Otherwise we will rewrite paths for filenames that begins with
`/system/bin/su`.
This fix copies one extra byte from userspace filename so that when we
encounter filenames like `/system/bin/suasf`,
`/system/bin/su\0` gets compared with `/system/bin/sua`, which correctly
prevents the `su -> sh` path rewriting.
Close#957
According to the instructions in Kconfig, when the `CONFIG_KSU_DEBUG`
option is turned on, KernelSU will run in `debug mode` instead of the
`debug version` mentioned in kernel/ksu.c.
Basic support for the case that init_task.mnt_ns != zygote.mnt_ns(WSA),
just copy nsproxy and fs pointers for solve #276.
Note the copy in `apk_sign.c` is not required but suggested for
secure(ensure the checked mnt_ns is what ns android running, not created
by user, although many distributions does not have user ns.).
Tested with latest release on Win10 19045.3086(with WSAPatch).
Further review required for:
- [x] Security of this operation (without locking).
- [x] The impact of these modifications on other Android distributions.
This patch modifies the following:
- Move the version addition logic in ksu.h to Makefile processing
- Print the current version number of KernelSU during make build
build test (normal):
buildlog:
HOSTCC scripts/basic/bin2c Using .. as source for kernel -- KernelSU
version: 11055
CHK include/generated/utsrelease.h
UPD include/generated/utsrelease.h
KernelSU software:
KernelSU Working Version: 11055 (v) Superusers: 0 Modules: 0
build test (missing .git file):
buildlog:
HOSTCC scripts/basic/bin2c Using .. as source for kernel
../drivers/kernelsu/Makefile:23: "KSU_GIT_VERSION not defined! It is
better to make KernelSU a git submodule!"
CHK include/generated/utsrelease.h
CHK scripts/mod/devicetable-offsets.h
KernelSU software:
KernelSU Working Version: 16 (v) Superusers: 0 Modules: 0
The current kernel version 16 is too low for the manager to function
properly. Please upgrade to version 10977 or higher!
(cherry picked from commit 0c38a1614a77d80de752aba20908e3f9d21660a8)
Change-Id: I570f2ee33db224e1a36770f847137f290ba9bcfd
Co-authored-by: stic-server-open <1138705738@qq.com>
Hi @tiann.
Thanks for the great project, I had great fun playing around with it.
This PR mainly tries to further minimize the possible delays caused by
KernelSU hooking.
There are 3 major changes:
- Processes with 0 < UID < 2000 are blocked straight-up before going
through the allow_list.
I don't see any need for such processes to be interested in root, and
this allows returning early before going through a more expensive
lookup.
If there's an expected breakage due to this change, I'll remove it. Let
me know.
- A page-sized (4K) bitmap is added.
This allows O(1) lookup for UID <= 32767.
This speeds up `ksu_is_allow_uid()` by about 4.8x by sacrificing a 4K
memory. IMHO, a good trade-off.
Most notably, this reduces the 99.999% result previously from worrying
milliseconds scale to microseconds scale.
For UID > 32767, another page-sized (4K) sequential array is used to
cache allow_list.
Compared to the previous PR #557, this new approach gives another nice
25% performance boost in average, 63-96% boost in worst cases.
Benchmark results are available at
https://docs.google.com/spreadsheets/d/1w_tO1zRLPNMFRer49pL1TQfL6ndEhilRrDU1XFIcWXY/edit?usp=sharing
Thanks!
---------
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
- Seen with Linux 4.14 kernel with error message:
In file included from ../drivers/android/kernelsu/selinux/sepolicy.c:1:
In file included from ../drivers/android/kernelsu/selinux/sepolicy.h:6:
In file included from ../security/selinux/ss/policydb.h:30: In file
included from ../security/selinux/ss/avtab.h:26:
../security/selinux/include/security.h:240:10: error: use of undeclared
identifier 'EIDRM'
return -EIDRM;
^
CC drivers/base/transport_class.o
CC kernel/rcu/update.o
../security/selinux/include/security.h:246:10: error: use of undeclared
identifier 'ENOENT'
return -ENOENT;
^
