kernel: core_hook: disable seccomp in 5.10.2- for allowed uids (#545)
* kernel: core_hook: disable seccomp in 5.10.2- for allowed uids we dont have those new fancy things upstream has lets just do original thing where we disable seccomp * Update kernel/core_hook.c * fmt --------- Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: Saksham <saksham.mac@icloud.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
AlexLiuDev233
ShirkNeko
@@ -1087,16 +1087,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
}
|
||||
|
||||
// if on private space, see if its possibly the manager
|
||||
if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
|
||||
if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
|
||||
ksu_set_manager_uid(new_uid.val);
|
||||
}
|
||||
|
||||
if (ksu_get_manager_uid() == new_uid.val) {
|
||||
if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
|
||||
pr_info("install fd for: %d\n", new_uid.val);
|
||||
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
#else
|
||||
// we dont have those new fancy things upstream has
|
||||
// lets just do original thing where we disable seccomp
|
||||
disable_seccomp();
|
||||
#endif
|
||||
if (ksu_su_compat_enabled) {
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
}
|
||||
@@ -1104,11 +1110,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
||||
if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
#else
|
||||
// we don't have those new fancy things upstream has
|
||||
// lets just do original thing where we disable seccomp
|
||||
disable_seccomp();
|
||||
#endif
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
if (ksu_su_compat_enabled) {
|
||||
@@ -1117,7 +1129,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
} else {
|
||||
// Disable syscall tracepoint sucompat for non-allowed processes
|
||||
if (ksu_su_compat_enabled) {
|
||||
clear_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
|
||||
ksu_clear_task_tracepoint_flag(current);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1256,16 +1268,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
}
|
||||
|
||||
// if on private space, see if its possibly the manager
|
||||
if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
|
||||
if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
|
||||
ksu_set_manager_uid(new_uid.val);
|
||||
}
|
||||
|
||||
if (ksu_get_manager_uid() == new_uid.val) {
|
||||
if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
|
||||
pr_info("install fd for: %d\n", new_uid.val);
|
||||
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
#else
|
||||
// we dont have those new fancy things upstream has
|
||||
// lets just do original thing where we disable seccomp
|
||||
disable_seccomp();
|
||||
#endif
|
||||
if (ksu_su_compat_enabled) {
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
}
|
||||
@@ -1273,11 +1291,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
||||
if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
#else
|
||||
// we don't have those new fancy things upstream has
|
||||
// lets just do original thing where we disable seccomp
|
||||
disable_seccomp();
|
||||
#endif
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
if (ksu_su_compat_enabled) {
|
||||
|
||||
@@ -241,6 +241,7 @@ long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size)
|
||||
#endif
|
||||
}
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
struct action_cache {
|
||||
DECLARE_BITMAP(allow_native, NR_syscalls);
|
||||
#ifdef SECCOMP_ARCH_COMPAT
|
||||
@@ -295,4 +296,5 @@ void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr)
|
||||
set_bit(nr, filter->cache.allow_compat);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -80,7 +80,9 @@ static long ksu_copy_from_user_retry(void *to,
|
||||
#define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size)
|
||||
#endif
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||
extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
|
||||
extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user