kernel: Apply the SUSFS patch

2025-11-09 18:32:16 +08:00
parent a2caa9432f
commit ad0f3f6025
11 changed files with 946 additions and 19 deletions
--- a/kernel/selinux/rules.c
+++ b/kernel/selinux/rules.c
@@ -142,6 +142,15 @@ void apply_kernelsu_rules(void)
    // https://android-review.googlesource.com/c/platform/system/logging/+/3725346
    ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr");

+#ifdef CONFIG_KSU_SUSFS
+    // Allow umount in zygote process without installing zygisk
+    ksu_allow(db, "zygote", "labeledfs", "filesystem", "unmount");
+    susfs_set_kernel_sid();
+    susfs_set_init_sid();
+    susfs_set_ksu_sid();
+    susfs_set_zygote_sid();
+#endif
+
    mutex_unlock(&ksu_rules);
 }

--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -6,6 +6,16 @@

 #define KERNEL_SU_DOMAIN "u:r:su:s0"

+#ifdef CONFIG_KSU_SUSFS
+#define KERNEL_INIT_DOMAIN "u:r:init:s0"
+#define KERNEL_ZYGOTE_DOMAIN "u:r:zygote:s0"
+#define KERNEL_KERNEL_DOMAIN "u:r:kernel:s0"
+u32 susfs_ksu_sid = 0;
+u32 susfs_init_sid = 0;
+u32 susfs_zygote_sid = 0;
+u32 susfs_kernel_sid = 0;
+#endif
+
 static int transive_to_domain(const char *domain)
 {
    struct cred *cred;
@@ -145,6 +155,88 @@ bool is_zygote(const struct cred* cred)
    return result;
 }

+#ifdef CONFIG_KSU_SUSFS
+static inline void susfs_set_sid(const char *secctx_name, u32 *out_sid)
+{
+    int err;
+    
+    if (!secctx_name || !out_sid) {
+        pr_err("secctx_name || out_sid is NULL\n");
+        return;
+    }
+
+    err = security_secctx_to_secid(secctx_name, strlen(secctx_name),
+                       out_sid);
+    if (err) {
+        pr_err("failed setting sid for '%s', err: %d\n", secctx_name, err);
+        return;
+    }
+    pr_info("sid '%u' is set for secctx_name '%s'\n", *out_sid, secctx_name);
+}
+
+bool susfs_is_sid_equal(void *sec, u32 sid2) {
+    struct task_security_struct *tsec = (struct task_security_struct *)sec;
+    if (!tsec) {
+        return false;
+    }
+    return tsec->sid == sid2;
+}
+
+u32 susfs_get_sid_from_name(const char *secctx_name)
+{
+    u32 out_sid = 0;
+    int err;
+    
+    if (!secctx_name) {
+        pr_err("secctx_name is NULL\n");
+        return 0;
+    }
+    err = security_secctx_to_secid(secctx_name, strlen(secctx_name),
+                       &out_sid);
+    if (err) {
+        pr_err("failed getting sid from secctx_name: %s, err: %d\n", secctx_name, err);
+        return 0;
+    }
+    return out_sid;
+}
+
+u32 susfs_get_current_sid(void) {
+    return current_sid();
+}
+
+void susfs_set_zygote_sid(void)
+{
+    susfs_set_sid(KERNEL_ZYGOTE_DOMAIN, &susfs_zygote_sid);
+}
+
+bool susfs_is_current_zygote_domain(void) {
+    return unlikely(current_sid() == susfs_zygote_sid);
+}
+
+void susfs_set_ksu_sid(void)
+{
+    susfs_set_sid(KERNEL_SU_DOMAIN, &susfs_ksu_sid);
+}
+
+bool susfs_is_current_ksu_domain(void) {
+    return unlikely(current_sid() == susfs_ksu_sid);
+}
+
+void susfs_set_init_sid(void)
+{
+    susfs_set_sid(KERNEL_INIT_DOMAIN, &susfs_init_sid);
+}
+
+bool susfs_is_current_init_domain(void) {
+    return unlikely(current_sid() == susfs_init_sid);
+}
+
+void susfs_set_kernel_sid(void)
+{
+    susfs_set_sid(KERNEL_KERNEL_DOMAIN, &susfs_kernel_sid);
+}
+#endif
+
 #define KSU_FILE_DOMAIN "u:object_r:ksu_file:s0"

 u32 ksu_get_ksu_file_sid()
--- a/kernel/selinux/selinux.h
+++ b/kernel/selinux/selinux.h
@@ -23,6 +23,18 @@ bool is_zygote(const struct cred* cred);

 void apply_kernelsu_rules(void);

+#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT
+bool susfs_is_sid_equal(void *sec, u32 sid2);
+u32 susfs_get_sid_from_name(const char *secctx_name);
+u32 susfs_get_current_sid(void);
+void susfs_set_zygote_sid(void);
+bool susfs_is_current_zygote_domain(void);
+void susfs_set_ksu_sid(void);
+bool susfs_is_current_ksu_domain(void);
+void susfs_set_init_sid(void);
+bool susfs_is_current_init_domain(void);
+#endif
+
 u32 ksu_get_ksu_file_sid(void);

 int handle_sepolicy(unsigned long arg3, void __user *arg4);