kernel: Syncronize upstream changes (#198)
* Cherry-picked range: (kernel)
ebea31daa8..6915b62b9a
* Also merged unmerged pr:
https://github.com/tiann/KernelSU/pull/ 2909
Co-authored-by: Ylarod <me@ylarod.cn>
Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: u9521 <63995396+u9521@users.noreply.github.com>
Co-authored-by: Wang Han <416810799@qq.com>
This commit is contained in:
fc5b87cf
ShirkNeko
@@ -6,7 +6,7 @@
|
||||
#include "selinux.h"
|
||||
#include "sepolicy.h"
|
||||
#include "ss/services.h"
|
||||
#include "linux/lsm_audit.h"
|
||||
#include "linux/lsm_audit.h" // IWYU pragma: keep
|
||||
#include "xfrm.h"
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
@@ -37,6 +37,7 @@ static struct policydb *get_policydb(void)
|
||||
}
|
||||
|
||||
static DEFINE_MUTEX(ksu_rules);
|
||||
|
||||
void apply_kernelsu_rules(void)
|
||||
{
|
||||
struct policydb *db;
|
||||
@@ -95,7 +96,6 @@ void apply_kernelsu_rules(void)
|
||||
ksu_allow(db, "init", "adb_data_file", "file", ALL);
|
||||
ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289
|
||||
ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
|
||||
|
||||
// we need to umount modules in zygote
|
||||
ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
|
||||
|
||||
@@ -139,9 +139,6 @@ void apply_kernelsu_rules(void)
|
||||
ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
|
||||
ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
|
||||
|
||||
// https://android-review.googlesource.com/c/platform/system/logging/+/3725346
|
||||
ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr");
|
||||
|
||||
mutex_unlock(&ksu_rules);
|
||||
}
|
||||
|
||||
@@ -158,15 +155,15 @@ void apply_kernelsu_rules(void)
|
||||
#define CMD_GENFSCON 9
|
||||
|
||||
struct sepol_data {
|
||||
uint32_t cmd;
|
||||
uint32_t subcmd;
|
||||
uint64_t sepol1;
|
||||
uint64_t sepol2;
|
||||
uint64_t sepol3;
|
||||
uint64_t sepol4;
|
||||
uint64_t sepol5;
|
||||
uint64_t sepol6;
|
||||
uint64_t sepol7;
|
||||
u32 cmd;
|
||||
u32 subcmd;
|
||||
u64 sepol1;
|
||||
u64 sepol2;
|
||||
u64 sepol3;
|
||||
u64 sepol4;
|
||||
u64 sepol5;
|
||||
u64 sepol6;
|
||||
u64 sepol7;
|
||||
};
|
||||
|
||||
static int get_object(char *buf, char __user *user_object, size_t buf_sz,
|
||||
@@ -185,14 +182,12 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) || \
|
||||
!defined(KSU_COMPAT_USE_SELINUX_STATE)
|
||||
extern int avc_ss_reset(u32 seqno);
|
||||
#else
|
||||
extern int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
|
||||
#endif
|
||||
|
||||
// reset avc cache table, otherwise the new rules will not take effect if already denied
|
||||
static void reset_avc_cache(void)
|
||||
{
|
||||
@@ -222,7 +217,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
|
||||
pr_info("SELinux permissive or disabled when handle policy!\n");
|
||||
}
|
||||
|
||||
struct sepol_data data = { 0 };
|
||||
struct sepol_data data;
|
||||
if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
|
||||
pr_err("sepol: copy sepol_data failed.\n");
|
||||
return -EINVAL;
|
||||
@@ -236,7 +231,6 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
|
||||
db = get_policydb();
|
||||
|
||||
int ret = -EINVAL;
|
||||
|
||||
switch (cmd) {
|
||||
case CMD_NORMAL_PERM: {
|
||||
char src_buf[MAX_SEPOL_LEN];
|
||||
|
||||
@@ -59,6 +59,7 @@ is_ksu_transition(const struct task_security_struct *old_tsec,
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
void setup_selinux(const char *domain)
|
||||
{
|
||||
if (transive_to_domain(domain)) {
|
||||
@@ -106,7 +107,7 @@ static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
|
||||
}
|
||||
static void __security_release_secctx(struct lsm_context *cp)
|
||||
{
|
||||
return security_release_secctx(cp->context, cp->len);
|
||||
security_release_secctx(cp->context, cp->len);
|
||||
}
|
||||
#else
|
||||
#define __security_secid_to_secctx security_secid_to_secctx
|
||||
@@ -139,7 +140,7 @@ bool is_ksu_domain(void)
|
||||
return is_task_ksu_domain(current_cred());
|
||||
}
|
||||
|
||||
bool is_zygote(const struct cred *cred)
|
||||
bool is_context(const struct cred *cred, const char *context)
|
||||
{
|
||||
if (!cred) {
|
||||
return false;
|
||||
@@ -154,11 +155,21 @@ bool is_zygote(const struct cred *cred)
|
||||
if (err) {
|
||||
return false;
|
||||
}
|
||||
result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
|
||||
result = strncmp(context, ctx.context, ctx.len) == 0;
|
||||
__security_release_secctx(&ctx);
|
||||
return result;
|
||||
}
|
||||
|
||||
bool is_zygote(const struct cred *cred)
|
||||
{
|
||||
return is_context(cred, "u:r:zygote:s0");
|
||||
}
|
||||
|
||||
bool is_init(const struct cred *cred)
|
||||
{
|
||||
return is_context(cred, "u:r:init:s0");
|
||||
}
|
||||
|
||||
#define KSU_FILE_DOMAIN "u:object_r:ksu_file:s0"
|
||||
|
||||
u32 ksu_get_ksu_file_sid(void)
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
|
||||
#include "linux/types.h"
|
||||
#include "linux/version.h"
|
||||
#include "linux/sched.h"
|
||||
#include "linux/cred.h"
|
||||
|
||||
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) || \
|
||||
defined(KSU_COMPAT_HAS_SELINUX_STATE)
|
||||
@@ -14,14 +14,16 @@ void setup_selinux(const char *);
|
||||
|
||||
void setenforce(bool);
|
||||
|
||||
bool is_task_ksu_domain(const struct cred *cred);
|
||||
|
||||
bool getenforce(void);
|
||||
|
||||
bool is_task_ksu_domain(const struct cred *cred);
|
||||
|
||||
bool is_ksu_domain(void);
|
||||
|
||||
bool is_zygote(const struct cred *cred);
|
||||
|
||||
bool is_init(const struct cred *cred);
|
||||
|
||||
void apply_kernelsu_rules(void);
|
||||
|
||||
u32 ksu_get_ksu_file_sid(void);
|
||||
|
||||
@@ -355,7 +355,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
|
||||
|
||||
if (datum->u.xperms == NULL) {
|
||||
datum->u.xperms =
|
||||
(struct avtab_extended_perms *)(kmalloc(
|
||||
(struct avtab_extended_perms *)(kzalloc(
|
||||
sizeof(xperms), GFP_KERNEL));
|
||||
if (!datum->u.xperms) {
|
||||
pr_err("alloc xperms failed\n");
|
||||
@@ -555,7 +555,7 @@ static bool add_filename_trans(struct policydb *db, const char *s,
|
||||
trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
|
||||
1, GFP_ATOMIC);
|
||||
struct filename_trans_key *new_key =
|
||||
(struct filename_trans_key *)kmalloc(sizeof(*new_key),
|
||||
(struct filename_trans_key *)kzalloc(sizeof(*new_key),
|
||||
GFP_ATOMIC);
|
||||
*new_key = key;
|
||||
new_key->name = kstrdup(key.name, GFP_ATOMIC);
|
||||
@@ -585,7 +585,7 @@ static bool add_filename_trans(struct policydb *db, const char *s,
|
||||
return false;
|
||||
}
|
||||
struct filename_trans *new_key =
|
||||
(struct filename_trans *)kmalloc(sizeof(*new_key),
|
||||
(struct filename_trans *)kzalloc(sizeof(*new_key),
|
||||
GFP_ATOMIC);
|
||||
if (!new_key) {
|
||||
pr_err("add_filename_trans: Failed to alloc new_key\n");
|
||||
|
||||
Reference in New Issue
Block a user