From a197600cb5ea0f808b518113510c222145479624 Mon Sep 17 00:00:00 2001 From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Date: Mon, 15 Sep 2025 19:14:55 +0800 Subject: [PATCH] kernel: Add optional full-user scanning capability using prctl --- kernel/allowlist.c | 47 ++++++++- kernel/allowlist.h | 5 + kernel/core_hook.c | 28 ++++++ kernel/ksu.h | 1 + kernel/throne_tracker.c | 204 ++++++++++++++++++++++++++-------------- 5 files changed, 211 insertions(+), 74 deletions(-) diff --git a/kernel/allowlist.c b/kernel/allowlist.c index 0820cd67..7a9c529e 100644 --- a/kernel/allowlist.c +++ b/kernel/allowlist.c @@ -20,7 +20,7 @@ #include "manager.h" #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32 -#define FILE_FORMAT_VERSION 3 // u32 +#define FILE_FORMAT_VERSION 4 // u32 #define KSU_APP_PROFILE_PRESERVE_UID 9999 // NOBODY_UID #define KSU_DEFAULT_SELINUX_DOMAIN "u:r:su:s0" @@ -34,6 +34,8 @@ static struct non_root_profile default_non_root_profile; static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly __aligned(PAGE_SIZE); static int allow_list_pointer __read_mostly = 0; +bool scan_all_users __read_mostly = false; + static void remove_uid_from_arr(uid_t uid) { int *temp_arr; @@ -351,10 +353,27 @@ bool ksu_get_allow_list(int *array, int *length, bool allow) return true; } +bool ksu_set_scan_all_users(bool enabled) +{ + mutex_lock(&allowlist_mutex); + scan_all_users = enabled; + mutex_unlock(&allowlist_mutex); + + pr_info("scan_all_users set to: %d\n", enabled); + + return persistent_allow_list(); +} + +bool ksu_get_scan_all_users(void) +{ + return scan_all_users; +} + static void do_save_allow_list(struct work_struct *work) { u32 magic = FILE_MAGIC; u32 version = FILE_FORMAT_VERSION; + u32 scan_setting = scan_all_users ? 1 : 0; struct perm_data *p = NULL; struct list_head *pos = NULL; loff_t off = 0; @@ -379,6 +398,13 @@ static void do_save_allow_list(struct work_struct *work) goto exit; } + // Save scan_all_users settings + if (ksu_kernel_write_compat(fp, &scan_setting, sizeof(scan_setting), &off) != + sizeof(scan_setting)) { + pr_err("save_allow_list write scan_setting failed.\n"); + goto exit; + } + list_for_each (pos, &allow_list) { p = list_entry(pos, struct perm_data, list); pr_info("save allow list, name: %s uid: %d, allow: %d\n", @@ -400,6 +426,7 @@ static void do_load_allow_list(struct work_struct *work) struct file *fp = NULL; u32 magic; u32 version; + u32 scan_setting = 0; #ifdef CONFIG_KSU_DEBUG // always allow adb shell by default @@ -429,6 +456,24 @@ static void do_load_allow_list(struct work_struct *work) pr_info("allowlist version: %d\n", version); + if (version >= 4) { + if (ksu_kernel_read_compat(fp, &scan_setting, sizeof(scan_setting), &off) != + sizeof(scan_setting)) { + pr_warn("allowlist read scan_setting failed, using default\n"); + scan_setting = 0; + } + + mutex_lock(&allowlist_mutex); + scan_all_users = (scan_setting != 0); + mutex_unlock(&allowlist_mutex); + + pr_info("loaded scan_all_users: %d\n", scan_all_users); + } else { + mutex_lock(&allowlist_mutex); + scan_all_users = false; + mutex_unlock(&allowlist_mutex); + } + while (true) { struct app_profile profile; diff --git a/kernel/allowlist.h b/kernel/allowlist.h index e89bf71f..e9f105ac 100644 --- a/kernel/allowlist.h +++ b/kernel/allowlist.h @@ -24,4 +24,9 @@ bool ksu_set_app_profile(struct app_profile *, bool persist); bool ksu_uid_should_umount(uid_t uid); struct root_profile *ksu_get_root_profile(uid_t uid); + +bool ksu_set_scan_all_users(bool enabled); +bool ksu_get_scan_all_users(void); + +extern bool scan_all_users __read_mostly; #endif diff --git a/kernel/core_hook.c b/kernel/core_hook.c index 40c5a7dd..de62d461 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -588,6 +588,34 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3, return 0; } + if (arg2 == CMD_SCAN_ALL_USERS) { + if (!from_root && !from_manager) { + return 0; + } + // Get or Set scan_all_users + if (arg3 == 0) { + bool current_state = ksu_get_scan_all_users(); + if (copy_to_user((void __user *)arg4, ¤t_state, sizeof(current_state))) { + pr_err("scan_all_users: copy current state failed\n"); + return 0; + } + } else { + // Set new state (arg3 = 1: Enable, arg3 = 2: Disable) + bool new_state = (arg3 == 1); + if (ksu_set_scan_all_users(new_state)) { + pr_info("scan_all_users set to: %d\n", new_state); + } else { + pr_err("Failed to set scan_all_users to: %d\n", new_state); + return 0; + } + } + + if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) { + pr_err("scan_all_users: prctl reply error\n"); + } + return 0; + } + #ifdef CONFIG_KPM // ADD: 添加KPM模块控制 if(sukisu_is_kpm_control_code(arg2)) { diff --git a/kernel/ksu.h b/kernel/ksu.h index 64163b87..ba643695 100644 --- a/kernel/ksu.h +++ b/kernel/ksu.h @@ -23,6 +23,7 @@ #define CMD_UID_SHOULD_UMOUNT 13 #define CMD_IS_SU_ENABLED 14 #define CMD_ENABLE_SU 15 +#define CMD_SCAN_ALL_USERS 17 #define CMD_GET_FULL_VERSION 0xC0FFEE1A diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c index 85219254..153595d1 100644 --- a/kernel/throne_tracker.c +++ b/kernel/throne_tracker.c @@ -25,6 +25,7 @@ uid_t ksu_manager_uid = KSU_INVALID_UID; static struct task_struct *throne_thread; #define USER_DATA_BASE_PATH "/data/user_de" +#define PRIMARY_USER_PATH "/data/user_de/0" #define MAX_SUPPORTED_USERS 32 // Supports up to 32 users #define DATA_PATH_LEN 384 // 384 is enough for /data/app//base.apk and /data/user_de/{userid}/ @@ -32,6 +33,7 @@ struct uid_data { struct list_head list; u32 uid; char package[KSU_MAX_PACKAGE_NAME]; + uid_t user_id; }; struct user_scan_ctx { @@ -76,6 +78,7 @@ struct my_dir_context { int *stop; bool found_dynamic_manager; }; + // https://docs.kernel.org/filesystems/porting.html // filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted. #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) @@ -88,6 +91,9 @@ struct my_dir_context { #define FILLDIR_ACTOR_STOP -EINVAL #endif +FILLDIR_RETURN_TYPE scan_user_packages(struct dir_context *ctx, const char *name, + int namelen, loff_t off, u64 ino, unsigned int d_type); + static int get_pkg_from_apk_path(char *pkg, const char *path) { int len = strlen(path); @@ -151,13 +157,12 @@ static void crown_manager(const char *apk, struct list_head *uid_data, list_for_each_entry(np, list, list) { if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) { - pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n", - pkg, np->uid, signature_index); + pr_info("Crowning manager: %s(uid=%d, signature_index=%d, user=%u)\n", + pkg, np->uid, signature_index, np->user_id); // Dynamic Sign index (100) or multi-manager signatures (>= 2) if (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2) { ksu_add_manager(np->uid, signature_index); - if (!ksu_is_manager_uid_valid()) { ksu_set_manager_uid(np->uid); } @@ -168,19 +173,56 @@ static void crown_manager(const char *apk, struct list_head *uid_data, } } } +// Scan the primary user +static int scan_primary_user_apps(struct list_head *uid_list, size_t *pkg_count, size_t *error_count) +{ + struct file *dir_file; + int ret; + + *pkg_count = *error_count = 0; + + pr_info("Step 1: Scanning primary user (0) applications in %s\n", PRIMARY_USER_PATH); + + dir_file = ksu_filp_open_compat(PRIMARY_USER_PATH, O_RDONLY, 0); + if (IS_ERR(dir_file)) { + pr_err("Cannot open primary user path: %s (%ld)\n", PRIMARY_USER_PATH, PTR_ERR(dir_file)); + return PTR_ERR(dir_file); + } + + struct user_scan_ctx scan_ctx = { + .uid_list = uid_list, + .user_id = 0, + .pkg_count = 0, + .error_count = 0 + }; + + struct user_dir_ctx uctx = { + .ctx.actor = scan_user_packages, + .scan_ctx = &scan_ctx + }; + + ret = iterate_dir(dir_file, &uctx.ctx); + filp_close(dir_file, NULL); + + *pkg_count = scan_ctx.pkg_count; + *error_count = scan_ctx.error_count; + + pr_info("Primary user scan completed: %zu packages found, %zu errors\n", + scan_ctx.pkg_count, scan_ctx.error_count); + + return ret; +} FILLDIR_RETURN_TYPE collect_user_ids(struct dir_context *ctx, const char *name, int namelen, loff_t off, u64 ino, unsigned int d_type) { struct user_id_ctx *uctx = container_of(ctx, struct user_id_ctx, ctx); - // Skip non-directories and dot entries if (d_type != DT_DIR || namelen <= 0) return FILLDIR_ACTOR_CONTINUE; if (name[0] == '.' && (namelen == 1 || (namelen == 2 && name[1] == '.'))) return FILLDIR_ACTOR_CONTINUE; - // Parse numeric user ID uid_t uid = 0; for (int i = 0; i < namelen; i++) { if (name[i] < '0' || name[i] > '9') @@ -188,7 +230,6 @@ FILLDIR_RETURN_TYPE collect_user_ids(struct dir_context *ctx, const char *name, uid = uid * 10 + (name[i] - '0'); } - // Store user ID if space available if (uctx->count >= uctx->max_count) return FILLDIR_ACTOR_STOP; @@ -196,8 +237,8 @@ FILLDIR_RETURN_TYPE collect_user_ids(struct dir_context *ctx, const char *name, return FILLDIR_ACTOR_CONTINUE; } -// Get all active Android user IDs -static int get_active_user_ids(uid_t *user_ids, size_t max_users, size_t *found_count) +// Retrieve all active users (optional) +static int get_all_active_users(uid_t *user_ids, size_t max_users, size_t *found_count) { struct file *dir_file; int ret; @@ -206,7 +247,7 @@ static int get_active_user_ids(uid_t *user_ids, size_t max_users, size_t *found_ dir_file = ksu_filp_open_compat(USER_DATA_BASE_PATH, O_RDONLY, 0); if (IS_ERR(dir_file)) { - pr_err("Cannot open %s: %ld\n", USER_DATA_BASE_PATH, PTR_ERR(dir_file)); + pr_err("Cannot open user data base path: %s (%ld)\n", USER_DATA_BASE_PATH, PTR_ERR(dir_file)); return PTR_ERR(dir_file); } @@ -221,8 +262,13 @@ static int get_active_user_ids(uid_t *user_ids, size_t max_users, size_t *found_ filp_close(dir_file, NULL); *found_count = uctx.count; - if (uctx.count > 0) - pr_info("Found %zu active users\n", uctx.count); + if (uctx.count > 0) { + pr_info("Found %zu active users: ", uctx.count); + for (size_t i = 0; i < uctx.count; i++) { + pr_cont("%u ", user_ids[i]); + } + pr_cont("\n"); + } return ret; } @@ -233,7 +279,6 @@ FILLDIR_RETURN_TYPE scan_user_packages(struct dir_context *ctx, const char *name struct user_dir_ctx *uctx = container_of(ctx, struct user_dir_ctx, ctx); struct user_scan_ctx *scan_ctx = uctx->scan_ctx; - // Validate context and skip dot entries if (!scan_ctx || !scan_ctx->uid_list) return FILLDIR_ACTOR_STOP; if (d_type != DT_DIR || namelen <= 0) @@ -241,14 +286,12 @@ FILLDIR_RETURN_TYPE scan_user_packages(struct dir_context *ctx, const char *name if (name[0] == '.' && (namelen == 1 || (namelen == 2 && name[1] == '.'))) return FILLDIR_ACTOR_CONTINUE; - // Check package name length if (namelen >= KSU_MAX_PACKAGE_NAME) { pr_warn("Package name too long: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } - // Build package path char pkg_path[DATA_PATH_LEN]; int path_len = snprintf(pkg_path, sizeof(pkg_path), "%s/%u/%.*s", USER_DATA_BASE_PATH, scan_ctx->user_id, namelen, name); @@ -258,7 +301,6 @@ FILLDIR_RETURN_TYPE scan_user_packages(struct dir_context *ctx, const char *name return FILLDIR_ACTOR_CONTINUE; } - // Get package path attributes struct path path; int err = kern_path(pkg_path, LOOKUP_FOLLOW, &path); if (err) { @@ -292,7 +334,6 @@ basically no mask and flags for =< 4.10 return FILLDIR_ACTOR_CONTINUE; } - // Extract UID and validate uid_t uid = from_kuid(&init_user_ns, stat.uid); if (uid == (uid_t)-1) { pr_warn("Invalid UID for: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); @@ -300,7 +341,6 @@ basically no mask and flags for =< 4.10 return FILLDIR_ACTOR_CONTINUE; } - // Allocate and populate UID data entry struct uid_data *uid_entry = kzalloc(sizeof(struct uid_data), GFP_KERNEL); if (!uid_entry) { pr_err("Memory allocation failed for: %.*s\n", namelen, name); @@ -309,6 +349,7 @@ basically no mask and flags for =< 4.10 } uid_entry->uid = uid; + uid_entry->user_id = scan_ctx->user_id; // Record user ID size_t copy_len = min_t(size_t, namelen, KSU_MAX_PACKAGE_NAME - 1); strncpy(uid_entry->package, name, copy_len); uid_entry->package[copy_len] = '\0'; @@ -316,87 +357,104 @@ basically no mask and flags for =< 4.10 list_add_tail(&uid_entry->list, scan_ctx->uid_list); scan_ctx->pkg_count++; - pr_info("User Package: %s, UID: %u (user %u)\n", uid_entry->package, uid, scan_ctx->user_id); + pr_debug("Package: %s, UID: %u, User: %u\n", uid_entry->package, uid, scan_ctx->user_id); return FILLDIR_ACTOR_CONTINUE; } -static int scan_user_directory(uid_t user_id, struct list_head *uid_list, - size_t *pkg_count, size_t *error_count) +// Scan other users' applications (optional) +static int scan_secondary_users_apps(struct list_head *uid_list, + const uid_t *user_ids, size_t user_count, + size_t *total_pkg_count, size_t *total_error_count) { - char user_path[DATA_PATH_LEN]; - struct file *dir_file; - int ret; + int ret = 0; + *total_pkg_count = *total_error_count = 0; - *pkg_count = *error_count = 0; + for (size_t i = 0; i < user_count; i++) { + // Skip the main user since it was already scanned in the first step. + if (user_ids[i] == 0) + continue; - snprintf(user_path, sizeof(user_path), "%s/%u", USER_DATA_BASE_PATH, user_id); + char user_path[DATA_PATH_LEN]; + struct file *dir_file; - dir_file = ksu_filp_open_compat(user_path, O_RDONLY, 0); - if (IS_ERR(dir_file)) { - pr_debug("Cannot open user path: %s (%ld)\n", user_path, PTR_ERR(dir_file)); - return PTR_ERR(dir_file); - } + snprintf(user_path, sizeof(user_path), "%s/%u", USER_DATA_BASE_PATH, user_ids[i]); - struct user_scan_ctx scan_ctx = { - .uid_list = uid_list, - .user_id = user_id, - .pkg_count = 0, - .error_count = 0 - }; + dir_file = ksu_filp_open_compat(user_path, O_RDONLY, 0); + if (IS_ERR(dir_file)) { + pr_debug("Cannot open user path: %s (%ld)\n", user_path, PTR_ERR(dir_file)); + (*total_error_count)++; + continue; + } - struct user_dir_ctx uctx = { - .ctx.actor = scan_user_packages, - .scan_ctx = &scan_ctx - }; + struct user_scan_ctx scan_ctx = { + .uid_list = uid_list, + .user_id = user_ids[i], + .pkg_count = 0, + .error_count = 0 + }; - ret = iterate_dir(dir_file, &uctx.ctx); - filp_close(dir_file, NULL); + struct user_dir_ctx uctx = { + .ctx.actor = scan_user_packages, + .scan_ctx = &scan_ctx + }; - *pkg_count = scan_ctx.pkg_count; - *error_count = scan_ctx.error_count; + ret = iterate_dir(dir_file, &uctx.ctx); + filp_close(dir_file, NULL); - if (scan_ctx.pkg_count > 0 || scan_ctx.error_count > 0) - pr_info("User %u: %zu packages, %zu errors\n", - user_id, scan_ctx.pkg_count, scan_ctx.error_count); + *total_pkg_count += scan_ctx.pkg_count; + *total_error_count += scan_ctx.error_count; + + if (scan_ctx.pkg_count > 0 || scan_ctx.error_count > 0) + pr_info("User %u: %zu packages, %zu errors\n", + user_ids[i], scan_ctx.pkg_count, scan_ctx.error_count); + } return ret; } -int scan_user_data_for_uids(struct list_head *uid_list) +int scan_user_data_for_uids(struct list_head *uid_list, bool scan_all_users) { - uid_t user_ids[MAX_SUPPORTED_USERS]; - size_t active_users, total_packages = 0, total_errors = 0; - int ret; - if (!uid_list) return -EINVAL; - // Get all active user IDs - ret = get_active_user_ids(user_ids, ARRAY_SIZE(user_ids), &active_users); + // Scan the primary user (User 0) + size_t primary_pkg_count, primary_error_count; + int ret = scan_primary_user_apps(uid_list, &primary_pkg_count, &primary_error_count); + if (ret < 0 && primary_pkg_count == 0) { + pr_err("Primary user scan failed completely: %d\n", ret); + return ret; + } + + // If you don't need to scan all users, stop here. + if (!scan_all_users) { + pr_info("Scan completed (primary user only): %zu packages, %zu errors\n", + primary_pkg_count, primary_error_count); + return primary_pkg_count > 0 ? 0 : -ENOENT; + } + + // Retrieve all active users + uid_t user_ids[MAX_SUPPORTED_USERS]; + size_t active_users; + ret = get_all_active_users(user_ids, ARRAY_SIZE(user_ids), &active_users); if (ret < 0 || active_users == 0) { - pr_err("No active users found: %d\n", ret); - return ret < 0 ? ret : -ENOENT; + pr_warn("Failed to get active users, using primary user only: %d\n", ret); + return primary_pkg_count > 0 ? 0 : -ENOENT; } - // Scan each user's directory - for (size_t i = 0; i < active_users; i++) { - size_t pkg_count, error_count; + // Scan other users' applications + size_t secondary_pkg_count, secondary_error_count; + ret = scan_secondary_users_apps(uid_list, user_ids, active_users, + &secondary_pkg_count, &secondary_error_count); - ret = scan_user_directory(user_ids[i], uid_list, &pkg_count, &error_count); - if (ret < 0) { - pr_warn("Scan failed for user %u: %d\n", user_ids[i], ret); - total_errors++; - continue; - } - - total_packages += pkg_count; - total_errors += error_count; - } + size_t total_packages = primary_pkg_count + secondary_pkg_count; + size_t total_errors = primary_error_count + secondary_error_count; if (total_errors > 0) pr_warn("Scan completed with %zu errors\n", total_errors); - pr_info("Scanned %zu users, found %zu packages\n", active_users, total_packages); + pr_info("Complete scan finished: %zu users, %zu total packages\n", + active_users, total_packages); + return total_packages > 0 ? 0 : -ENOENT; } @@ -537,7 +595,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data) .private_data = uid_data, .depth = pos->depth, .stop = &stop, - .found_dynamic_manager = false }; + .found_dynamic_manager = false }; struct file *file; if (!stop) { @@ -608,10 +666,10 @@ static void track_throne_function(void) struct list_head uid_list; INIT_LIST_HEAD(&uid_list); // scan user data for uids - int ret = scan_user_data_for_uids(&uid_list); + int ret = scan_user_data_for_uids(&uid_list, scan_all_users); if (ret < 0) { - pr_err("UserDE UID scan user data failed: %d.\n", ret); + pr_err("Improved UserDE UID scan failed: %d. scan_all_users=%d\n", ret, scan_all_users); goto out; }