kernel: don't umount for non zygote child process. fixes #1054,#1049,#1045
@@ -531,8 +531,6 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
// todo: check old process's selinux context, if it is not zygote, ignore it!
|
|
||||||
|
|
||||||
if (!is_appuid(new_uid) || is_isolated_uid(new_uid.val)) {
|
if (!is_appuid(new_uid) || is_isolated_uid(new_uid.val)) {
|
||||||
// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
|
// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
|
||||||
return 0;
|
return 0;
|
||||||
@@ -551,8 +549,16 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// check old process's selinux context, if it is not zygote, ignore it!
|
||||||
|
// because some su apps may setuid to untrusted_app but they are in global mount namespace
|
||||||
|
// when we umount for such process, that is a disaster!
|
||||||
|
bool is_zygote_child = is_zygote(old->security);
|
||||||
|
if (!is_zygote_child) {
|
||||||
|
pr_info("handle umount ignore non zygote child: %d\n", current->pid);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
// umount the target mnt
|
// umount the target mnt
|
||||||
pr_info("handle umount for uid: %d\n", new_uid.val);
|
pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val, current->pid);
|
||||||
|
|
||||||
// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
|
// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
|
||||||
// filter the mountpoint whose target is `/data/adb`
|
// filter the mountpoint whose target is `/data/adb`
|
||||||
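Review bot: The new `if (!is_zygote_child)` guard cannot tell a non-zygote parent from a failed lookup, because `is_zygote()` returns false for a NULL security pointer and for a `security_secid_to_secctx` error as well, and in both cases the umount is skipped under the log text "non zygote child". Since this guard decides whether an app process keeps the mounts, the failure case should be distinguishable in the log, or at least documented at the call site with `// is_zygote() also returns false when the context lookup fails; umount is skipped then too`. Passing `old->security` as an untyped pointer appears to assume the SELinux task struct sits at the start of that blob, which may not hold on kernels that stack LSM blobs; that assumption is worth a comment as well. `ksu_handle_setuid` starts and ends outside these hunks.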
|
|||||||
@@ -27,7 +27,8 @@ static int transive_to_domain(const char *domain)
|
|||||||
|
|
||||||
error = security_secctx_to_secid(domain, strlen(domain), &sid);
|
error = security_secctx_to_secid(domain, strlen(domain), &sid);
|
||||||
if (error) {
|
if (error) {
|
||||||
pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n", domain, sid, error);
|
pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
|
||||||
|
domain, sid, error);
|
||||||
}
|
}
|
||||||
if (!error) {
|
if (!error) {
|
||||||
if (!ksu_sid)
|
if (!ksu_sid)
|
||||||
@@ -107,3 +108,18 @@ bool is_ksu_domain()
|
|||||||
{
|
{
|
||||||
return ksu_sid && current_sid() == ksu_sid;
|
return ksu_sid && current_sid() == ksu_sid;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool is_zygote(void *sec)
|
||||||
|
{
|
||||||
|
struct task_security_struct *tsec = (struct task_security_struct *)sec;
|
||||||
|
if (!tsec) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
char *domain;
|
||||||
|
u32 seclen;
|
||||||
|
int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
|
||||||
|
if (err) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return strncmp("u:r:zygote:s0", domain, seclen) == 0;
|
||||||
|
}
|
||||||
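Review bot: `is_zygote()` never releases the context string that `security_secid_to_secctx` returns in `domain`, so every call that reaches the `strncmp` leaks it, and the caller runs this on the app setuid path. Keep the comparison result, release, then return: `bool match = strncmp("u:r:zygote:s0", domain, seclen) == 0;`, `security_release_secctx(domain, seclen);`, `return match;`. The comparison is bounded by `seclen` rather than by the literal's length, so it is an exact match only if `seclen` counts the terminating NUL; a one-line comment stating that would help. Resolving the zygote SID once and comparing `tsec->sid` against it, as `is_ksu_domain()` does with `ksu_sid`, would avoid the string conversion entirely.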
@@ -16,6 +16,8 @@ bool getenforce();
|
|||||||
|
|
||||||
bool is_ksu_domain();
|
bool is_ksu_domain();
|
||||||
|
|
||||||
|
bool is_zygote(void *cred);
|
||||||
|
|
||||||
void apply_kernelsu_rules();
|
void apply_kernelsu_rules();
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
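Review bot: The prototype names the parameter `cred`, but the definition names it `sec` and casts it straight to `struct task_security_struct *`, and the caller passes `old->security`. With a `void *` parameter the compiler will accept a `struct cred *` here without complaint, and the function would then read `sid` from the wrong object. Rename it to match the definition, `bool is_zygote(void *sec);`, and add a comment that the argument is the credential's security blob, not the credential itself.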
|
|||||||