From c0066b68f54ce1704bbbb15c58c747bd94aafd00 Mon Sep 17 00:00:00 2001
From: 4qwerty7 <4qwerty7@163.com>
Date: Sun, 2 Jul 2023 00:20:01 +0800
Subject: [PATCH] kernel: support the case that init_task.mnt_ns != zygote.mnt_ns(WSA) (#698)

Basic support for the case that init_task.mnt_ns != zygote.mnt_ns(WSA), just copy nsproxy and fs pointers for solve #276. Note the copy in `apk_sign.c` is not required but suggested for secure(ensure the checked mnt_ns is what ns android running, not created by user, although many distributions does not have user ns.). Tested with latest release on Win10 19045.3086(with WSAPatch).

Further review required for:
- [x] Security of this operation (without locking).
- [x] The impact of these modifications on other Android distributions.
---
 kernel/allowlist.c | 10 ++---
 kernel/apk_sign.c | 2 +-
 kernel/kernel_compat.c | 84 ++++++++++++++++++++++++++++++++++++++++++
 kernel/kernel_compat.h | 33 ++--------------
 kernel/ksud.c | 2 +
 kernel/uid_observer.c | 3 +-
 6 files changed, 96 insertions(+), 38 deletions(-)

diff --git a/kernel/allowlist.c b/kernel/allowlist.c
index fc0003b0..f950c335 100644
--- a/kernel/allowlist.c
+++ b/kernel/allowlist.c
@@ -349,10 +349,9 @@ void do_save_allow_list(struct work_struct *work)
 struct perm_data *p = NULL;
 struct list_head *pos = NULL;
 loff_t off = 0;
- KWORKER_INSTALL_KEYRING();
- struct file *fp =
- filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
+ struct file *fp =
+ ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 if (IS_ERR(fp)) {
 pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
 return;
@@ -392,15 +391,14 @@ void do_load_allow_list(struct work_struct *work)
 struct file *fp = NULL;
 u32 magic;
 u32 version;
- KWORKER_INSTALL_KEYRING();
 #ifdef CONFIG_KSU_DEBUG
 // always allow adb shell by default
 ksu_grant_root_to_shell();
 #endif
- // load allowlist now!
- fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
+ // load allowlist now!
+ fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
 if (IS_ERR(fp)) {
 pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
 return;
diff --git a/kernel/apk_sign.c b/kernel/apk_sign.c
index 04c0a36a..3a901e97 100644
--- a/kernel/apk_sign.c
+++ b/kernel/apk_sign.c
@@ -16,7 +16,7 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 int sign = -1;
 int i;
- struct file *fp = filp_open(path, O_RDONLY, 0);
+ struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
 if (IS_ERR(fp)) {
 pr_err("open %s error.", path);
 return PTR_ERR(fp);
diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c
index 591c31db..a7c3cfe9 100644
--- a/kernel/kernel_compat.c
+++ b/kernel/kernel_compat.c
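Review bot: This call site deserves a comment saying that the namespace switch inside `ksu_filp_open_compat()` is deliberate for a non-kworker caller, because unlike the allowlist and uid_observer sites this one runs in the context of whatever task triggered the signature check, and the wrapper swaps that task's `current->nsproxy` and `current->fs` for the duration of `filp_open()`. The commit message calls this copy optional, so without a note the next reader will likely revert it to plain `filp_open()`; something like `// open in the Android mnt_ns so a caller-created namespace cannot redirect the signature check` above the `fp` line would keep the intent. check_v2_signature's body continues outside the hunk.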
@@ -1,10 +1,94 @@
 #include "linux/version.h"
 #include "linux/fs.h"
+#include "linux/nsproxy.h"
+#include "klog.h"
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
 #include "linux/key.h"
 #include "linux/errno.h"
 struct key *init_session_keyring = NULL;
+
+static inline int install_session_keyring(struct key *keyring)
+{
+ struct cred *new;
+ int ret;
+
+ new = prepare_creds();
+ if (!new)
+ return -ENOMEM;
+
+ ret = install_session_keyring_to_cred(new, keyring);
+ if (ret < 0) {
+ abort_creds(new);
+ return ret;
+ }
+
+ return commit_creds(new);
+}
 #endif
+
+// mnt_ns context switch for environment that android_init->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns, such as WSA
+struct ksu_ns_fs_saved {
+ struct nsproxy *ns;
+ struct fs_struct *fs;
+};
+
+static void ksu_save_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved) {
+ ns_fs_saved->ns = current->nsproxy;
+ ns_fs_saved->fs = current->fs;
+}
+
+static void ksu_load_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved) {
+ current->nsproxy = ns_fs_saved->ns;
+ current->fs = ns_fs_saved->fs;
+}
+
+static bool android_context_saved_checked = false;
+static bool android_context_saved_enabled = false;
+static struct ksu_ns_fs_saved android_context_saved;
+
+void ksu_android_ns_fs_check() {
+ if (android_context_saved_checked) return;
+ android_context_saved_checked = true;
+ task_lock(current);
+ if (current->nsproxy && current->fs && current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns) {
+ android_context_saved_enabled = true;
+ pr_info("android contex saved enabled due to init mnt_ns(%p) != android mnt_ns(%p)\n", current->nsproxy->mnt_ns, init_task.nsproxy->mnt_ns);
+ ksu_save_ns_fs(&android_context_saved);
+ } else {
+ pr_info("android contex saved disabled\n");
+ }
+ task_unlock(current);
+}
+
+struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode){
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+ static bool keyring_installed = false;
+ if (init_session_keyring != NULL && !keyring_installed && (current->flags & PF_WQ_WORKER))
+ {
+ pr_info("installing init session keyring for older kernel\n");
+ install_session_keyring(init_session_keyring);
+ keyring_installed = true;
+ }
+#endif
+ // switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
+ struct ksu_ns_fs_saved saved;
+ if (android_context_saved_enabled) {
+ pr_info("start switch current nsproxy and fs to android context\n");
+ task_lock(current);
+ ksu_save_ns_fs(&saved);
+ ksu_load_ns_fs(&android_context_saved);
+ task_unlock(current);
+ }
+ struct file *fp = filp_open(filename, flags, mode);
+ if (android_context_saved_enabled) {
+ task_lock(current);
+ ksu_load_ns_fs(&saved);
+ task_unlock(current);
+ pr_info("switch current nsproxy and fs back to saved successfully\n");
+ }
+ return fp;
+}
+
 ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos){
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
 return kernel_read(p, buf, count, pos);
diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h
index 3216f75d..8e1df0ad 100644
--- a/kernel/kernel_compat.h
+++ b/kernel/kernel_compat.h
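Review bot: `ksu_save_ns_fs()` copies the raw `current->nsproxy` and `current->fs` pointers into the static `android_context_saved` without taking a reference, so if the task that ran `ksu_android_ns_fs_check()` later replaces or releases them (exit, `unshare`/`setns`), every later `ksu_filp_open_compat()` installs dangling pointers into `current`; `task_lock()` only serialises the field swap, it does not keep the objects alive. Pin both objects when the snapshot is taken, as in the excerpt below, accepting that this keeps that mount namespace and fs_struct alive for the rest of the kernel's lifetime. On kernels before 4.10 the single `static bool keyring_installed` in `ksu_filp_open_compat()` is set by the first kworker thread that reaches it, so a different kworker thread servicing a later work item finds the flag already true and never gets the session keyring (the removed per-call-site macro had the same flaw; it is now merely shared by every caller), whereas a per-task test such as `current->cred->session_keyring == init_session_keyring` would not. `ksu_android_ns_fs_check()` here, and its prototype in the kernel_compat.h hunk, is declared with `()` rather than `(void)`; write `void ksu_android_ns_fs_check(void)`. The `%p` arguments in its `pr_info` print unhashed kernel addresses on kernels older than 4.15, and the two `pr_info` lines in `ksu_filp_open_compat()` fire on every open once the switch is enabled; log only the enabled/disabled decision and make the per-open messages `pr_debug`.

```c
void ksu_android_ns_fs_check(void) {
	/* … unchanged: once-only guard, task_lock(current), mnt_ns comparison … */
		android_context_saved_enabled = true;
		/* Hold a reference on both objects: android_context_saved keeps
		 * these raw pointers for the rest of the kernel's lifetime. */
		get_nsproxy(current->nsproxy);
		spin_lock(&current->fs->lock);
		current->fs->users++;
		spin_unlock(&current->fs->lock);
		ksu_save_ns_fs(&android_context_saved);
	/* … unchanged: enabled/disabled logging, else branch, task_unlock(current) … */
}
```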
@@ -14,38 +14,13 @@
 #define ksu_strncpy_from_user_nofault strncpy_from_user
 #endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
 extern struct key *init_session_keyring;
+#endif
+extern void ksu_android_ns_fs_check();
+extern struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode);
 extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos);
 extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos);
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-static inline int install_session_keyring(struct key *keyring)
-{
- struct cred *new;
- int ret;
-
- new = prepare_creds();
- if (!new)
- return -ENOMEM;
-
- ret = install_session_keyring_to_cred(new, keyring);
- if (ret < 0) {
- abort_creds(new);
- return ret;
- }
-
- return commit_creds(new);
-}
-#define KWORKER_INSTALL_KEYRING() \
- static bool keyring_installed = false; \
- if (init_session_keyring != NULL && !keyring_installed) \
- { \
- install_session_keyring(init_session_keyring); \
- keyring_installed = true; \
- }
-#else
-#define KWORKER_INSTALL_KEYRING()
-#endif
-
 #endif
diff --git a/kernel/ksud.c b/kernel/ksud.c
index 42d0a1cd..faa458fb 100644
--- a/kernel/ksud.c
+++ b/kernel/ksud.c
@@ -178,6 +178,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 pr_info("/system/bin/init second_stage executed\n");
 apply_kernelsu_rules();
 init_second_stage_executed = true;
+ ksu_android_ns_fs_check();
 }
 } else {
 pr_err("/system/bin/init parse args err!\n");
@@ -194,6 +195,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 // 2: /system/bin/init second_stage
 pr_info("/system/bin/init second_stage executed\n");
 apply_kernelsu_rules();
+ ksu_android_ns_fs_check();
 }
 #endif
 }
diff --git a/kernel/uid_observer.c b/kernel/uid_observer.c
index d8269c49..b12eff11 100644
--- a/kernel/uid_observer.c
+++ b/kernel/uid_observer.c
@@ -39,8 +39,7 @@ static bool is_uid_exist(uid_t uid, void *data)
 static void do_update_uid(struct work_struct *work)
 {
- KWORKER_INSTALL_KEYRING();
- struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+ struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
 if (IS_ERR(fp)) {
 pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH " failed: %d\n",