Attempt to refactor and migrate inode_permission, bprm_check_security, and task_alloc entirely to syscall_hook_manager

2025-11-09 02:52:46 +08:00
parent 548258f922
commit 88135d8363
10 changed files with 121 additions and 193 deletions
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -9,7 +9,6 @@ kernelsu-objs += throne_tracker.o
 kernelsu-objs += pkg_observer.o
 kernelsu-objs += throne_tracker.o
 kernelsu-objs += umount_manager.o
-kernelsu-objs += kprobe_hook_manager.o
 kernelsu-objs += setuid_hook.o
 kernelsu-objs += kernel_umount.o
 kernelsu-objs += supercalls.o
--- a/kernel/app_profile.c
+++ b/kernel/app_profile.c
@@ -15,8 +15,6 @@
 #include "sucompat.h"

 #include "sulog.h"
-#include "kprobe_hook_manager.h"
-

 #if LINUX_VERSION_CODE >= KERNEL_VERSION (6, 7, 0)
    static struct group_info root_groups = { .usage = REFCOUNT_INIT(2), };
--- a/kernel/kprobe_hook_manager.c
+++ b/kernel/kprobe_hook_manager.c
@@ -1,163 +0,0 @@
-#include "kprobe_hook_manager.h"
-#include <linux/err.h>
-#include <linux/slab.h>
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/kprobes.h>
-#include <linux/sched.h>
-#include <linux/uidgid.h>
-
-#include "arch.h"
-#include "klog.h"
-#include "ksud.h"
-
-#ifdef CONFIG_KSU_MANUAL_SU
-#include "manual_su.h"
-#endif
-
-#ifdef CONFIG_COMPAT
-bool ksu_is_compat __read_mostly = false;
-#endif
-
-#ifdef CONFIG_KSU_MANUAL_SU
-static void ksu_try_escalate_for_uid(uid_t uid)
-{
-    if (!is_pending_root(uid))
-        return;
-    
-    pr_info("pending_root: UID=%d temporarily allowed\n", uid);
-    remove_pending_root(uid);
-}
-#endif
-
-// inode_permission hook for handling devpts
-static int ksu_inode_permission_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-    struct inode *inode = (struct inode *)PT_REGS_PARM1(regs);
-
-    if (inode && inode->i_sb && unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
-        // pr_info("%s: handling devpts for: %s \n", __func__, current->comm);
-        __ksu_handle_devpts(inode);
-    }
-
-    return 0;
-}
-
-static struct kprobe ksu_inode_permission_kp = {
-    .symbol_name = "security_inode_permission",
-    .pre_handler = ksu_inode_permission_handler_pre,
-};
-
-
-// bprm_check_security hook for handling ksud compatibility
-static int ksu_bprm_check_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-    struct linux_binprm *bprm = (struct linux_binprm *)PT_REGS_PARM1(regs);
-    char *filename = (char *)bprm->filename;
-
-    if (likely(!ksu_execveat_hook))
-        return 0;
-
-#ifdef CONFIG_COMPAT
-    static bool compat_check_done __read_mostly = false;
-    if (unlikely(!compat_check_done) && unlikely(!strcmp(filename, "/data/adb/ksud"))
-        && !memcmp(bprm->buf, "\x7f\x45\x4c\x46", 4)) {
-        if (bprm->buf[4] == 0x01)
-            ksu_is_compat = true;
-
-        pr_info("%s: %s ELF magic found! ksu_is_compat: %d \n", __func__, filename, ksu_is_compat);
-        compat_check_done = true;
-    }
-#endif
-
-    ksu_handle_pre_ksud(filename);
-
-#ifdef CONFIG_KSU_MANUAL_SU
-    ksu_try_escalate_for_uid(current_uid().val);
-#endif
-
-    return 0;
-}
-
-static struct kprobe ksu_bprm_check_kp = {
-    .symbol_name = "security_bprm_check",
-    .pre_handler = ksu_bprm_check_handler_pre,
-};
-
-#ifdef CONFIG_KSU_MANUAL_SU
-// task_alloc hook for handling manual su escalation
-static int ksu_task_alloc_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-    struct task_struct *task = (struct task_struct *)PT_REGS_PARM1(regs);
-
-    ksu_try_escalate_for_uid(task_uid(task).val);
-    return 0;
-}
-
-static struct kprobe ksu_task_alloc_kp = {
-    .symbol_name = "security_task_alloc",
-    .pre_handler = ksu_task_alloc_handler_pre,
-};
-#endif
-
-__maybe_unused int ksu_kprobe_init(void)
-{
-    int rc = 0;
-
-    // Register inode_permission kprobe
-    rc = register_kprobe(&ksu_inode_permission_kp);
-    if (rc) {
-        pr_err("inode_permission kprobe failed: %d\n", rc);
-    } else {
-        pr_info("inode_permission kprobe registered successfully\n");
-    }
-
-    // Register bprm_check_security kprobe
-    rc = register_kprobe(&ksu_bprm_check_kp);
-    if (rc) {
-        pr_err("bprm_check_security kprobe failed: %d\n", rc);
-    } else {
-        pr_info("bprm_check_security kprobe registered successfully\n");
-    }
-
-#ifdef CONFIG_KSU_MANUAL_SU
-    // Register task_alloc kprobe
-    rc = register_kprobe(&ksu_task_alloc_kp);
-    if (rc) {
-        pr_err("task_alloc kprobe failed: %d\n", rc);
-    } else {
-        pr_info("task_alloc kprobe registered successfully\n");
-    }
-#endif
-
-    return 0;
-}
-
-__maybe_unused int ksu_kprobe_exit(void)
-{
-    unregister_kprobe(&ksu_inode_permission_kp);
-    unregister_kprobe(&ksu_bprm_check_kp);
-#ifdef CONFIG_KSU_MANUAL_SU
-    unregister_kprobe(&ksu_task_alloc_kp);
-#endif
-    return 0;
-}
-
-void ksu_kprobe_hook_init(void)
-{
-    int rc = 0;
-#ifdef CONFIG_KPROBES
-    rc = ksu_kprobe_init();
-    if (rc) {
-        pr_err("ksu_kprobe_init failed: %d\n", rc);
-    }
-#endif
-}
-
-void ksu_kprobe_hook_exit(void)
-{
-#ifdef CONFIG_KPROBES
-    pr_info("ksu_core_exit\n");
-    ksu_kprobe_exit();
-#endif
-}
--- a/kernel/kprobe_hook_manager.h
+++ b/kernel/kprobe_hook_manager.h
@@ -1,23 +0,0 @@
-#ifndef __KSU_H_KSU_KBROBES_HOOK_MANAGER
-#define __KSU_H_KSU_KBROBES_HOOK_MANAGER
-
-#include <linux/init.h>
-#include <linux/version.h>
-#include <linux/binfmts.h>
-#include <linux/tty.h>
-#include <linux/fs.h>
-#include "selinux/selinux.h"
-#include "objsec.h"
-
-#ifndef DEVPTS_SUPER_MAGIC
-#define DEVPTS_SUPER_MAGIC    0x1cd1
-#endif
-
-extern bool ksu_is_compat __read_mostly;
-
-extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c
-
-void ksu_kprobe_hook_init(void);
-void ksu_kprobe_hook_exit(void);
-
-#endif
--- a/kernel/ksu.c
+++ b/kernel/ksu.c
@@ -16,7 +16,6 @@
 #include "sulog.h"
 #include "throne_comm.h"
 #include "dynamic_manager.h"
-#include "kprobe_hook_manager.h"

 static struct workqueue_struct *ksu_workqueue;

@@ -27,12 +26,10 @@ bool ksu_queue_work(struct work_struct *work)

 void sukisu_custom_config_init(void)
 {
-    ksu_kprobe_hook_init();
 }

 void sukisu_custom_config_exit(void)
 {
-    ksu_kprobe_hook_exit();
    ksu_uid_exit();
    ksu_throne_comm_exit();
    ksu_dynamic_manager_exit();
--- a/kernel/manual_su.c
+++ b/kernel/manual_su.c
@@ -345,3 +345,12 @@ static void add_pending_root(uid_t uid)
    ksu_temp_grant_root_once(uid);
    pr_info("pending_root: cached UID %d\n", uid);
 }
+
+void ksu_try_escalate_for_uid(uid_t uid)
+{
+    if (!is_pending_root(uid))
+        return;
+    
+    pr_info("pending_root: UID=%d temporarily allowed\n", uid);
+    remove_pending_root(uid);
+}
--- a/kernel/manual_su.h
+++ b/kernel/manual_su.h
@@ -45,4 +45,5 @@ struct ksu_token_entry {
 int ksu_handle_manual_su_request(int option, struct manual_su_request *request);
 bool is_pending_root(uid_t uid);
 void remove_pending_root(uid_t uid);
+void ksu_try_escalate_for_uid(uid_t uid);
 #endif
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -19,7 +19,6 @@


 #include "sulog.h"
-#include "kprobe_hook_manager.h"

 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
--- a/kernel/syscall_hook_manager.c
+++ b/kernel/syscall_hook_manager.c
@@ -9,6 +9,7 @@
 #include <linux/slab.h>
 #include <linux/ptrace.h>
 #include <trace/events/syscalls.h>
+#include <linux/namei.h>

 #include "allowlist.h"
 #include "arch.h"
@@ -207,6 +208,10 @@ static inline bool check_syscall_fastpath(int nr)
    case __NR_faccessat:
    case __NR_execve:
    case __NR_setresuid:
+    case __NR_faccessat2:
+    case __NR_execveat:
+    case __NR_clone:
+    case __NR_clone3:
        return true;
    default:
        return false;
@@ -232,6 +237,84 @@ int ksu_handle_init_mark_tracker(int *fd, const char __user **filename_user,
    return 0;
 }

+#include "ksud.h"
+#ifdef CONFIG_KSU_MANUAL_SU
+#include "manual_su.h"
+#endif
+
+#ifdef CONFIG_COMPAT
+bool ksu_is_compat __read_mostly = false;
+#endif
+
+#ifndef LOOKUP_FOLLOW
+#define LOOKUP_FOLLOW 0x0001
+#endif
+
+static inline void ksu_handle_inode_permission(struct pt_regs *regs)
+{
+    struct inode *inode = NULL;
+    struct path path;
+    int dfd = (int)PT_REGS_PARM1(regs);
+    const char __user *filename = (const char __user *)PT_REGS_PARM2(regs);
+
+    if (!user_path_at(dfd, filename, LOOKUP_FOLLOW, &path)) {
+        inode = path.dentry->d_inode;
+        if (inode && inode->i_sb &&
+            unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC))
+            __ksu_handle_devpts(inode);
+        path_put(&path);
+    }
+}
+
+static inline void ksu_handle_bprm_check_security(struct pt_regs *regs, long id)
+{
+    const char __user *filename;
+    char path_buf[256];
+
+    if (id == __NR_execve)
+        filename = (const char __user *)PT_REGS_PARM1(regs);
+    else /* __NR_execveat */
+        filename = (const char __user *)PT_REGS_PARM2(regs);
+
+    if (!ksu_execveat_hook)
+        return;
+
+    memset(path_buf, 0, sizeof(path_buf));
+    strncpy_from_user_nofault(path_buf, filename, sizeof(path_buf));
+
+#ifdef CONFIG_COMPAT
+    static bool compat_check_done __read_mostly = false;
+    if (unlikely(!compat_check_done) &&
+        unlikely(!strcmp(path_buf, "/data/adb/ksud"))) {
+        char buf[4];
+        struct file *file = filp_open(path_buf, O_RDONLY, 0);
+        if (!IS_ERR(file)) {
+            loff_t pos = 0;
+            kernel_read(file, buf, 4, &pos);
+            if (!memcmp(buf, "\x7f\x45\x4c\x46", 4)) {
+                char elf_class;
+                pos = 4;
+                kernel_read(file, &elf_class, 1, &pos);
+                if (elf_class == 0x01)
+                    ksu_is_compat = true;
+                pr_info("%s: %s ELF magic found! ksu_is_compat: %d\n",
+                        __func__, path_buf, ksu_is_compat);
+                compat_check_done = true;
+            }
+            filp_close(file, NULL);
+        }
+    }
+#endif
+    ksu_handle_pre_ksud(path_buf);
+}
+
+static inline void ksu_handle_task_alloc(struct pt_regs *regs)
+{
+#ifdef CONFIG_KSU_MANUAL_SU
+    ksu_try_escalate_for_uid(current_uid().val);
+#endif
+}
+
 #ifdef KSU_HAVE_SYSCALL_TRACEPOINTS_HOOK
 // Generic sys_enter handler that dispatches to specific handlers
 static void ksu_sys_enter_handler(void *data, struct pt_regs *regs, long id)
@@ -281,6 +364,20 @@ static void ksu_sys_enter_handler(void *data, struct pt_regs *regs, long id)
 			ksu_handle_setresuid(ruid, euid, suid);
 			return;
 		}
+
+		// Handle inode_permission via faccessat
+		if (id == __NR_faccessat || id == __NR_faccessat2)
+        	return ksu_handle_inode_permission(regs);
+
+		// Handle bprm_check_security via execve/execveat
+		if (id == __NR_execve || id == __NR_execveat)
+        	return ksu_handle_bprm_check_security(regs, id);
+
+#ifdef CONFIG_KSU_MANUAL_SU
+		// Handle task_alloc via clone/fork
+    	if (id == __NR_clone || id == __NR_clone3)
+        	return ksu_handle_task_alloc(regs);
+#endif
 	}
 }
 #endif
--- a/kernel/syscall_hook_manager.h
+++ b/kernel/syscall_hook_manager.h
@@ -4,6 +4,20 @@
 #include <linux/version.h>
 #include <linux/sched.h>
 #include <linux/thread_info.h>
+#include <linux/init.h>
+#include <linux/binfmts.h>
+#include <linux/tty.h>
+#include <linux/fs.h>
+#include "selinux/selinux.h"
+#include "objsec.h"
+
+#ifndef DEVPTS_SUPER_MAGIC
+#define DEVPTS_SUPER_MAGIC    0x1cd1
+#endif
+
+extern bool ksu_is_compat __read_mostly;
+
+extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c

 // Hook manager initialization and cleanup
 void ksu_syscall_hook_manager_init(void);