kernel: core_hook: disable seccomp in 5.10.2- for allowed uids (#545)
* kernel: core_hook: disable seccomp in 5.10.2- for allowed uids we dont have those new fancy things upstream has lets just do original thing where we disable seccomp * Update kernel/core_hook.c * fmt --------- Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: Saksham <saksham.mac@icloud.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@@ -1087,16 +1087,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// if on private space, see if its possibly the manager
|
// if on private space, see if its possibly the manager
|
||||||
if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
|
if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
|
||||||
ksu_set_manager_uid(new_uid.val);
|
ksu_set_manager_uid(new_uid.val);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ksu_get_manager_uid() == new_uid.val) {
|
if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
|
||||||
pr_info("install fd for: %d\n", new_uid.val);
|
pr_info("install fd for: %d\n", new_uid.val);
|
||||||
|
|
||||||
ksu_install_fd();
|
ksu_install_fd();
|
||||||
spin_lock_irq(¤t->sighand->siglock);
|
spin_lock_irq(¤t->sighand->siglock);
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||||
|
#else
|
||||||
|
// we dont have those new fancy things upstream has
|
||||||
|
// lets just do original thing where we disable seccomp
|
||||||
|
disable_seccomp();
|
||||||
|
#endif
|
||||||
if (ksu_su_compat_enabled) {
|
if (ksu_su_compat_enabled) {
|
||||||
ksu_set_task_tracepoint_flag(current);
|
ksu_set_task_tracepoint_flag(current);
|
||||||
}
|
}
|
||||||
@@ -1104,11 +1110,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
|
||||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||||
current->seccomp.filter) {
|
current->seccomp.filter) {
|
||||||
spin_lock_irq(¤t->sighand->siglock);
|
spin_lock_irq(¤t->sighand->siglock);
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||||
|
#else
|
||||||
|
// we don't have those new fancy things upstream has
|
||||||
|
// lets just do original thing where we disable seccomp
|
||||||
|
disable_seccomp();
|
||||||
|
#endif
|
||||||
spin_unlock_irq(¤t->sighand->siglock);
|
spin_unlock_irq(¤t->sighand->siglock);
|
||||||
}
|
}
|
||||||
if (ksu_su_compat_enabled) {
|
if (ksu_su_compat_enabled) {
|
||||||
@@ -1117,7 +1129,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
} else {
|
} else {
|
||||||
// Disable syscall tracepoint sucompat for non-allowed processes
|
// Disable syscall tracepoint sucompat for non-allowed processes
|
||||||
if (ksu_su_compat_enabled) {
|
if (ksu_su_compat_enabled) {
|
||||||
clear_tsk_thread_flag(current, TIF_SYSCALL_TRACEPOINT);
|
ksu_clear_task_tracepoint_flag(current);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1256,16 +1268,22 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
}
|
}
|
||||||
|
|
||||||
// if on private space, see if its possibly the manager
|
// if on private space, see if its possibly the manager
|
||||||
if (new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid()) {
|
if (unlikely(new_uid.val > 100000 && new_uid.val % 100000 == ksu_get_manager_uid())) {
|
||||||
ksu_set_manager_uid(new_uid.val);
|
ksu_set_manager_uid(new_uid.val);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ksu_get_manager_uid() == new_uid.val) {
|
if (unlikely(ksu_get_manager_uid() == new_uid.val)) {
|
||||||
pr_info("install fd for: %d\n", new_uid.val);
|
pr_info("install fd for: %d\n", new_uid.val);
|
||||||
|
|
||||||
ksu_install_fd();
|
ksu_install_fd();
|
||||||
spin_lock_irq(¤t->sighand->siglock);
|
spin_lock_irq(¤t->sighand->siglock);
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||||
|
#else
|
||||||
|
// we dont have those new fancy things upstream has
|
||||||
|
// lets just do original thing where we disable seccomp
|
||||||
|
disable_seccomp();
|
||||||
|
#endif
|
||||||
if (ksu_su_compat_enabled) {
|
if (ksu_su_compat_enabled) {
|
||||||
ksu_set_task_tracepoint_flag(current);
|
ksu_set_task_tracepoint_flag(current);
|
||||||
}
|
}
|
||||||
@@ -1273,11 +1291,17 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
if (unlikely(ksu_is_allow_uid_for_current(new_uid.val))) {
|
||||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||||
current->seccomp.filter) {
|
current->seccomp.filter) {
|
||||||
spin_lock_irq(¤t->sighand->siglock);
|
spin_lock_irq(¤t->sighand->siglock);
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||||
|
#else
|
||||||
|
// we don't have those new fancy things upstream has
|
||||||
|
// lets just do original thing where we disable seccomp
|
||||||
|
disable_seccomp();
|
||||||
|
#endif
|
||||||
spin_unlock_irq(¤t->sighand->siglock);
|
spin_unlock_irq(¤t->sighand->siglock);
|
||||||
}
|
}
|
||||||
if (ksu_su_compat_enabled) {
|
if (ksu_su_compat_enabled) {
|
||||||
|
|||||||
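Review bot: On kernels below 5.10.2 the new `#else` branches call `disable_seccomp()`, which by its name (its definition is outside these hunks) drops the task's whole seccomp filter, whereas the 5.10.2+ path only whitelists `__NR_reboot`. The two one-line comments do not say that, and the same `#if`/`#else` block is pasted four times (hunks at 1087, 1104, 1256 and 1273). Because this runs in `ksu_handle_setuid` for the manager and for every allowed uid, I would move the block into one static helper whose comment states the difference in sandbox strength and the locking expectation, and call it from all four sites. The manager branches also skip the `SECCOMP_MODE_FILTER`/`filter` check that the allowed-uid branches make; whether `disable_seccomp()` tolerates a task with no filter is not visible here. `ksu_handle_setuid` starts and ends outside these hunks.

```c
/*
 * Let the current task call reboot(2) despite its seccomp filter.
 * Caller is expected to hold current->sighand->siglock (all four call
 * sites take it first).
 */
static inline void ksu_seccomp_allow_reboot(void)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2)
	ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
#else
	/*
	 * No seccomp action cache on these kernels: this removes the whole
	 * filter for the task, not just the reboot restriction.
	 */
	disable_seccomp();
#endif
}

// … unchanged: manager-uid and allowed-uid branches, each calling ksu_seccomp_allow_reboot() under siglock …
```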
@@ -241,6 +241,7 @@ long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
struct action_cache {
|
struct action_cache {
|
||||||
DECLARE_BITMAP(allow_native, NR_syscalls);
|
DECLARE_BITMAP(allow_native, NR_syscalls);
|
||||||
#ifdef SECCOMP_ARCH_COMPAT
|
#ifdef SECCOMP_ARCH_COMPAT
|
||||||
@@ -296,3 +297,4 @@ void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|||||||
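Review bot: The new guard above the local `struct action_cache` definition keys on `LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2)` alone, while its own comment says the feature is an Android backport. A 5.10.y tree at or above .2 that lacks that backport would presumably still take this branch, and `ksu_seccomp_allow_cache` would then be built against a filter layout that kernel does not have. If no more direct signal is available to the build, the assumption should at least be written down, e.g. `// assumes an Android common kernel; confirm the action cache exists on non-Android 5.10.y`. The struct and the function bodies lie outside these hunks.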
@@ -80,7 +80,9 @@ static long ksu_copy_from_user_retry(void *to,
|
|||||||
#define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size)
|
#define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
|
||||||
extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
|
extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
|
||||||
extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
|
extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
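Review bot: With both prototypes now inside the `#if`, `ksu_seccomp_clear_cache` has no declaration below 5.10.2, yet the visible hunks only guard the `ksu_seccomp_allow_cache` call sites. Any caller of `ksu_seccomp_clear_cache` outside these hunks needs the same guard, otherwise the older build fails. A comment above the block would make the contract explicit, e.g. `// seccomp action-cache helpers exist only on 5.10.2+; callers must guard or fall back`. The `extern` on the two function prototypes is redundant and could be dropped while the lines are being touched.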