kernel: add initial 6.8+/6.14 kernel support

* This is a squashed of un-merged pull requests of Official KernelSU
* LKM support are not available.
* Require this additional patch to avoid kernel panic because of "Too many LSMs registered":
7042991a5c

* Un-merged pull requests of Official KernelSU:
https://github.com/tiann/KernelSU/pull/1785
https://github.com/tiann/KernelSU/pull/2662

* This commit probably not 100% completed.

Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>

kernel/core_hook.c

@@ -143,13 +143,15 @@ static void disable_seccomp(struct task_struct *tsk)
 #ifdef CONFIG_SECCOMP
 	tsk->seccomp.mode = 0;
 	if (tsk->seccomp.filter) {
-	// TODO: Add kernel 6.11+ support
 	// 5.9+ have filter_count and use seccomp_filter_release
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 		seccomp_filter_release(tsk);
 		atomic_set(&tsk->seccomp.filter_count, 0);
 #else
+	// for 6.11+ kernel support?
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 		put_seccomp_filter(tsk);
+#endif
 		tsk->seccomp.filter = NULL;
 #endif
 	}
@@ -992,9 +994,19 @@ static struct security_hook_list ksu_hooks[] = {
 #endif
 };
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+const struct lsm_id ksu_lsmid = {
+	.name = "ksu",
+	.id = 912,
+};
+#endif
+
 void __init ksu_lsm_hook_init(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+	// https://elixir.bootlin.com/linux/v6.8/source/include/linux/lsm_hooks.h#L120
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
 #else
 	// https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892

kernel/selinux/selinux.c

@@ -95,17 +95,30 @@ static inline u32 current_sid(void)
 
 bool is_ksu_domain(void)
 {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	struct lsm_context ctx;
+#else
 	char *domain;
 	u32 seclen;
+#endif
 	bool result;
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	int err = security_secid_to_secctx(current_sid(), &ctx);
+#else
 	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+#endif
+
 	if (err) {
 		return false;
 	}
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+	security_release_secctx(&ctx);
+#else
 	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
 	security_release_secctx(domain, seclen);
+#endif
 	return result;
 }
 
@@ -115,18 +128,30 @@ bool is_zygote(void *sec)
 	if (!tsec) {
 		return false;
 	}
-
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	struct lsm_context ctx;
+#else
 	char *domain;
 	u32 seclen;
+#endif
 	bool result;
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	int err = security_secid_to_secctx(tsec->sid, &ctx);
+#else
 	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
+#endif
 	if (err) {
 		return false;
 	}
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 14, 0)
+	result = strncmp("u:r:zygote:s0", ctx.context, ctx.len) == 0;
+	security_release_secctx(&ctx);
+#else
 	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
 	security_release_secctx(domain, seclen);
+#endif
 	return result;
 }