kernel(lsm_hooks):fix misding __init (#641)

Co-authored-by: weishu <twsxtd@gmail.com>

.gitattributes

@@ -1 +0,0 @@
-*.bat eol=crlf

.github/FUNDING.yml

@@ -1,4 +0,0 @@
-github: tiann
-patreon: weishu
-open_collective: sukisu-ultra
-

.github/ISSUE_TEMPLATE/add_device.yml

@@ -1,33 +0,0 @@
-name: Contribute to Unofficially Supported Device
-description: Add your device kernel source to KernelSU's Unofficially Supported Device List
-title: "[Add Device]: "
-labels: ["add-device"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for supporting KernelSU!
-  - type: input
-    id: repo-url
-    attributes:
-      label: Repository URL
-      description: Your repository URL
-      placeholder: https://github.com/tiann/KernelSU
-    validations:
-      required: true
-  - type: input
-    id: device
-    attributes:
-      label: Device
-      description: Please describe the device maintained by you.
-      placeholder: GKI 2.0 Device
-    validations:
-      required: true
-  - type: checkboxes
-    id: terms
-    attributes:
-      label: Code of Conduct
-      description: By submitting this issue, you should be the maintainer of the repository.
-      options:
-        - label: I'm the maintainer of this repository
-          required: true

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,72 +0,0 @@
-name: Bug report
-description: Create a report to help us improve KernelSU
-labels: [Bug]
-
-body:
-  - type: checkboxes
-    attributes:
-       label: Please check before submitting an issue
-       options:
-          - label: I have searched the issues and haven't found anything relevant
-            required: true
-            
-          - label: I will upload bugreport file in KernelSU Manager - Settings - Report log
-            required: true
-            
-          - label: I know how to reproduce the issue which may not be specific to my device
-            required: false
-
-
-  - type: textarea
-    attributes:
-        label: Describe the bug
-        description: A clear and concise description of what the bug is
-    validations:
-        required: true
-      
-
-  - type: textarea
-    attributes:
-        label: To Reproduce
-        description: Steps to reproduce the behaviour
-        placeholder: |
-          - 1. Go to '...'
-          - 2. Click on '....'
-          - 3. Scroll down to '....'
-          - 4. See error
-          
-
-  - type: textarea
-    attributes:
-        label: Expected behavior
-        description: A clear and concise description of what you expected to happen.
-    
-    
-  - type: textarea
-    attributes:
-        label: Screenshots
-        description: If applicable, add screenshots to help explain your problem.
-        
-        
-  - type: textarea
-    attributes:
-        label: Logs
-        description: If applicable, add crash or any other logs to help us figure out the problem.
-        
-        
-  - type: textarea
-    attributes:
-        label: Device info
-        value: |
-          - Device:
-          - OS Version:
-          - KernelSU Version:
-          - Kernel Version:
-    validations:
-        required: true
-
-
-  - type: textarea
-    attributes:
-        label: Additional context
-        description: Add any other context about the problem here.

.github/ISSUE_TEMPLATE/custom.yml

@@ -1,11 +0,0 @@
-name: Custom issue template
-description: WARNING! If you are reporting a bug but use this template, the issue will be closed directly.
-title: '[Custom]'
-body:
-  - type: textarea
-    id: description
-    attributes:
-      label: "Describe your problem."
-    validations:
-      required: true
-

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,39 +0,0 @@
-name: Feature Request
-description: "Suggest an idea for this project"
-title: "[Feature]"
-labels: "feature"
-body:
-  - type: markdown
-    id: feature-info
-    attributes:
-      value: "## Feature Infomation"
-  - type: textarea
-    id: feature-main
-    validations:
-      required: true
-    attributes:
-      label: "Is your feature request related to a problem? Please describe."
-      description: "A clear and concise description of what the problem is."
-      placeholder: "I'm always frustrated when [...]"
-  - type: textarea
-    id: feature-solution
-    validations:
-      required: true
-    attributes:
-      label: "Describe the solution you'd like."
-      description: "A clear and concise description of what you want to happen."
-  - type: textarea
-    id: feature-describe
-    validations:
-      required: true
-    attributes:
-      label: "Describe alternatives you've considered."
-      description: "A clear and concise description of any alternative solutions or features you've considered."
-  - type: textarea
-    id: feature-extra
-    validations:
-      required: false
-    attributes:
-      label: "Additional context"
-      description: "Add any other context or screenshots about the feature request here."
-

.github/scripts/build_a12.sh

@@ -1,64 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-build_from_image() {
-	export TITLE
-	TITLE=kernel-aarch64-${1//Image-/}
-	echo "[+] title: $TITLE"
-
-	export PATCH_LEVEL
-	PATCH_LEVEL=$(echo "$1" | awk -F_ '{ print $2}')
-	echo "[+] patch level: $PATCH_LEVEL"
-
-	echo '[+] Download prebuilt ramdisk'
-    GKI_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
-    FALLBACK_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-2023-01_r1.zip
-    status=$(curl -sL -w "%{http_code}" "$GKI_URL" -o /dev/null)
-    if [ "$status" = "200" ]; then
-        curl -Lo gki-kernel.zip "$GKI_URL"
-    else
-        echo "[+] $GKI_URL not found, using $FALLBACK_URL"
-        curl -Lo gki-kernel.zip "$FALLBACK_URL"
-    fi
-	unzip gki-kernel.zip && rm gki-kernel.zip
-
-	echo '[+] Unpack prebuilt boot.img'
-	BOOT_IMG=$(find . -maxdepth 1 -name "boot*.img")
-	$UNPACK_BOOTIMG --boot_img="$BOOT_IMG"
-	rm "$BOOT_IMG"
-
-	echo '[+] Building Image.gz'
-	$GZIP -n -k -f -9 Image >Image.gz
-
-	echo '[+] Building boot.img'
-	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Building boot-gz.img'
-	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Building boot-lz4.img'
-	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Compress images'
-	for image in boot*.img; do
-		$GZIP -n -f -9 "$image"
-		mv "$image".gz "${1//Image-/}"-"$image".gz
-	done
-
-	echo "[+] Images to upload"
-	find . -type f -name "*.gz"
-
-	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
-}
-
-for dir in Image*; do
-	if [ -d "$dir" ]; then
-		echo "----- Building $dir -----"
-		cd "$dir"
-		build_from_image "$dir"
-		cd ..
-	fi
-done

.github/scripts/build_a13.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-build_from_image() {
-	export TITLE
-	TITLE=kernel-aarch64-${1//Image-/}
-
-	echo "[+] title: $TITLE"
-	echo '[+] Building Image.gz'
-	$GZIP -n -k -f -9 Image >Image.gz
-
-	echo '[+] Building boot.img'
-	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Building boot-gz.img'
-	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Building boot-lz4.img'
-	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-	echo '[+] Compress images'
-	for image in boot*.img; do
-		$GZIP -n -f -9 "$image"
-        mv "$image".gz "${1//Image-/}"-"$image".gz
-	done
-
-	echo '[+] Images to upload'
-	find . -type f -name "*.gz"
-
-	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
-}
-
-for dir in Image*; do
-	if [ -d "$dir" ]; then
-		echo "----- Building $dir -----"
-		cd "$dir"
-		build_from_image "$dir"
-		cd ..
-	fi
-done

.github/workflows/add-device.yml

@@ -1,60 +0,0 @@
-name: handle-add-device-issue
-
-on:
-  issues:
-    types: [labeled]
-
-jobs:
-  handle-add-device:
-    if: github.event.label.name == 'add-device'
-    runs-on: ubuntu-latest
-    env:
-      ISSUE_CONTENT: ${{ github.event.issue.body }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: Parse issue body
-        id: handle-add-device
-        run: |
-          python3 scripts/add_device_handler.py website/docs/repos.json || true
-      - name: Commit
-        if: steps.handle-add-device.outputs.success == 'true'
-        run: |
-          git config --local user.name "GitHub Actions"
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git add website/docs/repos.json
-          git commit -m "add device: ${{ steps.handle-add-device.outputs.device }}"
-      - name: Make pull request
-        if: steps.handle-add-device.outputs.success == 'true'
-        id: cpr
-        uses: peter-evans/create-pull-request@v7
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
-          title: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
-          body: |
-            ${{ steps.handle-add-device.outputs.device }} has been added to the website.
-            Related issue: ${{ github.event.issue.html_url }}
-          branch: "add-device-${{ github.event.issue.number }}"
-          labels: add-device
-          delete-branch: true
-          sign-commits: true
-      - name: Check outputs
-        if: ${{ steps.cpr.outputs.pull-request-number }}
-        run: |
-          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
-          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-      - uses: Kernel-SU/actions-comment-on-issue@master
-        if: ${{ steps.cpr.outputs.pull-request-number }}
-        with:
-          message: "Automatically created pull request: ${{ steps.cpr.outputs.pull-request-url }}"
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: Kernel-SU/actions-comment-on-issue@master
-        if: steps.handle-add-device.outputs.success != 'true'
-        with:
-          message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: close issue
-        uses: peter-evans/close-issue@v3
-        with:
-          issue-number: ${{ github.event.issue.number }}
-          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-gki-image.yml

@@ -1,20 +0,0 @@
-name: Build Android GKI Image
-on:
-  workflow_call:
-
-jobs:
-  build-a12-kernel:
-    uses: ./.github/workflows/build-kernel-a12.yml
-    secrets: inherit
-  build-a13-kernel:
-    uses: ./.github/workflows/build-kernel-a13.yml
-    secrets: inherit
-  build-a14-kernel:
-    uses: ./.github/workflows/build-kernel-a14.yml
-    secrets: inherit
-  build-a15-kernel:
-    uses: ./.github/workflows/build-kernel-a15.yml
-    secrets: inherit
-  build-a16-kernel:
-    uses: ./.github/workflows/build-kernel-a16.yml
-    secrets: inherit

.github/workflows/build-kernel-a12.yml

@@ -1,111 +0,0 @@
-name: Build Kernel - Android 12
-on:
-  # push:
-  #   branches: ["main", "ci", "checkci"]
-  #   paths:
-  #     - ".github/workflows/deps/gki/build-kernel-a12.yml"
-  #     - ".github/workflows/deps/gki/gki-kernel.yml"
-  #     - ".github/scripts/build_a12.sh"
-  #     - "kernel/**"
-  workflow_call:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  build-kernel:
-    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
-    strategy:
-      matrix:
-        include:
-          - sub_level: 209
-            os_patch_level: 2024-05
-          - sub_level: 218
-            os_patch_level: 2024-08
-          - sub_level: 226
-            os_patch_level: 2024-11
-          - sub_level: 233
-            os_patch_level: 2025-02
-          - sub_level: 236
-            os_patch_level: 2025-05
-    uses: ./.github/workflows/gki-kernel.yml
-    secrets: inherit
-    with:
-      version: android12-5.10
-      version_name: android12-5.10.${{ matrix.sub_level }}
-      tag: android12-5.10-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: "5.10"
-      debug: ${{ inputs.debug || false }}
-  
-  upload-artifacts:
-    needs: build-kernel
-    runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
-    env:
-      CHAT_ID: ${{ secrets.CHAT_ID }}
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-      COMMIT_URL: ${{ github.event.head_commit.url }}
-      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: List artifacts
-        run: |
-          tree
-
-      - name: Download prebuilt toolchain
-        run: |
-          AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2024
-          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
-          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
-          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon
-
-      - name: Set boot sign key
-        env:
-          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
-        run: |
-          if [ ! -z "$BOOT_SIGN_KEY" ]; then
-            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-          fi
-
-      - name: Build boot images
-        run: |
-          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
-          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
-          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
-          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
-          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          cd -
-          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a12.sh
-
-      - name: Display structure of boot files
-        run: ls -R
-
-      - name: Upload images artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: boot-images-android12
-          path: Image-android12*/*.img.gz

.github/workflows/build-kernel-a13.yml

@@ -1,146 +0,0 @@
-name: Build Kernel - Android 13
-on:
-  # push:
-  #   branches: ["main", "ci", "checkci"]
-  #   paths:
-  #     - ".github/workflows/deps/gki/build-kernel-a13.yml"
-  #     - ".github/workflows/deps/gki/gki-kernel.yml"
-  #     - ".github/scripts/build_a13.sh"
-  #     - "kernel/**"
-  workflow_call:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  build-kernel:
-    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
-    strategy:
-      matrix:
-        include:
-          - version: "5.10"
-            sub_level: 209
-            os_patch_level: 2024-05
-          - version: "5.10"
-            sub_level: 210
-            os_patch_level: 2024-06
-          - version: "5.10"
-            sub_level: 214
-            os_patch_level: 2024-07
-          - version: "5.10"
-            sub_level: 218
-            os_patch_level: 2024-08
-          - version: "5.10"
-            sub_level: 223
-            os_patch_level: 2024-11
-          - version: "5.10"
-            sub_level: 228
-            os_patch_level: 2025-01
-          - version: "5.10"
-            sub_level: 234
-            os_patch_level: 2025-03
-          - version: "5.15"
-            sub_level: 148
-            os_patch_level: 2024-05
-          - version: "5.15"
-            sub_level: 149
-            os_patch_level: 2024-07
-          - version: "5.15"
-            sub_level: 151
-            os_patch_level: 2024-08
-          - version: "5.15"
-            sub_level: 153
-            os_patch_level: 2024-09
-          - version: "5.15"
-            sub_level: 167
-            os_patch_level: 2024-11
-          - version: "5.15"
-            sub_level: 178
-            os_patch_level: 2024-11
-          - version: "5.15"
-            sub_level: 170
-            os_patch_level: 2025-01
-          - version: "5.15"
-            sub_level: 178
-            os_patch_level: 2025-03
-    uses: ./.github/workflows/gki-kernel.yml
-    secrets: inherit
-    with:
-      version: android13-${{ matrix.version }}
-      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
-      debug: ${{ inputs.debug || false }}
-  
-  upload-artifacts:
-    needs: build-kernel
-    runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
-    env:
-      CHAT_ID: ${{ secrets.CHAT_ID }}
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-      COMMIT_URL: ${{ github.event.head_commit.url }}
-      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: List artifacts
-        run: |
-          tree
-
-      - name: Download prebuilt toolchain
-        run: |
-          AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2024
-          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
-          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
-          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon
-
-      - name: Set boot sign key
-        env:
-          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
-        run: |
-          if [ ! -z "$BOOT_SIGN_KEY" ]; then
-            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-          fi
-
-      - name: Build boot images
-        run: |
-          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
-          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
-          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
-          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
-          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          cd -
-          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
-
-      - name: Display structure of boot files
-        run: ls -R
-
-      - name: Upload images artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: boot-images-android13
-          path: Image-android13*/*.img.gz

.github/workflows/build-kernel-a14.yml

@@ -1,158 +0,0 @@
-name: Build Kernel - Android 14
-on:
-  # push:
-  #   branches: ["main", "ci", "checkci"]
-  #   paths:
-  #     - ".github/workflows/deps/gki/build-kernel-a14.yml"
-  #     - ".github/workflows/deps/gki/gki-kernel.yml"
-  #     - ".github/scripts/build_a13.sh"
-  #     - "kernel/**"
-  workflow_call:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  build-kernel:
-    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
-    strategy:
-      matrix:
-        include:
-          - version: "5.15"
-            sub_level: 148
-            os_patch_level: 2024-05
-          - version: "5.15"
-            sub_level: 149
-            os_patch_level: 2024-06
-          - version: "5.15"
-            sub_level: 153
-            os_patch_level: 2024-07
-          - version: "5.15"
-            sub_level: 158
-            os_patch_level: 2024-08
-          - version: "5.15"
-            sub_level: 164
-            os_patch_level: 2024-09
-          - version: "5.15"
-            sub_level: 167
-            os_patch_level: 2024-11
-          - version: "5.15"
-            sub_level: 170
-            os_patch_level: 2025-01
-          - version: "5.15"
-            sub_level: 178
-            os_patch_level: 2025-03
-          - version: "6.1"
-            sub_level: 75
-            os_patch_level: 2024-05
-          - version: "6.1"
-            sub_level: 78
-            os_patch_level: 2024-06
-          - version: "6.1"
-            sub_level: 84
-            os_patch_level: 2024-07
-          - version: "6.1"
-            sub_level: 90
-            os_patch_level: 2024-08
-          - version: "6.1"
-            sub_level: 93
-            os_patch_level: 2024-09
-          - version: "6.1"
-            sub_level: 99
-            os_patch_level: 2024-10
-          - version: "6.1"
-            sub_level: 112
-            os_patch_level: 2024-11
-          - version: "6.1"
-            sub_level: 115
-            os_patch_level: 2024-12
-          - version: "6.1"
-            sub_level: 118
-            os_patch_level: 2025-01
-          - version: "6.1"
-            sub_level: 128
-            os_patch_level: 2025-03
-          - version: "6.1"
-            sub_level: 134
-            os_patch_level: 2025-05
-    uses: ./.github/workflows/gki-kernel.yml
-    secrets: inherit
-    with:
-      version: android14-${{ matrix.version }}
-      version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
-      debug: ${{ inputs.debug || false }}
-  
-  upload-artifacts:
-    needs: build-kernel
-    runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
-    env:
-      CHAT_ID: ${{ secrets.CHAT_ID }}
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-      COMMIT_URL: ${{ github.event.head_commit.url }}
-      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: List artifacts
-        run: |
-          tree
-
-      - name: Download prebuilt toolchain
-        run: |
-          AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2024
-          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
-          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
-          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon
-
-      - name: Set boot sign key
-        env:
-          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
-        run: |
-          if [ ! -z "$BOOT_SIGN_KEY" ]; then
-            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-          fi
-
-      - name: Build boot images
-        run: |
-          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
-          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
-          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
-          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
-          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          cd -
-          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
-
-      - name: Display structure of boot files
-        run: ls -R
-
-      - name: Upload images artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: boot-images-android14
-          path: Image-android14*/*.img.gz

.github/workflows/build-kernel-a15.yml

@@ -1,131 +0,0 @@
-name: Build Kernel - Android 15
-on:
-  # push:
-  #   branches: ["main", "ci", "checkci"]
-  #   paths:
-  #     - ".github/workflows/deps/gki/build-kernel-a15.yml"
-  #     - ".github/workflows/deps/gki/gki-kernel.yml"
-  #     - ".github/scripts/build_a13.sh"
-  #     - "kernel/**"
-  workflow_call:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  build-kernel:
-    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
-    strategy:
-      matrix:
-        include:
-          - version: "6.6"
-            sub_level: 30
-            os_patch_level: 2024-08
-          - version: "6.6"
-            sub_level: 46
-            os_patch_level: 2024-09
-          - version: "6.6"
-            sub_level: 50
-            os_patch_level: 2024-10
-          - version: "6.6"
-            sub_level: 56
-            os_patch_level: 2024-11
-          - version: "6.6"
-            sub_level: 57
-            os_patch_level: 2024-12
-          - version: "6.6"
-            sub_level: 58
-            os_patch_level: 2025-01
-          - version: "6.6"
-            sub_level: 66
-            os_patch_level: 2025-02
-          - version: "6.6"
-            sub_level: 77
-            os_patch_level: 2025-03
-          - version: "6.6"
-            sub_level: 82
-            os_patch_level: 2025-04
-          - version: "6.6"
-            sub_level: 87
-            os_patch_level: 2025-05
-    uses: ./.github/workflows/gki-kernel.yml
-    secrets: inherit
-    with:
-      version: android15-${{ matrix.version }}
-      version_name: android15-${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: android15-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
-      debug: ${{ inputs.debug || false }}
-  
-  upload-artifacts:
-    needs: build-kernel
-    runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
-    env:
-      CHAT_ID: ${{ secrets.CHAT_ID }}
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-      COMMIT_URL: ${{ github.event.head_commit.url }}
-      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v4
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: List artifacts
-        run: |
-          tree
-
-      - name: Download prebuilt toolchain
-        run: |
-          AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2024
-          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
-          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
-          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon
-
-      - name: Set boot sign key
-        env:
-          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
-        run: |
-          if [ ! -z "$BOOT_SIGN_KEY" ]; then
-            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-          fi
-          
-      - name: Build boot images
-        run: |
-          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
-          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
-          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
-          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
-          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          cd -
-          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
-
-      - name: Display structure of boot files
-        run: ls -R
-
-      - name: Upload images artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: boot-images-android15
-          path: Image-android15*/*.img.gz

.github/workflows/build-kernel-a16.yml

@@ -1,104 +0,0 @@
-name: Build Kernel - Android 16
-on:
-  # push:
-  #   branches: ["main", "ci", "checkci"]
-  #   paths:
-  #     - ".github/workflows/deps/gki/build-kernel-a16.yml"
-  #     - ".github/workflows/deps/gki/gki-kernel.yml"
-  #     - ".github/scripts/build_a13.sh"
-  #     - "kernel/**"
-  workflow_call:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-  workflow_dispatch:
-    inputs:
-      debug:
-        description: 'Build debug kernel'
-        required: false
-        type: boolean
-        default: false
-jobs:
-  build-kernel:
-    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
-    strategy:
-      matrix:
-        include:
-          - version: "6.12"
-            sub_level: 38
-            os_patch_level: 2025-08
-    uses: ./.github/workflows/gki-kernel.yml
-    secrets: inherit
-    with:
-      version: android16-${{ matrix.version }}
-      version_name: android16-${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: android16-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
-      debug: ${{ inputs.debug || false }}
-  
-  upload-artifacts:
-    needs: build-kernel
-    runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
-    env:
-      CHAT_ID: ${{ secrets.CHAT_ID }}
-      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-      COMMIT_URL: ${{ github.event.head_commit.url }}
-      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-    steps:
-      - name: Download artifacts
-        uses: actions/download-artifact@v6
-
-      - uses: actions/checkout@v5
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: List artifacts
-        run: |
-          tree
-
-      - name: Download prebuilt toolchain
-        run: |
-          AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2024
-          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
-          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
-          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon
-
-      - name: Set boot sign key
-        env:
-          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
-        run: |
-          if [ ! -z "$BOOT_SIGN_KEY" ]; then
-            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-          fi
-
-      - name: Build boot images
-        run: |
-          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
-          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
-          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
-          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
-          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          cd -
-          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
-
-      - name: Display structure of boot files
-        run: ls -R
-
-      - name: Upload images artifact
-        uses: actions/upload-artifact@v5
-        with:
-          name: boot-images-android16
-          path: Image-android16*/*.img.gz

.github/workflows/build-lkm.yml

@@ -1,21 +0,0 @@
-name: Build LKM for KernelSU
-on:
-  workflow_call:
-  workflow_dispatch:
-jobs:
-  build-lkm:
-    strategy:
-      fail-fast: false
-      matrix:
-        kmi:
-          - android12-5.10
-          - android13-5.10
-          - android13-5.15
-          - android14-5.15
-          - android14-6.1
-          - android15-6.6
-          - android16-6.12
-    uses: ./.github/workflows/ddk-lkm.yml
-    with:
-      kmi: ${{ matrix.kmi }}
-      ddk_release: '20251104'

.github/workflows/build-manager.yml

@@ -1,209 +0,0 @@
-name: Build Manager
-
-on:
-  push:
-    branches: [ "main", "dev", "ci", "miuix" ]
-    paths:
-      - '.github/workflows/build-manager.yml'
-      - '.github/workflows/build-lkm.yml'
-      - 'manager/**'
-      - 'kernel/**'
-      - 'userspace/ksud/**'
-      - 'userspace/user_scanner/**'
-  pull_request:
-    branches: [ "main", "dev", "miuix" ]
-    paths:
-      - '.github/workflows/build-manager.yml'
-      - '.github/workflows/build-lkm.yml'
-      - 'manager/**'
-      - 'kernel/**'
-      - 'userspace/ksud/**'
-      - 'userspace/user_scanner/**'
-  workflow_call:
-
-jobs:
-  build-lkm:
-    uses: ./.github/workflows/build-lkm.yml
-    secrets: inherit
-  build-user_scanner:
-    needs: build-lkm
-    strategy:
-      matrix:
-        include:
-          - target: All-linux-android
-            os: ubuntu-latest
-    uses: ./.github/workflows/user_scanner.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-
-  build-ksud:
-    needs: build-lkm
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-            os: ubuntu-latest
-          - target: x86_64-linux-android
-            os: ubuntu-latest
-          - target: armv7-linux-androideabi
-            os: ubuntu-latest
-    uses: ./.github/workflows/ksud.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-
-  build-manager:
-    needs: build-ksud
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        spoofed: ["true","false"]
-    defaults:
-      run:
-        working-directory: ./manager
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup need_upload
-        id: need_upload
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            echo "UPLOAD=true" >> $GITHUB_OUTPUT
-          else
-            echo "UPLOAD=false" >> $GITHUB_OUTPUT
-          fi
-
-
-      - name: Determine manager variant for telegram bot
-        id: determine
-        run: |
-          if [ "${{ github.ref_name }}" == "miuix" ] && [ "${{ matrix.spoofed }}" == "true" ]; then
-            echo "SKIP=true" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-          if [ "${{ github.ref_name }}" == "miuix" ]; then
-            echo "title=Manager" >> $GITHUB_OUTPUT
-            echo "topicid=${{ vars.MESSAGE_MIUIX_THREAD_ID }}" >> $GITHUB_OUTPUT
-          elif [ "${{ matrix.spoofed }}" == "true" ]; then
-            echo "title=Spoofed-Manager" >> $GITHUB_OUTPUT
-            # maybe need a new var
-            echo "topicid=${{ vars.MESSAGE_SPOOFED_THREAD_ID }}" >> $GITHUB_OUTPUT
-          else
-            echo "title=Manager" >> $GITHUB_OUTPUT
-            echo "topicid=${{ vars.MESSAGE_THREAD_ID }}" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run randomizer
-        if: ${{ matrix.spoofed == 'true' && steps.determine.outputs.SKIP != 'true' }}
-        run: |
-          chmod +x randomizer
-          ./randomizer
-
-      - name: Write key
-        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
-        run: |
-          if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
-            {
-              echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}'
-              echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}'
-              echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}'
-              echo KEYSTORE_FILE='key.jks'
-            } >> gradle.properties
-            echo "${{ secrets.KEYSTORE }}" | base64 -d > key.jks
-          fi
-
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          distribution: temurin
-          java-version: 21
-
-      - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v4
-
-      - name: Setup Android SDK
-        uses: android-actions/setup-android@v3
-
-      - name: Download all userscanner artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: userscanner-all-linux-android
-          path: .
-
-      - name: Download arm64 ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-aarch64-linux-android
-          path: .
-
-      - name: Download x86_64 ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-x86_64-linux-android
-          path: .
-
-      - name: Download arm ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-armv7-linux-androideabi
-          path: .
-  
-      - name: Copy ksud to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          mkdir -p app/src/main/jniLibs/x86_64
-          mkdir -p app/src/main/jniLibs/armeabi-v7a
-          cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
-          cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
-          cp -f ../armv7-linux-androideabi/release/ksud ../manager/app/src/main/jniLibs/armeabi-v7a/libksud.so
-
-      - name: Copy user_scanner to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          mkdir -p app/src/main/jniLibs/x86_64
-          mkdir -p app/src/main/jniLibs/armeabi-v7a
-          cp -f ../arm64-v8a/uid_scanner ../manager/app/src/main/jniLibs/arm64-v8a/libuid_scanner.so
-          cp -f ../x86_64/uid_scanner ../manager/app/src/main/jniLibs/x86_64/libuid_scanner.so
-          cp -f ../armeabi-v7a/uid_scanner ../manager/app/src/main/jniLibs/armeabi-v7a/libuid_scanner.so
-
-      - name: Build with Gradle
-        if: ${{ steps.determine.outputs.SKIP != 'true' }}
-        run: ./gradlew clean assembleRelease
-
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
-        with:
-          name: ${{ steps.determine.outputs.title }}
-          path: manager/app/build/outputs/apk/release/*.apk
-
-      - name: Upload mappings
-        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
-        with:
-          name: "${{ steps.determine.outputs.title }}-mappings"
-          path: "manager/app/build/outputs/mapping/release/"
-
-      - name: Upload to telegram
-        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true' && steps.determine.outputs.SKIP != 'true'
-        env:
-          CHAT_ID: ${{ vars.CHAT_ID }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ steps.determine.outputs.topicid }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          TITLE: ${{ steps.determine.outputs.title }}
-          BRANCH: ${{ github.ref_name }}
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            export VERSION=$(git rev-list --count HEAD)
-            APK=$(find ./app/build/outputs/apk/release -name "*.apk")
-            pip3 install telethon
-            python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
-          fi

.github/workflows/build-su.yml

@@ -1,36 +0,0 @@
-name: Build SU
-on:
-  push:
-    branches: [ "main", "ci" ]
-    paths:
-      - '.github/workflows/build-su.yml'
-      - 'userspace/su/**'
-      - 'scripts/ksubot.py'
-  pull_request:
-    branches: [ "main" ]
-    paths:
-      - 'userspace/su/**'
-jobs:
-  build-su:
-    name: Build userspace su
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - name: Setup need_upload
-      id: need_upload
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          echo "UPLOAD=true" >> $GITHUB_OUTPUT
-        else
-          echo "UPLOAD=false" >> $GITHUB_OUTPUT
-        fi
-    - name: Build su
-      working-directory: ./userspace/su
-      run: $ANDROID_NDK/ndk-build
-    - name: Upload a Build Artifact
-      uses: actions/upload-artifact@v4
-      with:
-        name: su
-        path: ./userspace/su/libs

.github/workflows/clippy.yml

@@ -1,37 +0,0 @@
-name: Clippy check
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - '.github/workflows/clippy.yml'
-      - 'userspace/ksud/**'
-  pull_request:
-    branches:
-      - main
-    paths:
-      - '.github/workflows/clippy.yml'
-      - 'userspace/ksud/**'
-
-env:
-  RUSTFLAGS: '-Dwarnings'
-
-jobs:
-  clippy:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: rustup update stable
-      - uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: userspace/ksud
-
-      - name: Install cross
-        run: |
-          RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
-
-      - name: Run clippy
-        run: |
-          cross clippy --manifest-path userspace/ksud/Cargo.toml --target aarch64-linux-android --release
-          cross clippy --manifest-path userspace/ksud/Cargo.toml --target x86_64-linux-android --release

.github/workflows/crowdin.yml

@@ -1,40 +0,0 @@
-name: Crowdin Action
-
-on:
-  push:
-    branches: [ main ]
-    paths:
-      - 'manager/app/src/main/res/values/strings.xml'
-      - 'manager/app/src/main/res/values-*/strings.xml'
-  schedule:
-    - cron: '0 0 * * *'
-  workflow_dispatch:
-
-jobs:
-  synchronize-with-crowdin:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Crowdin Action
-      uses: crowdin/github-action@v2
-      with:
-        upload_sources: true
-        upload_translations: true
-        auto_approve_imported: true
-        download_translations: true
-        skip_untranslated_files: false
-        skip_untranslated_strings: true
-
-        create_pull_request: true
-        localization_branch_name: "Crowdin"
-        pull_request_labels: 'enhancement, translation'
-        pull_request_title: 'opt: sync translation from Crowdin'
-
-        config: 'crowdin.yml'
-        crowdin_branch_name: "main"
-      env:
-        GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-        CROWDIN_PROJECT_ID: ${{ secrets.CROWDIN_PROJECT_ID }}
-        CROWDIN_API_TOKEN: ${{ secrets.CROWDIN_API_TOKEN }}

.github/workflows/ddk-lkm.yml

@@ -1,53 +0,0 @@
-name: Build KernelSU Kernel Module
-
-on:
-  workflow_call:
-    inputs:
-      kmi:
-        description: 'KMI version'
-        required: true
-        type: string
-      ddk_release:
-        description: 'DDK release version'
-        required: false
-        default: '20251104'
-        type: string
-
-jobs:
-  build-kernelsu-ko:
-    name: Build kernelsu.ko for ${{ inputs.kmi }}
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/ylarod/ddk:${{ inputs.kmi }}-${{ inputs.ddk_release }}
-      options: --privileged
-
-    steps:
-    - name: Checkout source code
-      uses: actions/checkout@v4
-
-    - name: Build kernelsu.ko
-      run: |
-        git config --global --add safe.directory /__w/SukiSU-Ultra/SukiSU-Ultra
-        cd kernel
-
-        echo "=== Building kernelsu.ko for KMI: ${{ inputs.kmi }} ==="
-        CONFIG_KSU=m CONFIG_KSU_MANUAL_SU=y make
-        
-        echo "=== Build completed ==="
-        # Create output directory in GitHub workspace
-        mkdir -p /github/workspace/out
-        # Copy with KMI-specific naming
-        OUTPUT_NAME="${{ inputs.kmi }}_kernelsu.ko"
-        cp kernelsu.ko "/github/workspace/out/$OUTPUT_NAME"
-        
-        echo "Copied to: /github/workspace/out/$OUTPUT_NAME"
-        ls -la "/github/workspace/out/$OUTPUT_NAME"
-        echo "Size: $(du -h "/github/workspace/out/$OUTPUT_NAME" | cut -f1)"
-        llvm-strip -d "/github/workspace/out/$OUTPUT_NAME"
-        echo "Size after stripping: $(du -h "/github/workspace/out/$OUTPUT_NAME" | cut -f1)"
-        
-    - name: Upload kernelsu.ko artifact
-      uses: actions/upload-artifact@v4
-      with:
-        name: ${{ inputs.kmi }}-lkm
-        path: /github/workspace/out/${{ inputs.kmi }}_kernelsu.ko

.github/workflows/deploy-website.yml

@@ -1,67 +0,0 @@
-name: Deploy Website
-
-on:
-  push:
-    branches:
-      - main
-      - website
-    paths:
-      - '.github/workflows/deploy-website.yml'
-      - 'website/**'
-  workflow_dispatch:
-
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
-concurrency:
-  group: pages
-  cancel-in-progress: false
-
-jobs:
-  # Build job
-  build:
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./website
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0 # Not needed if lastUpdated is not enabled
-      - name: Setup Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: latest
-          cache: yarn # or pnpm / yarn
-          cache-dependency-path: website/yarn.lock
-      - name: Setup Pages
-        uses: actions/configure-pages@v5
-      - name: Install dependencies
-        run: yarn install --frozen-lockfile
-      - name: Build with VitePress
-        run: |
-          yarn docs:build
-          touch docs/.vitepress/dist/.nojekyll
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: website/docs/.vitepress/dist
-
-  # Deployment job
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    needs: build
-    runs-on: ubuntu-latest
-    name: Deploy
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4

.github/workflows/gki-kernel.yml

@@ -1,288 +0,0 @@
-name: GKI Kernel Build
-
-on:
-  workflow_call:
-    inputs:
-      version:
-        required: true
-        type: string
-        description: >
-          Output directory of gki,
-          for example: android12-5.10
-      version_name:
-        required: true
-        type: string
-        description: >
-          With SUBLEVEL of kernel,
-          for example: android12-5.10.66
-      tag:
-        required: true
-        type: string
-        description: >
-          Part of branch name of common kernel manifest,
-          for example: android12-5.10-2021-11
-      os_patch_level:
-        required: false
-        type: string
-        description: >
-          Patch level of common kernel manifest,
-          for example: 2021-11
-        default: 2022-05
-      patch_path:
-        required: false
-        type: string
-        description: >
-          Directory name of .github/patches/<patch_path>
-          for example: 5.10
-      use_cache:
-        required: false
-        type: boolean
-        default: true
-      embed_ksud:
-        required: false
-        type: string
-        default: ksud-aarch64-linux-android
-        description: >
-          Artifact name of prebuilt ksud to be embedded
-          for example: ksud-aarch64-linux-android
-      debug:
-        required: false
-        type: boolean
-        default: false
-      build_lkm:
-        required: false
-        type: boolean
-        default: false
-    secrets:
-      BOOT_SIGN_KEY:
-        required: false
-      CHAT_ID:
-        required: false
-      BOT_TOKEN:
-        required: false
-      MESSAGE_THREAD_ID:
-        required: false
-
-jobs:
-  build:
-    name: Build ${{ inputs.version_name }}
-    runs-on: ubuntu-latest
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_HARDLINK: "true"
-    steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@master
-        with:
-          root-reserve-mb: 8192
-          temp-reserve-mb: 2048
-          remove-dotnet: "true"
-          remove-android: "true"
-          remove-haskell: "true"
-          remove-codeql: "true"
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: Setup need_upload
-        id: need_upload
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            echo "UPLOAD=true" >> $GITHUB_OUTPUT
-          else
-            echo "UPLOAD=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup kernel source
-        run: |
-          echo "Free space:"
-          df -h
-          cd $GITHUB_WORKSPACE
-          sudo apt-get install repo -y
-          mkdir android-kernel && cd android-kernel
-          repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.16
-          REMOTE_BRANCH=$(git ls-remote https://android.googlesource.com/kernel/common ${{ inputs.tag }})
-          DEFAULT_MANIFEST_PATH=.repo/manifests/default.xml
-          if grep -q deprecated <<< $REMOTE_BRANCH; then
-            echo "Found deprecated branch: ${{ inputs.tag }}"
-            sed -i 's/"${{ inputs.tag }}"/"deprecated\/${{ inputs.tag }}"/g' $DEFAULT_MANIFEST_PATH
-            cat $DEFAULT_MANIFEST_PATH
-          fi
-          repo --version
-          repo --trace sync -c -j$(nproc --all) --no-tags
-          df -h
-
-      - name: Setup KernelSU
-        env:
-          PATCH_PATH: ${{ inputs.patch_path }}
-          IS_DEBUG_KERNEL: ${{ inputs.debug }}
-        run: |
-          cd $GITHUB_WORKSPACE/android-kernel
-          echo "[+] KernelSU setup"
-          GKI_ROOT=$(pwd)
-          echo "[+] GKI_ROOT: $GKI_ROOT"
-          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
-          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
-          echo "[+] Add KernelSU driver to Makefile"
-          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
-          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
-          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
-          echo "[+] Apply Compilation Patches"
-          if [ ! -e build/build.sh ]; then
-            GLIBC_VERSION=$(ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}')
-            echo "GLIBC_VERSION: $GLIBC_VERSION"
-            if [ "$(printf '%s\n' "2.38" "$GLIBC_VERSION" | sort -V | head -n1)" = "2.38" ]; then
-              echo "Patching resolve_btfids/Makefile"
-              cd $GKI_ROOT/common/ && sed -i '/\$(Q)\$(MAKE) -C \$(SUBCMD_SRC) OUTPUT=\$(abspath \$(dir \$@))\/ \$(abspath \$@)/s//$(Q)$(MAKE) -C $(SUBCMD_SRC) EXTRA_CFLAGS="$(CFLAGS)" OUTPUT=$(abspath $(dir $@))\/ $(abspath $@)/' tools/bpf/resolve_btfids/Makefile || echo "No patch needed."
-            fi
-          fi
-
-          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
-            echo "[+] Enable debug features for kernel"
-            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
-          fi
-          repo status
-          echo "[+] KernelSU setup done."
-
-      - name: Symbol magic
-        run: |
-          echo "[+] Export all symbol from abi_gki_aarch64.xml"
-          COMMON_ROOT=$GITHUB_WORKSPACE/android-kernel/common
-          KSU_ROOT=$GITHUB_WORKSPACE/KernelSU
-          ABI_XML=$COMMON_ROOT/android/abi_gki_aarch64.xml
-          SYMBOL_LIST=$COMMON_ROOT/android/abi_gki_aarch64
-          # python3 $KSU_ROOT/scripts/abi_gki_all.py $ABI_XML > $SYMBOL_LIST
-          echo "[+] Add KernelSU symbols"
-          cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
-
-      - name: Setup ccache
-        if: inputs.use_cache == true
-        uses: hendrikmuhs/ccache-action@v1
-        with:
-          key: gki-kernel-aarch64-${{ inputs.version_name }}
-          max-size: 2G
-          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-
-      - name: Setup for LKM
-        if: ${{ inputs.build_lkm == true }}
-        working-directory: android-kernel
-        run: |
-          pip install ast-grep-cli
-          sudo apt-get install llvm-15 -y
-          ast-grep -U -p '$$$ check_exports($$$) {$$$}' -r '' common/scripts/mod/modpost.c
-          ast-grep -U -p 'check_exports($$$);' -r '' common/scripts/mod/modpost.c
-          sed -i '/config KSU/,/help/{s/default y/default m/}' common/drivers/kernelsu/Kconfig
-          echo "drivers/kernelsu/kernelsu.ko" >> common/android/gki_aarch64_modules
-
-          # bazel build, android14-5.15, android14-6.1 use bazel
-          if [ ! -e build/build.sh ]; then
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
-            if [ -e common/modules.bzl ]; then
-              sed -i 's/_COMMON_GKI_MODULES_LIST = \[/_COMMON_GKI_MODULES_LIST = \[ "drivers\/kernelsu\/kernelsu.ko",/g' common/modules.bzl
-            fi
-          else
-            TARGET_FILE="build/kernel/build.sh"
-            if [ ! -e "$TARGET_FILE" ]; then
-              TARGET_FILE="build/build.sh"
-            fi
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' $TARGET_FILE || echo "No unknown symbol in $TARGET_FILE"
-            sed -i 's/if ! diff -u "\${KERNEL_DIR}\/\${MODULES_ORDER}" "\${OUT_DIR}\/modules\.order"; then/if false; then/g' $TARGET_FILE
-            sed -i 's@${ROOT_DIR}/build/abi/compare_to_symbol_list@echo@g' $TARGET_FILE
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
-          fi
-
-      - name: Append ashmem exports if missing
-        if: startsWith(inputs.version, 'android16-6.12')
-        working-directory: android-kernel
-        run: |
-          FILE=common/drivers/staging/android/ashmem.c
-          if [[ -f "$FILE" ]] && ! grep -q 'is_ashmem_file' "$FILE"; then
-          cat >>"$FILE" <<'EOF'
-
-          bool is_ashmem_file(struct file *file) { return false; }
-          int ashmem_area_name(struct file *file, char *name) { return 0; }
-          long ashmem_area_size(struct file *file) { return 0; }
-          struct file *ashmem_area_vmfile(struct file *file) { return NULL; }
-          EXPORT_SYMBOL_GPL(is_ashmem_file);
-          EXPORT_SYMBOL_GPL(ashmem_area_name);
-          EXPORT_SYMBOL_GPL(ashmem_area_size);
-          EXPORT_SYMBOL_GPL(ashmem_area_vmfile);
-          EOF
-          fi
-
-          sed -i -E 's/\$\(CONFIG_ANDROID_BINDER_IPC_RUST\)/m/g' common/drivers/android/Makefile
-
-      - name: Make working directory clean to avoid dirty
-        working-directory: android-kernel
-        run: |
-          # Fix bazel build error
-          if [ -f common/BUILD.bazel ]; then
-            [ -f android/abi_gki_protected_exports_aarch64 ] || sed -i '/^[[:space:]]*"protected_exports_list"[[:space:]]*:[[:space:]]*"android\/abi_gki_protected_exports_aarch64",$/d' common/BUILD.bazel
-          fi
-
-          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
-          git config --global user.email "bot@kernelsu.org"
-          git config --global user.name "KernelSUBot"
-          cd common/ && git add -A && git commit -a -m "Add KernelSU"
-          repo status
-
-      - name: Build Kernel/LKM
-        working-directory: android-kernel
-        run: |
-          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
-            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
-            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
-          fi
-          if [ -e build/build.sh ]; then
-            LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh CC="/usr/bin/ccache clang"
-          else
-            if [ "${{ inputs.version }}" == "android16-6.12" ]; then
-              tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --destdir=dist
-            else
-              tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --dist_dir=dist
-            fi
-          fi
-
-      - name: Prepare artifacts
-        id: prepareArtifacts
-        run: |
-          OUTDIR=android-kernel/out/${{ inputs.version }}/dist
-          if [ ! -e $OUTDIR ]; then
-            OUTDIR=android-kernel/dist
-          fi
-          mkdir output
-          if [ "${{ inputs.build_lkm}}" = "true" ]; then
-            llvm-strip-15 -d $OUTDIR/kernelsu.ko
-            mv $OUTDIR/kernelsu.ko ./output/${{ inputs.version }}_kernelsu.ko
-          else
-            cp $OUTDIR/Image ./output/
-            cp $OUTDIR/Image.lz4 ./output/
-            git clone https://github.com/Kernel-SU/AnyKernel3
-            rm -rf ./AnyKernel3/.git
-            cp $OUTDIR/Image ./AnyKernel3/
-          fi
-
-      - name: Upload Image and Image.gz
-        uses: actions/upload-artifact@v4
-        if: ${{ inputs.build_lkm == false }}
-        with:
-          name: Image-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
-          path: ./output/*
-
-      - name: Upload AnyKernel3
-        if: ${{ inputs.build_lkm == false }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
-          path: ./AnyKernel3/*
-
-      - name: Upload LKM
-        uses: actions/upload-artifact@v4
-        if: ${{ inputs.build_lkm == true }}
-        with:
-          name: ${{ inputs.version }}-lkm
-          path: ./output/*_kernelsu.ko

.github/workflows/ksud.yml

@@ -1,55 +0,0 @@
-name: Build ksud
-on:
-  workflow_call:
-    inputs:
-      target:
-        required: true
-        type: string
-      os:
-        required: false
-        type: string
-        default: ubuntu-latest
-      pack_lkm:
-        required: false
-        type: boolean
-        default: true
-      use_cache:
-        required: false
-        type: boolean
-        default: true
-env:
-  CARGO_TERM_COLOR: always
-jobs:
-  build:
-    runs-on: ${{ inputs.os }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-
-    - name: Download artifacts
-      uses: actions/download-artifact@v4
-    
-    - name: Prepare LKM fies
-      if: ${{ inputs.pack_lkm }}
-      run: |
-        cp android*-lkm/*_kernelsu.ko ./userspace/ksud/bin/aarch64/
-        
-    - name: Setup rustup
-      run: |
-        rustup update stable
-        rustup target add x86_64-apple-darwin
-        rustup target add aarch64-apple-darwin
-
-    - name: Install cross
-      run: |
-        RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
-
-    - name: Build ksud
-      run: CROSS_NO_WARNINGS=0 cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
-
-    - name: Upload ksud artifact
-      uses: actions/upload-artifact@v4
-      with:
-        name: ksud-${{ inputs.target }}
-        path: userspace/ksud/target/**/release/ksud*

.github/workflows/rustfmt.yml

@@ -1,33 +0,0 @@
-name: Rustfmt check
-
-on:
-  push:
-    branches:
-      - 'main'
-    paths:
-      - '.github/workflows/rustfmt.yml'
-      - 'userspace/ksud/**'
-  pull_request:
-    branches:
-      - 'main'
-    paths:
-      - '.github/workflows/rustfmt.yml'
-      - 'userspace/ksud/**'
-
-permissions:
-  checks: write
-
-jobs:
-  format:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: dtolnay/rust-toolchain@nightly
-        with:
-          components: rustfmt
-
-      - uses: LoliGothick/rustfmt-check@master
-        with:
-          token: ${{ github.token }}
-          working-directory: userspace/ksud

.github/workflows/shellcheck.yml

@@ -1,27 +0,0 @@
-name: ShellCheck
-
-on:
-  push:
-    branches:
-      - 'main'
-    paths:
-      - '.github/workflows/shellcheck.yml'
-      - '**/*.sh'
-  pull_request:
-    branches:
-      - 'main'
-    paths:
-      - '.github/workflows/shellcheck.yml'
-      - '**/*.sh'
-
-jobs:
-  shellcheck:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@2.0.0
-        with:
-          ignore_names: gradlew
-          ignore_paths: ./userspace/ksud/src/installer.sh

.github/workflows/user_scanner.yml

@@ -1,40 +0,0 @@
-name: Build user_scanner
-
-on:
-  push:
-    branches: [ "mian" ]
-    paths:
-      - '.github/workflows/user_scanner.yml'
-      - 'userspace/user_scanner/**'
-  workflow_dispatch:
-  workflow_call:
-    inputs:
-      target:
-        required: true
-        type: string
-      os:
-        required: false
-        type: string
-        default: self-hosted
-
-jobs:
-  build-user_scanner:
-    name: Build userspace user_scanner
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Build user_scanner
-        working-directory: ./userspace/user_scanner
-        run: |
-          $ANDROID_NDK_HOME/ndk-build
-
-      - name: Upload a Build Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: userscanner-all-linux-android
-          path: ./userspace/user_scanner/libs

.gitignore

@@ -1,3 +1 @@
-.idea
-CLAUDE.md
-.DS_Store
+manager

SECURITY.md

@@ -1,7 +0,0 @@
-# Reporting Security Issues
-
-The KernelSU team and community take security bugs in KernelSU seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
-
-To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/tiann/KernelSU/security/advisories/new) tab, or you can mailto [weishu](mailto:twsxtd@gmail.com) directly.
-
-The KernelSU team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

crowdin.yml

@@ -1,6 +0,0 @@
-project_id_env: CROWDIN_PROJECT_ID
-api_token_env: CROWDIN_API_TOKEN
-preserve_hierarchy: 1
-files:
-  - source: /manager/app/src/main/res/values/strings.xml
-    translation: /manager/app/src/main/res/values-%two_letters_code%/strings.xml

docs/README.md

@@ -1,102 +0,0 @@
-# SukiSU Ultra
-<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
-
-
-**English** | [简体中文](./zh/README.md) | [日本語](./ja/README.md) | [Türkçe](./tr/README.md)
-
-A kernel-based root solution for Android devices, forked from [`tiann/KernelSU`](https://github.com/tiann/KernelSU), and added some interesting changes.
-
-[![Latest release](https://img.shields.io/github/v/release/SukiSU-Ultra/SukiSU-Ultra?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/Sukiksu)
-[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
-
-## Features
-
-1. Kernel-based `su` and root access management
-2. Module system based on [Magic Mount](https://github.com/5ec1cff/KernelSU)
-   > **Note:** SukiSU now delegates all module mounting to the installed *metamodule*; the core no longer handles mount operations.
-3. [App Profile](https://kernelsu.org/guide/app-profile.html): Lock up the root power in a cage
-4. Support non-GKI and GKI 1.0
-5. KPM Support
-6. Tweaks to the manager theme and the built-in susfs management tool.
-
-## Compatibility Status
-
-- KernelSU (before v1.0.0) officially supports Android GKI 2.0 devices (kernel 5.10+).
-
-- Older kernels (4.4+) are also compatible, but the kernel will have to be built manually.
-
-- With more backports, KernelSU can supports 3.x kernel (3.4-3.18).
-
-- Currently, only `arm64-v8a`, `armeabi-v7a (bare)` and `X86_64`(some) are supported.
-
-## Installation
-
-See [`guide/installation.md`](guide/installation.md)
-
-## Integration
-
-See [`guide/how-to-integrate.md`](guide/how-to-integrate.md)
-
-## Translation
-
-If you need to submit a translation for the manager, please go to [Crowdin](https://crowdin.com/project/SukiSU-Ultra).
-
-## KPM Support
-
-- Based on KernelPatch, we removed features redundant with KSU and retained only KPM support.
-- Work in Progress: Expanding APatch compatibility by integrating additional functions to ensure compatibility across different implementations.
-
-**Open-source repository**: [https://github.com/ShirkNeko/SukiSU_KernelPatch_patch](https://github.com/ShirkNeko/SukiSU_KernelPatch_patch)
-
-**KPM template**: [https://github.com/udochina/KPM-Build-Anywhere](https://github.com/udochina/KPM-Build-Anywhere)
-
-> [!Note]
->
-> 1. Requires `CONFIG_KPM=y`
-> 2. Non-GKI devices requires `CONFIG_KALLSYMS=y` and `CONFIG_KALLSYMS_ALL=y`
-> 3. For kernels below `4.19`, backporting from `set_memory.h` from `4.19` is required.
-
-## Troubleshooting
-
-1. Device stuck upon manager app uninstallation?
-   Uninstall _com.sony.playmemories.mobile_
-
-## Sponsor
-
-- [ShirkNeko](https://afdian.com/a/shirkneko) (maintainer of SukiSU)
-- [weishu](https://github.com/sponsors/tiann) (author of KernelSU)
-
-## ShirkNeko's sponsorship list
-
-- [Ktouls](https://github.com/Ktouls) Thanks so much for bringing me support.
-- [zaoqi123](https://github.com/zaoqi123) Thanks for the milk tea.
-- [wswzgdg](https://github.com/wswzgdg) Many thanks for supporting this project.
-- [yspbwx2010](https://github.com/yspbwx2010) Many thanks.
-- [DARKWWEE](https://github.com/DARKWWEE) 100 USDT
-- [Saksham Singla](https://github.com/TypeFlu) Provide and maintain the website
-- [OukaroMF](https://github.com/OukaroMF) Donation of website domain name
-
-## License
-
-- The file in the “kernel” directory is under [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) license.
-- The images of the files `ic_launcher(?!.*alt.*).*` with anime character sticker are copyrighted by [怡子曰曰](https://space.bilibili.com/10545509), the Brand Intellectual Property in the images is owned by [明风 OuO](https://space.bilibili.com/274939213), and the vectorization is done by @MiRinChan. Before using these files, in addition to complying with [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt), you also need to comply with the authorization of the two authors to use these artistic contents.
-- Except for the files or directories mentioned above, all other parts are under [GPL-3.0 or later](https://www.gnu.org/licenses/gpl-3.0.html) license.
-
-## Credit
-
-- [KernelSU](https://github.com/tiann/KernelSU): upstream
-- [MKSU](https://github.com/5ec1cff/KernelSU): Magic Mount
-- [RKSU](https://github.com/rsuntk/KernelsU): support non-GKI
-- [susfs](https://gitlab.com/simonpunk/susfs4ksu): An addon root hiding kernel patches and userspace module for KernelSU.
-- [KernelPatch](https://github.com/bmax121/KernelPatch): KernelPatch is a key part of the APatch implementation of the kernel module
-
-<details>
-<summary>KernelSU's credit</summary>
-
-- [Kernel-Assisted Superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): The KernelSU idea.
-- [Magisk](https://github.com/topjohnwu/Magisk): The powerful root tool.
-- [genuine](https://github.com/brevent/genuine/): APK v2 signature validation.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): Some rootkit skills.
-</details>

docs/guide/how-to-integrate.md

@@ -1,97 +0,0 @@
-# Integrate
-
-SukiSU can be integrated into both _GKI_ and _non-GKI_ kernels and has been backported to _4.14_.
-
-<!-- It should be 3.4, but backslashxx's syscall manual hook cannot use in SukiSU-->
-
-Some OEMs' customization could result in as much as 50% of kernel code being out-of-tree code and not from upstream Linux kernels or ACKs. Due to this, the custom nature of _non-GKI_ kernels resulted in significant kernel fragmentation, and we lacked a universal method for building them. Therefore, we cannot provide boot images of _non-GKI_ kernels.
-
-Prerequisites: open source bootable kernel.
-
-### Hook method
-
-1. **KPROBES hook:**
-
-   - Default hook method on GKI kernels.
-   - Requires `# CONFIG_KSU_MANUAL_HOOK is not set` & `CONFIG_KPROBES=y`
-   - Used for Loadable Kernel Module (LKM).
-
-2. **Manual hook:**
-
-   <!-- - backslashxx's syscall manual hook: https://github.com/backslashxx/KernelSU/issues/5 (v1.5 version is not available at the moment, if you want to use it, please use v1.4 version, or standard KernelSU hooks)-->
-
-   - Requires `CONFIG_KSU_MANUAL_HOOK=y`
-   - Requires [`guide/how-to-integrate.md`](guide/how-to-integrate.md)
-   - Requires [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source)
-
-3. **Tracepoint Hook:**
-
-   - Hook method introduced since SukiSU commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124)
-   - Requires `CONFIG_KSU_TRACEPOINT_HOOK=y`
-   - Requires [`guide/tracepoint-hook.md`](tracepoint-hook.md)
-
-<!-- This part refer to [rsuntk/KernelSU](https://github.com/rsuntk/KernelSU). -->
-
-If you're able to build a bootable kernel, there are two ways to integrate KernelSU into the kernel source code:
-
-1. Automatically with `kprobe`
-2. Manually
-
-## Integrate with kprobe
-
-Applicable:
-
-- _GKI_ kernel
-
-Not applicable:
-
-- _non-GKI_ kernel
-
-KernelSU uses kprobe to do kernel hooks. If kprobe runs well in your kernel, it's recommended to use it this way.
-
-Please refer to this document [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#integrate-with-kprobe). Although it is titled “for _non-GKI_,” it only applies to _GKI_.
-
-The execution command for the step that adds KernelSU to your kernel source tree is replaced with:
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-## Manually modify the kernel source
-
-Applicable:
-
-- GKI kernel
-- non-GKI kernel
-
-Please refer to this document [https://github.com/~ (Integrate for non-GKI)](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source) and [https://github.com/~ (Build for GKI)](https://kernelsu.org/zh_CN/guide/how-to-build.html) to integrate manually, although first link is titled “for non-GKI,” it also applies to GKI. It can work on them both.
-
-There is another way to integrate but still work in the process.
-
-<!-- It is backslashxx's syscall manual hook, but it cannot be used now. -->
-
-Run command for the step that adds KernelSU(SukiSU) to your kernel source tree is replaced with:
-
-### GKI kernel
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-### non-GKI kernel
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s nongki
-```
-
-### GKI / non-GKI kernel with susfs (experiment)
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s susfs-{{branch}}
-```
-
-Branch:
-
-- `main` (susfs-main)
-- `test` (susfs-test)
-- version (for example: susfs-1.5.7, you should check the [branches](https://github.com/SukiSU-Ultra/SukiSU-Ultra/branches))

docs/guide/installation.md

@@ -1,34 +0,0 @@
-# Installation
-
-You can go to [KernelSU Documentation - Installation](https://kernelsu.org/guide/installation.html) for a reference on how to install it, here are just additional instructions.
-
-## Installation by loading the Loadable Kernel Module(LKM)
-
-See [KernelSU Documentation - LKM Installation](https://kernelsu.org/guide/installation.html#lkm-installation)
-
-Beginning with **Android™** (trademark meaning licensed Google Mobile Services) 12, devices shipping with kernel version 5.10 or higher must ship with the GKI kernel. You may be able to use LKM mode.
-
-## Installation by installing the kernel
-
-See [KernelSU Documentation - GKI mode Installation](https://kernelsu.org/guide/installation.html#gki-mode-installation)
-
-We provide pre-built kernels for you to use:
-
-- [ShirkNeko flavor kernel](https://github.com/ShirkNeko/GKI_KernelSU_SUSFS) (add ZRAM compression algorithm patch, susfs, KPM. Works on many devices.)
-- [MiRinFork flavored kernel](https://github.com/MiRinFork/GKI_SukiSU_SUSFS) (adds susfs, KPM. Closest kernel to GKI, works on most devices.)
-
-Although some devices can be installed using LKM mode, they cannot be installed on the device by using the GKI kernel; therefore, the kernel needs to be modified manually to compile it. For example:
-
-- OPPO(OnePlus, REALME)
-- Meizu
-
-Also, we provide pre-built kernels for your OnePlus device to use:
-
-- [ShirkNeko/Action_OnePlus_MKSU_SUSFS](https://github.com/ShirkNeko/Action_OnePlus_MKSU_SUSFS) (add ZRAM compression algorithm patch, susfs, KPM.)
-
-Using the link above, Fork into GitHub Action, fill in the build parameters, compile, and finally flush in the zip with the AnyKernel3 suffix.
-
-> [!Note]
->
-> - You only need to fill in the first two parts of the version number, e.g. `5.10`, `6.1`...
-> - Make sure you know the processor designation, kernel version, etc. before you use it.

docs/guide/tracepoint-hook.md

@@ -1,239 +0,0 @@
-# Tracepoint Hook Integration
-
-## Introduction
-
-Since commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124), SukiSU has introduced Tracepoint Hook
-
-This Hook theoretically has lower performance overhead compared to Kprobes Hook, but is inferior to Manual Hook / Syscall Hook
-
-> [!NOTE]
-> This tutorial references the syscall hook v1.4 version from [backslashxx/KernelSU#5](https://github.com/backslashxx/KernelSU/issues/5), as well as the original KernelSU's [Manual Hook](https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source)
-
-## Guide
-
-### execve Hook (`exec.c`)
-
-Generally need to modify the `do_execve` and `compat_do_execve` methods in `fs/exec.c`
-
-```patch
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -78,6 +78,10 @@
- #include <trace/hooks/sched.h>
- #endif
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- EXPORT_TRACEPOINT_SYMBOL_GPL(task_rename);
- 
- static int bprm_creds_from_file(struct linux_binprm *bprm);
-@@ -2037,6 +2041,9 @@ static int do_execve(struct filename *filename,
- {
- 	struct user_arg_ptr argv = { .ptr.native = __argv };
- 	struct user_arg_ptr envp = { .ptr.native = __envp };
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0);
-+#endif
- 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
- }
- 
-@@ -2064,6 +2071,9 @@ static int compat_do_execve(struct filename *filename,
- 		.is_compat = true,
- 		.ptr.compat = __envp,
- 	};
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0); // 32-bit su and 32-on-64 support
-+#endif
- 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
- }
-```
-
-### faccessat Hook (`open.c`)
-
-Generally need to modify the `do_faccessat` method in `/fs/open.c` 
-
-```patch
---- a/fs/open.c
-+++ b/fs/open.c
-@@ -37,6 +37,10 @@
- #include "internal.h"
- #include <trace/hooks/syscall_check.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- int do_truncate(struct user_namespace *mnt_userns, struct dentry *dentry,
- 		loff_t length, unsigned int time_attrs, struct file *filp)
- {
-@@ -468,6 +472,9 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla
- 
- SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
- {
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
-+#endif
- 	return do_faccessat(dfd, filename, mode, 0);
- }
-```
-
-If there's no `do_faccessat` method, you can find the `faccessat` SYSCALL definition (for kernels earlier than 4.17)
-
-```patch
---- a/fs/open.c
-+++ b/fs/open.c
-@@ -31,6 +31,9 @@
- #include <linux/ima.h>
- #include <linux/dnotify.h>
- #include <linux/compat.h>
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
- 
- #include "internal.h"
- 
-@@ -369,6 +372,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
- 	int res;
- 	unsigned int lookup_flags = LOOKUP_FOLLOW;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
-+#endif
- 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
- 		return -EINVAL;
-```
-
-### sys_read Hook (`read_write.c`)
-
-Need to modify the `sys_read` method in `fs/read_write.c` (4.19 and above)
-
-```patch
---- a/fs/read_write.c
-+++ b/fs/read_write.c
-@@ -25,6 +25,10 @@
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- const struct file_operations generic_ro_fops = {
- 	.llseek		= generic_file_llseek,
- 	.read_iter	= generic_file_read_iter,
-@@ -630,6 +634,9 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count)
- 
- SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
- {
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_sys_read_hook(fd, &buf, &count);
-+#endif
- 	return ksys_read(fd, buf, count);
- }
-```
-
-Or the `read` SYSCALL definition (4.14 and below)
-
-```patch
---- a/fs/read_write.c
-+++ b/fs/read_write.c
-@@ -25,6 +25,11 @@
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
-+
- const struct file_operations generic_ro_fops = {
- 	.llseek		= generic_file_llseek,
- 	.read_iter	= generic_file_read_iter,
-@@ -575,6 +580,9 @@ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
- 
- 	if (f.file) {
- 		loff_t pos = file_pos_read(f.file);
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+		trace_ksu_trace_sys_read_hook(fd, &buf, &count);
-+#endif
- 		ret = vfs_read(f.file, buf, count, &pos);
- 		if (ret >= 0)
- 			file_pos_write(f.file, pos);
-```
-
-### fstatat Hook (`stat.c`)
-
-Need to modify the `newfstatat` SYSCALL definition in `stat.c`
-
-If 32-bit support is needed, also need to modify the `statat64` SYSCALL definition
-
-```patch
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -24,6 +24,10 @@
- #include "internal.h"
- #include "mount.h"
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- /**
-  * generic_fillattr - Fill in the basic attributes from the inode struct
-  * @mnt_userns:	user namespace of the mount the inode was found from
-@@ -408,6 +412,10 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
- 	struct kstat stat;
- 	int error;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag);
-+#endif
-+
- 	error = vfs_fstatat(dfd, filename, &stat, flag);
- 	if (error)
- 		return error;
-@@ -559,6 +567,10 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
- 	struct kstat stat;
- 	int error;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag); /* 32-bit su support */
-+#endif
-+
- 	error = vfs_fstatat(dfd, filename, &stat, flag);
- 	if (error)
- 		return error;
-```
-
-### input Hook (`input.c`, for entering KSU built-in security mode)
-
-Need to modify the `input_event` method in `drivers/input/input.c`, not `input_handle_event`
-
-```patch
---- a/drivers/input/input.c
-+++ b/drivers/input/input.c
-@@ -26,6 +26,10 @@
- #include "input-compat.h"
- #include "input-poller.h"
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- MODULE_AUTHOR("Vojtech Pavlik <vojtech@suse.cz>");
- MODULE_DESCRIPTION("Input core");
- MODULE_LICENSE("GPL");
-@@ -451,6 +455,10 @@ void input_event(struct input_dev *dev,
- {
- 	unsigned long flags;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_input_hook(&type, &code, &value);
-+#endif
-+
- 	if (is_event_supported(type, dev->evbit, EV_MAX)) {
- 
- 		spin_lock_irqsave(&dev->event_lock, flags);
-```

docs/ja/README.md

@@ -1,153 +0,0 @@
-# SukiSU Ultra
-<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
-
-
-[English](../README.md) | [简体中文](../zh/README.md) | **日本語** | [Türkçe](../tr/README.md)
-
-[KernelSU](https://github.com/tiann/KernelSU) をベースとした Android デバイスの root ソリューション
-
-**試験中なビルドです！自己責任で使用してください！**<br>
-このソリューションは [KernelSU](https://github.com/tiann/KernelSU) に基づいていますが、試験中なビルドです。
-
-> これは非公式なフォークです。すべての権利は [@tiann](https://github.com/tiann) に帰属します。
->
-> ただし、将来的には KSU とは別に管理されるブランチとなる予定です。
-
-## 追加する方法
-
-メインブランチを使用 (非 GKI のデバイスのビルドは非対応) (susfs を手動で統合が必要)
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-非 GKI のデバイスに対応するブランチを使用 (susfs を手動で統合が必要)
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s nongki
-```
-
-## 統合された susfs の使い方
-
-1. susfs-main または他の susfs-\* ブランチを直接で使用、susfs の統合は不要 (非 GKI デバイスのビルドに対応)
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s susfs-main
-```
-
-## フックの方式
-
-- この方式は (https://github.com/rsuntk/KernelSU) のフック方式を参照してください。
-
-1. **KPROBES でフック:**
-
-   - 読み込み可能なカーネルモジュールの場合 (LKM)
-   - GKI カーネルのデフォルトとなるフック方式
-   - `CONFIG_KPROBES=y` が必要です
-
-2. **手動でフック:**
-   - 標準の KernelSU フック: https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source
-   - backslashxx syscall フック: https://github.com/backslashxx/KernelSU/issues/5
-   - 非 GKI カーネル用のデフォルトフック方式
-   - `CONFIG_KSU_MANUAL_HOOK=y` が必要です
-
-## KPM に対応
-
-- KernelPatch に基づいて重複した KSU の機能を削除、KPM の対応を維持させています。
-- KPM 機能の整合性を確保するために、APatch の互換機能を更に向上させる予定です。
-
-オープンソースアドレス: https://github.com/ShirkNeko/SukiSU_KernelPatch_patch
-
-KPM テンプレートのアドレス: https://github.com/udochina/KPM-Build-Anywhere
-
-> [!Note]
->
-> 1. `CONFIG_KPM=y` が必要です。
-> 2. 非 GKI デバイスには `CONFIG_KALLSYMS=y` と `CONFIG_KALLSYMS_ALL=y` も必要です。
-> 3. いくつかのカーネル `4.19` およびそれ以降のソースコードでは、 `4.19` からバックポートされた `set_memory.h` ヘッダーファイルも必要です。
-
-## ROOT を保持した状態でのシステムアップデートの方法
-
-- 始めに OTA 後すぐに再起動せずにマネージャーのカーネルのフラッシュ、パッチのインターフェースを開いて`GKI/非 GKI のインストール`を見つけます。フラッシュする AnyKernel3 の zip ファイルを選択し、フラッシュする実行中のスロットと逆のスロットを選択後に再起動をして GKI モードの更新が保持できます (この方法はすべての非 GKI のデバイスが対応している訳ではないので、自分でお試しください。これは非 GKI のデバイスで TWRP を使用する最も安全な方法です)。
-- または LKM モードを使用して未使用のスロットにインストールします (OTA 後)。
-
-## 互換性の状態
-
-- KernelSU (v1.0.0 より前) は Android GKI 2.0 のデバイス (カーネル 5.10 以降) を公式に対応しています。
-
-- 古いカーネル (4.4 以降) も互換性がありますが、カーネルを手動で再ビルドする必要があります。
-
-- KernelSU は追加のリバースポートを通じて 3.x カーネル (3.4-3.18) で対応可能です。
-
-- 現在 `arm64-v8a`, `armeabi-v7a (bare)` および一部の `X86_64` に対応しています。
-
-## その他のリンク
-
-**マネージャーの翻訳を行う場合** https://crowdin.com/project/SukiSU-Ultra
-
-- [その他パッチ済み GKI](https://github.com/ShirkNeko/GKI_KernelSU_SUSFS) ZRAM パッチ、KPM、susfs が含まれています...
-- [パッチの少ない GKI](https://github.com/MiRinFork/GKI_SukiSU_SUSFS/releases) susfs のみ
-- [OnePlus](https://github.com/ShirkNeko/Action_OnePlus_MKSU_SUSFS)
-
-## 使い方
-
-### Universal GKI
-
-**すべて**参照してください https://kernelsu.org/ja_JP/guide/installation.html
-
-> [!Note]
->
-> 1. Xiaomi、Redmi、Samsung などの GKI 2.0 を搭載したデバイス向け (Meizu、OnePlus、Zenith、Oppo などカーネルが変更されているメーカーを除く)
-> 2. GKI のビルドは[その他のリンク](#その他のリンク)から入手できます。デバイスのカーネルバージョンを確認してください。ダウンロード後に TWRP またはカーネルフラッシュツールを使用して AnyKernel3 の接頭辞を持つ zip ファイルをフラッシュしてください。Pixel のユーザーは、パッチの少ない GKI を使用する必要があります。
-> 3. 接頭辞のない .zip アーカイブは圧縮されていません。.gz の接頭辞は Tenguet モデルで使用される圧縮になります。
-
-### OnePlus
-
-1. `その他のリンク`の項目に記載されているリンクを開き、デバイス情報を使用してカスタマイズされたカーネルをビルドし、AnyKernel3 の接頭辞を持つ .zip ファイルをフラッシュします。
-
-> [!Note]
->
-> - 5.10、5.15、6.1、6.6 などのカーネルバージョンの最初の 2 文字のみを入力する必要があります。
-> - SoC のコードネームは自分で検索してください。通常は、数字がなく英語表記のみです。
-> - ブランチと構成ファイルは、OnePlus オープンソースカーネルリポジトリから見つけることができます。
-
-## 機能
-
-1. カーネルベースな `su` および root アクセスの管理。
-2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) モジュールシステムではなく、 5ec1cff 氏の [Magic Mount](https://github.com/5ec1cff/KernelSU) に基づいています。
-3. [アプリプロファイル](https://kernelsu.org/guide/app-profile.html): root 権限をケージ内にロックします。
-4. 非 GKI / GKI 1.0 の対応を復活
-5. その他のカスタマイズ
-6. KPM カーネルモジュールに対応
-
-## トラブルシューティング
-
-1. KernelSU Manager のアンインストールが停止してしまう → com.sony.playmemories.mobile のアプリをアンインストールしてください。
-
-## ライセンス
-
-- 「kernel」のディレクトリ内のファイルは [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) のライセンスに基づいています。
-- アニメキャラクター画像とスタンプを含むこれらのファイルの `ic_launcher(?!.*alt.*).*` は[怡子曰曰](https://space.bilibili.com/10545509)によって著作権保護されており、画像の Brand Intellectual Property は[明风 OuO](https://space.bilibili.com/274939213)によって所有され、ベクター化は @MiRinChan によって行われています。 これらのファイルを使用する前に、[Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt)を遵守することに加えて、アートコンテンツを使用するために前の 2 人の作者から許可を得る必要があります。
-- 上記のファイルまたはディレクトリを除き、その他のすべての部分は[GPL-3.0 以降](https://www.gnu.org/licenses/gpl-3.0.html)です。
-
-## スポンサーシップの一覧
-
-- [Ktouls](https://github.com/Ktouls) 応援してくれてありがとう
-- [zaoqi123](https://github.com/zaoqi123) ミルクティーを買ってあげるのも良い考えですね
-- [wswzgdg](https://github.com/wswzgdg) このプロジェクトにご支援いただき、ありがとうございます
-- [yspbwx2010](https://github.com/yspbwx2010) ありがとうございます
-- [DARKWWEE](https://github.com/DARKWWEE) ラオスから 100 USDT の支援に感謝します
-- [Saksham Singla](https://github.com/TypeFlu) ウェブサイトの提供とメンテナンス
-- [OukaroMF](https://github.com/OukaroMF) ウェブサイトのドメインと寄付
-
-## 貢献者
-
-- [KernelSU](https://github.com/tiann/KernelSU): オリジナルのプロジェクト
-- [MKSU](https://github.com/5ec1cff/KernelSU): 使用しているプロジェクト
-- [RKSU](https://github.com/rsuntk/KernelsU): このプロジェクトのカーネルを使用した非 GKI デバイスのサポートの再導入
-- [susfs](https://gitlab.com/simonpunk/susfs4ksu): susfs ファイルシステムの使用
-- [KernelSU](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU の概念化
-- [Magisk](https://github.com/topjohnwu/Magisk): パワフルな root ユーティリティ
-- [genuine](https://github.com/brevent/genuine/): APK v2 署名認証
-- [Diamorphine](https://github.com/m0nad/Diamorphine): いくつかの root キットユーティリティ
-- [KernelPatch](https://github.com/bmax121/KernelPatch): KernelPatch はカーネルモジュールの APatch 実装の重要な部分での活用

docs/tr/README.md

@@ -1,151 +0,0 @@
-# SukiSU Ultra
-<img align='right' src='SukiSU-mini.svg' width='250px' alt="sukisu logo">
-
-
-[English](../README.md) | [简体中文](../zh/README.md) | [日本語](../ja/README.md) | **Türkçe**
-
-[KernelSU](https://github.com/tiann/KernelSU) tabanlı Android cihaz root çözümü
-
-**Deneysel! Kullanım riski size aittir!**
-
-> Bu resmi olmayan bir daldır, tüm hakları saklıdır [@tiann](https://github.com/tiann)
->
-> Ancak, gelecekte ayrı bir KSU dalı olarak devam edeceğiz
-
-## Nasıl Eklenir
-
-Çekirdek kaynak kodunun kök dizininde aşağıdaki komutları çalıştırın:
-
-Ana dalı kullanın (GKI olmayan cihazlar için desteklenmez)
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-GKI olmayan cihazları destekleyen dalı kullanın
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s nongki
-```
-
-## susfs Nasıl Entegre Edilir
-
-1. Doğrudan susfs-main veya susfs-\* dalını kullanın, susfs entegrasyonuna gerek yok
-
-```
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s susfs-main
-```
-
-## Kanca Yöntemleri
-
-- Bu bölüm [rsuntk\'nin kanca yöntemlerinden](https://github.com/rsuntk/KernelSU) alıntılanmıştır
-
-1. **KPROBES Kancası:**
-
-   - Yüklenebilir çekirdek modülleri (LKM) için kullanılır
-   - GKI 2.0 çekirdeğinin varsayılan kanca yöntemi
-   - `CONFIG_KPROBES=y` gerektirir
-
-2. **Manuel Kanca:**
-   - Standart KernelSU kancası: https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source
-   - backslashxx\'nin syscall manuel kancası: https://github.com/backslashxx/KernelSU/issues/5
-   - GKI olmayan çekirdeğin varsayılan kanca yöntemi
-   - `CONFIG_KSU_MANUAL_HOOK=y` gerektirir
-
-## KPM Desteği
-
-- KernelPatch tabanlı olarak KSU ile çakışan işlevleri kaldırdık ve yalnızca KPM desteğini koruduk
-- APatch ile daha fazla uyumlu fonksiyon ekleyerek KPM işlevlerinin bütünlüğünü sağlayacağız
-
-Kaynak kodu: https://github.com/ShirkNeko/SukiSU_KernelPatch_patch
-
-KPM şablonu: https://github.com/udochina/KPM-Build-Anywhere
-
-> [!Note]
->
-> 1. `CONFIG_KPM=y` gerektirir
-> 2. GKI olmayan cihazlar ayrıca `CONFIG_KALLSYMS=y` ve `CONFIG_KALLSYMS_ALL=y` gerektirir
-> 3. Bazı çekirdek `4.19` altı kaynak kodları, `4.19`dan geri taşınan başlık dosyası `set_memory.h` gerektirir
-
-## Sistem Güncellemesini Yaparak ROOT\'u Koruma
-
-- OTA\'dan sonra hemen yeniden başlatmayın, yöneticiye girin ve çekirdek yazma/onarma arayüzüne gidin, `GKI/non_GKI yükleme` seçeneğini bulun ve Anykernel3 çekirdek sıkıştırma dosyasını seçin, şu anda sistemin çalıştığı yuva ile zıt yuvaya yazın ve yeniden başlatın, böylece GKI modu güncellemesini koruyabilirsiniz (şu anda tüm GKI olmayan cihazlar bu yöntemi desteklemiyor, lütfen kendiniz deneyin. GKI olmayan cihazlar için TWRP kullanmak en güvenlidir)
-- Veya kullanılmayan yuvaya LKM modunu kullanarak yükleyin (OTA\'dan sonra)
-
-## Uyumluluk Durumu
-
-- KernelSU (v1.0.0 öncesi sürümler) resmi olarak Android GKI 2.0 cihazlarını destekler (çekirdek 5.10+)
-
-- Eski çekirdekler (4.4+) de uyumludur, ancak çekirdeği manuel olarak oluşturmanız gerekir
-
-- Daha fazla geri taşımayla KernelSU, 3.x çekirdeğini (3.4-3.18) destekleyebilir
-
-- Şu anda `arm64-v8a`, `armeabi-v7a (bare)` ve bazı `X86_64` desteklenmektedir
-
-## Daha Fazla Bağlantı
-
-SukiSU ve susfs tabanlı derlenen projeler
-
-- [GKI](https://github.com/ShirkNeko/GKI_KernelSU_SUSFS)
-- [OnePlus](https://github.com/ShirkNeko/Action_OnePlus_MKSU_SUSFS)
-
-## Kullanım Yöntemi
-
-### Evrensel GKI
-
-Lütfen **tümünü** https://kernelsu.org/zh_CN/guide/installation.html adresinden inceleyin
-
-> [!Note]
->
-> 1. Xiaomi, Redmi, Samsung gibi GKI 2.0 cihazlar için uygundur (Meizu, OnePlus, Realme ve Oppo gibi değiştirilmiş çekirdekli üreticiler hariç)
-> 2. [Daha fazla bağlantı](#daha-fazla-bağlantı) bölümündeki GKI tabanlı projeleri bulun. Cihaz çekirdek sürümünü bulun. Ardından indirin ve TWRP veya çekirdek yazma aracı kullanarak AnyKernel3 soneki olan sıkıştırılmış paketi yazın
-> 3. Genellikle sonek olmayan .zip sıkıştırılmış paketler sıkıştırılmamıştır, gz soneki olanlar ise Dimensity modelleri için kullanılan sıkıştırma yöntemidir
-
-### OnePlus
-
-1. Daha fazla bağlantı bölümündeki OnePlus projesini bulun ve kendiniz doldurun, ardından bulut derleme yapın ve AnyKernel3 soneki olan sıkıştırılmış paketi yazın
-
-> [!Note]
->
-> - Çekirdek sürümü için yalnızca ilk iki haneyi doldurmanız yeterlidir, örneğin 5.10, 5.15, 6.1, 6.6
-> - İşlemci kod adını kendiniz arayın, genellikle tamamen İngilizce ve sayı içermeden oluşur
-> - Dal ve yapılandırma dosyasını kendiniz OnePlus çekirdek kaynak kodundan doldurun
-
-## Özellikler
-
-1. Çekirdek tabanlı `su` ve root erişim yönetimi
-2. 5ec1cff\'nin [Magic Mount](https://github.com/5ec1cff/KernelSU) tabanlı modül sistemi
-3. [App Profile](https://kernelsu.org/guide/app-profile.html): root yetkilerini kafeste kilitleyin
-4. GKI 2.0 olmayan çekirdekler için desteğin geri getirilmesi
-5. Daha fazla özelleştirme özelliği
-6. KPM çekirdek modülleri için destek
-
-## Lisans
-
-- `kernel` dizinindeki dosyalar [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
-- Anime karakter ifadeleri içeren `ic_launcher(?!.*alt.*).*` dosyalarının görüntüleri [怡子曰曰](https://space.bilibili.com/10545509) tarafından telif hakkıyla korunmaktadır, görüntülerdeki Marka Fikri Mülkiyeti [明风 OuO](https://space.bilibili.com/274939213)'ye aittir ve vektörleştirme @MiRinChan tarafından yapılmıştır. Bu dosyaları kullanmadan önce, [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt) ile uyumlu olmanın yanı sıra, bu sanatsal içerikleri kullanmak için iki yazarın yetkilendirmesine de uymanız gerekir.
-- Yukarıda belirtilen dosyalar veya dizinler hariç, diğer tüm parçalar [GPL-3.0 veya üzeri](https://www.gnu.org/licenses/gpl-3.0.html)'dir.
-
-## Afdian Bağlantısı
-
-- https://afdian.com/a/shirkneko
-
-## Sponsor Listesi
-
-- [Ktouls](https://github.com/Ktouls) Bana sağladığınız destek için çok teşekkür ederim
-- [zaoqi123](https://github.com/zaoqi123) Bana sütlü çay ısmarlamanız da güzel
-- [wswzgdg](https://github.com/wswzgdg) Bu projeye olan desteğiniz için çok teşekkür ederim
-- [yspbwx2010](https://github.com/yspbwx2010) Çok teşekkür ederim
-- [DARKWWEE](https://github.com/DARKWWEE) 100 USDT için teşekkürler
-
-## Katkıda Bulunanlar
-
-- [KernelSU](https://github.com/tiann/KernelSU): Orijinal proje
-- [MKSU](https://github.com/5ec1cff/KernelSU): Kullanılan proje
-- [RKSU](https://github.com/rsuntk/KernelsU): GKI olmayan cihazlar için destek sağlayan proje
-- [susfs4ksu](https://gitlab.com/simonpunk/susfs4ksu): Kullanılan susfs dosya sistemi
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU fikri
-- [Magisk](https://github.com/topjohnwu/Magisk): Güçlü root aracı
-- [genuine](https://github.com/brevent/genuine/): APK v2 imza doğrulama
-- [Diamorphine](https://github.com/m0nad/Diamorphine): Bazı rootkit becerileri
-- [KernelPatch](https://github.com/bmax121/KernelPatch): KernelPatch, APatch\'in çekirdek modüllerini uygulamak için kritik bir parçadır

docs/zakomonochrome-128.svg

@@ -1,65 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   width="128"
-   height="128"
-   viewBox="0 0 128 128"
-   version="1.1"
-   id="svg1"
-   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
-   sodipodi:docname="zakomonochrome-128.svg"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview
-     id="namedview1"
-     pagecolor="#ffffff"
-     bordercolor="#999999"
-     borderopacity="1"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     inkscape:document-units="px"
-     inkscape:zoom="2.6185048"
-     inkscape:cx="59.957881"
-     inkscape:cy="71.032903"
-     inkscape:window-width="1280"
-     inkscape:window-height="696"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="layer1" />
-  <defs
-     id="defs1" />
-  <g
-     inkscape:label="图层 1"
-     inkscape:groupmode="layer"
-     id="layer1">
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;paint-order:fill markers stroke;fill-opacity:1"
-       id="rect1"
-       width="128"
-       height="128"
-       x="0"
-       y="0"
-       rx="7.772471"
-       ry="7.772471" />
-    <path
-       id="path101"
-       style="fill:#ffffff;fill-opacity:0.734285;stroke:#000000;stroke-width:4.27504;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
-       d="m 42.510282,81.796052 c 0,0 -7.224141,-5.638356 -10.043315,-9.338525 M 14.847106,81.97224 25.41902,71.576535 m 0.17619,-6.695549 2.819179,19.910444 M 11.675534,73.338532 38.281518,71.047931 M 43.567475,62.7666 34.40515,62.942814 M 34.22896,62.590425 33.524162,48.494537 m -18.500855,1.58577 17.972249,-1.409582 m -11.8053,-5.462154 0.352397,18.853251"
-       inkscape:label="杂" />
-    <path
-       id="path111"
-       style="fill:#ffffff;fill-opacity:0.734285;stroke:#000000;stroke-width:3.94824;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
-       d="M 55.912937,82.876745 79.671596,81.412163 M 59.330273,75.391135 74.952411,74.089291 m -9.43837,-14.157553 1.139102,14.645756 m -8.299247,-7.160159 16.273048,-1.464569 m 0.650926,8.136525 0.325472,-14.808482 m -0.162747,0.162739 -17.900363,0.976379 m 0,-0.162738 1.952774,14.645756 m 12.042061,-21.154974 1.464576,-6.346492 m 0,-0.650928 -12.042063,0.650928 m -0.650918,6.509218 0.325459,-8.787441"
-       inkscape:label="鱼" />
-    <path
-       d="m 95.08569,51.121163 c -1.90515,0.116064 -3.64694,0.97349 -4.86738,2.391307 -1.34538,1.56738 -1.91476,3.733159 -1.59523,6.070852 0.40842,2.982962 2.1502,6.17135 5.13887,9.411078 0.63424,0.68546 1.08109,1.129773 1.98202,1.967071 1.58321,1.469144 3.01507,2.634638 4.9875,4.052454 0.70392,0.50905 2.09253,1.453525 2.61627,1.781734 l 0.15133,0.09594 0.22103,-0.140663 c 0.80481,-0.515755 2.23909,-1.504852 3.08956,-2.130057 3.21689,-2.364488 5.79232,-4.737902 7.70228,-7.100167 3.09676,-3.831409 4.4133,-7.562359 3.80549,-10.773058 -0.42043,-2.210414 -1.82588,-4.039057 -3.81992,-4.967887 -0.85767,-0.399664 -1.69132,-0.607312 -2.6355,-0.656431 -1.22285,-0.0647 -2.42648,0.178619 -3.57485,0.721182 -1.95561,0.922124 -3.58927,2.719503 -4.61752,5.081755 -0.072,0.165235 -0.1394,0.310355 -0.14895,0.319295 -0.0312,0.02902 -0.0648,-0.02679 -0.19458,-0.330457 -0.30752,-0.714476 -0.91055,-1.752718 -1.38382,-2.377871 -0.4853,-0.645282 -1.2661,-1.431214 -1.84749,-1.862143 -1.50155,-1.114153 -3.26013,-1.658924 -5.00914,-1.553996 z"
-       id="path1-4"
-       style="fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.00231605" />
-  </g>
-</svg>

docs/zh/README.md

@@ -1,101 +0,0 @@
-# SukiSU Ultra
-<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
-
-
-[English](../README.md) | **简体中文** | [日本語](../ja/README.md) | [Türkçe](../tr/README.md)
-
-一个 Android 上基于内核的 root 方案，由 [`tiann/KernelSU`](https://github.com/tiann/KernelSU) 分叉而来，添加了一些有趣的变更。
-
-[![最新发行](https://img.shields.io/github/v/release/SukiSU-Ultra/SukiSU-Ultra?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![频道](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/Sukiksu)
-[![协议: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-[![GitHub 协议](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
-
-## 特性
-
-1. 基于内核的 `su` 和权限管理。
-2. 基于 [Magic Mount](https://github.com/5ec1cff/KernelSU) 的模块系统。
-3. [App Profile](https://kernelsu.org/zh_CN/guide/app-profile.html): 把 Root 权限关进笼子里。
-4. 支持 non-GKI 与 GKI 1.0。
-5. KPM 支持
-6. 可调整管理器外观，可自定义 susfs 配置。
-
-## 兼容状态
-
-- KernelSU 官方支持 GKI 2.0 的设备（内核版本 5.10 以上）。
-
-- 旧内核也是兼容的（最低 4.14+），不过需要自己编译内核。
-
-- 通过更多的反向移植，KernelSU 可以支持 3.x 内核（3.4-3.18）。
-
-- 目前支持架构 : `arm64-v8a`、`armeabi-v7a (bare)`、`X86_64`。
-
-## 安装指导
-
-查看 [`guide/installation.md`](guide/installation.md)
-
-## 集成指导
-
-查看 [`guide/how-to-integrate.md`](guide/how-to-integrate.md)
-
-## 参与翻译
-
-要将 SukiSU 翻译成您的语言，或完善现有的翻译，请使用 [Crowdin](https://crowdin.com/project/SukiSU-Ultra).
-
-## KPM 支持
-
-- 基于 KernelPatch 开发，移除了与 KernelSU 重复的功能。
-- 正在进行（WIP）：通过集成附加功能来扩展 APatch 兼容性，以确保跨不同实现的兼容性。
-
-**开源仓库**: [https://github.com/ShirkNeko/SukiSU_KernelPatch_patch](https://github.com/ShirkNeko/SukiSU_KernelPatch_patch)
-
-**KPM 模板**: [https://github.com/udochina/KPM-Build-Anywhere](https://github.com/udochina/KPM-Build-Anywhere)
-
-> [!Note]
->
-> 1. 需要 `CONFIG_KPM=y`
-> 2. Non-GKI 设备需要 `CONFIG_KALLSYMS=y` and `CONFIG_KALLSYMS_ALL=y`
-> 3. 对于低于 `4.19` 的内核，需要从 `4.19` 的 `set_memory.h` 进行反向移植。
-
-## 故障排除
-
-1. 卸载管理器后系统卡住？
-   卸载 _com.sony.playmemories.mobile_
-
-## 许可证
-
-- 目录 `kernel` 下所有文件为 [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
-- 有动漫人物图片表情包的这些文件 `ic_launcher(?!.*alt.*).*` 的图像版权为[怡子曰曰](https://space.bilibili.com/10545509)所有，图像中的知识产权由[明风 OuO](https://space.bilibili.com/274939213)所有，矢量化由 @MiRinChan 完成，在使用这些文件之前，除了必须遵守 [Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt) 以外，还需要遵守向前两者索要使用这些艺术内容的授权。
-- 除上述文件及目录的其他部分均为 [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
-
-## 赞助
-
-- [ShirkNeko](https://afdian.com/a/shirkneko) (SukiSU 主要维护者)
-- [weishu](https://github.com/sponsors/tiann) (KernelSU 作者)
-
-## ShirkNeko 的赞助列表
-
-- [Ktouls](https://github.com/Ktouls) 非常感谢你给我带来的支持
-- [zaoqi123](https://github.com/zaoqi123) 请我喝奶茶也不错
-- [wswzgdg](https://github.com/wswzgdg) 非常感谢对此项目的支持
-- [yspbwx2010](https://github.com/yspbwx2010) 非常感谢
-- [DARKWWEE](https://github.com/DARKWWEE) 感谢老哥的 100 USDT
-- [Saksham Singla](https://github.com/TypeFlu) 网站的提供以及维护
-- [OukaroMF](https://github.com/OukaroMF) 网站域名捐赠
-
-## 鸣谢
-
-- [KernelSU](https://github.com/tiann/KernelSU): 上游
-- [MKSU](https://github.com/5ec1cff/KernelSU): 魔法坐骑支持
-- [RKSU](https://github.com/rsuntk/KernelsU): non-GKI 支持
-- [susfs](https://gitlab.com/simonpunk/susfs4ksu): 隐藏内核补丁以及用户空间模组的 KernelSU 附件
-- [KernelPatch](https://github.com/bmax121/KernelPatch): KernelPatch 是内核模块 APatch 实现的关键部分
-
-<details>
-<summary>KernelSU 的鸣谢</summary>
-
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
-- [Magisk](https://github.com/topjohnwu/Magisk)：强大的 root 工具箱。
-- [genuine](https://github.com/brevent/genuine/)：apk v2 签名验证。
-- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
-</details>

docs/zh/guide/how-to-integrate.md

@@ -1,97 +0,0 @@
-# 集成指导
-
-SukiSU 可以集成到 GKI 和 non-GKI 内核中，并且已反向移植到 4.14 版本。
-
-<!-- 应该是 3.4 版本，但 backslashxx 的 syscall manual hook 无法在 SukiSU 中使用-->
-
-有些 OEM 定制可能导致多达 50% 的内核代码超出内核树代码，而非来自上游 Linux 内核或 ACK。因此，non-GKI 内核的定制特性导致了严重的内核碎片化，而且我们缺乏构建它们的通用方法。因此，我们无法提供 non-GKI 内核的启动映像。
-
-前提条件：开源的、可启动的内核。
-
-## Hook 方法
-
-1. **KPROBES hook:**
-
-   - GKI kernels 的默认 hook 方法。
-   - 需要 `# CONFIG_KSU_MANUAL_HOOK is not set`（未设定） & `CONFIG_KPROBES=y`
-   - 用作可加载的内核模块 (LKM).
-
-2. **Manual hook:**
-
-   <!-- - backslashxx's syscall manual hook: https://github.com/backslashxx/KernelSU/issues/5 (v1.5 version is not available at the moment, if you want to use it, please use v1.4 version, or standard KernelSU hooks)-->
-
-   - 需要 `CONFIG_KSU_MANUAL_HOOK=y`
-   - 需要 [`guide/how-to-integrate.md`](how-to-integrate.md)
-   - 需要 [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source)
-
-3. **Tracepoint Hook:**
-
-   - 自 SukiSU commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124) 引入的 hook 方法
-   - 需要 `CONFIG_KSU_TRACEPOINT_HOOK=y`
-   - 需要 [`guide/tracepoint-hook.md`](tracepoint-hook.md)
-   
-<!-- This part refer to [rsuntk/KernelSU](https://github.com/rsuntk/KernelSU). -->
-
-如果您能够构建可启动内核，有两种方法可以将 KernelSU 集成到内核源代码中：
-
-1. 使用 `kprobe` 自动集成
-2. 手动集成
-
-## 与 kprobe 集成
-
-适用：
-
-- GKI 内核
-
-不适用：
-
-- non-GKI 内核
-
-KernelSU 使用 kprobe 机制来做内核的相关 hook，如果 _kprobe_ 可以在你编译的内核中正常运行，那么推荐用这个方法来集成。
-
-请参阅此文档 [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#integrate-with-kprobe)。虽然标题为“适用于 non-GKI”，但仅适用于 GKI。
-
-替换 KernelSU 添加到内核源代码树的步骤的执行命令为：
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-## 手动修改内核源代码
-
-适用：
-
-- GKI 内核
-- non-GKI 内核
-
-请参考此文档 [https://github.com/~ (non-GKI 内核集成)](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source) 和 [https://github.com/~ (GKI 内核构建)](https://kernelsu.org/zh_CN/guide/how-to-build.html) 进行手动集成。虽然第一个链接的标题是“适用于 non-GKI”，但它也适用于 GKI。两者都可以正常工作。
-
-还有另一种集成方法，但是仍在开发中。
-
-<!-- 这是 backslashxx 的syscall manual hook，但目前无法使用。 -->
-
-将 KernelSU（SukiSU）添加到内核源代码树的步骤的运行命令将被替换为：
-
-### GKI 内核
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s main
-```
-
-### non-GKI 内核
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s nongki
-```
-
-### 带有 susfs 的 GKI / non-GKI 内核（实验）
-
-```sh
-curl -LSs "https://raw.githubusercontent.com/SukiSU-Ultra/SukiSU-Ultra/main/kernel/setup.sh" | bash -s susfs-{{branch}}
-```
-
-分支:
-
-- `main` (susfs-main)
-- `test` (susfs-test)
-- 版本号 (例如： susfs-1.5.7, 你需要在 [分支](https://github.com/SukiSU-Ultra/SukiSU-Ultra/branches) 里找到它)

docs/zh/guide/installation.md

@@ -1,34 +0,0 @@
-# 安装指导
-
-您可以前往 [KernelSU 文档 - 安装](https://kernelsu.org/guide/installation.html) 获取有关如何安装的参考，这里只是额外的说明。
-
-## 通过加载可加载内核模块 (LKM) 进行安装
-
-请参阅 [KernelSU 文档 - LKM 安装](https://kernelsu.org/guide/installation.html#lkm-installation)
-
-从 **Android™**（商标，意为获得 Google 移动服务的许可）12 开始，搭载内核版本 5.10 或更高版本的设备必须搭载 GKI 内核。因此你或许可以使用 LKM 模式。
-
-## 通过安装内核进行安装
-
-请参阅 [KernelSU 文档 - GKI 模式安装](https://kernelsu.org/guide/installation.html#gki-mode-installation)
-
-我们提供预编译的内核供您使用：
-
-- [ShirkNeko 内核](https://github.com/ShirkNeko/GKI_KernelSU_SUSFS)（添加了 ZRAM 压缩算法补丁、susfs 文件和 KPM 文件。适用于很多设备。）
-- [MiRinFork 内核](https://github.com/MiRinFork/GKI_SukiSU_SUSFS)（添加了 susfs 文件和 KPM 文件。最接近 GKI 的内核，适用于大多数设备。）
-
-虽然某些设备可以使用 LKM 模式安装，但无法使用 GKI 内核将其安装到设备上；因此，需要手动修改内核进行编译。例如：
-
-- 欧珀（一加、真我）
-- 魅族
-
-此外，我们还为您的 OnePlus 设备提供预编译的内核：
-
-- [ShirkNeko/Action_OnePlus_MKSU_SUSFS](https://github.com/ShirkNeko/Action_OnePlus_MKSU_SUSFS)（添加 ZRAM 压缩算法补丁、susfs 和 KPM。）
-
-使用上面的链接，Fork 到 GitHub Action，填写构建参数，进行编译，最后将 zip 文件以 AnyKernel3 后缀上传到 GitHub Action。
-
-> [!Note]
->
-> - 使用时，您只需填写版本号的前两部分，例如 `5.10`、`6.1`...
-> - 使用前请确保您了解处理器名称、内核版本等信息。

docs/zh/guide/tracepoint-hook.md

@@ -1,239 +0,0 @@
-# Tracepoint Hook 集成
-
-## 介绍
-
-自 commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124) 起，SukiSU 引入了 Tracepoint Hook
-
-该 Hook 理论上相比于 Kprobes Hook，性能开销更小，但次于 Manual Hook / Syscall Hook
-
-> [!NOTE]
-> 本教程参考了 [backslashxx/KernelSU#5](https://github.com/backslashxx/KernelSU/issues/5) 的 syscall hook v1.4 版本钩子，以及原版 KernelSU 的 [Manual Hook](https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source)
-
-## Guide
-
-### execve 钩子（`exec.c`）
-
-一般需要修改 `fs/exec.c` 的 `do_execve` 和 `compat_do_execve` 方法
-
-```patch
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -78,6 +78,10 @@
- #include <trace/hooks/sched.h>
- #endif
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- EXPORT_TRACEPOINT_SYMBOL_GPL(task_rename);
- 
- static int bprm_creds_from_file(struct linux_binprm *bprm);
-@@ -2037,6 +2041,9 @@ static int do_execve(struct filename *filename,
- {
- 	struct user_arg_ptr argv = { .ptr.native = __argv };
- 	struct user_arg_ptr envp = { .ptr.native = __envp };
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0);
-+#endif
- 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
- }
- 
-@@ -2064,6 +2071,9 @@ static int compat_do_execve(struct filename *filename,
- 		.is_compat = true,
- 		.ptr.compat = __envp,
- 	};
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0)); // 32-bit su and 32-on-64 support
-+#endif
- 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
- }
-```
-
-### faccessat 钩子 (`open.c`)
-
-一般需要修改 `/fs/open.c` 的 `do_faccessat` 方法 
-
-```patch
---- a/fs/open.c
-+++ b/fs/open.c
-@@ -37,6 +37,10 @@
- #include "internal.h"
- #include <trace/hooks/syscall_check.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- int do_truncate(struct user_namespace *mnt_userns, struct dentry *dentry,
- 		loff_t length, unsigned int time_attrs, struct file *filp)
- {
-@@ -468,6 +472,9 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla
- 
- SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
- {
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
-+#endif
- 	return do_faccessat(dfd, filename, mode, 0);
- }
-```
-
-如果没有 `do_faccessat` 方法，可以找 `faccessat` 的 SYSCALL 定义（对于早于 4.17 的内核）
-
-```patch
---- a/fs/open.c
-+++ b/fs/open.c
-@@ -31,6 +31,9 @@
- #include <linux/ima.h>
- #include <linux/dnotify.h>
- #include <linux/compat.h>
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
- 
- #include "internal.h"
- 
-@@ -369,6 +372,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
- 	int res;
- 	unsigned int lookup_flags = LOOKUP_FOLLOW;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
-+#endif
- 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
- 		return -EINVAL;
-```
-
-###  sys_read 钩子 ( `read_write.c` )
-
-需要修改 `fs/read_write.c` 的 `sys_read` 方法（4.19 及以上）
-
-```patch
---- a/fs/read_write.c
-+++ b/fs/read_write.c
-@@ -25,6 +25,10 @@
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- const struct file_operations generic_ro_fops = {
- 	.llseek		= generic_file_llseek,
- 	.read_iter	= generic_file_read_iter,
-@@ -630,6 +634,9 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count)
- 
- SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
- {
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_sys_read_hook(fd, &buf, &count);
-+#endif
- 	return ksys_read(fd, buf, count);
- }
-```
-
-或者是 `read` 的 SYSCALL 定义（4.14 及以下）
-
-```patch
---- a/fs/read_write.c
-+++ b/fs/read_write.c
-@@ -25,6 +25,11 @@
- #include <linux/uaccess.h>
- #include <asm/unistd.h>
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
-+
- const struct file_operations generic_ro_fops = {
- 	.llseek		= generic_file_llseek,
- 	.read_iter	= generic_file_read_iter,
-@@ -575,6 +580,9 @@ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
- 
- 	if (f.file) {
- 		loff_t pos = file_pos_read(f.file);
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+		trace_ksu_trace_sys_read_hook(fd, &buf, &count);
-+#endif
- 		ret = vfs_read(f.file, buf, count, &pos);
- 		if (ret >= 0)
- 			file_pos_write(f.file, pos);
-```
-
-### fstatat 钩子 ( `stat.c` )
-
-需要修改 `stat.c` 的 `newfstatat` SYSCALL 定义
-
-如果需要 32 位支持，还需要修改 `statat64` SYSCALL 定义
-
-```patch
---- a/fs/stat.c
-+++ b/fs/stat.c
-@@ -24,6 +24,10 @@
- #include "internal.h"
- #include "mount.h"
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- /**
-  * generic_fillattr - Fill in the basic attributes from the inode struct
-  * @mnt_userns:	user namespace of the mount the inode was found from
-@@ -408,6 +412,10 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
- 	struct kstat stat;
- 	int error;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag);
-+#endif
-+
- 	error = vfs_fstatat(dfd, filename, &stat, flag);
- 	if (error)
- 		return error;
-@@ -559,6 +567,10 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
- 	struct kstat stat;
- 	int error;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag); /* 32-bit su support */
-+#endif
-+
- 	error = vfs_fstatat(dfd, filename, &stat, flag);
- 	if (error)
- 		return error;
-```
-
-### input 钩子 (`input.c` ,用于进入KSU系的内置安全模式)
-
-需要修改 `drivers/input/input.c` 的 `input_event` 方法，而不是 `input_handle_event`
-
-```patch
---- a/drivers/input/input.c
-+++ b/drivers/input/input.c
-@@ -26,6 +26,10 @@
- #include "input-compat.h"
- #include "input-poller.h"
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+#include <../../drivers/kernelsu/ksu_trace.h>
-+#endif
-+
- MODULE_AUTHOR("Vojtech Pavlik <vojtech@suse.cz>");
- MODULE_DESCRIPTION("Input core");
- MODULE_LICENSE("GPL");
-@@ -451,6 +455,10 @@ void input_event(struct input_dev *dev,
- {
- 	unsigned long flags;
- 
-+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
-+    trace_ksu_trace_input_hook(&type, &code, &value);
-+#endif
-+
- 	if (is_event_supported(type, dev->evbit, EV_MAX)) {
- 
- 		spin_lock_irqsave(&dev->event_lock, flags);
-```

js/README.md

@@ -1,121 +0,0 @@
-# Library for KernelSU's module WebUI
-
-## Install
-
-```sh
-yarn add kernelsu
-```
-
-## API
-
-### exec
-
-Spawns a **root** shell and runs a command within that shell, returning a Promise that resolves with the `stdout` and `stderr` outputs upon completion.
-
-- `command` `<string>` The command to run, with space-separated arguments.
-- `options` `<Object>`
-  - `cwd` - Current working directory of the child process.
-  - `env` - Environment key-value pairs.
-
-```javascript
-import { exec } from 'kernelsu';
-
-const { errno, stdout, stderr } = await exec('ls -l', { cwd: '/tmp' });
-if (errno === 0) {
-    // success
-    console.log(stdout);
-}
-```
-
-### spawn
-
-Spawns a new process using the given `command` in **root** shell, with command-line arguments in `args`. If omitted, `args` defaults to an empty array.
-
-Returns a `ChildProcess` instance. Instances of `ChildProcess` represent spawned child processes.
-
-- `command` `<string>` The command to run.
-- `args` `<string[]>` List of string arguments.
-- `options` `<Object>`:
-  - `cwd` `<string>` - Current working directory of the child process.
-  - `env` `<Object>` - Environment key-value pairs.
-
-Example of running `ls -lh /data`, capturing `stdout`, `stderr`, and the exit code:
-
-```javascript
-import { spawn } from 'kernelsu';
-
-const ls = spawn('ls', ['-lh', '/data']);
-
-ls.stdout.on('data', (data) => {
-  console.log(`stdout: ${data}`);
-});
-
-ls.stderr.on('data', (data) => {
-  console.log(`stderr: ${data}`);
-});
-
-ls.on('exit', (code) => {
-  console.log(`child process exited with code ${code}`);
-});
-```
-
-#### ChildProcess
-
-##### Event 'exit'
-
-- `code` `<number>` The exit code if the child process exited on its own.
-
-The `'exit'` event is emitted when the child process ends. If the process exits, `code` contains the final exit code; otherwise, it is null.
-
-##### Event 'error'
-
-- `err` `<Error>` The error.
-
-The `'error'` event is emitted whenever:
-
-- The process could not be spawned.
-- The process could not be killed.
-
-##### `stdout`
-
-A `Readable Stream` that represents the child process's `stdout`.
-
-```javascript
-const subprocess = spawn('ls');
-
-subprocess.stdout.on('data', (data) => {
-  console.log(`Received chunk ${data}`);
-});
-```
-
-#### `stderr`
-
-A `Readable Stream` that represents the child process's `stderr`.
-
-### fullScreen
-
-Request the WebView enter/exit full screen.
-
-```javascript
-import { fullScreen } from 'kernelsu';
-fullScreen(true);
-```
-
-### toast
-
-Show a toast message.
-
-```javascript
-import { toast } from 'kernelsu';
-toast('Hello, world!');
-```
-
-### moduleInfo
-
-Get module info.
-
-```javascript
-import { moduleInfo } from 'kernelsu';
-// print moduleId in console
-console.log(moduleInfo());
-```

js/index.d.ts

@@ -1,48 +0,0 @@
-interface ExecOptions {
-    cwd?: string,
-    env?: { [key: string]: string }
-}
-
-interface ExecResults {
-    errno: number,
-    stdout: string,
-    stderr: string
-}
-
-declare function exec(command: string): Promise<ExecResults>;
-declare function exec(command: string, options: ExecOptions): Promise<ExecResults>;
-
-interface SpawnOptions {
-    cwd?: string,
-    env?: { [key: string]: string }
-}
-
-interface Stdio {
-    on(event: 'data', callback: (data: string) => void)
-}
-
-interface ChildProcess {
-    stdout: Stdio,
-    stderr: Stdio,
-    on(event: 'exit', callback: (code: number) => void)
-    on(event: 'error', callback: (err: any) => void)
-}
-
-declare function spawn(command: string): ChildProcess;
-declare function spawn(command: string, args: string[]): ChildProcess;
-declare function spawn(command: string, options: SpawnOptions): ChildProcess;
-declare function spawn(command: string, args: string[], options: SpawnOptions): ChildProcess;
-
-declare function fullScreen(isFullScreen: boolean);
-
-declare function toast(message: string);
-
-declare function moduleInfo(): string;
-
-export {
-    exec,
-    spawn,
-    fullScreen,
-    toast,
-    moduleInfo
-}

js/index.js

@@ -1,119 +0,0 @@
-let callbackCounter = 0;
-function getUniqueCallbackName(prefix) {
-  return `${prefix}_callback_${Date.now()}_${callbackCounter++}`;
-}
-
-export function exec(command, options) {
-  if (typeof options === "undefined") {
-    options = {};
-  }
-
-  return new Promise((resolve, reject) => {
-    // Generate a unique callback function name
-    const callbackFuncName = getUniqueCallbackName("exec");
-
-    // Define the success callback function
-    window[callbackFuncName] = (errno, stdout, stderr) => {
-      resolve({ errno, stdout, stderr });
-      cleanup(callbackFuncName);
-    };
-
-    function cleanup(successName) {
-      delete window[successName];
-    }
-
-    try {
-      ksu.exec(command, JSON.stringify(options), callbackFuncName);
-    } catch (error) {
-      reject(error);
-      cleanup(callbackFuncName);
-    }
-  });
-}
-
-function Stdio() {
-    this.listeners = {};
-  }
-  
-  Stdio.prototype.on = function (event, listener) {
-    if (!this.listeners[event]) {
-      this.listeners[event] = [];
-    }
-    this.listeners[event].push(listener);
-  };
-  
-  Stdio.prototype.emit = function (event, ...args) {
-    if (this.listeners[event]) {
-      this.listeners[event].forEach((listener) => listener(...args));
-    }
-  };
-  
-  function ChildProcess() {
-    this.listeners = {};
-    this.stdin = new Stdio();
-    this.stdout = new Stdio();
-    this.stderr = new Stdio();
-  }
-  
-  ChildProcess.prototype.on = function (event, listener) {
-    if (!this.listeners[event]) {
-      this.listeners[event] = [];
-    }
-    this.listeners[event].push(listener);
-  };
-  
-  ChildProcess.prototype.emit = function (event, ...args) {
-    if (this.listeners[event]) {
-      this.listeners[event].forEach((listener) => listener(...args));
-    }
-  };
-  
-  export function spawn(command, args, options) {
-    if (typeof args === "undefined") {
-      args = [];
-    } else if (!(args instanceof Array)) {
-        // allow for (command, options) signature
-        options = args;
-    }
-    
-    if (typeof options === "undefined") {
-      options = {};
-    }
-  
-    const child = new ChildProcess();
-    const childCallbackName = getUniqueCallbackName("spawn");
-    window[childCallbackName] = child;
-  
-    function cleanup(name) {
-      delete window[name];
-    }
-
-    child.on("exit", code => {
-        cleanup(childCallbackName);
-    });
-
-    try {
-      ksu.spawn(
-        command,
-        JSON.stringify(args),
-        JSON.stringify(options),
-        childCallbackName
-      );
-    } catch (error) {
-      child.emit("error", error);
-      cleanup(childCallbackName);
-    }
-    return child;
-  }
-
-export function fullScreen(isFullScreen) {
-  ksu.fullScreen(isFullScreen);
-}
-
-export function toast(message) {
-  ksu.toast(message);
-}
-
-export function moduleInfo() {
-  return ksu.moduleInfo();
-}

js/package.json

@@ -1,26 +0,0 @@
-{
-  "name": "kernelsu",
-  "version": "1.0.7",
-  "description": "Library for KernelSU's module WebUI",
-  "main": "index.js",
-  "types": "index.d.ts",
-  "scripts": {
-    "test": "npm run test"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/tiann/KernelSU.git"
-  },
-  "keywords": [
-    "su",
-    "kernelsu",
-    "module",
-    "webui"
-  ],
-  "author": "weishu",
-  "license": "Apache-2.0",
-  "bugs": {
-    "url": "https://github.com/tiann/KernelSU/issues"
-  },
-  "homepage": "https://github.com/tiann/KernelSU#readme"
-}

justfile

@@ -1,14 +0,0 @@
-alias bk := build_ksud
-alias bm := build_manager
-
-build_ksud:
-    cross build --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml
-
-build_manager: build_ksud
-    cp userspace/ksud/target/aarch64-linux-android/release/ksud manager/app/src/main/jniLibs/arm64-v8a/libksud.so
-    cd manager && ./gradlew aDebug
-
-clippy:
-    cargo fmt --manifest-path ./userspace/ksud/Cargo.toml
-    cross clippy --target x86_64-pc-windows-gnu --release --manifest-path ./userspace/ksud/Cargo.toml
-    cross clippy --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml

kernel/.clang-format

@@ -56,8 +56,8 @@ ColumnLimit: 80
 CommentPragmas: '^ IWYU pragma:'
 #CompactNamespaces: false # Unknown to clang-format-4.0
 ConstructorInitializerAllOnOneLineOrOnePerLine: false
-ConstructorInitializerIndentWidth: 4
-ContinuationIndentWidth: 4
+ConstructorInitializerIndentWidth: 8
+ContinuationIndentWidth: 8
 Cpp11BracedListStyle: false
 DerivePointerAlignment: false
 DisableFormat: false
@@ -501,7 +501,7 @@ IncludeCategories:
 IncludeIsMainRegex: '(Test)?$'
 IndentCaseLabels: false
 #IndentPPDirectives: None # Unknown to clang-format-5.0
-IndentWidth: 4
+IndentWidth: 8
 IndentWrappedFunctionNames: false
 JavaScriptQuotes: Leave
 JavaScriptWrapImports: true
@@ -511,7 +511,7 @@ MacroBlockEnd: ''
 MaxEmptyLinesToKeep: 1
 NamespaceIndentation: None
 #ObjCBinPackProtocolList: Auto # Unknown to clang-format-5.0
-ObjCBlockIndentWidth: 4
+ObjCBlockIndentWidth: 8
 ObjCSpaceAfterProperty: true
 ObjCSpaceBeforeProtocolList: true
 
@@ -543,6 +543,6 @@ SpacesInCStyleCastParentheses: false
 SpacesInParentheses: false
 SpacesInSquareBrackets: false
 Standard: Cpp03
-TabWidth: 4
-UseTab: Never
+TabWidth: 8
+UseTab: Always
 ...

kernel/.vscode/c_cpp_properties.json

@@ -1,11 +0,0 @@
-{
-    "configurations": [
-        {
-            "name": "Linux",
-            "cStandard": "c11",
-            "intelliSenseMode": "gcc-arm64",
-            "compileCommands": "${workspaceFolder}/compile_commands.json"
-        }
-    ],
-    "version": 4
-}

kernel/.vscode/generate_compdb.py

@@ -1,92 +0,0 @@
-#!/usr/bin/env python3
-
-from __future__ import print_function, division
-
-import argparse
-import fnmatch
-import functools
-import json
-import math
-import multiprocessing
-import os
-import re
-import sys
-
-
-CMD_VAR_RE = re.compile(r'^\s*(?:saved)?cmd_(\S+)\s*:=\s*(.+)\s*$', re.MULTILINE)
-SOURCE_VAR_RE = re.compile(r'^\s*source_(\S+)\s*:=\s*(.+)\s*$', re.MULTILINE)
-
-
-def print_progress_bar(progress):
-    progress_bar = '[' + '|' * int(50 * progress) + '-' * int(50 * (1.0 - progress)) + ']'
-    print('\r', progress_bar, "{0:.1%}".format(progress), end='\r', file=sys.stderr)
-
-
-def parse_cmd_file(out_dir, cmdfile_path):
-    with open(cmdfile_path, 'r') as cmdfile:
-        cmdfile_content = cmdfile.read()
-
-    commands = { match.group(1): match.group(2) for match in CMD_VAR_RE.finditer(cmdfile_content) }
-    sources = { match.group(1): match.group(2) for match in SOURCE_VAR_RE.finditer(cmdfile_content) }
-
-    return [{
-            'directory': out_dir,
-            'command': commands[o_file_name],
-            'file': source,
-            'output': o_file_name
-        } for o_file_name, source in sources.items()]
-
-
-def gen_compile_commands(cmd_file_search_path, out_dir):
-    print("Building *.o.cmd file list...", file=sys.stderr)
-
-    out_dir = os.path.abspath(out_dir)
-
-    if not cmd_file_search_path:
-        cmd_file_search_path = [out_dir]
-
-    cmd_files = []
-    for search_path in cmd_file_search_path:
-        if (os.path.isdir(search_path)):
-            for cur_dir, subdir, files in os.walk(search_path):
-                cmd_files.extend(os.path.join(cur_dir, cmdfile_name) for cmdfile_name in fnmatch.filter(files, '*.o.cmd'))
-        else:
-            cmd_files.extend(search_path)
-
-    if not cmd_files:
-        print("No *.o.cmd files found in", ", ".join(cmd_file_search_path), file=sys.stderr)
-        return
-
-    print("Parsing *.o.cmd files...", file=sys.stderr)
-
-    n_processed = 0
-    print_progress_bar(0)
-
-    compdb = []
-    pool = multiprocessing.Pool()
-    try:
-        for compdb_chunk in pool.imap_unordered(functools.partial(parse_cmd_file, out_dir), cmd_files, chunksize=int(math.sqrt(len(cmd_files)))):
-            compdb.extend(compdb_chunk)
-            n_processed += 1
-            print_progress_bar(n_processed / len(cmd_files))
-
-    finally:
-        pool.terminate()
-        pool.join()
-
-    print(file=sys.stderr)
-    print("Writing compile_commands.json...", file=sys.stderr)
-
-    with open('compile_commands.json', 'w') as compdb_file:
-        json.dump(compdb, compdb_file, indent=1)
-
-
-def main():
-    cmd_parser = argparse.ArgumentParser()
-    cmd_parser.add_argument('-O', '--out-dir', type=str, default=os.getcwd(), help="Build output directory")
-    cmd_parser.add_argument('cmd_file_search_path', nargs='*', help="*.cmd file search path")
-    gen_compile_commands(**vars(cmd_parser.parse_args()))
-
-
-if __name__ == '__main__':
-    main()

kernel/.vscode/tasks.json

@@ -1,16 +0,0 @@
-{
-    // See https://go.microsoft.com/fwlink/?LinkId=733558
-    // for the documentation about the tasks.json format
-    "version": "2.0.0",
-    "tasks": [
-        {
-            "label": "Generate compile_commands.json",
-            "type": "process",
-            "command": "python",
-            "args": [
-                "${workspaceRoot}/.vscode/generate_compdb.py"
-            ],
-            "problemMatcher": []
-        }
-    ]
-}

kernel/Kconfig

@@ -1,42 +1,59 @@
 menu "KernelSU"
 
 config KSU
-    tristate "KernelSU function support"
-    default y
-    help
-      Enable kernel-level root privileges on Android System.
-      To compile as a module, choose M here: the
-      module will be called kernelsu.
+	tristate "KernelSU function support"
+	default y
+	help
+	  Enable kernel-level root privileges on Android System.
+	  To compile as a module, choose M here: the
+	  module will be called kernelsu.
+
+# For easier extern ifdef handling
+config RKSU
+	bool "RKSU compat, do not modify"
+	default y
 
 config KSU_DEBUG
-    bool "KernelSU debug mode"
-    depends on KSU
-    default n
-    help
-      Enable KernelSU debug mode.
+	bool "KernelSU debug mode"
+	depends on KSU
+	default n
+	help
+	  Enable KernelSU debug mode.
 
-config KSU_MANUAL_SU
-    bool "Use manual su"
-    depends on KSU
-    default y
-    help
-      Use manual su and authorize the corresponding command line and application via prctl
+config KSU_ALLOWLIST_WORKAROUND
+	bool "KernelSU allowlist workaround"
+	depends on KSU
+	default n
+	help
+	  Enable workaround for broken allowlist save
 
 config KPM
-    bool "Enable SukiSU KPM"
-    depends on KSU && 64BIT
-    default n
-    help
-      Enabling this option will activate the KPM feature of SukiSU.
-      This option is suitable for scenarios where you need to force KPM to be enabled.
-      but it may affect system stability.
-    select KALLSYMS
-    select KALLSYMS_ALL
+	bool "Enable SukiSU KPM"
+	depends on KSU && 64BIT
+	default n
+	help
+	  Enabling this option will activate the KPM feature of SukiSU.
+	  This option is suitable for scenarios where you need to force KPM to be enabled.
+	  but it may affect system stability.
+	select KALLSYMS
+	select KALLSYMS_ALL
 
 config KSU_MANUAL_HOOK
-    bool "Hook KernelSU manually"
-    depends on KSU != m
-    help
-      If enabled, Hook required KernelSU syscalls with manually-patched function.
+	bool "KernelSU manual hook mode."
+	depends on KSU && KSU != m
+	default y if !KPROBES
+	default n
+	help
+	  Enable manual hook support.
+
+config KSU_SHOULD_USE_NEW_TP
+	bool "KernelSU tracepoint+kretprobe hook"
+	depends on KSU && !KSU_MANUAL_HOOK
+	depends on KRETPROBES && KPROBES && HAVE_SYSCALL_TRACEPOINTS
+	default y if KPROBES && KRETPROBES && HAVE_SYSCALL_TRACEPOINTS
+	default n
+	help
+	  Enable KPROBES, KRETPROBES and TRACEPOINT hook for KernelSU core.
+	  This should not be used on kernel below 5.10.
 
 endmenu

kernel/Makefile

@@ -1,37 +1,34 @@
 kernelsu-objs := ksu.o
 kernelsu-objs += allowlist.o
-kernelsu-objs += app_profile.o
 kernelsu-objs += dynamic_manager.o
+kernelsu-objs += app_profile.o
 kernelsu-objs += apk_sign.o
 kernelsu-objs += sucompat.o
 kernelsu-objs += syscall_hook_manager.o
 kernelsu-objs += throne_tracker.o
 kernelsu-objs += pkg_observer.o
-kernelsu-objs += throne_tracker.o
-kernelsu-objs += umount_manager.o
 kernelsu-objs += setuid_hook.o
+kernelsu-objs += lsm_hooks.o
+kernelsu-objs += kernel_compat.o
 kernelsu-objs += kernel_umount.o
 kernelsu-objs += supercalls.o
 kernelsu-objs += feature.o
+kernelsu-objs += throne_tracker.o
 kernelsu-objs += ksud.o
 kernelsu-objs += embed_ksud.o
 kernelsu-objs += seccomp_cache.o
 kernelsu-objs += file_wrapper.o
 kernelsu-objs += throne_comm.o
-kernelsu-objs += sulog.o
-
-ifeq ($(CONFIG_KSU_MANUAL_SU), y)
-ccflags-y += -DCONFIG_KSU_MANUAL_SU
-kernelsu-objs += manual_su.o
-endif
 
 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
 kernelsu-objs += selinux/rules.o
+
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h
 
 obj-$(CONFIG_KSU) += kernelsu.o
+obj-$(CONFIG_KSU_TRACEPOINT_HOOK) += ksu_trace_export.o
 
 obj-$(CONFIG_KPM) += kpm/
 
@@ -43,14 +40,6 @@ KSU_VERSION_API := 4.0.0
 GIT_BIN := /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git
 CURL_BIN := /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin curl
 
-KDIR := $(KDIR)
-MDIR := $(realpath $(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
-
-ifneq ($(KDIR),)
-$(info -- KDIR: $(KDIR))
-$(info -- MDIR: $(MDIR))
-endif
-
 KSU_GITHUB_VERSION := $(shell $(CURL_BIN) -s "https://api.github.com/repos/$(REPO_OWNER)/$(REPO_NAME)/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
 KSU_GITHUB_VERSION_COMMIT := $(shell $(CURL_BIN) -sI "https://api.github.com/repos/$(REPO_OWNER)/$(REPO_NAME)/commits?sha=$(REPO_BRANCH)&per_page=1" | grep -i "link:" | sed -n 's/.*page=\([0-9]*\)>; rel="last".*/\1/p')
 
@@ -60,10 +49,6 @@ else
   KSU_SRC := $(srctree)/$(src)
 endif
 
-ifneq ($(shell test -e $(KSU_SRC)/../.git && echo "in-tree"),in-tree)
-  KSU_SRC := $(MDIR)
-endif
-
 LOCAL_GIT_EXISTS := $(shell test -e $(KSU_SRC)/../.git && echo 1 || echo 0)
 
 define get_ksu_version_full
@@ -104,12 +89,94 @@ endif
 ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
 ccflags-y += -DKSU_VERSION_FULL=\"$(KSU_VERSION_FULL)\"
 
+# RKSU: checks for available hook
+## Logic flipped for HAVE_KSU_HOOK: 0 is success, 1 is failure, but not with KSU_DRY_RUN
+HAVE_KSU_HOOK ?= 1
+KSU_DRY_RUN ?= 0
+
+# Checks hooks state
+ifeq ($(CONFIG_KSU_SHOULD_USE_NEW_TP), y)
+$(info -- KernelSU: SHOULD_USE_NEW_TP)
+ccflags-y += -DKSU_SHOULD_USE_NEW_TP
+# Let's make it 0, so it would pass.
+HAVE_KSU_HOOK := 0
+endif
+
+ifeq ($(CONFIG_KSU_MANUAL_HOOK), y)
+HAVE_KSU_HOOK := $(shell grep -q "ksu_handle_faccessat" $(srctree)/fs/open.c; echo $$?)
+ifeq ($(HAVE_KSU_HOOK),0)
+$(info -- KernelSU: CONFIG_KSU_MANUAL_HOOK)
+endif
+endif
+
+ifeq ($(KSU_DRY_RUN),0)
+ifneq ($(HAVE_KSU_HOOK),0)
+$(error -- KernelSU: No hooks were defined, bail!)
+endif
+else
+$(info -- KernelSU in dry run mode, skip hook checks)
+
+endif
+
+# SELinux drivers check
+ifeq ($(shell grep -q "current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
+endif
+ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
+endif
+
+# Handle optional backports
+ifeq ($(shell grep -q "strncpy_from_user_nofault" $(srctree)/include/linux/uaccess.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_STRNCPY
+endif
+ifeq ($(shell grep -q "ssize_t kernel_read" $(srctree)/fs/read_write.c; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_KERNEL_READ
+endif
+ifeq ($(shell grep "ssize_t kernel_write" $(srctree)/fs/read_write.c | grep -q "const void" ; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_KERNEL_WRITE
+endif
+ifeq ($(shell grep -q "int\s\+path_umount" $(srctree)/fs/namespace.c; echo $$?),0)
+ccflags-y += -DKSU_HAS_PATH_UMOUNT
+endif
+ifeq ($(shell grep -q "inode_security_struct\s\+\*selinux_inode" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SELINUX_INODE
+endif
+ifeq ($(shell grep -q "task_security_struct\s\+\*selinux_cred" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SELINUX_CRED
+endif
+# seccomp_types.h were added on 6.7
+ifeq ($(shell grep -q "atomic_t\s\+filter_count" $(srctree)/include/linux/seccomp.h $(srctree)/include/linux/seccomp_types.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_CNT
+endif
+# some old kernel backport this, let's check if put_seccomp_filter still exist
+ifneq ($(shell grep -wq "put_seccomp_filter" $(srctree)/kernel/seccomp.c $(srctree)/include/linux/seccomp.h; echo $$?),0)
+ccflags-y += -DKSU_OPTIONAL_SECCOMP_FILTER_RELEASE
+endif
+ifeq ($(shell grep -q "anon_inode_getfd_secure" $(srctree)/fs/anon_inodes.c; echo $$?),0)
+ccflags-y += -DKSU_HAS_GETFD_SECURE
+endif
+ifeq ($(shell grep -A1 "^int vfs_getattr" $(srctree)/fs/stat.c | grep -q "query_flags"; echo $$?),0)
+ccflags-y += -DKSU_HAS_NEW_VFS_GETATTR
+endif
+
+# Checks Samsung
+ifeq ($(shell grep -q "CONFIG_KDP_CRED" $(srctree)/kernel/cred.c; echo $$?),0)
+ccflags-y += -DSAMSUNG_UH_DRIVER_EXIST
+endif
+ifeq ($(shell grep -q "SEC_SELINUX_PORTING_COMMON" $(srctree)/security/selinux/avc.c; echo $$?),0)
+ccflags-y += -DSAMSUNG_SELINUX_PORTING
+endif
+# Function proc_ops check
+ifeq ($(shell grep -q "struct proc_ops " $(srctree)/include/linux/proc_fs.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_PROC_OPS
+endif
+
 # Custom Signs
 ifdef KSU_EXPECTED_SIZE
 ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
 $(info -- Custom KernelSU Manager signature size: $(KSU_EXPECTED_SIZE))
 endif
-
 ifdef KSU_EXPECTED_HASH
 ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
 $(info -- Custom KernelSU Manager signature hash: $(KSU_EXPECTED_HASH))
@@ -120,15 +187,8 @@ ccflags-y += -DKSU_MANAGER_PACKAGE=\"$(KSU_MANAGER_PACKAGE)\"
 $(info -- SukiSU Manager package name: $(KSU_MANAGER_PACKAGE))
 endif
 
-ifeq ($(CONFIG_KSU_MANUAL_HOOK), y)
-ccflags-y += -DKSU_MANUAL_HOOK
-$(info -- SukiSU: KSU_MANUAL_HOOK Temporarily discontinued）)
-else
-ccflags-y += -DKSU_KPROBES_HOOK
-ccflags-y += -DKSU_TP_HOOK
-$(info -- SukiSU: KSU_TRACEPOINT_HOOK)
-endif
-
+$(info -- Supported Unofficial Manager: 5ec1cff (GKI) ShirkNeko udochina (GKI and KPM))
+# Kernel version check
 KERNEL_VERSION := $(VERSION).$(PATCHLEVEL)
 KERNEL_TYPE := Non-GKI
 # Check for GKI 2.0 (5.10+ or 6.x+)
@@ -143,30 +203,14 @@ endif
 $(info -- KERNEL_VERSION: $(KERNEL_VERSION))
 $(info -- KERNEL_TYPE: $(KERNEL_TYPE))
 
+$(info -- KERNEL_VERSION: $(KERNEL_VERSION))
 ifeq ($(CONFIG_KPM), y)
 $(info -- KPM is enabled)
 else
 $(info -- KPM is disabled)
 endif
 
-# Check new vfs_getattr()
-ifeq ($(shell grep -A1 "^int vfs_getattr" $(srctree)/fs/stat.c | grep -q "query_flags" ; echo $$?),0)
-ccflags-y += -DKSU_HAS_NEW_VFS_GETATTR
-endif
-
-# Function proc_ops check
-ifeq ($(shell grep -q "struct proc_ops " $(srctree)/include/linux/proc_fs.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_PROC_OPS
-endif
-
-ccflags-y += -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat -Wno-missing-prototypes
-ccflags-y += -Wno-declaration-after-statement -Wno-unused-function -Wno-unused-variable
-
-all:
-	make -C $(KDIR) M=$(MDIR) modules
-compdb:
-	python3 $(MDIR)/.vscode/generate_compdb.py -O $(KDIR) $(MDIR)
-clean:
-	make -C $(KDIR) M=$(MDIR) clean
+ccflags-y += -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function -Wno-missing-prototypes
 
 # Keep a new line here!! Because someone may append config

kernel/allowlist.c

@@ -10,6 +10,11 @@
 #include <linux/slab.h>
 #include <linux/types.h>
 #include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+#include <linux/sched/task.h>
+#else
+#include <linux/sched.h>
+#endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
 #include <linux/compiler_types.h>
 #endif
@@ -19,6 +24,7 @@
 #include "selinux/selinux.h"
 #include "allowlist.h"
 #include "manager.h"
+#include "kernel_compat.h"
 #include "syscall_hook_manager.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
@@ -33,61 +39,59 @@ static DEFINE_MUTEX(allowlist_mutex);
 static struct root_profile default_root_profile;
 static struct non_root_profile default_non_root_profile;
 
-void persistent_allow_list(void);
-
 static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly
-    __aligned(PAGE_SIZE);
+	__aligned(PAGE_SIZE);
 static int allow_list_pointer __read_mostly = 0;
 
 static void remove_uid_from_arr(uid_t uid)
 {
-    int *temp_arr;
-    int i, j;
+	int *temp_arr;
+	int i, j;
 
-    if (allow_list_pointer == 0)
-        return;
+	if (allow_list_pointer == 0)
+		return;
 
-    temp_arr = kzalloc(sizeof(allow_list_arr), GFP_KERNEL);
-    if (temp_arr == NULL) {
-        pr_err("%s: unable to allocate memory\n", __func__);
-        return;
-    }
+	temp_arr = kzalloc(sizeof(allow_list_arr), GFP_KERNEL);
+	if (temp_arr == NULL) {
+		pr_err("%s: unable to allocate memory\n", __func__);
+		return;
+	}
 
-    for (i = j = 0; i < allow_list_pointer; i++) {
-        if (allow_list_arr[i] == uid)
-            continue;
-        temp_arr[j++] = allow_list_arr[i];
-    }
+	for (i = j = 0; i < allow_list_pointer; i++) {
+		if (allow_list_arr[i] == uid)
+			continue;
+		temp_arr[j++] = allow_list_arr[i];
+	}
 
-    allow_list_pointer = j;
+	allow_list_pointer = j;
 
-    for (; j < ARRAY_SIZE(allow_list_arr); j++)
-        temp_arr[j] = -1;
+	for (; j < ARRAY_SIZE(allow_list_arr); j++)
+		temp_arr[j] = -1;
 
-    memcpy(&allow_list_arr, temp_arr, PAGE_SIZE);
-    kfree(temp_arr);
+	memcpy(&allow_list_arr, temp_arr, PAGE_SIZE);
+	kfree(temp_arr);
 }
 
 static void init_default_profiles(void)
 {
-    kernel_cap_t full_cap = CAP_FULL_SET;
+	kernel_cap_t full_cap = CAP_FULL_SET;
 
-    default_root_profile.uid = 0;
-    default_root_profile.gid = 0;
-    default_root_profile.groups_count = 1;
-    default_root_profile.groups[0] = 0;
-    memcpy(&default_root_profile.capabilities.effective, &full_cap,
-           sizeof(default_root_profile.capabilities.effective));
-    default_root_profile.namespaces = 0;
-    strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+	default_root_profile.uid = 0;
+	default_root_profile.gid = 0;
+	default_root_profile.groups_count = 1;
+	default_root_profile.groups[0] = 0;
+	memcpy(&default_root_profile.capabilities.effective, &full_cap,
+	       sizeof(default_root_profile.capabilities.effective));
+	default_root_profile.namespaces = 0;
+	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
 
-    // This means that we will umount modules by default!
-    default_non_root_profile.umount_modules = true;
+	// This means that we will umount modules by default!
+	default_non_root_profile.umount_modules = true;
 }
 
 struct perm_data {
-    struct list_head list;
-    struct app_profile profile;
+	struct list_head list;
+	struct app_profile profile;
 };
 
 static struct list_head allow_list;
@@ -97,535 +101,468 @@ static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE);
 
 #define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"
 
+void persistent_allow_list(void);
+
 void ksu_show_allow_list(void)
 {
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    pr_info("ksu_show_allow_list\n");
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
-                p->profile.allow_su);
-    }
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	pr_info("ksu_show_allow_list\n");
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
+			p->profile.allow_su);
+	}
 }
 
 #ifdef CONFIG_KSU_DEBUG
 static void ksu_grant_root_to_shell(void)
 {
-    struct app_profile profile = {
-        .version = KSU_APP_PROFILE_VER,
-        .allow_su = true,
-        .current_uid = 2000,
-    };
-    strcpy(profile.key, "com.android.shell");
-    strcpy(profile.rp_config.profile.selinux_domain,
-           KSU_DEFAULT_SELINUX_DOMAIN);
-    ksu_set_app_profile(&profile, false);
+	struct app_profile profile = {
+		.version = KSU_APP_PROFILE_VER,
+		.allow_su = true,
+		.current_uid = 2000,
+	};
+	strcpy(profile.key, "com.android.shell");
+	strcpy(profile.rp_config.profile.selinux_domain,
+	       KSU_DEFAULT_SELINUX_DOMAIN);
+	ksu_set_app_profile(&profile, false);
 }
 #endif
 
 bool ksu_get_app_profile(struct app_profile *profile)
 {
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    bool found = false;
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	bool found = false;
 
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        bool uid_match = profile->current_uid == p->profile.current_uid;
-        if (uid_match) {
-            // found it, override it with ours
-            memcpy(profile, &p->profile, sizeof(*profile));
-            found = true;
-            goto exit;
-        }
-    }
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		bool uid_match = profile->current_uid == p->profile.current_uid;
+		if (uid_match) {
+			// found it, override it with ours
+			memcpy(profile, &p->profile, sizeof(*profile));
+			found = true;
+			goto exit;
+		}
+	}
 
 exit:
-    return found;
+	return found;
 }
 
 static inline bool forbid_system_uid(uid_t uid)
 {
 #define SHELL_UID 2000
 #define SYSTEM_UID 1000
-    return uid < SHELL_UID && uid != SYSTEM_UID;
+	return uid < SHELL_UID && uid != SYSTEM_UID;
 }
 
 static bool profile_valid(struct app_profile *profile)
 {
-    if (!profile) {
-        return false;
-    }
+	if (!profile) {
+		return false;
+	}
 
-    if (profile->version < KSU_APP_PROFILE_VER) {
-        pr_info("Unsupported profile version: %d\n", profile->version);
-        return false;
-    }
+	if (profile->version < KSU_APP_PROFILE_VER) {
+		pr_info("Unsupported profile version: %d\n", profile->version);
+		return false;
+	}
 
-    if (profile->allow_su) {
-        if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
-            return false;
-        }
+	if (profile->allow_su) {
+		if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
+			return false;
+		}
 
-        if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
-            return false;
-        }
-    }
+		if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
+			return false;
+		}
+	}
 
-    return true;
+	return true;
 }
 
 bool ksu_set_app_profile(struct app_profile *profile, bool persist)
 {
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    bool result = false;
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	bool result = false;
 
-    if (!profile_valid(profile)) {
-        pr_err("Failed to set app profile: invalid profile!\n");
-        return false;
-    }
+	if (!profile_valid(profile)) {
+		pr_err("Failed to set app profile: invalid profile!\n");
+		return false;
+	}
 
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        // both uid and package must match, otherwise it will break multiple package with different user id
-        if (profile->current_uid == p->profile.current_uid &&
-            !strcmp(profile->key, p->profile.key)) {
-            // found it, just override it all!
-            memcpy(&p->profile, profile, sizeof(*profile));
-            result = true;
-            goto out;
-        }
-    }
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		// both uid and package must match, otherwise it will break multiple package with different user id
+		if (profile->current_uid == p->profile.current_uid &&
+		    !strcmp(profile->key, p->profile.key)) {
+			// found it, just override it all!
+			memcpy(&p->profile, profile, sizeof(*profile));
+			result = true;
+			goto out;
+		}
+	}
 
-    // not found, alloc a new node!
-    p = (struct perm_data *)kzalloc(sizeof(struct perm_data), GFP_KERNEL);
-    if (!p) {
-        pr_err("ksu_set_app_profile alloc failed\n");
-        return false;
-    }
+	// not found, alloc a new node!
+	p = (struct perm_data *)kzalloc(sizeof(struct perm_data), GFP_KERNEL);
+	if (!p) {
+		pr_err("ksu_set_app_profile alloc failed\n");
+		return false;
+	}
 
-    memcpy(&p->profile, profile, sizeof(*profile));
-    if (profile->allow_su) {
-        pr_info("set root profile, key: %s, uid: %d, gid: %d, context: %s\n",
-                profile->key, profile->current_uid,
-                profile->rp_config.profile.gid,
-                profile->rp_config.profile.selinux_domain);
-    } else {
-        pr_info("set app profile, key: %s, uid: %d, umount modules: %d\n",
-                profile->key, profile->current_uid,
-                profile->nrp_config.profile.umount_modules);
-    }
-    list_add_tail(&p->list, &allow_list);
+	memcpy(&p->profile, profile, sizeof(*profile));
+	if (profile->allow_su) {
+		pr_info("set root profile, key: %s, uid: %d, gid: %d, context: %s\n",
+			profile->key, profile->current_uid,
+			profile->rp_config.profile.gid,
+			profile->rp_config.profile.selinux_domain);
+	} else {
+		pr_info("set app profile, key: %s, uid: %d, umount modules: %d\n",
+			profile->key, profile->current_uid,
+			profile->nrp_config.profile.umount_modules);
+	}
+	list_add_tail(&p->list, &allow_list);
 
 out:
-    if (profile->current_uid <= BITMAP_UID_MAX) {
-        if (profile->allow_su)
-            allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |=
-                1 << (profile->current_uid % BITS_PER_BYTE);
-        else
-            allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &=
-                ~(1 << (profile->current_uid % BITS_PER_BYTE));
-    } else {
-        if (profile->allow_su) {
-            /*
+	if (profile->current_uid <= BITMAP_UID_MAX) {
+		if (profile->allow_su)
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |=
+				1 << (profile->current_uid % BITS_PER_BYTE);
+		else
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &=
+				~(1 << (profile->current_uid % BITS_PER_BYTE));
+	} else {
+		if (profile->allow_su) {
+			/*
              * 1024 apps with uid higher than BITMAP_UID_MAX
              * registered to request superuser?
              */
-            if (allow_list_pointer >= ARRAY_SIZE(allow_list_arr)) {
-                pr_err("too many apps registered\n");
-                WARN_ON(1);
-                return false;
-            }
-            allow_list_arr[allow_list_pointer++] = profile->current_uid;
-        } else {
-            remove_uid_from_arr(profile->current_uid);
-        }
-    }
-    result = true;
+			if (allow_list_pointer >= ARRAY_SIZE(allow_list_arr)) {
+				pr_err("too many apps registered\n");
+				WARN_ON(1);
+				return false;
+			}
+			allow_list_arr[allow_list_pointer++] =
+				profile->current_uid;
+		} else {
+			remove_uid_from_arr(profile->current_uid);
+		}
+	}
+	result = true;
 
-    // check if the default profiles is changed, cache it to a single struct to accelerate access.
-    if (unlikely(!strcmp(profile->key, "$"))) {
-        // set default non root profile
-        memcpy(&default_non_root_profile, &profile->nrp_config.profile,
-               sizeof(default_non_root_profile));
-    }
+	// check if the default profiles is changed, cache it to a single struct to accelerate access.
+	if (unlikely(!strcmp(profile->key, "$"))) {
+		// set default non root profile
+		memcpy(&default_non_root_profile, &profile->nrp_config.profile,
+		       sizeof(default_non_root_profile));
+	}
 
-    if (unlikely(!strcmp(profile->key, "#"))) {
-        // set default root profile
-        memcpy(&default_root_profile, &profile->rp_config.profile,
-               sizeof(default_root_profile));
-    }
+	if (unlikely(!strcmp(profile->key, "#"))) {
+		// set default root profile
+		memcpy(&default_root_profile, &profile->rp_config.profile,
+		       sizeof(default_root_profile));
+	}
 
-    if (persist) {
-        persistent_allow_list();
-        // FIXME: use a new flag
-        ksu_mark_running_process();
-    }
+	if (persist) {
+		persistent_allow_list();
+		// FIXME: use a new flag
+		ksu_mark_running_process();
+	}
 
-    return result;
+	return result;
 }
 
 bool __ksu_is_allow_uid(uid_t uid)
 {
-    int i;
+	int i;
 
-    if (forbid_system_uid(uid)) {
-        // do not bother going through the list if it's system
-        return false;
-    }
+	if (forbid_system_uid(uid)) {
+		// do not bother going through the list if it's system
+		return false;
+	}
 
-    if (likely(ksu_is_manager_uid_valid()) &&
-        unlikely(ksu_get_manager_uid() == uid)) {
-        // manager is always allowed!
-        return true;
-    }
+	if (likely(ksu_is_manager_uid_valid()) &&
+	    unlikely(ksu_get_manager_uid() == uid)) {
+		// manager is always allowed!
+		return true;
+	}
 
-    if (likely(uid <= BITMAP_UID_MAX)) {
-        return !!(allow_list_bitmap[uid / BITS_PER_BYTE] &
-                  (1 << (uid % BITS_PER_BYTE)));
-    } else {
-        for (i = 0; i < allow_list_pointer; i++) {
-            if (allow_list_arr[i] == uid)
-                return true;
-        }
-    }
+	if (likely(uid <= BITMAP_UID_MAX)) {
+		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] &
+			  (1 << (uid % BITS_PER_BYTE)));
+	} else {
+		for (i = 0; i < allow_list_pointer; i++) {
+			if (allow_list_arr[i] == uid)
+				return true;
+		}
+	}
 
-    return false;
+	return false;
 }
 
 bool __ksu_is_allow_uid_for_current(uid_t uid)
 {
-    if (unlikely(uid == 0)) {
-        // already root, but only allow our domain.
-        return is_ksu_domain();
-    }
-    return __ksu_is_allow_uid(uid);
+	if (unlikely(uid == 0)) {
+		// already root, but only allow our domain.
+		return is_ksu_domain();
+	}
+	return __ksu_is_allow_uid(uid);
 }
 
 bool ksu_uid_should_umount(uid_t uid)
 {
-    struct app_profile profile = { .current_uid = uid };
-    if (likely(ksu_is_manager_uid_valid()) &&
-        unlikely(ksu_get_manager_uid() == uid)) {
-        // we should not umount on manager!
-        return false;
-    }
-    bool found = ksu_get_app_profile(&profile);
-    if (!found) {
-        // no app profile found, it must be non root app
-        return default_non_root_profile.umount_modules;
-    }
-    if (profile.allow_su) {
-        // if found and it is granted to su, we shouldn't umount for it
-        return false;
-    } else {
-        // found an app profile
-        if (profile.nrp_config.use_default) {
-            return default_non_root_profile.umount_modules;
-        } else {
-            return profile.nrp_config.profile.umount_modules;
-        }
-    }
+	struct app_profile profile = { .current_uid = uid };
+	if (likely(ksu_is_manager_uid_valid()) &&
+	    unlikely(ksu_get_manager_uid() == uid)) {
+		// we should not umount on manager!
+		return false;
+	}
+	bool found = ksu_get_app_profile(&profile);
+	if (!found) {
+		// no app profile found, it must be non root app
+		return default_non_root_profile.umount_modules;
+	}
+	if (profile.allow_su) {
+		// if found and it is granted to su, we shouldn't umount for it
+		return false;
+	} else {
+		// found an app profile
+		if (profile.nrp_config.use_default) {
+			return default_non_root_profile.umount_modules;
+		} else {
+			return profile.nrp_config.profile.umount_modules;
+		}
+	}
 }
 
 struct root_profile *ksu_get_root_profile(uid_t uid)
 {
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
 
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        if (uid == p->profile.current_uid && p->profile.allow_su) {
-            if (!p->profile.rp_config.use_default) {
-                return &p->profile.rp_config.profile;
-            }
-        }
-    }
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		if (uid == p->profile.current_uid && p->profile.allow_su) {
+			if (!p->profile.rp_config.use_default) {
+				return &p->profile.rp_config.profile;
+			}
+		}
+	}
 
-    // use default profile
-    return &default_root_profile;
+	// use default profile
+	return &default_root_profile;
 }
 
 bool ksu_get_allow_list(int *array, int *length, bool allow)
 {
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    int i = 0;
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        // pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
-        if (p->profile.allow_su == allow) {
-            array[i++] = p->profile.current_uid;
-        }
-    }
-    *length = i;
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	int i = 0;
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		// pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
+		if (p->profile.allow_su == allow) {
+			array[i++] = p->profile.current_uid;
+		}
+	}
+	*length = i;
 
-    return true;
+	return true;
 }
 
 static void do_persistent_allow_list(struct callback_head *_cb)
 {
-    u32 magic = FILE_MAGIC;
-    u32 version = FILE_FORMAT_VERSION;
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    loff_t off = 0;
+	u32 magic = FILE_MAGIC;
+	u32 version = FILE_FORMAT_VERSION;
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	loff_t off = 0;
 
-    mutex_lock(&allowlist_mutex);
-    struct file *fp =
-        filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT | O_TRUNC, 0644);
-    if (IS_ERR(fp)) {
-        pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
-        goto unlock;
-    }
+	mutex_lock(&allowlist_mutex);
+	struct file *fp = ksu_filp_open_compat(
+		KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+	if (IS_ERR(fp)) {
+		pr_err("save_allow_list create file failed: %ld\n",
+		       PTR_ERR(fp));
+		goto unlock;
+	}
 
-    // store magic and version
-    if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
-        pr_err("save_allow_list write magic failed.\n");
-        goto close_file;
-    }
+	// store magic and version
+	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
+	    sizeof(magic)) {
+		pr_err("save_allow_list write magic failed.\n");
+		goto close_file;
+	}
 
-    if (kernel_write(fp, &version, sizeof(version), &off) != sizeof(version)) {
-        pr_err("save_allow_list write version failed.\n");
-        goto close_file;
-    }
+	if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) !=
+	    sizeof(version)) {
+		pr_err("save_allow_list write version failed.\n");
+		goto close_file;
+	}
 
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        pr_info("save allow list, name: %s uid :%d, allow: %d\n",
-                p->profile.key, p->profile.current_uid, p->profile.allow_su);
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		pr_info("save allow list, name: %s uid :%d, allow: %d\n",
+			p->profile.key, p->profile.current_uid,
+			p->profile.allow_su);
 
-        kernel_write(fp, &p->profile, sizeof(p->profile), &off);
-    }
+		ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
+					&off);
+	}
 
 close_file:
-    filp_close(fp, 0);
+	filp_close(fp, 0);
 unlock:
-    mutex_unlock(&allowlist_mutex);
-    kfree(_cb);
+	mutex_unlock(&allowlist_mutex);
+	kfree(_cb);
 }
 
-void persistent_allow_list()
+void persistent_allow_list(void)
 {
-    struct task_struct *tsk;
+	struct task_struct *tsk;
 
-    tsk = get_pid_task(find_vpid(1), PIDTYPE_PID);
-    if (!tsk) {
-        pr_err("save_allow_list find init task err\n");
-        return;
-    }
+	tsk = get_pid_task(find_vpid(1), PIDTYPE_PID);
+	if (!tsk) {
+		pr_err("save_allow_list find init task err\n");
+		return;
+	}
 
-    struct callback_head *cb =
-        kzalloc(sizeof(struct callback_head), GFP_KERNEL);
-    if (!cb) {
-        pr_err("save_allow_list alloc cb err\b");
-        goto put_task;
-    }
-    cb->func = do_persistent_allow_list;
-    task_work_add(tsk, cb, TWA_RESUME);
+	struct callback_head *cb =
+		kzalloc(sizeof(struct callback_head), GFP_KERNEL);
+	if (!cb) {
+		pr_err("save_allow_list alloc cb err\b");
+		goto put_task;
+	}
+	cb->func = do_persistent_allow_list;
+	task_work_add(tsk, cb, TWA_RESUME);
 
 put_task:
-    put_task_struct(tsk);
+	put_task_struct(tsk);
 }
 
-void ksu_load_allow_list()
+void ksu_load_allow_list(void)
 {
-    loff_t off = 0;
-    ssize_t ret = 0;
-    struct file *fp = NULL;
-    u32 magic;
-    u32 version;
+	loff_t off = 0;
+	ssize_t ret = 0;
+	struct file *fp = NULL;
+	u32 magic;
+	u32 version;
 
 #ifdef CONFIG_KSU_DEBUG
-    // always allow adb shell by default
-    ksu_grant_root_to_shell();
+	// always allow adb shell by default
+	ksu_grant_root_to_shell();
 #endif
 
-    // load allowlist now!
-    fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
-    if (IS_ERR(fp)) {
-        pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
-        return;
-    }
+	// load allowlist now!
+	fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
+		return;
+	}
 
-    // verify magic
-    if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
-        magic != FILE_MAGIC) {
-        pr_err("allowlist file invalid: %d!\n", magic);
-        goto exit;
-    }
+	// verify magic
+	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
+		    sizeof(magic) ||
+	    magic != FILE_MAGIC) {
+		pr_err("allowlist file invalid: %d!\n", magic);
+		goto exit;
+	}
 
-    if (kernel_read(fp, &version, sizeof(version), &off) != sizeof(version)) {
-        pr_err("allowlist read version: %d failed\n", version);
-        goto exit;
-    }
+	if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) !=
+	    sizeof(version)) {
+		pr_err("allowlist read version: %d failed\n", version);
+		goto exit;
+	}
 
-    pr_info("allowlist version: %d\n", version);
+	pr_info("allowlist version: %d\n", version);
 
-    while (true) {
-        struct app_profile profile;
+	while (true) {
+		struct app_profile profile;
 
-        ret = kernel_read(fp, &profile, sizeof(profile), &off);
+		ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
+					     &off);
 
-        if (ret <= 0) {
-            pr_info("load_allow_list read err: %zd\n", ret);
-            break;
-        }
+		if (ret <= 0) {
+			pr_info("load_allow_list read err: %zd\n", ret);
+			break;
+		}
 
-        pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n", profile.key,
-                profile.current_uid, profile.allow_su);
-        ksu_set_app_profile(&profile, false);
-    }
+		pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
+			profile.key, profile.current_uid, profile.allow_su);
+		ksu_set_app_profile(&profile, false);
+	}
 
 exit:
-    ksu_show_allow_list();
-    filp_close(fp, 0);
+	ksu_show_allow_list();
+	filp_close(fp, 0);
 }
 
 void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *),
-                         void *data)
+			 void *data)
 {
-    struct perm_data *np = NULL;
-    struct perm_data *n = NULL;
+	struct perm_data *np = NULL;
+	struct perm_data *n = NULL;
 
-    if (!ksu_boot_completed) {
-        pr_info("boot not completed, skip prune\n");
-        return;
-    }
+	if (!ksu_boot_completed) {
+		pr_info("boot not completed, skip prune\n");
+		return;
+	}
 
-    bool modified = false;
-    // TODO: use RCU!
-    mutex_lock(&allowlist_mutex);
-    list_for_each_entry_safe (np, n, &allow_list, list) {
-        uid_t uid = np->profile.current_uid;
-        char *package = np->profile.key;
-        // we use this uid for special cases, don't prune it!
-        bool is_preserved_uid = uid == KSU_APP_PROFILE_PRESERVE_UID;
-        if (!is_preserved_uid && !is_uid_valid(uid, package, data)) {
-            modified = true;
-            pr_info("prune uid: %d, package: %s\n", uid, package);
-            list_del(&np->list);
-            if (likely(uid <= BITMAP_UID_MAX)) {
-                allow_list_bitmap[uid / BITS_PER_BYTE] &=
-                    ~(1 << (uid % BITS_PER_BYTE));
-            }
-            remove_uid_from_arr(uid);
-            smp_mb();
-            kfree(np);
-        }
-    }
-    mutex_unlock(&allowlist_mutex);
+	bool modified = false;
+	// TODO: use RCU!
+	mutex_lock(&allowlist_mutex);
+	list_for_each_entry_safe (np, n, &allow_list, list) {
+		uid_t uid = np->profile.current_uid;
+		char *package = np->profile.key;
+		// we use this uid for special cases, don't prune it!
+		bool is_preserved_uid = uid == KSU_APP_PROFILE_PRESERVE_UID;
+		if (!is_preserved_uid && !is_uid_valid(uid, package, data)) {
+			modified = true;
+			pr_info("prune uid: %d, package: %s\n", uid, package);
+			list_del(&np->list);
+			if (likely(uid <= BITMAP_UID_MAX)) {
+				allow_list_bitmap[uid / BITS_PER_BYTE] &=
+					~(1 << (uid % BITS_PER_BYTE));
+			}
+			remove_uid_from_arr(uid);
+			smp_mb();
+			kfree(np);
+		}
+	}
+	mutex_unlock(&allowlist_mutex);
 
-    if (modified) {
-        persistent_allow_list();
-    }
+	if (modified) {
+		persistent_allow_list();
+	}
 }
 
 void ksu_allowlist_init(void)
 {
-    int i;
+	int i;
 
-    BUILD_BUG_ON(sizeof(allow_list_bitmap) != PAGE_SIZE);
-    BUILD_BUG_ON(sizeof(allow_list_arr) != PAGE_SIZE);
+	BUILD_BUG_ON(sizeof(allow_list_bitmap) != PAGE_SIZE);
+	BUILD_BUG_ON(sizeof(allow_list_arr) != PAGE_SIZE);
 
-    for (i = 0; i < ARRAY_SIZE(allow_list_arr); i++)
-        allow_list_arr[i] = -1;
+	for (i = 0; i < ARRAY_SIZE(allow_list_arr); i++)
+		allow_list_arr[i] = -1;
 
-    INIT_LIST_HEAD(&allow_list);
+	INIT_LIST_HEAD(&allow_list);
 
-    init_default_profiles();
+	init_default_profiles();
 }
 
 void ksu_allowlist_exit(void)
 {
-    struct perm_data *np = NULL;
-    struct perm_data *n = NULL;
+	struct perm_data *np = NULL;
+	struct perm_data *n = NULL;
 
-    // free allowlist
-    mutex_lock(&allowlist_mutex);
-    list_for_each_entry_safe (np, n, &allow_list, list) {
-        list_del(&np->list);
-        kfree(np);
-    }
-    mutex_unlock(&allowlist_mutex);
+	// free allowlist
+	mutex_lock(&allowlist_mutex);
+	list_for_each_entry_safe (np, n, &allow_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+	mutex_unlock(&allowlist_mutex);
 }
-
-#ifdef CONFIG_KSU_MANUAL_SU
-bool ksu_temp_grant_root_once(uid_t uid)
-{
-    struct app_profile profile = {
-        .version = KSU_APP_PROFILE_VER,
-        .allow_su = true,
-        .current_uid = uid,
-    };
-
-    const char *default_key = "com.temp.once";
-
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    bool found = false;
-
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        if (p->profile.current_uid == uid) {
-            strcpy(profile.key, p->profile.key);
-            found = true;
-            break;
-        }
-    }
-
-    if (!found) {
-        strcpy(profile.key, default_key);
-    }
-
-    profile.rp_config.profile.uid = default_root_profile.uid;
-    profile.rp_config.profile.gid = default_root_profile.gid;
-    profile.rp_config.profile.groups_count = default_root_profile.groups_count;
-    memcpy(profile.rp_config.profile.groups, default_root_profile.groups, sizeof(default_root_profile.groups));
-    memcpy(&profile.rp_config.profile.capabilities, &default_root_profile.capabilities, sizeof(default_root_profile.capabilities));
-    profile.rp_config.profile.namespaces = default_root_profile.namespaces;
-    strcpy(profile.rp_config.profile.selinux_domain, default_root_profile.selinux_domain);
-
-    bool ok = ksu_set_app_profile(&profile, false);
-    if (ok)
-        pr_info("pending_root: UID=%d granted and persisted\n", uid);
-    return ok;
-}
-
-void ksu_temp_revoke_root_once(uid_t uid)
-{
-    struct app_profile profile = {
-        .version = KSU_APP_PROFILE_VER,
-        .allow_su = false,
-        .current_uid = uid,
-    };
-
-    const char *default_key = "com.temp.once";
-
-    struct perm_data *p = NULL;
-    struct list_head *pos = NULL;
-    bool found = false;
-
-    list_for_each (pos, &allow_list) {
-        p = list_entry(pos, struct perm_data, list);
-        if (p->profile.current_uid == uid) {
-            strcpy(profile.key, p->profile.key);
-            found = true;
-            break;
-        }
-    }
-
-    if (!found) {
-        strcpy(profile.key, default_key);
-    }
-
-    profile.nrp_config.profile.umount_modules = default_non_root_profile.umount_modules;
-    strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
-
-    ksu_set_app_profile(&profile, false);
-    persistent_allow_list();
-    pr_info("pending_root: UID=%d removed and persist updated\n", uid);
-}
-#endif

kernel/allowlist.h

@@ -8,8 +8,6 @@
 #define PER_USER_RANGE 100000
 #define FIRST_APPLICATION_UID 10000
 #define LAST_APPLICATION_UID 19999
-#define FIRST_ISOLATED_UID 99000
-#define LAST_ISOLATED_UID 99999
 
 void ksu_allowlist_init(void);
 
@@ -25,11 +23,13 @@ bool __ksu_is_allow_uid(uid_t uid);
 
 // Check if the uid is in allow list, or current is ksu domain root
 bool __ksu_is_allow_uid_for_current(uid_t uid);
-#define ksu_is_allow_uid_for_current(uid) unlikely(__ksu_is_allow_uid_for_current(uid))
+#define ksu_is_allow_uid_for_current(uid)                                      \
+	unlikely(__ksu_is_allow_uid_for_current(uid))
 
 bool ksu_get_allow_list(int *array, int *length, bool allow);
 
-void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
+void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *),
+			 void *data);
 
 bool ksu_get_app_profile(struct app_profile *);
 bool ksu_set_app_profile(struct app_profile *, bool persist);
@@ -39,19 +39,7 @@ struct root_profile *ksu_get_root_profile(uid_t uid);
 
 static inline bool is_appuid(uid_t uid)
 {
-    uid_t appid = uid % PER_USER_RANGE;
-    return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
+	uid_t appid = uid % PER_USER_RANGE;
+	return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
 }
-
-static inline bool is_isolated_process(uid_t uid)
-{
-    uid_t appid = uid % PER_USER_RANGE;
-    return appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID;
-}
-
-#ifdef CONFIG_KSU_MANUAL_SU
-bool ksu_temp_grant_root_once(uid_t uid);
-void ksu_temp_revoke_root_once(uid_t uid);
-#endif
-
 #endif

kernel/apk_sign.c

@@ -17,373 +17,378 @@
 #include "apk_sign.h"
 #include "dynamic_manager.h"
 #include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h"
 #include "manager_sign.h"
 
 struct sdesc {
-    struct shash_desc shash;
-    char ctx[];
+	struct shash_desc shash;
+	char ctx[];
 };
 
 static apk_sign_key_t apk_sign_keys[] = {
-    {EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO}, // ShirkNeko/SukiSU
+	{ EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO }, // SukiSU
 #ifdef EXPECTED_SIZE
-    {EXPECTED_SIZE, EXPECTED_HASH}, // Custom
+	{ EXPECTED_SIZE, EXPECTED_HASH }, // Custom
 #endif
 };
 
 static struct sdesc *init_sdesc(struct crypto_shash *alg)
 {
-    struct sdesc *sdesc;
-    int size;
+	struct sdesc *sdesc;
+	int size;
 
-    size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
-    sdesc = kzalloc(size, GFP_KERNEL);
-    if (!sdesc)
-        return ERR_PTR(-ENOMEM);
-    sdesc->shash.tfm = alg;
-    return sdesc;
+	size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
+	sdesc = kzalloc(size, GFP_KERNEL);
+	if (!sdesc)
+		return ERR_PTR(-ENOMEM);
+	sdesc->shash.tfm = alg;
+	return sdesc;
 }
 
 static int calc_hash(struct crypto_shash *alg, const unsigned char *data,
-             unsigned int datalen, unsigned char *digest)
+		     unsigned int datalen, unsigned char *digest)
 {
-    struct sdesc *sdesc;
-    int ret;
+	struct sdesc *sdesc;
+	int ret;
 
-    sdesc = init_sdesc(alg);
-    if (IS_ERR(sdesc)) {
-        pr_info("can't alloc sdesc\n");
-        return PTR_ERR(sdesc);
-    }
+	sdesc = init_sdesc(alg);
+	if (IS_ERR(sdesc)) {
+		pr_info("can't alloc sdesc\n");
+		return PTR_ERR(sdesc);
+	}
 
-    ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
-    kfree(sdesc);
-    return ret;
+	ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
+	kfree(sdesc);
+	return ret;
 }
 
 static int ksu_sha256(const unsigned char *data, unsigned int datalen,
-              unsigned char *digest)
+		      unsigned char *digest)
 {
-    struct crypto_shash *alg;
-    char *hash_alg_name = "sha256";
-    int ret;
+	struct crypto_shash *alg;
+	char *hash_alg_name = "sha256";
+	int ret;
 
-    alg = crypto_alloc_shash(hash_alg_name, 0, 0);
-    if (IS_ERR(alg)) {
-        pr_info("can't alloc alg %s\n", hash_alg_name);
-        return PTR_ERR(alg);
-    }
-    ret = calc_hash(alg, data, datalen, digest);
-    crypto_free_shash(alg);
-    return ret;
+	alg = crypto_alloc_shash(hash_alg_name, 0, 0);
+	if (IS_ERR(alg)) {
+		pr_info("can't alloc alg %s\n", hash_alg_name);
+		return PTR_ERR(alg);
+	}
+	ret = calc_hash(alg, data, datalen, digest);
+	crypto_free_shash(alg);
+	return ret;
 }
 
-
 static struct dynamic_sign_key dynamic_sign = DYNAMIC_SIGN_DEFAULT_CONFIG;
 
 static bool check_dynamic_sign(struct file *fp, u32 size4, loff_t *pos, int *matched_index)
 {
-    struct dynamic_sign_key current_dynamic_key = dynamic_sign;
-    
-    if (ksu_get_dynamic_manager_config(&current_dynamic_key.size, &current_dynamic_key.hash)) {
-        pr_debug("Using dynamic manager config: size=0x%x, hash=%.16s...\n", 
-                 current_dynamic_key.size, current_dynamic_key.hash);
-    }
-    
-    if (size4 != current_dynamic_key.size) {
-        return false;
-    }
+	struct dynamic_sign_key current_dynamic_key = dynamic_sign;
+	
+	if (ksu_get_dynamic_manager_config(&current_dynamic_key.size, &current_dynamic_key.hash)) {
+		pr_debug("Using dynamic manager config: size=0x%x, hash=%.16s...\n", 
+		         current_dynamic_key.size, current_dynamic_key.hash);
+	}
+	
+	if (size4 != current_dynamic_key.size) {
+		return false;
+	}
 
 #define CERT_MAX_LENGTH 1024
-    char cert[CERT_MAX_LENGTH];
-    if (size4 > CERT_MAX_LENGTH) {
-        pr_info("cert length overlimit\n");
-        return false;
-    }
-    
-    kernel_read(fp, cert, size4, pos);
-    
-    unsigned char digest[SHA256_DIGEST_SIZE];
-    if (ksu_sha256(cert, size4, digest) < 0) {
-        pr_info("sha256 error\n");
-        return false;
-    }
+	char cert[CERT_MAX_LENGTH];
+	if (size4 > CERT_MAX_LENGTH) {
+		pr_info("cert length overlimit\n");
+		return false;
+	}
+	
+	ksu_kernel_read_compat(fp, cert, size4, pos);
+	
+	unsigned char digest[SHA256_DIGEST_SIZE];
+	if (ksu_sha256(cert, size4, digest) < 0) {
+		pr_info("sha256 error\n");
+		return false;
+	}
 
-    char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
-    hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
-    bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
-    
-    pr_info("sha256: %s, expected: %s, index: dynamic\n", hash_str, current_dynamic_key.hash);
-    
-    if (strcmp(current_dynamic_key.hash, hash_str) == 0) {
-        if (matched_index) {
-            *matched_index = DYNAMIC_SIGN_INDEX;
-        }
-        return true;
-    }
-    
-    return false;
+	char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+	hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+	bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+	
+	pr_info("sha256: %s, expected: %s, index: dynamic\n", hash_str, current_dynamic_key.hash);
+	
+	if (strcmp(current_dynamic_key.hash, hash_str) == 0) {
+		if (matched_index) {
+			*matched_index = DYNAMIC_SIGN_INDEX;
+		}
+		return true;
+	}
+	
+	return false;
 }
 
-static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset, int *matched_index)
+static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
+			int *matched_index)
 {
-    int i;
-    apk_sign_key_t sign_key;
-    bool signature_valid = false;
+	int i;
+	apk_sign_key_t sign_key;
+	bool signature_valid = false;
 
-    kernel_read(fp, size4, 0x4, pos); // signer-sequence length
-    kernel_read(fp, size4, 0x4, pos); // signer length
-    kernel_read(fp, size4, 0x4, pos); // signed data length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer-sequence length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signed data length
 
-    *offset += 0x4 * 3;
+	*offset += 0x4 * 3;
 
-    kernel_read(fp, size4, 0x4, pos); // digests-sequence length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // digests-sequence length
 
-    *pos += *size4;
-    *offset += 0x4 + *size4;
+	*pos += *size4;
+	*offset += 0x4 + *size4;
 
-    kernel_read(fp, size4, 0x4, pos); // certificates length
-    kernel_read(fp, size4, 0x4, pos); // certificate length
-    *offset += 0x4 * 2;
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificates length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificate length
+	*offset += 0x4 * 2;
 
-    if (ksu_is_dynamic_manager_enabled()) {
-        loff_t temp_pos = *pos;
-        if (check_dynamic_sign(fp, *size4, &temp_pos, matched_index)) {
-            *pos = temp_pos;
-            *offset += *size4;
-            return true;
-        }
-    }
+	if (ksu_is_dynamic_manager_enabled()) {
+		loff_t temp_pos = *pos;
+		if (check_dynamic_sign(fp, *size4, &temp_pos, matched_index)) {
+			*pos = temp_pos;
+			*offset += *size4;
+			return true;
+		}
+	}
 
-    for (i = 0; i < ARRAY_SIZE(apk_sign_keys); i++) {
-        sign_key = apk_sign_keys[i];
+	for (i = 0; i < ARRAY_SIZE(apk_sign_keys); i++) {
+		sign_key = apk_sign_keys[i];
 
-        if (*size4 != sign_key.size)
-            continue;
-        *offset += *size4;
+		if (*size4 != sign_key.size)
+			continue;
+		*offset += *size4;
 
 #define CERT_MAX_LENGTH 1024
-        char cert[CERT_MAX_LENGTH];
-        if (*size4 > CERT_MAX_LENGTH) {
-            pr_info("cert length overlimit\n");
-            return false;
-        }
-        kernel_read(fp, cert, *size4, pos);
-        unsigned char digest[SHA256_DIGEST_SIZE];
-        if (ksu_sha256(cert, *size4, digest) < 0 ) {
-            pr_info("sha256 error\n");
-            return false;
-        }
+		char cert[CERT_MAX_LENGTH];
+		if (*size4 > CERT_MAX_LENGTH) {
+			pr_info("cert length overlimit\n");
+			return false;
+		}
+		ksu_kernel_read_compat(fp, cert, *size4, pos);
+		unsigned char digest[SHA256_DIGEST_SIZE];
+		if (ksu_sha256(cert, *size4, digest) < 0) {
+			pr_info("sha256 error\n");
+			return false;
+		}
 
-        char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
-        hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+		char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+		hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
 
-        bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
-        pr_info("sha256: %s, expected: %s, index: %d\n", hash_str, sign_key.sha256, i);
-        
-        if (strcmp(sign_key.sha256, hash_str) == 0) {
-            signature_valid = true;
-            if (matched_index) {
-                *matched_index = i;
-            }
-            break;
-        }
-    }
-    return signature_valid;
+		bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+		pr_info("sha256: %s, expected: %s, index: %d\n", hash_str,
+			sign_key.sha256, i);
+
+		if (strcmp(sign_key.sha256, hash_str) == 0) {
+			signature_valid = true;
+			if (matched_index) {
+				*matched_index = i;
+			}
+			break;
+		}
+	}
+	return signature_valid;
 }
 
 struct zip_entry_header {
-    uint32_t signature;
-    uint16_t version;
-    uint16_t flags;
-    uint16_t compression;
-    uint16_t mod_time;
-    uint16_t mod_date;
-    uint32_t crc32;
-    uint32_t compressed_size;
-    uint32_t uncompressed_size;
-    uint16_t file_name_length;
-    uint16_t extra_field_length;
+	uint32_t signature;
+	uint16_t version;
+	uint16_t flags;
+	uint16_t compression;
+	uint16_t mod_time;
+	uint16_t mod_date;
+	uint32_t crc32;
+	uint32_t compressed_size;
+	uint32_t uncompressed_size;
+	uint16_t file_name_length;
+	uint16_t extra_field_length;
 } __attribute__((packed));
 
 // This is a necessary but not sufficient condition, but it is enough for us
 static bool has_v1_signature_file(struct file *fp)
 {
-    struct zip_entry_header header;
-    const char MANIFEST[] = "META-INF/MANIFEST.MF";
+	struct zip_entry_header header;
+	const char MANIFEST[] = "META-INF/MANIFEST.MF";
 
-    loff_t pos = 0;
+	loff_t pos = 0;
 
-    while (kernel_read(fp, &header,
-                      sizeof(struct zip_entry_header), &pos) ==
-           sizeof(struct zip_entry_header)) {
-        if (header.signature != 0x04034b50) {
-            // ZIP magic: 'PK'
-            return false;
-        }
-        // Read the entry file name
-        if (header.file_name_length == sizeof(MANIFEST) - 1) {
-            char fileName[sizeof(MANIFEST)];
-            kernel_read(fp, fileName,
-                           header.file_name_length, &pos);
-            fileName[header.file_name_length] = '\0';
+	while (ksu_kernel_read_compat(fp, &header,
+				      sizeof(struct zip_entry_header), &pos) ==
+	       sizeof(struct zip_entry_header)) {
+		if (header.signature != 0x04034b50) {
+			// ZIP magic: 'PK'
+			return false;
+		}
+		// Read the entry file name
+		if (header.file_name_length == sizeof(MANIFEST) - 1) {
+			char fileName[sizeof(MANIFEST)];
+			ksu_kernel_read_compat(fp, fileName,
+					       header.file_name_length, &pos);
+			fileName[header.file_name_length] = '\0';
 
-            // Check if the entry matches META-INF/MANIFEST.MF
-            if (strncmp(MANIFEST, fileName, sizeof(MANIFEST) - 1) ==
-                0) {
-                return true;
-            }
-        } else {
-            // Skip the entry file name
-            pos += header.file_name_length;
-        }
+			// Check if the entry matches META-INF/MANIFEST.MF
+			if (strncmp(MANIFEST, fileName, sizeof(MANIFEST) - 1) ==
+			    0) {
+				return true;
+			}
+		} else {
+			// Skip the entry file name
+			pos += header.file_name_length;
+		}
 
-        // Skip to the next entry
-        pos += header.extra_field_length + header.compressed_size;
-    }
+		// Skip to the next entry
+		pos += header.extra_field_length + header.compressed_size;
+	}
 
-    return false;
+	return false;
 }
 
-static __always_inline bool check_v2_signature(char *path, bool check_multi_manager, int *signature_index)
+static __always_inline bool
+check_v2_signature(char *path, bool check_multi_manager, int *signature_index)
 {
-    unsigned char buffer[0x11] = { 0 };
-    u32 size4;
-    u64 size8, size_of_block;
+	unsigned char buffer[0x11] = { 0 };
+	u32 size4;
+	u64 size8, size_of_block;
 
-    loff_t pos;
+	loff_t pos;
 
-    bool v2_signing_valid = false;
-    int v2_signing_blocks = 0;
-    bool v3_signing_exist = false;
-    bool v3_1_signing_exist = false;
-    int matched_index = -1;
-    int i;
-    struct file *fp = filp_open(path, O_RDONLY, 0);
-    if (IS_ERR(fp)) {
-        pr_err("open %s error.\n", path);
-        return false;
-    }
+	bool v2_signing_valid = false;
+	int v2_signing_blocks = 0;
+	bool v3_signing_exist = false;
+	bool v3_1_signing_exist = false;
+	int matched_index = -1;
+	int i;
+	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_err("open %s error.\n", path);
+		return false;
+	}
 
-    // If you want to check for multi-manager APK signing, but dynamic managering is not enabled, skip
-    if (check_multi_manager && !ksu_is_dynamic_manager_enabled()) {
-        filp_close(fp, 0);
-        return 0;
-    }
+	// If you want to check for multi-manager APK signing, but dynamic managering is not enabled, skip
+	if (check_multi_manager && !ksu_is_dynamic_manager_enabled()) {
+		filp_close(fp, 0);
+		return 0;
+	}
 
-    // disable inotify for this file
-    fp->f_mode |= FMODE_NONOTIFY;
+	// disable inotify for this file
+	fp->f_mode |= FMODE_NONOTIFY;
 
-    // https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
-    for (i = 0;; ++i) {
-        unsigned short n;
-        pos = generic_file_llseek(fp, -i - 2, SEEK_END);
-        kernel_read(fp, &n, 2, &pos);
-        if (n == i) {
-            pos -= 22;
-            kernel_read(fp, &size4, 4, &pos);
-            if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
-                break;
-            }
-        }
-        if (i == 0xffff) {
-            pr_info("error: cannot find eocd\n");
-            goto clean;
-        }
-    }
+	// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
+	for (i = 0;; ++i) {
+		unsigned short n;
+		pos = generic_file_llseek(fp, -i - 2, SEEK_END);
+		ksu_kernel_read_compat(fp, &n, 2, &pos);
+		if (n == i) {
+			pos -= 22;
+			ksu_kernel_read_compat(fp, &size4, 4, &pos);
+			if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
+				break;
+			}
+		}
+		if (i == 0xffff) {
+			pr_info("error: cannot find eocd\n");
+			goto clean;
+		}
+	}
 
-    pos += 12;
-    // offset
-    kernel_read(fp, &size4, 0x4, &pos);
-    pos = size4 - 0x18;
+	pos += 12;
+	// offset
+	ksu_kernel_read_compat(fp, &size4, 0x4, &pos);
+	pos = size4 - 0x18;
 
-    kernel_read(fp, &size8, 0x8, &pos);
-    kernel_read(fp, buffer, 0x10, &pos);
-    if (strcmp((char *)buffer, "APK Sig Block 42")) {
-        goto clean;
-    }
+	ksu_kernel_read_compat(fp, &size8, 0x8, &pos);
+	ksu_kernel_read_compat(fp, buffer, 0x10, &pos);
+	if (strcmp((char *)buffer, "APK Sig Block 42")) {
+		goto clean;
+	}
 
-    pos = size4 - (size8 + 0x8);
-    kernel_read(fp, &size_of_block, 0x8, &pos);
-    if (size_of_block != size8) {
-        goto clean;
-    }
+	pos = size4 - (size8 + 0x8);
+	ksu_kernel_read_compat(fp, &size_of_block, 0x8, &pos);
+	if (size_of_block != size8) {
+		goto clean;
+	}
 
-    int loop_count = 0;
-    while (loop_count++ < 10) {
-        uint32_t id;
-        uint32_t offset;
-        kernel_read(fp, &size8, 0x8,
-                       &pos); // sequence length
-        if (size8 == size_of_block) {
-            break;
-        }
-        kernel_read(fp, &id, 0x4, &pos); // id
-        offset = 4;
-        if (id == 0x7109871au) {
-            v2_signing_blocks++;
-            bool result = check_block(fp, &size4, &pos, &offset, &matched_index);
-            if (result) {
-                v2_signing_valid = true;
-            }
-        } else if (id == 0xf05368c0u) {
-            // http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#73
-            v3_signing_exist = true;
-        } else if (id == 0x1b93ad61u) {
-            // http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#74
-            v3_1_signing_exist = true;
-        } else {
+	int loop_count = 0;
+	while (loop_count++ < 10) {
+		uint32_t id;
+		uint32_t offset;
+		ksu_kernel_read_compat(fp, &size8, 0x8,
+				       &pos); // sequence length
+		if (size8 == size_of_block) {
+			break;
+		}
+		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
+		offset = 4;
+		if (id == 0x7109871au) {
+			v2_signing_blocks++;
+			bool result = check_block(fp, &size4, &pos, &offset,
+						  &matched_index);
+			if (result) {
+				v2_signing_valid = true;
+			}
+		} else if (id == 0xf05368c0u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#73
+			v3_signing_exist = true;
+		} else if (id == 0x1b93ad61u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#74
+			v3_1_signing_exist = true;
+		} else {
 #ifdef CONFIG_KSU_DEBUG
-            pr_info("Unknown id: 0x%08x\n", id);
+			pr_info("Unknown id: 0x%08x\n", id);
 #endif
-        }
-        pos += (size8 - offset);
-    }
+		}
+		pos += (size8 - offset);
+	}
 
-    if (v2_signing_blocks != 1) {
+	if (v2_signing_blocks != 1) {
 #ifdef CONFIG_KSU_DEBUG
-        pr_err("Unexpected v2 signature count: %d\n",
-               v2_signing_blocks);
+		pr_err("Unexpected v2 signature count: %d\n",
+		       v2_signing_blocks);
 #endif
-        v2_signing_valid = false;
-    }
+		v2_signing_valid = false;
+	}
 
-    if (v2_signing_valid) {
-        int has_v1_signing = has_v1_signature_file(fp);
-        if (has_v1_signing) {
-            pr_err("Unexpected v1 signature scheme found!\n");
-            filp_close(fp, 0);
-            return false;
-        }
-    }
+	if (v2_signing_valid) {
+		int has_v1_signing = has_v1_signature_file(fp);
+		if (has_v1_signing) {
+			pr_err("Unexpected v1 signature scheme found!\n");
+			filp_close(fp, 0);
+			return false;
+		}
+	}
 clean:
-    filp_close(fp, 0);
+	filp_close(fp, 0);
 
-    if (v3_signing_exist || v3_1_signing_exist) {
+	if (v3_signing_exist || v3_1_signing_exist) {
 #ifdef CONFIG_KSU_DEBUG
-        pr_err("Unexpected v3 signature scheme found!\n");
+		pr_err("Unexpected v3 signature scheme found!\n");
 #endif
-        return false;
-    }
+		return false;
+	}
 
-    if (v2_signing_valid) {
-        if (signature_index) {
-            *signature_index = matched_index;
-        }
-        
-        if (check_multi_manager) {
-            // 0: ShirkNeko/SukiSU, DYNAMIC_SIGN_INDEX : Dynamic Sign
-            if (matched_index == 0 || matched_index == DYNAMIC_SIGN_INDEX) {
-                pr_info("Multi-manager APK detected (dynamic_manager enabled): signature_index=%d\n", matched_index);
-                return true;
-            }
-            return false;
-        } else {
-            // Common manager check: any valid signature will do
-            return true;
-        }
-    }
-    return false;
+	if (v2_signing_valid) {
+		if (signature_index) {
+			*signature_index = matched_index;
+		}
+
+		if (check_multi_manager) {
+			// 0: ShirkNeko/SukiSU, DYNAMIC_SIGN_INDEX: Dynamic Sign
+			if (matched_index == 0 || matched_index == DYNAMIC_SIGN_INDEX) {
+				pr_info("Multi-manager APK detected (dynamic_manager enabled): signature_index=%d\n",
+					matched_index);
+				return true;
+			}
+			return false;
+		} else {
+			// Common manager check: any valid signature will do
+			return true;
+		}
+	}
+	return false;
 }
 
 #ifdef CONFIG_KSU_DEBUG
@@ -394,28 +399,28 @@ int ksu_debug_manager_uid = -1;
 
 static int set_expected_size(const char *val, const struct kernel_param *kp)
 {
-    int rv = param_set_uint(val, kp);
-    ksu_set_manager_uid(ksu_debug_manager_uid);
-    pr_info("ksu_manager_uid set to %d\n", ksu_debug_manager_uid);
-    return rv;
+	int rv = param_set_uint(val, kp);
+	ksu_set_manager_uid(ksu_debug_manager_uid);
+	pr_info("ksu_manager_uid set to %d\n", ksu_debug_manager_uid);
+	return rv;
 }
 
 static struct kernel_param_ops expected_size_ops = {
-    .set = set_expected_size,
-    .get = param_get_uint,
+	.set = set_expected_size,
+	.get = param_get_uint,
 };
 
 module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
-        &ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
+		&ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
 
 #endif
 
 bool is_manager_apk(char *path)
 {
-    return check_v2_signature(path, false, NULL);
+	return check_v2_signature(path, false, NULL);
 }
 
 bool is_dynamic_manager_apk(char *path, int *signature_index)
 {
-    return check_v2_signature(path, true, signature_index);
-}
+	return check_v2_signature(path, true, signature_index);
+}

kernel/app_profile.c

@@ -1,71 +1,216 @@
+#include <linux/version.h>
 #include <linux/capability.h>
 #include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/fdtable.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/proc_ns.h>
+#include <linux/pid.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include <linux/sched/signal.h> // signal_struct
+#include <linux/sched/task.h>
+#endif
 #include <linux/sched.h>
-#include <linux/sched/signal.h>
 #include <linux/seccomp.h>
 #include <linux/thread_info.h>
 #include <linux/uidgid.h>
-#include <linux/version.h>
-#include "objsec.h"
+#include <linux/syscalls.h>
 
 #include "allowlist.h"
 #include "app_profile.h"
+#include "arch.h"
+#include "kernel_compat.h"
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
 #include "syscall_hook_manager.h"
-#include "sucompat.h"
 
-#include "sulog.h"
+static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION (6, 7, 0)
-    static struct group_info root_groups = { .usage = REFCOUNT_INIT(2), };
-#else 
-    static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
-#endif
-
-static void setup_groups(struct root_profile *profile, struct cred *cred)
+void setup_groups(struct root_profile *profile, struct cred *cred)
 {
-    if (profile->groups_count > KSU_MAX_GROUPS) {
-        pr_warn("Failed to setgroups, too large group: %d!\n",
-            profile->uid);
-        return;
-    }
+	if (profile->groups_count > KSU_MAX_GROUPS) {
+		pr_warn("Failed to setgroups, too large group: %d!\n",
+			profile->uid);
+		return;
+	}
 
-    if (profile->groups_count == 1 && profile->groups[0] == 0) {
-        // setgroup to root and return early.
-        if (cred->group_info)
-            put_group_info(cred->group_info);
-        cred->group_info = get_group_info(&root_groups);
-        return;
-    }
+	if (profile->groups_count == 1 && profile->groups[0] == 0) {
+		// setgroup to root and return early.
+		if (cred->group_info)
+			put_group_info(cred->group_info);
+		cred->group_info = get_group_info(&root_groups);
+		return;
+	}
 
-    u32 ngroups = profile->groups_count;
-    struct group_info *group_info = groups_alloc(ngroups);
-    if (!group_info) {
-        pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
-        return;
-    }
+	u32 ngroups = profile->groups_count;
+	struct group_info *group_info = groups_alloc(ngroups);
+	if (!group_info) {
+		pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+		return;
+	}
 
-    int i;
-    for (i = 0; i < ngroups; i++) {
-        gid_t gid = profile->groups[i];
-        kgid_t kgid = make_kgid(current_user_ns(), gid);
-        if (!gid_valid(kgid)) {
-            pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
-            put_group_info(group_info);
-            return;
-        }
-        group_info->gid[i] = kgid;
-    }
+	int i;
+	for (i = 0; i < ngroups; i++) {
+		gid_t gid = profile->groups[i];
+		kgid_t kgid = make_kgid(current_user_ns(), gid);
+		if (!gid_valid(kgid)) {
+			pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+			put_group_info(group_info);
+			return;
+		}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
+		group_info->gid[i] = kgid;
+#else
+		GROUP_AT(group_info, i) = kgid;
+#endif
+	}
 
-    groups_sort(group_info);
-    set_groups(cred, group_info);
-    put_group_info(group_info);
+	groups_sort(group_info);
+	set_groups(cred, group_info);
+	put_group_info(group_info);
 }
 
-void disable_seccomp(void)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
+extern long SYS_SETNS_SYMBOL(const struct pt_regs *regs);
+static long ksu_sys_setns(int fd, int flags)
 {
-	assert_spin_locked(&current->sighand->siglock);
+	struct pt_regs regs;
+	memset(&regs, 0, sizeof(regs));
+
+	PT_REGS_PARM1(&regs) = fd;
+	PT_REGS_PARM2(&regs) = flags;
+
+	// TODO: arm support
+#if (defined(__aarch64__) || defined(__x86_64__))
+	return SYS_SETNS_SYMBOL(&regs);
+#else
+	return -ENOSYS;
+#endif
+}
+#else
+static long ksu_sys_setns(int fd, int flags)
+{
+	return sys_setns(fd, flags);
+}
+
+__weak int ksys_unshare(unsigned long unshare_flags)
+{
+	return sys_unshare(unshare_flags);
+}
+#endif
+
+static void setup_mount_namespace(int32_t ns_mode)
+{
+	pr_info("setup mount namespace for pid: %d\n", current->pid);
+
+	if (ns_mode == 0) {
+		pr_info("mount namespace mode: inherit\n");
+		// do nothing
+		return;
+	}
+
+	if (ns_mode > 2) {
+		pr_warn("unknown mount namespace mode: %d\n", ns_mode);
+		return;
+	}
+
+	const struct cred *old_cred = NULL;
+	struct cred *new_cred = NULL;
+	if (!(capable(CAP_SYS_ADMIN) && capable(CAP_SYS_CHROOT))) {
+		pr_info("process dont have CAP_SYS_ADMIN or CAP_SYS_CHROOT, adding it temporarily.\n");
+		new_cred = prepare_creds();
+		if (!new_cred) {
+			pr_warn("failed to prepare new credentials\n");
+			return;
+		}
+		cap_raise(new_cred->cap_effective, CAP_SYS_ADMIN);
+		cap_raise(new_cred->cap_effective, CAP_SYS_CHROOT);
+		old_cred = override_creds(new_cred);
+	}
+
+	if (ns_mode == 1) {
+		pr_info("mount namespace mode: global\n");
+		struct file *ns_file;
+		struct path ns_path;
+		struct task_struct *pid1_task = NULL;
+		struct pid *pid_struct = NULL;
+		rcu_read_lock();
+		// find init
+		pid_struct = find_pid_ns(1, &init_pid_ns);
+		if (unlikely(!pid_struct)) {
+			rcu_read_unlock();
+			pr_warn("failed to find pid_struct for PID 1\n");
+			goto try_drop_caps;
+		}
+
+		pid1_task = get_pid_task(pid_struct, PIDTYPE_PID);
+		rcu_read_unlock();
+		if (unlikely(!pid1_task)) {
+			pr_warn("failed to get task_struct for PID 1\n");
+			goto try_drop_caps;
+		}
+		// mabe you can use &init_task for first stage init?
+		long ret = ns_get_path(&ns_path, pid1_task, &mntns_operations);
+		put_task_struct(pid1_task);
+		if (ret) {
+			pr_warn("failed to get path for init's mount namespace: %ld\n",
+				ret);
+			goto try_drop_caps;
+		}
+		ns_file = dentry_open(&ns_path, O_RDONLY, current_cred());
+
+		path_put(&ns_path);
+		if (IS_ERR(ns_file)) {
+			pr_warn("failed to open file for init's mount namespace: %ld\n",
+				PTR_ERR(ns_file));
+			goto try_drop_caps;
+		}
+
+		int fd = get_unused_fd_flags(O_CLOEXEC);
+		if (fd < 0) {
+			pr_warn("failed to get an unused fd: %d\n", fd);
+			fput(ns_file);
+			goto try_drop_caps;
+		}
+
+		fd_install(fd, ns_file);
+		pr_info("calling sys_setns with fd : %d\n", fd);
+
+		ret = ksu_sys_setns(fd, CLONE_NEWNS);
+		if (ret) {
+			pr_warn("sys_setns failed: %ld\n", ret);
+		}
+		do_close_fd(fd);
+	}
+
+	if (ns_mode == 2) {
+		long ret;
+		pr_info("mount namespace mode: independent\n");
+
+		ret = ksys_unshare(CLONE_NEWNS);
+		if (ret) {
+			pr_warn("call ksys_unshare failed: %ld\n", ret);
+		}
+	}
+
+try_drop_caps:
+	if (old_cred) {
+		pr_info("dropping temporarily capability.\n");
+		revert_creds(old_cred);
+		put_cred(new_cred);
+	}
+	return;
+}
+
+// RKSU: Use it wisely, not static.
+void disable_seccomp(struct task_struct *tsk)
+{
+	if (unlikely(!tsk))
+		return;
+
+	assert_spin_locked(&tsk->sighand->siglock);
+
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
 	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
@@ -75,229 +220,94 @@ void disable_seccomp(void)
 #endif
 
 #ifdef CONFIG_SECCOMP
-	current->seccomp.mode = 0;
-	current->seccomp.filter = NULL;
-	atomic_set(&current->seccomp.filter_count, 0);
+	tsk->seccomp.mode = 0;
+	if (tsk->seccomp.filter) {
+		// 5.9+ have filter_count, but optional.
+#ifdef KSU_OPTIONAL_SECCOMP_FILTER_CNT
+		atomic_set(&tsk->seccomp.filter_count, 0);
+#endif
+		// some old kernel backport seccomp_filter_release..
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0) &&                            \
+	defined(KSU_OPTIONAL_SECCOMP_FILTER_RELEASE)
+		seccomp_filter_release(tsk);
 #else
+		// never, ever call seccomp_filter_release on 6.10+ (no effect)
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) &&                          \
+     LINUX_VERSION_CODE < KERNEL_VERSION(6, 10, 0))
+		seccomp_filter_release(tsk);
+#else
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+		put_seccomp_filter(tsk);
+#endif
+		tsk->seccomp.filter = NULL;
+#endif
+#endif
+	}
 #endif
 }
 
 void escape_with_root_profile(void)
 {
-    struct cred *cred;
-    struct task_struct *p = current;
-    struct task_struct *t;
+	struct cred *cred;
+	// a bit useless, but we just want less ifdefs
+	struct task_struct *p = current;
 
-    cred = prepare_creds();
-    if (!cred) {
-        pr_warn("prepare_creds failed!\n");
-        return;
-    }
+	if (current_euid().val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
 
-    if (cred->euid.val == 0) {
-        pr_warn("Already root, don't escape!\n");
-#if __SULOG_GATE
-        ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root_failed");
-#endif
-        abort_creds(cred);
-        return;
-    }
+	cred = prepare_creds();
+	if (!cred) {
+		pr_warn("prepare_creds failed!\n");
+		return;
+	}
 
-    struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
 
-    cred->uid.val = profile->uid;
-    cred->suid.val = profile->uid;
-    cred->euid.val = profile->uid;
-    cred->fsuid.val = profile->uid;
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
 
-    cred->gid.val = profile->gid;
-    cred->fsgid.val = profile->gid;
-    cred->sgid.val = profile->gid;
-    cred->egid.val = profile->gid;
-    cred->securebits = 0;
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+	cred->securebits = 0;
 
-    BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
-             sizeof(kernel_cap_t));
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
 
-    // setup capabilities
-    // we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
-    // we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
-    u64 cap_for_ksud =
-        profile->capabilities.effective | CAP_DAC_READ_SEARCH;
-    memcpy(&cred->cap_effective, &cap_for_ksud,
-           sizeof(cred->cap_effective));
-    memcpy(&cred->cap_permitted, &profile->capabilities.effective,
-           sizeof(cred->cap_permitted));
-    memcpy(&cred->cap_bset, &profile->capabilities.effective,
-           sizeof(cred->cap_bset));
+	// setup capabilities
+	// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
+	// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
+	u64 cap_for_ksud =
+		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+	memcpy(&cred->cap_effective, &cap_for_ksud,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
 
-    setup_groups(profile, cred);
+	setup_groups(profile, cred);
 
-    commit_creds(cred);
+	commit_creds(cred);
 
-    // Refer to kernel/seccomp.c: seccomp_set_mode_strict
-    // When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
-    spin_lock_irq(&current->sighand->siglock);
-    disable_seccomp();
-    spin_unlock_irq(&current->sighand->siglock);
+	// Refer to kernel/seccomp.c: seccomp_set_mode_strict
+	// When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
+	spin_lock_irq(&p->sighand->siglock);
+	disable_seccomp(p);
+	spin_unlock_irq(&p->sighand->siglock);
 
-    setup_selinux(profile->selinux_domain);
-#if __SULOG_GATE
-    ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root");
-#endif
+	setup_selinux(profile->selinux_domain);
+	setup_mount_namespace(profile->namespaces);
 
-    for_each_thread (p, t) {
-        ksu_set_task_tracepoint_flag(t);
-    }
-}
-
-#ifdef CONFIG_KSU_MANUAL_SU
-
-#include "ksud.h"
-
-#ifndef DEVPTS_SUPER_MAGIC
-#define DEVPTS_SUPER_MAGIC    0x1cd1
-#endif
-
-static int __manual_su_handle_devpts(struct inode *inode)
-{
-    if (!current->mm) {
-        return 0;
-    }
-
-    uid_t uid = current_uid().val;
-    if (uid % 100000 < 10000) {
-        // not untrusted_app, ignore it
-        return 0;
-    }
-
-    if (likely(!ksu_is_allow_uid_for_current(uid)))
-        return 0;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) || defined(KSU_OPTIONAL_SELINUX_INODE)
-        struct inode_security_struct *sec = selinux_inode(inode);
-#else
-        struct inode_security_struct *sec =
-            (struct inode_security_struct *)inode->i_security;
-#endif
-    if (ksu_file_sid && sec)
-        sec->sid = ksu_file_sid;
-
-    return 0;
-}
-
-static void disable_seccomp_for_task(struct task_struct *tsk)
-{
-    assert_spin_locked(&tsk->sighand->siglock);
-#ifdef CONFIG_SECCOMP
-    if (tsk->seccomp.mode == SECCOMP_MODE_DISABLED && !tsk->seccomp.filter)
-        return;
-#endif
-    clear_tsk_thread_flag(tsk, TIF_SECCOMP);
-#ifdef CONFIG_SECCOMP
-    tsk->seccomp.mode = SECCOMP_MODE_DISABLED;
-    if (tsk->seccomp.filter) {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
-        seccomp_filter_release(tsk);
-#else
-        put_seccomp_filter(tsk);
-        tsk->seccomp.filter = NULL;
-#endif
-    }
+#ifdef KSU_SHOULD_USE_NEW_TP
+	struct task_struct *t;
+	for_each_thread (p, t) {
+		ksu_set_task_tracepoint_flag(t);
+	}
 #endif
 }
-
-void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
-{
-    struct cred *newcreds;
-    struct task_struct *target_task;
-    unsigned long flags;
-    struct task_struct *p = current;
-    struct task_struct *t;
-
-    pr_info("cmd_su: escape_to_root_for_cmd_su called for UID: %d, PID: %d\n", target_uid, target_pid);
-
-    // Find target task by PID
-    rcu_read_lock();
-    target_task = pid_task(find_vpid(target_pid), PIDTYPE_PID);
-    if (!target_task) {
-        rcu_read_unlock(); 
-        pr_err("cmd_su: target task not found for PID: %d\n", target_pid);
-#if __SULOG_GATE
-        ksu_sulog_report_su_grant(target_uid, "cmd_su", "target_not_found");
-#endif
-        return;
-    }
-    get_task_struct(target_task);
-    rcu_read_unlock();
-
-    if (task_uid(target_task).val == 0) {
-        pr_warn("cmd_su: target task is already root, PID: %d\n", target_pid);
-        put_task_struct(target_task);
-        return;
-    }
-
-    newcreds = prepare_kernel_cred(target_task);
-    if (newcreds == NULL) {
-        pr_err("cmd_su: failed to allocate new cred for PID: %d\n", target_pid);
-#if __SULOG_GATE
-        ksu_sulog_report_su_grant(target_uid, "cmd_su", "cred_alloc_failed");
-#endif
-        put_task_struct(target_task);
-        return;
-    }
-
-    struct root_profile *profile = ksu_get_root_profile(target_uid);
-
-    newcreds->uid.val = profile->uid;
-    newcreds->suid.val = profile->uid;
-    newcreds->euid.val = profile->uid;
-    newcreds->fsuid.val = profile->uid;
-
-    newcreds->gid.val = profile->gid;
-    newcreds->fsgid.val = profile->gid;
-    newcreds->sgid.val = profile->gid;
-    newcreds->egid.val = profile->gid;
-    newcreds->securebits = 0;
-
-    u64 cap_for_cmd_su = profile->capabilities.effective | CAP_DAC_READ_SEARCH | CAP_SETUID | CAP_SETGID;
-    memcpy(&newcreds->cap_effective, &cap_for_cmd_su, sizeof(newcreds->cap_effective));
-    memcpy(&newcreds->cap_permitted, &profile->capabilities.effective, sizeof(newcreds->cap_permitted));
-    memcpy(&newcreds->cap_bset, &profile->capabilities.effective, sizeof(newcreds->cap_bset));
-
-    setup_groups(profile, newcreds);
-    task_lock(target_task);
-
-    const struct cred *old_creds = get_task_cred(target_task);
-
-    rcu_assign_pointer(target_task->real_cred, newcreds);
-    rcu_assign_pointer(target_task->cred, get_cred(newcreds));
-    task_unlock(target_task);
-
-    if (target_task->sighand) {
-        spin_lock_irqsave(&target_task->sighand->siglock, flags);
-        disable_seccomp_for_task(target_task);
-        spin_unlock_irqrestore(&target_task->sighand->siglock, flags);
-    }
-
-    setup_selinux(profile->selinux_domain);
-    put_cred(old_creds);
-    wake_up_process(target_task);
-
-    if (target_task->signal->tty) {
-        struct inode *inode = target_task->signal->tty->driver_data;
-        if (inode && inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC) {
-            __manual_su_handle_devpts(inode);
-        }
-    }
-
-    put_task_struct(target_task);
-#if __SULOG_GATE
-    ksu_sulog_report_su_grant(target_uid, "cmd_su", "manual_escalation");
-#endif
-    for_each_thread (p, t) {
-        ksu_set_task_tracepoint_flag(t);
-    }
-    pr_info("cmd_su: privilege escalation completed for UID: %d, PID: %d\n", target_uid, target_pid);
-}
-#endif

kernel/app_profile.h

@@ -63,8 +63,4 @@ struct app_profile {
 // Escalate current process to root with the appropriate profile
 void escape_with_root_profile(void);
 
-void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid);
-
-void disable_seccomp(void);
-
 #endif

kernel/arch.h

@@ -18,9 +18,17 @@
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define REBOOT_SYMBOL "__arm64_sys_reboot"
 #define SYS_READ_SYMBOL "__arm64_sys_read"
 #define SYS_EXECVE_SYMBOL "__arm64_sys_execve"
+#define SYS_SETNS_SYMBOL __arm64_sys_setns
+#else
+#define REBOOT_SYMBOL "sys_reboot"
+#define SYS_READ_SYMBOL "sys_read"
+#define SYS_EXECVE_SYMBOL "sys_execve"
+#define SYS_SETNS_SYMBOL sys_setns
+#endif
 
 #elif defined(__x86_64__)
 
@@ -37,13 +45,24 @@
 #define __PT_RC_REG ax
 #define __PT_SP_REG sp
 #define __PT_IP_REG ip
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define REBOOT_SYMBOL "__x64_sys_reboot"
 #define SYS_READ_SYMBOL "__x64_sys_read"
 #define SYS_EXECVE_SYMBOL "__x64_sys_execve"
+#define SYS_SETNS_SYMBOL __x64_sys_setns
+#else
+#define REBOOT_SYMBOL "sys_reboot"
+#define SYS_READ_SYMBOL "sys_read"
+#define SYS_EXECVE_SYMBOL "sys_execve"
+#define SYS_SETNS_SYMBOL sys_setns
+#endif
 
 #else
+#ifdef KSU_SHOULD_USE_NEW_TP
 #error "Unsupported arch"
 #endif
+#endif
 
 /* allow some architecutres to override `struct pt_regs` */
 #ifndef __PT_REGS_CAST
@@ -63,6 +82,10 @@
 #define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
 #define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define PT_REAL_REGS(regs) ((struct pt_regs *)PT_REGS_PARM1(regs))
+#else
+#define PT_REAL_REGS(regs) ((regs))
+#endif
 
 #endif

kernel/dynamic_manager.c

@@ -17,6 +17,7 @@
 
 #include "dynamic_manager.h"
 #include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h"
 #include "manager.h"
 
 #define MAX_MANAGERS 2
@@ -232,23 +233,23 @@ static void do_save_dynamic_manager(struct work_struct *work)
         return;
     }
 
-    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
     if (IS_ERR(fp)) {
         pr_err("save_dynamic_manager create file failed: %ld\n", PTR_ERR(fp));
         return;
     }
 
-    if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+    if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
         pr_err("save_dynamic_manager write magic failed.\n");
         goto exit;
     }
 
-    if (kernel_write(fp, &version, sizeof(version), &off) != sizeof(version)) {
+    if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
         pr_err("save_dynamic_manager write version failed.\n");
         goto exit;
     }
 
-    if (kernel_write(fp, &config_to_save, sizeof(config_to_save), &off) != sizeof(config_to_save)) {
+    if (ksu_kernel_write_compat(fp, &config_to_save, sizeof(config_to_save), &off) != sizeof(config_to_save)) {
         pr_err("save_dynamic_manager write config failed.\n");
         goto exit;
     }
@@ -270,7 +271,7 @@ static void do_load_dynamic_manager(struct work_struct *work)
     unsigned long flags;
     int i;
 
-    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_RDONLY, 0);
+    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_MANAGER, O_RDONLY, 0);
     if (IS_ERR(fp)) {
         if (PTR_ERR(fp) == -ENOENT) {
             pr_info("No saved dynamic manager config found\n");
@@ -280,20 +281,20 @@ static void do_load_dynamic_manager(struct work_struct *work)
         return;
     }
 
-    if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+    if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
         magic != DYNAMIC_MANAGER_FILE_MAGIC) {
         pr_err("dynamic manager file invalid magic: %x!\n", magic);
         goto exit;
     }
 
-    if (kernel_read(fp, &version, sizeof(version), &off) != sizeof(version)) {
+    if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
         pr_err("dynamic manager read version failed\n");
         goto exit;
     }
 
     pr_info("dynamic manager file version: %d\n", version);
 
-    ret = kernel_read(fp, &loaded_config, sizeof(loaded_config), &off);
+    ret = ksu_kernel_read_compat(fp, &loaded_config, sizeof(loaded_config), &off);
     if (ret <= 0) {
         pr_info("load_dynamic_manager read err: %zd\n", ret);
         goto exit;
@@ -347,14 +348,14 @@ static void do_clear_dynamic_manager(struct work_struct *work)
 
     memset(zero_buffer, 0, sizeof(zero_buffer));
 
-    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
     if (IS_ERR(fp)) {
         pr_err("clear_dynamic_manager create file failed: %ld\n", PTR_ERR(fp));
         return;
     }
 
     // Write null bytes to overwrite the file content
-    if (kernel_write(fp, zero_buffer, sizeof(zero_buffer), &off) != sizeof(zero_buffer)) {
+    if (ksu_kernel_write_compat(fp, zero_buffer, sizeof(zero_buffer), &off) != sizeof(zero_buffer)) {
         pr_err("clear_dynamic_manager write null bytes failed.\n");
     } else {
         pr_info("Dynamic sign config file cleared successfully\n");

kernel/feature.c

@@ -9,165 +9,168 @@ static DEFINE_MUTEX(feature_mutex);
 
 int ksu_register_feature_handler(const struct ksu_feature_handler *handler)
 {
-    if (!handler) {
-        pr_err("feature: register handler is NULL\n");
-        return -EINVAL;
-    }
+	if (!handler) {
+		pr_err("feature: register handler is NULL\n");
+		return -EINVAL;
+	}
 
-    if (handler->feature_id >= KSU_FEATURE_MAX) {
-        pr_err("feature: invalid feature_id %u\n", handler->feature_id);
-        return -EINVAL;
-    }
+	if (handler->feature_id >= KSU_FEATURE_MAX) {
+		pr_err("feature: invalid feature_id %u\n", handler->feature_id);
+		return -EINVAL;
+	}
 
-    if (!handler->get_handler && !handler->set_handler) {
-        pr_err("feature: no handler provided for feature %u\n", handler->feature_id);
-        return -EINVAL;
-    }
+	if (!handler->get_handler && !handler->set_handler) {
+		pr_err("feature: no handler provided for feature %u\n",
+		       handler->feature_id);
+		return -EINVAL;
+	}
 
-    mutex_lock(&feature_mutex);
+	mutex_lock(&feature_mutex);
 
-    if (feature_handlers[handler->feature_id]) {
-        pr_warn("feature: handler for %u already registered, overwriting\n",
-                handler->feature_id);
-    }
+	if (feature_handlers[handler->feature_id]) {
+		pr_warn("feature: handler for %u already registered, overwriting\n",
+			handler->feature_id);
+	}
 
-    feature_handlers[handler->feature_id] = handler;
+	feature_handlers[handler->feature_id] = handler;
 
-    pr_info("feature: registered handler for %s (id=%u)\n",
-            handler->name ? handler->name : "unknown", handler->feature_id);
+	pr_info("feature: registered handler for %s (id=%u)\n",
+		handler->name ? handler->name : "unknown", handler->feature_id);
 
-    mutex_unlock(&feature_mutex);
-    return 0;
+	mutex_unlock(&feature_mutex);
+	return 0;
 }
 
 int ksu_unregister_feature_handler(u32 feature_id)
 {
-    int ret = 0;
+	int ret = 0;
 
-    if (feature_id >= KSU_FEATURE_MAX) {
-        pr_err("feature: invalid feature_id %u\n", feature_id);
-        return -EINVAL;
-    }
+	if (feature_id >= KSU_FEATURE_MAX) {
+		pr_err("feature: invalid feature_id %u\n", feature_id);
+		return -EINVAL;
+	}
 
-    mutex_lock(&feature_mutex);
+	mutex_lock(&feature_mutex);
 
-    if (!feature_handlers[feature_id]) {
-        pr_warn("feature: no handler registered for %u\n", feature_id);
-        ret = -ENOENT;
-        goto out;
-    }
+	if (!feature_handlers[feature_id]) {
+		pr_warn("feature: no handler registered for %u\n", feature_id);
+		ret = -ENOENT;
+		goto out;
+	}
 
-    feature_handlers[feature_id] = NULL;
+	feature_handlers[feature_id] = NULL;
 
-    pr_info("feature: unregistered handler for id=%u\n", feature_id);
+	pr_info("feature: unregistered handler for id=%u\n", feature_id);
 
 out:
-    mutex_unlock(&feature_mutex);
-    return ret;
+	mutex_unlock(&feature_mutex);
+	return ret;
 }
 
 int ksu_get_feature(u32 feature_id, u64 *value, bool *supported)
 {
-    int ret = 0;
-    const struct ksu_feature_handler *handler;
+	int ret = 0;
+	const struct ksu_feature_handler *handler;
 
-    if (feature_id >= KSU_FEATURE_MAX) {
-        pr_err("feature: invalid feature_id %u\n", feature_id);
-        return -EINVAL;
-    }
+	if (feature_id >= KSU_FEATURE_MAX) {
+		pr_err("feature: invalid feature_id %u\n", feature_id);
+		return -EINVAL;
+	}
 
-    if (!value || !supported) {
-        pr_err("feature: invalid parameters\n");
-        return -EINVAL;
-    }
+	if (!value || !supported) {
+		pr_err("feature: invalid parameters\n");
+		return -EINVAL;
+	}
 
-    mutex_lock(&feature_mutex);
+	mutex_lock(&feature_mutex);
 
-    handler = feature_handlers[feature_id];
+	handler = feature_handlers[feature_id];
 
-    if (!handler) {
-        *supported = false;
-        *value = 0;
-        pr_debug("feature: feature %u not supported\n", feature_id);
-        goto out;
-    }
+	if (!handler) {
+		*supported = false;
+		*value = 0;
+		pr_debug("feature: feature %u not supported\n", feature_id);
+		goto out;
+	}
 
-    *supported = true;
+	*supported = true;
 
-    if (!handler->get_handler) {
-        pr_warn("feature: no get_handler for feature %u\n", feature_id);
-        ret = -EOPNOTSUPP;
-        goto out;
-    }
+	if (!handler->get_handler) {
+		pr_warn("feature: no get_handler for feature %u\n", feature_id);
+		ret = -EOPNOTSUPP;
+		goto out;
+	}
 
-    ret = handler->get_handler(value);
-    if (ret) {
-        pr_err("feature: get_handler for %u failed: %d\n", feature_id, ret);
-    }
+	ret = handler->get_handler(value);
+	if (ret) {
+		pr_err("feature: get_handler for %u failed: %d\n", feature_id,
+		       ret);
+	}
 
 out:
-    mutex_unlock(&feature_mutex);
-    return ret;
+	mutex_unlock(&feature_mutex);
+	return ret;
 }
 
 int ksu_set_feature(u32 feature_id, u64 value)
 {
-    int ret = 0;
-    const struct ksu_feature_handler *handler;
+	int ret = 0;
+	const struct ksu_feature_handler *handler;
 
-    if (feature_id >= KSU_FEATURE_MAX) {
-        pr_err("feature: invalid feature_id %u\n", feature_id);
-        return -EINVAL;
-    }
+	if (feature_id >= KSU_FEATURE_MAX) {
+		pr_err("feature: invalid feature_id %u\n", feature_id);
+		return -EINVAL;
+	}
 
-    mutex_lock(&feature_mutex);
+	mutex_lock(&feature_mutex);
 
-    handler = feature_handlers[feature_id];
+	handler = feature_handlers[feature_id];
 
-    if (!handler) {
-        pr_err("feature: feature %u not registered\n", feature_id);
-        ret = -EOPNOTSUPP;
-        goto out;
-    }
+	if (!handler) {
+		pr_err("feature: feature %u not registered\n", feature_id);
+		ret = -EOPNOTSUPP;
+		goto out;
+	}
 
-    if (!handler->set_handler) {
-        pr_warn("feature: no set_handler for feature %u\n", feature_id);
-        ret = -EOPNOTSUPP;
-        goto out;
-    }
+	if (!handler->set_handler) {
+		pr_warn("feature: no set_handler for feature %u\n", feature_id);
+		ret = -EOPNOTSUPP;
+		goto out;
+	}
 
-    ret = handler->set_handler(value);
-    if (ret) {
-        pr_err("feature: set_handler for %u failed: %d\n", feature_id, ret);
-    }
+	ret = handler->set_handler(value);
+	if (ret) {
+		pr_err("feature: set_handler for %u failed: %d\n", feature_id,
+		       ret);
+	}
 
 out:
-    mutex_unlock(&feature_mutex);
-    return ret;
+	mutex_unlock(&feature_mutex);
+	return ret;
 }
 
 void ksu_feature_init(void)
 {
-    int i;
+	int i;
 
-    for (i = 0; i < KSU_FEATURE_MAX; i++) {
-        feature_handlers[i] = NULL;
-    }
+	for (i = 0; i < KSU_FEATURE_MAX; i++) {
+		feature_handlers[i] = NULL;
+	}
 
-    pr_info("feature: feature management initialized\n");
+	pr_info("feature: feature management initialized\n");
 }
 
 void ksu_feature_exit(void)
 {
-    int i;
+	int i;
 
-    mutex_lock(&feature_mutex);
+	mutex_lock(&feature_mutex);
 
-    for (i = 0; i < KSU_FEATURE_MAX; i++) {
-        feature_handlers[i] = NULL;
-    }
+	for (i = 0; i < KSU_FEATURE_MAX; i++) {
+		feature_handlers[i] = NULL;
+	}
 
-    mutex_unlock(&feature_mutex);
+	mutex_unlock(&feature_mutex);
 
-    pr_info("feature: feature management cleaned up\n");
+	pr_info("feature: feature management cleaned up\n");
 }

kernel/feature.h

@@ -4,22 +4,21 @@
 #include <linux/types.h>
 
 enum ksu_feature_id {
-    KSU_FEATURE_SU_COMPAT = 0,
-    KSU_FEATURE_KERNEL_UMOUNT = 1,
-    KSU_FEATURE_ENHANCED_SECURITY = 2,
-    KSU_FEATURE_SULOG = 3,
+	KSU_FEATURE_SU_COMPAT = 0,
+	KSU_FEATURE_KERNEL_UMOUNT = 1,
+	KSU_FEATURE_ENHANCED_SECURITY = 2,
 
-    KSU_FEATURE_MAX
+	KSU_FEATURE_MAX
 };
 
 typedef int (*ksu_feature_get_t)(u64 *value);
 typedef int (*ksu_feature_set_t)(u64 value);
 
 struct ksu_feature_handler {
-    u32 feature_id;
-    const char *name;
-    ksu_feature_get_t get_handler;
-    ksu_feature_set_t set_handler;
+	u32 feature_id;
+	const char *name;
+	ksu_feature_get_t get_handler;
+	ksu_feature_set_t set_handler;
 };
 
 int ksu_register_feature_handler(const struct ksu_feature_handler *handler);

kernel/file_wrapper.c

@@ -1,5 +1,6 @@
 #include <linux/export.h>
 #include <linux/anon_inodes.h>
+#include <linux/aio.h> // kernel 3.18
 #include <linux/capability.h>
 #include <linux/cred.h>
 #include <linux/err.h>
@@ -33,6 +34,7 @@ static ssize_t ksu_wrapper_write(struct file *fp, const char __user *ptr, size_t
 	return orig->f_op->write(orig, ptr, sz, off);
 }
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 16, 0)
 static ssize_t ksu_wrapper_read_iter(struct kiocb *iocb, struct iov_iter *iovi) {
 	struct ksu_file_wrapper* data = iocb->ki_filp->private_data;
 	struct file* orig = data->orig;
@@ -46,6 +48,7 @@ static ssize_t ksu_wrapper_write_iter(struct kiocb *iocb, struct iov_iter *iovi)
 	iocb->ki_filp = orig;
 	return orig->f_op->write_iter(iocb, iovi);
 }
+#endif
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
 static int ksu_wrapper_iopoll(struct kiocb *kiocb, struct io_comp_batch* icb, unsigned int v) {
@@ -54,7 +57,7 @@ static int ksu_wrapper_iopoll(struct kiocb *kiocb, struct io_comp_batch* icb, un
 	kiocb->ki_filp = orig;
 	return orig->f_op->iopoll(kiocb, icb, v);
 }
-#else
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 static int ksu_wrapper_iopoll(struct kiocb *kiocb, bool spin) {
 	struct ksu_file_wrapper* data = kiocb->ki_filp->private_data;
 	struct file* orig = data->orig;
@@ -63,21 +66,33 @@ static int ksu_wrapper_iopoll(struct kiocb *kiocb, bool spin) {
 }
 #endif
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) && (LINUX_VERSION_CODE > KERNEL_VERSION(3, 11, 0) || defined(KSU_HAS_ITERATE_DIR))
 static int ksu_wrapper_iterate (struct file *fp, struct dir_context *dc) {
 	struct ksu_file_wrapper* data = fp->private_data;
 	struct file* orig = data->orig;
 	return orig->f_op->iterate(orig, dc);
 }
+#endif 
+
+// int (*readdir) (struct file *, void *, filldir_t);
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0) && !defined(KSU_HAS_ITERATE_DIR)
+static int ksu_wrapper_readdir(struct file *fp, void *ptr, filldir_t filler) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->readdir(orig, ptr, filler);
+}
 #endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0)
 static int ksu_wrapper_iterate_shared(struct file *fp, struct dir_context *dc) {
 	struct ksu_file_wrapper* data = fp->private_data;
 	struct file* orig = data->orig;
 	return orig->f_op->iterate_shared(orig, dc);
 }
+#endif
 
-static __poll_t ksu_wrapper_poll(struct file *fp, struct poll_table_struct *pts) {
+// typedef unsigned __bitwise __poll_t;
+static unsigned __bitwise ksu_wrapper_poll(struct file *fp, struct poll_table_struct *pts) {
 	struct ksu_file_wrapper* data = fp->private_data;
 	struct file* orig = data->orig;
 	return orig->f_op->poll(orig, pts);
@@ -213,7 +228,7 @@ static int ksu_wrapper_setlease(struct file *fp, int arg1, struct file_lock **fl
 	}
 	return -EINVAL;
 }
-#else
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 18, 0) // int (*setlease)(struct file *, long, struct file_lock **, void **);
 static int ksu_wrapper_setlease(struct file *fp, long arg1, struct file_lock **fl, void **p) {
 	struct ksu_file_wrapper* data = fp->private_data;
 	struct file* orig = data->orig;
@@ -222,6 +237,15 @@ static int ksu_wrapper_setlease(struct file *fp, long arg1, struct file_lock **f
 	}
 	return -EINVAL;
 }
+#else // int (*setlease)(struct file *, long, struct file_lock **);
+static int ksu_wrapper_setlease(struct file *fp, long arg1, struct file_lock **fl) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->setlease) {
+		return orig->f_op->setlease(orig, arg1, fl);
+	}
+	return -EINVAL;
+}
 #endif
 
 static long ksu_wrapper_fallocate(struct file *fp, int mode, loff_t offset, loff_t len) {
@@ -233,6 +257,7 @@ static long ksu_wrapper_fallocate(struct file *fp, int mode, loff_t offset, loff
 	return -EINVAL;
 }
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
 static void ksu_wrapper_show_fdinfo(struct seq_file *m, struct file *f) {
 	struct ksu_file_wrapper* data = f->private_data;
 	struct file* orig = data->orig;
@@ -240,30 +265,49 @@ static void ksu_wrapper_show_fdinfo(struct seq_file *m, struct file *f) {
 		orig->f_op->show_fdinfo(m, orig);
 	}
 }
-
-static ssize_t ksu_wrapper_copy_file_range(struct file *f1, loff_t off1, struct file *f2,
-		loff_t off2, size_t sz, unsigned int flags) {
-	// TODO: determine which file to use
-	struct ksu_file_wrapper* data = f1->private_data;
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)
+static int ksu_wrapper_show_fdinfo(struct seq_file *m, struct file *f) {
+	struct ksu_file_wrapper* data = f->private_data;
 	struct file* orig = data->orig;
-	if (orig->f_op->copy_file_range) {
-		return orig->f_op->copy_file_range(orig, off1, f2, off2, sz, flags);
+	if (orig->f_op->show_fdinfo) {
+		orig->f_op->show_fdinfo(m, orig);
 	}
 	return -EINVAL;
 }
+#endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0)
+// https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/fs/read_write.c;l=1593-1606;drc=398da7defe218d3e51b0f3bdff75147e28125b60
+static ssize_t ksu_wrapper_copy_file_range(struct file *file_in, loff_t pos_in, struct file *file_out,
+		loff_t pos_out, size_t len, unsigned int flags) {
+	struct ksu_file_wrapper* data = file_out->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->copy_file_range(file_in, pos_in, orig, pos_out, len, flags);
+}
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)
+// no REMAP_FILE_DEDUP: use file_in
+// https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/fs/read_write.c;l=1598-1599;drc=398da7defe218d3e51b0f3bdff75147e28125b60
+// https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/fs/remap_range.c;l=403-404;drc=398da7defe218d3e51b0f3bdff75147e28125b60
+// REMAP_FILE_DEDUP: use file_out
+// https://cs.android.com/android/kernel/superproject/+/common-android-mainline:common/fs/remap_range.c;l=483-484;drc=398da7defe218d3e51b0f3bdff75147e28125b60
 static loff_t ksu_wrapper_remap_file_range(struct file *file_in, loff_t pos_in,
 				struct file *file_out, loff_t pos_out,
 				loff_t len, unsigned int remap_flags) {
-	// TODO: determine which file to use
-	struct ksu_file_wrapper* data = file_in->private_data;
-	struct file* orig = data->orig;
-	if (orig->f_op->remap_file_range) {
+	if (remap_flags & REMAP_FILE_DEDUP) {
+		struct ksu_file_wrapper* data = file_out->private_data;
+		struct file* orig = data->orig;
+		return orig->f_op->remap_file_range(file_in, pos_in, orig, pos_out, len, remap_flags);
+	} else {
+		struct ksu_file_wrapper* data = file_in->private_data;
+		struct file* orig = data->orig;
 		return orig->f_op->remap_file_range(orig, pos_in, file_out, pos_out, len, remap_flags);
 	}
-	return -EINVAL;
 }
+#endif
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
 static int ksu_wrapper_fadvise(struct file *fp, loff_t off1, loff_t off2, int flags) {
 	struct ksu_file_wrapper* data = fp->private_data;
 	struct file* orig = data->orig;
@@ -272,6 +316,7 @@ static int ksu_wrapper_fadvise(struct file *fp, loff_t off1, loff_t off2, int fl
 	}
 	return -EINVAL;
 }
+#endif
 
 static int ksu_wrapper_release(struct inode *inode, struct file *filp) {
 	ksu_delete_file_wrapper(filp->private_data);
@@ -291,20 +336,29 @@ struct ksu_file_wrapper* ksu_create_file_wrapper(struct file* fp) {
 	p->ops.llseek = fp->f_op->llseek ? ksu_wrapper_llseek : NULL;
 	p->ops.read = fp->f_op->read ? ksu_wrapper_read : NULL;
 	p->ops.write = fp->f_op->write ? ksu_wrapper_write : NULL;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 16, 0)
 	p->ops.read_iter = fp->f_op->read_iter ? ksu_wrapper_read_iter : NULL;
 	p->ops.write_iter = fp->f_op->write_iter ? ksu_wrapper_write_iter : NULL;
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
 	p->ops.iopoll = fp->f_op->iopoll ? ksu_wrapper_iopoll : NULL;
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0) && (LINUX_VERSION_CODE > KERNEL_VERSION(3, 11, 0) || defined(KSU_HAS_ITERATE_DIR))
 	p->ops.iterate = fp->f_op->iterate ? ksu_wrapper_iterate : NULL;
 #endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 11, 0) && !defined(KSU_HAS_ITERATE_DIR)
+	p->ops.readdir = fp->f_op->readdir ? ksu_wrapper_readdir : NULL;
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0)
 	p->ops.iterate_shared = fp->f_op->iterate_shared ? ksu_wrapper_iterate_shared : NULL;
+#endif
 	p->ops.poll = fp->f_op->poll ? ksu_wrapper_poll : NULL;
 	p->ops.unlocked_ioctl = fp->f_op->unlocked_ioctl ? ksu_wrapper_unlocked_ioctl : NULL;
 	p->ops.compat_ioctl = fp->f_op->compat_ioctl ? ksu_wrapper_compat_ioctl : NULL;
 	p->ops.mmap = fp->f_op->mmap ? ksu_wrapper_mmap : NULL;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0)
 	p->ops.fop_flags = fp->f_op->fop_flags;
-#else
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)
 	p->ops.mmap_supported_flags = fp->f_op->mmap_supported_flags;
 #endif
 	p->ops.open = fp->f_op->open ? ksu_wrapper_open : NULL;
@@ -323,11 +377,18 @@ struct ksu_file_wrapper* ksu_create_file_wrapper(struct file* fp) {
 	p->ops.splice_read = fp->f_op->splice_read ? ksu_wrapper_splice_read : NULL;
 	p->ops.setlease = fp->f_op->setlease ? ksu_wrapper_setlease : NULL;
 	p->ops.fallocate = fp->f_op->fallocate ? ksu_wrapper_fallocate : NULL;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)
 	p->ops.show_fdinfo = fp->f_op->show_fdinfo ? ksu_wrapper_show_fdinfo : NULL;
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 7, 0)
 	p->ops.copy_file_range = fp->f_op->copy_file_range ? ksu_wrapper_copy_file_range : NULL;
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)
 	p->ops.remap_file_range = fp->f_op->remap_file_range ? ksu_wrapper_remap_file_range : NULL;
+#endif
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
 	p->ops.fadvise = fp->f_op->fadvise ? ksu_wrapper_fadvise : NULL;
-
+#endif
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
 	p->ops.splice_eof = fp->f_op->splice_eof ? ksu_wrapper_splice_eof : NULL;
 #endif

kernel/file_wrapper.h

@@ -5,10 +5,11 @@
 #include <linux/fs.h>
 
 struct ksu_file_wrapper {
-	struct file* orig;
+	struct file *orig;
 	struct file_operations ops;
 };
 
-struct ksu_file_wrapper* ksu_create_file_wrapper(struct file* fp);
-void ksu_delete_file_wrapper(struct ksu_file_wrapper* data);
-#endif // KSU_FILE_WRAPPER_H
+struct ksu_file_wrapper *ksu_create_file_wrapper(struct file *fp);
+void ksu_delete_file_wrapper(struct ksu_file_wrapper *data);
+
+#endif // KSU_FILE_WRAPPER_H

kernel/kernel_compat.c

@@ -0,0 +1,149 @@
+#include <linux/version.h>
+#include <linux/fs.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include <linux/sched/task.h>
+#else
+#include <linux/sched.h>
+#endif
+#include <linux/uaccess.h>
+#include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h"
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||                           \
+	defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
+#include <linux/key.h>
+#include <linux/errno.h>
+#include <linux/cred.h>
+#include <linux/lsm_hooks.h>
+
+extern int install_session_keyring_to_cred(struct cred *, struct key *);
+struct key *init_session_keyring = NULL;
+
+static int install_session_keyring(struct key *keyring)
+{
+	struct cred *new;
+	int ret;
+
+	new = prepare_creds();
+	if (!new)
+		return -ENOMEM;
+
+	ret = install_session_keyring_to_cred(new, keyring);
+	if (ret < 0) {
+		abort_creds(new);
+		return ret;
+	}
+
+	return commit_creds(new);
+}
+#endif
+
+struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
+{
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||                           \
+	defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
+	if (init_session_keyring != NULL && !current_cred()->session_keyring &&
+	    (current->flags & PF_WQ_WORKER)) {
+		pr_info("installing init session keyring for older kernel\n");
+		install_session_keyring(init_session_keyring);
+	}
+#endif
+	return filp_open(filename, flags, mode);
+}
+
+ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+			       loff_t *pos)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0) ||                          \
+	defined(KSU_OPTIONAL_KERNEL_READ)
+	return kernel_read(p, buf, count, pos);
+#else
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_read(p, offset, (char *)buf, count);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}
+
+ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
+				loff_t *pos)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0) ||                          \
+	defined(KSU_OPTIONAL_KERNEL_WRITE)
+	return kernel_write(p, buf, count, pos);
+#else
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_write(p, buf, count, offset);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0) ||                           \
+	defined(KSU_OPTIONAL_STRNCPY)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_user_nofault(dst, unsafe_addr, count);
+}
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_unsafe_user(dst, unsafe_addr, count);
+}
+#else
+// Copied from: https://elixir.bootlin.com/linux/v4.9.337/source/mm/maccess.c#L201
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	mm_segment_t old_fs = get_fs();
+	long ret;
+
+	if (unlikely(count <= 0))
+		return 0;
+
+	set_fs(USER_DS);
+	pagefault_disable();
+	ret = strncpy_from_user(dst, unsafe_addr, count);
+	pagefault_enable();
+	set_fs(old_fs);
+
+	if (ret >= count) {
+		ret = count;
+		dst[ret - 1] = '\0';
+	} else if (ret > 0) {
+		ret++;
+	}
+
+	return ret;
+}
+#endif
+
+long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+    return copy_from_user_nofault(dst, src, size);
+#else
+    // https://elixir.bootlin.com/linux/v5.8/source/mm/maccess.c#L205
+    long ret = -EFAULT;
+    mm_segment_t old_fs = get_fs();
+
+    set_fs(USER_DS);
+    // tweaked to use ksu_access_ok
+    if (ksu_access_ok(src, size)) {
+        pagefault_disable();
+        ret = __copy_from_user_inatomic(dst, src, size);
+        pagefault_enable();
+    }
+    set_fs(old_fs);
+
+    if (ret)
+        return -EFAULT;
+    return 0;
+#endif
+}

kernel/kernel_compat.h

@@ -3,7 +3,43 @@
 
 #include <linux/fs.h>
 #include <linux/version.h>
+#include <linux/task_work.h>
+#include <linux/fdtable.h>
+#include "ss/policydb.h"
+#include "linux/key.h"
 
+/*
+ * Adapt to Huawei HISI kernel without affecting other kernels ,
+ * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
+ * From ss/ebitmap.h
+ */
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)) &&                         \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) ||             \
+	(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)) &&                    \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
+#ifdef HISI_SELINUX_EBITMAP_RO
+#define CONFIG_IS_HW_HISI
+#endif
+#endif
+
+// Checks for UH, KDP and RKP
+#ifdef SAMSUNG_UH_DRIVER_EXIST
+#if defined(CONFIG_UH) || defined(CONFIG_KDP) || defined(CONFIG_RKP)
+#error "CONFIG_UH, CONFIG_KDP and CONFIG_RKP is enabled! Please disable or remove it before compile a kernel with KernelSU!"
+#endif
+#endif
+
+extern long ksu_strncpy_from_user_nofault(char *dst,
+					  const void __user *unsafe_addr,
+					  long count);
+
+extern struct file *ksu_filp_open_compat(const char *filename, int flags,
+					 umode_t mode);
+extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+				      loff_t *pos);
+extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
+				       size_t count, loff_t *pos);
+extern long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size);
 /*
  * ksu_copy_from_user_retry
  * try nofault copy first, if it fails, try with plain
@@ -11,14 +47,44 @@
  * 0 = success
  */
 static long ksu_copy_from_user_retry(void *to, 
-        const void __user *from, unsigned long count)
+		const void __user *from, unsigned long count)
 {
-    long ret = copy_from_user_nofault(to, from, count);
-    if (likely(!ret))
-        return ret;
+	long ret = ksu_copy_from_user_nofault(to, from, count);
+	if (likely(!ret))
+		return ret;
 
-    // we faulted! fallback to slow path
-    return copy_from_user(to, from, count);
+	// we faulted! fallback to slow path
+	return copy_from_user(to, from, count);
+}
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||                           \
+	defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
+extern struct key *init_session_keyring;
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
+#define ksu_access_ok(addr, size) access_ok(addr, size)
+#else
+#define ksu_access_ok(addr, size) access_ok(VERIFY_READ, addr, size)
+#endif
+
+// Linux >= 5.7
+// task_work_add (struct, struct, enum)
+// Linux pre-5.7
+// task_work_add (struct, struct, bool)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 7, 0)
+#ifndef TWA_RESUME
+#define TWA_RESUME	true
+#endif
+#endif
+
+static inline int do_close_fd(unsigned int fd)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	return close_fd(fd);
+#else
+	return __close_fd(current->files, fd);
+#endif
 }
 
 #endif

kernel/kernel_umount.c

@@ -9,173 +9,198 @@
 #include <linux/path.h>
 #include <linux/printk.h>
 #include <linux/types.h>
+#ifndef KSU_HAS_PATH_UMOUNT
+#include <linux/syscalls.h>
+#endif
 
 #include "kernel_umount.h"
 #include "klog.h" // IWYU pragma: keep
 #include "allowlist.h"
+#include "kernel_compat.h"
 #include "selinux/selinux.h"
 #include "feature.h"
 #include "ksud.h"
 
-#include "umount_manager.h"
-#include "sulog.h"
-
 static bool ksu_kernel_umount_enabled = true;
 
 static int kernel_umount_feature_get(u64 *value)
 {
-    *value = ksu_kernel_umount_enabled ? 1 : 0;
-    return 0;
+	*value = ksu_kernel_umount_enabled ? 1 : 0;
+	return 0;
 }
 
 static int kernel_umount_feature_set(u64 value)
 {
-    bool enable = value != 0;
-    ksu_kernel_umount_enabled = enable;
-    pr_info("kernel_umount: set to %d\n", enable);
-    return 0;
+	bool enable = value != 0;
+	ksu_kernel_umount_enabled = enable;
+	pr_info("kernel_umount: set to %d\n", enable);
+	return 0;
 }
 
 static const struct ksu_feature_handler kernel_umount_handler = {
-    .feature_id = KSU_FEATURE_KERNEL_UMOUNT,
-    .name = "kernel_umount",
-    .get_handler = kernel_umount_feature_get,
-    .set_handler = kernel_umount_feature_set,
+	.feature_id = KSU_FEATURE_KERNEL_UMOUNT,
+	.name = "kernel_umount",
+	.get_handler = kernel_umount_feature_get,
+	.set_handler = kernel_umount_feature_set,
 };
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) ||                           \
+	defined(KSU_HAS_PATH_UMOUNT)
 extern int path_umount(struct path *path, int flags);
-
-static void ksu_umount_mnt(struct path *path, int flags)
+static void ksu_umount_mnt(const char *__never_use_mnt, struct path *path,
+			   int flags)
 {
-    int err = path_umount(path, flags);
-    if (err) {
-        pr_info("umount %s failed: %d\n", path->dentry->d_iname, err);
-    }
+	int err = path_umount(path, flags);
+	if (err) {
+		pr_info("umount %s failed: %d\n", path->dentry->d_iname, err);
+	}
+}
+#else
+static void ksu_sys_umount(const char *mnt, int flags)
+{
+	char __user *usermnt = (char __user *)mnt;
+	mm_segment_t old_fs;
+
+	old_fs = get_fs();
+	set_fs(KERNEL_DS);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
+	ksys_umount(usermnt, flags);
+#else
+	sys_umount(usermnt, flags); // cuz asmlinkage long sys##name
+#endif
+	set_fs(old_fs);
 }
 
-void try_umount(const char *mnt, int flags)
+#define ksu_umount_mnt(mnt, __unused, flags)                                   \
+	({                                                                     \
+		path_put(__unused);                                            \
+		ksu_sys_umount(mnt, flags);                                    \
+	})
+
+#endif
+
+static void try_umount(const char *mnt, int flags)
 {
-    struct path path;
-    int err = kern_path(mnt, 0, &path);
-    if (err) {
-        return;
-    }
+	struct path path;
+	int err = kern_path(mnt, 0, &path);
+	if (err) {
+		return;
+	}
 
-    if (path.dentry != path.mnt->mnt_root) {
-        // it is not root mountpoint, maybe umounted by others already.
-        path_put(&path);
-        return;
-    }
+	if (path.dentry != path.mnt->mnt_root) {
+		// it is not root mountpoint, maybe umounted by others already.
+		path_put(&path);
+		return;
+	}
 
-    ksu_umount_mnt(&path, flags);
+	ksu_umount_mnt(mnt, &path, flags);
 }
 
+static inline void do_umount_work(void)
+{
+	struct mount_entry *entry;
+	list_for_each_entry (entry, &mount_list, list) {
+		pr_info("%s: unmounting: %s flags 0x%x\n", __func__,
+			entry->umountable, entry->flags);
+		try_umount(entry->umountable, entry->flags);
+	}
+}
+
+#ifdef KSU_SHOULD_USE_NEW_TP
 struct umount_tw {
-    struct callback_head cb;
-    const struct cred *old_cred;
+	struct callback_head cb;
+	const struct cred *old_cred;
 };
 
 static void umount_tw_func(struct callback_head *cb)
 {
-    struct umount_tw *tw = container_of(cb, struct umount_tw, cb);
-    const struct cred *saved = NULL;
-    if (tw->old_cred) {
-        saved = override_creds(tw->old_cred);
-    }
+	struct umount_tw *tw = container_of(cb, struct umount_tw, cb);
+	const struct cred *saved = NULL;
+	if (tw->old_cred) {
+		saved = override_creds(tw->old_cred);
+	}
 
-    struct mount_entry *entry;
-    down_read(&mount_list_lock);
-    list_for_each_entry(entry, &mount_list, list) {
-        pr_info("%s: unmounting: %s flags 0x%x\n", __func__, entry->umountable, entry->flags);
-        try_umount(entry->umountable, entry->flags);
-    }
-    up_read(&mount_list_lock);
+	down_read(&mount_list_lock);
+	do_umount_work();
+	up_read(&mount_list_lock);
 
-    ksu_umount_manager_execute_all(tw->old_cred);
+	if (saved)
+		revert_creds(saved);
 
-    if (saved)
-        revert_creds(saved);
+	if (tw->old_cred)
+		put_cred(tw->old_cred);
 
-    if (tw->old_cred)
-        put_cred(tw->old_cred);
-
-    kfree(tw);
+	kfree(tw);
 }
+#endif
 
 int ksu_handle_umount(uid_t old_uid, uid_t new_uid)
 {
-    struct umount_tw *tw;
+	// this hook is used for umounting overlayfs for some uid, if there isn't any module mounted, just ignore it!
+	if (!ksu_module_mounted) {
+		return 0;
+	}
 
-    // if there isn't any module mounted, just ignore it!
-    if (!ksu_module_mounted) {
-        return 0;
-    }
+	if (!ksu_kernel_umount_enabled) {
+		return 0;
+	}
 
-    if (!ksu_kernel_umount_enabled) {
-        return 0;
-    }
+	// FIXME: isolated process which directly forks from zygote is not handled
+	if (!is_appuid(new_uid)) {
+		return 0;
+	}
 
-    // There are 5 scenarios:
-    // 1. Normal app: zygote -> appuid
-    // 2. Isolated process forked from zygote: zygote -> isolated_process
-    // 3. App zygote forked from zygote: zygote -> appuid
-    // 4. Isolated process froked from app zygote: appuid -> isolated_process (already handled by 3)
-    // 5. Isolated process froked from webview zygote (no need to handle, app cannot run custom code)
-    if (!is_appuid(new_uid) && !is_isolated_process(new_uid)) {
-        return 0;
-    }
+	if (!ksu_uid_should_umount(new_uid)) {
+		return 0;
+	}
 
-    if (!ksu_uid_should_umount(new_uid) && !is_isolated_process(new_uid)) {
-        return 0;
-    }
+	// check old process's selinux context, if it is not zygote, ignore it!
+	// because some su apps may setuid to untrusted_app but they are in global mount namespace
+	// when we umount for such process, that is a disaster!
+	bool is_zygote_child = is_zygote(get_current_cred());
+	if (!is_zygote_child) {
+		pr_info("handle umount ignore non zygote child: %d\n",
+			current->pid);
+		return 0;
+	}
+	// umount the target mnt
+	pr_info("handle umount for uid: %d, pid: %d\n", new_uid, current->pid);
 
-    // check old process's selinux context, if it is not zygote, ignore it!
-    // because some su apps may setuid to untrusted_app but they are in global mount namespace
-    // when we umount for such process, that is a disaster!
-    // also handle case 4 and 5
-    bool is_zygote_child = is_zygote(get_current_cred());
-    if (!is_zygote_child) {
-        pr_info("handle umount ignore non zygote child: %d\n", current->pid);
-        return 0;
-    }
-#if __SULOG_GATE
-    ksu_sulog_report_syscall(new_uid, NULL, "setuid", NULL);
+#ifdef KSU_SHOULD_USE_NEW_TP
+	struct umount_tw *tw;
+	tw = kzalloc(sizeof(*tw), GFP_ATOMIC);
+	if (!tw)
+		return 0;
+
+	tw->old_cred = get_current_cred();
+	tw->cb.func = umount_tw_func;
+
+	int err = task_work_add(current, &tw->cb, TWA_RESUME);
+	if (err) {
+		if (tw->old_cred) {
+			put_cred(tw->old_cred);
+		}
+		kfree(tw);
+		pr_warn("unmount add task_work failed\n");
+	}
+#else
+	// Using task work for non-kp context is expansive?
+	down_read(&mount_list_lock);
+	do_umount_work();
+	up_read(&mount_list_lock);
 #endif
-    // umount the target mnt
-    pr_info("handle umount for uid: %d, pid: %d\n", new_uid, current->pid);
 
-    tw = kzalloc(sizeof(*tw), GFP_ATOMIC);
-    if (!tw)
-        return 0;
-
-    tw->old_cred = get_current_cred();
-    tw->cb.func = umount_tw_func;
-
-    int err = task_work_add(current, &tw->cb, TWA_RESUME);
-    if (err) {
-        if (tw->old_cred) {
-            put_cred(tw->old_cred);
-        }
-        kfree(tw);
-        pr_warn("unmount add task_work failed\n");
-    }
-
-    return 0;
+	return 0;
 }
 
 void ksu_kernel_umount_init(void)
 {
-    int rc = 0;
-    rc = ksu_umount_manager_init();
-    if (rc) {
-        pr_err("Failed to initialize umount manager: %d\n", rc);
-    }
-    if (ksu_register_feature_handler(&kernel_umount_handler)) {
-        pr_err("Failed to register kernel_umount feature handler\n");
-    }
+	if (ksu_register_feature_handler(&kernel_umount_handler)) {
+		pr_err("Failed to register kernel_umount feature handler\n");
+	}
 }
 
 void ksu_kernel_umount_exit(void)
 {
-    ksu_unregister_feature_handler(KSU_FEATURE_KERNEL_UMOUNT);
-}
+	ksu_unregister_feature_handler(KSU_FEATURE_KERNEL_UMOUNT);
+}

kernel/kernel_umount.h

@@ -8,16 +8,14 @@
 void ksu_kernel_umount_init(void);
 void ksu_kernel_umount_exit(void);
 
-void try_umount(const char *mnt, int flags);
-
 // Handler function to be called from setresuid hook
 int ksu_handle_umount(uid_t old_uid, uid_t new_uid);
 
 // for the umount list
 struct mount_entry {
-    char *umountable;
-    unsigned int flags;
-    struct list_head list;
+	char *umountable;
+	unsigned int flags;
+	struct list_head list;
 };
 extern struct list_head mount_list;
 extern struct rw_semaphore mount_list_lock;

kernel/kpm/Makefile

@@ -4,3 +4,6 @@ obj-y += super_access.o
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
 ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
+
+ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h

kernel/kpm/compact.c

@@ -13,7 +13,7 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
-#include <asm/elf.h>
+#include <asm/elf.h> /* 包含 ARM64 重定位类型定义 */
 #include <linux/vmalloc.h>
 #include <linux/mm.h>
 #include <linux/string.h>
@@ -29,72 +29,77 @@
 #include "../allowlist.h"
 #include "../manager.h"
 
+unsigned long sukisu_compact_find_symbol(const char *name);
+
+// ======================================================================
+// 兼容函数 for KPM
+
 static int sukisu_is_su_allow_uid(uid_t uid)
 {
-    return ksu_is_allow_uid_for_current(uid) ? 1 : 0;
+	return ksu_is_allow_uid(uid) ? 1 : 0;
 }
 
 static int sukisu_get_ap_mod_exclude(uid_t uid)
 {
-    return 0; /* Not supported */
+	// Not supported
+	return 0;
 }
 
 static int sukisu_is_uid_should_umount(uid_t uid)
 {
-    return ksu_uid_should_umount(uid) ? 1 : 0;
+	return ksu_uid_should_umount(uid) ? 1 : 0;
 }
 
-static int sukisu_is_current_uid_manager(void)
+static int sukisu_is_current_uid_manager()
 {
-    return is_manager();
+	return is_manager();
 }
 
-static uid_t sukisu_get_manager_uid(void)
+static uid_t sukisu_get_manager_uid()
 {
-    return ksu_manager_uid;
+	return ksu_manager_uid;
 }
 
-static void sukisu_set_manager_uid(uid_t uid, int force)
-{
-    if (force || ksu_manager_uid == -1)
-        ksu_manager_uid = uid;
-}
+// ======================================================================
 
 struct CompactAddressSymbol {
-    const char *symbol_name;
-    void *addr;
+	const char *symbol_name;
+	void *addr;
 };
 
-unsigned long sukisu_compact_find_symbol(const char *name);
-
 static struct CompactAddressSymbol address_symbol[] = {
-    { "kallsyms_lookup_name", &kallsyms_lookup_name },
-    { "compact_find_symbol", &sukisu_compact_find_symbol },
-    { "is_run_in_sukisu_ultra", (void *)1 },
-    { "is_su_allow_uid", &sukisu_is_su_allow_uid },
-    { "get_ap_mod_exclude", &sukisu_get_ap_mod_exclude },
-    { "is_uid_should_umount", &sukisu_is_uid_should_umount },
-    { "is_current_uid_manager", &sukisu_is_current_uid_manager },
-    { "get_manager_uid", &sukisu_get_manager_uid },
-    { "sukisu_set_manager_uid", &sukisu_set_manager_uid }
+	{ "kallsyms_lookup_name", &kallsyms_lookup_name },
+	{ "compact_find_symbol", &sukisu_compact_find_symbol },
+	{ "is_run_in_sukisu_ultra", (void *)1 },
+	{ "is_su_allow_uid", &sukisu_is_su_allow_uid },
+	{ "get_ap_mod_exclude", &sukisu_get_ap_mod_exclude },
+	{ "is_uid_should_umount", &sukisu_is_uid_should_umount },
+	{ "is_current_uid_manager", &sukisu_is_current_uid_manager },
+	{ "get_manager_uid", &sukisu_get_manager_uid }
 };
 
-unsigned long sukisu_compact_find_symbol(const char* name)
+unsigned long sukisu_compact_find_symbol(const char *name)
 {
-    int i;
-    unsigned long addr;
+	int i;
+	unsigned long addr;
 
-    for (i = 0; i < (sizeof(address_symbol) / sizeof(struct CompactAddressSymbol)); i++) {
-        struct CompactAddressSymbol *symbol = &address_symbol[i];
-        
-        if (strcmp(name, symbol->symbol_name) == 0)
-            return (unsigned long)symbol->addr;
-    }
+	// 先自己在地址表部分查出来
+	for (i = 0;
+	     i < (sizeof(address_symbol) / sizeof(struct CompactAddressSymbol));
+	     i++) {
+		struct CompactAddressSymbol *symbol = &address_symbol[i];
+		if (strcmp(name, symbol->symbol_name) == 0) {
+			return (unsigned long)symbol->addr;
+		}
+	}
 
-    addr = kallsyms_lookup_name(name);
-    if (addr)
-        return addr;
+	// 通过内核来查
+	addr = kallsyms_lookup_name(name);
+	if (addr) {
+		return addr;
+	}
 
-    return 0;
+	return 0;
 }
+
 EXPORT_SYMBOL(sukisu_compact_find_symbol);

kernel/kpm/compact.h

@@ -1,6 +1,6 @@
-#ifndef __SUKISU_KPM_COMPACT_H
-#define __SUKISU_KPM_COMPACT_H
+#ifndef ___SUKISU_KPM_COMPACT_H
+#define ___SUKISU_KPM_COMPACT_H
 
-extern unsigned long sukisu_compact_find_symbol(const char *name);
+unsigned long sukisu_compact_find_symbol(const char *name);
 
-#endif
+#endif

kernel/kpm/kpm.c

@@ -37,6 +37,7 @@
 #endif
 #include "kpm.h"
 #include "compact.h"
+#include "../kernel_compat.h"
 
 #define KPM_NAME_LEN 32
 #define KPM_ARGS_LEN 1024
@@ -127,18 +128,18 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
             goto exit;
         }
 
-        if (!access_ok(arg1, 255)) {
+        if (!ksu_access_ok(arg1, sizeof(kernel_load_path))) {
             goto invalid_arg;
         }
         
-        strncpy_from_user((char *)&kernel_load_path, (const char *)arg1, 255);
+        strncpy_from_user((char *)&kernel_load_path, (const char *)arg1, sizeof(kernel_load_path));
         
         if (arg2 != 0) {
-            if (!access_ok(arg2, 255)) {
+            if (!ksu_access_ok(arg2, sizeof(kernel_args_buffer))) {
                 goto invalid_arg;
             }
 
-            strncpy_from_user((char *)&kernel_args_buffer, (const char *)arg2, 255);
+            strncpy_from_user((char *)&kernel_args_buffer, (const char *)arg2, sizeof(kernel_args_buffer));
         }
 
         sukisu_kpm_load_module_path((const char *)&kernel_load_path,
@@ -151,7 +152,7 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
             goto exit;
         }
 
-        if (!access_ok(arg1, sizeof(kernel_name_buffer))) {
+        if (!ksu_access_ok(arg1, sizeof(kernel_name_buffer))) {
             goto invalid_arg;
         }
         
@@ -170,7 +171,7 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
             goto exit;
         }
 
-        if (!access_ok(arg1, sizeof(kernel_name_buffer))) {
+        if (!ksu_access_ok(arg1, sizeof(kernel_name_buffer))) {
             goto invalid_arg;
         }
         
@@ -178,7 +179,7 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
         
         sukisu_kpm_info((const char *)&kernel_name_buffer, (char *)&buf, sizeof(buf), &size);
 
-        if (!access_ok(arg2, size)) {
+        if (!ksu_access_ok(arg2, size)) {
             goto invalid_arg;
         }
 
@@ -193,7 +194,7 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
             goto exit;
         }
 
-        if (!access_ok(arg2, len)) {
+        if (!ksu_access_ok(arg2, len)) {
             goto invalid_arg;
         }
         
@@ -211,11 +212,11 @@ noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, u
         char kpm_name[KPM_NAME_LEN] = { 0 };
         char kpm_args[KPM_ARGS_LEN] = { 0 };
 
-        if (!access_ok(arg1, sizeof(kpm_name))) {
+        if (!ksu_access_ok(arg1, sizeof(kpm_name))) {
             goto invalid_arg;
         }
 
-        if (!access_ok(arg2, sizeof(kpm_args))) {
+        if (!ksu_access_ok(arg2, sizeof(kpm_args))) {
             goto invalid_arg;
         }
 
@@ -267,16 +268,15 @@ int do_kpm(void __user *arg)
         return -EFAULT;
     }
 
-    if (!access_ok(cmd.control_code, sizeof(int))) {
+    if (!ksu_access_ok(cmd.control_code, sizeof(int))) {
         pr_err("kpm: invalid control_code pointer %px\n", (void *)cmd.control_code);
         return -EFAULT;
     }
 
-    if (!access_ok(cmd.result_code, sizeof(int))) {
+    if (!ksu_access_ok(cmd.result_code, sizeof(int))) {
         pr_err("kpm: invalid result_code pointer %px\n", (void *)cmd.result_code);
         return -EFAULT;
     }
 
     return sukisu_handle_kpm(cmd.control_code, cmd.arg1, cmd.arg2, cmd.result_code);
 }
-

kernel/kpm/kpm.h

@@ -11,7 +11,7 @@ struct ksu_kpm_cmd {
     __aligned_u64 __user result_code;
 };
 
-int sukisu_handle_kpm(unsigned long control_code, unsigned long arg3, unsigned long arg4, unsigned long result_code);
+int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, unsigned long arg2, unsigned long result_code);
 int sukisu_is_kpm_control_code(unsigned long control_code);
 int do_kpm(void __user *arg);
 
@@ -67,4 +67,4 @@ int do_kpm(void __user *arg);
  */
 #define SUKISU_KPM_VERSION 7
 
-#endif
+#endif

kernel/kpm/super_access.c

@@ -13,7 +13,7 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
-#include <asm/elf.h>
+#include <asm/elf.h> /* 包含 ARM64 重定位类型定义 */
 #include <linux/vmalloc.h>
 #include <linux/mm.h>
 #include <linux/string.h>
@@ -24,255 +24,277 @@
 #include <linux/version.h>
 #include <linux/export.h>
 #include <linux/slab.h>
-#include <linux/types.h>
-#include <linux/stddef.h>
-#include <linux/mount.h>
-#include <linux/kprobes.h>
-#include <linux/mm_types.h>
-#include <linux/netlink.h>
-#include <linux/sched.h>
-#include <../fs/mount.h>
 #include "kpm.h"
 #include "compact.h"
+#include <linux/types.h>
+#include <linux/stddef.h>
 
+// 结构体成员元数据
 struct DynamicStructMember {
-    const char *name;
-    size_t size;
-    size_t offset;
+	const char *name;
+	size_t size;
+	size_t offset;
 };
 
+// 结构体元数据（包含总大小）
 struct DynamicStructInfo {
-    const char *name;
-    size_t count;
-    size_t total_size;
-    struct DynamicStructMember *members;
+	const char *name;
+	size_t count;
+	size_t total_size;
+	struct DynamicStructMember *members;
 };
 
+// 定义结构体元数据的宏（直接使用 struct 名称）
 #define DYNAMIC_STRUCT_BEGIN(struct_name) \
-    static struct DynamicStructMember struct_name##_members[] = {
+	static struct DynamicStructMember struct_name##_members[] = {
+#define DEFINE_MEMBER(struct_name, member)                   \
+	{ .name = #member,                                   \
+	  .size = sizeof(((struct struct_name *)0)->member), \
+	  .offset = offsetof(struct struct_name, member) },
 
-#define DEFINE_MEMBER(struct_name, member) \
-    { \
-        .name = #member, \
-        .size = sizeof(((struct struct_name *)0)->member), \
-        .offset = offsetof(struct struct_name, member) \
-    },
+#define DYNAMIC_STRUCT_END(struct_name)                        \
+	}                                                      \
+	;                                                      \
+	static struct DynamicStructInfo struct_name##_info = { \
+		.name = #struct_name,                          \
+		.count = sizeof(struct_name##_members) /       \
+			 sizeof(struct DynamicStructMember),   \
+		.total_size = sizeof(struct struct_name),      \
+		.members = struct_name##_members               \
+	};
 
-#define DYNAMIC_STRUCT_END(struct_name) \
-    }; \
-    static struct DynamicStructInfo struct_name##_info = { \
-        .name = #struct_name, \
-        .count = sizeof(struct_name##_members) / sizeof(struct DynamicStructMember), \
-        .total_size = sizeof(struct struct_name), \
-        .members = struct_name##_members \
-    };
+// ==================================================================================
 
+#include <linux/version.h>
+
+#define KERNEL_VERSION_6_1 KERNEL_VERSION(6, 1, 0)
+#define KERNEL_VERSION_5_15 KERNEL_VERSION(5, 15, 0)
+
+#include <../fs/mount.h>
+#include <linux/mount.h>
+
+// 定义元数据
 DYNAMIC_STRUCT_BEGIN(mount)
-    DEFINE_MEMBER(mount, mnt_parent)
-    DEFINE_MEMBER(mount, mnt)
-    DEFINE_MEMBER(mount, mnt_id)
-    DEFINE_MEMBER(mount, mnt_group_id)
-    DEFINE_MEMBER(mount, mnt_expiry_mark)
-    DEFINE_MEMBER(mount, mnt_master)
-    DEFINE_MEMBER(mount, mnt_devname)
+DEFINE_MEMBER(mount, mnt_parent)
+DEFINE_MEMBER(mount, mnt)
+DEFINE_MEMBER(mount, mnt_id)
+DEFINE_MEMBER(mount, mnt_group_id)
+DEFINE_MEMBER(mount, mnt_expiry_mark)
+DEFINE_MEMBER(mount, mnt_master)
+DEFINE_MEMBER(mount, mnt_devname)
 DYNAMIC_STRUCT_END(mount)
 
 DYNAMIC_STRUCT_BEGIN(vfsmount)
-    DEFINE_MEMBER(vfsmount, mnt_root)
-    DEFINE_MEMBER(vfsmount, mnt_sb)
-    DEFINE_MEMBER(vfsmount, mnt_flags)
+DEFINE_MEMBER(vfsmount, mnt_root)
+DEFINE_MEMBER(vfsmount, mnt_sb)
+DEFINE_MEMBER(vfsmount, mnt_flags)
 DYNAMIC_STRUCT_END(vfsmount)
 
 DYNAMIC_STRUCT_BEGIN(mnt_namespace)
-    DEFINE_MEMBER(mnt_namespace, ns)
-    DEFINE_MEMBER(mnt_namespace, root)
-    DEFINE_MEMBER(mnt_namespace, seq)
-    DEFINE_MEMBER(mnt_namespace, mounts)
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
-    DEFINE_MEMBER(mnt_namespace, count)
+DEFINE_MEMBER(mnt_namespace, ns)
+DEFINE_MEMBER(mnt_namespace, root)
+DEFINE_MEMBER(mnt_namespace, seq)
+DEFINE_MEMBER(mnt_namespace, mounts)
+#if LINUX_VERSION_CODE < KERNEL_VERSION_5_15
+DEFINE_MEMBER(mnt_namespace, count)
 #endif
 DYNAMIC_STRUCT_END(mnt_namespace)
 
+#include <linux/kprobes.h>
+
 #ifdef CONFIG_KPROBES
 DYNAMIC_STRUCT_BEGIN(kprobe)
-    DEFINE_MEMBER(kprobe, addr)
-    DEFINE_MEMBER(kprobe, symbol_name)
-    DEFINE_MEMBER(kprobe, offset)
-    DEFINE_MEMBER(kprobe, pre_handler)
-    DEFINE_MEMBER(kprobe, post_handler)
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
-    DEFINE_MEMBER(kprobe, fault_handler)
+DEFINE_MEMBER(kprobe, addr)
+DEFINE_MEMBER(kprobe, symbol_name)
+DEFINE_MEMBER(kprobe, offset)
+DEFINE_MEMBER(kprobe, pre_handler)
+DEFINE_MEMBER(kprobe, post_handler)
+#if LINUX_VERSION_CODE < KERNEL_VERSION_5_15
+DEFINE_MEMBER(kprobe, fault_handler)
 #endif
-    DEFINE_MEMBER(kprobe, flags)
+DEFINE_MEMBER(kprobe, flags)
 DYNAMIC_STRUCT_END(kprobe)
 #endif
 
+#include <linux/mm.h>
+#include <linux/mm_types.h>
+
 DYNAMIC_STRUCT_BEGIN(vm_area_struct)
-    DEFINE_MEMBER(vm_area_struct,vm_start)
-    DEFINE_MEMBER(vm_area_struct,vm_end)
-    DEFINE_MEMBER(vm_area_struct,vm_flags)
-    DEFINE_MEMBER(vm_area_struct,anon_vma)
-    DEFINE_MEMBER(vm_area_struct,vm_pgoff)
-    DEFINE_MEMBER(vm_area_struct,vm_file)
-    DEFINE_MEMBER(vm_area_struct,vm_private_data)
+DEFINE_MEMBER(vm_area_struct, vm_start)
+DEFINE_MEMBER(vm_area_struct, vm_end)
+DEFINE_MEMBER(vm_area_struct, vm_flags)
+DEFINE_MEMBER(vm_area_struct, anon_vma)
+DEFINE_MEMBER(vm_area_struct, vm_pgoff)
+DEFINE_MEMBER(vm_area_struct, vm_file)
+DEFINE_MEMBER(vm_area_struct, vm_private_data)
 #ifdef CONFIG_ANON_VMA_NAME
-    DEFINE_MEMBER(vm_area_struct, anon_name)
+DEFINE_MEMBER(vm_area_struct, anon_name)
 #endif
-    DEFINE_MEMBER(vm_area_struct, vm_ops)
+DEFINE_MEMBER(vm_area_struct, vm_ops)
 DYNAMIC_STRUCT_END(vm_area_struct)
 
 DYNAMIC_STRUCT_BEGIN(vm_operations_struct)
-    DEFINE_MEMBER(vm_operations_struct, open)
-    DEFINE_MEMBER(vm_operations_struct, close)
-    DEFINE_MEMBER(vm_operations_struct, name)
-    DEFINE_MEMBER(vm_operations_struct, access)
+DEFINE_MEMBER(vm_operations_struct, open)
+DEFINE_MEMBER(vm_operations_struct, close)
+DEFINE_MEMBER(vm_operations_struct, name)
+DEFINE_MEMBER(vm_operations_struct, access)
 DYNAMIC_STRUCT_END(vm_operations_struct)
 
+#include <linux/netlink.h>
+
 DYNAMIC_STRUCT_BEGIN(netlink_kernel_cfg)
-    DEFINE_MEMBER(netlink_kernel_cfg, groups)
-    DEFINE_MEMBER(netlink_kernel_cfg, flags)
-    DEFINE_MEMBER(netlink_kernel_cfg, input)
-    DEFINE_MEMBER(netlink_kernel_cfg, cb_mutex)
-    DEFINE_MEMBER(netlink_kernel_cfg, bind)
-    DEFINE_MEMBER(netlink_kernel_cfg, unbind)
-#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 1, 0)
-    DEFINE_MEMBER(netlink_kernel_cfg, compare)
+DEFINE_MEMBER(netlink_kernel_cfg, groups)
+DEFINE_MEMBER(netlink_kernel_cfg, flags)
+DEFINE_MEMBER(netlink_kernel_cfg, input)
+DEFINE_MEMBER(netlink_kernel_cfg, cb_mutex)
+DEFINE_MEMBER(netlink_kernel_cfg, bind)
+DEFINE_MEMBER(netlink_kernel_cfg, unbind)
+#if LINUX_VERSION_CODE < KERNEL_VERSION_6_1
+DEFINE_MEMBER(netlink_kernel_cfg, compare)
 #endif
 DYNAMIC_STRUCT_END(netlink_kernel_cfg)
 
+#include <linux/sched.h>
 DYNAMIC_STRUCT_BEGIN(task_struct)
-    DEFINE_MEMBER(task_struct, pid)
-    DEFINE_MEMBER(task_struct, tgid)
-    DEFINE_MEMBER(task_struct, cred)
-    DEFINE_MEMBER(task_struct, real_cred)
-    DEFINE_MEMBER(task_struct, comm)
-    DEFINE_MEMBER(task_struct, parent)
-    DEFINE_MEMBER(task_struct, group_leader)
-    DEFINE_MEMBER(task_struct, mm)
-    DEFINE_MEMBER(task_struct, active_mm)
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0) 
-    DEFINE_MEMBER(task_struct, pids[PIDTYPE_PID].pid)
+DEFINE_MEMBER(task_struct, pid)
+DEFINE_MEMBER(task_struct, tgid)
+DEFINE_MEMBER(task_struct, cred)
+DEFINE_MEMBER(task_struct, real_cred)
+DEFINE_MEMBER(task_struct, comm)
+DEFINE_MEMBER(task_struct, parent)
+DEFINE_MEMBER(task_struct, group_leader)
+DEFINE_MEMBER(task_struct, mm)
+DEFINE_MEMBER(task_struct, active_mm)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+DEFINE_MEMBER(task_struct, pids[PIDTYPE_PID].pid)
 #else
-    DEFINE_MEMBER(task_struct, thread_pid)
+DEFINE_MEMBER(task_struct, thread_pid)
 #endif
-    DEFINE_MEMBER(task_struct, files)
-    DEFINE_MEMBER(task_struct, seccomp)
+DEFINE_MEMBER(task_struct, files)
+DEFINE_MEMBER(task_struct, seccomp)
 #ifdef CONFIG_THREAD_INFO_IN_TASK
-    DEFINE_MEMBER(task_struct, thread_info)
+DEFINE_MEMBER(task_struct, thread_info)
 #endif
 #ifdef CONFIG_CGROUPS
-    DEFINE_MEMBER(task_struct, cgroups)
+DEFINE_MEMBER(task_struct, cgroups)
 #endif
 #ifdef CONFIG_SECURITY
-    DEFINE_MEMBER(task_struct, security)
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0))
+DEFINE_MEMBER(task_struct, security)
+#else
+DEFINE_MEMBER(task_struct, cred)
+#endif
+#endif
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0))
+DEFINE_MEMBER(task_struct, thread)
+#else
+DEFINE_MEMBER(task_struct, thread_info)
 #endif
-    DEFINE_MEMBER(task_struct, thread)
 DYNAMIC_STRUCT_END(task_struct)
 
+// =====================================================================================================================
+
 #define STRUCT_INFO(name) &(name##_info)
 
 static struct DynamicStructInfo *dynamic_struct_infos[] = {
-    STRUCT_INFO(mount),
-    STRUCT_INFO(vfsmount),
-    STRUCT_INFO(mnt_namespace),
+	STRUCT_INFO(mount),
+	STRUCT_INFO(vfsmount),
+	STRUCT_INFO(mnt_namespace),
 #ifdef CONFIG_KPROBES
-    STRUCT_INFO(kprobe),
+	STRUCT_INFO(kprobe),
 #endif
-    STRUCT_INFO(vm_area_struct),
-    STRUCT_INFO(vm_operations_struct),
-    STRUCT_INFO(netlink_kernel_cfg),
-    STRUCT_INFO(task_struct)
+	STRUCT_INFO(vm_area_struct),
+	STRUCT_INFO(vm_operations_struct),
+	STRUCT_INFO(netlink_kernel_cfg),
+	STRUCT_INFO(task_struct)
 };
 
-/*
- * return 0 if successful
- * return -1 if struct not defined
- */
-int sukisu_super_find_struct(const char *struct_name, size_t *out_size, int *out_members)
+// return 0 if successful
+// return -1 if struct not defined
+int sukisu_super_find_struct(const char *struct_name, size_t *out_size,
+			     int *out_members)
 {
-    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo *info = dynamic_struct_infos[i];
-        
-        if (strcmp(struct_name, info->name) == 0) {
-            if (out_size)
-                *out_size = info->total_size;
-                
-            if (out_members)
-                *out_members = info->count;
-                
-            return 0;
-        }
-    }
-    
-    return -1;
+	for (size_t i = 0; i < (sizeof(dynamic_struct_infos) /
+				sizeof(dynamic_struct_infos[0]));
+	     i++) {
+		struct DynamicStructInfo *info = dynamic_struct_infos[i];
+		if (strcmp(struct_name, info->name) == 0) {
+			if (out_size)
+				*out_size = info->total_size;
+			if (out_members)
+				*out_members = info->count;
+			return 0;
+		}
+	}
+	return -1;
 }
 EXPORT_SYMBOL(sukisu_super_find_struct);
 
-/*
- * Dynamic access struct
- * return 0 if successful
- * return -1 if struct not defined
- * return -2 if member not defined
- */
-int sukisu_super_access(const char *struct_name, const char *member_name, size_t *out_offset,
-                size_t *out_size)
+// Dynamic access struct
+// return 0 if successful
+// return -1 if struct not defined
+// return -2 if member not defined
+int sukisu_super_access(const char *struct_name, const char *member_name,
+			size_t *out_offset, size_t *out_size)
 {
-    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo *info = dynamic_struct_infos[i];
-        
-        if (strcmp(struct_name, info->name) == 0) {
-            for (size_t i1 = 0; i1 < info->count; i1++) {
-                if (strcmp(info->members[i1].name, member_name) == 0) {
-                    if (out_offset)
-                        *out_offset = info->members[i].offset;
-                        
-                    if (out_size)
-                        *out_size = info->members[i].size;
-                        
-                    return 0;
-                }
-            }
-            
-            return -2;
-        }
-    }
-    
-    return -1;
+	for (size_t i = 0; i < (sizeof(dynamic_struct_infos) /
+				sizeof(dynamic_struct_infos[0]));
+	     i++) {
+		struct DynamicStructInfo *info = dynamic_struct_infos[i];
+		if (strcmp(struct_name, info->name) == 0) {
+			for (size_t i1 = 0; i1 < info->count; i1++) {
+				if (strcmp(info->members[i1].name,
+					   member_name) == 0) {
+					if (out_offset)
+						*out_offset =
+							info->members[i].offset;
+					if (out_size)
+						*out_size =
+							info->members[i].size;
+					return 0;
+				}
+			}
+			return -2;
+		}
+	}
+	return -1;
 }
 EXPORT_SYMBOL(sukisu_super_access);
 
-#define DYNAMIC_CONTAINER_OF(offset, member_ptr) ({ \
-    (offset != (size_t)-1) ? (void*)((char*)(member_ptr) - offset) : NULL; \
-})
+// 动态 container_of 宏
+#define DYNAMIC_CONTAINER_OF(offset, member_ptr)                  \
+	({                                                        \
+		(offset != (size_t)-1) ?                          \
+			(void *)((char *)(member_ptr) - offset) : \
+			NULL;                                     \
+	})
 
-/*
- * Dynamic container_of
- * return 0 if success
- * return -1 if current struct not defined
- * return -2 if target member not defined
- */
-int sukisu_super_container_of(const char *struct_name, const char *member_name, void *ptr,
-                void **out_ptr)
+// Dynamic container_of
+// return 0 if success
+// return -1 if current struct not defined
+// return -2 if target member not defined
+int sukisu_super_container_of(const char *struct_name, const char *member_name,
+			      void *ptr, void **out_ptr)
 {
-    if (ptr == NULL)
-        return -3;
-
-    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo *info = dynamic_struct_infos[i];
-        
-        if (strcmp(struct_name, info->name) == 0) {
-            for (size_t i1 = 0; i1 < info->count; i1++) {
-                if (strcmp(info->members[i1].name, member_name) == 0) {
-                    *out_ptr = (void *)DYNAMIC_CONTAINER_OF(info->members[i1].offset, ptr);
-                    
-                    return 0;
-                }
-            }
-            
-            return -2;
-        }
-    }
-    
-    return -1;
+	if (ptr == NULL) {
+		return -3;
+	}
+	for (size_t i = 0; i < (sizeof(dynamic_struct_infos) /
+				sizeof(dynamic_struct_infos[0]));
+	     i++) {
+		struct DynamicStructInfo *info = dynamic_struct_infos[i];
+		if (strcmp(struct_name, info->name) == 0) {
+			for (size_t i1 = 0; i1 < info->count; i1++) {
+				if (strcmp(info->members[i1].name,
+					   member_name) == 0) {
+					*out_ptr = (void *)DYNAMIC_CONTAINER_OF(
+						info->members[i1].offset, ptr);
+					return 0;
+				}
+			}
+			return -2;
+		}
+	}
+	return -1;
 }
-EXPORT_SYMBOL(sukisu_super_container_of);
+EXPORT_SYMBOL(sukisu_super_container_of);

kernel/kpm/super_access.h

@@ -6,10 +6,23 @@
 #include "kpm.h"
 #include "compact.h"
 
-extern int sukisu_super_find_struct(const char *struct_name, size_t *out_size, int *out_members);
-extern int sukisu_super_access(const char *struct_name, const char *member_name, size_t *out_offset,
-                size_t *out_size);
-extern int sukisu_super_container_of(const char *struct_name, const char *member_name, void *ptr,
-                void **out_ptr);
+// return 0 if successful
+// return -1 if struct not defined
+int sukisu_super_find_struct(const char *struct_name, size_t *out_size,
+			     int *out_members);
+
+// Dynamic access struct
+// return 0 if successful
+// return -1 if struct not defined
+// return -2 if member not defined
+int sukisu_super_access(const char *struct_name, const char *member_name,
+			size_t *out_offset, size_t *out_size);
+
+// Dynamic container_of
+// return 0 if success
+// return -1 if current struct not defined
+// return -2 if target member not defined
+int sukisu_super_container_of(const char *struct_name, const char *member_name,
+			      void *ptr, void **out_ptr);
 
 #endif

kernel/ksu.c

@@ -1,19 +1,23 @@
 #include <linux/export.h>
 #include <linux/fs.h>
+#include <linux/printk.h>
 #include <linux/kobject.h>
 #include <linux/module.h>
 #include <linux/workqueue.h>
-#include <linux/version.h>
+#include <generated/utsrelease.h>
+#include <generated/compile.h>
+#include <linux/version.h> /* LINUX_VERSION_CODE, KERNEL_VERSION macros */
 
 #include "allowlist.h"
+#include "arch.h"
 #include "feature.h"
 #include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
 #include "throne_tracker.h"
 #include "syscall_hook_manager.h"
 #include "ksud.h"
 #include "supercalls.h"
 
-#include "sulog.h"
 #include "throne_comm.h"
 #include "dynamic_manager.h"
 
@@ -33,73 +37,81 @@ void sukisu_custom_config_exit(void)
     ksu_uid_exit();
     ksu_throne_comm_exit();
     ksu_dynamic_manager_exit();
-#if __SULOG_GATE
-    ksu_sulog_exit();
-#endif
+}
+
+extern int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
+					void *argv, void *envp, int *flags);
+extern int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
+				    void *argv, void *envp, int *flags);
+int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
+			void *envp, int *flags)
+{
+	ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
+					    flags);
 }
 
 int __init kernelsu_init(void)
 {
+#ifndef DDK_ENV
+	pr_info("Initialized on: %s (%s) with driver version: %u\n",
+		UTS_RELEASE, UTS_MACHINE, KSU_VERSION);
+#endif
+
 #ifdef CONFIG_KSU_DEBUG
-    pr_alert("*************************************************************");
-    pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
-    pr_alert("**                                                         **");
-    pr_alert("**         You are running KernelSU in DEBUG mode          **");
-    pr_alert("**                                                         **");
-    pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
-    pr_alert("*************************************************************");
+	pr_alert("*************************************************************");
+	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
+	pr_alert("**                                                         **");
+	pr_alert("**         You are running KernelSU in DEBUG mode          **");
+	pr_alert("**                                                         **");
+	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
+	pr_alert("*************************************************************");
 #endif
 
-    ksu_feature_init();
+	ksu_feature_init();
 
-    ksu_supercalls_init();
+	ksu_supercalls_init();
 
-    sukisu_custom_config_init();
+	sukisu_custom_config_init();
 
-    ksu_syscall_hook_manager_init();
+	ksu_syscall_hook_manager_init();
 
-    ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0);
+	ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0);
 
-    ksu_allowlist_init();
+	ksu_allowlist_init();
 
-    ksu_throne_tracker_init();
+	ksu_throne_tracker_init();
 
-#ifdef KSU_KPROBES_HOOK
-    ksu_ksud_init();
-#else
-     pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
-#endif
+	ksu_ksud_init();
 
 #ifdef MODULE
 #ifndef CONFIG_KSU_DEBUG
-    kobject_del(&THIS_MODULE->mkobj.kobj);
+	kobject_del(&THIS_MODULE->mkobj.kobj);
 #endif
 #endif
-    return 0;
+	return 0;
 }
 
 extern void ksu_observer_exit(void);
 void kernelsu_exit(void)
 {
-    ksu_allowlist_exit();
+	ksu_allowlist_exit();
 
-    ksu_observer_exit();
+	ksu_throne_tracker_exit();
 
-    ksu_throne_tracker_exit();
+	ksu_observer_exit();
 
-    destroy_workqueue(ksu_workqueue);
+	destroy_workqueue(ksu_workqueue);
 
-#ifdef KSU_KPROBES_HOOK
-    ksu_ksud_exit();
-#endif
+	ksu_ksud_exit();
 
-    ksu_syscall_hook_manager_exit();
+	ksu_syscall_hook_manager_exit();
 
-    sukisu_custom_config_exit();
+	sukisu_custom_config_exit();
 
-    ksu_supercalls_exit();
-    
-    ksu_feature_exit();
+	ksu_supercalls_exit();
+
+	ksu_feature_exit();
 }
 
 module_init(kernelsu_init);
@@ -109,8 +121,10 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("weishu");
 MODULE_DESCRIPTION("Android KernelSU");
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0)
 MODULE_IMPORT_NS("VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver");
 #else
 MODULE_IMPORT_NS(VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver);
 #endif
+#endif

kernel/ksu.h

@@ -59,4 +59,4 @@ static inline int endswith(const char *s, const char *t)
 }
 #endif
 
-#endif
+#endif

kernel/ksud.h

@@ -1,10 +1,12 @@
 #ifndef __KSU_H_KSUD
 #define __KSU_H_KSUD
 
+#include <linux/types.h>
+
 #define KSUD_PATH "/data/adb/ksud"
 
-void ksu_ksud_init();
-void ksu_ksud_exit();
+void ksu_ksud_init(void);
+void ksu_ksud_exit(void);
 
 void on_post_fs_data(void);
 void on_module_mounted(void);
@@ -18,4 +20,7 @@ extern u32 ksu_file_sid;
 extern bool ksu_module_mounted;
 extern bool ksu_boot_completed;
 
+extern bool ksu_execveat_hook __read_mostly;
+extern int ksu_handle_pre_ksud(const char *filename);
+
 #endif

kernel/lsm_hooks.c

@@ -0,0 +1,123 @@
+#include <linux/lsm_hooks.h>
+#include <linux/uidgid.h>
+#include <linux/version.h>
+#include <linux/binfmts.h>
+#include <linux/err.h>
+
+#include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
+#include "kernel_compat.h"
+#include "setuid_hook.h"
+
+#ifndef KSU_SHOULD_USE_NEW_TP
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||                           \
+	defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
+static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
+			      unsigned perm)
+{
+	if (init_session_keyring != NULL) {
+		return 0;
+	}
+	if (strcmp(current->comm, "init")) {
+		// we are only interested in `init` process
+		return 0;
+	}
+	init_session_keyring = cred->session_keyring;
+	pr_info("kernel_compat: got init_session_keyring\n");
+	return 0;
+}
+#endif
+
+static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
+			       int flags)
+{
+	kuid_t new_uid = new->uid;
+	kuid_t new_euid = new->euid;
+
+	return ksu_handle_setresuid((uid_t)new_uid.val, (uid_t)new_euid.val,
+				    (uid_t)new_uid.val);
+}
+
+#ifndef DEVPTS_SUPER_MAGIC
+#define DEVPTS_SUPER_MAGIC	0x1cd1
+#endif
+
+extern int __ksu_handle_devpts(struct inode *inode); // sucompat.c
+
+#ifdef CONFIG_COMPAT
+bool ksu_is_compat __read_mostly = false;
+#endif
+
+int ksu_inode_permission(struct inode *inode, int mask)
+{
+	if (inode && inode->i_sb 
+		&& unlikely(inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
+		//pr_info("%s: handling devpts for: %s \n", __func__, current->comm);
+		__ksu_handle_devpts(inode);
+	}
+	return 0;
+}
+
+int ksu_bprm_check(struct linux_binprm *bprm)
+{
+	char *filename = (char *)bprm->filename;
+	
+	if (likely(!ksu_execveat_hook))
+		return 0;
+
+#ifdef CONFIG_COMPAT
+	static bool compat_check_done __read_mostly = false;
+	if ( unlikely(!compat_check_done) && unlikely(!strcmp(filename, "/data/adb/ksud"))
+		&& !memcmp(bprm->buf, "\x7f\x45\x4c\x46", 4) ) {
+		if (bprm->buf[4] == 0x01 )
+			ksu_is_compat = true;
+
+		pr_info("%s: %s ELF magic found! ksu_is_compat: %d \n", __func__, filename, ksu_is_compat);
+		compat_check_done = true;
+	}
+#endif
+
+	ksu_handle_pre_ksud(filename);
+
+	return 0;
+
+}
+
+static struct security_hook_list ksu_hooks[] = {
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) ||                           \
+	defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
+	LSM_HOOK_INIT(key_permission, ksu_key_permission),
+#endif
+	LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
+#ifndef KSU_SHOULD_USE_NEW_TP
+	LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
+#endif
+	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid)
+};
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+static const struct lsm_id ksu_lsmid = {
+	.name = "ksu",
+	.id = 912,
+};
+#endif
+
+void __init ksu_lsm_hook_init(void)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 8, 0)
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), &ksu_lsmid);
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
+#else
+	// https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks));
+#endif
+	pr_info("LSM hooks initialized.\n");
+}
+#else
+void ksu_lsm_hook_init(void)
+{
+	return;
+}
+#endif

kernel/manager.h

@@ -15,28 +15,28 @@ extern int ksu_get_manager_signature_index(uid_t uid);
 
 static inline bool ksu_is_manager_uid_valid(void)
 {
-    return ksu_manager_uid != KSU_INVALID_UID;
+	return ksu_manager_uid != KSU_INVALID_UID;
 }
 
 static inline bool is_manager(void)
 {
-    return unlikely(ksu_is_any_manager(current_uid().val) || 
-            (ksu_manager_uid != KSU_INVALID_UID && ksu_manager_uid == current_uid().val));
+	return unlikely(ksu_is_any_manager(current_uid().val) || 
+			(ksu_manager_uid != KSU_INVALID_UID && ksu_manager_uid == current_uid().val));
 }
 
 static inline uid_t ksu_get_manager_uid(void)
 {
-    return ksu_manager_uid;
+	return ksu_manager_uid;
 }
 
 static inline void ksu_set_manager_uid(uid_t uid)
 {
-    ksu_manager_uid = uid;
+	ksu_manager_uid = uid;
 }
 
 static inline void ksu_invalidate_manager_uid(void)
 {
-    ksu_manager_uid = KSU_INVALID_UID;
+	ksu_manager_uid = KSU_INVALID_UID;
 }
 
 int ksu_observer_init(void);

kernel/manager_sign.h

@@ -1,17 +1,19 @@
 #ifndef MANAGER_SIGN_H
 #define MANAGER_SIGN_H
 
-// ShirkNeko/SukiSU
-#define EXPECTED_SIZE_SHIRKNEKO   0x35c
-#define EXPECTED_HASH_SHIRKNEKO   "947ae944f3de4ed4c21a7e4f7953ecf351bfa2b36239da37a34111ad29993eef"
+// ShirkNeko/KernelSU
+#define EXPECTED_SIZE_SHIRKNEKO 0x35c
+#define EXPECTED_HASH_SHIRKNEKO \
+	"947ae944f3de4ed4c21a7e4f7953ecf351bfa2b36239da37a34111ad29993eef"
 
 // Dynamic Sign
-#define EXPECTED_SIZE_OTHER   0x300
-#define EXPECTED_HASH_OTHER   "0000000000000000000000000000000000000000000000000000000000000000"
+#define EXPECTED_SIZE_OTHER 0x300
+#define EXPECTED_HASH_OTHER \
+	"0000000000000000000000000000000000000000000000000000000000000000"
 
 typedef struct {
-    unsigned size;
-    const char *sha256;
+	unsigned size;
+	const char *sha256;
 } apk_sign_key_t;
 
 #endif /* MANAGER_SIGN_H */

kernel/manual_su.c

@@ -1,357 +0,0 @@
-#include <linux/string.h>
-#include <linux/uaccess.h>
-#include <linux/printk.h>
-#include <linux/cred.h>
-#include <linux/fs.h>
-#include <linux/uaccess.h>
-#include <linux/file.h>
-#include <linux/mm.h>
-#include <linux/slab.h>
-#include <linux/binfmts.h>
-
-#include "manual_su.h"
-#include "ksu.h"
-#include "allowlist.h"
-#include "manager.h"
-#include "app_profile.h"
-
-static bool current_verified = false;
-static void ksu_cleanup_expired_tokens(void);
-static bool is_current_verified(void);
-static void add_pending_root(uid_t uid);
-
-static struct pending_uid pending_uids[MAX_PENDING] = {0};
-static int pending_cnt = 0;
-static struct ksu_token_entry auth_tokens[MAX_TOKENS] = {0};
-static int token_count = 0;
-static DEFINE_SPINLOCK(token_lock);
-
-static char* get_token_from_envp(void)
-{
-    struct mm_struct *mm;
-    char *envp_start, *envp_end;
-    char *env_ptr, *token = NULL;
-    unsigned long env_len;
-    char *env_copy = NULL;
-    
-    if (!current->mm)
-        return NULL;
-        
-    mm = current->mm;
-    
-    down_read(&mm->mmap_lock);
-    
-    envp_start = (char *)mm->env_start;
-    envp_end = (char *)mm->env_end;
-    env_len = envp_end - envp_start;
-    
-    if (env_len <= 0 || env_len > PAGE_SIZE * 32) {
-        up_read(&mm->mmap_lock);
-        return NULL;
-    }
-    
-    env_copy = kzalloc(env_len + 1, GFP_KERNEL);
-    if (!env_copy) {
-        up_read(&mm->mmap_lock);
-        return NULL;
-    }
-    
-    if (copy_from_user(env_copy, envp_start, env_len)) {
-        kfree(env_copy);
-        up_read(&mm->mmap_lock);
-        return NULL;
-    }
-    
-    up_read(&mm->mmap_lock);
-    
-    env_copy[env_len] = '\0';
-    env_ptr = env_copy;
-    
-    while (env_ptr < env_copy + env_len) {
-        if (strncmp(env_ptr, KSU_TOKEN_ENV_NAME "=", strlen(KSU_TOKEN_ENV_NAME) + 1) == 0) {
-            char *token_start = env_ptr + strlen(KSU_TOKEN_ENV_NAME) + 1;
-            char *token_end = strchr(token_start, '\0');
-            
-            if (token_end && (token_end - token_start) == KSU_TOKEN_LENGTH) {
-                token = kzalloc(KSU_TOKEN_LENGTH + 1, GFP_KERNEL);
-                if (token) {
-                    memcpy(token, token_start, KSU_TOKEN_LENGTH);
-                    token[KSU_TOKEN_LENGTH] = '\0';
-                    pr_info("manual_su: found auth token in environment\n");
-                }
-            }
-            break;
-        }
-        
-        env_ptr += strlen(env_ptr) + 1;
-    }
-    
-    kfree(env_copy);
-    return token;
-}
-
-static char* ksu_generate_auth_token(void)
-{
-    static char token_buffer[KSU_TOKEN_LENGTH + 1];
-    unsigned long flags;
-    int i;
-    
-    ksu_cleanup_expired_tokens();
-    
-    spin_lock_irqsave(&token_lock, flags);
-    
-    if (token_count >= MAX_TOKENS) {
-        for (i = 0; i < MAX_TOKENS - 1; i++) {
-            auth_tokens[i] = auth_tokens[i + 1];
-        }
-        token_count = MAX_TOKENS - 1;
-    }
-    
-    for (i = 0; i < KSU_TOKEN_LENGTH; i++) {
-        u8 rand_byte;
-        get_random_bytes(&rand_byte, 1);
-        int char_type = rand_byte % 3;
-        if (char_type == 0) {
-            token_buffer[i] = 'A' + (rand_byte % 26);
-        } else if (char_type == 1) {
-            token_buffer[i] = 'a' + (rand_byte % 26);
-        } else {
-            token_buffer[i] = '0' + (rand_byte % 10);
-        }
-    }
-    
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-        strscpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
-#else
-        strlcpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
-#endif
-    auth_tokens[token_count].expire_time = jiffies + KSU_TOKEN_EXPIRE_TIME * HZ;
-    auth_tokens[token_count].used = false;
-    token_count++;
-    
-    spin_unlock_irqrestore(&token_lock, flags);
-    
-    pr_info("manual_su: generated new auth token (expires in %d seconds)\n", KSU_TOKEN_EXPIRE_TIME);
-    return token_buffer;
-}
-
-static bool ksu_verify_auth_token(const char *token)
-{
-    unsigned long flags;
-    bool valid = false;
-    int i;
-    
-    if (!token || strlen(token) != KSU_TOKEN_LENGTH) {
-        return false;
-    }
-    
-    spin_lock_irqsave(&token_lock, flags);
-    
-    for (i = 0; i < token_count; i++) {
-        if (!auth_tokens[i].used && 
-            time_before(jiffies, auth_tokens[i].expire_time) &&
-            strcmp(auth_tokens[i].token, token) == 0) {
-            
-            auth_tokens[i].used = true;
-            valid = true;
-            pr_info("manual_su: auth token verified successfully\n");
-            break;
-        }
-    }
-    
-    spin_unlock_irqrestore(&token_lock, flags);
-    
-    if (!valid) {
-        pr_warn("manual_su: invalid or expired auth token\n");
-    }
-    
-    return valid;
-}
-
-static void ksu_cleanup_expired_tokens(void)
-{
-    unsigned long flags;
-    int i, j;
-    
-    spin_lock_irqsave(&token_lock, flags);
-    
-    for (i = 0; i < token_count; ) {
-        if (time_after(jiffies, auth_tokens[i].expire_time) || auth_tokens[i].used) {
-            for (j = i; j < token_count - 1; j++) {
-                auth_tokens[j] = auth_tokens[j + 1];
-            }
-            token_count--;
-            pr_debug("manual_su: cleaned up expired/used token\n");
-        } else {
-            i++;
-        }
-    }
-    
-    spin_unlock_irqrestore(&token_lock, flags);
-}
-
-static int handle_token_generation(struct manual_su_request *request)
-{
-    if (current_uid().val > 2000) {
-        pr_warn("manual_su: token generation denied for app UID %d\n", current_uid().val);
-        return -EPERM;
-    }
-    
-    char *new_token = ksu_generate_auth_token();
-    if (!new_token) {
-        pr_err("manual_su: failed to generate token\n");
-        return -ENOMEM;
-    }
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-        strscpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
-#else
-        strlcpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
-#endif
-
-    pr_info("manual_su: auth token generated successfully\n");
-    return 0;
-}
-
-static int handle_escalation_request(struct manual_su_request *request)
-{
-    uid_t target_uid = request->target_uid;
-    pid_t target_pid = request->target_pid;
-    struct task_struct *tsk;
-    
-    rcu_read_lock();
-    tsk = pid_task(find_vpid(target_pid), PIDTYPE_PID);
-    if (!tsk || ksu_task_is_dead(tsk)) {
-        rcu_read_unlock();
-        pr_err("cmd_su: PID %d is invalid or dead\n", target_pid);
-        return -ESRCH;
-    }
-    rcu_read_unlock();
-    
-    if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid_for_current(current_uid().val))
-        goto allowed;
-
-    char *env_token = get_token_from_envp();
-    if (!env_token) {
-        pr_warn("manual_su: no auth token found in environment\n");
-        return -EACCES;
-    }
-    
-    bool token_valid = ksu_verify_auth_token(env_token);
-    kfree(env_token);
-    
-    if (!token_valid) {
-        pr_warn("manual_su: token verification failed\n");
-        return -EACCES;
-    }
-
-allowed:
-    current_verified = true;
-    escape_to_root_for_cmd_su(target_uid, target_pid);
-    return 0;
-}
-
-static int handle_add_pending_request(struct manual_su_request *request)
-{
-    uid_t target_uid = request->target_uid;
-    
-    if (!is_current_verified()) {
-        pr_warn("manual_su: add_pending denied, not verified\n");
-        return -EPERM;
-    }
-
-    add_pending_root(target_uid);
-    current_verified = false;
-    pr_info("manual_su: pending root added for UID %d\n", target_uid);
-    return 0;
-}
-
-int ksu_handle_manual_su_request(int option, struct manual_su_request *request)
-{
-    if (!request) {
-        pr_err("manual_su: invalid request pointer\n");
-        return -EINVAL;
-    }
-
-    switch (option) {
-    case MANUAL_SU_OP_GENERATE_TOKEN:
-        pr_info("manual_su: handling token generation request\n");
-        return handle_token_generation(request);
-
-    case MANUAL_SU_OP_ESCALATE:
-        pr_info("manual_su: handling escalation request for UID %d, PID %d\n", 
-                request->target_uid, request->target_pid);
-        return handle_escalation_request(request);
-        
-    case MANUAL_SU_OP_ADD_PENDING:
-        pr_info("manual_su: handling add pending request for UID %d\n", request->target_uid);
-        return handle_add_pending_request(request);
-        
-    default:
-        pr_err("manual_su: unknown option %d\n", option);
-        return -EINVAL;
-    }
-}
-
-static bool is_current_verified(void)
-{
-    return current_verified;
-}
-
-bool is_pending_root(uid_t uid)
-{
-    for (int i = 0; i < pending_cnt; i++) {
-        if (pending_uids[i].uid == uid) {
-            pending_uids[i].use_count++;
-            pending_uids[i].remove_calls++;
-            return true;
-        }
-    }
-    return false;
-}
-
-void remove_pending_root(uid_t uid)
-{
-    for (int i = 0; i < pending_cnt; i++) {
-        if (pending_uids[i].uid == uid) {
-            pending_uids[i].remove_calls++;
-
-            if (pending_uids[i].remove_calls >= REMOVE_DELAY_CALLS) {
-                pending_uids[i] = pending_uids[--pending_cnt];
-                pr_info("pending_root: removed UID %d after %d calls\n", uid, REMOVE_DELAY_CALLS);
-                ksu_temp_revoke_root_once(uid);
-            } else {
-                pr_info("pending_root: UID %d remove_call=%d (<%d)\n",
-                        uid, pending_uids[i].remove_calls, REMOVE_DELAY_CALLS);
-            }
-            return;
-        }
-    }
-}
-
-static void add_pending_root(uid_t uid)
-{
-    if (pending_cnt >= MAX_PENDING) {
-        pr_warn("pending_root: cache full\n");
-        return;
-    }
-    for (int i = 0; i < pending_cnt; i++) {
-        if (pending_uids[i].uid == uid) {
-            pending_uids[i].use_count = 0;
-            pending_uids[i].remove_calls = 0;
-            return;
-        }
-    }
-    pending_uids[pending_cnt++] = (struct pending_uid){uid, 0};
-    ksu_temp_grant_root_once(uid);
-    pr_info("pending_root: cached UID %d\n", uid);
-}
-
-void ksu_try_escalate_for_uid(uid_t uid)
-{
-    if (!is_pending_root(uid))
-        return;
-    
-    pr_info("pending_root: UID=%d temporarily allowed\n", uid);
-    remove_pending_root(uid);
-}

kernel/manual_su.h

@@ -1,49 +0,0 @@
-#ifndef __KSU_MANUAL_SU_H
-#define __KSU_MANUAL_SU_H
-
-#include <linux/types.h>
-#include <linux/sched.h>
-#include <linux/version.h>
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 7, 0)
-#define mmap_lock mmap_sem
-#endif
-
-#define ksu_task_is_dead(t) ((t)->exit_state != 0)
-
-#define MAX_PENDING 16
-#define REMOVE_DELAY_CALLS 150
-#define MAX_TOKENS 10
-
-#define KSU_SU_VERIFIED_BIT (1UL << 0)
-#define KSU_TOKEN_LENGTH 32
-#define KSU_TOKEN_ENV_NAME "KSU_AUTH_TOKEN"
-#define KSU_TOKEN_EXPIRE_TIME 150
-
-#define MANUAL_SU_OP_GENERATE_TOKEN 0
-#define MANUAL_SU_OP_ESCALATE 1
-#define MANUAL_SU_OP_ADD_PENDING 2
-
-struct pending_uid {
-    uid_t uid;
-    int use_count;
-    int remove_calls;
-};
-
-struct manual_su_request {
-    uid_t target_uid;
-    pid_t target_pid;
-    char token_buffer[KSU_TOKEN_LENGTH + 1];
-};
-
-struct ksu_token_entry {
-    char token[KSU_TOKEN_LENGTH + 1];
-    unsigned long expire_time;
-    bool used;
-};
-
-int ksu_handle_manual_su_request(int option, struct manual_su_request *request);
-bool is_pending_root(uid_t uid);
-void remove_pending_root(uid_t uid);
-void ksu_try_escalate_for_uid(uid_t uid);
-#endif

kernel/pkg_observer.c

@@ -2,132 +2,150 @@
 #include <linux/module.h>
 #include <linux/fs.h>
 #include <linux/namei.h>
-#include <linux/fsnotify_backend.h>
+#include <linux/fsnotify.h>
 #include <linux/slab.h>
+#include <linux/string.h>
 #include <linux/rculist.h>
 #include <linux/version.h>
 #include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
 #include "throne_tracker.h"
-#include "throne_comm.h"
 
 #define MASK_SYSTEM (FS_CREATE | FS_MOVE | FS_EVENT_ON_CHILD)
 
 struct watch_dir {
-    const char *path;
-    u32 mask;
-    struct path kpath;
-    struct inode *inode;
-    struct fsnotify_mark *mark;
+	const char *path;
+	u32 mask;
+	struct path kpath;
+	struct inode *inode;
+	struct fsnotify_mark *mark;
 };
 
 static struct fsnotify_group *g;
 
-static int ksu_handle_inode_event(struct fsnotify_mark *mark, u32 mask,
-                  struct inode *inode, struct inode *dir,
-                  const struct qstr *file_name, u32 cookie)
+#include "pkg_observer_defs.h" // KSU_DECL_FSNOTIFY_OPS
+static KSU_DECL_FSNOTIFY_OPS(ksu_handle_generic_event)
 {
-    if (!file_name)
-        return 0;
-    if (mask & FS_ISDIR)
-        return 0;
-    if (file_name->len == 13 &&
-        !memcmp(file_name->name, "packages.list", 13)) {
-        pr_info("packages.list detected: %d\n", mask);
-        if (ksu_uid_scanner_enabled) {
-            ksu_request_userspace_scan();
-        }
-        track_throne(false);
-    }
-    return 0;
+	if (!file_name || (mask & FS_ISDIR))
+		return 0;
+
+	if (ksu_fname_len(file_name) == 13 &&
+	    !memcmp(ksu_fname_arg(file_name), "packages.list", 13)) {
+		pr_info("packages.list detected (mask=%d)\n", mask);
+		track_throne(false);
+	}
+	return 0;
 }
 
 static const struct fsnotify_ops ksu_ops = {
-    .handle_inode_event = ksu_handle_inode_event,
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	.handle_inode_event = ksu_handle_generic_event,
+#else
+	.handle_event = ksu_handle_generic_event,
+#endif
 };
 
-static int add_mark_on_inode(struct inode *inode, u32 mask,
-                 struct fsnotify_mark **out)
+static void __maybe_unused m_free(struct fsnotify_mark *m)
 {
-    struct fsnotify_mark *m;
+	if (m) {
+		kfree(m);
+	}
+}
 
-    m = kzalloc(sizeof(*m), GFP_KERNEL);
-    if (!m)
-        return -ENOMEM;
+static int add_mark_on_inode(struct inode *inode, u32 mask,
+			     struct fsnotify_mark **out)
+{
+	struct fsnotify_mark *m;
+	int ret;
 
-    fsnotify_init_mark(m, g);
-    m->mask = mask;
+	m = kzalloc(sizeof(*m), GFP_KERNEL);
+	if (!m)
+		return -ENOMEM;
 
-    if (fsnotify_add_inode_mark(m, inode, 0)) {
-        fsnotify_put_mark(m);
-        return -EINVAL;
-    }
-    *out = m;
-    return 0;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 12, 0)
+	fsnotify_init_mark(m, m_free);
+	m->mask = mask;
+	ret = fsnotify_add_mark(m, g, inode, NULL, 0);
+#else
+	fsnotify_init_mark(m, g);
+	m->mask = mask;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
+	ret = fsnotify_add_inode_mark(m, inode, 0);
+#else
+	ret = fsnotify_add_mark(m, inode, NULL, 0);
+#endif
+#endif
+
+	if (ret < 0) {
+		fsnotify_put_mark(m);
+		return ret;
+	}
+
+	*out = m;
+	return 0;
 }
 
 static int watch_one_dir(struct watch_dir *wd)
 {
-    int ret = kern_path(wd->path, LOOKUP_FOLLOW, &wd->kpath);
-    if (ret) {
-        pr_info("path not ready: %s (%d)\n", wd->path, ret);
-        return ret;
-    }
-    wd->inode = d_inode(wd->kpath.dentry);
-    ihold(wd->inode);
+	int ret = kern_path(wd->path, LOOKUP_FOLLOW, &wd->kpath);
+	if (ret) {
+		pr_info("path not ready: %s (%d)\n", wd->path, ret);
+		return ret;
+	}
+	wd->inode = d_inode(wd->kpath.dentry);
+	ihold(wd->inode);
 
-    ret = add_mark_on_inode(wd->inode, wd->mask, &wd->mark);
-    if (ret) {
-        pr_err("Add mark failed for %s (%d)\n", wd->path, ret);
-        path_put(&wd->kpath);
-        iput(wd->inode);
-        wd->inode = NULL;
-        return ret;
-    }
-    pr_info("watching %s\n", wd->path);
-    return 0;
+	ret = add_mark_on_inode(wd->inode, wd->mask, &wd->mark);
+	if (ret) {
+		pr_err("Add mark failed for %s (%d)\n", wd->path, ret);
+		path_put(&wd->kpath);
+		iput(wd->inode);
+		wd->inode = NULL;
+		return ret;
+	}
+	pr_info("watching %s\n", wd->path);
+	return 0;
 }
 
 static void unwatch_one_dir(struct watch_dir *wd)
 {
-    if (wd->mark) {
-        fsnotify_destroy_mark(wd->mark, g);
-        fsnotify_put_mark(wd->mark);
-        wd->mark = NULL;
-    }
-    if (wd->inode) {
-        iput(wd->inode);
-        wd->inode = NULL;
-    }
-    if (wd->kpath.dentry) {
-        path_put(&wd->kpath);
-        memset(&wd->kpath, 0, sizeof(wd->kpath));
-    }
+	if (wd->mark) {
+		fsnotify_destroy_mark(wd->mark, g);
+		fsnotify_put_mark(wd->mark);
+		wd->mark = NULL;
+	}
+	if (wd->inode) {
+		iput(wd->inode);
+		wd->inode = NULL;
+	}
+	if (wd->kpath.dentry) {
+		path_put(&wd->kpath);
+		memset(&wd->kpath, 0, sizeof(wd->kpath));
+	}
 }
 
 static struct watch_dir g_watch = { .path = "/data/system",
-                    .mask = MASK_SYSTEM };
+				    .mask = MASK_SYSTEM };
 
 int ksu_observer_init(void)
 {
-    int ret = 0;
+	int ret = 0;
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
-    g = fsnotify_alloc_group(&ksu_ops, 0);
+	g = fsnotify_alloc_group(&ksu_ops, 0);
 #else
-    g = fsnotify_alloc_group(&ksu_ops);
+	g = fsnotify_alloc_group(&ksu_ops);
 #endif
-    if (IS_ERR(g))
-        return PTR_ERR(g);
+	if (IS_ERR(g))
+		return PTR_ERR(g);
 
-    ret = watch_one_dir(&g_watch);
-    pr_info("observer init done\n");
-    return 0;
+	ret = watch_one_dir(&g_watch);
+	pr_info("%s: done.\n", __func__);
+	return 0;
 }
 
 void ksu_observer_exit(void)
 {
-    unwatch_one_dir(&g_watch);
-    fsnotify_put_group(g);
-    pr_info("observer exit done\n");
-}
+	unwatch_one_dir(&g_watch);
+	fsnotify_put_group(g);
+	pr_info("%s: done.\n", __func__);
+}

kernel/pkg_observer_defs.h

@@ -0,0 +1,42 @@
+// This header should not be used outside of pkg_observer.c!
+
+#include <linux/version.h>
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
+typedef const struct qstr *ksu_fname_t;
+#define ksu_fname_len(f) ((f)->len)
+#define ksu_fname_arg(f) ((f)->name)
+#else
+typedef const unsigned char *ksu_fname_t;
+#define ksu_fname_len(f) (strlen(f))
+#define ksu_fname_arg(f) (f)
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+#define KSU_DECL_FSNOTIFY_OPS(name)                                            \
+	int name(struct fsnotify_mark *mark, u32 mask, struct inode *inode,    \
+		 struct inode *dir, const struct qstr *file_name, u32 cookie)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
+#define KSU_DECL_FSNOTIFY_OPS(name)                                            \
+	int name(struct fsnotify_group *group, struct inode *inode, u32 mask,  \
+		 const void *data, int data_type, ksu_fname_t file_name,       \
+		 u32 cookie, struct fsnotify_iter_info *iter_info)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 18, 0)
+#define KSU_DECL_FSNOTIFY_OPS(name)                                            \
+	int name(struct fsnotify_group *group, struct inode *inode, u32 mask,  \
+		 const void *data, int data_type, ksu_fname_t file_name,       \
+		 u32 cookie, struct fsnotify_iter_info *iter_info)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 12, 0)
+#define KSU_DECL_FSNOTIFY_OPS(name)                                            \
+	int name(struct fsnotify_group *group, struct inode *inode,            \
+		 struct fsnotify_mark *inode_mark,                             \
+		 struct fsnotify_mark *vfsmount_mark, u32 mask,                \
+		 const void *data, int data_type, ksu_fname_t file_name,       \
+		 u32 cookie, struct fsnotify_iter_info *iter_info)
+#else
+#define KSU_DECL_FSNOTIFY_OPS(name)                                            \
+	int name(struct fsnotify_group *group, struct inode *inode,            \
+		 struct fsnotify_mark *inode_mark,                             \
+		 struct fsnotify_mark *vfsmount_mark, u32 mask, void *data,    \
+		 int data_type, ksu_fname_t file_name, u32 cookie)
+#endif

kernel/seccomp_cache.c

@@ -1,6 +1,7 @@
 #include <linux/version.h>
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 #include <linux/fs.h>
-#include <linux/nsproxy.h>
 #include <linux/sched/task.h>
 #include <linux/uaccess.h>
 #include <linux/filter.h>
@@ -8,62 +9,59 @@
 #include "klog.h" // IWYU pragma: keep
 #include "seccomp_cache.h"
 
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
 struct action_cache {
-    DECLARE_BITMAP(allow_native, SECCOMP_ARCH_NATIVE_NR);
+	DECLARE_BITMAP(allow_native, SECCOMP_ARCH_NATIVE_NR);
 #ifdef SECCOMP_ARCH_COMPAT
-    DECLARE_BITMAP(allow_compat, SECCOMP_ARCH_COMPAT_NR);
+	DECLARE_BITMAP(allow_compat, SECCOMP_ARCH_COMPAT_NR);
 #endif
 };
 
 struct seccomp_filter {
-    refcount_t refs;
-    refcount_t users;
-    bool log;
+	refcount_t refs;
+	refcount_t users;
+	bool log;
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
-    bool wait_killable_recv;
+	bool wait_killable_recv;
 #endif
-    struct action_cache cache;
-    struct seccomp_filter *prev;
-    struct bpf_prog *prog;
-    struct notification *notif;
-    struct mutex notify_lock;
-    wait_queue_head_t wqh;
+	struct action_cache cache;
+	struct seccomp_filter *prev;
+	struct bpf_prog *prog;
+	struct notification *notif;
+	struct mutex notify_lock;
+	wait_queue_head_t wqh;
 };
 
 void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr)
 {
-    if (!filter) {
-        return;
-    }
+	if (!filter) {
+		return;
+	}
 
-    if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
-        clear_bit(nr, filter->cache.allow_native);
-    }
+	if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
+		clear_bit(nr, filter->cache.allow_native);
+	}
 
 #ifdef SECCOMP_ARCH_COMPAT
-    if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
-        clear_bit(nr, filter->cache.allow_compat);
-    }
+	if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
+		clear_bit(nr, filter->cache.allow_compat);
+	}
 #endif
 }
 
 void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr)
 {
-    if (!filter) {
-        return;
-    }
+	if (!filter) {
+		return;
+	}
 
-    if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
-        set_bit(nr, filter->cache.allow_native);
-    }
+	if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
+		set_bit(nr, filter->cache.allow_native);
+	}
 
 #ifdef SECCOMP_ARCH_COMPAT
-    if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
-        set_bit(nr, filter->cache.allow_compat);
-    }
+	if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
+		set_bit(nr, filter->cache.allow_compat);
+	}
 #endif
 }
-
-#endif
+#endif

kernel/seccomp_cache.h

@@ -4,9 +4,9 @@
 #include <linux/fs.h>
 #include <linux/version.h>
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
 extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
 #endif
 
-#endif
+#endif

kernel/selinux/Makefile

@@ -1,8 +0,0 @@
-obj-y += selinux.o
-obj-y += sepolicy.o
-obj-y += rules.o
-
-ccflags-y += -Wno-strict-prototypes -Wno-int-conversion
-ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
-ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
-ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h

kernel/selinux/rules.c

@@ -9,7 +9,9 @@
 #include "linux/lsm_audit.h" // IWYU pragma: keep
 #include "xfrm.h"
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 #define SELINUX_POLICY_INSTEAD_SELINUX_SS
+#endif
 
 #define KERNEL_SU_DOMAIN "su"
 #define KERNEL_SU_FILE "ksu_file"
@@ -18,119 +20,126 @@
 
 static struct policydb *get_policydb(void)
 {
-    struct policydb *db;
-    struct selinux_policy *policy = selinux_state.policy;
-    db = &policy->policydb;
-    return db;
+	struct policydb *db;
+// selinux_state does not exists before 4.19
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
+#ifdef SELINUX_POLICY_INSTEAD_SELINUX_SS
+	struct selinux_policy *policy = selinux_state.policy;
+	db = &policy->policydb;
+#else
+	struct selinux_ss *ss = selinux_state.ss;
+	db = &ss->policydb;
+#endif
+#else
+	db = &policydb;
+#endif
+	return db;
 }
 
 static DEFINE_MUTEX(ksu_rules);
 
-void apply_kernelsu_rules()
+void apply_kernelsu_rules(void)
 {
-    struct policydb *db;
+	struct policydb *db;
 
-    if (!getenforce()) {
-        pr_info("SELinux permissive or disabled, apply rules!\n");
-    }
+	if (!getenforce()) {
+		pr_info("SELinux permissive or disabled, apply rules!\n");
+	}
 
-    mutex_lock(&ksu_rules);
+	mutex_lock(&ksu_rules);
 
-    db = get_policydb();
+	db = get_policydb();
 
-    ksu_permissive(db, KERNEL_SU_DOMAIN);
-    ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
-    ksu_typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
-    ksu_typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
+	ksu_permissive(db, KERNEL_SU_DOMAIN);
+	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
+	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
+	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
 
-    // Create unconstrained file type
-    ksu_type(db, KERNEL_SU_FILE, "file_type");
-    ksu_typeattribute(db, KERNEL_SU_FILE, "mlstrustedobject");
-    ksu_allow(db, ALL, KERNEL_SU_FILE, ALL, ALL);
+	// Create unconstrained file type
+	ksu_type(db, KERNEL_SU_FILE, "file_type");
+	ksu_typeattribute(db, KERNEL_SU_FILE, "mlstrustedobject");
+	ksu_allow(db, ALL, KERNEL_SU_FILE, ALL, ALL);
 
-    // allow all!
-    ksu_allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
+	// allow all!
+	ksu_allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
 
-    // allow us do any ioctl
-    if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
-        ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
-        ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
-        ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
-        ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "file", ALL);
-    }
+	// allow us do any ioctl
+	if (db->policyvers >= POLICYDB_VERSION_XPERMS_IOCTL) {
+		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
+		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
+		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
+		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "file", ALL);
+	}
 
-    // we need to save allowlist in /data/adb/ksu
-    ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
-    ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
-    // we need to search /data/app
-    ksu_allow(db, "kernel", "apk_data_file", "file", "open");
-    ksu_allow(db, "kernel", "apk_data_file", "dir", "open");
-    ksu_allow(db, "kernel", "apk_data_file", "dir", "read");
-    ksu_allow(db, "kernel", "apk_data_file", "dir", "search");
-    // we may need to do mount on shell
-    ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
-    // we need to read /data/system/packages.list
-    ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
-    // Android 10+:
-    // http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
-    ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
-    // Kernel 4.4
-    ksu_allow(db, "kernel", "packages_list_file", "dir", ALL);
-    // Android 9-:
-    // http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
-    ksu_allow(db, "kernel", "system_data_file", "file", ALL);
-    ksu_allow(db, "kernel", "system_data_file", "dir", ALL);
-    // our ksud triggered by init
-    ksu_allow(db, "init", "adb_data_file", "file", ALL);
-    ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289
-    ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
-    // we need to umount modules in zygote
-    ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
+	// we need to save allowlist in /data/adb/ksu
+	ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
+	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
+	// we need to search /data/app
+	ksu_allow(db, "kernel", "apk_data_file", "file", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "read");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "search");
+	// we may need to do mount on shell
+	ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
+	// we need to read /data/system/packages.list
+	ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
+	// Android 10+:
+	// http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
+	ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
+	// Kernel 4.4
+	ksu_allow(db, "kernel", "packages_list_file", "dir", ALL);
+	// Android 9-:
+	// http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
+	ksu_allow(db, "kernel", "system_data_file", "file", ALL);
+	ksu_allow(db, "kernel", "system_data_file", "dir", ALL);
+	// our ksud triggered by init
+	ksu_allow(db, "init", "adb_data_file", "file", ALL);
+	ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289
+	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
+	// we need to umount modules in zygote
+	ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
 
-    // copied from Magisk rules
-    // suRights
-    ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
-    ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
-    ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
-    ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
-    ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
+	// copied from Magisk rules
+	// suRights
+	ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "search");
+	ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "dir", "read");
+	ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "open");
+	ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "file", "read");
+	ksu_allow(db, "servicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "process", "sigchld");
 
-    // allowLog
-    ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
-    ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
-    ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
-    ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
+	// allowLog
+	ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "dir", "search");
+	ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "read");
+	ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "open");
+	ksu_allow(db, "logd", KERNEL_SU_DOMAIN, "file", "getattr");
 
-    // dumpsys
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
+	// dumpsys
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fd", "use");
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "write");
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "read");
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "open");
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "fifo_file", "getattr");
 
-    // bootctl
-    ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
-    ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
-    ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
-    ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
-          "getattr");
+	// bootctl
+	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
+	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
+	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
+	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
+		  "getattr");
 
-    // For mounting loop devices, mirrors, tmpfs
-    ksu_allow(db, "kernel", ALL, "file", "read");
-    ksu_allow(db, "kernel", ALL, "file", "write");
+	// For mounting loop devices, mirrors, tmpfs
+	ksu_allow(db, "kernel", ALL, "file", "read");
+	ksu_allow(db, "kernel", ALL, "file", "write");
 
-    // Allow all binder transactions
-    ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
+	// Allow all binder transactions
+	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
-    // Allow system server kill su process
-    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
-    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
+	// Allow system server kill su process
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
 
-    // https://android-review.googlesource.com/c/platform/system/logging/+/3725346
-    ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr");
-
-    mutex_unlock(&ksu_rules);
+	mutex_unlock(&ksu_rules);
 }
 
 #define MAX_SEPOL_LEN 128
@@ -146,332 +155,369 @@ void apply_kernelsu_rules()
 #define CMD_GENFSCON 9
 
 struct sepol_data {
-    u32 cmd;
-    u32 subcmd;
-    char __user *sepol1;
-    char __user *sepol2;
-    char __user *sepol3;
-    char __user *sepol4;
-    char __user *sepol5;
-    char __user *sepol6;
-    char __user *sepol7;
+	u32 cmd;
+	u32 subcmd;
+	u64 sepol1;
+	u64 sepol2;
+	u64 sepol3;
+	u64 sepol4;
+	u64 sepol5;
+	u64 sepol6;
+	u64 sepol7;
 };
 
 static int get_object(char *buf, char __user *user_object, size_t buf_sz,
-              char **object)
+		      char **object)
 {
-    if (!user_object) {
-        *object = ALL;
-        return 0;
-    }
+	if (!user_object) {
+		*object = ALL;
+		return 0;
+	}
 
-    if (strncpy_from_user(buf, user_object, buf_sz) < 0) {
-        return -EINVAL;
-    }
+	if (strncpy_from_user(buf, user_object, buf_sz) < 0) {
+		return -EINVAL;
+	}
 
-    *object = buf;
+	*object = buf;
 
-    return 0;
+	return 0;
 }
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) ||                           \
+	!defined(KSU_COMPAT_USE_SELINUX_STATE)
 extern int avc_ss_reset(u32 seqno);
 #else
 extern int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
 #endif
 // reset avc cache table, otherwise the new rules will not take effect if already denied
-static void reset_avc_cache()
+static void reset_avc_cache(void)
 {
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
-    avc_ss_reset(0);
-    selnl_notify_policyload(0);
-    selinux_status_update_policyload(0);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0) ||                           \
+	!defined(KSU_COMPAT_USE_SELINUX_STATE)
+	avc_ss_reset(0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(0);
 #else
-    struct selinux_avc *avc = selinux_state.avc;
-    avc_ss_reset(avc, 0);
-    selnl_notify_policyload(0);
-    selinux_status_update_policyload(&selinux_state, 0);
+	struct selinux_avc *avc = selinux_state.avc;
+	avc_ss_reset(avc, 0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(&selinux_state, 0);
 #endif
-    selinux_xfrm_notify_policyload();
+	selinux_xfrm_notify_policyload();
 }
 
 int handle_sepolicy(unsigned long arg3, void __user *arg4)
 {
-    struct policydb *db;
+	struct policydb *db;
 
-    if (!arg4) {
-        return -EINVAL;
-    }
+	if (!arg4) {
+		return -EINVAL;
+	}
 
-    if (!getenforce()) {
-        pr_info("SELinux permissive or disabled when handle policy!\n");
-    }
+	if (!getenforce()) {
+		pr_info("SELinux permissive or disabled when handle policy!\n");
+	}
 
-    struct sepol_data data;
-    if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
-        pr_err("sepol: copy sepol_data failed.\n");
-        return -EINVAL;
-    }
+	struct sepol_data data;
+	if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
+		pr_err("sepol: copy sepol_data failed.\n");
+		return -EINVAL;
+	}
 
-    u32 cmd = data.cmd;
-    u32 subcmd = data.subcmd;
+	u32 cmd = data.cmd;
+	u32 subcmd = data.subcmd;
 
-    mutex_lock(&ksu_rules);
+	mutex_lock(&ksu_rules);
 
-    db = get_policydb();
+	db = get_policydb();
 
-    int ret = -EINVAL;
-    if (cmd == CMD_NORMAL_PERM) {
-        char src_buf[MAX_SEPOL_LEN];
-        char tgt_buf[MAX_SEPOL_LEN];
-        char cls_buf[MAX_SEPOL_LEN];
-        char perm_buf[MAX_SEPOL_LEN];
+	int ret = -EINVAL;
+	switch (cmd) {
+	case CMD_NORMAL_PERM: {
+		char src_buf[MAX_SEPOL_LEN];
+		char tgt_buf[MAX_SEPOL_LEN];
+		char cls_buf[MAX_SEPOL_LEN];
+		char perm_buf[MAX_SEPOL_LEN];
 
-        char *s, *t, *c, *p;
-        if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
-            pr_err("sepol: copy src failed.\n");
-            goto exit;
-        }
+		char *s, *t, *c, *p;
+		if (get_object(src_buf, (void __user *)data.sepol1,
+			       sizeof(src_buf), &s) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
 
-        if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
-            pr_err("sepol: copy tgt failed.\n");
-            goto exit;
-        }
+		if (get_object(tgt_buf, (void __user *)data.sepol2,
+			       sizeof(tgt_buf), &t) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
 
-        if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
-            pr_err("sepol: copy cls failed.\n");
-            goto exit;
-        }
+		if (get_object(cls_buf, (void __user *)data.sepol3,
+			       sizeof(cls_buf), &c) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
 
-        if (get_object(perm_buf, data.sepol4, sizeof(perm_buf), &p) <
-            0) {
-            pr_err("sepol: copy perm failed.\n");
-            goto exit;
-        }
+		if (get_object(perm_buf, (void __user *)data.sepol4,
+			       sizeof(perm_buf), &p) < 0) {
+			pr_err("sepol: copy perm failed.\n");
+			goto exit;
+		}
 
-        bool success = false;
-        if (subcmd == 1) {
-            success = ksu_allow(db, s, t, c, p);
-        } else if (subcmd == 2) {
-            success = ksu_deny(db, s, t, c, p);
-        } else if (subcmd == 3) {
-            success = ksu_auditallow(db, s, t, c, p);
-        } else if (subcmd == 4) {
-            success = ksu_dontaudit(db, s, t, c, p);
-        } else {
-            pr_err("sepol: unknown subcmd: %d\n", subcmd);
-        }
-        ret = success ? 0 : -EINVAL;
+		bool success = false;
 
-    } else if (cmd == CMD_XPERM) {
-        char src_buf[MAX_SEPOL_LEN];
-        char tgt_buf[MAX_SEPOL_LEN];
-        char cls_buf[MAX_SEPOL_LEN];
+		if (subcmd == 1) {
+			success = ksu_allow(db, s, t, c, p);
+		} else if (subcmd == 2) {
+			success = ksu_deny(db, s, t, c, p);
+		} else if (subcmd == 3) {
+			success = ksu_auditallow(db, s, t, c, p);
+		} else if (subcmd == 4) {
+			success = ksu_dontaudit(db, s, t, c, p);
+		} else {
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
+		}
+		ret = success ? 0 : -EINVAL;
+		break;
+	}
+	case CMD_XPERM: {
+		char src_buf[MAX_SEPOL_LEN];
+		char tgt_buf[MAX_SEPOL_LEN];
+		char cls_buf[MAX_SEPOL_LEN];
 
-        char __maybe_unused
-            operation[MAX_SEPOL_LEN]; // it is always ioctl now!
-        char perm_set[MAX_SEPOL_LEN];
+		char __maybe_unused
+			operation[MAX_SEPOL_LEN]; // it is always ioctl now!
+		char perm_set[MAX_SEPOL_LEN];
 
-        char *s, *t, *c;
-        if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
-            pr_err("sepol: copy src failed.\n");
-            goto exit;
-        }
-        if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
-            pr_err("sepol: copy tgt failed.\n");
-            goto exit;
-        }
-        if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
-            pr_err("sepol: copy cls failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(operation, data.sepol4,
-                      sizeof(operation)) < 0) {
-            pr_err("sepol: copy operation failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(perm_set, data.sepol5, sizeof(perm_set)) <
-            0) {
-            pr_err("sepol: copy perm_set failed.\n");
-            goto exit;
-        }
+		char *s, *t, *c;
+		if (get_object(src_buf, (void __user *)data.sepol1,
+			       sizeof(src_buf), &s) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (get_object(tgt_buf, (void __user *)data.sepol2,
+			       sizeof(tgt_buf), &t) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (get_object(cls_buf, (void __user *)data.sepol3,
+			       sizeof(cls_buf), &c) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(operation, (void __user *)data.sepol4,
+				      sizeof(operation)) < 0) {
+			pr_err("sepol: copy operation failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(perm_set, (void __user *)data.sepol5,
+				      sizeof(perm_set)) < 0) {
+			pr_err("sepol: copy perm_set failed.\n");
+			goto exit;
+		}
 
-        bool success = false;
-        if (subcmd == 1) {
-            success = ksu_allowxperm(db, s, t, c, perm_set);
-        } else if (subcmd == 2) {
-            success = ksu_auditallowxperm(db, s, t, c, perm_set);
-        } else if (subcmd == 3) {
-            success = ksu_dontauditxperm(db, s, t, c, perm_set);
-        } else {
-            pr_err("sepol: unknown subcmd: %d\n", subcmd);
-        }
-        ret = success ? 0 : -EINVAL;
-    } else if (cmd == CMD_TYPE_STATE) {
-        char src[MAX_SEPOL_LEN];
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_allowxperm(db, s, t, c, perm_set);
+		} else if (subcmd == 2) {
+			success = ksu_auditallowxperm(db, s, t, c, perm_set);
+		} else if (subcmd == 3) {
+			success = ksu_dontauditxperm(db, s, t, c, perm_set);
+		} else {
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
+		}
+		ret = success ? 0 : -EINVAL;
+		break;
+	}
+	case CMD_TYPE_STATE: {
+		char src[MAX_SEPOL_LEN];
 
-        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
-            pr_err("sepol: copy src failed.\n");
-            goto exit;
-        }
+		if (strncpy_from_user(src, (void __user *)data.sepol1,
+				      sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
 
-        bool success = false;
-        if (subcmd == 1) {
-            success = ksu_permissive(db, src);
-        } else if (subcmd == 2) {
-            success = ksu_enforce(db, src);
-        } else {
-            pr_err("sepol: unknown subcmd: %d\n", subcmd);
-        }
-        if (success)
-            ret = 0;
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_permissive(db, src);
+		} else if (subcmd == 2) {
+			success = ksu_enforce(db, src);
+		} else {
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
+		}
+		if (success)
+			ret = 0;
+		break;
+	}
+	case CMD_TYPE:
+	case CMD_TYPE_ATTR: {
+		char type[MAX_SEPOL_LEN];
+		char attr[MAX_SEPOL_LEN];
 
-    } else if (cmd == CMD_TYPE || cmd == CMD_TYPE_ATTR) {
-        char type[MAX_SEPOL_LEN];
-        char attr[MAX_SEPOL_LEN];
+		if (strncpy_from_user(type, (void __user *)data.sepol1,
+				      sizeof(type)) < 0) {
+			pr_err("sepol: copy type failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(attr, (void __user *)data.sepol2,
+				      sizeof(attr)) < 0) {
+			pr_err("sepol: copy attr failed.\n");
+			goto exit;
+		}
 
-        if (strncpy_from_user(type, data.sepol1, sizeof(type)) < 0) {
-            pr_err("sepol: copy type failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(attr, data.sepol2, sizeof(attr)) < 0) {
-            pr_err("sepol: copy attr failed.\n");
-            goto exit;
-        }
+		bool success = false;
+		if (cmd == CMD_TYPE) {
+			success = ksu_type(db, type, attr);
+		} else {
+			success = ksu_typeattribute(db, type, attr);
+		}
+		if (!success) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+		break;
+	}
+	case CMD_ATTR: {
+		char attr[MAX_SEPOL_LEN];
 
-        bool success = false;
-        if (cmd == CMD_TYPE) {
-            success = ksu_type(db, type, attr);
-        } else {
-            success = ksu_typeattribute(db, type, attr);
-        }
-        if (!success) {
-            pr_err("sepol: %d failed.\n", cmd);
-            goto exit;
-        }
-        ret = 0;
+		if (strncpy_from_user(attr, (void __user *)data.sepol1,
+				      sizeof(attr)) < 0) {
+			pr_err("sepol: copy attr failed.\n");
+			goto exit;
+		}
+		if (!ksu_attribute(db, attr)) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+		break;
+	}
+	case CMD_TYPE_TRANSITION: {
+		char src[MAX_SEPOL_LEN];
+		char tgt[MAX_SEPOL_LEN];
+		char cls[MAX_SEPOL_LEN];
+		char default_type[MAX_SEPOL_LEN];
+		char object[MAX_SEPOL_LEN];
 
-    } else if (cmd == CMD_ATTR) {
-        char attr[MAX_SEPOL_LEN];
+		if (strncpy_from_user(src, (void __user *)data.sepol1,
+				      sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(tgt, (void __user *)data.sepol2,
+				      sizeof(tgt)) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(cls, (void __user *)data.sepol3,
+				      sizeof(cls)) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(default_type, (void __user *)data.sepol4,
+				      sizeof(default_type)) < 0) {
+			pr_err("sepol: copy default_type failed.\n");
+			goto exit;
+		}
+		char *real_object;
+		if ((void __user *)data.sepol5 == NULL) {
+			real_object = NULL;
+		} else {
+			if (strncpy_from_user(object,
+					      (void __user *)data.sepol5,
+					      sizeof(object)) < 0) {
+				pr_err("sepol: copy object failed.\n");
+				goto exit;
+			}
+			real_object = object;
+		}
 
-        if (strncpy_from_user(attr, data.sepol1, sizeof(attr)) < 0) {
-            pr_err("sepol: copy attr failed.\n");
-            goto exit;
-        }
-        if (!ksu_attribute(db, attr)) {
-            pr_err("sepol: %d failed.\n", cmd);
-            goto exit;
-        }
-        ret = 0;
+		bool success = ksu_type_transition(db, src, tgt, cls,
+						   default_type, real_object);
+		if (success)
+			ret = 0;
+		break;
+	}
+	case CMD_TYPE_CHANGE: {
+		char src[MAX_SEPOL_LEN];
+		char tgt[MAX_SEPOL_LEN];
+		char cls[MAX_SEPOL_LEN];
+		char default_type[MAX_SEPOL_LEN];
 
-    } else if (cmd == CMD_TYPE_TRANSITION) {
-        char src[MAX_SEPOL_LEN];
-        char tgt[MAX_SEPOL_LEN];
-        char cls[MAX_SEPOL_LEN];
-        char default_type[MAX_SEPOL_LEN];
-        char object[MAX_SEPOL_LEN];
+		if (strncpy_from_user(src, (void __user *)data.sepol1,
+				      sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(tgt, (void __user *)data.sepol2,
+				      sizeof(tgt)) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(cls, (void __user *)data.sepol3,
+				      sizeof(cls)) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(default_type, (void __user *)data.sepol4,
+				      sizeof(default_type)) < 0) {
+			pr_err("sepol: copy default_type failed.\n");
+			goto exit;
+		}
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_type_change(db, src, tgt, cls,
+						  default_type);
+		} else if (subcmd == 2) {
+			success = ksu_type_member(db, src, tgt, cls,
+						  default_type);
+		} else {
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
+		}
+		if (success)
+			ret = 0;
+		break;
+	}
+	case CMD_GENFSCON: {
+		char name[MAX_SEPOL_LEN];
+		char path[MAX_SEPOL_LEN];
+		char context[MAX_SEPOL_LEN];
+		if (strncpy_from_user(name, (void __user *)data.sepol1,
+				      sizeof(name)) < 0) {
+			pr_err("sepol: copy name failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(path, (void __user *)data.sepol2,
+				      sizeof(path)) < 0) {
+			pr_err("sepol: copy path failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(context, (void __user *)data.sepol3,
+				      sizeof(context)) < 0) {
+			pr_err("sepol: copy context failed.\n");
+			goto exit;
+		}
 
-        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
-            pr_err("sepol: copy src failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
-            pr_err("sepol: copy tgt failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
-            pr_err("sepol: copy cls failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(default_type, data.sepol4,
-                      sizeof(default_type)) < 0) {
-            pr_err("sepol: copy default_type failed.\n");
-            goto exit;
-        }
-        char *real_object;
-        if (data.sepol5 == NULL) {
-            real_object = NULL;
-        } else {
-            if (strncpy_from_user(object, data.sepol5,
-                          sizeof(object)) < 0) {
-                pr_err("sepol: copy object failed.\n");
-                goto exit;
-            }
-            real_object = object;
-        }
-
-        bool success = ksu_type_transition(db, src, tgt, cls,
-                           default_type, real_object);
-        if (success)
-            ret = 0;
-
-    } else if (cmd == CMD_TYPE_CHANGE) {
-        char src[MAX_SEPOL_LEN];
-        char tgt[MAX_SEPOL_LEN];
-        char cls[MAX_SEPOL_LEN];
-        char default_type[MAX_SEPOL_LEN];
-
-        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
-            pr_err("sepol: copy src failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
-            pr_err("sepol: copy tgt failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
-            pr_err("sepol: copy cls failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(default_type, data.sepol4,
-                      sizeof(default_type)) < 0) {
-            pr_err("sepol: copy default_type failed.\n");
-            goto exit;
-        }
-        bool success = false;
-        if (subcmd == 1) {
-            success = ksu_type_change(db, src, tgt, cls,
-                          default_type);
-        } else if (subcmd == 2) {
-            success = ksu_type_member(db, src, tgt, cls,
-                          default_type);
-        } else {
-            pr_err("sepol: unknown subcmd: %d\n", subcmd);
-        }
-        if (success)
-            ret = 0;
-    } else if (cmd == CMD_GENFSCON) {
-        char name[MAX_SEPOL_LEN];
-        char path[MAX_SEPOL_LEN];
-        char context[MAX_SEPOL_LEN];
-        if (strncpy_from_user(name, data.sepol1, sizeof(name)) < 0) {
-            pr_err("sepol: copy name failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(path, data.sepol2, sizeof(path)) < 0) {
-            pr_err("sepol: copy path failed.\n");
-            goto exit;
-        }
-        if (strncpy_from_user(context, data.sepol3, sizeof(context)) <
-            0) {
-            pr_err("sepol: copy context failed.\n");
-            goto exit;
-        }
-
-        if (!ksu_genfscon(db, name, path, context)) {
-            pr_err("sepol: %d failed.\n", cmd);
-            goto exit;
-        }
-        ret = 0;
-    } else {
-        pr_err("sepol: unknown cmd: %d\n", cmd);
-    }
+		if (!ksu_genfscon(db, name, path, context)) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+		break;
+	}
+	default: {
+		pr_err("sepol: unknown cmd: %d\n", cmd);
+		break;
+	}
+	}
 
 exit:
-    mutex_unlock(&ksu_rules);
+	mutex_unlock(&ksu_rules);
 
-    // only allow and xallow needs to reset avc cache, but we cannot do that because
-    // we are in atomic context. so we just reset it every time.
-    reset_avc_cache();
+	// only allow and xallow needs to reset avc cache, but we cannot do that because
+	// we are in atomic context. so we just reset it every time.
+	reset_avc_cache();
 
-    return ret;
-}
+	return ret;
+}

kernel/selinux/selinux.c

@@ -1,154 +1,184 @@
-#include "selinux.h"
 #include "linux/cred.h"
 #include "linux/sched.h"
-#include "objsec.h"
+#include "linux/security.h"
 #include "linux/version.h"
+#include "selinux_defs.h"
 #include "../klog.h" // IWYU pragma: keep
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
 static int transive_to_domain(const char *domain)
 {
-    struct cred *cred;
-    struct task_security_struct *tsec;
-    u32 sid;
-    int error;
+	struct cred *cred;
+	struct task_security_struct *tsec;
+	u32 sid;
+	int error;
 
-    cred = (struct cred *)__task_cred(current);
+	cred = (struct cred *)__task_cred(current);
 
-    tsec = cred->security;
-    if (!tsec) {
-        pr_err("tsec == NULL!\n");
-        return -1;
-    }
+	tsec = cred->security;
+	if (!tsec) {
+		pr_err("tsec == NULL!\n");
+		return -1;
+	}
 
-    error = security_secctx_to_secid(domain, strlen(domain), &sid);
-    if (error) {
-        pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
-            domain, sid, error);
-    }
-    if (!error) {
-        tsec->sid = sid;
-        tsec->create_sid = 0;
-        tsec->keycreate_sid = 0;
-        tsec->sockcreate_sid = 0;
-    }
-    return error;
+	error = security_secctx_to_secid(domain, strlen(domain), &sid);
+	if (error) {
+		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
+			domain, sid, error);
+	}
+	if (!error) {
+		tsec->sid = sid;
+		tsec->create_sid = 0;
+		tsec->keycreate_sid = 0;
+		tsec->sockcreate_sid = 0;
+	}
+	return error;
 }
 
+#if LINUX_VERSION_CODE <= KERNEL_VERSION(4, 19, 0)
+bool __maybe_unused
+is_ksu_transition(const struct task_security_struct *old_tsec,
+		  const struct task_security_struct *new_tsec)
+{
+	static u32 ksu_sid;
+	char *secdata;
+	u32 seclen;
+	bool allowed = false;
+
+	if (!ksu_sid)
+		security_secctx_to_secid(KERNEL_SU_DOMAIN,
+					 strlen(KERNEL_SU_DOMAIN), &ksu_sid);
+
+	if (security_secid_to_secctx(old_tsec->sid, &secdata, &seclen))
+		return false;
+
+	allowed = (!strcmp("u:r:init:s0", secdata) && new_tsec->sid == ksu_sid);
+	security_release_secctx(secdata, seclen);
+	return allowed;
+}
+#endif
+
+
 void setup_selinux(const char *domain)
 {
-    if (transive_to_domain(domain)) {
-        pr_err("transive domain failed.\n");
-        return;
-    }
+	if (transive_to_domain(domain)) {
+		pr_err("transive domain failed.\n");
+		return;
+	}
 }
 
 void setenforce(bool enforce)
 {
-#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-    selinux_state.enforcing = enforce;
-#endif
+	__setenforce(enforce);
 }
 
-bool getenforce()
+bool getenforce(void)
 {
-#ifdef CONFIG_SECURITY_SELINUX_DISABLE
-    if (selinux_state.disabled) {
-        return false;
-    }
-#endif
+	if (is_selinux_disabled()) {
+		return false;
+	}
 
-#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-    return selinux_state.enforcing;
-#else
-    return true;
-#endif
+	return __is_selinux_enforcing();
 }
 
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+	!defined(KSU_COMPAT_HAS_CURRENT_SID)
+/*
+ * get the subjective security ID of the current task
+ */
+static inline u32 current_sid(void)
+{
+	const struct task_security_struct *tsec = current_security();
+
+	return tsec->sid;
+}
+#endif
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
 struct lsm_context {
-    char *context;
-    u32 len;
+	char *context;
+	u32 len;
 };
 
 static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
 {
-    return security_secid_to_secctx(secid, &cp->context, &cp->len);
+	return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
 static void __security_release_secctx(struct lsm_context *cp)
 {
-    return security_release_secctx(cp->context, cp->len);
+	security_release_secctx(cp->context, cp->len);
 }
 #else
 #define __security_secid_to_secctx security_secid_to_secctx
 #define __security_release_secctx security_release_secctx
 #endif
 
-bool is_task_ksu_domain(const struct cred* cred)
+bool is_task_ksu_domain(const struct cred *cred)
 {
-    struct lsm_context ctx;
-    bool result;
-    if (!cred) {
-        return false;
-    }
-    const struct task_security_struct *tsec = selinux_cred(cred);
-    if (!tsec) {
-        return false;
-    }
-    int err = __security_secid_to_secctx(tsec->sid, &ctx);
-    if (err) {
-        return false;
-    }
-    result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
-    __security_release_secctx(&ctx);
-    return result;
+	struct lsm_context ctx;
+	bool result;
+	if (!cred) {
+		return false;
+	}
+	const struct task_security_struct *tsec = __selinux_cred(cred);
+	if (!tsec) {
+		return false;
+	}
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
+	if (err) {
+		return false;
+	}
+	result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+	__security_release_secctx(&ctx);
+	return result;
 }
 
-bool is_ksu_domain()
+bool is_ksu_domain(void)
 {
-    current_sid();
-    return is_task_ksu_domain(current_cred());
+	current_sid();
+	return is_task_ksu_domain(current_cred());
 }
 
-bool is_context(const struct cred* cred, const char* context)
+bool is_context(const struct cred *cred, const char *context)
 {
-    if (!cred) {
-        return false;
-    }
-    const struct task_security_struct * tsec = selinux_cred(cred);
-    if (!tsec) {
-        return false;
-    }
-    struct lsm_context ctx;
-    bool result;
-    int err = __security_secid_to_secctx(tsec->sid, &ctx);
-    if (err) {
-        return false;
-    }
-    result = strncmp(context, ctx.context, ctx.len) == 0;
-    __security_release_secctx(&ctx);
-    return result;
+	if (!cred) {
+		return false;
+	}
+	const struct task_security_struct *tsec = __selinux_cred(cred);
+	if (!tsec) {
+		return false;
+	}
+	struct lsm_context ctx;
+	bool result;
+	int err = __security_secid_to_secctx(tsec->sid, &ctx);
+	if (err) {
+		return false;
+	}
+	result = strncmp(context, ctx.context, ctx.len) == 0;
+	__security_release_secctx(&ctx);
+	return result;
 }
 
-bool is_zygote(const struct cred* cred)
+bool is_zygote(const struct cred *cred)
 {
-    return is_context(cred, "u:r:zygote:s0");
+	return is_context(cred, "u:r:zygote:s0");
 }
 
-bool is_init(const struct cred* cred) {
-    return is_context(cred, "u:r:init:s0");
+bool is_init(const struct cred *cred)
+{
+	return is_context(cred, "u:r:init:s0");
 }
 
 #define KSU_FILE_DOMAIN "u:object_r:ksu_file:s0"
 
-u32 ksu_get_ksu_file_sid()
+u32 ksu_get_ksu_file_sid(void)
 {
-    u32 ksu_file_sid = 0;
-    int err = security_secctx_to_secid(KSU_FILE_DOMAIN, strlen(KSU_FILE_DOMAIN),
-                       &ksu_file_sid);
-    if (err) {
-        pr_info("get ksufile sid err %d\n", err);
-    }
-    return ksu_file_sid;
+	u32 ksu_file_sid = 0;
+	int err = security_secctx_to_secid(
+		KSU_FILE_DOMAIN, strlen(KSU_FILE_DOMAIN), &ksu_file_sid);
+	if (err) {
+		pr_info("get ksufile sid err %d\n", err);
+	}
+	return ksu_file_sid;
 }

kernel/selinux/selinux.h

@@ -5,23 +5,28 @@
 #include "linux/version.h"
 #include "linux/cred.h"
 
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) ||                        \
+	defined(KSU_COMPAT_HAS_SELINUX_STATE)
+#define KSU_COMPAT_USE_SELINUX_STATE
+#endif
+
 void setup_selinux(const char *);
 
 void setenforce(bool);
 
-bool getenforce();
+bool getenforce(void);
 
-bool is_task_ksu_domain(const struct cred* cred);
+bool is_task_ksu_domain(const struct cred *cred);
 
-bool is_ksu_domain();
+bool is_ksu_domain(void);
 
-bool is_zygote(const struct cred* cred);
+bool is_zygote(const struct cred *cred);
 
-bool is_init(const struct cred* cred);
+bool is_init(const struct cred *cred);
 
-void apply_kernelsu_rules();
+void apply_kernelsu_rules(void);
 
-u32 ksu_get_ksu_file_sid();
+u32 ksu_get_ksu_file_sid(void);
 
 int handle_sepolicy(unsigned long arg3, void __user *arg4);
 

kernel/selinux/selinux_defs.h

@@ -0,0 +1,42 @@
+#ifndef __KSU_H_SELINUX_DEFS
+#define __KSU_H_SELINUX_DEFS
+
+#include "selinux.h"
+#include "objsec.h"
+#ifdef SAMSUNG_SELINUX_PORTING
+#include "security.h" // Samsung SELinux Porting
+#endif
+#ifndef KSU_COMPAT_USE_SELINUX_STATE
+#include "avc.h"
+#endif
+
+#ifdef CONFIG_SECURITY_SELINUX_DISABLE
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
+#define is_selinux_disabled() (selinux_state.disabled)
+#else
+#define is_selinux_disabled() (selinux_disabled)
+#endif
+#else
+#define is_selinux_disabled() (0)
+#endif
+
+#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
+#define __is_selinux_enforcing() (selinux_state.enforcing)
+#define __setenforce(val) selinux_state.enforcing = val
+#elif defined(SAMSUNG_SELINUX_PORTING) || !defined(KSU_COMPAT_USE_SELINUX_STATE)
+#define __is_selinux_enforcing() (selinux_enforcing)
+#define __setenforce(val) selinux_enforcing = val
+#endif
+#else
+#define __is_selinux_enforcing() (1)
+#define __setenforce(val)
+#endif
+
+#ifdef KSU_OPTIONAL_SELINUX_CRED
+#define __selinux_cred(cred) (selinux_cred(cred))
+#else
+#define __selinux_cred(cred) (cred->security)
+#endif
+
+#endif

kernel/selinux/sepolicy.h

@@ -15,32 +15,32 @@ bool ksu_exists(struct policydb *db, const char *type);
 
 // Access vector rules
 bool ksu_allow(struct policydb *db, const char *src, const char *tgt,
-           const char *cls, const char *perm);
+	       const char *cls, const char *perm);
 bool ksu_deny(struct policydb *db, const char *src, const char *tgt,
-          const char *cls, const char *perm);
+	      const char *cls, const char *perm);
 bool ksu_auditallow(struct policydb *db, const char *src, const char *tgt,
-            const char *cls, const char *perm);
+		    const char *cls, const char *perm);
 bool ksu_dontaudit(struct policydb *db, const char *src, const char *tgt,
-           const char *cls, const char *perm);
+		   const char *cls, const char *perm);
 
 // Extended permissions access vector rules
 bool ksu_allowxperm(struct policydb *db, const char *src, const char *tgt,
-            const char *cls, const char *range);
+		    const char *cls, const char *range);
 bool ksu_auditallowxperm(struct policydb *db, const char *src, const char *tgt,
-             const char *cls, const char *range);
+			 const char *cls, const char *range);
 bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
-            const char *cls, const char *range);
+			const char *cls, const char *range);
 
 // Type rules
 bool ksu_type_transition(struct policydb *db, const char *src, const char *tgt,
-             const char *cls, const char *def, const char *obj);
+			 const char *cls, const char *def, const char *obj);
 bool ksu_type_change(struct policydb *db, const char *src, const char *tgt,
-             const char *cls, const char *def);
+		     const char *cls, const char *def);
 bool ksu_type_member(struct policydb *db, const char *src, const char *tgt,
-             const char *cls, const char *def);
+		     const char *cls, const char *def);
 
 // File system labeling
 bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
-          const char *ctx);
+		  const char *ctx);
 
 #endif