diff --git a/kernel/allowlist.c b/kernel/allowlist.c
index 06ea33c1..a79b8f93 100644
--- a/kernel/allowlist.c
+++ b/kernel/allowlist.c
@@ -91,8 +91,8 @@ bool ksu_is_allow_uid(uid_t uid) {
   struct list_head *pos = NULL;
 
   if (uid == 0) {
-    // already root
-    return true;
+    // already root, but only allow our domain.
+    return is_ksu_domain();
   }
 
   list_for_each(pos, &allow_list) {
diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c
index d992b1f2..1aeb4f41 100644
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -18,6 +18,8 @@
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
+static u32 ksu_sid;
+
 static int transive_to_domain(const char* domain) {
     struct cred* cred;
     struct task_security_struct* tsec;
@@ -35,6 +37,8 @@ static int transive_to_domain(const char* domain) {
 	error = security_secctx_to_secid(domain, strlen(domain), &sid);
 	pr_info("error: %d, sid: %d\n", error, sid);
 	if (!error) {
+        if (!ksu_sid) ksu_sid = sid;
+
 		tsec->sid = sid;
 		tsec->create_sid = 0;
 		tsec->keycreate_sid = 0;
@@ -97,4 +101,8 @@ bool getenforce() {
 #else
     return false;
 #endif
+}
+
+bool is_ksu_domain() {
+    return ksu_sid && current_sid() == ksu_sid;
 }
\ No newline at end of file
diff --git a/kernel/selinux/selinux.h b/kernel/selinux/selinux.h
index 42e4fd63..85b8bc42 100644
--- a/kernel/selinux/selinux.h
+++ b/kernel/selinux/selinux.h
@@ -7,4 +7,6 @@ void setenforce(bool);
 
 bool getenforce();
 
+bool is_ksu_domain();
+
 #endif
\ No newline at end of file