kernel: add su compat mode

kernel/Makefile

@@ -2,6 +2,8 @@ obj-y += ksu.o
 obj-y += allowlist.o
 obj-y += apk_sign.o
 obj-y += module_api.o
+obj-y += sucompat.o
+
 obj-y += selinux/
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat

kernel/allowlist.c

@@ -91,7 +91,7 @@ bool ksu_is_allow_uid(uid_t uid) {
   struct list_head *pos = NULL;
   list_for_each(pos, &allow_list) {
     p = list_entry(pos, struct perm_data, list);
-    pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
+    // pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
     if (uid == p->uid) {
       return p->allow;
     }

kernel/ksu.c

@@ -38,7 +38,7 @@
 #define CMD_GET_ALLOW_LIST 5
 #define CMD_GET_DENY_LIST 6
 
-static void escape_to_root(void) {
+void escape_to_root(bool disable_seccomp) {
 	struct cred* cred;
 
 	cred = (struct cred *)__task_cred(current);
@@ -56,10 +56,11 @@ static void escape_to_root(void) {
 	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
 	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
 
-	// DISABLE SECCOMP
+	if (disable_seccomp) {
 		current_thread_info()->flags = 0;
 		current->seccomp.mode = 0;
 		current->seccomp.filter = NULL;
+	}
 
 	setup_selinux();
 }
@@ -148,6 +149,8 @@ static bool is_allow_su() {
 	return ksu_is_allow_uid(uid);
 }
 
+extern void enable_sucompat();
+
 static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
 
 	struct pt_regs* real_regs = (struct pt_regs*) PT_REGS_PARM1(regs);
@@ -179,7 +182,7 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
 	if (arg2 == CMD_GRANT_ROOT) {
 		if (is_allow_su()) {
 			pr_info("allow root for: %d\n", current_uid());
-			escape_to_root();
+			escape_to_root(true);
 		} else {
 			pr_info("deny root for: %d\n", current_uid());
 			// add it to deny list!
@@ -233,6 +236,8 @@ int kernelsu_init(void){
 
 	rc = register_kprobe(&kp);
 
+	enable_sucompat();
+
 	return rc;
 }
 

kernel/sucompat.c

@@ -0,0 +1,135 @@
+
+#include <linux/cpu.h>
+#include <linux/memory.h>
+#include <linux/uaccess.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kprobes.h>
+#include <linux/printk.h>
+#include <linux/string.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <asm-generic/errno-base.h>
+
+#include <linux/rcupdate.h>
+#include <linux/fdtable.h>
+#include <linux/fs.h> 
+#include <linux/fs_struct.h>
+#include <linux/namei.h>
+
+#include "klog.h"
+#include "arch.h"
+#include "allowlist.h"
+
+#define SU_PATH "/system/bin/su"
+#define SH_PATH "/system/bin/sh"
+
+extern void escape_to_root(bool);
+
+static void __user *userspace_stack_buffer(const void *d, size_t len) {
+	/* To avoid having to mmap a page in userspace, just write below the stack pointer. */
+	char __user *p = (void __user *)current_user_stack_pointer() - len;
+
+	return copy_to_user(p, d, len) ? NULL : p;
+}
+
+static char __user *sh_user_path(void) {
+	static const char sh_path[] = "/system/bin/sh";
+
+	return userspace_stack_buffer(sh_path, sizeof(sh_path));
+}
+
+static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs) {
+    struct filename* filename;
+    const char su[] = SU_PATH;
+
+    if (!ksu_is_allow_uid(current_uid().val)) {
+        return 0;
+    }
+
+    filename = getname(PT_REGS_PARM2(regs));
+
+    if (IS_ERR(filename)) {
+        return 0;
+    }
+    if (!memcmp(filename->name, su, sizeof(su))) {
+        pr_info("faccessat su->sh!\n");
+        regs->regs[1] = sh_user_path();
+    }
+
+    return 0;
+}
+
+static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs) {
+    // const char sh[] = SH_PATH;
+    struct filename* filename;
+    const char su[] = SU_PATH;
+
+    if (!ksu_is_allow_uid(current_uid().val)) {
+        return 0;
+    }
+
+    filename = getname(PT_REGS_PARM2(regs));
+
+    if (IS_ERR(filename)) {
+        return 0;
+    }
+    if (!memcmp(filename->name, su, sizeof(su))) {
+        pr_info("newfstatat su->sh!\n");
+        regs->regs[1] = sh_user_path();
+    }
+
+    return 0;
+}
+
+// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
+static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs) { 
+    struct filename* filename;
+    const char sh[] = SH_PATH;
+    const char su[] = SU_PATH;
+
+    if (!ksu_is_allow_uid(current_uid().val)) {
+        return 0;
+    }
+
+    filename = PT_REGS_PARM2(regs);
+    if (IS_ERR(filename)) {
+        return 0;
+    }
+
+    if (!memcmp(filename->name, su, sizeof(su))) { 
+        pr_info("do_execveat_common su found\n");
+        memcpy((void*) filename->name, sh, sizeof(sh));
+
+        escape_to_root(false);
+    }
+
+    return 0;
+}
+
+static struct kprobe faccessat_kp = {
+    .symbol_name = "do_faccessat",
+    .pre_handler = faccessat_handler_pre,
+};
+
+static struct kprobe newfstatat_kp = {
+    .symbol_name = "vfs_statx",
+    .pre_handler = newfstatat_handler_pre,
+};
+
+static struct kprobe execve_kp = {
+    .symbol_name = "do_execveat_common",
+    .pre_handler = execve_handler_pre,
+};
+
+// sucompat: permited process can execute 'su' to gain root access.
+void enable_sucompat() {
+    int ret;
+
+    ret = register_kprobe(&execve_kp);
+    pr_info("execve_kp: %d\n", ret);
+    ret = register_kprobe(&newfstatat_kp);
+    pr_info("newfstatat_kp: %d\n", ret);
+    ret = register_kprobe(&faccessat_kp);
+    pr_info("faccessat_kp: %d\n", ret);
+}