kernel: core_hook: intercept devpts via security_inode_permission LSM

`ksu handles devpts with selinux lsm hook` - aviraxp - no, not yet, but yes we can, thats a good idea. This change tries to do that, so instead of hooking pts_unix98_lookup or devpts_get_priv, we just watch security_inode_permission, if its devpts, pass it along to the original handler. EDIT: define devpts super magic if its undefined - yeah I aint gonna include a conditional include of a header just for this - while we can just fully remove the macro and inline, readability loss is bad Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-09-22 23:54:51 +08:00
parent de92cc4bad
commit b4bdd17e4e
2 changed files with 29 additions and 9 deletions
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -143,7 +143,13 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 	return 0;
 }

+// dummified
 int ksu_handle_devpts(struct inode *inode)
+{
+	return 0;
+}
+
+int __ksu_handle_devpts(struct inode *inode)
 {
 #ifndef CONFIG_KSU_KPROBES_HOOK
 	if (!ksu_sucompat_hook_state)
@@ -160,20 +166,17 @@ int ksu_handle_devpts(struct inode *inode)
 		return 0;
 	}

-	if (!ksu_is_allow_uid(uid))
+	if (likely(!ksu_is_allow_uid(uid)))
 		return 0;

-	if (ksu_devpts_sid) {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) || defined(KSU_OPTIONAL_SELINUX_INODE)
 		struct inode_security_struct *sec = selinux_inode(inode);
 #else
 		struct inode_security_struct *sec =
 			(struct inode_security_struct *)inode->i_security;
 #endif
-		if (sec) {
-			sec->sid = ksu_devpts_sid;
-		}
-	}
+	if (ksu_devpts_sid && sec)
+		sec->sid = ksu_devpts_sid;

 	return 0;
 }