Synchronise some modifications
Co-authored-by: Ylarod <me@ylarod.cn> Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com> Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: u9521 <63995396+u9521@users.noreply.github.com> Co-authored-by: Wang Han <416810799@qq.com> Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com> Co-authored-by: Faris <rissu.ntk@gmail.com>
This commit is contained in:
ShirkNeko
@@ -1,10 +1,12 @@
|
||||
#include <linux/compiler.h>
|
||||
#include <linux/version.h>
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
|
||||
#include <linux/sched/signal.h>
|
||||
#endif
|
||||
#include <linux/slab.h>
|
||||
#include <linux/task_work.h>
|
||||
#include <linux/thread_info.h>
|
||||
#include <linux/seccomp.h>
|
||||
#include <linux/bpf.h>
|
||||
#include <linux/capability.h>
|
||||
#include <linux/cred.h>
|
||||
#include <linux/dcache.h>
|
||||
@@ -12,7 +14,6 @@
|
||||
#include <linux/fs.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/init_task.h>
|
||||
#include <linux/kallsyms.h>
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/kprobes.h>
|
||||
#include <linux/mm.h>
|
||||
@@ -22,34 +23,20 @@
|
||||
#include <linux/path.h>
|
||||
#include <linux/printk.h>
|
||||
#include <linux/sched.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/stddef.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/types.h>
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/uidgid.h>
|
||||
#include <linux/version.h>
|
||||
#include <linux/binfmts.h>
|
||||
#include <linux/tty.h>
|
||||
|
||||
#ifdef CONFIG_KSU_SUSFS
|
||||
#include <linux/susfs.h>
|
||||
#endif // #ifdef CONFIG_KSU_SUSFS
|
||||
|
||||
#ifdef MODULE
|
||||
#include <linux/list.h>
|
||||
#include <linux/irqflags.h>
|
||||
#include <linux/mm_types.h>
|
||||
#include <linux/rcupdate.h>
|
||||
#include <linux/vmalloc.h>
|
||||
#endif
|
||||
|
||||
#include "allowlist.h"
|
||||
#include "setuid_hook.h"
|
||||
#include "feature.h"
|
||||
#include "klog.h" // IWYU pragma: keep
|
||||
#include "kernel_compat.h"
|
||||
#include "ksu.h"
|
||||
#include "manager.h"
|
||||
#include "selinux/selinux.h"
|
||||
#include "seccomp_cache.h"
|
||||
@@ -58,8 +45,6 @@
|
||||
#include "syscall_hook_manager.h"
|
||||
#endif
|
||||
#include "kernel_umount.h"
|
||||
#include "app_profile.h"
|
||||
|
||||
#include "sulog.h"
|
||||
|
||||
#ifdef CONFIG_KSU_SUSFS
|
||||
@@ -100,97 +85,113 @@ static bool ksu_enhanced_security_enabled = false;
|
||||
|
||||
static int enhanced_security_feature_get(u64 *value)
|
||||
{
|
||||
*value = ksu_enhanced_security_enabled ? 1 : 0;
|
||||
return 0;
|
||||
*value = ksu_enhanced_security_enabled ? 1 : 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int enhanced_security_feature_set(u64 value)
|
||||
{
|
||||
bool enable = value != 0;
|
||||
ksu_enhanced_security_enabled = enable;
|
||||
pr_info("enhanced_security: set to %d\n", enable);
|
||||
return 0;
|
||||
bool enable = value != 0;
|
||||
ksu_enhanced_security_enabled = enable;
|
||||
pr_info("enhanced_security: set to %d\n", enable);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const struct ksu_feature_handler enhanced_security_handler = {
|
||||
.feature_id = KSU_FEATURE_ENHANCED_SECURITY,
|
||||
.name = "enhanced_security",
|
||||
.get_handler = enhanced_security_feature_get,
|
||||
.set_handler = enhanced_security_feature_set,
|
||||
.feature_id = KSU_FEATURE_ENHANCED_SECURITY,
|
||||
.name = "enhanced_security",
|
||||
.get_handler = enhanced_security_feature_get,
|
||||
.set_handler = enhanced_security_feature_set,
|
||||
};
|
||||
|
||||
static inline bool is_allow_su(void)
|
||||
{
|
||||
if (is_manager()) {
|
||||
// we are manager, allow!
|
||||
return true;
|
||||
}
|
||||
return ksu_is_allow_uid_for_current(current_uid().val);
|
||||
if (is_manager()) {
|
||||
// we are manager, allow!
|
||||
return true;
|
||||
}
|
||||
return ksu_is_allow_uid_for_current(current_uid().val);
|
||||
}
|
||||
|
||||
// force_sig kcompat, TODO: move it out of core_hook.c
|
||||
// https://elixir.bootlin.com/linux/v5.3-rc1/source/kernel/signal.c#L1613
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
|
||||
#define __force_sig(sig) force_sig(sig)
|
||||
#else
|
||||
#define __force_sig(sig) force_sig(sig, current)
|
||||
#endif
|
||||
extern void disable_seccomp(struct task_struct *tsk);
|
||||
|
||||
#ifndef CONFIG_KSU_SUSFS
|
||||
int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
||||
{
|
||||
uid_t new_uid = ruid;
|
||||
// we rely on the fact that zygote always call setresuid(3) with same uids
|
||||
uid_t new_uid = ruid;
|
||||
uid_t old_uid = current_uid().val;
|
||||
|
||||
pr_info("handle_setresuid from %d to %d\n", old_uid, new_uid);
|
||||
|
||||
// if old process is root, ignore it.
|
||||
if (old_uid != 0 && ksu_enhanced_security_enabled) {
|
||||
// disallow any non-ksu domain escalation from non-root to root!
|
||||
// euid is what we care about here as it controls permission
|
||||
if (unlikely(euid == 0)) {
|
||||
if (!is_ksu_domain()) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid, new_uid);
|
||||
ksu_force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
// disallow appuid decrease to any other uid if it is not allowed to su
|
||||
if (is_appuid(old_uid)) {
|
||||
if (euid < current_euid().val && !ksu_is_allow_uid_for_current(old_uid)) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid, new_uid);
|
||||
ksu_force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
if (old_uid != new_uid)
|
||||
pr_info("handle_setresuid from %d to %d\n", old_uid, new_uid);
|
||||
|
||||
// if on private space, see if its possibly the manager
|
||||
if (new_uid > PER_USER_RANGE && new_uid % PER_USER_RANGE == ksu_get_manager_uid()) {
|
||||
ksu_set_manager_uid(new_uid);
|
||||
}
|
||||
// if old process is root, ignore it.
|
||||
if (old_uid != 0 && ksu_enhanced_security_enabled) {
|
||||
// disallow any non-ksu domain escalation from non-root to root!
|
||||
// euid is what we care about here as it controls permission
|
||||
if (unlikely(euid == 0)) {
|
||||
if (!is_ksu_domain()) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid,
|
||||
new_uid);
|
||||
__force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
// disallow appuid decrease to any other uid if it is not allowed to su
|
||||
if (is_appuid(old_uid)) {
|
||||
if (euid < current_euid().val &&
|
||||
!ksu_is_allow_uid_for_current(old_uid)) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid,
|
||||
new_uid);
|
||||
__force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
// if on private space, see if its possibly the manager
|
||||
if (new_uid > PER_USER_RANGE &&
|
||||
new_uid % PER_USER_RANGE == ksu_get_manager_uid()) {
|
||||
ksu_set_manager_uid(new_uid);
|
||||
}
|
||||
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
if (ksu_get_manager_uid() == new_uid) {
|
||||
pr_info("install fd for manager: %d\n", new_uid);
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
} else {
|
||||
ksu_clear_task_tracepoint_flag_if_needed(current);
|
||||
}
|
||||
#else
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (ksu_get_manager_uid() == new_uid) {
|
||||
pr_info("install fd for ksu manager(uid=%d)\n", new_uid);
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
disable_seccomp();
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter,
|
||||
__NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
ksu_set_task_tracepoint_flag(current);
|
||||
} else {
|
||||
ksu_clear_task_tracepoint_flag_if_needed(current);
|
||||
}
|
||||
#else
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
disable_seccomp(current);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
|
||||
if (ksu_get_manager_uid() == new_uid) {
|
||||
@@ -203,10 +204,10 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
|
||||
}
|
||||
#endif
|
||||
|
||||
// Handle kernel umount
|
||||
ksu_handle_umount(old_uid, new_uid);
|
||||
// Handle kernel umount
|
||||
ksu_handle_umount(old_uid, new_uid);
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
extern bool ksu_kernel_umount_enabled;
|
||||
@@ -224,7 +225,7 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){
|
||||
if (!is_ksu_domain()) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid, new_uid);
|
||||
ksu_force_sig(SIGKILL);
|
||||
__force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@@ -233,7 +234,7 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){
|
||||
if (euid < current_euid().val && !ksu_is_allow_uid_for_current(old_uid)) {
|
||||
pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
|
||||
current->pid, current->comm, old_uid, new_uid);
|
||||
ksu_force_sig(SIGKILL);
|
||||
__force_sig(SIGKILL);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@@ -260,18 +261,30 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){
|
||||
// will always return true, that's why we need to explicitly check if new_uid belongs to
|
||||
// ksu manager
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
if (ksu_get_manager_uid() == new_uid % 100000) {
|
||||
pr_info("install fd for manager: %d\n", new_uid);
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (ksu_get_manager_uid() == new_uid) {
|
||||
pr_info("install fd for ksu manager(uid=%d)\n", new_uid);
|
||||
ksu_install_fd();
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
disable_seccomp();
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter,
|
||||
__NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
} else {
|
||||
ksu_clear_task_tracepoint_flag_if_needed(current);
|
||||
}
|
||||
#else
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
disable_seccomp(current);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
|
||||
if (ksu_get_manager_uid() == new_uid) {
|
||||
@@ -293,16 +306,6 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid){
|
||||
if (unlikely(is_some_system_uid(new_uid) && susfs_is_umount_for_zygote_system_process_enabled)) {
|
||||
goto do_umount;
|
||||
}
|
||||
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
|
||||
if (ksu_is_allow_uid_for_current(new_uid)) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
|
||||
spin_unlock_irq(¤t->sighand->siglock);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
|
||||
@@ -341,15 +344,15 @@ skip_try_umount:
|
||||
|
||||
void ksu_setuid_hook_init(void)
|
||||
{
|
||||
ksu_kernel_umount_init();
|
||||
if (ksu_register_feature_handler(&enhanced_security_handler)) {
|
||||
pr_err("Failed to register enhanced security feature handler\n");
|
||||
}
|
||||
ksu_kernel_umount_init();
|
||||
if (ksu_register_feature_handler(&enhanced_security_handler)) {
|
||||
pr_err("Failed to register enhanced security feature handler\n");
|
||||
}
|
||||
}
|
||||
|
||||
void ksu_setuid_hook_exit(void)
|
||||
{
|
||||
pr_info("ksu_core_exit\n");
|
||||
ksu_kernel_umount_exit();
|
||||
ksu_unregister_feature_handler(KSU_FEATURE_ENHANCED_SECURITY);
|
||||
}
|
||||
pr_info("ksu_core_exit\n");
|
||||
ksu_kernel_umount_exit();
|
||||
ksu_unregister_feature_handler(KSU_FEATURE_ENHANCED_SECURITY);
|
||||
}
|
||||
Reference in New Issue
Block a user