Commit Graph

162 Commits

Author SHA1 Message Date
ShirkNeko
ccc5cb74bf kernel: core_hook: intercept devpts via security_inode_permission LSM
`ksu handles devpts with selinux lsm hook` - aviraxp

- no, not yet, but yes we can, that's a good idea.

This change tries to do that, so instead of hooking pts_unix98_lookup or
devpts_get_priv, we just watch security_inode_permission, if it's devpts,
pass it along to the original handler.

EDIT: define devpts super magic if it's undefined
- yeah I ain't gonna include a conditional include of a header just for this
- while we can just fully remove the macro and inline, readability loss is bad

Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-09-24 22:17:12 +08:00
backslashxx
c64d196a10 kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels
Since KernelSU Manager can now be built for 32-bit, there's this problematic
setup where userspace is 32-bit (armeabi-v7a) and kernel is 64-bit (aarch64).

On 64-bit kernels with CONFIG_COMPAT=y, 32-bit userspace passes 32-bit pointers.
These values are interpreted as 64-bit pointers without proper casting and that
results in invalid or near-null memory access.

This patch adds proper compat-mode handling with the ff changes:
- introduce a dedicated struct (`sepol_compat_data`) using u32 fields
- use `compat_ptr()` to safely convert 32-bit user pointers to kernel pointers
- adding a runtime `ksu_is_compat` flag to dynamically select between struct layouts

This prevents a near-null pointer dereference when handling SELinux
policy updates from 32-bit ksud in a 64-bit kernel.

Truth table:

kernel 32 + ksud 32, struct is u32, no compat_ptr
kernel 64 + ksud 32, struct is u32, yes compat_ptr
kernel 64 + ksud 64, struct is u64, no compat_ptr

Preprocessor check

64BIT=y COMPAT=y: define both structs, select dynamically
64BIT=y COMPAT=n: struct u64
64BIT=n: struct u32

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-09-22 23:01:38 +08:00
backslashxx
c690d9c02c ksud: migrate ksud execution to security_bprm_check (tiann#2653)
This migrates ksud execution decision-making to bprm_check_security.
This requires passing proper argv and envp to a modified _ksud handler
aptly named 'ksu_handle_bprm_ksud'.

Introduces:
    int ksu_handle_bprm_ksud(const char *filename, const char *argv1,
                             const char *envp, size_t envp_len)

which is adapted from:
    int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
                                 struct user_arg_ptr *argv,
                                 struct user_arg_ptr *envp,
                                 int *flags)

ksu_handle_bprm_ksud handles all the decision making, it decides when it is
time to apply_kernelsu_rules depending if it sees "second_stage".

For LSM hook, turns out we can pull out argv and envp from mm_struct.
The code in here explains itself on how to do it.

whole blob exists on arg_start to arg_end, so we just pull it out and grab next
array after the first null terminator.

as for envp, we pass the pointer then hunt for it when needed

My reasoning on adding a fallback on usercopy is that on some devices a fault
happens, and it copies garbled data. On my creation of this, I actually had to lock
that _nofault copy on a spinlock as a way to mimic preempt_disable/enable without
actually doing it. As per user reports, no failed _nofault copies anyway but we
have-to-have a fallback for resilience.

References:
- old version1 6efcd8193e
- old version2 37d5938e66
- bad usercopy #21

This now provides a small helper function, ksu_copy_from_user_retry, which explains
itself. First we attempt a _nofault copy, if that fails, we try plain.

With that, it also provides an inlined copy_from_user_nofault for < 5.8.

While using strncpy_from_user_nofault was considered, this won't do, this will
only copy up to the first \0.

devlog:
16e5dce9e7...16c1f5f521
28642e60d7...728de0c571

References:
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/mm_types.h#L429
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/lsm_hooks.h

Stale: https://github.com/tiann/KernelSU/pull/2653

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-09-22 23:01:38 +08:00
ShirkNeko
cc1c66bb6f Add UID scanner functionality and related infrastructure
- Introduced a new module `uid_scanner` in userspace for managing UID scanning.
- Created a new GitHub Actions workflow for building the `user_scanner`.
- Implemented kernel communication in `throne_comm.c` and `throne_comm.h` to handle user space updates and rescan requests.
- Developed the `uid_scanner` daemon in C to scan user directories and manage UID whitelists.
- Added configuration management for the UID scanner with support for multiple users and auto-scanning.
- Implemented logging and error handling throughout the UID scanning process.
- Created necessary build files for the `user_scanner` JNI integration.
- Added a `.gitignore` file to exclude build artifacts.
2025-09-19 21:01:01 +08:00
Wang Han
695e749e3e Unmount isolated process which forks from zygote unconditionally (#2747)
Rethink about this patch, isolated process which directly forks from
zygote is just like normal app, so there is no reason apps won't crash
but Isolated process will. Also zygote reopens fd before actually fork,
so it should be fine.

This reverts commit 2a1741de96a789957555053cf5a397cbef1eb3e4.
2025-09-17 20:01:38 +08:00
rsuntk
9b37ec4a84 kernel: stop intercepting devpts inode permission via LSM
* Somehow, it just does not work properly. (sometimes)

Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
2025-09-04 16:25:27 +08:00
ShirkNeko
da164ebeed kernel: Modified dynamic signature All files have been renamed to the correct names: Dynamic Manager 2025-08-24 11:00:17 +08:00
ShirkNeko
6bb83fdb07 kernel: Add KSU_MANUAL_HOOK configuration for manual KernelSU syscall hooking 2025-08-15 23:00:11 +08:00
ShirkNeko
6b2bf23946 [skip ci]kernel: Add support for ksu_devpts_hook handling in ksu tracepoints 2025-08-15 10:32:23 +08:00
ShirkNeko
dbc662486b Fix correct hook type acquisition 2025-08-14 23:18:21 +08:00
ShirkNeko
49b01aad74 kernel: Introducing Tracepoint Hook Type Support
Tracepoint is a predefined hook point in the kernel, compared to Kprobe,
it is more stable and has lower performance overhead, although compatibility
is relatively poor, it is still worth trying

By the way, we have also included the config definitions related to hook types
in Kconfig, to enhance cleanliness

Improve and merge types that do not require hooks

Introducing the hook type prctl

These patches are based on https://github.com/backslashxx/KernelSU/issues/5

Co-authored-by: Cloud_Yun <1770669041@qq.com>
Co-authored-by: Prslc <prslc113@gmail.com>
Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>

Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
2025-08-14 22:17:02 +08:00
ShirkNeko
7e7d2a28af kernel: Clean up the Dynamic Signature Manager related functionality, removing unnecessary rescanning logic 2025-08-02 16:28:52 +08:00
ShirkNeko
bf5a8a8909 kernel: optimize dynamic signature operation, enhance error recovery capability
- Add timeout protection for multi-manager APK verification.
2025-08-01 16:55:13 +08:00
ShirkNeko
c42b4ffe4b kernel: fix dynamic signature rescan functionality and update related handlers 2025-07-29 11:49:36 +08:00
YangQi0408
39ee1cc41d kernel: core_hook: add support for KernelNoSU (#270)
reorder ksu_handle_prctl checks a bit to allow non-manager to use CMD 15
this allows us to piggyback a small su to KernelSU's permission system after
disabling kernel sucompat

from:
Relax prctl perm check
- 95125c32f9
Allow prctl only for root or manager or su binary
- fa7af67d94
Refine prctl access check, allow /product/bin/su
- dd466dc1b6
Refine prctl check a little bit more
- e7c5b24efa

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: nampud <nampud@users.noreply.github.com>
2025-07-14 15:24:48 +08:00
ShirkNeko
2bd6929d24 manager: Add the ability to get a list of active managers 2025-07-06 00:26:42 +08:00
ShirkNeko
dd6d695020 kernel: Add Dynamic Signature Configuration 2025-07-05 16:21:29 +08:00
古塵
4532bab230 kernel: refactor CMD_GET_FULL_VERSION to safely initialize version string (#220)
Use strscpy()/strlcpy() to populate the version buffer in CMD_GET_FULL_VERSION
instead of relying on uninitialized memory. This ensures the returned string
is null-terminated and avoids exposing garbage data to user space.

Signed-off-by: schqiushui <orochi9999@gmail.com>
2025-06-27 10:42:38 +08:00
ShirkNeko
2c2698f6bc kernel: Rewrite kernel version code management
Co-authored-by: lamadaemon <i@lama.icu>
Signed-off-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
2025-06-24 23:16:16 +08:00
rsuntk
483a39c7ac kernel: core_hook: fix refcount leaks on try_umount (#2635)
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-19 18:28:21 +08:00
Wang Han
1bac30930f Switch to prepare_creds/commit_creds
Update API as per kernel doc recommends, also fix setup_groups refcount
leak while at it.
2025-06-10 23:39:08 +08:00
ShirkNeko
8f4c58c4c3 [skip ci]: kernel: simplify KPM enabled check in ksu_handle_prctl 2025-05-24 15:25:54 +08:00
rsuntk
7e88e9648f kernel: guard nuke_ext4_sysfs
Rather than using depends on / select,
i just prefer this way, although, yes, it is
an ifdef hell.

Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
2025-05-24 15:05:44 +08:00
ShirkNeko
d619f5fafc Refactoring KPM support to check KPM status using CMD_ENABLE_KPM 2025-05-24 03:28:28 +08:00
liankong
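079f74d960 Change how return values are handled 2025-03-31 19:47:22 +08:00
liankong
af78f3bac4 Switch to leaving only a stub in the kernel and loading KPM externally 2025-03-31 13:55:48 +08:00
ShirkNeko
0db25f14f1 Add KPM status information output and update the supported unofficial manager information 2025-03-30 19:45:10 +08:00
liankong
c6664af45b Fix 2025-03-30 17:15:25 +08:00
liankong
770c9632ae Add printing of the corresponding KPM information on panic 2025-03-30 16:52:44 +08:00
liankong
315df33bd6 Add a mechanism to skip CFI checks 2025-03-30 16:14:23 +08:00
ShirkNeko
fcf2739cbc Add conditional compilation support for KPM module control 2025-03-30 02:42:40 +08:00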
ShirkNeko
8972327faa manager: add KPM module with control codes and compact symbol handling 2025-03-29 21:04:54 +08:00
ShirkNeko
ba26677cfc Merge some files and rewrite the update history 2025-03-22 14:09:21 +08:00
AlexLiuDev233
931ababd14 kernel: fix sometimes sucompat can not toggle by manager (#2484)
When the manager is already running, if other programs / kernel toggle
the sucompat enable status,
The manager "Disable SU Compat" toggle button can not work, kmesg print
"cmd enable su but no need to change."

I think we should still return reply_ok when the syscall value is
consistent with the kernel, which would fix the issue.
2025-03-01 15:59:18 +08:00
Wang Han
1feac4c621 Fix reference count leak in nuke_ext4_sysfs() (#2467)
We need to call path_put() to decrease the refcount.
2025-02-23 10:42:24 +08:00
weishu
de291151f1 kernel: unregister sysfs for module's ext4 image 2025-02-17 21:06:21 +08:00
weishu
500ff9bcbc kernel: remove unused CONFIG guard because GKI kernel enable kprobe by default 2025-02-16 21:38:59 +08:00
weishu
2096bd7304 kernel: add support for disable sucompat 2025-02-16 19:29:58 +08:00
5ec1cff
62ef18b560 kernel: clear securebits (#2387)
fix adb shell cannot escape to root after #2381
2025-01-28 19:02:14 +08:00
Wang Han
7a71da057e Clean up umount targets (#2386) 2025-01-27 19:35:33 +08:00
Wang Han
38640ee4a6 Avoid unnecessarily overriding capabilities (#2381)
Previously all capabilities were overridden with 0xffffffffffffffff, which is
not what normal processes have. This causes PR_CAPBSET_DROP prctl
fail because it is dropping invalid caps. Fix it.

This fixes
https://gitlab.com/kalilinux/nethunter/apps/kali-nethunter-app/-/issues/378.

Co-Authored-By: 5ec1cff <56485584+5ec1cff@users.noreply.github.com>

Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com>
2025-01-25 17:29:08 +08:00
SsageParuders
58ed786c43 Improve seccomp disable && Add locking to protect cred modifications in escape_to_root (#2320)
- When disabling Seccomp, ensure that current->sighand->siglock is held
during the operation.
- Locking to ensure safe access and modification of the `cred` structure
within the `escape_to_root` function.

---

I think this issue described in #2236 may have been caused by concurrent
read-write access without proper locking.

---------

Signed-off-by: SsageParuders<qinqingqing1025@gmail.com>
Signed-off-by: SsageParuders <qinqingqing1025@gmail.com>"
2024-12-28 13:33:21 +08:00
Huy Minh
27bb2491c2 kernel: Relax dentry_path_raw compare in core_hook (#2041)
On Android-x86 (or BlissOS) it initializes Android by using switch_root
or chroot, when checking a path with dentry_path_raw() it will show the
whole real path instead of the path that we want.

Relax the checking requirement by using strstr to look for
"/system/packages.list" in the string instead of requiring the path to
be "/system/packages.list"

This fixes #1783

Signed-off-by: hmtheboy154 <buingoc67@gmail.com>
2024-09-07 10:59:06 +08:00
Ylarod
898e9d4f8c [1.0] Drop Non-GKI Support (#1483)
Co-authored-by: weishu <twsxtd@gmail.com>
2024-06-01 14:50:46 +08:00
weishu
0576495b4b kernel: Allow to use in Private Space 2024-05-16 12:03:58 +08:00
weishu
efbc07fde3 kernel: use library import 2024-04-27 09:55:24 +08:00
weishu
f982683825 kernel: refactor PR_REAL_REGS 2024-04-26 13:25:29 +08:00
D8G Official
444574739c Fix missing semicolon (#1551)
Fix build non gki kernel
2024-03-28 20:22:00 +08:00
Coconut
4f05fe226e kernel: Add Huawei hisi check (#1545)
Use huawei_hisi_check.h to determine whether it is an old Huawei
HiSilicon device.
Solve:
1. Compatible with non-GKI Huawei HiSilicon devices
2. Solve different bugs in EMUI of different system versions
3. Does not affect other devices
2024-03-28 14:20:00 +08:00
weishu
4ac203a78d kernel: Fix misleading log 2024-03-27 17:29:03 +08:00