From e4d7c292d6b7ad035c231ee9fc9f1cb935610cc0 Mon Sep 17 00:00:00 2001 From: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Date: Sat, 8 Nov 2025 19:39:41 +0800 Subject: [PATCH] kernel: remove unused kernel_compat Co-authored-by: weishu --- kernel/Makefile | 1 + kernel/allowlist.c | 1 - kernel/apk_sign.c | 1 - kernel/core_hook.c | 4 + kernel/dynamic_manager.c | 1 - kernel/kernel_compat.c | 60 +----------- kernel/kernel_compat.h | 5 - kernel/ksud.c | 1 + kernel/manual_su.c | 1 - kernel/seccomp_cache.c | 192 ++++++++++++++++++++++++++++++++++++++ kernel/seccomp_cache.h | 12 +++ kernel/selinux/sepolicy.c | 1 - kernel/sucompat.c | 1 - kernel/sulog.c | 1 - kernel/supercalls.c | 1 - kernel/throne_comm.c | 2 +- kernel/throne_tracker.c | 2 +- 17 files changed, 213 insertions(+), 74 deletions(-) create mode 100644 kernel/seccomp_cache.c create mode 100644 kernel/seccomp_cache.h diff --git a/kernel/Makefile b/kernel/Makefile index a3fc2905..d70c52e5 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -9,6 +9,7 @@ kernelsu-objs += supercalls.o kernelsu-objs += feature.o kernelsu-objs += ksud.o kernelsu-objs += embed_ksud.o +kernelsu-objs += seccomp_cache.o kernelsu-objs += kernel_compat.o kernelsu-objs += file_wrapper.o kernelsu-objs += throne_tracker.o diff --git a/kernel/allowlist.c b/kernel/allowlist.c index 9eda5e42..3324b6c6 100644 --- a/kernel/allowlist.c +++ b/kernel/allowlist.c @@ -15,7 +15,6 @@ #include "ksu.h" #include "klog.h" // IWYU pragma: keep #include "selinux/selinux.h" -#include "kernel_compat.h" #include "allowlist.h" #include "manager.h" diff --git a/kernel/apk_sign.c b/kernel/apk_sign.c index 671b8523..5e4f4212 100644 --- a/kernel/apk_sign.c +++ b/kernel/apk_sign.c @@ -17,7 +17,6 @@ #include "apk_sign.h" #include "dynamic_manager.h" #include "klog.h" // IWYU pragma: keep -#include "kernel_compat.h" #include "manager_sign.h" struct sdesc { diff --git a/kernel/core_hook.c b/kernel/core_hook.c index 25fa46e0..23555f92 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -63,6 +63,10 @@ #include "supercalls.h" #include "sucompat.h" #include "sulog.h" +#include "seccomp_cache.h" + +#include "throne_comm.h" +#include "umount_manager.h" #ifdef CONFIG_KSU_SUSFS diff --git a/kernel/dynamic_manager.c b/kernel/dynamic_manager.c index 14f6c794..96bc710b 100644 --- a/kernel/dynamic_manager.c +++ b/kernel/dynamic_manager.c @@ -17,7 +17,6 @@ #include "dynamic_manager.h" #include "klog.h" // IWYU pragma: keep -#include "kernel_compat.h" #include "manager.h" #define MAX_MANAGERS 2 diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c index a36cd560..00df8d67 100644 --- a/kernel/kernel_compat.c +++ b/kernel/kernel_compat.c @@ -10,7 +10,7 @@ #endif #include #include "klog.h" // IWYU pragma: keep -#include "kernel_compat.h" // Add check Huawei Device +#include "kernel_compat.h" #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || \ defined(CONFIG_IS_HW_HISI) || \ @@ -132,61 +132,3 @@ long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size) return 0; #endif } - -#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 -struct action_cache { - DECLARE_BITMAP(allow_native, NR_syscalls); -#ifdef SECCOMP_ARCH_COMPAT - DECLARE_BITMAP(allow_compat, SECCOMP_ARCH_COMPAT_NR); -#endif -}; - -struct seccomp_filter { - refcount_t refs; - refcount_t users; - bool log; -#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) - bool wait_killable_recv; -#endif - struct action_cache cache; - struct seccomp_filter *prev; - struct bpf_prog *prog; - struct notification *notif; - struct mutex notify_lock; - wait_queue_head_t wqh; -}; - -void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr) -{ - if (!filter) { - return; - } - - if (nr >= 0 && nr < NR_syscalls) { - clear_bit(nr, filter->cache.allow_native); - } - -#ifdef SECCOMP_ARCH_COMPAT - if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) { - clear_bit(nr, filter->cache.allow_compat); - } -#endif -} - -void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr) -{ - if (!filter) { - return; - } - - if (nr >= 0 && nr < NR_syscalls) { - set_bit(nr, filter->cache.allow_native); - } - -#ifdef SECCOMP_ARCH_COMPAT - if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) { - set_bit(nr, filter->cache.allow_compat); - } -#endif -} -#endif diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h index 8faef13f..c4514b82 100644 --- a/kernel/kernel_compat.h +++ b/kernel/kernel_compat.h @@ -47,9 +47,4 @@ static long ksu_copy_from_user_retry(void *to, #define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size) #endif -#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 -extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr); -extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr); -#endif - #endif diff --git a/kernel/ksud.c b/kernel/ksud.c index 032d8dc4..fefad007 100644 --- a/kernel/ksud.c +++ b/kernel/ksud.c @@ -29,6 +29,7 @@ #include "arch.h" #include "klog.h" // IWYU pragma: keep #include "ksud.h" + #include "kernel_compat.h" #include "selinux/selinux.h" #include "sucompat.h" diff --git a/kernel/manual_su.c b/kernel/manual_su.c index b8c2f1a5..f04cabd1 100644 --- a/kernel/manual_su.c +++ b/kernel/manual_su.c @@ -7,7 +7,6 @@ #include #include #include -#include "kernel_compat.h" #include "manual_su.h" #include "ksu.h" #include "allowlist.h" diff --git a/kernel/seccomp_cache.c b/kernel/seccomp_cache.c new file mode 100644 index 00000000..07d4303f --- /dev/null +++ b/kernel/seccomp_cache.c @@ -0,0 +1,192 @@ +#include +#include +#include +#include +#include +#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0) +#include +#else +#include +#endif +#include +#include "klog.h" // IWYU pragma: keep +#include "seccomp_cache.h" + +#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || \ + defined(CONFIG_IS_HW_HISI) || \ + defined(CONFIG_KSU_ALLOWLIST_WORKAROUND) +#include +#include +#include +struct key *init_session_keyring = NULL; + +static inline int install_session_keyring(struct key *keyring) +{ + struct cred *new; + int ret; + + new = prepare_creds(); + if (!new) + return -ENOMEM; + + ret = install_session_keyring_to_cred(new, keyring); + if (ret < 0) { + abort_creds(new); + return ret; + } + + return commit_creds(new); +} +#endif + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0) || defined(KSU_OPTIONAL_STRNCPY) +long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr, + long count) +{ + return strncpy_from_user_nofault(dst, unsafe_addr, count); +} +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0) +long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr, + long count) +{ + return strncpy_from_unsafe_user(dst, unsafe_addr, count); +} +#else +// Copied from: https://elixir.bootlin.com/linux/v4.9.337/source/mm/maccess.c#L201 +long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr, + long count) +{ + mm_segment_t old_fs = get_fs(); + long ret; + + if (unlikely(count <= 0)) + return 0; + + set_fs(USER_DS); + pagefault_disable(); + ret = strncpy_from_user(dst, unsafe_addr, count); + pagefault_enable(); + set_fs(old_fs); + + if (ret >= count) { + ret = count; + dst[ret - 1] = '\0'; + } else if (ret > 0) { + ret++; + } + + return ret; +} +#endif + +long ksu_strncpy_from_user_retry(char *dst, const void __user *unsafe_addr, + long count) +{ + long ret; + + ret = ksu_strncpy_from_user_nofault(dst, unsafe_addr, count); + if (likely(ret >= 0)) + return ret; + + // we faulted! fallback to slow path + if (unlikely(!ksu_access_ok(unsafe_addr, count))) { +#ifdef CONFIG_KSU_DEBUG + pr_err("%s: faulted!\n", __func__); +#endif + return -EFAULT; + } + + // why we don't do like how strncpy_from_user_nofault? + ret = strncpy_from_user(dst, unsafe_addr, count); + + if (ret >= count) { + ret = count; + dst[ret - 1] = '\0'; + } else if (likely(ret >= 0)) { + ret++; + } + + return ret; +} + +long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size) +{ +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0) + return copy_from_user_nofault(dst, src, size); +#else + // https://elixir.bootlin.com/linux/v5.8/source/mm/maccess.c#L205 + long ret = -EFAULT; + mm_segment_t old_fs = get_fs(); + + set_fs(USER_DS); + // tweaked to use ksu_access_ok + if (ksu_access_ok(src, size)) { + pagefault_disable(); + ret = __copy_from_user_inatomic(dst, src, size); + pagefault_enable(); + } + set_fs(old_fs); + + if (ret) + return -EFAULT; + return 0; +#endif +} + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 +struct action_cache { + DECLARE_BITMAP(allow_native, NR_syscalls); +#ifdef SECCOMP_ARCH_COMPAT + DECLARE_BITMAP(allow_compat, SECCOMP_ARCH_COMPAT_NR); +#endif +}; + +struct seccomp_filter { + refcount_t refs; + refcount_t users; + bool log; +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0) + bool wait_killable_recv; +#endif + struct action_cache cache; + struct seccomp_filter *prev; + struct bpf_prog *prog; + struct notification *notif; + struct mutex notify_lock; + wait_queue_head_t wqh; +}; + +void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr) +{ + if (!filter) { + return; + } + + if (nr >= 0 && nr < NR_syscalls) { + clear_bit(nr, filter->cache.allow_native); + } + +#ifdef SECCOMP_ARCH_COMPAT + if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) { + clear_bit(nr, filter->cache.allow_compat); + } +#endif +} + +void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr) +{ + if (!filter) { + return; + } + + if (nr >= 0 && nr < NR_syscalls) { + set_bit(nr, filter->cache.allow_native); + } + +#ifdef SECCOMP_ARCH_COMPAT + if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) { + set_bit(nr, filter->cache.allow_compat); + } +#endif +} +#endif diff --git a/kernel/seccomp_cache.h b/kernel/seccomp_cache.h new file mode 100644 index 00000000..ce883289 --- /dev/null +++ b/kernel/seccomp_cache.h @@ -0,0 +1,12 @@ +#ifndef __KSU_H_SECCOMP_CACHE +#define __KSU_H_SECCOMP_CACHE + +#include +#include + +#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2 +extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr); +extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr); +#endif + +#endif \ No newline at end of file diff --git a/kernel/selinux/sepolicy.c b/kernel/selinux/sepolicy.c index a1d7334f..587413a1 100644 --- a/kernel/selinux/sepolicy.c +++ b/kernel/selinux/sepolicy.c @@ -6,7 +6,6 @@ #include "sepolicy.h" #include "../klog.h" // IWYU pragma: keep #include "ss/symtab.h" -#include "../kernel_compat.h" // Add check Huawei Device #define KSU_SUPPORT_ADD_TYPE diff --git a/kernel/sucompat.c b/kernel/sucompat.c index e2b84144..b8ed40c2 100644 --- a/kernel/sucompat.c +++ b/kernel/sucompat.c @@ -31,7 +31,6 @@ #include "feature.h" #include "klog.h" // IWYU pragma: keep #include "ksud.h" -#include "kernel_compat.h" #include "sucompat.h" #include "core_hook.h" #include "sulog.h" diff --git a/kernel/sulog.c b/kernel/sulog.c index c56e5c51..e31a79f4 100644 --- a/kernel/sulog.c +++ b/kernel/sulog.c @@ -15,7 +15,6 @@ #include #include "klog.h" -#include "kernel_compat.h" #include "sulog.h" #include "ksu.h" diff --git a/kernel/supercalls.c b/kernel/supercalls.c index 6beb7b88..897c7634 100644 --- a/kernel/supercalls.c +++ b/kernel/supercalls.c @@ -20,7 +20,6 @@ #include "core_hook.h" #include "objsec.h" #include "file_wrapper.h" -#include "kernel_compat.h" #include "throne_comm.h" #include "dynamic_manager.h" diff --git a/kernel/throne_comm.c b/kernel/throne_comm.c index 0b31ecb7..07de7d41 100644 --- a/kernel/throne_comm.c +++ b/kernel/throne_comm.c @@ -8,7 +8,7 @@ #include "klog.h" #include "throne_comm.h" -#include "kernel_compat.h" +#include "ksu.h" #define PROC_UID_SCANNER "ksu_uid_scanner" #define UID_SCANNER_STATE_FILE "/data/adb/ksu/.uid_scanner" diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c index 8376880c..b1e15bbe 100644 --- a/kernel/throne_tracker.c +++ b/kernel/throne_tracker.c @@ -13,7 +13,7 @@ #include "ksu.h" #include "manager.h" #include "throne_tracker.h" -#include "kernel_compat.h" +#include "apk_sign.h" #include "dynamic_manager.h" #include "throne_comm.h"