diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c index 1bbe04fd..1bfd43fb 100644 --- a/kernel/throne_tracker.c +++ b/kernel/throne_tracker.c @@ -20,7 +20,7 @@ uid_t ksu_manager_uid = KSU_INVALID_UID; #define USER_DATA_BASE_PATH "/data/user_de" #define MAX_SUPPORTED_USERS 32 // Supports up to 32 users -#define USER_DATA_PATH_LEN 384 // 384 is enough for /data/user_de/{userid}/ +#define DATA_PATH_LEN 384 // 384 is enough for /data/app//base.apk and /data/user_de/{userid}/ struct uid_data { struct list_head list; @@ -28,13 +28,59 @@ struct uid_data { char package[KSU_MAX_PACKAGE_NAME]; }; -struct user_scan_context { +struct user_scan_ctx { struct list_head *uid_list; uid_t user_id; - size_t packages_found; - size_t errors_count; + size_t pkg_count; + size_t error_count; }; +struct user_dir_ctx { + struct dir_context ctx; + struct user_scan_ctx *scan_ctx; +}; + +struct user_id_ctx { + struct dir_context ctx; + uid_t *user_ids; + size_t count; + size_t max_count; +}; + +struct data_path { + char dirpath[DATA_PATH_LEN]; + int depth; + struct list_head list; +}; + +struct apk_path_hash { + unsigned int hash; + bool exists; + struct list_head list; +}; + +static struct list_head apk_path_hash_list; + +struct my_dir_context { + struct dir_context ctx; + struct list_head *data_path_list; + char *parent_dir; + void *private_data; + int depth; + int *stop; +}; +// https://docs.kernel.org/filesystems/porting.html +// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted. +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) +#define FILLDIR_RETURN_TYPE bool +#define FILLDIR_ACTOR_CONTINUE true +#define FILLDIR_ACTOR_STOP false +#else +#define FILLDIR_RETURN_TYPE int +#define FILLDIR_ACTOR_CONTINUE 0 +#define FILLDIR_ACTOR_STOP -EINVAL +#endif + static int get_pkg_from_apk_path(char *pkg, const char *path) { int len = strlen(path); @@ -74,7 +120,8 @@ static int get_pkg_from_apk_path(char *pkg, const char *path) return 0; } -static void crown_manager(const char *apk, struct list_head *uid_data, int signature_index) +static void crown_manager(const char *apk, struct list_head *uid_data, + int signature_index) { char pkg[KSU_MAX_PACKAGE_NAME]; if (get_pkg_from_apk_path(pkg, apk) < 0) { @@ -95,14 +142,15 @@ static void crown_manager(const char *apk, struct list_head *uid_data, int signa struct list_head *list = (struct list_head *)uid_data; struct uid_data *np; - list_for_each_entry (np, list, list) { + list_for_each_entry(np, list, list) { if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) { - pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n", pkg, np->uid, signature_index); - + pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n", + pkg, np->uid, signature_index); + // Dynamic Sign index (1) or multi-manager signatures (2+) if (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2) { ksu_add_manager(np->uid, signature_index); - + if (!ksu_is_manager_uid_valid()) { ksu_set_manager_uid(np->uid); } @@ -114,162 +162,101 @@ static void crown_manager(const char *apk, struct list_head *uid_data, int signa } } -#define DATA_PATH_LEN 384 // 384 is enough for /data/app//base.apk - -struct data_path { - char dirpath[DATA_PATH_LEN]; - int depth; - struct list_head list; -}; - -struct apk_path_hash { - unsigned int hash; - bool exists; - struct list_head list; -}; - -static struct list_head apk_path_hash_list = LIST_HEAD_INIT(apk_path_hash_list); - -struct my_dir_context { - struct dir_context ctx; - struct list_head *data_path_list; - char *parent_dir; - void *private_data; - int depth; - int *stop; -}; -// https://docs.kernel.org/filesystems/porting.html -// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted. -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) -#define FILLDIR_RETURN_TYPE bool -#define FILLDIR_ACTOR_CONTINUE true -#define FILLDIR_ACTOR_STOP false -#else -#define FILLDIR_RETURN_TYPE int -#define FILLDIR_ACTOR_CONTINUE 0 -#define FILLDIR_ACTOR_STOP -EINVAL -#endif - -struct uid_scan_stats { - size_t total_found; - size_t errors_encountered; -}; - -struct user_data_context { - struct dir_context ctx; - struct user_scan_context *scan_ctx; -}; - -struct user_de_context { - struct dir_context ctx; - uid_t *user_ids; - size_t count; - size_t max_users; -}; - -// Actor function to collect user IDs from /data/user_de -FILLDIR_RETURN_TYPE user_de_actor(struct dir_context *ctx, const char *name, - int namelen, loff_t off, u64 ino, - unsigned int d_type) +FILLDIR_RETURN_TYPE collect_user_ids(struct dir_context *ctx, const char *name, + int namelen, loff_t off, u64 ino, unsigned int d_type) { - struct user_de_context *data = container_of(ctx, struct user_de_context, ctx); + struct user_id_ctx *uctx = container_of(ctx, struct user_id_ctx, ctx); - if (d_type != DT_DIR) - return FILLDIR_ACTOR_CONTINUE; + // Skip non-directories and dot entries + if (d_type != DT_DIR || namelen <= 0) + return FILLDIR_ACTOR_CONTINUE; + if (name[0] == '.' && (namelen == 1 || (namelen == 2 && name[1] == '.'))) + return FILLDIR_ACTOR_CONTINUE;; - if (strncmp(name, ".", namelen) == 0 || strncmp(name, "..", namelen) == 0) - return FILLDIR_ACTOR_CONTINUE; - - uid_t uid = 0; - for (int i = 0; i < namelen; i++) { - if (name[i] < '0' || name[i] > '9') - return FILLDIR_ACTOR_CONTINUE; - uid = uid * 10 + (name[i] - '0'); - } - - if (data->count >= data->max_users) - return FILLDIR_ACTOR_STOP; - - data->user_ids[data->count++] = uid; - return FILLDIR_ACTOR_CONTINUE; -} - -// Retrieve a list of all active Android user IDs in the system -static int get_active_user_ids(uid_t *user_ids, size_t max_users, size_t *found_users) -{ - struct file *dir_file; - int ret = 0; - - *found_users = 0; - - dir_file = ksu_filp_open_compat(USER_DATA_BASE_PATH, O_RDONLY, 0); - if (IS_ERR(dir_file)) { - pr_err("Failed to open user data path %s: %ld\n", - USER_DATA_BASE_PATH, PTR_ERR(dir_file)); - return PTR_ERR(dir_file); - } - - struct { - struct dir_context ctx; - uid_t *user_ids; - size_t count; - size_t max_users; - } ctx = { - .ctx.actor = user_de_actor, - .user_ids = user_ids, - .count = 0, - .max_users = max_users - }; - - ret = iterate_dir(dir_file, &ctx.ctx); - filp_close(dir_file, NULL); - - *found_users = ctx.count; - - if (ctx.count > 0) - pr_info("UserDE UID: Found %zu active users\n", ctx.count); - - return ret; -} - -FILLDIR_RETURN_TYPE user_data_actor(struct dir_context *ctx, const char *name, - int namelen, loff_t off, u64 ino, - unsigned int d_type) -{ - struct user_data_context *my_ctx = - container_of(ctx, struct user_data_context, ctx); - - if (!my_ctx || !my_ctx->scan_ctx || !my_ctx->scan_ctx->uid_list) { - return FILLDIR_ACTOR_STOP; + // Parse numeric user ID + uid_t uid = 0; + for (int i = 0; i < namelen; i++) { + if (name[i] < '0' || name[i] > '9') + return FILLDIR_ACTOR_CONTINUE; // Skip non-numeric entries + uid = uid * 10 + (name[i] - '0'); } - struct user_scan_context *scan_ctx = my_ctx->scan_ctx; + // Store user ID if space available + if (uctx->count >= uctx->max_count) + return FILLDIR_ACTOR_STOP; - if (!strncmp(name, "..", namelen) || !strncmp(name, ".", namelen)) - return FILLDIR_ACTOR_CONTINUE; - - if (d_type != DT_DIR) + uctx->user_ids[uctx->count++] = uid; + return FILLDIR_ACTOR_CONTINUE; +} + +// Get all active Android user IDs +static int get_active_user_ids(uid_t *user_ids, size_t max_users, size_t *found_count) +{ + struct file *dir_file; + int ret; + + *found_count = 0; + + dir_file = ksu_filp_open_compat(USER_DATA_BASE_PATH, O_RDONLY, 0); + if (IS_ERR(dir_file)) { + pr_err("Cannot open %s: %ld\n", USER_DATA_BASE_PATH, PTR_ERR(dir_file)); + return PTR_ERR(dir_file); + } + + struct user_id_ctx uctx = { + .ctx.actor = collect_user_ids, + .user_ids = user_ids, + .count = 0, + .max_count = max_users + }; + + ret = iterate_dir(dir_file, &uctx.ctx); + filp_close(dir_file, NULL); + + *found_count = uctx.count; + if (uctx.count > 0) + pr_info("Found %zu active users\n", uctx.count); + + return ret; +} + +FILLDIR_RETURN_TYPE scan_user_packages(struct dir_context *ctx, const char *name, + int namelen, loff_t off, u64 ino, unsigned int d_type) +{ + struct user_dir_ctx *uctx = container_of(ctx, struct user_dir_ctx, ctx); + struct user_scan_ctx *scan_ctx = uctx->scan_ctx; + + // Validate context and skip dot entries + if (!scan_ctx || !scan_ctx->uid_list) + return FILLDIR_ACTOR_STOP; + if (d_type != DT_DIR || namelen <= 0) + return FILLDIR_ACTOR_CONTINUE; + if (name[0] == '.' && (namelen == 1 || (namelen == 2 && name[1] == '.'))) return FILLDIR_ACTOR_CONTINUE; + // Check package name length if (namelen >= KSU_MAX_PACKAGE_NAME) { pr_warn("Package name too long: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); - scan_ctx->errors_count++; + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } - char package_path[USER_DATA_PATH_LEN]; - if (snprintf(package_path, sizeof(package_path), "%s/%u/%.*s", - USER_DATA_BASE_PATH, scan_ctx->user_id, namelen, name) >= sizeof(package_path)) { - pr_err("Path too long for package: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); - scan_ctx->errors_count++; + // Build package path + char pkg_path[DATA_PATH_LEN]; + int path_len = snprintf(pkg_path, sizeof(pkg_path), "%s/%u/%.*s", + USER_DATA_BASE_PATH, scan_ctx->user_id, namelen, name); + if (path_len >= sizeof(pkg_path)) { + pr_err("Path too long for: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } + // Get package path attributes struct path path; - int err = kern_path(package_path, LOOKUP_FOLLOW, &path); + int err = kern_path(pkg_path, LOOKUP_FOLLOW, &path); if (err) { - pr_debug("Package path lookup failed: %s (err: %d)\n", package_path, err); - scan_ctx->errors_count++; + pr_debug("Path lookup failed: %s (%d)\n", pkg_path, err); + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } @@ -291,81 +278,79 @@ basically no mask and flags for =< 4.10 err = vfs_getattr(&path, &stat); #endif path_put(&path); - + if (err) { - pr_debug("Failed to get attributes for: %s (err: %d)\n", package_path, err); - scan_ctx->errors_count++; + pr_debug("Failed to get attributes: %s (%d)\n", pkg_path, err); + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } + // Extract UID and validate uid_t uid = from_kuid(&init_user_ns, stat.uid); if (uid == (uid_t)-1) { - pr_warn("Invalid UID for package: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); - scan_ctx->errors_count++; + pr_warn("Invalid UID for: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } - struct uid_data *data = kzalloc(sizeof(struct uid_data), GFP_KERNEL); - if (!data) { - pr_err("Failed to allocate memory for package: %.*s (user %u)\n", namelen, name, scan_ctx->user_id); - scan_ctx->errors_count++; + // Allocate and populate UID data entry + struct uid_data *uid_entry = kzalloc(sizeof(struct uid_data), GFP_KERNEL); + if (!uid_entry) { + pr_err("Memory allocation failed for: %.*s\n", namelen, name); + scan_ctx->error_count++; return FILLDIR_ACTOR_CONTINUE; } - data->uid = uid; + uid_entry->uid = uid; size_t copy_len = min_t(size_t, namelen, KSU_MAX_PACKAGE_NAME - 1); - strncpy(data->package, name, copy_len); - data->package[copy_len] = '\0'; - - list_add_tail(&data->list, scan_ctx->uid_list); - scan_ctx->packages_found++; - - pr_info("UserDE UID: Found package: %s, uid: %u (user %u)\n", - data->package, data->uid, scan_ctx->user_id); - + strncpy(uid_entry->package, name, copy_len); + uid_entry->package[copy_len] = '\0'; + + list_add_tail(&uid_entry->list, scan_ctx->uid_list); + scan_ctx->pkg_count++; + + pr_info("Package: %s, UID: %u (user %u)\n", uid_entry->package, uid, scan_ctx->user_id); return FILLDIR_ACTOR_CONTINUE; } -static int scan_user_data_for_user(uid_t user_id, struct list_head *uid_list, - size_t *packages_found, size_t *errors_count) +static int scan_user_directory(uid_t user_id, struct list_head *uid_list, + size_t *pkg_count, size_t *error_count) { + char user_path[DATA_PATH_LEN]; struct file *dir_file; - char user_path[USER_DATA_PATH_LEN]; - int ret = 0; - - *packages_found = 0; - *errors_count = 0; - + int ret; + + *pkg_count = *error_count = 0; + snprintf(user_path, sizeof(user_path), "%s/%u", USER_DATA_BASE_PATH, user_id); - + dir_file = ksu_filp_open_compat(user_path, O_RDONLY, 0); if (IS_ERR(dir_file)) { - pr_debug("Failed to open user data path: %s (%ld)\n", user_path, PTR_ERR(dir_file)); + pr_debug("Cannot open user path: %s (%ld)\n", user_path, PTR_ERR(dir_file)); return PTR_ERR(dir_file); } - struct user_scan_context scan_ctx = { + struct user_scan_ctx scan_ctx = { .uid_list = uid_list, .user_id = user_id, - .packages_found = 0, - .errors_count = 0 + .pkg_count = 0, + .error_count = 0 }; - - struct user_data_context ctx = { - .ctx.actor = user_data_actor, + + struct user_dir_ctx uctx = { + .ctx.actor = scan_user_packages, .scan_ctx = &scan_ctx }; - ret = iterate_dir(dir_file, &ctx.ctx); + ret = iterate_dir(dir_file, &uctx.ctx); filp_close(dir_file, NULL); - *packages_found = scan_ctx.packages_found; - *errors_count = scan_ctx.errors_count; - - if (scan_ctx.packages_found > 0 && scan_ctx.errors_count > 0) { - pr_info("UserDE UID: Scanned user %u, found %zu packages with %zu errors\n", - user_id, scan_ctx.packages_found, scan_ctx.errors_count); - } + *pkg_count = scan_ctx.pkg_count; + *error_count = scan_ctx.error_count; + + if (scan_ctx.pkg_count > 0 || scan_ctx.error_count > 0) + pr_info("User %u: %zu packages, %zu errors\n", + user_id, scan_ctx.pkg_count, scan_ctx.error_count); return ret; } @@ -373,48 +358,38 @@ static int scan_user_data_for_user(uid_t user_id, struct list_head *uid_list, int scan_user_data_for_uids(struct list_head *uid_list) { uid_t user_ids[MAX_SUPPORTED_USERS]; - size_t active_users = 0; - size_t total_packages = 0; - size_t total_errors = 0; - int ret = 0; - - if (!uid_list) { - return -EINVAL; - } + size_t active_users, total_packages = 0, total_errors = 0; + int ret; - // Retrieve all active user IDs + if (!uid_list) + return -EINVAL; + + // Get all active user IDs ret = get_active_user_ids(user_ids, ARRAY_SIZE(user_ids), &active_users); if (ret < 0 || active_users == 0) { - pr_err("Failed to get active user IDs or no users found: %d\n", ret); - return -ENOENT; + pr_err("No active users found: %d\n", ret); + return ret < 0 ? ret : -ENOENT; } - // Scan each user's data directory + // Scan each user's directory for (size_t i = 0; i < active_users; i++) { - uid_t user_id = user_ids[i]; - size_t packages_found = 0; - size_t errors_count = 0; - - ret = scan_user_data_for_user(user_id, uid_list, &packages_found, &errors_count); - + size_t pkg_count, error_count; + + ret = scan_user_directory(user_ids[i], uid_list, &pkg_count, &error_count); if (ret < 0) { - pr_warn("Failed to scan user %u data directory: %d\n", user_id, ret); + pr_warn("Scan failed for user %u: %d\n", user_ids[i], ret); total_errors++; continue; } - - total_packages += packages_found; - total_errors += errors_count; + + total_packages += pkg_count; + total_errors += error_count; } - if (total_errors > 0) { - pr_warn("UserDE UID: Encountered %zu errors while scanning user data directories\n", - total_errors); - } - - pr_info("UserDE UID: Scan completed - %zu users, %zu packages found\n", - active_users, total_packages); + if (total_errors > 0) + pr_warn("Scan completed with %zu errors\n", total_errors); + pr_info("Scanned %zu users, found %zu packages\n", active_users, total_packages); return total_packages > 0 ? 0 : -ENOENT; } @@ -439,11 +414,11 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name, return FILLDIR_ACTOR_CONTINUE; // Skip "." and ".." if (d_type == DT_DIR && namelen >= 8 && !strncmp(name, "vmdl", 4) && - !strncmp(name + namelen - 4, ".tmp", 4)) { - pr_info("Skipping directory: %.*s\n", namelen, name); - return FILLDIR_ACTOR_CONTINUE; // Skip staging package - } - + !strncmp(name + namelen - 4, ".tmp", 4)) { + pr_info("Skipping directory: %.*s\n", namelen, name); + return FILLDIR_ACTOR_CONTINUE; // Skip staging package + } + if (snprintf(dirpath, DATA_PATH_LEN, "%s/%.*s", my_ctx->parent_dir, namelen, name) >= DATA_PATH_LEN) { pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen, @@ -488,7 +463,7 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name, // Check for dynamic sign or multi-manager signatures if (is_multi_manager && (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2)) { crown_manager(dirpath, my_ctx->private_data, signature_index); - + struct apk_path_hash *apk_data = kmalloc(sizeof(struct apk_path_hash), GFP_ATOMIC); if (apk_data) { apk_data->hash = hash; @@ -523,8 +498,9 @@ void search_manager(const char *path, int depth, struct list_head *uid_data) int i, stop = 0; struct list_head data_path_list; INIT_LIST_HEAD(&data_path_list); + INIT_LIST_HEAD(&apk_path_hash_list); unsigned long data_app_magic = 0; - + // Initialize APK cache list struct apk_path_hash *pos, *n; list_for_each_entry(pos, &apk_path_hash_list, list) { @@ -542,10 +518,10 @@ void search_manager(const char *path, int depth, struct list_head *uid_data) list_for_each_entry_safe(pos, n, &data_path_list, list) { struct my_dir_context ctx = { .ctx.actor = my_actor, - .data_path_list = &data_path_list, - .parent_dir = pos->dirpath, - .private_data = uid_data, - .depth = pos->depth, + .data_path_list = &data_path_list, + .parent_dir = pos->dirpath, + .private_data = uid_data, + .depth = pos->depth, .stop = &stop }; struct file *file; @@ -555,7 +531,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data) pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file)); goto skip_iterate; } - + // grab magic on first folder, which is /data/app if (!data_app_magic) { if (file->f_inode->i_sb->s_magic) { @@ -566,7 +542,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data) goto skip_iterate; } } - + if (file->f_inode->i_sb->s_magic != data_app_magic) { pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n", __func__, pos->dirpath, file->f_inode->i_sb->s_magic, data_app_magic); @@ -584,12 +560,11 @@ skip_iterate: } } - // Remove stale cached APK entries + // clear apk_path_hash_list unconditionally + pr_info("search manager: cleanup!\n"); list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) { - if (!pos->exists) { - list_del(&pos->list); - kfree(pos); - } + list_del(&pos->list); + kfree(pos); } } @@ -628,7 +603,7 @@ void track_throne(void) // first, check if manager_uid exist! bool manager_exist = false; bool dynamic_manager_exist = false; - + list_for_each_entry (np, &uid_list, list) { // if manager is installed in work profile, the uid in packages.list is still equals main profile // don't delete it in this case! @@ -638,7 +613,7 @@ void track_throne(void) break; } } - + // Check for dynamic managers if (!dynamic_manager_exist && ksu_is_dynamic_manager_enabled()) { list_for_each_entry (np, &uid_list, list) { @@ -665,7 +640,7 @@ void track_throne(void) search_manager("/data/app", 2, &uid_list); pr_info("Search Dynamic sign manager finished\n"); } - + prune: // then prune the allowlist ksu_prune_allowlist(is_uid_exist, &uid_list);