android/SukiSU-Ultra
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feature: add enhanced security (#2873)

Browse Source
This commit is contained in:
Ylarod
2025-11-06 11:33:35 +08:00
committed by ShirkNeko
parent 3f07ea29ae
commit dece57cacf
2 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
kernel/core_hook.c
View File

@@ -73,6 +73,7 @@ static void ksu_try_escalate_for_uid(uid_t uid)
#endif #endif
static bool ksu_kernel_umount_enabled = true; static bool ksu_kernel_umount_enabled = true;
static bool ksu_enhanced_security_enabled = false;
static int kernel_umount_feature_get(u64 *value) static int kernel_umount_feature_get(u64 *value)
{ {
@@ -95,13 +96,34 @@ static const struct ksu_feature_handler kernel_umount_handler = {
.set_handler = kernel_umount_feature_set, .set_handler = kernel_umount_feature_set,
}; };
static int enhanced_security_feature_get(u64 *value)
{
*value = ksu_enhanced_security_enabled ? 1 : 0;
return 0;
}
static int enhanced_security_feature_set(u64 value)
{
bool enable = value != 0;
ksu_enhanced_security_enabled = enable;
pr_info("enhanced_security: set to %d\n", enable);
return 0;
}
static const struct ksu_feature_handler enhanced_security_handler = {
.feature_id = KSU_FEATURE_ENHANCED_SECURITY,
.name = "enhanced_security",
.get_handler = enhanced_security_feature_get,
.set_handler = enhanced_security_feature_set,
};
static inline bool is_allow_su() static inline bool is_allow_su()
{ {
if (is_manager()) { if (is_manager()) {
// we are manager, allow! // we are manager, allow!
return true; return true;
} }
return ksu_is_allow_uid(current_uid().val); return ksu_is_allow_uid_for_current(current_uid().val);
} }
static inline bool is_unsupported_uid(uid_t uid) static inline bool is_unsupported_uid(uid_t uid)
@@ -511,6 +533,26 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
if (0 != old_uid.val) { if (0 != old_uid.val) {
// old process is not root, ignore it. // old process is not root, ignore it.
if (ksu_enhanced_security_enabled) {
// disallow any non-ksu domain escalation from non-root to root!
if (unlikely(new_uid.val) == 0) {
if (!is_ksu_domain()) {
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
current->pid, current->comm, old_uid.val, new_uid.val);
send_sig(SIGKILL, current, 0);
return 0;
}
}
// disallow appuid decrease to any other uid if it is allowed to su
if (is_appuid(old_uid)) {
if (new_uid.val < old_uid.val && ksu_is_allow_uid_for_current(old_uid.val)) {
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
current->pid, current->comm, old_uid.val, new_uid.val);
send_sig(SIGKILL, current, 0);
return 0;
}
}
}
return 0; return 0;
} }

1
kernel/feature.h
View File

@@ -6,6 +6,7 @@
enum ksu_feature_id { enum ksu_feature_id {
KSU_FEATURE_SU_COMPAT = 0, KSU_FEATURE_SU_COMPAT = 0,
KSU_FEATURE_KERNEL_UMOUNT = 1, KSU_FEATURE_KERNEL_UMOUNT = 1,
KSU_FEATURE_ENHANCED_SECURITY = 2,
KSU_FEATURE_MAX KSU_FEATURE_MAX
}; };