* path_umount pretty much guaranteed to work as is, so it would not need
much logging.
Unlike sys_umount which is an alternative to path_umount for older kernel, so, sys_umount need constant logging.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
upstream used IS_ERR to check for negative return and that is int,
so correct it.
This is one headache for old compilers.
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
* Much cleaner code, although setenforce is not used anymore
* Guard is_ksu_transition only for 4.19 and under.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
* Following the advice that was given by member in rksu group, by replacing ALL to untrusted_app.
$ /system/bin/stat /proc/1
Result:
08-15 14:57:54.370 20062 20062 W stat : type=1400 audit(0.0:9564): avc: denied { getattr } for path="/proc/1" dev="proc" ino=12308 scontext=u:r:untrusted_app_27:s0:c27,c258,c512,c768 tcontext=u:r:init:s0 tclass=dir permissive=0 app=com.termux
(issue
438bd5f#commitcomment-163785768)
Test: Checker pass.
* Any issue? Let me know.
Tested-by: rsuntk <rsuntk@yukiprjkt.my.id>
Co-authored-by: rsuntk <rsuntk@yukiprjkt.my.id>
Tracepoint is a predefined hook point in the kernel, compared to Kprobe,
it is more stable and has lower performance overhead, although compatibility
is relatively poor, it is still worth trying
By the way, we have also included the config definitions related to hook types
in Kconfig, to enhance cleanliness
These patches is based on https://github.com/backslashxx/KernelSU/issues/5
Co-authored-by: Cloud_Yun <1770669041@qq.com>
Co-authored-by: Prslc <prslc113@gmail.com>
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
get_policydb() uses rcu_dereference() to read pointers to selinux_state.policy.
But in the SELinux implementation, these pointers are assigned once during
initialization and never changed with rcu_assign_pointer(), rendering the
rcu_dereference() call in get_policydb() completely useless. This just adds
unwanted overhead and implies concurrency pattern that is not even present in
the kernel.
Therefore, read the pointers directly since it's safe.
* selinux_state.ss needs more context.
Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
Currently, handle_sepolicy() holds an RCU read lock across the entire
function including calls to strncpy_from_user() which can sleep, which
is illegal in RCU semantics.
This triggers the following warning when the kernel is compiled with
CONFIG_DEBUG_ATOMIC_SLEEP enabled:
[ 8.526345] BUG: sleeping function called from invalid context at lib/strncpy_from_user.c:40
[ 8.526349] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 683, name: ksud
[ 8.526351] preempt_count: 0, expected: 0
[ 8.526352] RCU nest depth: 1, expected: 0
[ 8.526354] 1 lock held by ksud/683:
[ 8.526355] #0: ffffffe013e1b970 (rcu_read_lock){....}, at: handle_sepolicy+0xe4/0xaa0
[ 8.526365] CPU: 6 PID: 683 Comm: ksud Tainted: G W 5.4.289-Scarlet-v2.2-beta2 #1
[ 8.526366] Hardware name: redwood based Qualcomm Technologies, Inc. SM7325 (DT)
[ 8.526367] Call trace:
[ 8.526371] dump_backtrace+0x0/0x1c0
[ 8.526374] dump_stack+0x90/0xcc
[ 8.526376] __might_sleep+0x1a0/0x200
[ 8.526378] __might_fault+0x28/0x40
[ 8.526381] strncpy_from_user+0xac/0x300
[ 8.526383] handle_sepolicy+0x588/0xaa0
[ 8.526385] ksu_handle_prctl+0x368/0xd60
[ 8.526386] ksu_task_prctl+0xc/0x20
[ 8.526389] security_task_prctl+0x5c/0xa0
[ 8.526391] __arm64_sys_prctl+0x58/0x7e0
[ 8.526393] do_el0_svc+0x68/0x120
[ 8.526394] el0_sync_handler+0x11c/0x1c0
[ 8.526395] el0_sync+0x140/0x180
To fix this, replace the rcu_read_lock() with the `ksu_rules` mutex_lock()
introduced with commit 9014c663d1eb4 ("kernel: selinux: rules: Fix illegal RCU
lock usage in apply_kernelsu_rules()") which allows sleeping.
This mutex_lock() ensures mutual exclusion between threads invoking dynamic
policy modifications via handle_sepolicy() and those applying KernelSU rules
via apply_kernelsu_rules(), both of which access the policydb structure through
get_policydb().
Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
* We got a splat related to atomic sleep.
* The trace is from strncpy_from_user and might_fault
Same case:
e47115e009
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
kernel & KernelSU & ksu_susfs: Temp fix for avc log message being leaked by logd and added new toggle for enabling or disabling avc log spoofing
- See full details:
https://android-review.googlesource.com/c/platform/system/logging/+/3725346/2https://github.com/aviraxp/ZN-AuditPatch
- Since spoofing avc log in kernel may make things harder when users trying to debug with some permission issues or selinux issues, so thats why the toggle is created here and this is just a temp fix implemented in kernel side
- usage: ksu_susfs enable_avc_log_spoofing <0|1>
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
- There must be a reason for doing [sizeof(su) + 1 ] wthin the syscall handlers in the original sucompat.c but I dont know why, but it does fix the bootloop for some devices.
- I will be shocked if sizeof(su) produces different result on different kernel, since it works on pixel8 and no bootloops whatsoever.
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
- When path is added via add_sus_path_loop, the path will be re-flagged as SUS_PATH on each non-root user app or isolated service starts,
this may address some issues that the added path via add_sus_path getting its inode status reset or inode re-created in kernel for whatever reason.
- Please also note that only path NOT inside /storage/ and /sdcard/ can be added via add_sus_path_loop.
- usage: ksu_susfs add_sus_path_loop </path/that/is/not/inside/sdcard/>
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
1. kernel & KernelSU: More optimization for SUS_SU mode 2 (Experimental)
2. Always flag zygote spawned isolated service as non-root user app process and no su allowed process
3. Change susfs_fake_qstr_name, shorter length
4. KernelSU: SUS_SU: Initiate path with 0 and no memset is needed
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
kernel & KernelSU: Replace kabi member susfs_task_state of tast_struct and use tast_struct->thread_info.flags instead; Fix for sus_path not working on some OEM devices; KSU_SUSFS requires CONFIG_THREAD_INFO_IN_TASK now;
- Since the kabi member is not guaranteed to be unused by OEM, that is why some deivces may conflict with the kabi member added by susfs, we should use less kabi member as much as possible.
- Luckily we have task_struct->thread_info that is enabled by all gki kernels just like kprobes, so we can utilize thread_info->flags for faster check, but it needs CONFIG_THREAD_INFO_IN_TASK to be on which should always be enabled
- Big thanks to fatalcoder524 (https://github.com/fatalcoder524) who did an excellent debug process for me
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
- This simplies the logic in ksu_susfs tool, and it should be more convenient for some ksu manager variants that integrate susfs since they can just pass the char buffer and its size to get the result now, which means they no longer need to update the bit value each time a new susfs features deprecated or added.
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
Revise the explanation for KSU_MULTI_MANAGER_SUPPORT
Change-Id: I097b4e0d1a30c02fadd75d4123c7bcf346782f18
Signed-off-by: WenHao2130 <wenhao2130@outlook.com>
kernel & KernelSU: Added switch for enabling/disabling umount for zygote spawned isolated service process
- Some modules that overlay sysyem files like framework or other overlay apk may crash when all iso services are umounted by susfs, so a switch is made here for users to switch on/off this funtion at anytime when they need it or want to test it
- By default it is disabled in kernel, run "ksu_susfs umount_for_zygote_iso_service <0|1>" to switch on/off the function in userspace
- Also user can create new file to "/data/adb/susfs_umount_for_zygote_iso_service" to enable it in kernel on each boot
- Alternatively, disable this function and use other modules to handle the umount for iso services until a better solution is found
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
* Since it's interceptable from LSM Hook,
then we just need to remove ksu_handle_devpts and
make a decoy for it.
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
When kernel is compiled with CONFIG_DEBUG_ATOMIC_SLEEP enabled, it prints
the following splat in dmesg during post boot:
[ 6.739169] init: Opening SELinux policy
[ 6.751520] init: Loading SELinux policy
[ 6.894684] SELinux: policy capability network_peer_controls=1
[ 6.894688] SELinux: policy capability open_perms=1
[ 6.894690] SELinux: policy capability extended_socket_class=1
[ 6.894691] SELinux: policy capability always_check_network=0
[ 6.894693] SELinux: policy capability cgroup_seclabel=0
[ 6.894695] SELinux: policy capability nnp_nosuid_transition=1
[ 7.214323] selinux: SELinux: Loaded file context from:
[ 7.214332] selinux: /system/etc/selinux/plat_file_contexts
[ 7.214339] selinux: /system_ext/etc/selinux/system_ext_file_contexts
[ 7.214345] selinux: /product/etc/selinux/product_file_contexts
[ 7.214350] selinux: /vendor/etc/selinux/vendor_file_contexts
[ 7.214356] selinux: /odm/etc/selinux/odm_file_contexts
[ 7.216398] KernelSU: /system/bin/init argc: 2
[ 7.216401] KernelSU: /system/bin/init first arg: second_stage
[ 7.216403] KernelSU: /system/bin/init second_stage executed
[ 7.216506] BUG: sleeping function called from invalid context at security/selinux/ss/hashtab.c:47
[ 7.216512] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 1, name: init
[ 7.216516] preempt_count: 0, expected: 0
[ 7.216518] RCU nest depth: 1, expected: 0
[ 7.216524] CPU: 6 PID: 1 Comm: init Not tainted 5.4.289-Scarlet-v2.0-beta3 #1
[ 7.216526] Hardware name: redwood based Qualcomm Technologies, Inc. SM7325 (DT)
[ 7.216528] Call trace:
[ 7.216536] dump_backtrace+0x0/0x210
[ 7.216539] show_stack+0x14/0x20
[ 7.216544] dump_stack+0x9c/0xec
[ 7.216548] __might_resched+0x1f0/0x210
[ 7.216552] hashtab_insert+0x38/0x230
[ 7.216557] add_type+0xd4/0x2e0
[ 7.216559] ksu_type+0x24/0x60
[ 7.216562] apply_kernelsu_rules+0xa8/0x650
[ 7.216565] ksu_handle_execveat_ksud+0x2a8/0x460
[ 7.216568] ksu_handle_execveat+0x2c/0x60
[ 7.216571] __arm64_sys_execve+0xe8/0xf0
[ 7.216574] el0_svc_common+0xf4/0x1a0
[ 7.216577] do_el0_svc+0x2c/0x40
[ 7.216579] el0_sync_handler+0x18c/0x200
[ 7.216582] el0_sync+0x140/0x180
This is because apply_kernelsu_rules() uses rcu_read_lock() to protect
SELinux policy modifications. However, cond_resched() from
hashtab_insert() at security/selinux/ss/hashtab.c is internally called
and it sleeps which is illegal under an RCU read-side critical section.
While replacing it with a spinlock would suppress the warning, this is
fundamentally incorrect because sleeping is illegal while holding a
spinlock and spinlock would turn off preemption which isn't an ideal
solution since it intentionally turns off rescheduling, and can lead
to deadlocks.
Instead, replace the RCU lock with a mutex lock. Mutex lock allows
sleeping when necessary, which is appropriate here because
apply_kernelsu_rules() runs in process context, not in atomic or
interrupt context. As apply_kernelsu_rules() is invoked only once during
post boot (SYSTEM_RUNNING), the mutex lock does not introduce any major
runtime performance regression and provides correct synchronization.
Fixes: tiann#2637
Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
Use strscpy()/strlcpy() to populate the version buffer in CMD_GET_FULL_VERSION
instead of relying on uninitialized memory. This ensures the returned string
is null-terminated and avoids exposing garbage data to user space.
Signed-off-by: schqiushui <orochi9999@gmail.com>
