kernel: press KEY_VOLUMEDOWN over 2 seconds will enter safemode and disable all modules

Co-authored-by: Ylarod <me@ylarod.cn>
2023-02-13 21:23:18 +07:00
parent 20ff530962
commit ca950d909b
4 changed files with 142 additions and 4 deletions
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -243,6 +243,16 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}

+	if (arg2 == CMD_CHECK_SAFEMODE) {
+		if (ksu_is_safe_mode()) {
+			pr_warn("safemode enabled!\n");
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("safemode: prctl reply error\n");
+			}
+		}
+		return 0;
+	}
+
 	// all other cmds are for 'root manager'
 	if (!is_manager()) {
 		pr_info("Only manager can do cmd: %d\n", arg2);
--- a/kernel/ksu.h
+++ b/kernel/ksu.h
@@ -21,6 +21,7 @@
 #define CMD_GET_DENY_LIST 6
 #define CMD_REPORT_EVENT 7
 #define CMD_SET_SEPOLICY 8
+#define CMD_CHECK_SAFEMODE 9

 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2
--- a/kernel/ksud.c
+++ b/kernel/ksud.c
@@ -3,12 +3,15 @@
 #include "linux/dcache.h"
 #include "linux/err.h"
 #include "linux/fs.h"
+#include "linux/input-event-codes.h"
 #include "linux/kprobes.h"
 #include "linux/printk.h"
 #include "linux/types.h"
 #include "linux/uaccess.h"
 #include "linux/version.h"
 #include "linux/workqueue.h"
+#include "linux/input.h"
+#include "linux/time64.h"

 #include "allowlist.h"
 #include "arch.h"
@@ -21,32 +24,35 @@ static const char KERNEL_SU_RC[] =

 	"on post-fs-data\n"
 	// We should wait for the post-fs-data finish
-	"    exec u:r:su:s0 root -- "KSUD_PATH" post-fs-data\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " post-fs-data\n"
 	"\n"

 	"on nonencrypted\n"
-	"    exec u:r:su:s0 root -- "KSUD_PATH" services\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
 	"\n"

 	"on property:vold.decrypt=trigger_restart_framework\n"
-	"    exec u:r:su:s0 root -- "KSUD_PATH" services\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
 	"\n"

 	"on property:sys.boot_completed=1\n"
-	"    exec u:r:su:s0 root -- "KSUD_PATH" boot-completed\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " boot-completed\n"
 	"\n"

 	"\n";

 static void stop_vfs_read_hook();
 static void stop_execve_hook();
+static void stop_input_hook();

 #ifdef CONFIG_KPROBES
 static struct work_struct stop_vfs_read_work;
 static struct work_struct stop_execve_hook_work;
+static struct work_struct stop_input_hook_work;
 #else
 static bool vfs_read_hook = true;
 static bool execveat_hook = true;
+static bool input_hook = true;
 #endif

 void on_post_fs_data(void)
@@ -59,6 +65,8 @@ void on_post_fs_data(void)
 	done = true;
 	pr_info("ksu_load_allow_list");
 	ksu_load_allow_list();
+	// sanity check, this may influence the performance
+	stop_input_hook();
 }

 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
@@ -184,6 +192,85 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 	return 0;
 }

+static const time64_t UNINITIALIZED = -1;
+static time64_t last_vol_down_pressed = UNINITIALIZED;
+static time64_t last_vol_down_release = UNINITIALIZED;
+
+static bool is_time_initialized(time64_t t)
+{
+	return t != UNINITIALIZED;
+}
+
+int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
+				  int *value)
+{
+#ifndef CONFIG_KPROBES
+	if (!input_hook) {
+		return 0;
+	}
+#endif
+	if (*type == EV_KEY && *code == KEY_VOLUMEDOWN) {
+		int val = *value;
+		pr_info("KEY_VOLUMEDOWN val: %d\n", val);
+		if (val) {
+			// key pressed
+			last_vol_down_pressed = ktime_get_seconds();
+		} else {
+			// key released
+			if (is_time_initialized(last_vol_down_pressed)) {
+				last_vol_down_release = ktime_get_seconds();
+				// when released, stop hook
+				stop_input_hook();
+			} else {
+				pr_info("KEY_VOLUMEDOWN released, but not pressed yet\n");
+			}
+		}
+		pr_info("last_vol_down_pressed: %ld, last_vol_down_release: %ld\n",
+			last_vol_down_pressed, last_vol_down_release);
+	}
+
+	return 0;
+}
+
+bool ksu_is_safe_mode() {
+
+	static bool safe_mode = false;
+	if (safe_mode) {
+		// don't need to check again, userspace may call multiple times
+		return true;
+	}
+	
+	// stop hook first!
+	stop_input_hook();
+
+	pr_info("ksu_is_safe_mode last_vol_down_pressed: %ld, last_vol_down_release: %ld\n",
+		last_vol_down_pressed, last_vol_down_release);
+	if (!is_time_initialized(last_vol_down_pressed)) {
+		// not pressed yet
+		return false;
+	}
+
+	// vol down pressed
+	time64_t vol_down_time;
+	if (!is_time_initialized(last_vol_down_release)) {
+		// not released yet, use current time
+		vol_down_time = ktime_get_seconds();
+	} else {
+		vol_down_time = last_vol_down_release;
+	}
+
+	pr_info("ksu_is_safe_mode vol_down_time: %ld, last_vol_down_pressed: %ld\n",
+		vol_down_time, last_vol_down_pressed);
+	if (vol_down_time - last_vol_down_pressed >= 2) {
+		// pressed over 2 seconds
+		pr_info("KEY_VOLUMEDOWN pressed over 2 seconds, safe mode detected!\n");
+		safe_mode = true;
+		return true;
+	}
+
+	return false;
+}
+
 #ifdef CONFIG_KPROBES

 // https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
@@ -209,6 +296,15 @@ static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
 }

+static int input_handle_event_handler_pre(struct kprobe *p,
+					  struct pt_regs *regs)
+{
+	unsigned int *type = (unsigned int *)&PT_REGS_PARM2(regs);
+	unsigned int *code = (unsigned int *)&PT_REGS_PARM3(regs);
+	int *value = (int *)&PT_REGS_PARM4(regs);
+	return ksu_handle_input_handle_event(type, code, value);
+}
+
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
@@ -225,6 +321,11 @@ static struct kprobe vfs_read_kp = {
 	.pre_handler = read_handler_pre,
 };

+static struct kprobe input_handle_event_kp = {
+	.symbol_name = "input_handle_event",
+	.pre_handler = input_handle_event_handler_pre,
+};
+
 static void do_stop_vfs_read_hook(struct work_struct *work)
 {
 	unregister_kprobe(&vfs_read_kp);
@@ -234,6 +335,11 @@ static void do_stop_execve_hook(struct work_struct *work)
 {
 	unregister_kprobe(&execve_kp);
 }
+
+static void do_stop_input_hook(struct work_struct *work)
+{
+	unregister_kprobe(&input_handle_event_kp);
+}
 #endif

 static void stop_vfs_read_hook()
@@ -256,6 +362,21 @@ static void stop_execve_hook()
 #endif
 }

+static void stop_input_hook()
+{
+	static bool input_hook_stopped = false;
+	if (input_hook_stopped) {
+		return;
+	}
+	input_hook_stopped = true;
+#ifdef CONFIG_KPROBES
+	bool ret = schedule_work(&stop_input_hook_work);
+	pr_info("unregister input kprobe: %d!\n", ret);
+#else
+	input_hook = false;
+#endif
+}
+
 // ksud: module support
 void ksu_enable_ksud()
 {
@@ -268,7 +389,11 @@ void ksu_enable_ksud()
 	ret = register_kprobe(&vfs_read_kp);
 	pr_info("ksud: vfs_read_kp: %d\n", ret);

+	ret = register_kprobe(&input_handle_event_kp);
+	pr_info("ksud: input_handle_event_kp: %d\n", ret);
+
 	INIT_WORK(&stop_vfs_read_work, do_stop_vfs_read_hook);
 	INIT_WORK(&stop_execve_hook_work, do_stop_execve_hook);
+	INIT_WORK(&stop_input_hook_work, do_stop_input_hook);
 #endif
 }
--- a/kernel/ksud.h
+++ b/kernel/ksud.h
@@ -5,4 +5,6 @@

 void on_post_fs_data(void);

+bool ksu_is_safe_mode(void);
+
 #endif