diff --git a/kernel/core_hook.c b/kernel/core_hook.c index 6bf11895..d03ec7a0 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -143,13 +143,15 @@ static void disable_seccomp(struct task_struct *tsk) #ifdef CONFIG_SECCOMP tsk->seccomp.mode = 0; if (tsk->seccomp.filter) { - // TODO: Add kernel 6.11+ support // 5.9+ have filter_count and use seccomp_filter_release #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) seccomp_filter_release(tsk); atomic_set(&tsk->seccomp.filter_count, 0); #else + // for 6.11+ kernel support? +#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) put_seccomp_filter(tsk); +#endif tsk->seccomp.filter = NULL; #endif } @@ -992,9 +994,19 @@ static struct security_hook_list ksu_hooks[] = { #endif }; +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0) +const struct lsm_id ksu_lsmid = { + .name = "ksu", + .id = 912, +}; +#endif + void __init ksu_lsm_hook_init(void) { -#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0) +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0) + // https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120 + security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid); +#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0) security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu"); #else // https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892 diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index 4aa92d14..431c597a 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -95,17 +95,30 @@ static inline u32 current_sid(void) bool is_ksu_domain(void) { +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + struct lsm_context ctx; +#else char *domain; u32 seclen; +#endif bool result; - +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + int err = security_secid_to_secctx(current_sid(), &ctx); +#else int err = security_secid_to_secctx(current_sid(), &domain, &seclen); +#endif + if (err) { return false; } +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0; + security_release_secctx(&ctx); +#else result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0; security_release_secctx(domain, seclen); +#endif return result; } @@ -115,18 +128,30 @@ bool is_zygote(void *sec) if (!tsec) { return false; } - +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + struct lsm_context ctx; +#else char *domain; u32 seclen; +#endif bool result; +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + int err = security_secid_to_secctx(tsec->sid, &ctx); +#else int err = security_secid_to_secctx(tsec->sid, &domain, &seclen); +#endif if (err) { return false; } +#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0) + result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0; + security_release_secctx(&ctx); +#else result = strncmp("u:r:zygote:s0", domain, seclen) == 0; security_release_secctx(domain, seclen); +#endif return result; }