kernel: Update sucompat.c to improve hook state management and code clarity

Co-authored-by: rsuntk <90097027+rsuntk@users.noreply.github.com>
2025-06-12 15:53:17 +08:00
parent ad2721c050
commit 87b57d9eba
1 changed files with 80 additions and 96 deletions
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -8,14 +8,15 @@
 #include <linux/types.h>
 #include <linux/uaccess.h>
 #include <linux/version.h>
+#include <linux/ptrace.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 #include <linux/sched/task_stack.h>
-#ifdef CONFIG_KSU_SUSFS_SUS_SU
-#include <linux/susfs_def.h>
-#endif
 #else
 #include <linux/sched.h>
 #endif
+#ifdef CONFIG_KSU_SUSFS_SUS_SU
+#include <linux/susfs_def.h>
+#endif

 #include "objsec.h"
 #include "allowlist.h"
@@ -27,16 +28,10 @@
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"

-#ifndef CONFIG_KSU_KPROBES_HOOK
-static bool ksu_sucompat_non_kp __read_mostly = true;
-#endif
-
-#ifndef CONFIG_KSU_SUSFS_SUS_SU
-bool ksu_devpts_hook __read_mostly = true;
-#endif
-
 extern void ksu_escape_to_root();

+bool ksu_sucompat_hook_state __read_mostly = true;
+
 static void __user *userspace_stack_buffer(const void *d, size_t len)
 {
 	/* To avoid having to mmap a page in userspace, just write below the stack
@@ -48,8 +43,9 @@ static void __user *userspace_stack_buffer(const void *d, size_t len)

 static char __user *sh_user_path(void)
 {
-    static const char sh_path[] = SH_PATH;
-    return userspace_stack_buffer(sh_path, sizeof(sh_path));
+	static const char sh_path[] = "/system/bin/sh";
+
+	return userspace_stack_buffer(sh_path, sizeof(sh_path));
 }

 static char __user *ksud_user_path(void)
@@ -59,14 +55,16 @@ static char __user *ksud_user_path(void)
 	return userspace_stack_buffer(ksud_path, sizeof(ksud_path));
 }

-int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode, int *__unused_flags)
+int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
+			 int *__unused_flags)
 {
+
 	const char su[] = SU_PATH;

 #ifndef CONFIG_KSU_KPROBES_HOOK
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
+	if (!ksu_sucompat_hook_state) {
+		return 0;
+	}
 #endif

 	if (!ksu_is_allow_uid(current_uid().val)) {
@@ -87,25 +85,26 @@ int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,

 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) && defined(CONFIG_KSU_SUSFS_SUS_SU)
 struct filename* susfs_ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags) {
-    const char su[] = SU_PATH;
-    struct filename *name = getname_flags(*filename_user, getname_statx_lookup_flags(*flags), NULL);
+	// const char sh[] = SH_PATH;
+	const char su[] = SU_PATH;
+	struct filename *name = getname_flags(*filename_user, getname_statx_lookup_flags(*flags), NULL);

-    if (unlikely(IS_ERR(name) || name->name == NULL)) {
-        return name;
-    }
+	if (unlikely(IS_ERR(name) || name->name == NULL)) {
+		return name;
+	}

-    if (!ksu_is_allow_uid(current_uid().val)) {
-        return name;
-    }
+	if (!ksu_is_allow_uid(current_uid().val)) {
+		return name;
+	}

-    if (likely(memcmp(name->name, su, sizeof(su)))) {
-        return name;
-    }
+	if (likely(memcmp(name->name, su, sizeof(su)))) {
+		return name;
+	}

-    const char sh[] = SH_PATH;
-    pr_info("vfs_fstatat su->sh!\n");
-    memcpy((void *)name->name, sh, sizeof(sh));
-    return name;
+	const char sh[] = SH_PATH;
+	pr_info("vfs_fstatat su->sh!\n");
+	memcpy((void *)name->name, sh, sizeof(sh));
+	return name;
 }
 #endif

@@ -115,9 +114,9 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 	const char su[] = SU_PATH;

 #ifndef CONFIG_KSU_KPROBES_HOOK
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
+	if (!ksu_sucompat_hook_state) {
+		return 0;
+	}
 #endif

 	if (!ksu_is_allow_uid(current_uid().val)) {
@@ -130,79 +129,61 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)

 	char path[sizeof(su) + 1];
 	memset(path, 0, sizeof(path));
-// Remove this later!! we use syscall hook, so this will never happen!!!!!
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && 0
-	// it becomes a `struct filename *` after 5.18
-	// https://elixir.bootlin.com/linux/v5.18/source/fs/stat.c#L216
-	const char sh[] = SH_PATH;
-	struct filename *filename = *((struct filename **)filename_user);
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (likely(memcmp(filename->name, su, sizeof(su))))
-		return 0;
-	pr_info("vfs_statx su->sh!\n");
-	memcpy((void *)filename->name, sh, sizeof(sh));
-#else
+
 	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));

 	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("newfstatat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
-#endif

 	return 0;
 }

-int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr, void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
+int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
+				 void *__never_use_argv, void *__never_use_envp,
+				 int *__never_use_flags)
 {
 	struct filename *filename;
-    const char su[] = SU_PATH;
-    const char ksud[] = KSUD_PATH;
+	const char sh[] = KSUD_PATH;
+	const char su[] = SU_PATH;

 #ifndef CONFIG_KSU_KPROBES_HOOK
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
+	if (!ksu_sucompat_hook_state) {
+		return 0;
+	}
 #endif

-	if (unlikely(!filename_ptr)) {
-    return 0;
-	}
+	if (unlikely(!filename_ptr))
+		return 0;

 	filename = *filename_ptr;
-
 	if (IS_ERR(filename)) {
 		return 0;
 	}

-    if (likely(memcmp(filename->name, su, sizeof(su))))
-        return 0;
+	if (likely(memcmp(filename->name, su, sizeof(su))))
+		return 0;

-    if (!ksu_is_allow_uid(current_uid().val))
-        return 0;
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;

-    pr_info("do_execveat_common su found\n");
-    memcpy((void *)filename->name, ksud, sizeof(ksud));
+	pr_info("do_execveat_common su found\n");
+	memcpy((void *)filename->name, sh, sizeof(sh));

-    ksu_escape_to_root();
+	ksu_escape_to_root();

-    return 0;
+	return 0;
 }

-int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
+int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
+			       void *__never_use_argv, void *__never_use_envp,
+			       int *__never_use_flags)
 {
 	const char su[] = SU_PATH;
 	char path[sizeof(su) + 1];

-
-#ifndef CONFIG_KSU_KPROBES_HOOK
-	if (!ksu_sucompat_non_kp){
- 		return 0;
- 	}
-#endif
-
 	if (unlikely(!filename_user))
 		return 0;

@@ -211,7 +192,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, void
 	 * some cpus dont really have that good speculative execution
 	 * access_ok to substitute set_fs, we check if pointer is accessible
 	 */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,0,0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
 	if (!access_ok(VERIFY_READ, *filename_user, sizeof(path)))
 		return 0;
 #else
@@ -226,24 +207,24 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, void
 	// strncpy_from_user_nofault does this too
 	path[sizeof(path) - 1] = '\0';

-    if (likely(memcmp(path, su, sizeof(su))))
-        return 0;
+	if (likely(memcmp(path, su, sizeof(su))))
+		return 0;

-    if (!ksu_is_allow_uid(current_uid().val))
-        return 0;
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;

-    pr_info("sys_execve su found\n");
-    *filename_user = ksud_user_path();
+	pr_info("sys_execve su found\n");
+	*filename_user = ksud_user_path();

-    ksu_escape_to_root();
+	ksu_escape_to_root();

-    return 0;
+	return 0;
 }

 int ksu_handle_devpts(struct inode *inode)
 {
 #ifndef CONFIG_KSU_KPROBES_HOOK
-	if (!ksu_sucompat_non_kp) {
+	if (!ksu_sucompat_hook_state) {
 		return 0;
 	}
 #endif
@@ -252,10 +233,11 @@ int ksu_handle_devpts(struct inode *inode)
 		return 0;
 	}

-    uid_t uid = current_uid().val;
-    if (uid % 100000 < 10000) {
-        return 0;
-    }
+	uid_t uid = current_uid().val;
+	if (uid % 100000 < 10000) {
+		// not untrusted_app, ignore it
+		return 0;
+	}

 	if (!ksu_is_allow_uid(uid))
 		return 0;
@@ -264,7 +246,8 @@ int ksu_handle_devpts(struct inode *inode)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 		struct inode_security_struct *sec = selinux_inode(inode);
 #else
-        struct inode_security_struct *sec = (struct inode_security_struct *)inode->i_security;
+		struct inode_security_struct *sec =
+			(struct inode_security_struct *)inode->i_security;
 #endif
 		if (sec) {
 			sec->sid = ksu_devpts_sid;
@@ -275,6 +258,7 @@ int ksu_handle_devpts(struct inode *inode)
 }

 #ifdef CONFIG_KSU_KPROBES_HOOK
+
 static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
 	struct pt_regs *real_regs = PT_REAL_REGS(regs);
@@ -364,8 +348,8 @@ void ksu_sucompat_init()
 	su_kps[4] = init_kprobe(SYS_FSTATAT64_SYMBOL, newfstatat_handler_pre);
 	su_kps[5] = init_kprobe("pts_unix98_lookup", pts_unix98_lookup_pre);
 #else
-	ksu_sucompat_non_kp = true;
-	pr_info("ksu_sucompat_init: hooks enabled: execve/execveat_su, faccessat, stat\n");
+	ksu_sucompat_hook_state = true;
+	pr_info("ksu_sucompat init\n");
 #endif
 }

@@ -377,8 +361,8 @@ void ksu_sucompat_exit()
 		destroy_kprobe(&su_kps[i]);
 	}
 #else
-	ksu_sucompat_non_kp = false;
-	pr_info("ksu_sucompat_exit: hooks disabled: execve/execveat_su, faccessat, stat\n");
+	ksu_sucompat_hook_state = false;
+	pr_info("ksu_sucompat exit\n");
 #endif
 }

@@ -418,4 +402,4 @@ void ksu_susfs_enable_sus_su(void) {
 	ksu_devpts_hook = true;
 	susfs_sus_su_working_mode = SUS_SU_WITH_HOOKS;
 }
-#endif // CONFIG_KSU_SUSFS_SUS_SU
+#endif // #ifdef CONFIG_KSU_SUSFS_SUS_SU