kernel: core_hook: intercept devpts via security_inode_permission LSM
`ksu handles devpts with selinux lsm hook` - aviraxp - no, not yet, but yes we can, thats a good idea. This change tries to do that, so instead of hooking pts_unix98_lookup or devpts_get_priv, we just watch security_inode_permission, if its devpts, pass it along to the original handler. EDIT: define devpts super magic if its undefined - yeah I aint gonna include a conditional include of a header just for this - while we can just fully remove the macro and inline, readability loss is bad Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
This commit is contained in:
ShirkNeko
@@ -828,6 +828,22 @@ __maybe_unused int ksu_kprobe_exit(void)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef DEVPTS_SUPER_MAGIC
|
||||||
|
#define DEVPTS_SUPER_MAGIC 0x1cd1
|
||||||
|
#endif
|
||||||
|
|
||||||
|
extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c
|
||||||
|
|
||||||
|
int ksu_inode_permission(struct inode *inode, int mask)
|
||||||
|
{
|
||||||
|
if (inode && inode->i_sb
|
||||||
|
&& unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
|
||||||
|
//pr_info("%s: handling devpts for: %s \n", __func__, current->comm);
|
||||||
|
__ksu_handle_devpts(inode);
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef CONFIG_COMPAT
|
#ifdef CONFIG_COMPAT
|
||||||
bool ksu_is_compat __read_mostly = false;
|
bool ksu_is_compat __read_mostly = false;
|
||||||
#endif
|
#endif
|
||||||
@@ -881,6 +897,7 @@ static struct security_hook_list ksu_hooks[] = {
|
|||||||
LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
|
LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
|
||||||
LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
|
LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
|
||||||
LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
|
LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
|
||||||
|
LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
|
||||||
#ifndef CONFIG_KSU_KPROBES_HOOK
|
#ifndef CONFIG_KSU_KPROBES_HOOK
|
||||||
LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
|
LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@@ -195,8 +195,15 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// dummified
|
||||||
int ksu_handle_devpts(struct inode *inode)
|
int ksu_handle_devpts(struct inode *inode)
|
||||||
{
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int __ksu_handle_devpts(struct inode *inode)
|
||||||
|
{
|
||||||
|
|
||||||
#ifndef CONFIG_KSU_KPROBES_HOOK
|
#ifndef CONFIG_KSU_KPROBES_HOOK
|
||||||
if (!ksu_sucompat_hook_state)
|
if (!ksu_sucompat_hook_state)
|
||||||
return 0;
|
return 0;
|
||||||
@@ -212,15 +219,12 @@ int ksu_handle_devpts(struct inode *inode)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!ksu_is_allow_uid(uid))
|
if (likely(!ksu_is_allow_uid(uid)))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (ksu_devpts_sid) {
|
|
||||||
struct inode_security_struct *sec = selinux_inode(inode);
|
struct inode_security_struct *sec = selinux_inode(inode);
|
||||||
if (sec) {
|
if (ksu_devpts_sid && sec)
|
||||||
sec->sid = ksu_devpts_sid;
|
sec->sid = ksu_devpts_sid;
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user