From b31fc47197fc7b967347a1fb65f2553ad5b47cd0 Mon Sep 17 00:00:00 2001
From: weishu
Date: Sat, 3 Jun 2023 22:43:50 +0800
Subject: [PATCH] kernel: support CMD_IS_UID_GRANTED_ROOT and CMD_IS_UID_SHOULD_UMOUNT
---
 kernel/allowlist.c | 28 ++++++++++++++++++++++++++--
 kernel/allowlist.h | 4 +++-
 kernel/core_hook.c | 27 ++++++++++++++++++++++++++-
 kernel/ksu.h | 2 ++
 4 files changed, 57 insertions(+), 4 deletions(-)
diff --git a/kernel/allowlist.c b/kernel/allowlist.c
index b1005d19..2a021c43 100644
--- a/kernel/allowlist.c
+++ b/kernel/allowlist.c
@@ -73,7 +73,7 @@ static void ksu_grant_root_to_shell()
 }
 #endif
-bool ksu_get_app_profile(struct app_profile *profile)
+bool ksu_get_app_profile(struct app_profile *profile, bool query_by_uid)
 {
 struct perm_data *p = NULL;
 struct list_head *pos = NULL;
@@ -81,7 +81,10 @@ bool ksu_get_app_profile(struct app_profile *profile)
 list_for_each (pos, &allow_list) {
 p = list_entry(pos, struct perm_data, list);
- if (!strcmp(profile->key, p->profile.key)) {
+ bool uid_match =
+ (query_by_uid &&
+ profile->current_uid == p->profile.current_uid);
+ if (uid_match || !strcmp(profile->key, p->profile.key)) {
 // found it, override it with ours
 memcpy(profile, &p->profile, sizeof(*profile));
 found = true;
@@ -150,6 +153,27 @@ bool ksu_is_allow_uid(uid_t uid)
 return false;
 }
+bool ksu_is_uid_should_umount(uid_t uid)
+{
+ struct app_profile profile = { .current_uid = uid };
+ bool found = ksu_get_app_profile(&profile, true);
+ if (!found) {
+ // no app profile found, it must be non root app
+ return default_non_root_profile.umount_modules;
+ }
+ if (profile.allow_su) {
+ // if found and it is granted to su, we shouldn't umount for it
+ return false;
+ } else {
+ // found an app profile
+ if (profile.nrp_config.use_default) {
+ return default_non_root_profile.umount_modules;
+ } else {
+ return profile.nrp_config.profile.umount_modules;
+ }
+ }
+}
+
 bool ksu_get_allow_list(int *array, int *length, bool allow)
 {
 struct perm_data *p = NULL;
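Review bot: In `ksu_get_app_profile`, a uid query still falls through to the key comparison, because `if (uid_match || !strcmp(profile->key, p->profile.key))` compares keys even when `query_by_uid` is true. The new caller `ksu_is_uid_should_umount` (third hunk of this file) passes a profile initialised as `{ .current_uid = uid }`, so its key is the empty string, and any list entry with an empty key would be returned for a uid it does not belong to; whether such entries can exist is not visible here. Selecting the comparison by mode removes the overlap: `bool match = query_by_uid ? profile->current_uid == p->profile.current_uid : !strcmp(profile->key, p->profile.key);` followed by `if (match) {`. The loop and the function body continue outside the hunk.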
diff --git a/kernel/allowlist.h b/kernel/allowlist.h
index beb9c995..ac36a84c 100644
--- a/kernel/allowlist.h
+++ b/kernel/allowlist.h
@@ -18,6 +18,8 @@ bool ksu_get_allow_list(int *array, int *length, bool allow);
 void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
-bool ksu_get_app_profile(struct app_profile *);
+bool ksu_get_app_profile(struct app_profile *, bool query_by_uid);
 bool ksu_set_app_profile(struct app_profile *, bool persist);
+
+bool ksu_is_uid_should_umount(uid_t uid);
 #endif
\ No newline at end of file
diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 74b928da..c48e2d2f 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -322,6 +322,31 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 return 0;
 }
+ if (arg2 == CMD_IS_UID_GRANTED_ROOT ||
+ arg2 == CMD_IS_UID_SHOULD_UMOUNT) {
+ if (is_manager() || 0 == current_uid().val) {
+ uid_t target_uid = (uid_t)arg3;
+ bool allow = false;
+ if (arg2 == CMD_IS_UID_GRANTED_ROOT) {
+ allow = ksu_is_allow_uid(target_uid);
+ } else if (arg2 == CMD_IS_UID_SHOULD_UMOUNT) {
+ allow = ksu_is_uid_should_umount(target_uid);
+ } else {
+ pr_err("unknown cmd: %d\n", arg2);
+ }
+ if (!copy_to_user(arg4, &allow, sizeof(allow))) {
+ if (copy_to_user(result, &reply_ok,
+ sizeof(reply_ok))) {
+ pr_err("prctl reply error, cmd: %d\n",
+ arg2);
+ }
+ } else {
+ pr_err("prctl copy err, cmd: %d\n", arg2);
+ }
+ }
+ return 0;
+ }
+
 // all other cmds are for 'root manager'
 if (!is_manager()) {
 last_failed_uid = current_uid().val;
@@ -336,7 +361,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 return 0;
 }
- bool success = ksu_get_app_profile(&profile);
+ bool success = ksu_get_app_profile(&profile, false);
 if (success) {
 if (copy_to_user(arg3, &profile, sizeof(profile))) {
 pr_err("copy profile failed\n");
diff --git a/kernel/ksu.h b/kernel/ksu.h
index 715e3b14..1cda2aef 100644
--- a/kernel/ksu.h
+++ b/kernel/ksu.h
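Review bot: The three `pr_err` calls added in the `CMD_IS_UID_GRANTED_ROOT` / `CMD_IS_UID_SHOULD_UMOUNT` branch of `kernel/core_hook.c` format `arg2` with `%d`, but the signature in the hunk header declares it `unsigned long`; use `%lu`, as in `pr_err("prctl copy err, cmd: %lu\n", arg2);`. The inner `else` that logs "unknown cmd" is unreachable, since the outer `if` already limits `arg2` to the two commands, and can be dropped. `uid_t target_uid = (uid_t)arg3;` truncates silently, so on a 64-bit kernel a value above `UINT_MAX` is answered as if another uid had been asked about; an `if (arg3 > UINT_MAX) return 0;` before the lookup avoids that. This branch sits above the manager-only gate, answers uid 0 as well as the manager, and returns for everyone else without recording `last_failed_uid`, so a one-line comment stating that this is intended would help the next reader. The body of `ksu_handle_prctl` starts and ends outside the hunk.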
@@ -28,6 +28,8 @@
 #define CMD_CHECK_SAFEMODE 9
 #define CMD_GET_APP_PROFILE 10
 #define CMD_SET_APP_PROFILE 11
+#define CMD_IS_UID_GRANTED_ROOT 12
+#define CMD_IS_UID_SHOULD_UMOUNT 13
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2