Brought back the toggle of umount for zygote spawned isolated service; Synced with KernelSU main branch with latest commit 37ef0d27067d3d7e7bf07a80547a1949864789c4
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
Changes:
1. Simplified the flow of mnt_id reorder, now it happens only after all sus mounts are umounted in ksu_handle_setuid()
2. All mounts mounted by ksu process will be flagged as sus mount and allocated with a fake mnt_id/mnt_group_id
during ONLY the post-fs-data and service stage, which means other ksu mounts during/after boot-completed stage
will not be handled by susfs.
3. Renaming:
- susfs_mnt_id_ida => susfs_ksu_mnt_id_ida
- susfs_mnt_group_ida => susfs_ksu_mnt_group_ida
- DEFAULT_SUS_MNT_ID => DEFAULT_KSU_MNT_ID
- DEFAULT_SUS_MNT_GROUP_ID => DEFAULT_KSU_MNT_GROUP_ID
4. Increased the default fake mnt_id to 300000, and default fake mnt_group_id to 3000.
5. Unify susfs_is_current_non_root_user_app_proc() and susfs_is_current_proc_su_not_allowed() as susfs_is_current_proc_umounted()
Unify susfs_set_current_non_root_user_app_proc() and susfs_set_current_proc_su_not_allowed() as susfs_set_current_proc_umounted()
Unify TIF_NON_ROOT_USER_APP_PROC and TIF_PROC_SU_NOT_ALLOWED as TIF_PROC_UMOUNTED
6. Removed unused susfs_is_allow_su()
7. Reworked a custom ksu_handle_setuid() which will be used if CONFIG_KSU_SUSFS is defined
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
reorder ksu_handle_prctl checks a bit to allow non-manager to use CMD 15
this allows us to piggyback a small su to KernelSU's permission system after
disabling kernel sucompat
from:
Relax prctl perm check
- 95125c32f9
Allow prctl only for root or manager or su binary
- fa7af67d94
Refine prctl access check, allow /product/bin/su
- dd466dc1b6
Refine prctl check a little bit more
- e7c5b24efa
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: nampud <nampud@users.noreply.github.com>
`ksu handles devpts with selinux lsm hook` - aviraxp
- no, not yet, but yes we can, thats a good idea.
This change tries to do that, so instead of hooking pts_unix98_lookup or
devpts_get_priv, we just watch security_inode_permission, if its devpts,
pass it along to the original handler.
EDIT: define devpts super magic if its undefined
- yeah I aint gonna include a conditional include of a header just for this
- while we can just fully remove the macro and inline, readability loss is bad
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Since KernelSU Manager can now be built for 32-bit, theres this problematic
setup where userspace is 32-bit (armeabi-v7a) and kernel is 64bit (aarch64).
On 64-bit kernels with CONFIG_COMPAT=y, 32-bit userspace passes 32-bit pointers.
These values are interpreted as 64-bit pointers without proper casting and that
results in invalid or near-null memory access.
This patch adds proper compat-mode handling with the ff changes:
- introduce a dedicated struct (`sepol_compat_data`) using u32 fields
- use `compat_ptr()` to safely convert 32-bit user pointers to kernel pointers
- adding a runtime `ksu_is_compat` flag to dynamically select between struct layouts
This prevents a near-null pointer dereference when handling SELinux
policy updates from 32-bit ksud in a 64-bit kernel.
Truth table:
kernel 32 + ksud 32, struct is u32, no compat_ptr
kernel 64 + ksud 32, struct is u32, yes compat_ptr
kernel 64 + ksud 64, struct is u64, no compat_ptr
Preprocessor check
64BIT=y COMPAT=y: define both structs, select dynamically
64BIT=y COMPAT=n: struct u64
64BIT=n: struct u32
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
This migrates ksud execution decision-making to bprm_check_security.
This requires passing proper argv and envp to a modified _ksud handler
aptly named 'ksu_handle_bprm_ksud'.
Introduces:
int ksu_handle_bprm_ksud(const char *filename, const char *argv1,
const char *envp, size_t envp_len)
which is adapted from:
int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
struct user_arg_ptr *argv,
struct user_arg_ptr *envp,
int *flags)
ksu_handle_bprm_ksud handles all the decision making, it decides when it is
time to apply_kernelsu_rules depending if it sees "second_stage".
For LSM hook, turns out we can pull out argv and envp from mm_struct.
The code in here explains itself on how to do it.
whole blob exists on arg_start to arg_end, so we just pull it out and grab next
array after the first null terminator.
as for envp, we pass the pointer then hunt for it when needed
My reasoning on adding a fallback on usercopy is that on some devices a fault
happens, and it copies garbled data. On my creation of this, I actually had to lock
that _nofault copy on a spinlock as a way to mimic preempt_disable/enable without
actually doing it. As per user reports, no failed _nofault copies anyway but we
have-to-have a fallback for resilience.
References:
- old version1 6efcd8193e
- old version2 37d5938e66
- bad usercopy #21
This now provides a small helper function, ksu_copy_from_user_retry, which explains
itself. First we attempt a _nofault copy, if that fails, we try plain.
With that, It also provides an inlined copy_from_user_nofault for < 5.8.
While using strncpy_from_user_nofault was considered, this wont do, this will
only copy up to the first \0.
devlog:
16e5dce9e7...16c1f5f52128642e60d7...728de0c571
References:
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/mm_types.h#L429https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/lsm_hooks.h
Stale: https://github.com/tiann/KernelSU/pull/2653
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Rethink about this patch, isolated process which directly forks from
zygote is just like normal app, so there is no reason apps won't crash
but Isolated process will. Also zygote reopens fd before actually fork,
so it should be fine.
This reverts commit 2a1741de96a789957555053cf5a397cbef1eb3e4.
* On newer kernel for some reason -Wno-strict-prototypes still does not fix the errors or warnings.
* To fix it, we just need to add void type.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
- In order to reduce the extra patch code and increase the rate of hunk succeed, we do not rename the symbols in KernelSU drvier but instead do it all in kernel/kallsym.c
- Make susfs_starts_with() global as it maybe useful in future
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
* path_umount pretty much guaranteed to work as is, so it would not need
much logging.
Unlike sys_umount which is an alternative to path_umount for older kernel, so, sys_umount need constant logging.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
Tracepoint is a predefined hook point in the kernel, compared to Kprobe,
it is more stable and has lower performance overhead, although compatibility
is relatively poor, it is still worth trying
By the way, we have also included the config definitions related to hook types
in Kconfig, to enhance cleanliness
These patches is based on https://github.com/backslashxx/KernelSU/issues/5
Co-authored-by: Cloud_Yun <1770669041@qq.com>
Co-authored-by: Prslc <prslc113@gmail.com>
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
kernel & KernelSU & ksu_susfs: Temp fix for avc log message being leaked by logd and added new toggle for enabling or disabling avc log spoofing
- See full details:
https://android-review.googlesource.com/c/platform/system/logging/+/3725346/2https://github.com/aviraxp/ZN-AuditPatch
- Since spoofing avc log in kernel may make things harder when users trying to debug with some permission issues or selinux issues, so thats why the toggle is created here and this is just a temp fix implemented in kernel side
- usage: ksu_susfs enable_avc_log_spoofing <0|1>
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
- When path is added via add_sus_path_loop, the path will be re-flagged as SUS_PATH on each non-root user app or isolated service starts,
this may address some issues that the added path via add_sus_path getting its inode status reset or inode re-created in kernel for whatever reason.
- Please also note that only path NOT inside /storage/ and /sdcard/ can be added via add_sus_path_loop.
- usage: ksu_susfs add_sus_path_loop </path/that/is/not/inside/sdcard/>
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
1. kernel & KernelSU: More optimization for SUS_SU mode 2 (Experimental)
2. Always flag zygote spawned isolated service as non-root user app process and no su allowed process
3. Change susfs_fake_qstr_name, shorter length
4. KernelSU: SUS_SU: Initiate path with 0 and no memset is needed
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
kernel & KernelSU: Replace kabi member susfs_task_state of tast_struct and use tast_struct->thread_info.flags instead; Fix for sus_path not working on some OEM devices; KSU_SUSFS requires CONFIG_THREAD_INFO_IN_TASK now;
- Since the kabi member is not guaranteed to be unused by OEM, that is why some deivces may conflict with the kabi member added by susfs, we should use less kabi member as much as possible.
- Luckily we have task_struct->thread_info that is enabled by all gki kernels just like kprobes, so we can utilize thread_info->flags for faster check, but it needs CONFIG_THREAD_INFO_IN_TASK to be on which should always be enabled
- Big thanks to fatalcoder524 (https://github.com/fatalcoder524) who did an excellent debug process for me
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
- This simplies the logic in ksu_susfs tool, and it should be more convenient for some ksu manager variants that integrate susfs since they can just pass the char buffer and its size to get the result now, which means they no longer need to update the bit value each time a new susfs features deprecated or added.
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
kernel & KernelSU: Added switch for enabling/disabling umount for zygote spawned isolated service process
- Some modules that overlay sysyem files like framework or other overlay apk may crash when all iso services are umounted by susfs, so a switch is made here for users to switch on/off this funtion at anytime when they need it or want to test it
- By default it is disabled in kernel, run "ksu_susfs umount_for_zygote_iso_service <0|1>" to switch on/off the function in userspace
- Also user can create new file to "/data/adb/susfs_umount_for_zygote_iso_service" to enable it in kernel on each boot
- Alternatively, disable this function and use other modules to handle the umount for iso services until a better solution is found
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
* Since it's interceptable from LSM Hook,
then we just need to remove ksu_handle_devpts and
make a decoy for it.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
Use strscpy()/strlcpy() to populate the version buffer in CMD_GET_FULL_VERSION
instead of relying on uninitialized memory. This ensures the returned string
is null-terminated and avoids exposing garbage data to user space.
Signed-off-by: schqiushui <orochi9999@gmail.com>
