From d52fc57fc45537bec6f090633de91104a6d8997d Mon Sep 17 00:00:00 2001
From: Paul
Date: Wed, 4 Jun 2025 14:24:10 +0200
Subject: [PATCH] kernel: core_hook: intercept devpts via security_inode_permission LSM (#137)

`ksu handles devpts with selinux lsm hook` - aviraxp - no, not yet, but yes we can, thats a good idea. This change tries to do that, so instead of hooking pts_unix98_lookup or devpts_get_priv, we just watch security_inode_permission, if its devpts, pass it along to the original handler.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
---
 kernel/core_hook.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 691144b4..a0d6168a 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -432,7 +432,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 int res;
 pr_info("KPM: calling before arg2=%d\n", (int) arg2);
-
+
 res = sukisu_handle_kpm(arg2, arg3, arg4, arg5);
 return 0;
@@ -656,7 +656,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 try_umount("/vendor", true, 0);
 try_umount("/product", true, 0);
 try_umount("/system_ext", true, 0);
-
+
 // try umount modules path
 try_umount("/data/adb/modules", false, MNT_DETACH);
@@ -667,6 +667,19 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 return 0;
 }
+extern int ksu_handle_devpts(struct inode *inode); // sucompat.c
+
+static int ksu_inode_permission(struct inode *inode, int mask)
+{
+ if (unlikely(inode->i_sb && inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
+#ifdef CONFIG_KSU_DEBUG
+ pr_info("%s: devpts inode accessed with mask: %x\n", __func__, mask);
+#endif
+ ksu_handle_devpts(inode);
+ }
+ return 0;
+}
+
 // kernel 4.4 and 4.9
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || \
 defined(CONFIG_IS_HW_HISI) || \
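Review bot: `ksu_inode_permission()` calls `ksu_handle_devpts(inode)` for every task and every `mask` once the superblock magic matches, so the only authorization check on this path is whatever `ksu_handle_devpts()` does in sucompat.c, which this patch does not show. It is worth confirming, and recording in a comment above the call, that the callee checks the calling task before it changes anything on the inode. `security_inode_permission()` is also reached during RCU path walk with `MAY_NOT_BLOCK` set in `mask`, so the handler must not sleep; if that is not guaranteed, one option is `if (mask & MAY_NOT_BLOCK) return -ECHILD;` ahead of the call so the check is retried in ref-walk. The `extern` prototype would be better placed in a shared header than in this .c file, so the compiler checks it against the definition.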
@@ -712,6 +725,7 @@ static struct security_hook_list ksu_hooks[] = {
 LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
+ LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || \
 defined(CONFIG_IS_HW_HISI) || \
 defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
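Review bot: With this entry in `ksu_hooks[]`, `ksu_handle_devpts()` can be reached from two places unless the older `pts_unix98_lookup` / `devpts_get_priv` hook named in the commit message is removed or compiled out, and the diffstat lists only kernel/core_hook.c. If both paths are meant to coexist, a short comment on the entry should say so; otherwise the old hook site should be dropped in the same series. `inode_permission` runs on every permission check system-wide and the entry is registered unconditionally, so a one-line comment such as `/* devpts only; see ksu_inode_permission() */` would help the next reader. The array initializer starts and ends outside this hunk.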