kernel: avoding other root process being kprobed
This commit is contained in:
weishu
@@ -91,8 +91,8 @@ bool ksu_is_allow_uid(uid_t uid) {
|
|||||||
struct list_head *pos = NULL;
|
struct list_head *pos = NULL;
|
||||||
|
|
||||||
if (uid == 0) {
|
if (uid == 0) {
|
||||||
// already root
|
// already root, but only allow our domain.
|
||||||
return true;
|
return is_ksu_domain();
|
||||||
}
|
}
|
||||||
|
|
||||||
list_for_each(pos, &allow_list) {
|
list_for_each(pos, &allow_list) {
|
||||||
|
|||||||
@@ -18,6 +18,8 @@
|
|||||||
|
|
||||||
#define KERNEL_SU_DOMAIN "u:r:su:s0"
|
#define KERNEL_SU_DOMAIN "u:r:su:s0"
|
||||||
|
|
||||||
|
static u32 ksu_sid;
|
||||||
|
|
||||||
static int transive_to_domain(const char* domain) {
|
static int transive_to_domain(const char* domain) {
|
||||||
struct cred* cred;
|
struct cred* cred;
|
||||||
struct task_security_struct* tsec;
|
struct task_security_struct* tsec;
|
||||||
@@ -35,6 +37,8 @@ static int transive_to_domain(const char* domain) {
|
|||||||
error = security_secctx_to_secid(domain, strlen(domain), &sid);
|
error = security_secctx_to_secid(domain, strlen(domain), &sid);
|
||||||
pr_info("error: %d, sid: %d\n", error, sid);
|
pr_info("error: %d, sid: %d\n", error, sid);
|
||||||
if (!error) {
|
if (!error) {
|
||||||
|
if (!ksu_sid) ksu_sid = sid;
|
||||||
|
|
||||||
tsec->sid = sid;
|
tsec->sid = sid;
|
||||||
tsec->create_sid = 0;
|
tsec->create_sid = 0;
|
||||||
tsec->keycreate_sid = 0;
|
tsec->keycreate_sid = 0;
|
||||||
@@ -97,4 +101,8 @@ bool getenforce() {
|
|||||||
#else
|
#else
|
||||||
return false;
|
return false;
|
||||||
#endif
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
bool is_ksu_domain() {
|
||||||
|
return ksu_sid && current_sid() == ksu_sid;
|
||||||
}
|
}
|
||||||
@@ -7,4 +7,6 @@ void setenforce(bool);
|
|||||||
|
|
||||||
bool getenforce();
|
bool getenforce();
|
||||||
|
|
||||||
|
bool is_ksu_domain();
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
Reference in New Issue
Block a user