kernel, manager: Track upstream changes (#195)

* These commits are carefully picked from upstream (tiann/KernelSU) - Picked range: 8c5f485f27..e5f43a3427 Signed-off-by: Faris <rissu.ntk@gmail.com> Co-authored-by: Wang Han <416810799@qq.com> Co-authored-by: TwinbornPlate75 <3342733415@qq.com> Co-authored-by: KOWX712 <leecc0503@gmail.com> Co-authored-by: Ylarod <me@ylarod.cn> Co-authored-by: YuKongA <70465933+YuKongA@users.noreply.github.com> Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com> Co-authored-by: weishu <twsxtd@gmail.com>
2025-11-09 07:35:42 +07:00
parent 00ea078da7
commit a2211e2909
20 changed files with 565 additions and 257 deletions
--- a/kernel/selinux/rules.c
+++ b/kernel/selinux/rules.c
@@ -186,6 +186,13 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 	return 0;
 }

+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) ||                           \
+	!defined(KSU_COMPAT_USE_SELINUX_STATE)
+extern int avc_ss_reset(u32 seqno);
+#else
+extern int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
+#endif
+
 // reset avc cache table, otherwise the new rules will not take effect if already denied
 static void reset_avc_cache(void)
 {
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -1,4 +1,7 @@
-#include <linux/version.h>
+#include "linux/cred.h"
+#include "linux/sched.h"
+#include "linux/security.h"
+#include "linux/version.h"
 #include "selinux_defs.h"
 #include "../klog.h" // IWYU pragma: keep

@@ -24,14 +27,12 @@ static int transive_to_domain(const char *domain)
 		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
 			domain, sid, error);
 	}
-
 	if (!error) {
 		tsec->sid = sid;
 		tsec->create_sid = 0;
 		tsec->keycreate_sid = 0;
 		tsec->sockcreate_sid = 0;
 	}
-
 	return error;
 }

@@ -93,65 +94,68 @@ static inline u32 current_sid(void)
 }
 #endif

-bool is_ksu_domain(void)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
+struct lsm_context {
+	char *context;
+	u32 len;
+};
+
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	struct lsm_context ctx;
+	return security_secid_to_secctx(secid, &cp->context, &cp->len);
+}
+static void __security_release_secctx(struct lsm_context *cp)
+{
+	return security_release_secctx(cp->context, cp->len);
+}
 #else
-	char *domain;
-	u32 seclen;
-#endif
-	bool result;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	int err = security_secid_to_secctx(current_sid(), &ctx);
-#else
-	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+#define __security_secid_to_secctx security_secid_to_secctx
+#define __security_release_secctx security_release_secctx
 #endif

-	if (err) {
+bool is_task_ksu_domain(const struct cred *cred)
+{
+	struct lsm_context ctx;
+	bool result;
+	if (!cred) {
 		return false;
 	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
-	security_release_secctx(&ctx);
-#else
-	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-#endif
-	return result;
-}
-
-bool is_zygote(void *sec)
-{
-	struct task_security_struct *tsec = (struct task_security_struct *)sec;
+	const struct task_security_struct *tsec = __selinux_cred(cred);
 	if (!tsec) {
 		return false;
 	}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	struct lsm_context ctx;
-#else
-	char *domain;
-	u32 seclen;
-#endif
-	bool result;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
-	int err = security_secid_to_secctx(tsec->sid, &ctx);
-#else
-	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
-#endif
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
 	if (err) {
 		return false;
 	}
+	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+	__security_release_secctx(&ctx);
+	return result;
+}

-#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+bool is_ksu_domain(void)
+{
+	current_sid();
+	return is_task_ksu_domain(current_cred());
+}
+
+bool is_zygote(const struct cred *cred)
+{
+	if (!cred) {
+		return false;
+	}
+	const struct task_security_struct *tsec = __selinux_cred(cred);
+	if (!tsec) {
+		return false;
+	}
+	struct lsm_context ctx;
+	bool result;
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
+	if (err) {
+		return false;
+	}
 	result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
-	security_release_secctx(&ctx);
-#else
-	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-#endif
+	__security_release_secctx(&ctx);
 	return result;
 }

--- a/kernel/selinux/selinux.h
+++ b/kernel/selinux/selinux.h
@@ -1,8 +1,9 @@
 #ifndef __KSU_H_SELINUX
 #define __KSU_H_SELINUX

-#include <linux/types.h>
-#include <linux/version.h>
+#include "linux/types.h"
+#include "linux/version.h"
+#include "linux/sched.h"

 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) ||                        \
 	defined(KSU_COMPAT_HAS_SELINUX_STATE)
@@ -13,11 +14,13 @@ void setup_selinux(const char *);

 void setenforce(bool);

+bool is_task_ksu_domain(const struct cred *cred);
+
 bool getenforce(void);

 bool is_ksu_domain(void);

-bool is_zygote(void *cred);
+bool is_zygote(const struct cred *cred);

 void apply_kernelsu_rules(void);

--- a/kernel/selinux/selinux_defs.h
+++ b/kernel/selinux/selinux_defs.h
@@ -33,4 +33,10 @@
 #define __setenforce(val)
 #endif

+#ifdef KSU_OPTIONAL_SELINUX_CRED
+#define __selinux_cred(cred) (selinux_cred(cred))
+#else
+#define __selinux_cred(cred) (cred->security)
+#endif
+
 #endif