fix: mark tif (#2871)
This commit is contained in:
Ylarod
ShirkNeko
@@ -261,11 +261,6 @@ bool __ksu_is_allow_uid(uid_t uid)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (unlikely(uid == 0)) {
|
||||
// already root, but only allow our domain.
|
||||
return is_ksu_domain();
|
||||
}
|
||||
|
||||
if (forbid_system_uid(uid)) {
|
||||
// do not bother going through the list if it's system
|
||||
return false;
|
||||
@@ -288,6 +283,15 @@ bool __ksu_is_allow_uid(uid_t uid)
|
||||
return false;
|
||||
}
|
||||
|
||||
bool __ksu_is_allow_uid_for_current(uid_t uid)
|
||||
{
|
||||
if (unlikely(uid == 0)) {
|
||||
// already root, but only allow our domain.
|
||||
return is_ksu_domain();
|
||||
}
|
||||
return __ksu_is_allow_uid(uid);
|
||||
}
|
||||
|
||||
bool ksu_uid_should_umount(uid_t uid)
|
||||
{
|
||||
struct app_profile profile = { .current_uid = uid };
|
||||
|
||||
@@ -12,9 +12,14 @@ void ksu_load_allow_list(void);
|
||||
|
||||
void ksu_show_allow_list(void);
|
||||
|
||||
// Check if the uid is in allow list
|
||||
bool __ksu_is_allow_uid(uid_t uid);
|
||||
#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
|
||||
|
||||
// Check if the uid is in allow list, or current is ksu domain root
|
||||
bool __ksu_is_allow_uid_for_current(uid_t uid);
|
||||
#define ksu_is_allow_uid_for_current(uid) unlikely(__ksu_is_allow_uid_for_current(uid))
|
||||
|
||||
bool ksu_get_allow_list(int *array, int *length, bool allow);
|
||||
|
||||
void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
|
||||
|
||||
@@ -543,7 +543,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ksu_is_allow_uid(new_uid.val)) {
|
||||
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||
current->seccomp.filter) {
|
||||
spin_lock_irq(¤t->sighand->siglock);
|
||||
|
||||
@@ -31,7 +31,7 @@
|
||||
|
||||
static int sukisu_is_su_allow_uid(uid_t uid)
|
||||
{
|
||||
return ksu_is_allow_uid(uid) ? 1 : 0;
|
||||
return ksu_is_allow_uid_for_current(uid) ? 1 : 0;
|
||||
}
|
||||
|
||||
static int sukisu_get_ap_mod_exclude(uid_t uid)
|
||||
|
||||
@@ -227,7 +227,7 @@ static int handle_escalation_request(struct manual_su_request *request)
|
||||
}
|
||||
rcu_read_unlock();
|
||||
|
||||
if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid(current_uid().val))
|
||||
if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid_for_current(current_uid().val))
|
||||
goto allowed;
|
||||
|
||||
char *env_token = get_token_from_envp();
|
||||
|
||||
@@ -106,7 +106,7 @@ int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -135,7 +135,7 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -205,7 +205,7 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
|
||||
return 0;
|
||||
|
||||
#if __SULOG_GATE
|
||||
bool is_allowed = ksu_is_allow_uid(current_uid().val);
|
||||
bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val);
|
||||
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", filename->name);
|
||||
|
||||
if (!is_allowed) {
|
||||
@@ -214,7 +214,7 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
|
||||
|
||||
ksu_sulog_report_su_attempt(current_uid().val, NULL, filename->name, is_allowed);
|
||||
#else
|
||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
@@ -249,7 +249,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
||||
return 0;
|
||||
|
||||
#if __SULOG_GATE
|
||||
bool is_allowed = ksu_is_allow_uid(current_uid().val);
|
||||
bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val);
|
||||
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path);
|
||||
|
||||
if (!is_allowed)
|
||||
@@ -257,7 +257,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
||||
|
||||
ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed);
|
||||
#else
|
||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
||||
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
@@ -294,7 +294,7 @@ int __ksu_handle_devpts(struct inode *inode)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (likely(!ksu_is_allow_uid(uid)))
|
||||
if (likely(!ksu_is_allow_uid_for_current(uid)))
|
||||
return 0;
|
||||
|
||||
struct inode_security_struct *sec = selinux_inode(inode);
|
||||
|
||||
@@ -58,7 +58,7 @@ bool always_allow(void)
|
||||
|
||||
bool allowed_for_su(void)
|
||||
{
|
||||
bool is_allowed = is_manager() || ksu_is_allow_uid(current_uid().val);
|
||||
bool is_allowed = is_manager() || ksu_is_allow_uid_for_current(current_uid().val);
|
||||
#if __SULOG_GATE
|
||||
ksu_sulog_report_permission_check(current_uid().val, current->comm, is_allowed);
|
||||
#endif
|
||||
@@ -233,7 +233,7 @@ static int do_uid_granted_root(void __user *arg)
|
||||
return -EFAULT;
|
||||
}
|
||||
|
||||
cmd.granted = ksu_is_allow_uid(cmd.uid);
|
||||
cmd.granted = ksu_is_allow_uid_for_current(cmd.uid);
|
||||
|
||||
if (copy_to_user(arg, &cmd, sizeof(cmd))) {
|
||||
pr_err("uid_granted_root: copy_to_user failed\n");
|
||||
|
||||
Reference in New Issue
Block a user