From 8ff469d00e161aa6b8bc68112d39163c2ca2e27c Mon Sep 17 00:00:00 2001
From: AlexLiuDev233
Date: Sat, 8 Nov 2025 12:46:25 +0800
Subject: [PATCH] kernel: core_hook: disable seccomp in 5.10.2- for allowed uids (#545)

* kernel: core_hook: disable seccomp in 5.10.2- for allowed uids

we dont have those new fancy things upstream has lets just do original thing where we disable seccomp

* Update kernel/core_hook.c

* fmt

---------

Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: Saksham
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 kernel/core_hook.c | 38 +++++++++++++++++++++++++++++++-------
 kernel/kernel_compat.c | 4 +++-
 kernel/kernel_compat.h | 2 ++
 3 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 623c4cb6..d47e3e37 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -1087,16 +1087,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 	}
 	// if on private space, see if its possibly the manager
-	if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
+	if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
 		ksu_set_manager_uid(new_uid.val);
 	}
-	if (ksu_get_manager_uid() == new_uid.val) {
+	if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
 		pr_info("install fd for: %d\n", new_uid.val);
 		ksu_install_fd();
 		spin_lock_irq(¤t->sighand->siglock);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 		ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+#else
+		// we dont have those new fancy things upstream has
+		// lets just do original thing where we disable seccomp
+		disable_seccomp();
+#endif
 		if (ksu_su_compat_enabled) {
 			ksu_set_task_tracepoint_flag(current);
 		}
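Review bot: The manager branch in this hunk enters the new `#if`/`#else` block straight after `spin_lock_irq` without the `current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter` guard that the allowed-uid branch in the hunk at 1110 uses, so both the cache path (`ksu_seccomp_allow_cache` dereferences `filter->cache` in the kernel_compat.c hunk) and the new `disable_seccomp()` fallback run on a task that may have no filter installed. Wrapping the block in the same condition, `if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) {`, would make the two branches consistent and avoid touching seccomp state for a manager process that has none. The same applies to the second copy of this branch in the hunk at 1268. The body of ksu_handle_setuid continues outside the hunk, and the matching `spin_unlock_irq` is not visible here.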
@@ -1104,11 +1110,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
-	if (ksu_is_allow_uid_for_current(new_uid.val)) {
+	if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
 		if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) {
 			spin_lock_irq(¤t->sighand->siglock);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 			ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+#else
+			// we don't have those new fancy things upstream has
+			// lets just do original thing where we disable seccomp
+			disable_seccomp();
+#endif
 			spin_unlock_irq(¤t->sighand->siglock);
 		}
 		if (ksu_su_compat_enabled) {
@@ -1117,7 +1129,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 	} else {
 		// Disable syscall tracepoint sucompat for non-allowed processes
 		if (ksu_su_compat_enabled) {
-			clear_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
+			ksu_clear_task_tracepoint_flag(current);
 		}
 	}
@@ -1256,16 +1268,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 	}
 	// if on private space, see if its possibly the manager
-	if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
+	if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
 		ksu_set_manager_uid(new_uid.val);
 	}
-	if (ksu_get_manager_uid() == new_uid.val) {
+	if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
 		pr_info("install fd for: %d\n", new_uid.val);
 		ksu_install_fd();
 		spin_lock_irq(¤t->sighand->siglock);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 		ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+#else
+		// we dont have those new fancy things upstream has
+		// lets just do original thing where we disable seccomp
+		disable_seccomp();
+#endif
 		if (ksu_su_compat_enabled) {
 			ksu_set_task_tracepoint_flag(current);
 		}
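Review bot: On kernels before the 5.10.2 backport the new `#else` path calls `disable_seccomp()`, which removes the process's seccomp filter outright, whereas the cache path only marks `__NR_reboot` as allowed; the two kernel classes therefore end up with very different sandboxes for every allowed uid, and the added comment does not say so. I would replace the two comment lines with `// No per-filter allow cache before the 5.10.2 Android backport: fall back to dropping the whole filter, so this task keeps no seccomp restrictions at all.` and log the downgrade with a `pr_info` so it is visible in dmesg on affected devices. The same `#if`/`#else` block is now pasted four times (hunks at 1087, 1110, 1268, 1291, with "dont"/"don't" differing between copies); a small static helper in core_hook.c that carries the version check and the lock requirement once would keep them in step, sketched below. disable_seccomp() itself is not in the diff, so the reference and TIF handling it does cannot be reviewed here.
```c
/* Let the current task issue reboot(2) despite its seccomp filter.
 * Caller holds current->sighand->siglock.  Before the 5.10.2 Android
 * backport there is no per-filter allow cache, so the whole filter is
 * dropped instead and the task keeps no seccomp restrictions at all. */
static void ksu_seccomp_allow_reboot(uid_t uid)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2)
	ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
#else
	pr_info("no seccomp allow cache on this kernel, disabling filter for uid %d\n", uid);
	disable_seccomp();
#endif
}

/* … unchanged: ksu_handle_setuid up to the allowed-uid check … */
		if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) {
			spin_lock_irq(&current->sighand->siglock);
			ksu_seccomp_allow_reboot(new_uid.val);
			spin_unlock_irq(&current->sighand->siglock);
		}
```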
@@ -1273,11 +1291,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
-	if (ksu_is_allow_uid_for_current(new_uid.val)) {
+	if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
 		if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) {
 			spin_lock_irq(¤t->sighand->siglock);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 			ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+#else
+			// we don't have those new fancy things upstream has
+			// lets just do original thing where we disable seccomp
+			disable_seccomp();
+#endif
 			spin_unlock_irq(¤t->sighand->siglock);
 		}
 		if (ksu_su_compat_enabled) {
diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c
index e5f11b07..0442a212 100644
--- a/kernel/kernel_compat.c
+++ b/kernel/kernel_compat.c
@@ -241,6 +241,7 @@ long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size)
 #endif
 }
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 struct action_cache {
 	DECLARE_BITMAP(allow_native, NR_syscalls);
 #ifdef SECCOMP_ARCH_COMPAT
@@ -295,4 +296,5 @@ void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr)
 		set_bit(nr, filter->cache.allow_compat);
 	}
 #endif
-}
\ No newline at end of file
+}
+#endif
diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h
index ee9acb57..c9ce5844 100644
--- a/kernel/kernel_compat.h
+++ b/kernel/kernel_compat.h
@@ -80,7 +80,9 @@ static long ksu_copy_from_user_retry(void *to,
 #define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size)
 #endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
 extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
+#endif
 #endif
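Review bot: The gate `LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2)` now appears verbatim in six places across core_hook.c, kernel_compat.c and kernel_compat.h, each with the same trailing comment, and it encodes a fact about the Android common kernel rather than about the tree being built: a 5.10.x kernel without that backport would still take the cache path and, as far as I can tell, fail at `filter->cache`, since mainline only gained the seccomp action cache in 5.11. Defining the feature once in kernel_compat.h, `#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) /* Android backport of the seccomp action cache */` / `#define KSU_HAS_SECCOMP_ACTION_CACHE 1` / `#endif`, and gating the other five sites on `#ifdef KSU_HAS_SECCOMP_ACTION_CACHE` gives one place to adjust (or to turn into a real feature probe) when that assumption breaks. The `struct action_cache` that the kernel_compat.c hunk now wraps appears to be a local copy of a type private to the kernel's seccomp.c; a comment such as `/* Must mirror struct action_cache in kernel/seccomp.c of the target kernel; a layout mismatch sets bits in the wrong bitmap. */` would warn the next porter. Both kernel_compat.c hunks cut into larger definitions, so the rest of `ksu_seccomp_allow_cache` and the struct body are not visible here.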