe_hook_manager.h deleted file mode 100644 index 2a610cc1..00000000 --- a/kernel/kprobe_hook_manager.h +++ /dev/null @@ -1,23 +0,0 @@ -#ifndef __KSU_H_KSU_KBROBES_HOOK_MANAGER -#define __KSU_H_KSU_KBROBES_HOOK_MANAGER - -#include -#include -#include -#include -#include -#include "selinux/selinux.h" -#include "objsec.h" - -#ifndef DEVPTS_SUPER_MAGIC -#define DEVPTS_SUPER_MAGIC 0x1cd1 -#endif - -extern bool ksu_is_compat __read_mostly; - -extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c - -void ksu_kprobe_hook_init(void); -void ksu_kprobe_hook_exit(void); - -#endif \ No newline at end of file diff --git a/kernel/ksu.c b/kernel/ksu.c index 74fb2f1a..ad52ec68 100644 --- a/kernel/ksu.c +++ b/kernel/ksu.c @@ -16,7 +16,6 @@ #include "sulog.h" #include "throne_comm.h" #include "dynamic_manager.h" -#include "kprobe_hook_manager.h" #ifdef CONFIG_KSU_SUSFS #include @@ -31,12 +30,10 @@ bool ksu_queue_work(struct work_struct *work) void sukisu_custom_config_init(void) { - ksu_kprobe_hook_init(); } void sukisu_custom_config_exit(void) { - ksu_kprobe_hook_exit(); ksu_uid_exit(); ksu_throne_comm_exit(); ksu_dynamic_manager_exit(); diff --git a/kernel/ksud.c b/kernel/ksud.c index 0b3efa68..e2d2cfe5 100644 --- a/kernel/ksud.c +++ b/kernel/ksud.c @@ -107,6 +107,18 @@ void on_post_fs_data(void) pr_info("ksu_file sid: %d\n", ksu_file_sid); } +struct user_arg_ptr { +#ifdef CONFIG_COMPAT + bool is_compat; +#endif + union { + const char __user *const __user *native; +#ifdef CONFIG_COMPAT + const compat_uptr_t __user *compat; +#endif + } ptr; +}; + extern void ext4_unregister_sysfs(struct super_block *sb); static void nuke_ext4_sysfs(void) { diff --git a/kernel/manual_su.c b/kernel/manual_su.c index c721e430..f3c327ba 100644 --- a/kernel/manual_su.c +++ b/kernel/manual_su.c @@ -346,3 +346,12 @@ static void add_pending_root(uid_t uid) ksu_temp_grant_root_once(uid); pr_info("pending_root: cached UID %d\n", uid); } + +void ksu_try_escalate_for_uid(uid_t uid) +{ + if (!is_pending_root(uid)) + return; + + pr_info("pending_root: UID=%d temporarily allowed\n", uid); + remove_pending_root(uid); +} diff --git a/kernel/manual_su.h b/kernel/manual_su.h index 4833b923..ae8af6e6 100644 --- a/kernel/manual_su.h +++ b/kernel/manual_su.h @@ -45,4 +45,5 @@ struct ksu_token_entry { int ksu_handle_manual_su_request(int option, struct manual_su_request *request); bool is_pending_root(uid_t uid); void remove_pending_root(uid_t uid); +void ksu_try_escalate_for_uid(uid_t uid); #endif diff --git a/kernel/setuid_hook.c b/kernel/setuid_hook.c index 5b322c33..39e95207 100644 --- a/kernel/setuid_hook.c +++ b/kernel/setuid_hook.c @@ -488,98 +488,6 @@ static bool is_appuid(uid_t uid) return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID; } -static bool should_umount(struct path *path) -{ - if (!path) { - return false; - } - - if (current->nsproxy->mnt_ns == init_nsproxy.mnt_ns) { - pr_info("ignore global mnt namespace process: %d\n", - current_uid().val); - return false; - } - - if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) { - const char *fstype = path->mnt->mnt_sb->s_type->name; - return strcmp(fstype, "overlay") == 0; - } - return false; -} -extern int path_umount(struct path *path, int flags); -static void ksu_umount_mnt(struct path *path, int flags) -{ - int err = path_umount(path, flags); - if (err) { - pr_info("umount %s failed: %d\n", path->dentry->d_iname, err); - } -} - -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -void try_umount(const char *mnt, bool check_mnt, int flags, uid_t uid) -#else -static void try_umount(const char *mnt, bool check_mnt, int flags) -#endif -{ - struct path path; - int ret; - int err = kern_path(mnt, 0, &path); - if (err) { - return; - } - - if (path.dentry != path.mnt->mnt_root) { - // it is not root mountpoint, maybe umounted by others already. - path_put(&path); - return; - } - - // we are only interest in some specific mounts - if (check_mnt && !should_umount(&path)) { - path_put(&path); - return; - } - -#if defined(CONFIG_KSU_SUSFS_TRY_UMOUNT) && defined(CONFIG_KSU_SUSFS_ENABLE_LOG) - if (susfs_is_log_enabled) { - pr_info("susfs: umounting '%s' for uid: %d\n", mnt, uid); - } -#endif - - ret = ksu_umount_mnt(mnt, &path, flags); - if (ret) { -#ifdef CONFIG_KSU_DEBUG - pr_info("%s: path: %s, ret: %d\n", __func__, mnt, ret); -#endif - } -} - -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -void susfs_try_umount_all(uid_t uid) { - susfs_try_umount(uid); - /* For Legacy KSU only */ - try_umount("/odm", true, 0, uid); - try_umount("/system", true, 0, uid); - try_umount("/vendor", true, 0, uid); - try_umount("/product", true, 0, uid); - try_umount("/system_ext", true, 0, uid); - // - For '/data/adb/modules' we pass 'false' here because it is a loop device that we can't determine whether - // its dev_name is KSU or not, and it is safe to just umount it if it is really a mountpoint - try_umount("/data/adb/modules", false, MNT_DETACH, uid); - try_umount("/data/adb/kpm", false, MNT_DETACH, uid); - /* For both Legacy KSU and Magic Mount KSU */ - try_umount("/debug_ramdisk", true, MNT_DETACH, uid); - try_umount("/sbin", false, MNT_DETACH, uid); - - // try umount hosts file - try_umount("/system/etc/hosts", false, MNT_DETACH, uid); - - // try umount lsposed dex2oat bins - try_umount("/apex/com.android.art/bin/dex2oat64", false, MNT_DETACH, uid); - try_umount("/apex/com.android.art/bin/dex2oat32", false, MNT_DETACH, uid); -} -#endif - #ifdef CONFIG_KSU_SUSFS int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid) { @@ -672,7 +580,7 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid) // Handle kernel umount // We only interest in process spwaned by zygote - if (!susfs_is_sid_equal(old->security, susfs_zygote_sid)) { + if (!susfs_is_sid_equal(current->cred->security, susfs_zygote_sid)) { return 0; } @@ -682,7 +590,7 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid) } // - Since ksu maanger app uid is excluded in allow_list_arr, so ksu_uid_should_umount(manager_uid) - // will always return true, that's why we need to explicitly check if new_uid.val belongs to + // will always return true, that's why we need to explicitly check if new_uid belongs to // ksu manager if (ksu_is_manager_uid_valid() && (new_uid % 1000000 == ksu_get_manager_uid())) // % 1000000 in case it is private space uid @@ -726,7 +634,7 @@ do_umount: put_task_struct(current); #ifdef CONFIG_KSU_SUSFS_SUS_PATH - susfs_run_sus_path_loop(new_uid.val); + susfs_run_sus_path_loop(new_uid); #endif // #ifdef CONFIG_KSU_SUSFS_SUS_PATH return 0; } diff --git a/kernel/sucompat.c b/kernel/sucompat.c index 7d360331..eb36b094 100644 --- a/kernel/sucompat.c +++ b/kernel/sucompat.c @@ -264,6 +264,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, if (!ksu_su_compat_enabled) { return 0; } +#endif if (unlikely(!filename_user)) return 0; diff --git a/kernel/syscall_hook_manager.c b/kernel/syscall_hook_manager.c index de0822b6..a29bc2c3 100644 --- a/kernel/syscall_hook_manager.c +++ b/kernel/syscall_hook_manager.c @@ -9,6 +9,7 @@ #include #include #include +#include #include "allowlist.h" #include "arch.h" @@ -207,6 +208,10 @@ static inline bool check_syscall_fastpath(int nr) case __NR_faccessat: case __NR_execve: case __NR_setresuid: + case __NR_faccessat2: + case __NR_execveat: + case __NR_clone: + case __NR_clone3: return true; default: return false; @@ -232,6 +237,84 @@ int ksu_handle_init_mark_tracker(int *fd, const char __user **filename_user, return 0; } +#include "ksud.h" +#ifdef CONFIG_KSU_MANUAL_SU +#include "manual_su.h" +#endif + +#ifdef CONFIG_COMPAT +bool ksu_is_compat __read_mostly = false; +#endif + +#ifndef LOOKUP_FOLLOW +#define LOOKUP_FOLLOW 0x0001 +#endif + +static inline void ksu_handle_inode_permission(struct pt_regs *regs) +{ + struct inode *inode = NULL; + struct path path; + int dfd = (int)PT_REGS_PARM1(regs); + const char __user *filename = (const char __user *)PT_REGS_PARM2(regs); + + if (!user_path_at(dfd, filename, LOOKUP_FOLLOW, &path)) { + inode = path.dentry->d_inode; + if (inode && inode->i_sb && + unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) + __ksu_handle_devpts(inode); + path_put(&path); + } +} + +static inline void ksu_handle_bprm_check_security(struct pt_regs *regs, long id) +{ + const char __user *filename; + char path_buf[256]; + + if (id == __NR_execve) + filename = (const char __user *)PT_REGS_PARM1(regs); + else /* __NR_execveat */ + filename = (const char __user *)PT_REGS_PARM2(regs); + + if (!ksu_execveat_hook) + return; + + memset(path_buf, 0, sizeof(path_buf)); + strncpy_from_user_nofault(path_buf, filename, sizeof(path_buf)); + +#ifdef CONFIG_COMPAT + static bool compat_check_done __read_mostly = false; + if (unlikely(!compat_check_done) && + unlikely(!strcmp(path_buf, "/data/adb/ksud"))) { + char buf[4]; + struct file *file = filp_open(path_buf, O_RDONLY, 0); + if (!IS_ERR(file)) { + loff_t pos = 0; + kernel_read(file, buf, 4, &pos); + if (!memcmp(buf, "\x7f\x45\x4c\x46", 4)) { + char elf_class; + pos = 4; + kernel_read(file, &elf_class, 1, &pos); + if (elf_class == 0x01) + ksu_is_compat = true; + pr_info("%s: %s ELF magic found! ksu_is_compat: %d\n", + __func__, path_buf, ksu_is_compat); + compat_check_done = true; + } + filp_close(file, NULL); + } + } +#endif + ksu_handle_pre_ksud(path_buf); +} + +static inline void ksu_handle_task_alloc(struct pt_regs *regs) +{ +#ifdef CONFIG_KSU_MANUAL_SU + ksu_try_escalate_for_uid(current_uid().val); +#endif +} + #ifdef KSU_HAVE_SYSCALL_TRACEPOINTS_HOOK // Generic sys_enter handler that dispatches to specific handlers static void ksu_sys_enter_handler(void *data, struct pt_regs *regs, long id) @@ -281,6 +364,20 @@ static void ksu_sys_enter_handler(void *data, struct pt_regs *regs, long id) ksu_handle_setresuid(ruid, euid, suid); return; } + + // Handle inode_permission via faccessat + if (id == __NR_faccessat || id == __NR_faccessat2) + return ksu_handle_inode_permission(regs); + + // Handle bprm_check_security via execve/execveat + if (id == __NR_execve || id == __NR_execveat) + return ksu_handle_bprm_check_security(regs, id); + +#ifdef CONFIG_KSU_MANUAL_SU + // Handle task_alloc via clone/fork + if (id == __NR_clone || id == __NR_clone3) + return ksu_handle_task_alloc(regs); +#endif } } #endif diff --git a/kernel/syscall_hook_manager.h b/kernel/syscall_hook_manager.h index d8703345..19b4e24f 100644 --- a/kernel/syscall_hook_manager.h +++ b/kernel/syscall_hook_manager.h @@ -4,6 +4,20 @@ #include #include #include +#include +#include +#include +#include +#include "selinux/selinux.h" +#include "objsec.h" + +#ifndef DEVPTS_SUPER_MAGIC +#define DEVPTS_SUPER_MAGIC 0x1cd1 +#endif + +extern bool ksu_is_compat __read_mostly; + +extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c // Hook manager initialization and cleanup void ksu_syscall_hook_manager_init(void);