Synchronise some modifications

Co-authored-by: Ylarod <me@ylarod.cn>
Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: u9521 <63995396+u9521@users.noreply.github.com>
Co-authored-by: Wang Han <416810799@qq.com>
Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
Co-authored-by: Faris <rissu.ntk@gmail.com>

kernel/app_profile.c

@@ -1,21 +1,31 @@
+#include <linux/version.h>
 #include <linux/capability.h>
 #include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/fdtable.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/proc_ns.h>
+#include <linux/pid.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include <linux/sched/signal.h> // signal_struct
+#include <linux/sched/task.h>
+#endif
 #include <linux/sched.h>
-#include <linux/sched/signal.h>
 #include <linux/seccomp.h>
 #include <linux/thread_info.h>
 #include <linux/uidgid.h>
-#include <linux/version.h>
-#include "objsec.h"
+#include <linux/syscalls.h>
 
 #include "allowlist.h"
 #include "app_profile.h"
+#include "arch.h"
+#include "kernel_compat.h"
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
 #ifndef CONFIG_KSU_SUSFS
 #include "syscall_hook_manager.h"
 #endif
-#include "sucompat.h"
 #include "sulog.h"
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION (6, 7, 0)
@@ -26,51 +36,55 @@
 
 static void setup_groups(struct root_profile *profile, struct cred *cred)
 {
-    if (profile->groups_count > KSU_MAX_GROUPS) {
-        pr_warn("Failed to setgroups, too large group: %d!\n",
-            profile->uid);
-        return;
-    }
+	if (profile->groups_count > KSU_MAX_GROUPS) {
+		pr_warn("Failed to setgroups, too large group: %d!\n",
+			profile->uid);
+		return;
+	}
 
-    if (profile->groups_count == 1 && profile->groups[0] == 0) {
-        // setgroup to root and return early.
-        if (cred->group_info)
-            put_group_info(cred->group_info);
-        cred->group_info = get_group_info(&root_groups);
-        return;
-    }
+	if (profile->groups_count == 1 && profile->groups[0] == 0) {
+		// setgroup to root and return early.
+		if (cred->group_info)
+			put_group_info(cred->group_info);
+		cred->group_info = get_group_info(&root_groups);
+		return;
+	}
 
-    u32 ngroups = profile->groups_count;
-    struct group_info *group_info = groups_alloc(ngroups);
-    if (!group_info) {
-        pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
-        return;
-    }
+	u32 ngroups = profile->groups_count;
+	struct group_info *group_info = groups_alloc(ngroups);
+	if (!group_info) {
+		pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+		return;
+	}
 
-    int i;
-    for (i = 0; i < ngroups; i++) {
-        gid_t gid = profile->groups[i];
-        kgid_t kgid = make_kgid(current_user_ns(), gid);
-        if (!gid_valid(kgid)) {
-            pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
-            put_group_info(group_info);
-            return;
-        }
+	int i;
+	for (i = 0; i < ngroups; i++) {
+		gid_t gid = profile->groups[i];
+		kgid_t kgid = make_kgid(current_user_ns(), gid);
+		if (!gid_valid(kgid)) {
+			pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+			put_group_info(group_info);
+			return;
+		}
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
-        group_info->gid[i] = kgid;
+		group_info->gid[i] = kgid;
 #else
-        GROUP_AT(group_info, i) = kgid;
+		GROUP_AT(group_info, i) = kgid;
 #endif
-    }
+	}
 
-    groups_sort(group_info);
-    set_groups(cred, group_info);
-    put_group_info(group_info);
+	groups_sort(group_info);
+	set_groups(cred, group_info);
+	put_group_info(group_info);
 }
 
-void disable_seccomp(void)
+void disable_seccomp(struct task_struct *tsk)
 {
-	assert_spin_locked(&current->sighand->siglock);
+	if (unlikely(!tsk))
+		return;
+
+	assert_spin_locked(&tsk->sighand->siglock);
+
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
 	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
@@ -80,83 +94,97 @@ void disable_seccomp(void)
 #endif
 
 #ifdef CONFIG_SECCOMP
-	current->seccomp.mode = 0;
-	current->seccomp.filter = NULL;
-	atomic_set(&current->seccomp.filter_count, 0);
+	tsk->seccomp.mode = 0;
+	if (tsk->seccomp.filter) {
+		// 5.9+ have filter_count, but optional.
+#ifdef KSU_OPTIONAL_SECCOMP_FILTER_CNT
+		atomic_set(&tsk->seccomp.filter_count, 0);
+#endif
+		// some old kernel backport seccomp_filter_release..
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) &&                            \
+	defined(KSU_OPTIONAL_SECCOMP_FILTER_RELEASE)
+		seccomp_filter_release(tsk);
 #else
+		// never, ever call seccomp_filter_release on 6.10+ (no effect)
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) &&                          \
+     LINUX_VERSION_CODE < KERNEL_VERSION(6, 10, 0))
+		seccomp_filter_release(tsk);
+#else
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+		put_seccomp_filter(tsk);
+#endif
+		tsk->seccomp.filter = NULL;
+#endif
+#endif
+	}
 #endif
 }
 
 void escape_with_root_profile(void)
 {
-    struct cred *cred;
-#ifndef CONFIG_KSU_SUSFS
-    struct task_struct *p = current;
-    struct task_struct *t;
-#endif
+	struct cred *cred;
+	// a bit useless, but we just want less ifdefs
+	struct task_struct *p = current;
 
-    cred = prepare_creds();
-    if (!cred) {
-        pr_warn("prepare_creds failed!\n");
-        return;
-    }
+	if (current_euid().val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
 
-    if (cred->euid.val == 0) {
-        pr_warn("Already root, don't escape!\n");
-#if __SULOG_GATE
-        ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root_failed");
-#endif
-        abort_creds(cred);
-        return;
-    }
+	cred = prepare_creds();
+	if (!cred) {
+		pr_warn("prepare_creds failed!\n");
+		return;
+	}
 
-    struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
 
-    cred->uid.val = profile->uid;
-    cred->suid.val = profile->uid;
-    cred->euid.val = profile->uid;
-    cred->fsuid.val = profile->uid;
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
 
-    cred->gid.val = profile->gid;
-    cred->fsgid.val = profile->gid;
-    cred->sgid.val = profile->gid;
-    cred->egid.val = profile->gid;
-    cred->securebits = 0;
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+	cred->securebits = 0;
 
-    BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
-             sizeof(kernel_cap_t));
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
 
-    // setup capabilities
-    // we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
-    // we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
-    u64 cap_for_ksud =
-        profile->capabilities.effective | CAP_DAC_READ_SEARCH;
-    memcpy(&cred->cap_effective, &cap_for_ksud,
-           sizeof(cred->cap_effective));
-    memcpy(&cred->cap_permitted, &profile->capabilities.effective,
-           sizeof(cred->cap_permitted));
-    memcpy(&cred->cap_bset, &profile->capabilities.effective,
-           sizeof(cred->cap_bset));
+	// setup capabilities
+	// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
+	// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
+	u64 cap_for_ksud =
+		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+	memcpy(&cred->cap_effective, &cap_for_ksud,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
 
-    setup_groups(profile, cred);
+	setup_groups(profile, cred);
 
-    commit_creds(cred);
+	commit_creds(cred);
 
-    // Refer to kernel/seccomp.c: seccomp_set_mode_strict
-    // When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
-    spin_lock_irq(&current->sighand->siglock);
-    disable_seccomp();
-    spin_unlock_irq(&current->sighand->siglock);
+	// Refer to kernel/seccomp.c: seccomp_set_mode_strict
+	// When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
+	spin_lock_irq(&p->sighand->siglock);
+	disable_seccomp(p);
+	spin_unlock_irq(&p->sighand->siglock);
 
-    setup_selinux(profile->selinux_domain);
+	setup_selinux(profile->selinux_domain);
 #if __SULOG_GATE
     ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root");
 #endif
 
 #ifndef CONFIG_KSU_SUSFS
-    for_each_thread (p, t) {
-        ksu_set_task_tracepoint_flag(t);
-    }
+	struct task_struct *t;
+	for_each_thread (p, t) {
+		ksu_set_task_tracepoint_flag(t);
+	}
 #endif
 }
 
@@ -220,10 +248,6 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
 {
     struct cred *newcreds;
     struct task_struct *target_task;
-#ifndef CONFIG_KSU_SUSFS
-    struct task_struct *p = current;
-    struct task_struct *t;
-#endif
 
     pr_info("cmd_su: escape_to_root_for_cmd_su called for UID: %d, PID: %d\n", target_uid, target_pid);
 
@@ -306,6 +330,8 @@ void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
     ksu_sulog_report_su_grant(target_uid, "cmd_su", "manual_escalation");
 #endif
 #ifndef CONFIG_KSU_SUSFS
+    struct task_struct *p = current;
+    struct task_struct *t;
     for_each_thread (p, t) {
         ksu_set_task_tracepoint_flag(t);
     }