From d542fd06729a2a53e8a6249b0c4fdeedb89cadee Mon Sep 17 00:00:00 2001 From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Date: Sun, 21 Sep 2025 17:37:43 +0800 Subject: [PATCH] kernel: Added legacy throne tracker support, using packages.list to scan application UIDs --- kernel/Kconfig | 9 + kernel/Makefile | 9 +- kernel/throne_tracker_legacy.c | 609 +++++++++++++++++++++++++++++++++ 3 files changed, 626 insertions(+), 1 deletion(-) create mode 100644 kernel/throne_tracker_legacy.c diff --git a/kernel/Kconfig b/kernel/Kconfig index 927dcfff..2bd538f1 100644 --- a/kernel/Kconfig +++ b/kernel/Kconfig @@ -22,6 +22,15 @@ config KSU_MULTI_MANAGER_SUPPORT help Enable multi KernelSU manager support +config KSU_THRONE_TRACKER_LEGACY + bool "Use legacy throne tracker (packages.list scanning)" + depends on KSU + default n + help + Use legacy throne tracker that scans packages.list for app UIDs. + This is kept for Ultra-Legacy Linux 4.4-3.X kernels which are prone to deadlocks. + Enable this if default scanning deadlocks/crashes on you. + config KSU_ALLOWLIST_WORKAROUND bool "KernelSU Session Keyring Init workaround" depends on KSU diff --git a/kernel/Makefile b/kernel/Makefile index 0dfe0138..8fe9dde3 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -3,7 +3,6 @@ kernelsu-objs += allowlist.o kernelsu-objs += dynamic_manager.o kernelsu-objs += apk_sign.o kernelsu-objs += sucompat.o -kernelsu-objs += throne_tracker.o kernelsu-objs += core_hook.o kernelsu-objs += ksud.o kernelsu-objs += embed_ksud.o @@ -14,6 +13,14 @@ ifeq ($(CONFIG_KSU_TRACEPOINT_HOOK), y) kernelsu-objs += ksu_trace.o endif +ifeq ($(CONFIG_KSU_THRONE_TRACKER_LEGACY),y) +$(info -- KernelSU/compat: using legacy throne tracker) +kernelsu-objs += throne_tracker_legacy.o +else +$(info -- KernelSU/compat: using new throne tracker) +kernelsu-objs += throne_tracker.o +endif + kernelsu-objs += selinux/selinux.o kernelsu-objs += selinux/sepolicy.o kernelsu-objs += selinux/rules.o diff --git a/kernel/throne_tracker_legacy.c b/kernel/throne_tracker_legacy.c new file mode 100644 index 00000000..f244f219 --- /dev/null +++ b/kernel/throne_tracker_legacy.c @@ -0,0 +1,609 @@ +#include +#include +#include +#include +#include +#include +#include + +#include "allowlist.h" +#include "klog.h" // IWYU pragma: keep +#include "ksu.h" +#include "manager.h" +#include "throne_tracker.h" +#include "kernel_compat.h" +#include "dynamic_manager.h" +#include "throne_comm.h" + +uid_t ksu_manager_uid = KSU_INVALID_UID; + +#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list.tmp" +#define KSU_UID_LIST_PATH "/data/misc/user_uid/uid_list" + +struct uid_data { + struct list_head list; + u32 uid; + char package[KSU_MAX_PACKAGE_NAME]; +}; + +// Try read whitelist first, fallback if failed +static int read_uid_whitelist(struct list_head *uid_list) +{ + struct file *fp; + char *file_content = NULL; + char *line, *next_line; + loff_t file_size; + loff_t pos = 0; + int count = 0; + ssize_t bytes_read; + + fp = ksu_filp_open_compat(KSU_UID_LIST_PATH, O_RDONLY, 0); + if (IS_ERR(fp)) { + pr_info("whitelist not found, fallback needed\n"); + return -ENOENT; + } + + file_size = fp->f_inode->i_size; + if (file_size <= 0) { + pr_info("whitelist file is empty\n"); + filp_close(fp, NULL); + return -ENODATA; + } + + file_content = kzalloc(file_size + 1, GFP_ATOMIC); + if (!file_content) { + pr_err("failed to allocate memory for whitelist file (%lld bytes)\n", file_size); + filp_close(fp, NULL); + return -ENOMEM; + } + + bytes_read = ksu_kernel_read_compat(fp, file_content, file_size, &pos); + if (bytes_read != file_size) { + pr_err("failed to read whitelist file: read %zd bytes, expected %lld bytes\n", + bytes_read, file_size); + kfree(file_content); + filp_close(fp, NULL); + return -EIO; + } + + file_content[file_size] = '\0'; + filp_close(fp, NULL); + + pr_info("successfully read whitelist file (%lld bytes), parsing lines...\n", file_size); + + line = file_content; + while (line && *line) { + next_line = strchr(line, '\n'); + if (next_line) { + *next_line = '\0'; + next_line++; + } + + char *trimmed_line = line; + while (*trimmed_line == ' ' || *trimmed_line == '\t' || *trimmed_line == '\r') { + trimmed_line++; + } + + if (strlen(trimmed_line) > 0) { + char *line_copy = trimmed_line; + char *uid_str = strsep(&line_copy, " \t"); + char *package_name = line_copy; + + if (package_name) { + while (*package_name == ' ' || *package_name == '\t') { + package_name++; + } + } + + if (uid_str && package_name && strlen(package_name) > 0) { + u32 uid; + if (!kstrtou32(uid_str, 10, &uid)) { + struct uid_data *data = kzalloc(sizeof(struct uid_data), GFP_ATOMIC); + if (data) { + data->uid = uid; + size_t pkg_len = strlen(package_name); + size_t copy_len = min(pkg_len, (size_t)(KSU_MAX_PACKAGE_NAME - 1)); + strncpy(data->package, package_name, copy_len); + data->package[copy_len] = '\0'; + + list_add_tail(&data->list, uid_list); + count++; + + if (count % 100 == 0) { + pr_info("parsed %d packages so far...\n", count); + } + } else { + pr_err("failed to allocate memory for uid_data\n"); + } + } else { + pr_warn("invalid uid format in line: %s\n", trimmed_line); + } + } else { + pr_warn("invalid line format: %s\n", trimmed_line); + } + } + + line = next_line; + } + + kfree(file_content); + pr_info("successfully loaded %d uids from whitelist\n", count); + return count > 0 ? 0 : -ENODATA; +} + +static int get_pkg_from_apk_path(char *pkg, const char *path) +{ + int len = strlen(path); + if (len >= KSU_MAX_PACKAGE_NAME || len < 1) + return -1; + + const char *last_slash = NULL; + const char *second_last_slash = NULL; + + int i; + for (i = len - 1; i >= 0; i--) { + if (path[i] == '/') { + if (!last_slash) { + last_slash = &path[i]; + } else { + second_last_slash = &path[i]; + break; + } + } + } + + if (!last_slash || !second_last_slash) + return -1; + + const char *last_hyphen = strchr(second_last_slash, '-'); + if (!last_hyphen || last_hyphen > last_slash) + return -1; + + int pkg_len = last_hyphen - second_last_slash - 1; + if (pkg_len >= KSU_MAX_PACKAGE_NAME || pkg_len <= 0) + return -1; + + // Copying the package name + strncpy(pkg, second_last_slash + 1, pkg_len); + pkg[pkg_len] = '\0'; + + return 0; +} + +static void crown_manager(const char *apk, struct list_head *uid_data, + int signature_index) +{ + char pkg[KSU_MAX_PACKAGE_NAME]; + if (get_pkg_from_apk_path(pkg, apk) < 0) { + pr_err("Failed to get package name from apk path: %s\n", apk); + return; + } + + pr_info("manager pkg: %s, signature_index: %d\n", pkg, signature_index); + +#ifdef KSU_MANAGER_PACKAGE + // pkg is `/` + if (strncmp(pkg, KSU_MANAGER_PACKAGE, sizeof(KSU_MANAGER_PACKAGE))) { + pr_info("manager package is inconsistent with kernel build: %s\n", + KSU_MANAGER_PACKAGE); + return; + } +#endif + struct list_head *list = (struct list_head *)uid_data; + struct uid_data *np; + + list_for_each_entry(np, list, list) { + if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) { + pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n", + pkg, np->uid, signature_index); + + // Dynamic Sign index (1) or multi-manager signatures (2+) + if (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2) { + ksu_add_manager(np->uid, signature_index); + + if (!ksu_is_manager_uid_valid()) { + ksu_set_manager_uid(np->uid); + } + } else { + ksu_set_manager_uid(np->uid); + } + break; + } + } +} + +#define DATA_PATH_LEN 384 // 384 is enough for /data/app//base.apk + +struct data_path { + char dirpath[DATA_PATH_LEN]; + int depth; + struct list_head list; +}; + +struct apk_path_hash { + unsigned int hash; + bool exists; + struct list_head list; +}; + +static struct list_head apk_path_hash_list; + +struct my_dir_context { + struct dir_context ctx; + struct list_head *data_path_list; + char *parent_dir; + void *private_data; + int depth; + int *stop; +}; +// https://docs.kernel.org/filesystems/porting.html +// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted. +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) +#define FILLDIR_RETURN_TYPE bool +#define FILLDIR_ACTOR_CONTINUE true +#define FILLDIR_ACTOR_STOP false +#else +#define FILLDIR_RETURN_TYPE int +#define FILLDIR_ACTOR_CONTINUE 0 +#define FILLDIR_ACTOR_STOP -EINVAL +#endif +FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name, + int namelen, loff_t off, u64 ino, + unsigned int d_type) +{ + struct my_dir_context *my_ctx = + container_of(ctx, struct my_dir_context, ctx); + char dirpath[DATA_PATH_LEN]; + + if (!my_ctx) { + pr_err("Invalid context\n"); + return FILLDIR_ACTOR_STOP; + } + if (my_ctx->stop && *my_ctx->stop) { + pr_info("Stop searching\n"); + return FILLDIR_ACTOR_STOP; + } + + if (!strncmp(name, "..", namelen) || !strncmp(name, ".", namelen)) + return FILLDIR_ACTOR_CONTINUE; // Skip "." and ".." + + if (d_type == DT_DIR && namelen >= 8 && !strncmp(name, "vmdl", 4) && + !strncmp(name + namelen - 4, ".tmp", 4)) { + pr_info("Skipping directory: %.*s\n", namelen, name); + return FILLDIR_ACTOR_CONTINUE; // Skip staging package + } + + if (snprintf(dirpath, DATA_PATH_LEN, "%s/%.*s", my_ctx->parent_dir, + namelen, name) >= DATA_PATH_LEN) { + pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen, + name); + return FILLDIR_ACTOR_CONTINUE; + } + + if (d_type == DT_DIR && my_ctx->depth > 0 && + (my_ctx->stop && !*my_ctx->stop)) { + struct data_path *data = + kmalloc(sizeof(struct data_path), GFP_ATOMIC); + + if (!data) { + pr_err("Failed to allocate memory for %s\n", dirpath); + return FILLDIR_ACTOR_CONTINUE; + } + + strscpy(data->dirpath, dirpath, DATA_PATH_LEN); + data->depth = my_ctx->depth - 1; + list_add_tail(&data->list, my_ctx->data_path_list); + } else { + if ((namelen == 8) && + (strncmp(name, "base.apk", namelen) == 0)) { + struct apk_path_hash *pos, *n; +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0) + unsigned int hash = + full_name_hash(dirpath, strlen(dirpath)); +#else + unsigned int hash = + full_name_hash(NULL, dirpath, strlen(dirpath)); +#endif + list_for_each_entry(pos, &apk_path_hash_list, list) { + if (hash == pos->hash) { + pos->exists = true; + return FILLDIR_ACTOR_CONTINUE; + } + } + + int signature_index = -1; + bool is_multi_manager = is_dynamic_manager_apk( + dirpath, &signature_index); + + pr_info("Found new base.apk at path: %s, is_multi_manager: %d, signature_index: %d\n", + dirpath, is_multi_manager, signature_index); + // Check for dynamic sign or multi-manager signatures + if (is_multi_manager && + (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2)) { + crown_manager(dirpath, my_ctx->private_data, + signature_index); + + struct apk_path_hash *apk_data = + kmalloc(sizeof(struct apk_path_hash), + GFP_ATOMIC); + + if (apk_data) { + apk_data->hash = hash; + apk_data->exists = true; + list_add_tail(&apk_data->list, + &apk_path_hash_list); + } + + } else if (is_manager_apk(dirpath)) { + crown_manager(dirpath, my_ctx->private_data, 0); + *my_ctx->stop = 1; + + // Manager found, clear APK cache list + list_for_each_entry_safe( + pos, n, &apk_path_hash_list, list) { + list_del(&pos->list); + kfree(pos); + } + } else { + struct apk_path_hash *apk_data = + kmalloc(sizeof(struct apk_path_hash), + GFP_ATOMIC); + if (apk_data) { + apk_data->hash = hash; + apk_data->exists = true; + list_add_tail(&apk_data->list, + &apk_path_hash_list); + } + } + } + } + + return FILLDIR_ACTOR_CONTINUE; +} + +void search_manager(const char *path, int depth, struct list_head *uid_data) +{ + int i, stop = 0; + struct list_head data_path_list; + INIT_LIST_HEAD(&data_path_list); + INIT_LIST_HEAD(&apk_path_hash_list); + unsigned long data_app_magic = 0; + + // Initialize APK cache list + struct apk_path_hash *pos, *n; + list_for_each_entry(pos, &apk_path_hash_list, list) { + pos->exists = false; + } + + // First depth + struct data_path data; + strscpy(data.dirpath, path, DATA_PATH_LEN); + data.depth = depth; + list_add_tail(&data.list, &data_path_list); + + for (i = depth; i >= 0; i--) { + struct data_path *pos, *n; + + list_for_each_entry_safe(pos, n, &data_path_list, list) { + struct my_dir_context ctx = { + .ctx.actor = my_actor, + .data_path_list = &data_path_list, + .parent_dir = pos->dirpath, + .private_data = uid_data, + .depth = pos->depth, + .stop = &stop + }; + struct file *file; + + if (!stop) { + file = ksu_filp_open_compat( + pos->dirpath, O_RDONLY | O_NOFOLLOW, 0); + if (IS_ERR(file)) { + pr_err("Failed to open directory: %s, err: %ld\n", + pos->dirpath, PTR_ERR(file)); + goto skip_iterate; + } + + // grab magic on first folder, which is /data/app + if (!data_app_magic) { + if (file->f_inode->i_sb->s_magic) { + data_app_magic = + file->f_inode->i_sb + ->s_magic; + pr_info("%s: dir: %s got magic! 0x%lx\n", + __func__, pos->dirpath, + data_app_magic); + } else { + filp_close(file, NULL); + goto skip_iterate; + } + } + + if (file->f_inode->i_sb->s_magic != + data_app_magic) { + pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n", + __func__, pos->dirpath, + file->f_inode->i_sb->s_magic, + data_app_magic); + filp_close(file, NULL); + goto skip_iterate; + } + + iterate_dir(file, &ctx.ctx); + filp_close(file, NULL); + } +skip_iterate: + list_del(&pos->list); + if (pos != &data) + kfree(pos); + } + } + + // clear apk_path_hash_list unconditionally + pr_info("search manager: cleanup!\n"); + list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) { + list_del(&pos->list); + kfree(pos); + } +} + +static bool is_uid_exist(uid_t uid, char *package, void *data) +{ + struct list_head *list = (struct list_head *)data; + struct uid_data *np; + + bool exist = false; + list_for_each_entry(np, list, list) { + if (np->uid == uid % 100000 && + strncmp(np->package, package, KSU_MAX_PACKAGE_NAME) == 0) { + exist = true; + break; + } + } + return exist; +} + +void track_throne(void) +{ + struct list_head uid_list; + INIT_LIST_HEAD(&uid_list); + + pr_info("track_throne triggered, attempting whitelist read\n"); + + // Try read whitelist first + int ret = read_uid_whitelist(&uid_list); + + if (ret < 0) { + pr_info("whitelist read failed (%d), request userspace scan\n", ret); + + // Request userspace to rescan + ksu_request_userspace_scan(); + + // fallback to packages.list method + struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0); + if (IS_ERR(fp)) { + pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n", + __func__, PTR_ERR(fp)); + goto out; + } + + char chr = 0; + loff_t pos = 0; + loff_t line_start = 0; + char buf[KSU_MAX_PACKAGE_NAME]; + size_t fallback_count = 0; + + for (;;) { + ssize_t count = + ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos); + if (count != sizeof(chr)) + break; + if (chr != '\n') + continue; + + count = ksu_kernel_read_compat(fp, buf, sizeof(buf), + &line_start); + + struct uid_data *data = + kzalloc(sizeof(struct uid_data), GFP_ATOMIC); + if (!data) { + filp_close(fp, 0); + goto out; + } + + char *tmp = buf; + const char *delim = " "; + char *package = strsep(&tmp, delim); + char *uid = strsep(&tmp, delim); + if (!uid || !package) { + pr_err("update_uid: package or uid is NULL!\n"); + kfree(data); + break; + } + + u32 res; + if (kstrtou32(uid, 10, &res)) { + pr_err("update_uid: uid parse err\n"); + kfree(data); + break; + } + data->uid = res; + strncpy(data->package, package, KSU_MAX_PACKAGE_NAME); + list_add_tail(&data->list, &uid_list); + fallback_count++; + + // reset line start + line_start = pos; + } + filp_close(fp, 0); + pr_info("Loaded %zu packages from packages.list fallback\n", fallback_count); + } else { + pr_info("loaded uids from whitelist successfully\n"); + } + + // now update uid list + struct uid_data *np; + struct uid_data *n; + + // first, check if manager_uid exist! + bool manager_exist = false; + bool dynamic_manager_exist = false; + + list_for_each_entry(np, &uid_list, list) { + // if manager is installed in work profile, the uid in packages.list is still equals main profile + // don't delete it in this case! + int manager_uid = ksu_get_manager_uid() % 100000; + if (np->uid == manager_uid) { + manager_exist = true; + break; + } + } + + // Check for dynamic managers + if (!dynamic_manager_exist && ksu_is_dynamic_manager_enabled()) { + list_for_each_entry(np, &uid_list, list) { + // Check if this uid is a dynamic manager (not the traditional manager) + if (ksu_is_any_manager(np->uid) && + np->uid != ksu_get_manager_uid()) { + dynamic_manager_exist = true; + break; + } + } + } + + if (!manager_exist) { + if (ksu_is_manager_uid_valid()) { + pr_info("manager is uninstalled, invalidate it!\n"); + ksu_invalidate_manager_uid(); + goto prune; + } + pr_info("Searching manager...\n"); + search_manager("/data/app", 2, &uid_list); + pr_info("Search manager finished\n"); + } else if (!dynamic_manager_exist && ksu_is_dynamic_manager_enabled()) { + // Always perform search when called from dynamic manager rescan + pr_info("Dynamic sign enabled, Searching manager...\n"); + search_manager("/data/app", 2, &uid_list); + pr_info("Search Dynamic sign manager finished\n"); + } + +prune: + // then prune the allowlist + ksu_prune_allowlist(is_uid_exist, &uid_list); +out: + // free uid_list + list_for_each_entry_safe(np, n, &uid_list, list) { + list_del(&np->list); + kfree(np); + } +} + +void ksu_throne_tracker_init(void) +{ + // nothing to do +} + +void ksu_throne_tracker_exit(void) +{ + // nothing to do +}