kernel: avoding other root process being kprobed

kernel/allowlist.c

@@ -91,8 +91,8 @@ bool ksu_is_allow_uid(uid_t uid) {
   struct list_head *pos = NULL;
 
   if (uid == 0) {
-    // already root
-    return true;
+    // already root, but only allow our domain.
+    return is_ksu_domain();
   }
 
   list_for_each(pos, &allow_list) {

kernel/selinux/selinux.c

@@ -18,6 +18,8 @@
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
+static u32 ksu_sid;
+
 static int transive_to_domain(const char* domain) {
     struct cred* cred;
     struct task_security_struct* tsec;
@@ -35,6 +37,8 @@ static int transive_to_domain(const char* domain) {
 	error = security_secctx_to_secid(domain, strlen(domain), &sid);
 	pr_info("error: %d, sid: %d\n", error, sid);
 	if (!error) {
+        if (!ksu_sid) ksu_sid = sid;
+
 		tsec->sid = sid;
 		tsec->create_sid = 0;
 		tsec->keycreate_sid = 0;
@@ -98,3 +102,7 @@ bool getenforce() {
     return false;
 #endif
 }
+
+bool is_ksu_domain() {
+    return ksu_sid && current_sid() == ksu_sid;
+}

kernel/selinux/selinux.h

@@ -7,4 +7,6 @@ void setenforce(bool);
 
 bool getenforce();
 
+bool is_ksu_domain();
+
 #endif