android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

kernel: add uid observer, correctly prune uid allowlist when app is installed/uninstalled.

Browse Source
This commit is contained in:
weishu
2023-01-17 12:44:22 +07:00
parent 2ab60750d4
commit ab36e1fa0c
7 changed files with 256 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
kernel/Makefile
View File

@@ -4,6 +4,7 @@ kernelsu-objs := apk_sign.o
obj-y += kernelsu.o obj-y += kernelsu.o
obj-y += module_api.o obj-y += module_api.o
obj-y += sucompat.o obj-y += sucompat.o
obj-y += uid_observer.o
obj-y += selinux/ obj-y += selinux/

30
kernel/allowlist.c
View File

@@ -1,3 +1,4 @@
#include <linux/list.h>
#include <linux/cpu.h> #include <linux/cpu.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <linux/init.h> #include <linux/init.h>
@@ -25,6 +26,8 @@
#define FILE_MAGIC 0x7f4b5355 // ' KSU', u32 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
#define FILE_FORMAT_VERSION 1 // u32 #define FILE_FORMAT_VERSION 1 // u32
static DEFINE_MUTEX(allowlist_mutex);
struct perm_data { struct perm_data {
struct list_head list; struct list_head list;
uid_t uid; uid_t uid;
@@ -186,7 +189,8 @@ void do_load_allow_list(struct work_struct *work)
if (errno == -ENOENT) { if (errno == -ENOENT) {
ksu_allow_uid(2000, true); // allow adb shell by default ksu_allow_uid(2000, true); // allow adb shell by default
} else { } else {
pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp)); pr_err("load_allow_list open file failed: %d\n",
PTR_ERR(fp));
} }
#else #else
pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp)); pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
@@ -229,6 +233,30 @@ exit:
filp_close(fp, 0); filp_close(fp, 0);
} }
void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void* data)
{
struct perm_data *np = NULL;
struct perm_data *n = NULL;
bool modified = false;
// TODO: use RCU!
mutex_lock(&allowlist_mutex);
list_for_each_entry_safe (np, n, &allow_list, list) {
uid_t uid = np->uid;
if (!is_uid_exist(uid, data)) {
modified = true;
pr_info("prune uid: %d\n", uid);
list_del(&np->list);
kfree(np);
}
}
mutex_unlock(&allowlist_mutex);
if (modified) {
persistent_allow_list();
}
}
static int init_work(void) static int init_work(void)
{ {
ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0); ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);

2
kernel/allowlist.h
View File

@@ -15,4 +15,6 @@ bool ksu_get_allow_list(int *array, int *length, bool allow);
bool ksu_load_allow_list(void); bool ksu_load_allow_list(void);
void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void* data);
#endif #endif

16
kernel/ksu.c
View File

@@ -27,6 +27,7 @@
#include "apk_sign.h" #include "apk_sign.h"
#include "allowlist.h" #include "allowlist.h"
#include "arch.h" #include "arch.h"
#include "uid_observer.h"
#define KERNEL_SU_VERSION 9 #define KERNEL_SU_VERSION 9
@@ -43,6 +44,8 @@
static struct group_info root_groups = { .usage = ATOMIC_INIT(2) }; static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
uid_t ksu_manager_uid;
void escape_to_root() void escape_to_root()
{ {
struct cred *cred; struct cred *cred;
@@ -91,11 +94,10 @@ int endswith(const char *s, const char *t)
return strcmp(s + slen - tlen, t); return strcmp(s + slen - tlen, t);
} }
static uid_t __manager_uid;
static bool is_manager() static bool is_manager()
{ {
return __manager_uid == current_uid().val; return ksu_manager_uid == current_uid().val;
} }
static bool become_manager(char *pkg) static bool become_manager(char *pkg)
@@ -113,8 +115,8 @@ static bool become_manager(char *pkg)
return false; return false;
} }
if (__manager_uid != 0) { if (ksu_manager_uid != 0) {
pr_info("manager already exist: %d\n", __manager_uid); pr_info("manager already exist: %d\n", ksu_manager_uid);
return is_manager(); return is_manager();
} }
@@ -148,7 +150,7 @@ static bool become_manager(char *pkg)
uid_t uid = current_uid().val; uid_t uid = current_uid().val;
pr_info("manager uid: %d\n", uid); pr_info("manager uid: %d\n", uid);
__manager_uid = uid; ksu_manager_uid = uid;
result = true; result = true;
goto clean; goto clean;
@@ -169,7 +171,7 @@ clean:
static bool is_allow_su() static bool is_allow_su()
{ {
uid_t uid = current_uid().val; uid_t uid = current_uid().val;
if (uid == __manager_uid) { if (uid == ksu_manager_uid) {
// we are manager, allow! // we are manager, allow!
return true; return true;
} }
@@ -332,6 +334,8 @@ int kernelsu_init(void)
return rc; return rc;
} }
ksu_uid_observer_init();
enable_sucompat(); enable_sucompat();
return 0; return 0;

6
kernel/selinux/rules.c
View File

@@ -51,6 +51,12 @@ void apply_kernelsu_rules()
ksu_allow(db, "kernel", "adb_data_file", "file", ALL); ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
// we may need to do mount on shell // we may need to do mount on shell
ksu_allow(db, "kernel", "shell_data_file", "file", ALL); ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
// we need to read /data/system/packages.list
ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
// Android 10+: http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
// Android 9-: http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
ksu_allow(db, "kernel", "system_data_file", "file", ALL);
// our ksud triggered by init // our ksud triggered by init
ksu_allow(db, "init", "adb_data_file", "file", "execute"); ksu_allow(db, "init", "adb_data_file", "file", "execute");

197
kernel/uid_observer.c Normal file
View File

@@ -0,0 +1,197 @@
#include "linux/kprobes.h"
#include <linux/list.h>
#include <linux/types.h>
#include <linux/fs.h>
#include <linux/fs_struct.h>
#include <linux/namei.h>
#include <linux/err.h>
#include <linux/workqueue.h>
#include <linux/string.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/mutex.h>
#include "uid_observer.h"
#include "allowlist.h"
#include "arch.h"
#include "klog.h"
#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
static struct work_struct ksu_update_uid_work;
extern uid_t ksu_manager_uid;
struct uid_data {
struct list_head list;
u32 uid;
};
static bool is_uid_exist(uid_t uid, void *data)
{
struct list_head *list = (struct list_head *)data;
struct uid_data *np;
bool exist = false;
list_for_each_entry (np, list, list) {
if (np->uid == uid) {
exist = true;
break;
}
}
return exist;
}
static void do_update_uid(struct work_struct *work)
{
struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
if (IS_ERR(fp)) {
pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
" failed: %d\n",
ERR_PTR(fp));
return;
}
struct list_head uid_list;
INIT_LIST_HEAD(&uid_list);
char chr = 0;
loff_t pos = 0;
loff_t line_start = 0;
char buf[128];
for (;;) {
ssize_t count = kernel_read(fp, &chr, sizeof(chr), &pos);
if (count != sizeof(chr))
break;
if (chr != '\n')
continue;
count = kernel_read(fp, buf, sizeof(buf), &line_start);
struct uid_data *data =
kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
if (!data) {
goto out;
}
char *tmp = buf;
const char *delim = " ";
strsep(&tmp, delim); // skip package
char *uid = strsep(&tmp, delim);
if (!uid) {
pr_err("update_uid: uid is NULL!\n");
continue;
}
u32 res;
if (kstrtou32(uid, 10, &res)) {
pr_err("update_uid: uid parse err\n");
continue;
}
data->uid = res;
list_add_tail(&data->list, &uid_list);
// reset line start
line_start = pos;
}
// now update uid list
struct uid_data *np;
struct uid_data *n;
// first, check if manager_uid exist!
bool manager_exist = false;
list_for_each_entry (np, &uid_list, list) {
if (np->uid == ksu_manager_uid) {
manager_exist = true;
break;
}
}
if (!manager_exist) {
pr_info("manager is uninstalled, reset it!\n");
ksu_manager_uid = 0;
}
// then prune the allowlist
ksu_prune_allowlist(is_uid_exist, &uid_list);
out:
// free uid_list
list_for_each_entry_safe (np, n, &uid_list, list) {
list_del(&np->list);
kfree(np);
}
filp_close(fp, 0);
}
static void update_uid()
{
schedule_work(&ksu_update_uid_work);
}
static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
{
if (!current->mm) {
// skip kernel threads
return 0;
}
if (current_uid().val != 1000) {
// skip non system uid
return 0;
}
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 12, 0)
// https://elixir.bootlin.com/linux/v5.12-rc1/source/include/linux/fs.h
struct renamedata *rd = PT_REGS_PARM1(regs);
struct dentry *old_entry = rd->old_dentry;
struct dentry *new_entry = rd->new_dentry;
#else
struct dentry *old_entry = PT_REGS_PARM2(regs);
struct dentry *new_entry = PT_REGS_PARM4(regs);
#endif
if (!old_entry || !new_entry) {
return 0;
}
// /data/system/packages.list.tmp -> /data/system/packages.list
if (strcmp(new_entry->d_iname, "packages.list")) {
return 0;
}
char path[128];
char *buf = dentry_path_raw(new_entry, path, sizeof(path));
if (IS_ERR(buf)) {
pr_err("dentry_path_raw failed.\n");
return 0;
}
if (strcmp(buf, "/system/packages.list")) {
return 0;
}
pr_info("renameat: %s -> %s\n, new path: %s", old_entry->d_iname,
new_entry->d_iname, buf);
update_uid();
return 0;
}
static struct kprobe renameat_kp = {
.symbol_name = "vfs_rename",
.pre_handler = renameat_handler_pre,
};
int ksu_uid_observer_init()
{
INIT_WORK(&ksu_update_uid_work, do_update_uid);
int rc = register_kprobe(&renameat_kp);
pr_info("renameat kp: %d\n", rc);
return rc;
}
int ksu_uid_observer_exit()
{
unregister_kprobe(&renameat_kp);
return 0;
}

8
kernel/uid_observer.h Normal file
View File

@@ -0,0 +1,8 @@
#ifndef __KSU_H_UID_OBSERVER
#define __KSU_H_UID_OBSERVER
int ksu_uid_observer_init();
int ksu_uid_observer_exit();
#endif