kernel: add package whitelist check for manager APKs

Co-authored-by: lamadaemon <i@lama.icu> Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
2025-06-07 00:14:33 +08:00
parent 3b8445cdaa
commit aec76a388f
4 changed files with 47 additions and 13 deletions
--- a/kernel/apk_sign.c
+++ b/kernel/apk_sign.c
@@ -28,7 +28,11 @@ static struct apk_sign_key {
 	unsigned size;
 	const char *sha256;
 } apk_sign_keys[] = {
-	{EXPECTED_SIZE, EXPECTED_HASH}, // SukiSU
+	{EXPECTED_SIZE, EXPECTED_HASH},
+	{EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO}, // SukiSU
+	{EXPECTED_SIZE_ZAKO, EXPECTED_HASH_ZAKO}, // ZakoSU
+	{EXPECTED_SIZE_RSUNTK, EXPECTED_HASH_RSUNTK}, // RKSU
+	{EXPECTED_SIZE_NEKO, EXPECTED_HASH_NEKO}, // Neko/KernelSU
 };

 static struct sdesc *init_sdesc(struct crypto_shash *alg)
@@ -323,7 +327,31 @@ module_param_cb(ksu_debug_manager_uid, &expected_size_ops,

 #endif

-bool is_manager_apk(char *path)
-{
+
+#define MANAGERPKG_WLSIZE 3
+static const char *manager_package_whitelist[] = {
+	"zako.zako.zako",
+	"com.sukisu.ultra",
+	"me.weishu.kernelsu"
+};
+
+bool is_package_whitelisted(char *package) {
+	int i;
+	for (i = 0; i < MANAGERPKG_WLSIZE; i ++) {
+		const char* expected = manager_package_whitelist[i];
+		if (strcmp(expected, package) == 0) {
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool is_manager_apk(char *path, char *package) {
+	if (!is_package_whitelisted(package)) {
+		pr_info("refused to crown %s (not in whitelist)", package);
+		return false;
+	}
+
 	return check_v2_signature(path);
 }
--- a/kernel/apk_sign.h
+++ b/kernel/apk_sign.h
@@ -3,6 +3,8 @@

 #include <linux/types.h>

-bool is_manager_apk(char *path);
+bool is_manager_apk(char *path, char *package);
+
+bool is_package_whitelisted(char *package);

 #endif
--- a/kernel/manager_sign.h
+++ b/kernel/manager_sign.h
@@ -21,4 +21,8 @@
 #define EXPECTED_SIZE_NEKO   0x29c
 #define EXPECTED_HASH_NEKO   "946b0557e450a6430a0ba6b6bccee5bc12953ec8735d55e26139b0ec12303b21"

+//ZAKO/ZAKOSU
+#define EXPECTED_SIZE_ZAKO   0x34e
+#define EXPECTED_HASH_ZAKO   "a96ec51db032011dffb1184fa6513e421bd9073b3f392b04ecd2e7fdd4798065"
+
 #endif /* MANAGER_SIGN_H */
--- a/kernel/throne_tracker.c
+++ b/kernel/throne_tracker.c
@@ -63,14 +63,8 @@ static int get_pkg_from_apk_path(char *pkg, const char *path)
 	return 0;
 }

-static void crown_manager(const char *apk, struct list_head *uid_data)
+static void crown_manager(const char *apk, char *pkg, struct list_head *uid_data)
 {
-	char pkg[KSU_MAX_PACKAGE_NAME];
-	if (get_pkg_from_apk_path(pkg, apk) < 0) {
-		pr_err("Failed to get package name from apk path: %s\n", apk);
-		return;
-	}
-
 	pr_info("manager pkg: %s\n", pkg);

 #ifdef KSU_MANAGER_PACKAGE
@@ -192,6 +186,7 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
 	} else {
 		if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) {
 			struct apk_path_hash *pos;
+			char pkg[KSU_MAX_PACKAGE_NAME];
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0)
 			unsigned int hash = full_name_hash(dirpath, strlen(dirpath));
 #else
@@ -204,11 +199,16 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
 				}
 			}

-			bool is_manager = is_manager_apk(dirpath);
+			if (get_pkg_from_apk_path(pkg, dirpath) < 0) {
+				pr_err("Failed to get package name from apk path: %s\n", dirpath);
+				return FILLDIR_ACTOR_CONTINUE;
+			}
+
+			bool is_manager = is_manager_apk(dirpath, pkg);
 			pr_info("Found new base.apk at path: %s, is_manager: %d\n",
 				dirpath, is_manager);
 			if (is_manager) {
-				crown_manager(dirpath, my_ctx->private_data);
+				crown_manager(dirpath, pkg, my_ctx->private_data);
 				*my_ctx->stop = 1;
 			}
 		}