fix: mark tif (#2871)
This commit is contained in:
Ylarod
ShirkNeko
@@ -261,11 +261,6 @@ bool __ksu_is_allow_uid(uid_t uid)
|
|||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (unlikely(uid == 0)) {
|
|
||||||
// already root, but only allow our domain.
|
|
||||||
return is_ksu_domain();
|
|
||||||
}
|
|
||||||
|
|
||||||
if (forbid_system_uid(uid)) {
|
if (forbid_system_uid(uid)) {
|
||||||
// do not bother going through the list if it's system
|
// do not bother going through the list if it's system
|
||||||
return false;
|
return false;
|
||||||
@@ -288,6 +283,15 @@ bool __ksu_is_allow_uid(uid_t uid)
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool __ksu_is_allow_uid_for_current(uid_t uid)
|
||||||
|
{
|
||||||
|
if (unlikely(uid == 0)) {
|
||||||
|
// already root, but only allow our domain.
|
||||||
|
return is_ksu_domain();
|
||||||
|
}
|
||||||
|
return __ksu_is_allow_uid(uid);
|
||||||
|
}
|
||||||
|
|
||||||
bool ksu_uid_should_umount(uid_t uid)
|
bool ksu_uid_should_umount(uid_t uid)
|
||||||
{
|
{
|
||||||
struct app_profile profile = { .current_uid = uid };
|
struct app_profile profile = { .current_uid = uid };
|
||||||
|
|||||||
@@ -12,9 +12,14 @@ void ksu_load_allow_list(void);
|
|||||||
|
|
||||||
void ksu_show_allow_list(void);
|
void ksu_show_allow_list(void);
|
||||||
|
|
||||||
|
// Check if the uid is in allow list
|
||||||
bool __ksu_is_allow_uid(uid_t uid);
|
bool __ksu_is_allow_uid(uid_t uid);
|
||||||
#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
|
#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
|
||||||
|
|
||||||
|
// Check if the uid is in allow list, or current is ksu domain root
|
||||||
|
bool __ksu_is_allow_uid_for_current(uid_t uid);
|
||||||
|
#define ksu_is_allow_uid_for_current(uid) unlikely(__ksu_is_allow_uid_for_current(uid))
|
||||||
|
|
||||||
bool ksu_get_allow_list(int *array, int *length, bool allow);
|
bool ksu_get_allow_list(int *array, int *length, bool allow);
|
||||||
|
|
||||||
void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
|
void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
|
||||||
|
|||||||
@@ -543,7 +543,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ksu_is_allow_uid(new_uid.val)) {
|
if (ksu_is_allow_uid_for_current(new_uid.val)) {
|
||||||
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
|
||||||
current->seccomp.filter) {
|
current->seccomp.filter) {
|
||||||
spin_lock_irq(¤t->sighand->siglock);
|
spin_lock_irq(¤t->sighand->siglock);
|
||||||
|
|||||||
@@ -31,7 +31,7 @@
|
|||||||
|
|
||||||
static int sukisu_is_su_allow_uid(uid_t uid)
|
static int sukisu_is_su_allow_uid(uid_t uid)
|
||||||
{
|
{
|
||||||
return ksu_is_allow_uid(uid) ? 1 : 0;
|
return ksu_is_allow_uid_for_current(uid) ? 1 : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int sukisu_get_ap_mod_exclude(uid_t uid)
|
static int sukisu_get_ap_mod_exclude(uid_t uid)
|
||||||
|
|||||||
@@ -227,7 +227,7 @@ static int handle_escalation_request(struct manual_su_request *request)
|
|||||||
}
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
||||||
if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid(current_uid().val))
|
if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid_for_current(current_uid().val))
|
||||||
goto allowed;
|
goto allowed;
|
||||||
|
|
||||||
char *env_token = get_token_from_envp();
|
char *env_token = get_token_from_envp();
|
||||||
|
|||||||
@@ -106,7 +106,7 @@ int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -135,7 +135,7 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -205,7 +205,7 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#if __SULOG_GATE
|
#if __SULOG_GATE
|
||||||
bool is_allowed = ksu_is_allow_uid(current_uid().val);
|
bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val);
|
||||||
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", filename->name);
|
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", filename->name);
|
||||||
|
|
||||||
if (!is_allowed) {
|
if (!is_allowed) {
|
||||||
@@ -214,7 +214,7 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
|
|||||||
|
|
||||||
ksu_sulog_report_su_attempt(current_uid().val, NULL, filename->name, is_allowed);
|
ksu_sulog_report_su_attempt(current_uid().val, NULL, filename->name, is_allowed);
|
||||||
#else
|
#else
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -249,7 +249,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#if __SULOG_GATE
|
#if __SULOG_GATE
|
||||||
bool is_allowed = ksu_is_allow_uid(current_uid().val);
|
bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val);
|
||||||
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path);
|
ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path);
|
||||||
|
|
||||||
if (!is_allowed)
|
if (!is_allowed)
|
||||||
@@ -257,7 +257,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
|||||||
|
|
||||||
ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed);
|
ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed);
|
||||||
#else
|
#else
|
||||||
if (!ksu_is_allow_uid(current_uid().val)) {
|
if (!ksu_is_allow_uid_for_current(current_uid().val)) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -294,7 +294,7 @@ int __ksu_handle_devpts(struct inode *inode)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (likely(!ksu_is_allow_uid(uid)))
|
if (likely(!ksu_is_allow_uid_for_current(uid)))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
struct inode_security_struct *sec = selinux_inode(inode);
|
struct inode_security_struct *sec = selinux_inode(inode);
|
||||||
|
|||||||
@@ -58,7 +58,7 @@ bool always_allow(void)
|
|||||||
|
|
||||||
bool allowed_for_su(void)
|
bool allowed_for_su(void)
|
||||||
{
|
{
|
||||||
bool is_allowed = is_manager() || ksu_is_allow_uid(current_uid().val);
|
bool is_allowed = is_manager() || ksu_is_allow_uid_for_current(current_uid().val);
|
||||||
#if __SULOG_GATE
|
#if __SULOG_GATE
|
||||||
ksu_sulog_report_permission_check(current_uid().val, current->comm, is_allowed);
|
ksu_sulog_report_permission_check(current_uid().val, current->comm, is_allowed);
|
||||||
#endif
|
#endif
|
||||||
@@ -233,7 +233,7 @@ static int do_uid_granted_root(void __user *arg)
|
|||||||
return -EFAULT;
|
return -EFAULT;
|
||||||
}
|
}
|
||||||
|
|
||||||
cmd.granted = ksu_is_allow_uid(cmd.uid);
|
cmd.granted = ksu_is_allow_uid_for_current(cmd.uid);
|
||||||
|
|
||||||
if (copy_to_user(arg, &cmd, sizeof(cmd))) {
|
if (copy_to_user(arg, &cmd, sizeof(cmd))) {
|
||||||
pr_err("uid_granted_root: copy_to_user failed\n");
|
pr_err("uid_granted_root: copy_to_user failed\n");
|
||||||
|
|||||||
Reference in New Issue
Block a user