kernel: add package whitelist check for manager APKs

Co-authored-by: lamadaemon <i@lama.icu>
Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
ShirkNeko
2025-06-07 00:14:33 +08:00
parent 3b8445cdaa
commit aec76a388f
4 changed files with 47 additions and 13 deletions


@@ -28,7 +28,11 @@ static struct apk_sign_key {
unsigned size; unsigned size;
const char *sha256; const char *sha256;
} apk_sign_keys[] = { } apk_sign_keys[] = {
{EXPECTED_SIZE, EXPECTED_HASH}, // SukiSU {EXPECTED_SIZE, EXPECTED_HASH},
{EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO}, // SukiSU
{EXPECTED_SIZE_ZAKO, EXPECTED_HASH_ZAKO}, // ZakoSU
{EXPECTED_SIZE_RSUNTK, EXPECTED_HASH_RSUNTK}, // RKSU
{EXPECTED_SIZE_NEKO, EXPECTED_HASH_NEKO}, // Neko/KernelSU
}; };
static struct sdesc *init_sdesc(struct crypto_shash *alg) static struct sdesc *init_sdesc(struct crypto_shash *alg)
@@ -323,7 +327,31 @@ module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
#endif #endif
bool is_manager_apk(char *path)
{ #define MANAGERPKG_WLSIZE 3
static const char *manager_package_whitelist[] = {
"zako.zako.zako",
"com.sukisu.ultra",
"me.weishu.kernelsu"
};
bool is_package_whitelisted(char *package) {
int i;
for (i = 0; i < MANAGERPKG_WLSIZE; i ++) {
const char* expected = manager_package_whitelist[i];
if (strcmp(expected, package) == 0) {
return true;
}
}
return false;
}
bool is_manager_apk(char *path, char *package) {
if (!is_package_whitelisted(package)) {
pr_info("refused to crown %s (not in whitelist)", package);
return false;
}
return check_v2_signature(path); return check_v2_signature(path);
} }
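Review bot: `MANAGERPKG_WLSIZE` is a hand-maintained count kept apart from `manager_package_whitelist[]`, so the loop in `is_package_whitelisted` hands `strcmp` a pointer from past the array if the constant is ever raised without a matching entry, and silently skips entries if the array grows without it. Bound the loop with `ARRAY_SIZE(manager_package_whitelist)` and drop the macro. The `pr_info("refused to crown %s (not in whitelist)", package);` line has no trailing `\n` and, as far as this section shows, runs for every scanned APK whose package is not listed, so `pr_debug` with the newline added would keep the kernel log readable. The key table now accepts five signatures while the list holds three package names, and nothing here ties a name to a particular key; confirm that every accepted key has a listed package and that any listed name paired with any accepted key is the intended policy.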


@@ -3,6 +3,8 @@
#include <linux/types.h> #include <linux/types.h>
bool is_manager_apk(char *path); bool is_manager_apk(char *path, char *package);
bool is_package_whitelisted(char *package);
#endif #endif
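Review bot: `is_package_whitelisted` is exported through this header although the only caller visible in this commit is `is_manager_apk` in the same source file; if nothing else needs it, make it `static` there and leave the prototype out. The visible body only passes `package` to `strcmp` and `pr_info`, so the parameter can be `const char *package` in both declarations, for example `bool is_manager_apk(char *path, const char *package);`, which documents that the name is read-only.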


@@ -21,4 +21,8 @@
#define EXPECTED_SIZE_NEKO 0x29c #define EXPECTED_SIZE_NEKO 0x29c
#define EXPECTED_HASH_NEKO "946b0557e450a6430a0ba6b6bccee5bc12953ec8735d55e26139b0ec12303b21" #define EXPECTED_HASH_NEKO "946b0557e450a6430a0ba6b6bccee5bc12953ec8735d55e26139b0ec12303b21"
//ZAKO/ZAKOSU
#define EXPECTED_SIZE_ZAKO 0x34e
#define EXPECTED_HASH_ZAKO "a96ec51db032011dffb1184fa6513e421bd9073b3f392b04ecd2e7fdd4798065"
#endif /* MANAGER_SIGN_H */ #endif /* MANAGER_SIGN_H */


@@ -63,14 +63,8 @@ static int get_pkg_from_apk_path(char *pkg, const char *path)
return 0; return 0;
} }
static void crown_manager(const char *apk, struct list_head *uid_data) static void crown_manager(const char *apk, char *pkg, struct list_head *uid_data)
{ {
char pkg[KSU_MAX_PACKAGE_NAME];
if (get_pkg_from_apk_path(pkg, apk) < 0) {
pr_err("Failed to get package name from apk path: %s\n", apk);
return;
}
pr_info("manager pkg: %s\n", pkg); pr_info("manager pkg: %s\n", pkg);
#ifdef KSU_MANAGER_PACKAGE #ifdef KSU_MANAGER_PACKAGE
@@ -192,6 +186,7 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
} else { } else {
if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) { if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) {
struct apk_path_hash *pos; struct apk_path_hash *pos;
char pkg[KSU_MAX_PACKAGE_NAME];
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0)
unsigned int hash = full_name_hash(dirpath, strlen(dirpath)); unsigned int hash = full_name_hash(dirpath, strlen(dirpath));
#else #else
@@ -204,11 +199,16 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
} }
} }
bool is_manager = is_manager_apk(dirpath); if (get_pkg_from_apk_path(pkg, dirpath) < 0) {
pr_err("Failed to get package name from apk path: %s\n", dirpath);
return FILLDIR_ACTOR_CONTINUE;
}
bool is_manager = is_manager_apk(dirpath, pkg);
pr_info("Found new base.apk at path: %s, is_manager: %d\n", pr_info("Found new base.apk at path: %s, is_manager: %d\n",
dirpath, is_manager); dirpath, is_manager);
if (is_manager) { if (is_manager) {
crown_manager(dirpath, my_ctx->private_data); crown_manager(dirpath, pkg, my_ctx->private_data);
*my_ctx->stop = 1; *my_ctx->stop = 1;
} }
} }
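Review bot: The package name checked against the allowlist comes from `get_pkg_from_apk_path(pkg, dirpath)`, which by its name and arguments appears to derive it from the install path rather than from the APK contents, so the new check filters on a directory name and is not an identity check by itself. A comment above the call in `my_actor` would keep later readers from treating it as one, for example `/* pkg is taken from the path; check_v2_signature() in is_manager_apk() remains the trust decision */`. The failure branch also moved ahead of the signature check, so its `pr_err` can now fire for any `base.apk` whose path does not parse instead of only for a verified manager; a lower log level may fit better there. `crown_manager` only reads `pkg` in the visible lines, so `const char *pkg` would suit its new parameter; both function bodies continue outside the hunks shown.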