android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

misc: code format(use kernel code stype: https://www.kernel.org/doc/html/v6.1/process/coding-style.html

Browse Source
This commit is contained in:
weishu
2022-12-27 18:21:10 +07:00
parent 342910771b
commit b427c86ab3
9 changed files with 903 additions and 764 deletions
Download Patch File Download Diff File Expand all files Collapse all files

325
kernel/allowlist.c
View File

@@ -26,9 +26,9 @@
#define FILE_FORMAT_VERSION 1 // u32 #define FILE_FORMAT_VERSION 1 // u32
struct perm_data { struct perm_data {
struct list_head list; struct list_head list;
uid_t uid; uid_t uid;
bool allow; bool allow;
}; };
static struct list_head allow_list; static struct list_head allow_list;
@@ -41,210 +41,221 @@ static struct work_struct ksu_load_work;
bool persistent_allow_list(void); bool persistent_allow_list(void);
bool ksu_allow_uid(uid_t uid, bool allow) { bool ksu_allow_uid(uid_t uid, bool allow)
{
// find the node first!
struct perm_data *p = NULL;
struct list_head *pos = NULL;
bool result = false;
list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list);
pr_info("ksu_allow_uid :%d, allow: %d\n", p->uid, p->allow);
if (uid == p->uid) {
p->allow = allow;
result = true;
goto exit;
}
}
// find the node first! // not found, alloc a new node!
struct perm_data *p = NULL; p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
struct list_head *pos = NULL; if (!p) {
bool result = false; pr_err("alloc allow node failed.\n");
list_for_each(pos, &allow_list) { return false;
p = list_entry(pos, struct perm_data, list); }
pr_info("ksu_allow_uid :%d, allow: %d\n", p->uid, p->allow); p->uid = uid;
if (uid == p->uid) { p->allow = allow;
p->allow = allow;
result = true;
goto exit;
}
}
// not found, alloc a new node! list_add_tail(&p->list, &allow_list);
p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL); result = true;
if (!p) {
pr_err("alloc allow node failed.\n");
return false;
}
p->uid = uid;
p->allow = allow;
list_add_tail(&p->list, &allow_list);
result = true;
exit: exit:
persistent_allow_list(); persistent_allow_list();
return result; return result;
} }
bool ksu_is_allow_uid(uid_t uid) { bool ksu_is_allow_uid(uid_t uid)
struct perm_data *p = NULL; {
struct list_head *pos = NULL; struct perm_data *p = NULL;
struct list_head *pos = NULL;
if (uid == 0) { if (uid == 0) {
// already root, but only allow our domain. // already root, but only allow our domain.
return is_ksu_domain(); return is_ksu_domain();
} }
list_for_each(pos, &allow_list) { list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list); p = list_entry(pos, struct perm_data, list);
// pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow); // pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
if (uid == p->uid) { if (uid == p->uid) {
return p->allow; return p->allow;
} }
} }
return false; return false;
} }
bool ksu_get_allow_list(int *array, int *length, bool allow) { bool ksu_get_allow_list(int *array, int *length, bool allow)
struct perm_data *p = NULL; {
struct list_head *pos = NULL; struct perm_data *p = NULL;
int i = 0; struct list_head *pos = NULL;
list_for_each(pos, &allow_list) { int i = 0;
p = list_entry(pos, struct perm_data, list); list_for_each (pos, &allow_list) {
pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow); p = list_entry(pos, struct perm_data, list);
if (p->allow == allow) { pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
array[i++] = p->uid; if (p->allow == allow) {
} array[i++] = p->uid;
} }
*length = i; }
*length = i;
return true; return true;
} }
void do_persistent_allow_list(struct work_struct *work) { void do_persistent_allow_list(struct work_struct *work)
u32 magic = FILE_MAGIC; {
u32 version = FILE_FORMAT_VERSION; u32 magic = FILE_MAGIC;
struct perm_data *p = NULL; u32 version = FILE_FORMAT_VERSION;
struct list_head *pos = NULL; struct perm_data *p = NULL;
loff_t off = 0; struct list_head *pos = NULL;
loff_t off = 0;
struct file *fp = filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644); struct file *fp =
filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
if (IS_ERR(fp)) { if (IS_ERR(fp)) {
pr_err("save_allow_list creat file failed: %d\n", PTR_ERR(fp)); pr_err("save_allow_list creat file failed: %d\n", PTR_ERR(fp));
return; return;
} }
// store magic and version // store magic and version
if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) { if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
pr_err("save_allow_list write magic failed.\n"); pr_err("save_allow_list write magic failed.\n");
goto exit; goto exit;
} }
if (kernel_write(fp, &version, sizeof(version), &off) != sizeof(version)) { if (kernel_write(fp, &version, sizeof(version), &off) !=
pr_err("save_allow_list write version failed.\n"); sizeof(version)) {
goto exit; pr_err("save_allow_list write version failed.\n");
} goto exit;
}
list_for_each(pos, &allow_list) { list_for_each (pos, &allow_list) {
p = list_entry(pos, struct perm_data, list); p = list_entry(pos, struct perm_data, list);
pr_info("save allow list uid :%d, allow: %d\n", p->uid, p->allow); pr_info("save allow list uid :%d, allow: %d\n", p->uid,
kernel_write(fp, &p->uid, sizeof(p->uid), &off); p->allow);
kernel_write(fp, &p->allow, sizeof(p->allow), &off); kernel_write(fp, &p->uid, sizeof(p->uid), &off);
} kernel_write(fp, &p->allow, sizeof(p->allow), &off);
}
exit: exit:
filp_close(fp, 0); filp_close(fp, 0);
} }
void do_load_allow_list(struct work_struct *work) { void do_load_allow_list(struct work_struct *work)
{
loff_t off = 0;
ssize_t ret = 0;
struct file *fp = NULL;
u32 magic;
u32 version;
loff_t off = 0; fp = filp_open("/data/adb/", O_RDONLY, 0);
ssize_t ret = 0; if (IS_ERR(fp)) {
struct file *fp = NULL; int errno = PTR_ERR(fp);
u32 magic; pr_err("load_allow_list open '/data/adb': %d\n", PTR_ERR(fp));
u32 version; if (errno == -ENOENT) {
msleep(2000);
queue_work(ksu_workqueue, &ksu_load_work);
return;
} else {
pr_info("load_allow list dir exist now!");
}
} else {
filp_close(fp, 0);
}
fp = filp_open("/data/adb/", O_RDONLY, 0); // load allowlist now!
if (IS_ERR(fp)) { fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
int errno = PTR_ERR(fp);
pr_err("load_allow_list open '/data/adb': %d\n", PTR_ERR(fp));
if (errno == -ENOENT) {
msleep(2000);
queue_work(ksu_workqueue, &ksu_load_work);
return;
} else {
pr_info("load_allow list dir exist now!");
}
} else {
filp_close(fp, 0);
}
// load allowlist now! if (IS_ERR(fp)) {
fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0); pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
return;
}
if (IS_ERR(fp)) { // verify magic
pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp)); if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
return; magic != FILE_MAGIC) {
} pr_err("allowlist file invalid: %d!\n", magic);
goto exit;
}
// verify magic if (kernel_read(fp, &version, sizeof(version), &off) !=
if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) || magic != FILE_MAGIC) { sizeof(version)) {
pr_err("allowlist file invalid: %d!\n", magic); pr_err("allowlist read version: %d failed\n", version);
goto exit; goto exit;
} }
if (kernel_read(fp, &version, sizeof(version), &off) != sizeof(version)) { pr_info("allowlist version: %d\n", version);
pr_err("allowlist read version: %d failed\n", version);
goto exit;
}
pr_info("allowlist version: %d\n", version); while (true) {
u32 uid;
bool allow = false;
ret = kernel_read(fp, &uid, sizeof(uid), &off);
if (ret <= 0) {
pr_info("load_allow_list read err: %d\n", ret);
break;
}
ret = kernel_read(fp, &allow, sizeof(allow), &off);
while (true) { pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
u32 uid;
bool allow = false;
ret = kernel_read(fp, &uid, sizeof(uid), &off);
if (ret <= 0) {
pr_info("load_allow_list read err: %d\n", ret);
break;
}
ret = kernel_read(fp, &allow, sizeof(allow), &off);
pr_info("load_allow_uid: %d, allow: %d\n", uid, allow); ksu_allow_uid(uid, allow);
}
ksu_allow_uid(uid, allow);
}
exit: exit:
filp_close(fp, 0); filp_close(fp, 0);
} }
static int init_work(void) { static int init_work(void)
ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0); {
INIT_WORK(&ksu_save_work, do_persistent_allow_list); ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);
INIT_WORK(&ksu_load_work, do_load_allow_list); INIT_WORK(&ksu_save_work, do_persistent_allow_list);
return 0; INIT_WORK(&ksu_load_work, do_load_allow_list);
return 0;
} }
// make sure allow list works cross boot // make sure allow list works cross boot
bool persistent_allow_list(void) { bool persistent_allow_list(void)
queue_work(ksu_workqueue, &ksu_save_work); {
return true; queue_work(ksu_workqueue, &ksu_save_work);
return true;
} }
bool ksu_load_allow_list(void) { bool ksu_load_allow_list(void)
queue_work(ksu_workqueue, &ksu_load_work); {
return true; queue_work(ksu_workqueue, &ksu_load_work);
return true;
} }
bool ksu_allowlist_init(void) { bool ksu_allowlist_init(void)
{
INIT_LIST_HEAD(&allow_list);
INIT_LIST_HEAD(&allow_list); init_work();
init_work(); // start load allow list, we load it before app_process exec now, refer: sucompat#execve_handler_pre
// ksu_load_allow_list();
// start load allow list, we load it before app_process exec now, refer: sucompat#execve_handler_pre return true;
// ksu_load_allow_list();
return true;
} }
bool ksu_allowlist_exit(void) { bool ksu_allowlist_exit(void)
{
destroy_workqueue(ksu_workqueue);
destroy_workqueue(ksu_workqueue); return true;
return true;
} }

2
kernel/allowlist.h
View File

@@ -9,7 +9,7 @@ bool ksu_is_allow_uid(uid_t uid);
bool ksu_allow_uid(uid_t uid, bool allow); bool ksu_allow_uid(uid_t uid, bool allow);
bool ksu_get_allow_list(int* array, int* length, bool allow); bool ksu_get_allow_list(int *array, int *length, bool allow);
bool ksu_load_allow_list(void); bool ksu_load_allow_list(void);

182
kernel/apk_sign.c
View File

@@ -3,79 +3,87 @@
#include "apk_sign.h" #include "apk_sign.h"
#include "klog.h" #include "klog.h"
static int check_v2_signature(char* path, unsigned expected_size, unsigned expected_hash) { static int check_v2_signature(char *path, unsigned expected_size,
unsigned char buffer[0x11] = {0}; unsigned expected_hash)
u32 size4; {
u64 size8, size_of_block; unsigned char buffer[0x11] = { 0 };
u32 size4;
u64 size8, size_of_block;
loff_t pos; loff_t pos;
int sign = -1; int sign = -1;
struct file* fp = filp_open(path, O_RDONLY, 0); struct file *fp = filp_open(path, O_RDONLY, 0);
if (IS_ERR(fp)) { if (IS_ERR(fp)) {
pr_err("open %s error.", path); pr_err("open %s error.", path);
return PTR_ERR(fp); return PTR_ERR(fp);
} }
sign = 1; sign = 1;
// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD) // https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
for (int i = 0;; ++i) { for (int i = 0;; ++i) {
unsigned short n; unsigned short n;
pos = generic_file_llseek(fp, -i - 2, SEEK_END); pos = generic_file_llseek(fp, -i - 2, SEEK_END);
kernel_read(fp, &n, 2, &pos); kernel_read(fp, &n, 2, &pos);
if (n == i) { if (n == i) {
pos -= 22; pos -= 22;
kernel_read(fp, &size4, 4, &pos); kernel_read(fp, &size4, 4, &pos);
if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) { if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
break; break;
} }
} }
if (i == 0xffff) { if (i == 0xffff) {
pr_info("error: cannot find eocd\n"); pr_info("error: cannot find eocd\n");
goto clean; goto clean;
} }
} }
pos += 12; pos += 12;
// offset // offset
kernel_read(fp, &size4, 0x4, &pos); kernel_read(fp, &size4, 0x4, &pos);
pos = size4 - 0x18; pos = size4 - 0x18;
kernel_read(fp, &size8, 0x8, &pos); kernel_read(fp, &size8, 0x8, &pos);
kernel_read(fp, buffer, 0x10, &pos); kernel_read(fp, buffer, 0x10, &pos);
if (strcmp((char *) buffer, "APK Sig Block 42")) { if (strcmp((char *)buffer, "APK Sig Block 42")) {
goto clean; goto clean;
} }
pos = size4 - (size8 + 0x8); pos = size4 - (size8 + 0x8);
kernel_read(fp, &size_of_block, 0x8, &pos); kernel_read(fp, &size_of_block, 0x8, &pos);
if (size_of_block != size8) { if (size_of_block != size8) {
goto clean; goto clean;
} }
for (;;) { for (;;) {
uint32_t id; uint32_t id;
uint32_t offset; uint32_t offset;
kernel_read(fp, &size8, 0x8, &pos); // sequence length kernel_read(fp, &size8, 0x8, &pos); // sequence length
if (size8 == size_of_block) { if (size8 == size_of_block) {
break; break;
} }
kernel_read(fp, &id, 0x4, &pos); // id kernel_read(fp, &id, 0x4, &pos); // id
offset = 4; offset = 4;
pr_info("id: 0x%08x\n", id); pr_info("id: 0x%08x\n", id);
if ((id ^ 0xdeadbeefu) == 0xafa439f5u || (id ^ 0xdeadbeefu) == 0x2efed62f) { if ((id ^ 0xdeadbeefu) == 0xafa439f5u ||
kernel_read(fp, &size4, 0x4, &pos); // signer-sequence length (id ^ 0xdeadbeefu) == 0x2efed62f) {
kernel_read(fp, &size4, 0x4, &pos); // signer length kernel_read(fp, &size4, 0x4,
kernel_read(fp, &size4, 0x4, &pos); // signed data length &pos); // signer-sequence length
offset += 0x4 * 3; kernel_read(fp, &size4, 0x4, &pos); // signer length
kernel_read(fp, &size4, 0x4,
&pos); // signed data length
offset += 0x4 * 3;
kernel_read(fp, &size4, 0x4, &pos); // digests-sequence length kernel_read(fp, &size4, 0x4,
pos += size4; &pos); // digests-sequence length
offset += 0x4 + size4; pos += size4;
offset += 0x4 + size4;
kernel_read(fp, &size4, 0x4, &pos); // certificates length kernel_read(fp, &size4, 0x4,
kernel_read(fp, &size4, 0x4, &pos); // certificate length &pos); // certificates length
offset += 0x4 * 2; kernel_read(fp, &size4, 0x4,
&pos); // certificate length
offset += 0x4 * 2;
#if 0 #if 0
int hash = 1; int hash = 1;
signed char c; signed char c;
@@ -86,32 +94,34 @@ static int check_v2_signature(char* path, unsigned expected_size, unsigned expec
offset += size4; offset += size4;
pr_info(" size: 0x%04x, hash: 0x%08x\n", size4, ((unsigned) hash) ^ 0x14131211u); pr_info(" size: 0x%04x, hash: 0x%08x\n", size4, ((unsigned) hash) ^ 0x14131211u);
#else #else
if (size4 == expected_size) { if (size4 == expected_size) {
int hash = 1; int hash = 1;
signed char c; signed char c;
for (unsigned i = 0; i < size4; ++i) { for (unsigned i = 0; i < size4; ++i) {
kernel_read(fp, &c, 0x1, &pos); kernel_read(fp, &c, 0x1, &pos);
hash = 31 * hash + c; hash = 31 * hash + c;
} }
offset += size4; offset += size4;
if ((((unsigned) hash) ^ 0x14131211u) == expected_hash) { if ((((unsigned)hash) ^ 0x14131211u) ==
sign = 0; expected_hash) {
break; sign = 0;
} break;
} }
// don't try again. }
break; // don't try again.
break;
#endif #endif
} }
pos += (size8 - offset); pos += (size8 - offset);
} }
clean: clean:
filp_close(fp, 0); filp_close(fp, 0);
return sign; return sign;
} }
int is_manager_apk(char* path) { int is_manager_apk(char *path)
return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH); {
return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
} }

4
kernel/arch.h
View File

@@ -1,7 +1,6 @@
#ifndef __KSU_H_ARCH #ifndef __KSU_H_ARCH
#define __KSU_H_ARCH #define __KSU_H_ARCH
#if defined(__aarch64__) #if defined(__aarch64__)
#define __PT_PARM1_REG regs[0] #define __PT_PARM1_REG regs[0]
@@ -10,7 +9,7 @@
#define __PT_PARM4_REG regs[3] #define __PT_PARM4_REG regs[3]
#define __PT_PARM5_REG regs[4] #define __PT_PARM5_REG regs[4]
#define __PT_RET_REG regs[30] #define __PT_RET_REG regs[30]
#define __PT_FP_REG regs[29] /* Works only with CONFIG_FRAME_POINTER */ #define __PT_FP_REG regs[29] /* Works only with CONFIG_FRAME_POINTER */
#define __PT_RC_REG regs[0] #define __PT_RC_REG regs[0]
#define __PT_SP_REG sp #define __PT_SP_REG sp
#define __PT_IP_REG pc #define __PT_IP_REG pc
@@ -54,5 +53,4 @@
#define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG) #define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
#define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG) #define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
#endif #endif

114
kernel/ksu.c
View File

@@ -14,7 +14,7 @@
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/fdtable.h> #include <linux/fdtable.h>
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/fs_struct.h> #include <linux/fs_struct.h>
#include <linux/namei.h> #include <linux/namei.h>
@@ -39,8 +39,9 @@
#define CMD_GET_ALLOW_LIST 5 #define CMD_GET_ALLOW_LIST 5
#define CMD_GET_DENY_LIST 6 #define CMD_GET_DENY_LIST 6
void escape_to_root() { void escape_to_root()
struct cred* cred; {
struct cred *cred;
cred = (struct cred *)__task_cred(current); cred = (struct cred *)__task_cred(current);
@@ -69,30 +70,34 @@ void escape_to_root() {
setup_selinux(); setup_selinux();
} }
int startswith(char* s, char* prefix) { int startswith(char *s, char *prefix)
{
return strncmp(s, prefix, strlen(prefix)); return strncmp(s, prefix, strlen(prefix));
} }
int endswith(const char *s, const char *t) int endswith(const char *s, const char *t)
{ {
size_t slen = strlen(s); size_t slen = strlen(s);
size_t tlen = strlen(t); size_t tlen = strlen(t);
if (tlen > slen) return 1; if (tlen > slen)
return strcmp(s + slen - tlen, t); return 1;
return strcmp(s + slen - tlen, t);
} }
static uid_t __manager_uid; static uid_t __manager_uid;
static bool is_manager() { static bool is_manager()
{
return __manager_uid == current_uid().val; return __manager_uid == current_uid().val;
} }
static bool become_manager(char* pkg) { static bool become_manager(char *pkg)
struct fdtable *files_table; {
int i = 0; struct fdtable *files_table;
struct path files_path; int i = 0;
struct path files_path;
char *cwd; char *cwd;
char *buf; char *buf;
bool result = false; bool result = false;
// must be zygote's direct child, otherwise any app can fork a new process and open manager's apk // must be zygote's direct child, otherwise any app can fork a new process and open manager's apk
@@ -106,23 +111,24 @@ static bool become_manager(char* pkg) {
return true; return true;
} }
buf = (char *) kmalloc(PATH_MAX, GFP_ATOMIC); buf = (char *)kmalloc(PATH_MAX, GFP_ATOMIC);
if (!buf) { if (!buf) {
pr_err("kalloc path failed.\n"); pr_err("kalloc path failed.\n");
return false; return false;
} }
files_table = files_fdtable(current->files); files_table = files_fdtable(current->files);
// todo: use iterate_fd // todo: use iterate_fd
while(files_table->fd[i] != NULL) { while (files_table->fd[i] != NULL) {
files_path = files_table->fd[i]->f_path; files_path = files_table->fd[i]->f_path;
if (!d_is_reg(files_path.dentry)) { if (!d_is_reg(files_path.dentry)) {
i++; i++;
continue; continue;
} }
cwd = d_path(&files_path, buf, PATH_MAX); cwd = d_path(&files_path, buf, PATH_MAX);
if (startswith(cwd, "/data/app/") == 0 && endswith(cwd, "/base.apk") == 0) { if (startswith(cwd, "/data/app/") == 0 &&
endswith(cwd, "/base.apk") == 0) {
// we have found the apk! // we have found the apk!
pr_info("found apk: %s", cwd); pr_info("found apk: %s", cwd);
if (!strstr(cwd, pkg)) { if (!strstr(cwd, pkg)) {
@@ -145,15 +151,16 @@ static bool become_manager(char* pkg) {
break; break;
} }
i++; i++;
} }
clean: clean:
kfree(buf); kfree(buf);
return result; return result;
} }
static bool is_allow_su() { static bool is_allow_su()
{
uid_t uid = current_uid().val; uid_t uid = current_uid().val;
if (uid == __manager_uid) { if (uid == __manager_uid) {
// we are manager, allow! // we are manager, allow!
@@ -165,20 +172,20 @@ static bool is_allow_su() {
extern void enable_sucompat(); extern void enable_sucompat();
static int handler_pre(struct kprobe *p, struct pt_regs *regs) { static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
struct pt_regs* real_regs = (struct pt_regs*) PT_REGS_PARM1(regs); struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
int option = (int) PT_REGS_PARM1(real_regs); int option = (int)PT_REGS_PARM1(real_regs);
unsigned long arg2 = (unsigned long) PT_REGS_PARM2(real_regs); unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
unsigned long arg3 = (unsigned long) PT_REGS_PARM3(real_regs); unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
unsigned long arg4 = (unsigned long) PT_REGS_PARM4(real_regs); unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
unsigned long arg5 = (unsigned long) PT_REGS_PARM5(real_regs); unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
// if success, we modify the arg5 as result! // if success, we modify the arg5 as result!
u32* result = (u32*) arg5; u32 *result = (u32 *)arg5;
u32 reply_ok = KERNEL_SU_OPTION; u32 reply_ok = KERNEL_SU_OPTION;
if (KERNEL_SU_OPTION != option) { if (KERNEL_SU_OPTION != option) {
return 0; return 0;
} }
@@ -188,13 +195,13 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
// someone wants to be root manager, just check it! // someone wants to be root manager, just check it!
// arg3 should be `/data/data/<manager_package_name>` // arg3 should be `/data/data/<manager_package_name>`
char param[128]; char param[128];
const char* prefix = "/data/data/"; const char *prefix = "/data/data/";
if (copy_from_user(param, arg3, sizeof(param))) { if (copy_from_user(param, arg3, sizeof(param))) {
pr_err("become_manager: copy param err\n"); pr_err("become_manager: copy param err\n");
return 0; return 0;
} }
if (startswith(param, (char*) prefix) != 0) { if (startswith(param, (char *)prefix) != 0) {
pr_info("become_manager: invalid param: %s\n", param); pr_info("become_manager: invalid param: %s\n", param);
return 0; return 0;
} }
@@ -211,7 +218,7 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
path_put(&path); path_put(&path);
return 0; return 0;
} }
char* pkg = param + strlen(prefix); char *pkg = param + strlen(prefix);
pr_info("become_manager: param pkg: %s\n", pkg); pr_info("become_manager: param pkg: %s\n", pkg);
bool success = become_manager(pkg); bool success = become_manager(pkg);
@@ -246,22 +253,27 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) { if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
bool allow = arg2 == CMD_ALLOW_SU; bool allow = arg2 == CMD_ALLOW_SU;
bool success = false; bool success = false;
uid_t uid = (uid_t) arg3; uid_t uid = (uid_t)arg3;
success = ksu_allow_uid(uid, allow); success = ksu_allow_uid(uid, allow);
if (success) { if (success) {
if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) { if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
pr_err("prctl reply error, cmd: %d\n", arg2); pr_err("prctl reply error, cmd: %d\n", arg2);
} }
} }
} else if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) { } else if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
u32 array[128]; u32 array[128];
u32 array_length; u32 array_length;
bool success = ksu_get_allow_list(array, &array_length, arg2 == CMD_GET_ALLOW_LIST); bool success = ksu_get_allow_list(array, &array_length,
arg2 == CMD_GET_ALLOW_LIST);
if (success) { if (success) {
if (!copy_to_user(arg4, &array_length, sizeof(array_length)) && if (!copy_to_user(arg4, &array_length,
!copy_to_user(arg3, array, sizeof(u32) * array_length)) { sizeof(array_length)) &&
if (!copy_to_user(result, &reply_ok, sizeof(reply_ok))) { !copy_to_user(arg3, array,
pr_err("prctl reply error, cmd: %d\n", arg2); sizeof(u32) * array_length)) {
if (!copy_to_user(result, &reply_ok,
sizeof(reply_ok))) {
pr_err("prctl reply error, cmd: %d\n",
arg2);
} }
} else { } else {
pr_err("prctl copy allowlist error\n"); pr_err("prctl copy allowlist error\n");
@@ -274,22 +286,24 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
} }
} }
return 0; return 0;
} }
static struct kprobe kp = { static struct kprobe kp = {
.symbol_name = PRCTL_SYMBOL, .symbol_name = PRCTL_SYMBOL,
.pre_handler = handler_pre, .pre_handler = handler_pre,
}; };
int kernelsu_init(void){ int kernelsu_init(void)
{
int rc = 0; int rc = 0;
ksu_allowlist_init(); ksu_allowlist_init();
rc = register_kprobe(&kp); rc = register_kprobe(&kp);
if (rc) { if (rc) {
pr_info("prctl kprobe failed: %d, please check your kernel config.\n", rc); pr_info("prctl kprobe failed: %d, please check your kernel config.\n",
rc);
return rc; return rc;
} }
@@ -298,7 +312,8 @@ int kernelsu_init(void){
return 0; return 0;
} }
void kernelsu_exit(void){ void kernelsu_exit(void)
{
// should never happen... // should never happen...
unregister_kprobe(&kp); unregister_kprobe(&kp);
@@ -315,4 +330,5 @@ module_exit(kernelsu_exit);
MODULE_LICENSE("GPL"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("weishu"); MODULE_AUTHOR("weishu");
MODULE_DESCRIPTION("Android GKI KernelSU"); MODULE_DESCRIPTION("Android GKI KernelSU");
MODULE_IMPORT_NS(VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver); // 5+才需要导出命名空间 MODULE_IMPORT_NS(
VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver); // 5+才需要导出命名空间

8
kernel/selinux/rules.c
View File

@@ -4,8 +4,8 @@
#define KERNEL_SU_DOMAIN "su" #define KERNEL_SU_DOMAIN "su"
#define ALL NULL #define ALL NULL
void apply_kernelsu_rules() { void apply_kernelsu_rules()
{
struct selinux_policy *policy; struct selinux_policy *policy;
struct policydb *db; struct policydb *db;
@@ -25,14 +25,14 @@ void apply_kernelsu_rules() {
// allow all! // allow all!
allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL); allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
// allow us do any ioctl // allow us do any ioctl
if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) { if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL); allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL); allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL); allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
} }
// we need to save allowlist in /data/adb // we need to save allowlist in /data/adb
allow(db, "kernel", "adb_data_file", "dir", ALL); allow(db, "kernel", "adb_data_file", "dir", ALL);
allow(db, "kernel", "adb_data_file", "file", ALL); allow(db, "kernel", "adb_data_file", "file", ALL);

55
kernel/selinux/selinux.c
View File

@@ -20,43 +20,45 @@
static u32 ksu_sid; static u32 ksu_sid;
static int transive_to_domain(const char* domain) { static int transive_to_domain(const char *domain)
struct cred* cred; {
struct task_security_struct* tsec; struct cred *cred;
struct task_security_struct *tsec;
u32 sid; u32 sid;
int error; int error;
cred = (struct cred *)__task_cred(current); cred = (struct cred *)__task_cred(current);
tsec = cred->security; tsec = cred->security;
if (!tsec) { if (!tsec) {
pr_err("tsec == NULL!\n"); pr_err("tsec == NULL!\n");
return -1; return -1;
} }
error = security_secctx_to_secid(domain, strlen(domain), &sid); error = security_secctx_to_secid(domain, strlen(domain), &sid);
pr_info("error: %d, sid: %d\n", error, sid); pr_info("error: %d, sid: %d\n", error, sid);
if (!error) { if (!error) {
if (!ksu_sid) ksu_sid = sid; if (!ksu_sid)
ksu_sid = sid;
tsec->sid = sid; tsec->sid = sid;
tsec->create_sid = 0; tsec->create_sid = 0;
tsec->keycreate_sid = 0; tsec->keycreate_sid = 0;
tsec->sockcreate_sid = 0; tsec->sockcreate_sid = 0;
} }
return error; return error;
} }
static bool is_domain_permissive; static bool is_domain_permissive;
void setup_selinux() { void setup_selinux()
{
if (transive_to_domain(KERNEL_SU_DOMAIN)) {
pr_err("transive domain failed.");
return;
}
if (transive_to_domain(KERNEL_SU_DOMAIN)) { /* we didn't need this now, we have change selinux rules when boot!
pr_err("transive domain failed.");
return;
}
/* we didn't need this now, we have change selinux rules when boot!
if (!is_domain_permissive) { if (!is_domain_permissive) {
if (set_domain_permissive() == 0) { if (set_domain_permissive() == 0) {
is_domain_permissive = true; is_domain_permissive = true;
@@ -64,26 +66,29 @@ void setup_selinux() {
}*/ }*/
} }
void setenforce(bool enforce) { void setenforce(bool enforce)
{
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
selinux_state.enforcing = enforce; selinux_state.enforcing = enforce;
#endif #endif
} }
bool getenforce() { bool getenforce()
{
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
if (selinux_state.disabled) { if (selinux_state.disabled) {
return false; return false;
} }
#endif #endif
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
return selinux_state.enforcing; return selinux_state.enforcing;
#else #else
return false; return false;
#endif #endif
} }
bool is_ksu_domain() { bool is_ksu_domain()
return ksu_sid && current_sid() == ksu_sid; {
return ksu_sid && current_sid() == ksu_sid;
} }

820
kernel/selinux/sepolicy.c
View File

@@ -4,278 +4,321 @@
// Invert is adding rules for auditdeny; in other cases, invert is removing rules // Invert is adding rules for auditdeny; in other cases, invert is removing rules
#define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert) #define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
#define hash_for_each(node_ptr, n_slot, cur) \ #define hash_for_each(node_ptr, n_slot, cur) \
int i; \ int i; \
for (i = 0; i < n_slot; ++i) \ for (i = 0; i < n_slot; ++i) \
for (cur = node_ptr[i]; cur; cur = cur->next) \ for (cur = node_ptr[i]; cur; cur = cur->next)
#define hashtab_for_each(htab, cur) \ #define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
hash_for_each(htab.htable, htab.size, cur) \
#define avtab_for_each(avtab, cur) \ #define avtab_for_each(avtab, cur) \
hash_for_each(avtab.htable, avtab.nslot, cur); \ hash_for_each (avtab.htable, avtab.nslot, cur) \
;
static bool is_redundant(struct avtab_node* node) { static bool is_redundant(struct avtab_node *node)
switch (node->key.specified) { {
case AVTAB_AUDITDENY: switch (node->key.specified) {
return node->datum.u.data == ~0U; case AVTAB_AUDITDENY:
case AVTAB_XPERMS: return node->datum.u.data == ~0U;
return node->datum.u.xperms == NULL; case AVTAB_XPERMS:
default: return node->datum.u.xperms == NULL;
return node->datum.u.data == 0U; default:
} return node->datum.u.data == 0U;
}
} }
struct avtab_node* get_avtab_node(struct policydb* db, struct avtab_key *key, struct avtab_extended_perms *xperms) { struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *key,
struct avtab_node* node; struct avtab_extended_perms *xperms)
{
struct avtab_node *node;
/* AVTAB_XPERMS entries are not necessarily unique */ /* AVTAB_XPERMS entries are not necessarily unique */
if (key->specified & AVTAB_XPERMS) { if (key->specified & AVTAB_XPERMS) {
bool match = false; bool match = false;
node = avtab_search_node(&db->te_avtab, key); node = avtab_search_node(&db->te_avtab, key);
while (node) { while (node) {
if ((node->datum.u.xperms->specified == xperms->specified) && if ((node->datum.u.xperms->specified ==
(node->datum.u.xperms->driver == xperms->driver)) { xperms->specified) &&
match = true; (node->datum.u.xperms->driver == xperms->driver)) {
break; match = true;
} break;
node = avtab_search_node_next(node, key->specified); }
} node = avtab_search_node_next(node, key->specified);
if (!match) }
node = NULL; if (!match)
} else { node = NULL;
node = avtab_search_node(&db->te_avtab, key); } else {
} node = avtab_search_node(&db->te_avtab, key);
}
if (!node) { if (!node) {
struct avtab_datum avdatum = {}; struct avtab_datum avdatum = {};
/* /*
* AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
* others. Initialize the data accordingly. * others. Initialize the data accordingly.
*/ */
if (key->specified & AVTAB_XPERMS) { if (key->specified & AVTAB_XPERMS) {
avdatum.u.xperms = xperms; avdatum.u.xperms = xperms;
} else { } else {
avdatum.u.data = key->specified == AVTAB_AUDITDENY ? ~0U : 0U; avdatum.u.data =
key->specified == AVTAB_AUDITDENY ? ~0U : 0U;
}
/* this is used to get the node - insertion is actually unique */
node = avtab_insert_nonunique(&db->te_avtab, key, &avdatum);
int grow_size = sizeof(u16) * 4;
if (key->specified & AVTAB_XPERMS) {
grow_size += sizeof(u8);
grow_size += sizeof(u8);
grow_size += sizeof(u32) *
ARRAY_SIZE(avdatum.u.xperms->perms.p);
} else {
grow_size += sizeof(u32) * 1;
}
db->len += grow_size;
} }
/* this is used to get the node - insertion is actually unique */
node = avtab_insert_nonunique(&db->te_avtab, key, &avdatum);
int grow_size = sizeof(u16) * 4; return node;
if (key->specified & AVTAB_XPERMS) { }
grow_size += sizeof(u8);
grow_size += sizeof(u8); bool add_rule(struct policydb *db, const char *s, const char *t, const char *c,
grow_size += sizeof(u32) * ARRAY_SIZE(avdatum.u.xperms->perms.p); const char *p, int effect, bool invert)
} else { {
grow_size += sizeof(u32) * 1; struct type_datum *src = NULL, *tgt = NULL;
struct class_datum *cls = NULL;
struct perm_datum *perm = NULL;
if (s) {
src = symtab_search(&db->p_types, s);
if (src == NULL) {
pr_info("source type %s does not exist\n", s);
return false;
}
} }
db->len += grow_size;
}
return node; if (t) {
tgt = symtab_search(&db->p_types, t);
if (tgt == NULL) {
pr_info("target type %s does not exist\n", t);
return false;
}
}
if (c) {
cls = symtab_search(&db->p_classes, c);
if (cls == NULL) {
pr_info("class %s does not exist\n", c);
return false;
}
}
if (p) {
if (c == NULL) {
pr_info("No class is specified, cannot add perm [%s] \n",
p);
return false;
}
perm = symtab_search(&cls->permissions, p);
if (perm == NULL && cls->comdatum != NULL) {
perm = symtab_search(&cls->comdatum->permissions, p);
}
if (perm == NULL) {
pr_info("perm %s does not exist in class %s\n", p, c);
return false;
}
}
add_rule_raw(db, src, tgt, cls, perm, effect, invert);
return true;
} }
bool add_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *p, int effect, bool invert) { void add_rule_raw(struct policydb *db, struct type_datum *src,
struct type_datum *src = NULL, *tgt = NULL; struct type_datum *tgt, struct class_datum *cls,
struct class_datum *cls = NULL; struct perm_datum *perm, int effect, bool invert)
struct perm_datum *perm = NULL; {
if (src == NULL) {
struct hashtab_node *node;
if (strip_av(effect, invert)) {
hashtab_for_each(db->p_types.table, node)
{
add_rule_raw(db,
(struct type_datum *)node->datum,
tgt, cls, perm, effect, invert);
};
} else {
hashtab_for_each(db->p_types.table, node)
{
struct type_datum *type =
(struct type_datum *)(node->datum);
if (type->attribute) {
add_rule_raw(db, type, tgt, cls, perm,
effect, invert);
}
};
}
} else if (tgt == NULL) {
struct hashtab_node *node;
if (strip_av(effect, invert)) {
hashtab_for_each(db->p_types.table, node)
{
add_rule_raw(db, src,
(struct type_datum *)node->datum,
cls, perm, effect, invert);
};
} else {
hashtab_for_each(db->p_types.table, node)
{
struct type_datum *type =
(struct type_datum *)(node->datum);
if (type->attribute) {
add_rule_raw(db, src, type, cls, perm,
effect, invert);
}
};
}
} else if (cls == NULL) {
struct hashtab_node *node;
hashtab_for_each(db->p_classes.table, node)
{
add_rule_raw(db, src, tgt,
(struct class_datum *)node->datum, perm,
effect, invert);
}
} else {
struct avtab_key key;
key.source_type = src->value;
key.target_type = tgt->value;
key.target_class = cls->value;
key.specified = effect;
if (s) { struct avtab_node *node = get_avtab_node(db, &key, NULL);
src = symtab_search(&db->p_types, s); if (invert) {
if (src == NULL) { if (perm)
pr_info("source type %s does not exist\n", s); node->datum.u.data &=
return false; ~(1U << (perm->value - 1));
} else
} node->datum.u.data = 0U;
} else {
if (t) { if (perm)
tgt = symtab_search(&db->p_types, t); node->datum.u.data |= 1U << (perm->value - 1);
if (tgt == NULL) { else
pr_info("target type %s does not exist\n", t); node->datum.u.data = ~0U;
return false; }
} }
}
if (c) {
cls = symtab_search(&db->p_classes, c);
if (cls == NULL) {
pr_info("class %s does not exist\n", c);
return false;
}
}
if (p) {
if (c == NULL) {
pr_info("No class is specified, cannot add perm [%s] \n", p);
return false;
}
perm = symtab_search(&cls->permissions, p);
if (perm == NULL && cls->comdatum != NULL) {
perm = symtab_search(&cls->comdatum->permissions, p);
}
if (perm == NULL) {
pr_info("perm %s does not exist in class %s\n", p, c);
return false;
}
}
add_rule_raw(db, src, tgt, cls, perm, effect, invert);
return true;
} }
void add_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt, struct class_datum *cls, struct perm_datum *perm, int effect, bool invert) { #define ioctl_driver(x) (x >> 8 & 0xFF)
if (src == NULL) {
struct hashtab_node* node;
if (strip_av(effect, invert)) {
hashtab_for_each(db->p_types.table, node) {
add_rule_raw(db, (struct type_datum*)node->datum, tgt, cls, perm, effect, invert);
};
} else {
hashtab_for_each(db->p_types.table, node) {
struct type_datum* type = (struct type_datum*)(node->datum);
if (type->attribute) {
add_rule_raw(db, type, tgt, cls, perm, effect, invert);
}
};
}
} else if (tgt == NULL) {
struct hashtab_node* node;
if (strip_av(effect, invert)) {
hashtab_for_each(db->p_types.table, node) {
add_rule_raw(db, src, (struct type_datum*)node->datum, cls, perm, effect, invert);
};
} else {
hashtab_for_each(db->p_types.table, node) {
struct type_datum* type = (struct type_datum*)(node->datum);
if (type->attribute) {
add_rule_raw(db, src, type, cls, perm, effect, invert);
}
};
}
} else if (cls == NULL) {
struct hashtab_node* node;
hashtab_for_each(db->p_classes.table, node) {
add_rule_raw(db, src, tgt, (struct class_datum*)node->datum, perm, effect, invert);
}
} else {
struct avtab_key key;
key.source_type = src->value;
key.target_type = tgt->value;
key.target_class = cls->value;
key.specified = effect;
struct avtab_node* node = get_avtab_node(db, &key, NULL);
if (invert) {
if (perm)
node->datum.u.data &= ~(1U << (perm->value - 1));
else
node->datum.u.data = 0U;
} else {
if (perm)
node->datum.u.data |= 1U << (perm->value - 1);
else
node->datum.u.data = ~0U;
}
}
}
#define ioctl_driver(x) (x>>8 & 0xFF)
#define ioctl_func(x) (x & 0xFF) #define ioctl_func(x) (x & 0xFF)
#define xperm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f))) #define xperm_test(x, p) (1 & (p[x >> 5] >> (x & 0x1f)))
#define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f))) #define xperm_set(x, p) (p[x >> 5] |= (1 << (x & 0x1f)))
#define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f))) #define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f)))
void add_xperm_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt, void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
struct class_datum *cls, uint16_t low, uint16_t high, int effect, bool invert) { struct type_datum *tgt, struct class_datum *cls,
uint16_t low, uint16_t high, int effect, bool invert)
{
if (src == NULL) {
struct hashtab_node *node;
hashtab_for_each(db->p_types.table, node)
{
struct type_datum *type =
(struct type_datum *)(node->datum);
if (type->attribute) {
add_xperm_rule_raw(db, type, tgt, cls, low,
high, effect, invert);
}
};
} else if (tgt == NULL) {
struct hashtab_node *node;
hashtab_for_each(db->p_types.table, node)
{
struct type_datum *type =
(struct type_datum *)(node->datum);
if (type->attribute) {
add_xperm_rule_raw(db, src, type, cls, low,
high, effect, invert);
}
};
} else if (cls == NULL) {
struct hashtab_node *node;
hashtab_for_each(db->p_classes.table, node)
{
add_xperm_rule_raw(db, src, tgt,
(struct class_datum *)(node->datum),
low, high, effect, invert);
};
} else {
struct avtab_key key;
key.source_type = src->value;
key.target_type = tgt->value;
key.target_class = cls->value;
key.specified = effect;
if (src == NULL) { struct avtab_datum *datum;
struct hashtab_node* node; struct avtab_node *node;
hashtab_for_each(db->p_types.table, node) { struct avtab_extended_perms xperms;
struct type_datum* type = (struct type_datum*)(node->datum);
if (type->attribute) { memset(&xperms, 0, sizeof(xperms));
add_xperm_rule_raw(db, type, tgt, cls, low, high, effect, invert); if (ioctl_driver(low) != ioctl_driver(high)) {
xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
xperms.driver = 0;
} else {
xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
xperms.driver = ioctl_driver(low);
} }
};
} else if (tgt == NULL) { if (xperms.specified == AVTAB_XPERMS_IOCTLDRIVER) {
struct hashtab_node* node; for (int i = ioctl_driver(low); i <= ioctl_driver(high);
hashtab_for_each(db->p_types.table, node) { ++i) {
struct type_datum* type = (struct type_datum*)(node->datum); if (invert)
if (type->attribute) { xperm_clear(i, xperms.perms.p);
add_xperm_rule_raw(db, src, type, cls, low, high, effect, invert); else
xperm_set(i, xperms.perms.p);
}
} else {
for (int i = ioctl_func(low); i <= ioctl_func(high);
++i) {
if (invert)
xperm_clear(i, xperms.perms.p);
else
xperm_set(i, xperms.perms.p);
}
} }
};
} else if (cls == NULL) {
struct hashtab_node* node;
hashtab_for_each(db->p_classes.table, node) {
add_xperm_rule_raw(db, src, tgt, (struct class_datum*)(node->datum), low, high, effect, invert);
};
} else {
struct avtab_key key;
key.source_type = src->value;
key.target_type = tgt->value;
key.target_class = cls->value;
key.specified = effect;
struct avtab_datum *datum; node = get_avtab_node(db, &key, &xperms);
struct avtab_node *node; if (!node) {
struct avtab_extended_perms xperms; pr_warn("add_xperm_rule_raw cannot found node!\n");
memset(&xperms, 0, sizeof(xperms));
if (ioctl_driver(low) != ioctl_driver(high)) {
xperms.specified = AVTAB_XPERMS_IOCTLDRIVER;
xperms.driver = 0;
} else {
xperms.specified = AVTAB_XPERMS_IOCTLFUNCTION;
xperms.driver = ioctl_driver(low);
}
if (xperms.specified == AVTAB_XPERMS_IOCTLDRIVER) {
for (int i = ioctl_driver(low); i <= ioctl_driver(high); ++i) {
if (invert)
xperm_clear(i, xperms.perms.p);
else
xperm_set(i, xperms.perms.p);
}
} else {
for (int i = ioctl_func(low); i <= ioctl_func(high); ++i) {
if (invert)
xperm_clear(i, xperms.perms.p);
else
xperm_set(i, xperms.perms.p);
}
}
node = get_avtab_node(db, &key, &xperms);
if (!node) {
pr_warn("add_xperm_rule_raw cannot found node!\n");
return;
}
datum = &node->datum;
if (datum->u.xperms == NULL) {
datum->u.xperms = (struct avtab_extended_perms*)(kmalloc(sizeof(xperms), GFP_KERNEL));
if (!datum->u.xperms) {
pr_err("alloc xperms failed\n");
return; return;
} }
memcpy(datum->u.xperms, &xperms, sizeof(xperms)); datum = &node->datum;
}
} if (datum->u.xperms == NULL) {
datum->u.xperms =
(struct avtab_extended_perms *)(kmalloc(
sizeof(xperms), GFP_KERNEL));
if (!datum->u.xperms) {
pr_err("alloc xperms failed\n");
return;
}
memcpy(datum->u.xperms, &xperms, sizeof(xperms));
}
}
} }
bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *range, int effect, bool invert) { bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
const char *c, const char *range, int effect, bool invert)
{
struct type_datum *src = NULL, *tgt = NULL; struct type_datum *src = NULL, *tgt = NULL;
struct class_datum *cls = NULL; struct class_datum *cls = NULL;
if (s) { if (s) {
src = symtab_search(&db->p_types, s); src = symtab_search(&db->p_types, s);
if (src == NULL) { if (src == NULL) {
pr_info("source type %s does not exist\n", s); pr_info("source type %s does not exist\n", s);
return false; return false;
} }
} }
if (t) { if (t) {
tgt = symtab_search(&db->p_types, t); tgt = symtab_search(&db->p_types, t);
@@ -296,7 +339,7 @@ bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const cha
u16 low, high; u16 low, high;
if (range) { if (range) {
if (strchr(range, '-')){ if (strchr(range, '-')) {
sscanf(range, "%hx-%hx", &low, &high); sscanf(range, "%hx-%hx", &low, &high);
} else { } else {
sscanf(range, "%hx", &low); sscanf(range, "%hx", &low);
@@ -311,187 +354,236 @@ bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const cha
return true; return true;
} }
bool add_type_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *d, int effect) { bool add_type_rule(struct policydb *db, const char *s, const char *t,
struct type_datum *src, *tgt, *def; const char *c, const char *d, int effect)
struct class_datum *cls; {
struct type_datum *src, *tgt, *def;
struct class_datum *cls;
src = symtab_search(&db->p_types, s); src = symtab_search(&db->p_types, s);
if (src == NULL) { if (src == NULL) {
pr_info("source type %s does not exist\n", s); pr_info("source type %s does not exist\n", s);
return false; return false;
} }
tgt = symtab_search(&db->p_types, t); tgt = symtab_search(&db->p_types, t);
if (tgt == NULL) { if (tgt == NULL) {
pr_info("target type %s does not exist\n", t); pr_info("target type %s does not exist\n", t);
return false; return false;
} }
cls = symtab_search(&db->p_classes, c); cls = symtab_search(&db->p_classes, c);
if (cls == NULL) { if (cls == NULL) {
pr_info("class %s does not exist\n", c); pr_info("class %s does not exist\n", c);
return false; return false;
} }
def = symtab_search(&db->p_types, d); def = symtab_search(&db->p_types, d);
if (def == NULL) { if (def == NULL) {
pr_info("default type %s does not exist\n", d); pr_info("default type %s does not exist\n", d);
return false; return false;
} }
struct avtab_key key; struct avtab_key key;
key.source_type = src->value; key.source_type = src->value;
key.target_type = tgt->value; key.target_type = tgt->value;
key.target_class = cls->value; key.target_class = cls->value;
key.specified = effect; key.specified = effect;
struct avtab_node* node = get_avtab_node(db, &key, NULL); struct avtab_node *node = get_avtab_node(db, &key, NULL);
node->datum.u.data = def->value; node->datum.u.data = def->value;
return true; return true;
} }
bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o) { bool add_filename_trans(const char *s, const char *t, const char *c,
return false; const char *d, const char *o)
{
return false;
} }
bool add_genfscon(const char *fs_name, const char *path, const char *context) { bool add_genfscon(const char *fs_name, const char *path, const char *context)
return false; {
return false;
} }
bool add_type(struct policydb* db, const char *type_name, bool attr) { bool add_type(struct policydb *db, const char *type_name, bool attr)
return false; {
return false;
} }
bool set_type_state(struct policydb* db, const char *type_name, bool permissive) { bool set_type_state(struct policydb *db, const char *type_name, bool permissive)
struct type_datum *type; {
if (type_name == NULL) { struct type_datum *type;
struct hashtab_node* node; if (type_name == NULL) {
hashtab_for_each(db->p_types.table, node) { struct hashtab_node *node;
type = (struct type_datum *)(node->datum); hashtab_for_each(db->p_types.table, node)
if (ebitmap_set_bit(&db->permissive_map, type->value, permissive)) {
pr_info("Could not set bit in permissive map\n"); type = (struct type_datum *)(node->datum);
}; if (ebitmap_set_bit(&db->permissive_map, type->value,
} else { permissive))
type = (struct type_datum *) symtab_search(&db->p_types, type_name); pr_info("Could not set bit in permissive map\n");
if (type == NULL) { };
pr_info("type %s does not exist\n", type_name); } else {
return false; type = (struct type_datum *)symtab_search(&db->p_types,
} type_name);
if (ebitmap_set_bit(&db->permissive_map, type->value, permissive)) { if (type == NULL) {
pr_info("Could not set bit in permissive map\n"); pr_info("type %s does not exist\n", type_name);
return false; return false;
} }
} if (ebitmap_set_bit(&db->permissive_map, type->value,
return true; permissive)) {
pr_info("Could not set bit in permissive map\n");
return false;
}
}
return true;
} }
void add_typeattribute_raw(struct policydb* db, struct type_datum *type, struct type_datum *attr) { void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
ebitmap_set_bit(&db->type_attr_map_array[type->value - 1], attr->value - 1, 1); struct type_datum *attr)
{
ebitmap_set_bit(&db->type_attr_map_array[type->value - 1],
attr->value - 1, 1);
struct hashtab_node* node; struct hashtab_node *node;
struct constraint_node* n; struct constraint_node *n;
struct constraint_expr* e; struct constraint_expr *e;
hashtab_for_each(db->p_classes.table, node) { hashtab_for_each(db->p_classes.table, node)
struct class_datum* cls = (struct class_datum*)(node->datum); {
for (n = cls->constraints; n ; n = n->next) { struct class_datum *cls = (struct class_datum *)(node->datum);
for (e = n->expr; e; e = e->next) { for (n = cls->constraints; n; n = n->next) {
if (e->expr_type == CEXPR_NAMES && for (e = n->expr; e; e = e->next) {
ebitmap_get_bit(&e->type_names->types, attr->value - 1)) { if (e->expr_type == CEXPR_NAMES &&
ebitmap_set_bit(&e->names, type->value - 1, 1); ebitmap_get_bit(&e->type_names->types,
} attr->value - 1)) {
} ebitmap_set_bit(&e->names,
} type->value - 1, 1);
}; }
}
}
};
} }
bool add_typeattribute(struct policydb* db, const char *type, const char *attr) { bool add_typeattribute(struct policydb *db, const char *type, const char *attr)
struct type_datum *type_d = symtab_search(&db->p_types, type); {
if (type_d == NULL) { struct type_datum *type_d = symtab_search(&db->p_types, type);
pr_info("type %s does not exist\n", type); if (type_d == NULL) {
return false; pr_info("type %s does not exist\n", type);
} else if (type_d->attribute) { return false;
pr_info("type %s is an attribute\n", attr); } else if (type_d->attribute) {
return false; pr_info("type %s is an attribute\n", attr);
} return false;
}
struct type_datum *attr_d = symtab_search(&db->p_types, attr); struct type_datum *attr_d = symtab_search(&db->p_types, attr);
if (attr_d == NULL) { if (attr_d == NULL) {
pr_info("attribute %s does not exist\n", type); pr_info("attribute %s does not exist\n", type);
return false; return false;
} else if (!attr_d->attribute) { } else if (!attr_d->attribute) {
pr_info("type %s is not an attribute \n", attr); pr_info("type %s is not an attribute \n", attr);
return false; return false;
} }
add_typeattribute_raw(db, type_d, attr_d); add_typeattribute_raw(db, type_d, attr_d);
return true; return true;
} }
// Operation on types // Operation on types
bool type(struct policydb* db, const char* name, const char* attr) { bool type(struct policydb *db, const char *name, const char *attr)
return add_type(db, name, false) && add_typeattribute(db, name, attr); {
return add_type(db, name, false) && add_typeattribute(db, name, attr);
} }
bool attribute(struct policydb* db, const char* name) { bool attribute(struct policydb *db, const char *name)
return add_type(db, name, true); {
return add_type(db, name, true);
} }
bool permissive(struct policydb* db, const char* type) { bool permissive(struct policydb *db, const char *type)
return set_type_state(db, type, true); {
return set_type_state(db, type, true);
} }
bool enforce(struct policydb* db, const char* type) { bool enforce(struct policydb *db, const char *type)
return set_type_state(db, type, false); {
return set_type_state(db, type, false);
} }
bool typeattribute(struct policydb* db, const char* type, const char* attr) { bool typeattribute(struct policydb *db, const char *type, const char *attr)
return add_typeattribute(db, type, attr); {
return add_typeattribute(db, type, attr);
} }
bool exists(struct policydb* db, const char* type) { bool exists(struct policydb *db, const char *type)
return symtab_search(&db->p_types, type) != NULL; {
return symtab_search(&db->p_types, type) != NULL;
} }
// Access vector rules // Access vector rules
bool allow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm) { bool allow(struct policydb *db, const char *src, const char *tgt,
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, false); const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, false);
} }
bool deny(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm) { bool deny(struct policydb *db, const char *src, const char *tgt,
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, true); const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, true);
} }
bool auditallow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm) { bool auditallow(struct policydb *db, const char *src, const char *tgt,
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITALLOW, false); const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITALLOW, false);
} }
bool dontaudit(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm) { bool dontaudit(struct policydb *db, const char *src, const char *tgt,
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITDENY, true); const char *cls, const char *perm)
{
return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITDENY, true);
} }
// Extended permissions access vector rules // Extended permissions access vector rules
bool allowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range) { bool allowxperm(struct policydb *db, const char *src, const char *tgt,
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_ALLOWED, false); const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_ALLOWED,
false);
} }
bool auditallowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range) { bool auditallowxperm(struct policydb *db, const char *src, const char *tgt,
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_AUDITALLOW, false); const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_AUDITALLOW,
false);
} }
bool dontauditxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range) { bool dontauditxperm(struct policydb *db, const char *src, const char *tgt,
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_DONTAUDIT, false); const char *cls, const char *range)
{
return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_DONTAUDIT,
false);
} }
// Type rules // Type rules
bool type_transition(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def, const char* obj) { bool type_transition(struct policydb *db, const char *src, const char *tgt,
return false; const char *cls, const char *def, const char *obj)
{
return false;
} }
bool type_change(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def) { bool type_change(struct policydb *db, const char *src, const char *tgt,
return false; const char *cls, const char *def)
{
return false;
} }
bool type_member(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def) { bool type_member(struct policydb *db, const char *src, const char *tgt,
return false; const char *cls, const char *def)
{
return false;
} }
// File system labeling // File system labeling
bool genfscon(struct policydb* db, const char* fs_name, const char* path, const char* ctx) { bool genfscon(struct policydb *db, const char *fs_name, const char *path,
return false; const char *ctx)
{
return false;
} }

157
kernel/sucompat.c
View File

@@ -14,7 +14,7 @@
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
#include <linux/fdtable.h> #include <linux/fdtable.h>
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/fs_struct.h> #include <linux/fs_struct.h>
#include <linux/namei.h> #include <linux/namei.h>
@@ -28,124 +28,131 @@
extern void escape_to_root(); extern void escape_to_root();
static void __user *userspace_stack_buffer(const void *d, size_t len) { static void __user *userspace_stack_buffer(const void *d, size_t len)
{
/* To avoid having to mmap a page in userspace, just write below the stack pointer. */ /* To avoid having to mmap a page in userspace, just write below the stack pointer. */
char __user *p = (void __user *)current_user_stack_pointer() - len; char __user *p = (void __user *)current_user_stack_pointer() - len;
return copy_to_user(p, d, len) ? NULL : p; return copy_to_user(p, d, len) ? NULL : p;
} }
static char __user *sh_user_path(void) { static char __user *sh_user_path(void)
{
static const char sh_path[] = "/system/bin/sh"; static const char sh_path[] = "/system/bin/sh";
return userspace_stack_buffer(sh_path, sizeof(sh_path)); return userspace_stack_buffer(sh_path, sizeof(sh_path));
} }
static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs) { static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
struct filename* filename; {
const char su[] = SU_PATH; struct filename *filename;
const char su[] = SU_PATH;
if (!ksu_is_allow_uid(current_uid().val)) { if (!ksu_is_allow_uid(current_uid().val)) {
return 0; return 0;
} }
filename = getname(PT_REGS_PARM2(regs)); filename = getname(PT_REGS_PARM2(regs));
if (IS_ERR(filename)) { if (IS_ERR(filename)) {
return 0; return 0;
} }
if (!memcmp(filename->name, su, sizeof(su))) { if (!memcmp(filename->name, su, sizeof(su))) {
pr_info("faccessat su->sh!\n"); pr_info("faccessat su->sh!\n");
PT_REGS_PARM2(regs) = sh_user_path(); PT_REGS_PARM2(regs) = sh_user_path();
} }
putname(filename); putname(filename);
return 0; return 0;
} }
static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs) { static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
// const char sh[] = SH_PATH; {
struct filename* filename; // const char sh[] = SH_PATH;
const char su[] = SU_PATH; struct filename *filename;
const char su[] = SU_PATH;
if (!ksu_is_allow_uid(current_uid().val)) { if (!ksu_is_allow_uid(current_uid().val)) {
return 0; return 0;
} }
filename = getname(PT_REGS_PARM2(regs)); filename = getname(PT_REGS_PARM2(regs));
if (IS_ERR(filename)) { if (IS_ERR(filename)) {
return 0; return 0;
} }
if (!memcmp(filename->name, su, sizeof(su))) { if (!memcmp(filename->name, su, sizeof(su))) {
pr_info("newfstatat su->sh!\n"); pr_info("newfstatat su->sh!\n");
PT_REGS_PARM2(regs) = sh_user_path(); PT_REGS_PARM2(regs) = sh_user_path();
} }
putname(filename); putname(filename);
return 0; return 0;
} }
// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864 // https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs) { static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
struct filename* filename; {
const char sh[] = SH_PATH; struct filename *filename;
const char su[] = SU_PATH; const char sh[] = SH_PATH;
const char su[] = SU_PATH;
static const char app_process[] = "/system/bin/app_process"; static const char app_process[] = "/system/bin/app_process";
static bool first_app_process = true; static bool first_app_process = true;
filename = PT_REGS_PARM2(regs); filename = PT_REGS_PARM2(regs);
if (IS_ERR(filename)) { if (IS_ERR(filename)) {
return 0; return 0;
} }
if (first_app_process && !memcmp(filename->name, app_process, sizeof(app_process) - 1)) { if (first_app_process &&
first_app_process = false; !memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
pr_info("exec app_process, /data prepared!\n"); first_app_process = false;
apply_kernelsu_rules(); pr_info("exec app_process, /data prepared!\n");
ksu_load_allow_list(); apply_kernelsu_rules();
} ksu_load_allow_list();
}
if (!ksu_is_allow_uid(current_uid().val)) { if (!ksu_is_allow_uid(current_uid().val)) {
return 0; return 0;
} }
if (!memcmp(filename->name, su, sizeof(su))) { if (!memcmp(filename->name, su, sizeof(su))) {
pr_info("do_execveat_common su found\n"); pr_info("do_execveat_common su found\n");
memcpy((void*) filename->name, sh, sizeof(sh)); memcpy((void *)filename->name, sh, sizeof(sh));
escape_to_root(); escape_to_root();
} }
return 0; return 0;
} }
static struct kprobe faccessat_kp = { static struct kprobe faccessat_kp = {
.symbol_name = "do_faccessat", .symbol_name = "do_faccessat",
.pre_handler = faccessat_handler_pre, .pre_handler = faccessat_handler_pre,
}; };
static struct kprobe newfstatat_kp = { static struct kprobe newfstatat_kp = {
.symbol_name = "vfs_statx", .symbol_name = "vfs_statx",
.pre_handler = newfstatat_handler_pre, .pre_handler = newfstatat_handler_pre,
}; };
static struct kprobe execve_kp = { static struct kprobe execve_kp = {
.symbol_name = "do_execveat_common", .symbol_name = "do_execveat_common",
.pre_handler = execve_handler_pre, .pre_handler = execve_handler_pre,
}; };
// sucompat: permited process can execute 'su' to gain root access. // sucompat: permited process can execute 'su' to gain root access.
void enable_sucompat() { void enable_sucompat()
int ret; {
int ret;
ret = register_kprobe(&execve_kp); ret = register_kprobe(&execve_kp);
pr_info("execve_kp: %d\n", ret); pr_info("execve_kp: %d\n", ret);
ret = register_kprobe(&newfstatat_kp); ret = register_kprobe(&newfstatat_kp);
pr_info("newfstatat_kp: %d\n", ret); pr_info("newfstatat_kp: %d\n", ret);
ret = register_kprobe(&faccessat_kp); ret = register_kprobe(&faccessat_kp);
pr_info("faccessat_kp: %d\n", ret); pr_info("faccessat_kp: %d\n", ret);
} }