kernel: add uid observer, correctly prune uid allowlist when app is installed/uninstalled.

kernel/Makefile

@@ -4,6 +4,7 @@ kernelsu-objs := apk_sign.o
 obj-y += kernelsu.o
 obj-y += module_api.o
 obj-y += sucompat.o
+obj-y += uid_observer.o
 
 obj-y += selinux/
 

kernel/allowlist.c

@@ -1,3 +1,4 @@
+#include <linux/list.h>
 #include <linux/cpu.h>
 #include <linux/errno.h>
 #include <linux/init.h>
@@ -25,6 +26,8 @@
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
 #define FILE_FORMAT_VERSION 1 // u32
 
+static DEFINE_MUTEX(allowlist_mutex);
+
 struct perm_data {
 	struct list_head list;
 	uid_t uid;
@@ -186,7 +189,8 @@ void do_load_allow_list(struct work_struct *work)
 		if (errno == -ENOENT) {
 			ksu_allow_uid(2000, true); // allow adb shell by default
 		} else {
-			pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
+			pr_err("load_allow_list open file failed: %d\n",
+			       PTR_ERR(fp));
 		}
 #else
 		pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
@@ -229,6 +233,30 @@ exit:
 	filp_close(fp, 0);
 }
 
+void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void* data)
+{
+	struct perm_data *np = NULL;
+	struct perm_data *n = NULL;
+
+	bool modified = false;
+	// TODO: use RCU!
+	mutex_lock(&allowlist_mutex);
+	list_for_each_entry_safe (np, n, &allow_list, list) {
+		uid_t uid = np->uid;
+		if (!is_uid_exist(uid, data)) {
+			modified = true;
+			pr_info("prune uid: %d\n", uid);
+			list_del(&np->list);
+			kfree(np);
+		}
+	}
+	mutex_unlock(&allowlist_mutex);
+
+	if (modified) {
+		persistent_allow_list();
+	}
+}
+
 static int init_work(void)
 {
 	ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);

kernel/allowlist.h

@@ -15,4 +15,6 @@ bool ksu_get_allow_list(int *array, int *length, bool allow);
 
 bool ksu_load_allow_list(void);
 
+void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void* data);
+
 #endif

kernel/ksu.c

@@ -27,6 +27,7 @@
 #include "apk_sign.h"
 #include "allowlist.h"
 #include "arch.h"
+#include "uid_observer.h"
 
 #define KERNEL_SU_VERSION 9
 
@@ -43,6 +44,8 @@
 
 static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
 
+uid_t ksu_manager_uid;
+
 void escape_to_root()
 {
 	struct cred *cred;
@@ -91,11 +94,10 @@ int endswith(const char *s, const char *t)
 	return strcmp(s + slen - tlen, t);
 }
 
-static uid_t __manager_uid;
 
 static bool is_manager()
 {
-	return __manager_uid == current_uid().val;
+	return ksu_manager_uid == current_uid().val;
 }
 
 static bool become_manager(char *pkg)
@@ -113,8 +115,8 @@ static bool become_manager(char *pkg)
 		return false;
 	}
 
-	if (__manager_uid != 0) {
+	if (ksu_manager_uid != 0) {
-		pr_info("manager already exist: %d\n", __manager_uid);
+		pr_info("manager already exist: %d\n", ksu_manager_uid);
 		return is_manager();
 	}
 
@@ -148,7 +150,7 @@ static bool become_manager(char *pkg)
 				uid_t uid = current_uid().val;
 				pr_info("manager uid: %d\n", uid);
 
-				__manager_uid = uid;
+				ksu_manager_uid = uid;
 
 				result = true;
 				goto clean;
@@ -169,7 +171,7 @@ clean:
 static bool is_allow_su()
 {
 	uid_t uid = current_uid().val;
-	if (uid == __manager_uid) {
+	if (uid == ksu_manager_uid) {
 		// we are manager, allow!
 		return true;
 	}
@@ -332,6 +334,8 @@ int kernelsu_init(void)
 		return rc;
 	}
 
+	ksu_uid_observer_init();
+
 	enable_sucompat();
 
 	return 0;

kernel/selinux/rules.c

@@ -51,6 +51,12 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
 	// we may need to do mount on shell
 	ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
+	// we need to read /data/system/packages.list
+	ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
+	// Android 10+: http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
+	ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
+	// Android 9-: http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
+	ksu_allow(db, "kernel", "system_data_file", "file", ALL);
 
 	// our ksud triggered by init
 	ksu_allow(db, "init", "adb_data_file", "file", "execute");

kernel/uid_observer.c

@@ -0,0 +1,197 @@
+#include "linux/kprobes.h"
+#include <linux/list.h>
+#include <linux/types.h>
+#include <linux/fs.h>
+#include <linux/fs_struct.h>
+#include <linux/namei.h>
+#include <linux/err.h>
+#include <linux/workqueue.h>
+#include <linux/string.h>
+#include <linux/version.h>
+#include <linux/slab.h>
+#include <linux/mutex.h>
+
+#include "uid_observer.h"
+#include "allowlist.h"
+#include "arch.h"
+#include "klog.h"
+
+#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
+static struct work_struct ksu_update_uid_work;
+
+extern uid_t ksu_manager_uid;
+
+struct uid_data {
+	struct list_head list;
+	u32 uid;
+};
+
+static bool is_uid_exist(uid_t uid, void *data)
+{
+	struct list_head *list = (struct list_head *)data;
+	struct uid_data *np;
+
+	bool exist = false;
+	list_for_each_entry (np, list, list) {
+		if (np->uid == uid) {
+			exist = true;
+			break;
+		}
+	}
+	return exist;
+}
+
+static void do_update_uid(struct work_struct *work)
+{
+	struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
+		       " failed: %d\n",
+		       ERR_PTR(fp));
+		return;
+	}
+
+	struct list_head uid_list;
+	INIT_LIST_HEAD(&uid_list);
+
+	char chr = 0;
+	loff_t pos = 0;
+	loff_t line_start = 0;
+	char buf[128];
+	for (;;) {
+		ssize_t count = kernel_read(fp, &chr, sizeof(chr), &pos);
+		if (count != sizeof(chr))
+			break;
+		if (chr != '\n')
+			continue;
+
+		count = kernel_read(fp, buf, sizeof(buf), &line_start);
+
+		struct uid_data *data =
+			kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
+		if (!data) {
+			goto out;
+		}
+
+		char *tmp = buf;
+		const char *delim = " ";
+		strsep(&tmp, delim); // skip package
+		char *uid = strsep(&tmp, delim);
+		if (!uid) {
+			pr_err("update_uid: uid is NULL!\n");
+			continue;
+		}
+
+		u32 res;
+		if (kstrtou32(uid, 10, &res)) {
+			pr_err("update_uid: uid parse err\n");
+			continue;
+		}
+		data->uid = res;
+		list_add_tail(&data->list, &uid_list);
+		// reset line start
+		line_start = pos;
+	}
+
+	// now update uid list
+	struct uid_data *np;
+	struct uid_data *n;
+
+	// first, check if manager_uid exist!
+	bool manager_exist = false;
+	list_for_each_entry (np, &uid_list, list) {
+		if (np->uid == ksu_manager_uid) {
+			manager_exist = true;
+			break;
+		}
+	}
+
+	if (!manager_exist) {
+		pr_info("manager is uninstalled, reset it!\n");
+		ksu_manager_uid = 0;
+	}
+
+	// then prune the allowlist
+	ksu_prune_allowlist(is_uid_exist, &uid_list);
+out:
+	// free uid_list
+	list_for_each_entry_safe (np, n, &uid_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+	filp_close(fp, 0);
+}
+
+static void update_uid()
+{
+	schedule_work(&ksu_update_uid_work);
+}
+
+static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	if (!current->mm) {
+		// skip kernel threads
+		return 0;
+	}
+
+	if (current_uid().val != 1000) {
+		// skip non system uid
+		return 0;
+	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 12, 0)
+	// https://elixir.bootlin.com/linux/v5.12-rc1/source/include/linux/fs.h
+	struct renamedata *rd = PT_REGS_PARM1(regs);
+	struct dentry *old_entry = rd->old_dentry;
+	struct dentry *new_entry = rd->new_dentry;
+#else
+	struct dentry *old_entry = PT_REGS_PARM2(regs);
+	struct dentry *new_entry = PT_REGS_PARM4(regs);
+#endif
+
+	if (!old_entry || !new_entry) {
+		return 0;
+	}
+
+	// /data/system/packages.list.tmp -> /data/system/packages.list
+	if (strcmp(new_entry->d_iname, "packages.list")) {
+		return 0;
+	}
+
+	char path[128];
+	char *buf = dentry_path_raw(new_entry, path, sizeof(path));
+	if (IS_ERR(buf)) {
+		pr_err("dentry_path_raw failed.\n");
+		return 0;
+	}
+
+	if (strcmp(buf, "/system/packages.list")) {
+		return 0;
+	}
+	pr_info("renameat: %s -> %s\n, new path: %s", old_entry->d_iname,
+		new_entry->d_iname, buf);
+
+	update_uid();
+
+	return 0;
+}
+
+static struct kprobe renameat_kp = {
+	.symbol_name = "vfs_rename",
+	.pre_handler = renameat_handler_pre,
+};
+
+int ksu_uid_observer_init()
+{
+	INIT_WORK(&ksu_update_uid_work, do_update_uid);
+
+	int rc = register_kprobe(&renameat_kp);
+	pr_info("renameat kp: %d\n", rc);
+	return rc;
+}
+
+int ksu_uid_observer_exit()
+{
+	unregister_kprobe(&renameat_kp);
+	return 0;
+}

kernel/uid_observer.h

@@ -0,0 +1,8 @@
+#ifndef __KSU_H_UID_OBSERVER
+#define __KSU_H_UID_OBSERVER
+
+int ksu_uid_observer_init();
+
+int ksu_uid_observer_exit();
+
+#endif