Clean unused

clean unused
Update README with SukiSU module mounting note
2025-11-30 11:06:38 +05:30 · 2025-11-30 11:05:51 +05:30 · 2025-11-29 19:04:18 +08:00 · 2025-11-26 17:15:08 +08:00 · 2025-11-24 11:33:12 +08:00 · 2025-11-24 11:32:19 +08:00
430 changed files with 32183 additions and 29699 deletions
--- a/.github/workflows/avd-kernel.yml
+++ b/.github/workflows/avd-kernel.yml
@@ -1,137 +0,0 @@
-name: GKI Kernel Build
-
-on:
-  workflow_call:
-    inputs:
-      version_name:
-        required: true
-        type: string
-        description: >
-          With SUBLEVEL of kernel,
-          for example: android12-5.10.66
-      arch:
-        required: true
-        type: string
-        description: >
-          Build arch: aarch64/x86_64
-      debug:
-        required: false
-        type: boolean
-        default: true
-      manifest_name:
-        required: false
-        type: string
-        description: >
-          Local repo manifest xml path,
-          typically for AVD kernel build.
-    secrets:
-      BOOT_SIGN_KEY:
-        required: false
-      CHAT_ID:
-        required: false
-      BOT_TOKEN:
-        required: false
-      MESSAGE_THREAD_ID:
-        required: false
-
-jobs:
-  build:
-    name: Build ${{ inputs.version_name }}
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Maximize build space
-        uses: easimon/maximize-build-space@master
-        with:
-          root-reserve-mb: 8192
-          temp-reserve-mb: 2048
-          remove-dotnet: 'true'
-          remove-android: 'true'
-          remove-haskell: 'true'
-          remove-codeql: 'true'
-
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: Setup need_upload
-        id: need_upload
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            echo "UPLOAD=true" >> $GITHUB_OUTPUT
-          else
-            echo "UPLOAD=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup kernel source
-        run: |
-          echo "Free space:"
-          df -h
-          cd $GITHUB_WORKSPACE
-          sudo apt-get install repo -y
-          mkdir android-kernel && cd android-kernel
-          repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -m "$GITHUB_WORKSPACE/KernelSU/.github/manifests/${{ inputs.manifest_name }}" --repo-rev=v2.16
-          repo --version
-          repo --trace sync -c -j$(nproc --all) --no-tags
-          df -h
-
-      - name: Setup KernelSU
-        env:
-          PATCH_PATH: ${{ inputs.patch_path }}
-          IS_DEBUG_KERNEL: ${{ inputs.debug }}
-        run: |
-          cd $GITHUB_WORKSPACE/android-kernel
-          echo "[+] KernelSU setup"
-          GKI_ROOT=$(pwd)
-          echo "[+] GKI_ROOT: $GKI_ROOT"
-          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
-          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
-          echo "[+] Add KernelSU driver to Makefile"
-          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
-          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
-          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
-          echo "[+] Apply KernelSU patches"
-          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch || echo "[-] No patch found"
-
-          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
-            echo "[+] Enable debug features for kernel"
-            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
-          fi
-          repo status
-          echo "[+] KernelSU setup done."
-          cd $GITHUB_WORKSPACE/KernelSU
-          VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
-
-      - name: Make working directory clean to avoid dirty
-        working-directory: android-kernel
-        run: |
-          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
-          git config --global user.email "bot@kernelsu.org"
-          git config --global user.name "KernelSUBot"
-          cd common/ && git add -A && git commit -a -m "Add KernelSU"
-          repo status
-
-      - name: Build kernel
-        working-directory: android-kernel
-        run: |
-          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
-            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
-            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
-          fi
-          tools/bazel run --config=fast --config=stamp --lto=thin //common-modules/virtual-device:virtual_device_${{ inputs.arch }}_dist -- --dist_dir=dist
-          NAME=kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
-          TARGET_IMAGE=dist/bzImage
-          if [ ! -e $TARGET_IMAGE ]; then
-            TARGET_IMAGE=dist/Image
-          fi
-          mv $TARGET_IMAGE $NAME
-          echo "file_path=android-kernel/$NAME" >> $GITHUB_ENV
-
-      - name: Upload Kernel
-        uses: actions/upload-artifact@v4
-        with:
-          name: kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
-          path: "${{ env.file_path }}"
--- a/.github/workflows/build-gki-image.yml
+++ b/.github/workflows/build-gki-image.yml
@@ -0,0 +1,20 @@
+name: Build Android GKI Image
+on:
+  workflow_call:
+
+jobs:
+  build-a12-kernel:
+    uses: ./.github/workflows/build-kernel-a12.yml
+    secrets: inherit
+  build-a13-kernel:
+    uses: ./.github/workflows/build-kernel-a13.yml
+    secrets: inherit
+  build-a14-kernel:
+    uses: ./.github/workflows/build-kernel-a14.yml
+    secrets: inherit
+  build-a15-kernel:
+    uses: ./.github/workflows/build-kernel-a15.yml
+    secrets: inherit
+  build-a16-kernel:
+    uses: ./.github/workflows/build-kernel-a16.yml
+    secrets: inherit
--- a/.github/workflows/build-kernel-a12.yml
+++ b/.github/workflows/build-kernel-a12.yml
@@ -0,0 +1,111 @@
+name: Build Kernel - Android 12
+on:
+  # push:
+  #   branches: ["main", "ci", "checkci"]
+  #   paths:
+  #     - ".github/workflows/deps/gki/build-kernel-a12.yml"
+  #     - ".github/workflows/deps/gki/gki-kernel.yml"
+  #     - ".github/scripts/build_a12.sh"
+  #     - "kernel/**"
+  workflow_call:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - sub_level: 209
+            os_patch_level: 2024-05
+          - sub_level: 218
+            os_patch_level: 2024-08
+          - sub_level: 226
+            os_patch_level: 2024-11
+          - sub_level: 233
+            os_patch_level: 2025-02
+          - sub_level: 236
+            os_patch_level: 2025-05
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.${{ matrix.sub_level }}
+      tag: android12-5.10-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: "5.10"
+      debug: ${{ inputs.debug || false }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a12.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android12
+          path: Image-android12*/*.img.gz
--- a/.github/workflows/build-kernel-a13.yml
+++ b/.github/workflows/build-kernel-a13.yml
@@ -0,0 +1,146 @@
+name: Build Kernel - Android 13
+on:
+  # push:
+  #   branches: ["main", "ci", "checkci"]
+  #   paths:
+  #     - ".github/workflows/deps/gki/build-kernel-a13.yml"
+  #     - ".github/workflows/deps/gki/gki-kernel.yml"
+  #     - ".github/scripts/build_a13.sh"
+  #     - "kernel/**"
+  workflow_call:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 209
+            os_patch_level: 2024-05
+          - version: "5.10"
+            sub_level: 210
+            os_patch_level: 2024-06
+          - version: "5.10"
+            sub_level: 214
+            os_patch_level: 2024-07
+          - version: "5.10"
+            sub_level: 218
+            os_patch_level: 2024-08
+          - version: "5.10"
+            sub_level: 223
+            os_patch_level: 2024-11
+          - version: "5.10"
+            sub_level: 228
+            os_patch_level: 2025-01
+          - version: "5.10"
+            sub_level: 234
+            os_patch_level: 2025-03
+          - version: "5.15"
+            sub_level: 148
+            os_patch_level: 2024-05
+          - version: "5.15"
+            sub_level: 149
+            os_patch_level: 2024-07
+          - version: "5.15"
+            sub_level: 151
+            os_patch_level: 2024-08
+          - version: "5.15"
+            sub_level: 153
+            os_patch_level: 2024-09
+          - version: "5.15"
+            sub_level: 167
+            os_patch_level: 2024-11
+          - version: "5.15"
+            sub_level: 178
+            os_patch_level: 2024-11
+          - version: "5.15"
+            sub_level: 170
+            os_patch_level: 2025-01
+          - version: "5.15"
+            sub_level: 178
+            os_patch_level: 2025-03
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: ${{ inputs.debug || false }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android13
+          path: Image-android13*/*.img.gz
--- a/.github/workflows/build-kernel-a14.yml
+++ b/.github/workflows/build-kernel-a14.yml
@@ -0,0 +1,158 @@
+name: Build Kernel - Android 14
+on:
+  # push:
+  #   branches: ["main", "ci", "checkci"]
+  #   paths:
+  #     - ".github/workflows/deps/gki/build-kernel-a14.yml"
+  #     - ".github/workflows/deps/gki/gki-kernel.yml"
+  #     - ".github/scripts/build_a13.sh"
+  #     - "kernel/**"
+  workflow_call:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "5.15"
+            sub_level: 148
+            os_patch_level: 2024-05
+          - version: "5.15"
+            sub_level: 149
+            os_patch_level: 2024-06
+          - version: "5.15"
+            sub_level: 153
+            os_patch_level: 2024-07
+          - version: "5.15"
+            sub_level: 158
+            os_patch_level: 2024-08
+          - version: "5.15"
+            sub_level: 164
+            os_patch_level: 2024-09
+          - version: "5.15"
+            sub_level: 167
+            os_patch_level: 2024-11
+          - version: "5.15"
+            sub_level: 170
+            os_patch_level: 2025-01
+          - version: "5.15"
+            sub_level: 178
+            os_patch_level: 2025-03
+          - version: "6.1"
+            sub_level: 75
+            os_patch_level: 2024-05
+          - version: "6.1"
+            sub_level: 78
+            os_patch_level: 2024-06
+          - version: "6.1"
+            sub_level: 84
+            os_patch_level: 2024-07
+          - version: "6.1"
+            sub_level: 90
+            os_patch_level: 2024-08
+          - version: "6.1"
+            sub_level: 93
+            os_patch_level: 2024-09
+          - version: "6.1"
+            sub_level: 99
+            os_patch_level: 2024-10
+          - version: "6.1"
+            sub_level: 112
+            os_patch_level: 2024-11
+          - version: "6.1"
+            sub_level: 115
+            os_patch_level: 2024-12
+          - version: "6.1"
+            sub_level: 118
+            os_patch_level: 2025-01
+          - version: "6.1"
+            sub_level: 128
+            os_patch_level: 2025-03
+          - version: "6.1"
+            sub_level: 134
+            os_patch_level: 2025-05
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android14-${{ matrix.version }}
+      version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: ${{ inputs.debug || false }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android14
+          path: Image-android14*/*.img.gz
--- a/.github/workflows/build-kernel-a15.yml
+++ b/.github/workflows/build-kernel-a15.yml
@@ -0,0 +1,131 @@
+name: Build Kernel - Android 15
+on:
+  # push:
+  #   branches: ["main", "ci", "checkci"]
+  #   paths:
+  #     - ".github/workflows/deps/gki/build-kernel-a15.yml"
+  #     - ".github/workflows/deps/gki/gki-kernel.yml"
+  #     - ".github/scripts/build_a13.sh"
+  #     - "kernel/**"
+  workflow_call:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "6.6"
+            sub_level: 30
+            os_patch_level: 2024-08
+          - version: "6.6"
+            sub_level: 46
+            os_patch_level: 2024-09
+          - version: "6.6"
+            sub_level: 50
+            os_patch_level: 2024-10
+          - version: "6.6"
+            sub_level: 56
+            os_patch_level: 2024-11
+          - version: "6.6"
+            sub_level: 57
+            os_patch_level: 2024-12
+          - version: "6.6"
+            sub_level: 58
+            os_patch_level: 2025-01
+          - version: "6.6"
+            sub_level: 66
+            os_patch_level: 2025-02
+          - version: "6.6"
+            sub_level: 77
+            os_patch_level: 2025-03
+          - version: "6.6"
+            sub_level: 82
+            os_patch_level: 2025-04
+          - version: "6.6"
+            sub_level: 87
+            os_patch_level: 2025-05
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android15-${{ matrix.version }}
+      version_name: android15-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android15-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: ${{ inputs.debug || false }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+          
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android15
+          path: Image-android15*/*.img.gz
--- a/.github/workflows/build-kernel-a16.yml
+++ b/.github/workflows/build-kernel-a16.yml
@@ -0,0 +1,104 @@
+name: Build Kernel - Android 16
+on:
+  # push:
+  #   branches: ["main", "ci", "checkci"]
+  #   paths:
+  #     - ".github/workflows/deps/gki/build-kernel-a16.yml"
+  #     - ".github/workflows/deps/gki/gki-kernel.yml"
+  #     - ".github/scripts/build_a13.sh"
+  #     - "kernel/**"
+  workflow_call:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+  workflow_dispatch:
+    inputs:
+      debug:
+        description: 'Build debug kernel'
+        required: false
+        type: boolean
+        default: false
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "6.12"
+            sub_level: 38
+            os_patch_level: 2025-08
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android16-${{ matrix.version }}
+      version_name: android16-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android16-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: ${{ inputs.debug || false }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v6
+
+      - uses: actions/checkout@v5
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v5
+        with:
+          name: boot-images-android16
+          path: Image-android16*/*.img.gz
--- a/.github/workflows/build-lkm-local.yml
+++ b/.github/workflows/build-lkm-local.yml
@@ -1,74 +0,0 @@
-name: Build LKM for KernelSU Local
-on:
-  workflow_call:
-    inputs:
-      upload:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload to branch"
-    secrets:
-      # username:github_pat
-      TOKEN:
-        required: true
-  workflow_dispatch:
-    inputs:
-      upload:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload to branch"
-jobs:
-  build-lkm:
-    strategy:
-      matrix:
-        include:
-          - version: "android12-5.10"
-            sub_level: 236
-            os_patch_level: 2025-05
-          - version: "android13-5.10"
-            sub_level: 234
-            os_patch_level: 2025-03
-          - version: "android13-5.15"
-            sub_level: 178
-            os_patch_level: 2025-03
-          - version: "android14-5.15"
-            sub_level: 178
-            os_patch_level: 2025-03
-          - version: "android14-6.1"
-            sub_level: 134
-            os_patch_level: 2025-05
-          - version: "android15-6.6"
-            sub_level: 87
-            os_patch_level: 2025-05
-    # uses: ./.github/workflows/gki-kernel-mock.yml when debugging
-    uses: ./.github/workflows/gki-kernel-local.yml
-    with:
-      version: ${{ matrix.version }}
-      version_name: ${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: ${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      build_lkm: true
-
-  push-to-branch:
-    needs: [build-lkm]
-    runs-on: self-hosted
-    if: ${{ inputs.upload }}
-    steps:
-      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: bin/
-          merge-multiple: true
-      - name: Push to branch LKM
-        run: |
-          cd bin
-          git config --global init.defaultBranch lkm
-          git init
-          git remote add origin https://${{ secrets.TOKEN }}@github.com/${{ github.repository }}
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          find . -type f
-          git add .
-          git commit -m "Upload LKM from ${{ github.sha }}" -m "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          git push --force --set-upstream origin lkm
--- a/.github/workflows/build-lkm.yml
+++ b/.github/workflows/build-lkm.yml
@@ -1,74 +1,21 @@
 name: Build LKM for KernelSU
 on:
  workflow_call:
-    inputs:
-      upload:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload to branch"
-    secrets:
-      # username:github_pat
-      TOKEN:
-        required: true
  workflow_dispatch:
-    inputs:
-      upload:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload to branch"
 jobs:
  build-lkm:
    strategy:
+      fail-fast: false
      matrix:
-        include:
-          - version: "android12-5.10"
-            sub_level: 237
-            os_patch_level: 2025-06
-          - version: "android13-5.10"
-            sub_level: 236
-            os_patch_level: 2025-05
-          - version: "android13-5.15"
-            sub_level: 180
-            os_patch_level: 2025-05
-          - version: "android14-5.15"
-            sub_level: 180
-            os_patch_level: 2025-05
-          - version: "android14-6.1"
-            sub_level: 138
-            os_patch_level: 2025-06
-          - version: "android15-6.6"
-            sub_level: 89
-            os_patch_level: 2025-06
-    # uses: ./.github/workflows/gki-kernel-mock.yml when debugging
-    uses: ./.github/workflows/gki-kernel.yml
+        kmi:
+          - android12-5.10
+          - android13-5.10
+          - android13-5.15
+          - android14-5.15
+          - android14-6.1
+          - android15-6.6
+          - android16-6.12
+    uses: ./.github/workflows/ddk-lkm.yml
    with:
-      version: ${{ matrix.version }}
-      version_name: ${{ matrix.version }}.${{ matrix.sub_level }}
-      tag: ${{ matrix.version }}-${{ matrix.os_patch_level }}
-      os_patch_level: ${{ matrix.os_patch_level }}
-      build_lkm: true
-
-  push-to-branch:
-    needs: [build-lkm]
-    runs-on: ubuntu-latest
-    if: ${{ inputs.upload }}
-    steps:
-      - name: Download all workflow run artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: bin/
-          merge-multiple: true
-      - name: Push to branch LKM
-        run: |
-          cd bin
-          git config --global init.defaultBranch lkm
-          git init
-          git remote add origin https://${{ secrets.TOKEN }}@github.com/${{ github.repository }}
-          git config --local user.name "github-actions[bot]"
-          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          find . -type f
-          git add .
-          git commit -m "Upload LKM from ${{ github.sha }}" -m "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-          git push --force --set-upstream origin lkm
+      kmi: ${{ matrix.kmi }}
+      ddk_release: '20251104'
--- a/.github/workflows/build-manager-manual.yml
+++ b/.github/workflows/build-manager-manual.yml
@@ -1,252 +0,0 @@
-name: Build Manager Manual
-
-on:
-  workflow_dispatch:
-    inputs:
-      build_lkm:
-        required: true
-        type: choice
-        default: "auto"
-        options:
-          - "true"
-          - "false"
-          - "auto"
-        description: "Whether to build lkm"
-      upload_lkm:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload lkm"
-jobs:
-  check-build-lkm:
-    runs-on: self-hosted
-    outputs:
-      build_lkm: ${{ steps.check-build.outputs.build_lkm }}
-      upload_lkm: ${{ steps.check-build.outputs.upload_lkm }}
-    steps:
-      - name: check build
-        id: check-build
-        run: |
-          if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ "${{ inputs.build_lkm }}" != "auto" ]; then
-            kernel_changed="${{ inputs.build_lkm }}"
-          else
-            kernel_changed=true
-            mkdir tmp
-            cd tmp
-            git config --global init.defaultBranch bot
-            git config --global user.name 'Bot'
-            git config --global user.email 'bot@github.shirkneko.io'
-            git init .
-            git remote add origin https://github.com/${{ github.repository }}
-            CURRENT_COMMIT="${{ github.event.head_commit.id }}"
-            git fetch origin $CURRENT_COMMIT --depth=1
-            git fetch origin lkm --depth=1
-            LKM_COMMIT="$(git log --format=%B -n 1 origin/lkm | head -n 1)"
-            LKM_COMMIT="${LKM_COMMIT#Upload LKM from }"
-            LKM_COMMIT=$(echo "$LKM_COMMIT" | tr -d '[:space:]')
-            echo "LKM_COMMIT=$LKM_COMMIT"
-            git fetch origin "$LKM_COMMIT" --depth=1
-            git diff --quiet "$LKM_COMMIT" "$CURRENT_COMMIT" -- kernel :!kernel/setup.sh .github/workflows/build-lkm-local.yml .github/workflows/build-kernel-*.yml && kernel_changed=false
-            cd ..
-            rm -rf tmp
-          fi
-          if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == 'refs/heads/main' ]; then
-            need_upload=true
-          elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
-            need_upload="${{ inputs.upload_lkm }}"
-          else
-            need_upload=false
-          fi
-          echo "kernel changed: $kernel_changed"
-          echo "need upload: $need_upload"
-          echo "build_lkm=$kernel_changed" >> "$GITHUB_OUTPUT"
-          echo "upload_lkm=$need_upload" >> "$GITHUB_OUTPUT"
-
-  build-lkm:
-    needs: check-build-lkm
-    uses: ./.github/workflows/build-lkm-local.yml
-    if: ${{ needs.check-build-lkm.outputs.build_lkm == 'true' }}
-    with:
-      upload: ${{ needs.check-build-lkm.outputs.upload_lkm == 'true' }}
-    secrets: inherit
-  build-susfs:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-            os: ubuntu-latest
-    uses: ./.github/workflows/susfs.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-      
-  build-kpmmgr:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-            os: ubuntu-latest
-    uses: ./.github/workflows/kpmmgr.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-
-  build-ksud:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-            os: ubuntu-latest
-          - target: x86_64-linux-android
-            os: ubuntu-latest
-          - target: armv7-linux-androideabi
-            os: ubuntu-latest
-    uses: ./.github/workflows/ksud.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-      pack_lkm: true
-      pull_lkm: ${{ needs.check-build-lkm.outputs.build_lkm != 'true' }}
-
-  build-manager:
-    if: ${{ always() }}
-    needs: build-ksud
-    runs-on: self-hosted
-    defaults:
-      run:
-        working-directory: ./manager
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup need_upload
-        id: need_upload
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            echo "UPLOAD=true" >> $GITHUB_OUTPUT
-          else
-            echo "UPLOAD=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Write key
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref == 'refs/heads/susfs' || github.ref_type == 'tag' }}
-        run: |
-          if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
-            {
-              echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}'
-              echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}'
-              echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}'
-              echo KEYSTORE_FILE='key.jks'
-            } >> gradle.properties
-            echo "${{ secrets.KEYSTORE }}" | base64 -d > key.jks
-          fi
-                  
-      - name: Download arm64 susfs
-        uses: actions/download-artifact@v4
-        with:
-          name: susfs-aarch64-linux-android
-          path: .
-
-      - name: Download arm64 kpmmgr
-        uses: actions/download-artifact@v4
-        with:
-          name: kpmmgr-aarch64-linux-android
-          path: .
-
-      - name: Download arm64 ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-aarch64-linux-android
-          path: .
-
-      - name: Download x86_64 ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-x86_64-linux-android
-          path: .
-
-      - name: Download arm ksud
-        uses: actions/download-artifact@v4
-        with:
-          name: ksud-armv7-linux-androideabi
-          path: .
-  
-      - name: Copy ksud to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          mkdir -p app/src/main/jniLibs/x86_64
-          mkdir -p app/src/main/jniLibs/armeabi-v7a
-          cp -f ../aarch64-linux-android/release/zakozako ../manager/app/src/main/jniLibs/arm64-v8a/libzakozako.so
-          cp -f ../x86_64-linux-android/release/zakozako ../manager/app/src/main/jniLibs/x86_64/libzakozako.so
-          cp -f ../armv7-linux-androideabi/release/zakozako ../manager/app/src/main/jniLibs/armeabi-v7a/libzakozako.so
-
-      - name: Copy kpmmgr to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          cp -f ../arm64-v8a/kpmmgr ../manager/app/src/main/jniLibs/arm64-v8a/libkpmmgr.so
-      
-      - name: Copy susfs to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          cp -f ../arm64-v8a/zakozakozako ../manager/app/src/main/jniLibs/arm64-v8a/libzakozakozako.so
-
-      - name: Build with Gradle
-        run: |
-          export ANDROID_HOME=/root/.android/sdk
-          export PATH=$ANDROID_HOME/platform-tools:$ANDROID_HOME/tools:$ANDROID_HOME/tools/bin:$PATH
-          {
-            echo 'org.gradle.parallel=true'
-            echo 'org.gradle.vfs.watch=true'
-            echo 'org.gradle.jvmargs=-Xmx2048m'
-            echo 'android.native.buildOutput=verbose'
-          } >> gradle.properties
-          sed -i 's/org.gradle.configuration-cache=true//g' gradle.properties
-          ./gradlew clean assembleRelease
-
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-        with:
-          name: manager
-          path: manager/app/build/outputs/apk/release/*.apk
-
-      - name: Upload mappings
-        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-        with:
-          name: "mappings"
-          path: "manager/app/build/outputs/mapping/release/"
-      
-      - name: Bot session cache
-        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-        id: bot_session_cache
-        uses: actions/cache@v4
-        with:
-          path: scripts/ksubot.session
-          key: ${{ runner.os }}-bot-session
-
-      - name: Upload to telegram
-        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-        env:
-          CHAT_ID: ${{ vars.CHAT_ID }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ vars.MESSAGE_THREAD_ID }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          TITLE: Manager
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            export VERSION=$(git rev-list --count HEAD)
-            APK=$(find ./app/build/outputs/apk/release -name "*.apk")
-            python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
-          fi
--- a/.github/workflows/build-manager.yml
+++ b/.github/workflows/build-manager.yml
@@ -2,116 +2,43 @@ name: Build Manager

 on:
  push:
-    branches: [ "main", "ci" ]
+    branches: [ "main", "dev", "ci", "miuix" ]
    paths:
      - '.github/workflows/build-manager.yml'
+      - '.github/workflows/build-lkm.yml'
      - 'manager/**'
      - 'kernel/**'
      - 'userspace/ksud/**'
-      - 'userspace/susfs/**'
-      - 'userspace/kpmmgr/**'
+      - 'userspace/user_scanner/**'
  pull_request:
-    branches: [ "main" ]
+    branches: [ "main", "dev", "miuix" ]
    paths:
+      - '.github/workflows/build-manager.yml'
+      - '.github/workflows/build-lkm.yml'
      - 'manager/**'
+      - 'kernel/**'
+      - 'userspace/ksud/**'
+      - 'userspace/user_scanner/**'
  workflow_call:
-  workflow_dispatch:
-    inputs:
-      build_lkm:
-        required: true
-        type: choice
-        default: "auto"
-        options:
-          - "true"
-          - "false"
-          - "auto"
-        description: "Whether to build lkm"
-      upload_lkm:
-        required: true
-        type: boolean
-        default: true
-        description: "Whether to upload lkm"
+
 jobs:
-  check-build-lkm:
-    runs-on: ubuntu-latest
-    outputs:
-      build_lkm: ${{ steps.check-build.outputs.build_lkm }}
-      upload_lkm: ${{ steps.check-build.outputs.upload_lkm }}
-    steps:
-      - name: check build
-        id: check-build
-        run: |
-          if [ "${{ github.event_name }}" == "workflow_dispatch" ] && [ "${{ inputs.build_lkm }}" != "auto" ]; then
-            kernel_changed="${{ inputs.build_lkm }}"
-          else
-            kernel_changed=true
-            mkdir tmp
-            cd tmp
-            git config --global init.defaultBranch bot
-            git config --global user.name 'Bot'
-            git config --global user.email 'bot@github.shirkneko.io'
-            git init .
-            git remote add origin https://github.com/${{ github.repository }}
-            CURRENT_COMMIT="${{ github.event.head_commit.id }}"
-            git fetch origin $CURRENT_COMMIT --depth=1
-            git fetch origin lkm --depth=1
-            LKM_COMMIT="$(git log --format=%B -n 1 origin/lkm | head -n 1)"
-            LKM_COMMIT="${LKM_COMMIT#Upload LKM from }"
-            LKM_COMMIT=$(echo "$LKM_COMMIT" | tr -d '[:space:]')
-            echo "LKM_COMMIT=$LKM_COMMIT"
-            git fetch origin "$LKM_COMMIT" --depth=1
-            git diff --quiet "$LKM_COMMIT" "$CURRENT_COMMIT" -- kernel :!kernel/setup.sh .github/workflows/build-lkm.yml .github/workflows/build-kernel-*.yml && kernel_changed=false
-            cd ..
-            rm -rf tmp
-          fi
-          if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == 'refs/heads/main' ]; then
-            need_upload=true
-          elif [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
-            need_upload="${{ inputs.upload_lkm }}"
-          else
-            need_upload=false
-          fi
-          echo "kernel changed: $kernel_changed"
-          echo "need upload: $need_upload"
-          echo "build_lkm=$kernel_changed" >> "$GITHUB_OUTPUT"
-          echo "upload_lkm=$need_upload" >> "$GITHUB_OUTPUT"
-
  build-lkm:
-    needs: check-build-lkm
    uses: ./.github/workflows/build-lkm.yml
-    if: ${{ needs.check-build-lkm.outputs.build_lkm == 'true' }}
-    with:
-      upload: ${{ needs.check-build-lkm.outputs.upload_lkm == 'true' }}
    secrets: inherit
-  build-susfs:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
+  build-user_scanner:
+    needs: build-lkm
    strategy:
      matrix:
        include:
-          - target: aarch64-linux-android
+          - target: All-linux-android
            os: ubuntu-latest
-    uses: ./.github/workflows/susfs.yml
-    with:
-      target: ${{ matrix.target }}
-      os: ${{ matrix.os }}
-      
-  build-kpmmgr:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-            os: ubuntu-latest
-    uses: ./.github/workflows/kpmmgr.yml
+    uses: ./.github/workflows/user_scanner.yml
    with:
      target: ${{ matrix.target }}
      os: ${{ matrix.os }}

  build-ksud:
-    if: ${{ always() }}
-    needs: [ check-build-lkm, build-lkm ]
+    needs: build-lkm
    strategy:
      matrix:
        include:
@@ -125,13 +52,13 @@ jobs:
    with:
      target: ${{ matrix.target }}
      os: ${{ matrix.os }}
-      pack_lkm: true
-      pull_lkm: ${{ needs.check-build-lkm.outputs.build_lkm != 'true' }}

  build-manager:
-    if: ${{ always() }}
    needs: build-ksud
    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        spoofed: ["true","false"]
    defaults:
      run:
        working-directory: ./manager
@@ -151,8 +78,34 @@ jobs:
            echo "UPLOAD=false" >> $GITHUB_OUTPUT
          fi

+
+      - name: Determine manager variant for telegram bot
+        id: determine
+        run: |
+          if [ "${{ github.ref_name }}" == "miuix" ] && [ "${{ matrix.spoofed }}" == "true" ]; then
+            echo "SKIP=true" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          if [ "${{ github.ref_name }}" == "miuix" ]; then
+            echo "title=Manager" >> $GITHUB_OUTPUT
+            echo "topicid=${{ vars.MESSAGE_MIUIX_THREAD_ID }}" >> $GITHUB_OUTPUT
+          elif [ "${{ matrix.spoofed }}" == "true" ]; then
+            echo "title=Spoofed-Manager" >> $GITHUB_OUTPUT
+            # maybe need a new var
+            echo "topicid=${{ vars.MESSAGE_SPOOFED_THREAD_ID }}" >> $GITHUB_OUTPUT
+          else
+            echo "title=Manager" >> $GITHUB_OUTPUT
+            echo "topicid=${{ vars.MESSAGE_THREAD_ID }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run randomizer
+        if: ${{ matrix.spoofed == 'true' && steps.determine.outputs.SKIP != 'true' }}
+        run: |
+          chmod +x randomizer
+          ./randomizer
+
      - name: Write key
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref == 'refs/heads/susfs' || github.ref_type == 'tag' }}
+        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
        run: |
          if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
            {
@@ -176,16 +129,10 @@ jobs:
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3

-      - name: Download arm64 susfs
+      - name: Download all userscanner artifacts
        uses: actions/download-artifact@v4
        with:
-          name: susfs-aarch64-linux-android
-          path: .
-
-      - name: Download arm64 kpmmgr
-        uses: actions/download-artifact@v4
-        with:
-          name: kpmmgr-aarch64-linux-android
+          name: userscanner-all-linux-android
          path: .

      - name: Download arm64 ksud
@@ -211,62 +158,48 @@ jobs:
          mkdir -p app/src/main/jniLibs/arm64-v8a
          mkdir -p app/src/main/jniLibs/x86_64
          mkdir -p app/src/main/jniLibs/armeabi-v7a
-          cp -f ../aarch64-linux-android/release/zakozako ../manager/app/src/main/jniLibs/arm64-v8a/libzakozako.so
-          cp -f ../x86_64-linux-android/release/zakozako ../manager/app/src/main/jniLibs/x86_64/libzakozako.so
-          cp -f ../armv7-linux-androideabi/release/zakozako ../manager/app/src/main/jniLibs/armeabi-v7a/libzakozako.so
+          cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
+          cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
+          cp -f ../armv7-linux-androideabi/release/ksud ../manager/app/src/main/jniLibs/armeabi-v7a/libksud.so

-      - name: Copy kpmmgr to app jniLibs
+      - name: Copy user_scanner to app jniLibs
        run: |
          mkdir -p app/src/main/jniLibs/arm64-v8a
-          cp -f ../arm64-v8a/kpmmgr ../manager/app/src/main/jniLibs/arm64-v8a/libkpmmgr.so
-      
-      - name: Copy susfs to app jniLibs
-        run: |
-          mkdir -p app/src/main/jniLibs/arm64-v8a
-          cp -f ../arm64-v8a/zakozakozako ../manager/app/src/main/jniLibs/arm64-v8a/libzakozakozako.so
+          mkdir -p app/src/main/jniLibs/x86_64
+          mkdir -p app/src/main/jniLibs/armeabi-v7a
+          cp -f ../arm64-v8a/uid_scanner ../manager/app/src/main/jniLibs/arm64-v8a/libuid_scanner.so
+          cp -f ../x86_64/uid_scanner ../manager/app/src/main/jniLibs/x86_64/libuid_scanner.so
+          cp -f ../armeabi-v7a/uid_scanner ../manager/app/src/main/jniLibs/armeabi-v7a/libuid_scanner.so

      - name: Build with Gradle
-        run: |
-          {
-            echo 'org.gradle.parallel=true'
-            echo 'org.gradle.vfs.watch=true'
-            echo 'org.gradle.jvmargs=-Xmx2048m'
-            echo 'android.native.buildOutput=verbose'
-          } >> gradle.properties
-          sed -i 's/org.gradle.configuration-cache=true//g' gradle.properties
-          ./gradlew clean assembleRelease
+        if: ${{ steps.determine.outputs.SKIP != 'true' }}
+        run: ./gradlew clean assembleRelease
+
      - name: Upload build artifact
        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
        with:
-          name: manager
+          name: ${{ steps.determine.outputs.title }}
          path: manager/app/build/outputs/apk/release/*.apk

      - name: Upload mappings
        uses: actions/upload-artifact@v4
-        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        if: ${{ ( github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' )) || github.ref_type == 'tag' }}
        with:
-          name: "mappings"
+          name: "${{ steps.determine.outputs.title }}-mappings"
          path: "manager/app/build/outputs/mapping/release/"

-      - name: Bot session cache
-        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-        id: bot_session_cache
-        uses: actions/cache@v4
-        with:
-          path: scripts/ksubot.session
-          key: ${{ runner.os }}-bot-session
-
      - name: Upload to telegram
-        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
+        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true' && steps.determine.outputs.SKIP != 'true'
        env:
          CHAT_ID: ${{ vars.CHAT_ID }}
          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ vars.MESSAGE_THREAD_ID }}
+          MESSAGE_THREAD_ID: ${{ steps.determine.outputs.topicid }}
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
          COMMIT_URL: ${{ github.event.head_commit.url }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          TITLE: Manager
+          TITLE: ${{ steps.determine.outputs.title }}
+          BRANCH: ${{ github.ref_name }}
        run: |
          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
            export VERSION=$(git rev-list --count HEAD)
--- a/.github/workflows/ddk-lkm.yml
+++ b/.github/workflows/ddk-lkm.yml
@@ -0,0 +1,53 @@
+name: Build KernelSU Kernel Module
+
+on:
+  workflow_call:
+    inputs:
+      kmi:
+        description: 'KMI version'
+        required: true
+        type: string
+      ddk_release:
+        description: 'DDK release version'
+        required: false
+        default: '20251104'
+        type: string
+
+jobs:
+  build-kernelsu-ko:
+    name: Build kernelsu.ko for ${{ inputs.kmi }}
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/ylarod/ddk:${{ inputs.kmi }}-${{ inputs.ddk_release }}
+      options: --privileged
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v4
+
+    - name: Build kernelsu.ko
+      run: |
+        git config --global --add safe.directory /__w/SukiSU-Ultra/SukiSU-Ultra
+        cd kernel
+
+        echo "=== Building kernelsu.ko for KMI: ${{ inputs.kmi }} ==="
+        CONFIG_KSU=m CONFIG_KSU_MANUAL_SU=y make
+        
+        echo "=== Build completed ==="
+        # Create output directory in GitHub workspace
+        mkdir -p /github/workspace/out
+        # Copy with KMI-specific naming
+        OUTPUT_NAME="${{ inputs.kmi }}_kernelsu.ko"
+        cp kernelsu.ko "/github/workspace/out/$OUTPUT_NAME"
+        
+        echo "Copied to: /github/workspace/out/$OUTPUT_NAME"
+        ls -la "/github/workspace/out/$OUTPUT_NAME"
+        echo "Size: $(du -h "/github/workspace/out/$OUTPUT_NAME" | cut -f1)"
+        llvm-strip -d "/github/workspace/out/$OUTPUT_NAME"
+        echo "Size after stripping: $(du -h "/github/workspace/out/$OUTPUT_NAME" | cut -f1)"
+        
+    - name: Upload kernelsu.ko artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ inputs.kmi }}-lkm
+        path: /github/workspace/out/${{ inputs.kmi }}_kernelsu.ko
--- a/.github/workflows/gki-kernel-local.yml
+++ b/.github/workflows/gki-kernel-local.yml
@@ -1,252 +0,0 @@
-name: GKI Kernel Build Local
-
-on:
-  workflow_call:
-    inputs:
-      version:
-        required: true
-        type: string
-        description: >
-          Output directory of gki,
-          for example: android12-5.10
-      version_name:
-        required: true
-        type: string
-        description: >
-          With SUBLEVEL of kernel,
-          for example: android12-5.10.66
-      tag:
-        required: true
-        type: string
-        description: >
-          Part of branch name of common kernel manifest,
-          for example: android12-5.10-2021-11
-      os_patch_level:
-        required: false
-        type: string
-        description: >
-          Patch level of common kernel manifest,
-          for example: 2021-11
-        default: 2022-05
-      patch_path:
-        required: false
-        type: string
-        description: >
-          Directory name of .github/patches/<patch_path>
-          for example: 5.10
-      use_cache:
-        required: false
-        type: boolean
-        default: true
-      embed_ksud:
-        required: false
-        type: string
-        default: ksud-aarch64-linux-android
-        description: >
-          Artifact name of prebuilt ksud to be embedded
-          for example: ksud-aarch64-linux-android
-      debug:
-        required: false
-        type: boolean
-        default: false
-      build_lkm:
-        required: false
-        type: boolean
-        default: false
-    secrets:
-      BOOT_SIGN_KEY:
-        required: false
-      CHAT_ID:
-        required: false
-      BOT_TOKEN:
-        required: false
-      MESSAGE_THREAD_ID:
-        required: false
-
-jobs:
-  build:
-    name: Build ${{ inputs.version_name }}
-    runs-on: self-hosted
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_HARDLINK: "true"
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          path: KernelSU
-          fetch-depth: 0
-
-      - name: Setup need_upload
-        id: need_upload
-        run: |
-          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-            echo "UPLOAD=true" >> $GITHUB_OUTPUT
-          else
-            echo "UPLOAD=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup kernel source
-        run: |
-          echo "Free space:"
-          df -h
-          cd $GITHUB_WORKSPACE
-          sudo apt-get install repo -y
-          export REPO_URL='https://mirrors.tuna.tsinghua.edu.cn/git/git-repo'
-          mkdir android-kernel && cd android-kernel
-          repo init --depth=1 --u https://mirrors.tuna.tsinghua.edu.cn/git/AOSP/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.35
-          REMOTE_BRANCH=$(git ls-remote https://mirrors.tuna.tsinghua.edu.cn/git/AOSP/kernel/common ${{ inputs.tag }})
-          DEFAULT_MANIFEST_PATH=.repo/manifests/default.xml
-          if grep -q deprecated <<< $REMOTE_BRANCH; then
-            echo "Found deprecated branch: ${{ inputs.tag }}"
-            sed -i 's/"${{ inputs.tag }}"/"deprecated\/${{ inputs.tag }}"/g' $DEFAULT_MANIFEST_PATH
-            cat $DEFAULT_MANIFEST_PATH
-          fi
-          repo --version
-          repo --trace sync -c -j$(nproc --all) --no-tags
-          df -h
-
-      - name: Setup KernelSU
-        env:
-          PATCH_PATH: ${{ inputs.patch_path }}
-          IS_DEBUG_KERNEL: ${{ inputs.debug }}
-        run: |
-          cd $GITHUB_WORKSPACE/android-kernel
-          echo "[+] KernelSU setup"
-          GKI_ROOT=$(pwd)
-          echo "[+] GKI_ROOT: $GKI_ROOT"
-          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
-          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
-          echo "[+] Add KernelSU driver to Makefile"
-          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
-          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
-          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
-          echo "[+] Apply Compilation Patches"
-          if [ ! -e build/build.sh ]; then
-            GLIBC_VERSION=$(ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}')
-            echo "GLIBC_VERSION: $GLIBC_VERSION"
-            if [ "$(printf '%s\n' "2.38" "$GLIBC_VERSION" | sort -V | head -n1)" = "2.38" ]; then
-              echo "Patching resolve_btfids/Makefile"
-              cd $GKI_ROOT/common/ && sed -i '/\$(Q)\$(MAKE) -C \$(SUBCMD_SRC) OUTPUT=\$(abspath \$(dir \$@))\/ \$(abspath \$@)/s//$(Q)$(MAKE) -C $(SUBCMD_SRC) EXTRA_CFLAGS="$(CFLAGS)" OUTPUT=$(abspath $(dir $@))\/ $(abspath $@)/' tools/bpf/resolve_btfids/Makefile || echo "No patch needed."
-            fi
-          fi
-
-          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
-            echo "[+] Enable debug features for kernel"
-            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
-          fi
-          repo status
-          echo "[+] KernelSU setup done."
-
-      - name: Symbol magic
-        run: |
-          echo "[+] Export all symbol from abi_gki_aarch64.xml"
-          COMMON_ROOT=$GITHUB_WORKSPACE/android-kernel/common
-          KSU_ROOT=$GITHUB_WORKSPACE/KernelSU
-          ABI_XML=$COMMON_ROOT/android/abi_gki_aarch64.xml
-          SYMBOL_LIST=$COMMON_ROOT/android/abi_gki_aarch64
-          # python3 $KSU_ROOT/scripts/abi_gki_all.py $ABI_XML > $SYMBOL_LIST
-          echo "[+] Add KernelSU symbols"
-          cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
-
-      - name: Setup ccache
-        if: inputs.use_cache == true
-        uses: hendrikmuhs/ccache-action@v1
-        with:
-          key: gki-kernel-aarch64-${{ inputs.version_name }}
-          max-size: 2G
-          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-
-      - name: Setup for LKM
-        if: ${{ inputs.build_lkm == true }}
-        working-directory: android-kernel
-        run: |
-          pip install ast-grep-cli
-          sudo apt-get install llvm-15 -y
-          ast-grep -U -p '$$$ check_exports($$$) {$$$}' -r '' common/scripts/mod/modpost.c
-          ast-grep -U -p 'check_exports($$$);' -r '' common/scripts/mod/modpost.c
-          sed -i '/config KSU/,/help/{s/default y/default m/}' common/drivers/kernelsu/Kconfig
-          echo "drivers/kernelsu/kernelsu.ko" >> common/android/gki_aarch64_modules
-
-          # bazel build, android14-5.15, android14-6.1 use bazel
-          if [ ! -e build/build.sh ]; then
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
-            if [ -e common/modules.bzl ]; then
-              sed -i 's/_COMMON_GKI_MODULES_LIST = \[/_COMMON_GKI_MODULES_LIST = \[ "drivers\/kernelsu\/kernelsu.ko",/g' common/modules.bzl
-            fi
-          else
-            TARGET_FILE="build/kernel/build.sh"
-            if [ ! -e "$TARGET_FILE" ]; then
-              TARGET_FILE="build/build.sh"
-            fi
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' $TARGET_FILE || echo "No unknown symbol in $TARGET_FILE"
-            sed -i 's/if ! diff -u "\${KERNEL_DIR}\/\${MODULES_ORDER}" "\${OUT_DIR}\/modules\.order"; then/if false; then/g' $TARGET_FILE
-            sed -i 's@${ROOT_DIR}/build/abi/compare_to_symbol_list@echo@g' $TARGET_FILE
-            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
-          fi
-
-      - name: Make working directory clean to avoid dirty
-        working-directory: android-kernel
-        run: |
-          if [  -e common/BUILD.bazel ]; then
-            sed -i '/^[[:space:]]*"protected_exports_list"[[:space:]]*:[[:space:]]*"android\/abi_gki_protected_exports_aarch64",$/d' common/BUILD.bazel
-          fi
-          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
-          git config --global user.email "bot@kernelsu.org"
-          git config --global user.name "KernelSUBot"
-          cd common/ && git add -A && git commit -a -m "Add KernelSU"
-          repo status
-
-      - name: Build Kernel/LKM
-        working-directory: android-kernel
-        run: |
-          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
-            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
-            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
-          fi
-          if [ -e build/build.sh ]; then
-            LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh CC="/usr/bin/ccache clang"
-          else
-            tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --dist_dir=dist
-          fi
-
-      - name: Prepare artifacts
-        id: prepareArtifacts
-        run: |
-          OUTDIR=android-kernel/out/${{ inputs.version }}/dist
-          if [ ! -e $OUTDIR ]; then
-            OUTDIR=android-kernel/dist
-          fi
-          mkdir output
-          if [ "${{ inputs.build_lkm}}" = "true" ]; then 
-            llvm-strip-15 -d $OUTDIR/kernelsu.ko
-            mv $OUTDIR/kernelsu.ko ./output/${{ inputs.version }}_kernelsu.ko
-          else
-            cp $OUTDIR/Image ./output/
-            cp $OUTDIR/Image.lz4 ./output/
-            git clone https://github.com/Kernel-SU/AnyKernel3
-            rm -rf ./AnyKernel3/.git
-            cp $OUTDIR/Image ./AnyKernel3/
-          fi
-
-      - name: Upload Image and Image.gz
-        uses: actions/upload-artifact@v4
-        if: ${{ inputs.build_lkm == false }}
-        with:
-          name: Image-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
-          path: ./output/*
-
-      - name: Upload AnyKernel3
-        if: ${{ inputs.build_lkm == false }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
-          path: ./AnyKernel3/*
-
-      - name: Upload LKM
-        uses: actions/upload-artifact@v4
-        if: ${{ inputs.build_lkm == true }}
-        with:
-          name: ${{ inputs.version }}-lkm
-          path: ./output/*_kernelsu.ko
--- a/.github/workflows/gki-kernel-mock.yml
+++ b/.github/workflows/gki-kernel-mock.yml
@@ -1,79 +0,0 @@
-name: GKI Kernel Build
-
-on:
-  workflow_call:
-    inputs:
-      version:
-        required: true
-        type: string
-        description: >
-          Output directory of gki,
-          for example: android12-5.10
-      version_name:
-        required: true
-        type: string
-        description: >
-          With SUBLEVEL of kernel,
-          for example: android12-5.10.66
-      tag:
-        required: true
-        type: string
-        description: >
-          Part of branch name of common kernel manifest,
-          for example: android12-5.10-2021-11
-      os_patch_level:
-        required: false
-        type: string
-        description: >
-          Patch level of common kernel manifest,
-          for example: 2021-11
-        default: 2022-05
-      patch_path:
-        required: false
-        type: string
-        description: >
-          Directory name of .github/patches/<patch_path>
-          for example: 5.10
-      use_cache:
-        required: false
-        type: boolean
-        default: true
-      embed_ksud:
-        required: false
-        type: string
-        default: ksud-aarch64-linux-android
-        description: >
-          Artifact name of prebuilt ksud to be embedded
-          for example: ksud-aarch64-linux-android
-      debug:
-        required: false
-        type: boolean
-        default: false
-      build_lkm:
-        required: false
-        type: boolean
-        default: false
-    secrets:
-      BOOT_SIGN_KEY:
-        required: false
-      CHAT_ID:
-        required: false
-      BOT_TOKEN:
-        required: false
-      MESSAGE_THREAD_ID:
-        required: false
-
-jobs:
-  mock_build:
-    name: Mock build ${{ inputs.version_name }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create mocking ko
-        run: |
-          echo "${{ inputs.version }}_kernelsu.ko" > ${{ inputs.version }}_kernelsu.ko
-      - name: Upload LKM
-        uses: actions/upload-artifact@v4
-        if: ${{ inputs.build_lkm == true }}
-        with:
-          name: ${{ inputs.version }}-lkm
-          path: ./*_kernelsu.ko
--- a/.github/workflows/gki-kernel.yml
+++ b/.github/workflows/gki-kernel.yml
@@ -77,10 +77,10 @@ jobs:
        with:
          root-reserve-mb: 8192
          temp-reserve-mb: 2048
-          remove-dotnet: 'true'
-          remove-android: 'true'
-          remove-haskell: 'true'
-          remove-codeql: 'true'
+          remove-dotnet: "true"
+          remove-android: "true"
+          remove-haskell: "true"
+          remove-codeql: "true"

      - uses: actions/checkout@v4
        with:
@@ -103,7 +103,7 @@ jobs:
          cd $GITHUB_WORKSPACE
          sudo apt-get install repo -y
          mkdir android-kernel && cd android-kernel
-          repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.35
+          repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.16
          REMOTE_BRANCH=$(git ls-remote https://android.googlesource.com/kernel/common ${{ inputs.tag }})
          DEFAULT_MANIFEST_PATH=.repo/manifests/default.xml
          if grep -q deprecated <<< $REMOTE_BRANCH; then
@@ -195,12 +195,35 @@ jobs:
            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
          fi

+      - name: Append ashmem exports if missing
+        if: startsWith(inputs.version, 'android16-6.12')
+        working-directory: android-kernel
+        run: |
+          FILE=common/drivers/staging/android/ashmem.c
+          if [[ -f "$FILE" ]] && ! grep -q 'is_ashmem_file' "$FILE"; then
+          cat >>"$FILE" <<'EOF'
+
+          bool is_ashmem_file(struct file *file) { return false; }
+          int ashmem_area_name(struct file *file, char *name) { return 0; }
+          long ashmem_area_size(struct file *file) { return 0; }
+          struct file *ashmem_area_vmfile(struct file *file) { return NULL; }
+          EXPORT_SYMBOL_GPL(is_ashmem_file);
+          EXPORT_SYMBOL_GPL(ashmem_area_name);
+          EXPORT_SYMBOL_GPL(ashmem_area_size);
+          EXPORT_SYMBOL_GPL(ashmem_area_vmfile);
+          EOF
+          fi
+
+          sed -i -E 's/\$\(CONFIG_ANDROID_BINDER_IPC_RUST\)/m/g' common/drivers/android/Makefile
+
      - name: Make working directory clean to avoid dirty
        working-directory: android-kernel
        run: |
-          if [  -e common/BUILD.bazel ]; then
-            sed -i '/^[[:space:]]*"protected_exports_list"[[:space:]]*:[[:space:]]*"android\/abi_gki_protected_exports_aarch64",$/d' common/BUILD.bazel
+          # Fix bazel build error
+          if [ -f common/BUILD.bazel ]; then
+            [ -f android/abi_gki_protected_exports_aarch64 ] || sed -i '/^[[:space:]]*"protected_exports_list"[[:space:]]*:[[:space:]]*"android\/abi_gki_protected_exports_aarch64",$/d' common/BUILD.bazel
          fi
+
          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
          git config --global user.email "bot@kernelsu.org"
          git config --global user.name "KernelSUBot"
@@ -216,9 +239,13 @@ jobs:
          fi
          if [ -e build/build.sh ]; then
            LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh CC="/usr/bin/ccache clang"
+          else
+            if [ "${{ inputs.version }}" == "android16-6.12" ]; then
+              tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --destdir=dist
            else
              tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --dist_dir=dist
            fi
+          fi

      - name: Prepare artifacts
        id: prepareArtifacts
--- a/.github/workflows/ksud.yml
+++ b/.github/workflows/ksud.yml
@@ -9,10 +9,6 @@ on:
        required: false
        type: string
        default: ubuntu-latest
-      pull_lkm:
-        required: false
-        type: boolean
-        default: true
      pack_lkm:
        required: false
        type: boolean
@@ -21,6 +17,8 @@ on:
        required: false
        type: boolean
        default: true
+env:
+  CARGO_TERM_COLOR: always
 jobs:
  build:
    runs-on: ${{ inputs.os }}
@@ -29,24 +27,11 @@ jobs:
      with:
        fetch-depth: 0

-    - name: Pull lkms from branch
-      if: ${{ inputs.pack_lkm && inputs.pull_lkm }}
-      uses: actions/checkout@v4
-      with:
-        ref: lkm
-        path: lkm
-
-    - name: Download lkms from artifacts
-      if: ${{ inputs.pack_lkm && !inputs.pull_lkm }}
+    - name: Download artifacts
      uses: actions/download-artifact@v4
    
-    - name: Prepare LKM files
-      if: ${{ inputs.pack_lkm && inputs.pull_lkm }}
-      run: |
-        cp lkm/*_kernelsu.ko ./userspace/ksud/bin/aarch64/
-
-    - name: Prepare LKM files
-      if: ${{ inputs.pack_lkm && !inputs.pull_lkm }}
+    - name: Prepare LKM fies
+      if: ${{ inputs.pack_lkm }}
      run: |
        cp android*-lkm/*_kernelsu.ko ./userspace/ksud/bin/aarch64/
        
@@ -55,10 +40,6 @@ jobs:
        rustup update stable
        rustup target add x86_64-apple-darwin
        rustup target add aarch64-apple-darwin
-    - uses: Swatinem/rust-cache@v2
-      with:
-        workspaces: userspace/ksud
-        cache-targets: false

    - name: Install cross
      run: |
@@ -71,4 +52,4 @@ jobs:
      uses: actions/upload-artifact@v4
      with:
        name: ksud-${{ inputs.target }}
-        path: userspace/ksud/target/**/release/zakozako*
+        path: userspace/ksud/target/**/release/ksud*
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -16,7 +16,7 @@ on:

 jobs:
  shellcheck:
-    runs-on: self-hosted
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/susfs.yml
+++ b/.github/workflows/susfs.yml
@@ -1,40 +0,0 @@
-name: Build susfs
-
-on:
-  push:
-    branches: [ "mian" ]
-    paths:
-      - '.github/workflows/susfs.yml'
-      - 'userspace/susfs/**'
-  workflow_dispatch:
-  workflow_call:
-    inputs:
-      target:
-        required: true
-        type: string
-      os:
-        required: false
-        type: string
-        default: self-hosted
-
-jobs:
-  build-susfs:
-    name: Build userspace susfs
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Build susfs
-        working-directory: ./userspace/susfs
-        run: |
-          $ANDROID_NDK_HOME/ndk-build
-
-      - name: Upload a Build Artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: susfs-aarch64-linux-android
-          path: ./userspace/susfs/libs
--- a/.github/workflows/user_scanner.yml
+++ b/.github/workflows/user_scanner.yml
@@ -1,11 +1,11 @@
-name: Build kpmmgr
+name: Build user_scanner

 on:
  push:
    branches: [ "mian" ]
    paths:
-      - '.github/workflows/kpmmgr.yml'
-      - 'userspace/kpmmgr/**'
+      - '.github/workflows/user_scanner.yml'
+      - 'userspace/user_scanner/**'
  workflow_dispatch:
  workflow_call:
    inputs:
@@ -18,8 +18,8 @@ on:
        default: self-hosted

 jobs:
-  build-susfs:
-    name: Build userspace kpmmgr
+  build-user_scanner:
+    name: Build userspace user_scanner
    runs-on: ubuntu-latest

    steps:
@@ -28,13 +28,13 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Build kpmmgr
-        working-directory: ./userspace/kpmmgr
+      - name: Build user_scanner
+        working-directory: ./userspace/user_scanner
        run: |
          $ANDROID_NDK_HOME/ndk-build

      - name: Upload a Build Artifact
        uses: actions/upload-artifact@v4
        with:
-          name: kpmmgr-aarch64-linux-android
-          path: ./userspace/kpmmgr/libs
+          name: userscanner-all-linux-android
+          path: ./userspace/user_scanner/libs
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 .idea
-.vscode
+CLAUDE.md
 .DS_Store
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,6 +1,6 @@
-<img align='right' src='zakomonochrome-128.svg' width='100px' alt="logo">
-
 # SukiSU Ultra
+<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
+

 **English** | [简体中文](./zh/README.md) | [日本語](./ja/README.md) | [Türkçe](./tr/README.md)

@@ -15,6 +15,7 @@ A kernel-based root solution for Android devices, forked from [`tiann/KernelSU`]

 1. Kernel-based `su` and root access management
 2. Module system based on [Magic Mount](https://github.com/5ec1cff/KernelSU)
+   > **Note:** SukiSU now delegates all module mounting to the installed *metamodule*; the core no longer handles mount operations.
 3. [App Profile](https://kernelsu.org/guide/app-profile.html): Lock up the root power in a cage
 4. Support non-GKI and GKI 1.0
 5. KPM Support
--- a/docs/SukiSU-mini.svg
+++ b/docs/SukiSU-mini.svg
--- a/docs/SukiSU.svg
+++ b/docs/SukiSU.svg
--- a/docs/guide/how-to-integrate.md
+++ b/docs/guide/how-to-integrate.md
@@ -24,6 +24,12 @@ Prerequisites: open source bootable kernel.
   - Requires [`guide/how-to-integrate.md`](guide/how-to-integrate.md)
   - Requires [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source)

+3. **Tracepoint Hook:**
+
+   - Hook method introduced since SukiSU commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124)
+   - Requires `CONFIG_KSU_TRACEPOINT_HOOK=y`
+   - Requires [`guide/tracepoint-hook.md`](tracepoint-hook.md)
+
 <!-- This part refer to [rsuntk/KernelSU](https://github.com/rsuntk/KernelSU). -->

 If you're able to build a bootable kernel, there are two ways to integrate KernelSU into the kernel source code:
--- a/docs/guide/tracepoint-hook.md
+++ b/docs/guide/tracepoint-hook.md
@@ -0,0 +1,239 @@
+# Tracepoint Hook Integration
+
+## Introduction
+
+Since commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124), SukiSU has introduced Tracepoint Hook
+
+This Hook theoretically has lower performance overhead compared to Kprobes Hook, but is inferior to Manual Hook / Syscall Hook
+
+> [!NOTE]
+> This tutorial references the syscall hook v1.4 version from [backslashxx/KernelSU#5](https://github.com/backslashxx/KernelSU/issues/5), as well as the original KernelSU's [Manual Hook](https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source)
+
+## Guide
+
+### execve Hook (`exec.c`)
+
+Generally need to modify the `do_execve` and `compat_do_execve` methods in `fs/exec.c`
+
+```patch
+--- a/fs/exec.c
+++ b/fs/exec.c
+@@ -78,6 +78,10 @@
+ #include <trace/hooks/sched.h>
+ #endif
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ EXPORT_TRACEPOINT_SYMBOL_GPL(task_rename);
+ 
+ static int bprm_creds_from_file(struct linux_binprm *bprm);
+@@ -2037,6 +2041,9 @@ static int do_execve(struct filename *filename,
+ {
+ 	struct user_arg_ptr argv = { .ptr.native = __argv };
+ 	struct user_arg_ptr envp = { .ptr.native = __envp };
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+#endif
+ 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
+ }
+ 
+@@ -2064,6 +2071,9 @@ static int compat_do_execve(struct filename *filename,
+ 		.is_compat = true,
+ 		.ptr.compat = __envp,
+ 	};
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0); // 32-bit su and 32-on-64 support
+#endif
+ 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
+ }
+```
+
+### faccessat Hook (`open.c`)
+
+Generally need to modify the `do_faccessat` method in `/fs/open.c` 
+
+```patch
+--- a/fs/open.c
+++ b/fs/open.c
+@@ -37,6 +37,10 @@
+ #include "internal.h"
+ #include <trace/hooks/syscall_check.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ int do_truncate(struct user_namespace *mnt_userns, struct dentry *dentry,
+ 		loff_t length, unsigned int time_attrs, struct file *filp)
+ {
+@@ -468,6 +472,9 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla
+ 
+ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ {
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
+#endif
+ 	return do_faccessat(dfd, filename, mode, 0);
+ }
+```
+
+If there's no `do_faccessat` method, you can find the `faccessat` SYSCALL definition (for kernels earlier than 4.17)
+
+```patch
+--- a/fs/open.c
+++ b/fs/open.c
+@@ -31,6 +31,9 @@
+ #include <linux/ima.h>
+ #include <linux/dnotify.h>
+ #include <linux/compat.h>
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+ 
+ #include "internal.h"
+ 
+@@ -369,6 +372,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ 	int res;
+ 	unsigned int lookup_flags = LOOKUP_FOLLOW;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
+#endif
+ 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
+ 		return -EINVAL;
+```
+
+### sys_read Hook (`read_write.c`)
+
+Need to modify the `sys_read` method in `fs/read_write.c` (4.19 and above)
+
+```patch
+--- a/fs/read_write.c
+++ b/fs/read_write.c
+@@ -25,6 +25,10 @@
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ const struct file_operations generic_ro_fops = {
+ 	.llseek		= generic_file_llseek,
+ 	.read_iter	= generic_file_read_iter,
+@@ -630,6 +634,9 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count)
+ 
+ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
+ {
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_sys_read_hook(fd, &buf, &count);
+#endif
+ 	return ksys_read(fd, buf, count);
+ }
+```
+
+Or the `read` SYSCALL definition (4.14 and below)
+
+```patch
+--- a/fs/read_write.c
+++ b/fs/read_write.c
+@@ -25,6 +25,11 @@
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+
+ const struct file_operations generic_ro_fops = {
+ 	.llseek		= generic_file_llseek,
+ 	.read_iter	= generic_file_read_iter,
+@@ -575,6 +580,9 @@ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
+ 
+ 	if (f.file) {
+ 		loff_t pos = file_pos_read(f.file);
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+		trace_ksu_trace_sys_read_hook(fd, &buf, &count);
+#endif
+ 		ret = vfs_read(f.file, buf, count, &pos);
+ 		if (ret >= 0)
+ 			file_pos_write(f.file, pos);
+```
+
+### fstatat Hook (`stat.c`)
+
+Need to modify the `newfstatat` SYSCALL definition in `stat.c`
+
+If 32-bit support is needed, also need to modify the `statat64` SYSCALL definition
+
+```patch
+--- a/fs/stat.c
+++ b/fs/stat.c
+@@ -24,6 +24,10 @@
+ #include "internal.h"
+ #include "mount.h"
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ /**
+  * generic_fillattr - Fill in the basic attributes from the inode struct
+  * @mnt_userns:	user namespace of the mount the inode was found from
+@@ -408,6 +412,10 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
+ 	struct kstat stat;
+ 	int error;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag);
+#endif
+
+ 	error = vfs_fstatat(dfd, filename, &stat, flag);
+ 	if (error)
+ 		return error;
+@@ -559,6 +567,10 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
+ 	struct kstat stat;
+ 	int error;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag); /* 32-bit su support */
+#endif
+
+ 	error = vfs_fstatat(dfd, filename, &stat, flag);
+ 	if (error)
+ 		return error;
+```
+
+### input Hook (`input.c`, for entering KSU built-in security mode)
+
+Need to modify the `input_event` method in `drivers/input/input.c`, not `input_handle_event`
+
+```patch
+--- a/drivers/input/input.c
+++ b/drivers/input/input.c
+@@ -26,6 +26,10 @@
+ #include "input-compat.h"
+ #include "input-poller.h"
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ MODULE_AUTHOR("Vojtech Pavlik <vojtech@suse.cz>");
+ MODULE_DESCRIPTION("Input core");
+ MODULE_LICENSE("GPL");
+@@ -451,6 +455,10 @@ void input_event(struct input_dev *dev,
+ {
+ 	unsigned long flags;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_input_hook(&type, &code, &value);
+#endif
+
+ 	if (is_event_supported(type, dev->evbit, EV_MAX)) {
+ 
+ 		spin_lock_irqsave(&dev->event_lock, flags);
+```
--- a/docs/ja/README.md
+++ b/docs/ja/README.md
@@ -1,4 +1,6 @@
 # SukiSU Ultra
+<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
+

 [English](../README.md) | [简体中文](../zh/README.md) | **日本語** | [Türkçe](../tr/README.md)

--- a/docs/ja/SukiSU-mini.svg
+++ b/docs/ja/SukiSU-mini.svg
--- a/docs/tr/README.md
+++ b/docs/tr/README.md
@@ -1,4 +1,6 @@
 # SukiSU Ultra
+<img align='right' src='SukiSU-mini.svg' width='250px' alt="sukisu logo">
+

 [English](../README.md) | [简体中文](../zh/README.md) | [日本語](../ja/README.md) | **Türkçe**

--- a/docs/tr/SukiSU-mini.svg
+++ b/docs/tr/SukiSU-mini.svg
--- a/docs/zh/README.md
+++ b/docs/zh/README.md
@@ -1,6 +1,6 @@
-<img align='right' src='zakomonochrome-128.svg' width='100px' alt="logo">
-
 # SukiSU Ultra
+<img align='right' src='SukiSU-mini.svg' width='220px' alt="sukisu logo">
+

 [English](../README.md) | **简体中文** | [日本語](../ja/README.md) | [Türkçe](../tr/README.md)

--- a/docs/zh/SukiSU-mini.svg
+++ b/docs/zh/SukiSU-mini.svg
--- a/docs/zh/SukiSU.svg
+++ b/docs/zh/SukiSU.svg
--- a/docs/zh/guide/how-to-integrate.md
+++ b/docs/zh/guide/how-to-integrate.md
@@ -21,9 +21,15 @@ SukiSU 可以集成到 GKI 和 non-GKI 内核中，并且已反向移植到 4.14
   <!-- - backslashxx's syscall manual hook: https://github.com/backslashxx/KernelSU/issues/5 (v1.5 version is not available at the moment, if you want to use it, please use v1.4 version, or standard KernelSU hooks)-->

   - 需要 `CONFIG_KSU_MANUAL_HOOK=y`
-   - 需要 [`guide/how-to-integrate.md`](guide/how-to-integrate.md)
+   - 需要 [`guide/how-to-integrate.md`](how-to-integrate.md)
   - 需要 [https://github.com/~](https://github.com/tiann/KernelSU/blob/main/website/docs/guide/how-to-integrate-for-non-gki.md#manually-modify-the-kernel-source)

+3. **Tracepoint Hook:**
+
+   - 自 SukiSU commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124) 引入的 hook 方法
+   - 需要 `CONFIG_KSU_TRACEPOINT_HOOK=y`
+   - 需要 [`guide/tracepoint-hook.md`](tracepoint-hook.md)
+   
 <!-- This part refer to [rsuntk/KernelSU](https://github.com/rsuntk/KernelSU). -->

 如果您能够构建可启动内核，有两种方法可以将 KernelSU 集成到内核源代码中：
--- a/docs/zh/guide/tracepoint-hook.md
+++ b/docs/zh/guide/tracepoint-hook.md
@@ -0,0 +1,239 @@
+# Tracepoint Hook 集成
+
+## 介绍
+
+自 commit [49b01aad](https://github.com/SukiSU-Ultra/SukiSU-Ultra/commit/49b01aad74bcca6dba5a8a2e053bb54b648eb124) 起，SukiSU 引入了 Tracepoint Hook
+
+该 Hook 理论上相比于 Kprobes Hook，性能开销更小，但次于 Manual Hook / Syscall Hook
+
+> [!NOTE]
+> 本教程参考了 [backslashxx/KernelSU#5](https://github.com/backslashxx/KernelSU/issues/5) 的 syscall hook v1.4 版本钩子，以及原版 KernelSU 的 [Manual Hook](https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#manually-modify-the-kernel-source)
+
+## Guide
+
+### execve 钩子（`exec.c`）
+
+一般需要修改 `fs/exec.c` 的 `do_execve` 和 `compat_do_execve` 方法
+
+```patch
+--- a/fs/exec.c
+++ b/fs/exec.c
+@@ -78,6 +78,10 @@
+ #include <trace/hooks/sched.h>
+ #endif
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ EXPORT_TRACEPOINT_SYMBOL_GPL(task_rename);
+ 
+ static int bprm_creds_from_file(struct linux_binprm *bprm);
+@@ -2037,6 +2041,9 @@ static int do_execve(struct filename *filename,
+ {
+ 	struct user_arg_ptr argv = { .ptr.native = __argv };
+ 	struct user_arg_ptr envp = { .ptr.native = __envp };
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+#endif
+ 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
+ }
+ 
+@@ -2064,6 +2071,9 @@ static int compat_do_execve(struct filename *filename,
+ 		.is_compat = true,
+ 		.ptr.compat = __envp,
+ 	};
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_execveat_hook((int *)AT_FDCWD, &filename, &argv, &envp, 0)); // 32-bit su and 32-on-64 support
+#endif
+ 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
+ }
+```
+
+### faccessat 钩子 (`open.c`)
+
+一般需要修改 `/fs/open.c` 的 `do_faccessat` 方法 
+
+```patch
+--- a/fs/open.c
+++ b/fs/open.c
+@@ -37,6 +37,10 @@
+ #include "internal.h"
+ #include <trace/hooks/syscall_check.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ int do_truncate(struct user_namespace *mnt_userns, struct dentry *dentry,
+ 		loff_t length, unsigned int time_attrs, struct file *filp)
+ {
+@@ -468,6 +472,9 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla
+ 
+ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ {
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
+#endif
+ 	return do_faccessat(dfd, filename, mode, 0);
+ }
+```
+
+如果没有 `do_faccessat` 方法，可以找 `faccessat` 的 SYSCALL 定义（对于早于 4.17 的内核）
+
+```patch
+--- a/fs/open.c
+++ b/fs/open.c
+@@ -31,6 +31,9 @@
+ #include <linux/ima.h>
+ #include <linux/dnotify.h>
+ #include <linux/compat.h>
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+ 
+ #include "internal.h"
+ 
+@@ -369,6 +372,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ 	int res;
+ 	unsigned int lookup_flags = LOOKUP_FOLLOW;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_faccessat_hook(&dfd, &filename, &mode, NULL);
+#endif
+ 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
+ 		return -EINVAL;
+```
+
+###  sys_read 钩子 ( `read_write.c` )
+
+需要修改 `fs/read_write.c` 的 `sys_read` 方法（4.19 及以上）
+
+```patch
+--- a/fs/read_write.c
+++ b/fs/read_write.c
+@@ -25,6 +25,10 @@
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ const struct file_operations generic_ro_fops = {
+ 	.llseek		= generic_file_llseek,
+ 	.read_iter	= generic_file_read_iter,
+@@ -630,6 +634,9 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count)
+ 
+ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
+ {
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_sys_read_hook(fd, &buf, &count);
+#endif
+ 	return ksys_read(fd, buf, count);
+ }
+```
+
+或者是 `read` 的 SYSCALL 定义（4.14 及以下）
+
+```patch
+--- a/fs/read_write.c
+++ b/fs/read_write.c
+@@ -25,6 +25,11 @@
+ #include <linux/uaccess.h>
+ #include <asm/unistd.h>
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+
+ const struct file_operations generic_ro_fops = {
+ 	.llseek		= generic_file_llseek,
+ 	.read_iter	= generic_file_read_iter,
+@@ -575,6 +580,9 @@ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
+ 
+ 	if (f.file) {
+ 		loff_t pos = file_pos_read(f.file);
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+		trace_ksu_trace_sys_read_hook(fd, &buf, &count);
+#endif
+ 		ret = vfs_read(f.file, buf, count, &pos);
+ 		if (ret >= 0)
+ 			file_pos_write(f.file, pos);
+```
+
+### fstatat 钩子 ( `stat.c` )
+
+需要修改 `stat.c` 的 `newfstatat` SYSCALL 定义
+
+如果需要 32 位支持，还需要修改 `statat64` SYSCALL 定义
+
+```patch
+--- a/fs/stat.c
+++ b/fs/stat.c
+@@ -24,6 +24,10 @@
+ #include "internal.h"
+ #include "mount.h"
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ /**
+  * generic_fillattr - Fill in the basic attributes from the inode struct
+  * @mnt_userns:	user namespace of the mount the inode was found from
+@@ -408,6 +412,10 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
+ 	struct kstat stat;
+ 	int error;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag);
+#endif
+
+ 	error = vfs_fstatat(dfd, filename, &stat, flag);
+ 	if (error)
+ 		return error;
+@@ -559,6 +567,10 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
+ 	struct kstat stat;
+ 	int error;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+	trace_ksu_trace_stat_hook(&dfd, &filename, &flag); /* 32-bit su support */
+#endif
+
+ 	error = vfs_fstatat(dfd, filename, &stat, flag);
+ 	if (error)
+ 		return error;
+```
+
+### input 钩子 (`input.c` ,用于进入KSU系的内置安全模式)
+
+需要修改 `drivers/input/input.c` 的 `input_event` 方法，而不是 `input_handle_event`
+
+```patch
+--- a/drivers/input/input.c
+++ b/drivers/input/input.c
+@@ -26,6 +26,10 @@
+ #include "input-compat.h"
+ #include "input-poller.h"
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+#include <../../drivers/kernelsu/ksu_trace.h>
+#endif
+
+ MODULE_AUTHOR("Vojtech Pavlik <vojtech@suse.cz>");
+ MODULE_DESCRIPTION("Input core");
+ MODULE_LICENSE("GPL");
+@@ -451,6 +455,10 @@ void input_event(struct input_dev *dev,
+ {
+ 	unsigned long flags;
+ 
+#if defined(CONFIG_KSU) && defined(CONFIG_KSU_TRACEPOINT_HOOK)
+    trace_ksu_trace_input_hook(&type, &code, &value);
+#endif
+
+ 	if (is_event_supported(type, dev->evbit, EV_MAX)) {
+ 
+ 		spin_lock_irqsave(&dev->event_lock, flags);
+```
--- a/docs/zh/zakomonochrome-128.svg
+++ b/docs/zh/zakomonochrome-128.svg
@@ -1,65 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-
-<svg
-   width="128"
-   height="128"
-   viewBox="0 0 128 128"
-   version="1.1"
-   id="svg1"
-   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
-   sodipodi:docname="zakomonochrome-128.svg"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg">
-  <sodipodi:namedview
-     id="namedview1"
-     pagecolor="#ffffff"
-     bordercolor="#999999"
-     borderopacity="1"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     inkscape:document-units="px"
-     inkscape:zoom="2.6185048"
-     inkscape:cx="59.957881"
-     inkscape:cy="71.032903"
-     inkscape:window-width="1280"
-     inkscape:window-height="696"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="layer1" />
-  <defs
-     id="defs1" />
-  <g
-     inkscape:label="图层 1"
-     inkscape:groupmode="layer"
-     id="layer1">
-    <rect
-       style="fill:#ffffff;stroke:#000000;stroke-width:0;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;paint-order:fill markers stroke;fill-opacity:1"
-       id="rect1"
-       width="128"
-       height="128"
-       x="0"
-       y="0"
-       rx="7.772471"
-       ry="7.772471" />
-    <path
-       id="path101"
-       style="fill:#ffffff;fill-opacity:0.734285;stroke:#000000;stroke-width:4.27504;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
-       d="m 42.510282,81.796052 c 0,0 -7.224141,-5.638356 -10.043315,-9.338525 M 14.847106,81.97224 25.41902,71.576535 m 0.17619,-6.695549 2.819179,19.910444 M 11.675534,73.338532 38.281518,71.047931 M 43.567475,62.7666 34.40515,62.942814 M 34.22896,62.590425 33.524162,48.494537 m -18.500855,1.58577 17.972249,-1.409582 m -11.8053,-5.462154 0.352397,18.853251"
-       inkscape:label="杂" />
-    <path
-       id="path111"
-       style="fill:#ffffff;fill-opacity:0.734285;stroke:#000000;stroke-width:3.94824;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.3;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
-       d="M 55.912937,82.876745 79.671596,81.412163 M 59.330273,75.391135 74.952411,74.089291 m -9.43837,-14.157553 1.139102,14.645756 m -8.299247,-7.160159 16.273048,-1.464569 m 0.650926,8.136525 0.325472,-14.808482 m -0.162747,0.162739 -17.900363,0.976379 m 0,-0.162738 1.952774,14.645756 m 12.042061,-21.154974 1.464576,-6.346492 m 0,-0.650928 -12.042063,0.650928 m -0.650918,6.509218 0.325459,-8.787441"
-       inkscape:label="鱼" />
-    <path
-       d="m 95.08569,51.121163 c -1.90515,0.116064 -3.64694,0.97349 -4.86738,2.391307 -1.34538,1.56738 -1.91476,3.733159 -1.59523,6.070852 0.40842,2.982962 2.1502,6.17135 5.13887,9.411078 0.63424,0.68546 1.08109,1.129773 1.98202,1.967071 1.58321,1.469144 3.01507,2.634638 4.9875,4.052454 0.70392,0.50905 2.09253,1.453525 2.61627,1.781734 l 0.15133,0.09594 0.22103,-0.140663 c 0.80481,-0.515755 2.23909,-1.504852 3.08956,-2.130057 3.21689,-2.364488 5.79232,-4.737902 7.70228,-7.100167 3.09676,-3.831409 4.4133,-7.562359 3.80549,-10.773058 -0.42043,-2.210414 -1.82588,-4.039057 -3.81992,-4.967887 -0.85767,-0.399664 -1.69132,-0.607312 -2.6355,-0.656431 -1.22285,-0.0647 -2.42648,0.178619 -3.57485,0.721182 -1.95561,0.922124 -3.58927,2.719503 -4.61752,5.081755 -0.072,0.165235 -0.1394,0.310355 -0.14895,0.319295 -0.0312,0.02902 -0.0648,-0.02679 -0.19458,-0.330457 -0.30752,-0.714476 -0.91055,-1.752718 -1.38382,-2.377871 -0.4853,-0.645282 -1.2661,-1.431214 -1.84749,-1.862143 -1.50155,-1.114153 -3.26013,-1.658924 -5.00914,-1.553996 z"
-       id="path1-4"
-       style="fill:#000000;fill-opacity:1;stroke:none;stroke-width:0.00231605" />
-  </g>
-</svg>
--- a/kernel/.clang-format
+++ b/kernel/.clang-format
@@ -56,8 +56,8 @@ ColumnLimit: 80
 CommentPragmas: '^ IWYU pragma:'
 #CompactNamespaces: false # Unknown to clang-format-4.0
 ConstructorInitializerAllOnOneLineOrOnePerLine: false
-ConstructorInitializerIndentWidth: 8
-ContinuationIndentWidth: 8
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
 Cpp11BracedListStyle: false
 DerivePointerAlignment: false
 DisableFormat: false
@@ -501,7 +501,7 @@ IncludeCategories:
 IncludeIsMainRegex: '(Test)?$'
 IndentCaseLabels: false
 #IndentPPDirectives: None # Unknown to clang-format-5.0
-IndentWidth: 8
+IndentWidth: 4
 IndentWrappedFunctionNames: false
 JavaScriptQuotes: Leave
 JavaScriptWrapImports: true
@@ -511,7 +511,7 @@ MacroBlockEnd: ''
 MaxEmptyLinesToKeep: 1
 NamespaceIndentation: None
 #ObjCBinPackProtocolList: Auto # Unknown to clang-format-5.0
-ObjCBlockIndentWidth: 8
+ObjCBlockIndentWidth: 4
 ObjCSpaceAfterProperty: true
 ObjCSpaceBeforeProtocolList: true

@@ -543,6 +543,6 @@ SpacesInCStyleCastParentheses: false
 SpacesInParentheses: false
 SpacesInSquareBrackets: false
 Standard: Cpp03
-TabWidth: 8
-UseTab: Always
+TabWidth: 4
+UseTab: Never
 ...
--- a/kernel/.gitignore
+++ b/kernel/.gitignore
@@ -0,0 +1,22 @@
+.cache/
+.thinlto-cache/
+compile_commands.json
+*.ko
+*.o
+*.mod
+*.lds
+*.mod.o
+.*.o*
+.*.mod*
+*.ko*
+*.mod.c
+*.symvers*
+*.order
+.*.ko.cmd
+.tmp_versions/
+libs/
+obj/
+
+CLAUDE.md
+.ddk-version
+.vscode/settings.json
--- a/kernel/.vscode/c_cpp_properties.json
+++ b/kernel/.vscode/c_cpp_properties.json
@@ -0,0 +1,11 @@
+{
+    "configurations": [
+        {
+            "name": "Linux",
+            "cStandard": "c11",
+            "intelliSenseMode": "gcc-arm64",
+            "compileCommands": "${workspaceFolder}/compile_commands.json"
+        }
+    ],
+    "version": 4
+}
--- a/kernel/.vscode/generate_compdb.py
+++ b/kernel/.vscode/generate_compdb.py
@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+
+from __future__ import print_function, division
+
+import argparse
+import fnmatch
+import functools
+import json
+import math
+import multiprocessing
+import os
+import re
+import sys
+
+
+CMD_VAR_RE = re.compile(r'^\s*(?:saved)?cmd_(\S+)\s*:=\s*(.+)\s*$', re.MULTILINE)
+SOURCE_VAR_RE = re.compile(r'^\s*source_(\S+)\s*:=\s*(.+)\s*$', re.MULTILINE)
+
+
+def print_progress_bar(progress):
+    progress_bar = '[' + '|' * int(50 * progress) + '-' * int(50 * (1.0 - progress)) + ']'
+    print('\r', progress_bar, "{0:.1%}".format(progress), end='\r', file=sys.stderr)
+
+
+def parse_cmd_file(out_dir, cmdfile_path):
+    with open(cmdfile_path, 'r') as cmdfile:
+        cmdfile_content = cmdfile.read()
+
+    commands = { match.group(1): match.group(2) for match in CMD_VAR_RE.finditer(cmdfile_content) }
+    sources = { match.group(1): match.group(2) for match in SOURCE_VAR_RE.finditer(cmdfile_content) }
+
+    return [{
+            'directory': out_dir,
+            'command': commands[o_file_name],
+            'file': source,
+            'output': o_file_name
+        } for o_file_name, source in sources.items()]
+
+
+def gen_compile_commands(cmd_file_search_path, out_dir):
+    print("Building *.o.cmd file list...", file=sys.stderr)
+
+    out_dir = os.path.abspath(out_dir)
+
+    if not cmd_file_search_path:
+        cmd_file_search_path = [out_dir]
+
+    cmd_files = []
+    for search_path in cmd_file_search_path:
+        if (os.path.isdir(search_path)):
+            for cur_dir, subdir, files in os.walk(search_path):
+                cmd_files.extend(os.path.join(cur_dir, cmdfile_name) for cmdfile_name in fnmatch.filter(files, '*.o.cmd'))
+        else:
+            cmd_files.extend(search_path)
+
+    if not cmd_files:
+        print("No *.o.cmd files found in", ", ".join(cmd_file_search_path), file=sys.stderr)
+        return
+
+    print("Parsing *.o.cmd files...", file=sys.stderr)
+
+    n_processed = 0
+    print_progress_bar(0)
+
+    compdb = []
+    pool = multiprocessing.Pool()
+    try:
+        for compdb_chunk in pool.imap_unordered(functools.partial(parse_cmd_file, out_dir), cmd_files, chunksize=int(math.sqrt(len(cmd_files)))):
+            compdb.extend(compdb_chunk)
+            n_processed += 1
+            print_progress_bar(n_processed / len(cmd_files))
+
+    finally:
+        pool.terminate()
+        pool.join()
+
+    print(file=sys.stderr)
+    print("Writing compile_commands.json...", file=sys.stderr)
+
+    with open('compile_commands.json', 'w') as compdb_file:
+        json.dump(compdb, compdb_file, indent=1)
+
+
+def main():
+    cmd_parser = argparse.ArgumentParser()
+    cmd_parser.add_argument('-O', '--out-dir', type=str, default=os.getcwd(), help="Build output directory")
+    cmd_parser.add_argument('cmd_file_search_path', nargs='*', help="*.cmd file search path")
+    gen_compile_commands(**vars(cmd_parser.parse_args()))
+
+
+if __name__ == '__main__':
+    main()
--- a/kernel/.vscode/tasks.json
+++ b/kernel/.vscode/tasks.json
@@ -0,0 +1,16 @@
+{
+    // See https://go.microsoft.com/fwlink/?LinkId=733558
+    // for the documentation about the tasks.json format
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Generate compile_commands.json",
+            "type": "process",
+            "command": "python",
+            "args": [
+                "${workspaceRoot}/.vscode/generate_compdb.py"
+            ],
+            "problemMatcher": []
+        }
+    ]
+}
--- a/kernel/Kconfig
+++ b/kernel/Kconfig
@@ -2,7 +2,6 @@ menu "KernelSU"

 config KSU
    tristate "KernelSU function support"
-	depends on OVERLAY_FS
    default y
    help
      Enable kernel-level root privileges on Android System.
@@ -16,6 +15,13 @@ config KSU_DEBUG
    help
      Enable KernelSU debug mode.

+config KSU_MANUAL_SU
+    bool "Use manual su"
+    depends on KSU
+    default y
+    help
+      Use manual su and authorize the corresponding command line and application via prctl
+
 config KPM
    bool "Enable SukiSU KPM"
    depends on KSU && 64BIT
@@ -26,4 +32,11 @@ config KPM
      but it may affect system stability.
    select KALLSYMS
    select KALLSYMS_ALL
+
+config KSU_MANUAL_HOOK
+    bool "Hook KernelSU manually"
+    depends on KSU != m
+    help
+      If enabled, Hook required KernelSU syscalls with manually-patched function.
+
 endmenu
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -1,12 +1,29 @@
 kernelsu-objs := ksu.o
 kernelsu-objs += allowlist.o
+kernelsu-objs += app_profile.o
+kernelsu-objs += dynamic_manager.o
 kernelsu-objs += apk_sign.o
 kernelsu-objs += sucompat.o
+kernelsu-objs += syscall_hook_manager.o
 kernelsu-objs += throne_tracker.o
-kernelsu-objs += core_hook.o
+kernelsu-objs += pkg_observer.o
+kernelsu-objs += throne_tracker.o
+kernelsu-objs += umount_manager.o
+kernelsu-objs += setuid_hook.o
+kernelsu-objs += kernel_umount.o
+kernelsu-objs += supercalls.o
+kernelsu-objs += feature.o
 kernelsu-objs += ksud.o
 kernelsu-objs += embed_ksud.o
-kernelsu-objs += kernel_compat.o
+kernelsu-objs += seccomp_cache.o
+kernelsu-objs += file_wrapper.o
+kernelsu-objs += throne_comm.o
+kernelsu-objs += sulog.o
+
+ifeq ($(CONFIG_KSU_MANUAL_SU), y)
+ccflags-y += -DCONFIG_KSU_MANUAL_SU
+kernelsu-objs += manual_su.o
+endif

 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
@@ -18,42 +35,59 @@ obj-$(CONFIG_KSU) += kernelsu.o

 obj-$(CONFIG_KPM) += kpm/

-
 REPO_OWNER := SukiSU-Ultra
 REPO_NAME := SukiSU-Ultra
 REPO_BRANCH := main
-KSU_VERSION_API := 3.1.8
+KSU_VERSION_API := 4.0.0

 GIT_BIN := /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git
 CURL_BIN := /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin curl

+KDIR := $(KDIR)
+MDIR := $(realpath $(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
+
+ifneq ($(KDIR),)
+$(info -- KDIR: $(KDIR))
+$(info -- MDIR: $(MDIR))
+endif
+
 KSU_GITHUB_VERSION := $(shell $(CURL_BIN) -s "https://api.github.com/repos/$(REPO_OWNER)/$(REPO_NAME)/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
 KSU_GITHUB_VERSION_COMMIT := $(shell $(CURL_BIN) -sI "https://api.github.com/repos/$(REPO_OWNER)/$(REPO_NAME)/commits?sha=$(REPO_BRANCH)&per_page=1" | grep -i "link:" | sed -n 's/.*page=\([0-9]*\)>; rel="last".*/\1/p')

-LOCAL_GIT_EXISTS := $(shell test -e $(srctree)/$(src)/../.git && echo 1 || echo 0)
+ifeq ($(findstring $(srctree),$(src)),$(srctree))
+  KSU_SRC := $(src)
+else
+  KSU_SRC := $(srctree)/$(src)
+endif
+
+ifneq ($(shell test -e $(KSU_SRC)/../.git && echo "in-tree"),in-tree)
+  KSU_SRC := $(MDIR)
+endif
+
+LOCAL_GIT_EXISTS := $(shell test -e $(KSU_SRC)/../.git && echo 1 || echo 0)

 define get_ksu_version_full
-v$1-$(shell cd $(srctree)/$(src); $(GIT_BIN) rev-parse --short=8 HEAD)@$(shell cd $(srctree)/$(src); $(GIT_BIN) rev-parse --abbrev-ref HEAD)
+v$1-$(shell cd $(KSU_SRC); $(GIT_BIN) rev-parse --short=8 HEAD)@$(shell cd $(KSU_SRC); $(GIT_BIN) rev-parse --abbrev-ref HEAD)
 endef

 ifeq ($(KSU_GITHUB_VERSION_COMMIT),)
  ifeq ($(LOCAL_GIT_EXISTS),1)
-    $(shell cd $(srctree)/$(src); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
-    KSU_LOCAL_VERSION := $(shell cd $(srctree)/$(src); $(GIT_BIN) rev-list --count $(REPO_BRANCH))
-    KSU_VERSION := $(shell expr 10000 + $(KSU_LOCAL_VERSION) + 700)
+    $(shell cd $(KSU_SRC); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
+    KSU_LOCAL_VERSION := $(shell cd $(KSU_SRC); $(GIT_BIN) rev-list --count $(REPO_BRANCH))
+    KSU_VERSION := $(shell expr 40000 + $(KSU_LOCAL_VERSION) - 2815)
    $(info -- $(REPO_NAME) version (local .git): $(KSU_VERSION))
  else
    KSU_VERSION := 13000
    $(warning -- Could not fetch version online or via local .git! Using fallback version: $(KSU_VERSION))
  endif
 else
-  KSU_VERSION := $(shell expr 10000 + $(KSU_GITHUB_VERSION_COMMIT) + 700)
+  KSU_VERSION := $(shell expr 40000 + $(KSU_GITHUB_VERSION_COMMIT) - 2815)
  $(info -- $(REPO_NAME) version (GitHub): $(KSU_VERSION))
 endif

 ifeq ($(KSU_GITHUB_VERSION),)
  ifeq ($(LOCAL_GIT_EXISTS),1)
-    $(shell cd $(srctree)/$(src); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
+    $(shell cd $(KSU_SRC); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
    KSU_VERSION_FULL := $(call get_ksu_version_full,$(KSU_VERSION_API))
    $(info -- $(REPO_NAME) version (local .git): $(KSU_VERSION_FULL))
    $(info -- $(REPO_NAME) Formatted version (local .git): $(KSU_VERSION))
@@ -62,7 +96,7 @@ ifeq ($(KSU_GITHUB_VERSION),)
    $(warning -- $(REPO_NAME) version: $(KSU_VERSION_FULL))
  endif
 else
-  $(shell cd $(srctree)/$(src); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
+  $(shell cd $(KSU_SRC); [ -f ../.git/shallow ] && $(GIT_BIN) fetch --unshallow)
  KSU_VERSION_FULL := $(call get_ksu_version_full,$(KSU_GITHUB_VERSION))
  $(info -- $(REPO_NAME) version (Github): $(KSU_VERSION_FULL))
 endif
@@ -70,12 +104,15 @@ endif
 ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
 ccflags-y += -DKSU_VERSION_FULL=\"$(KSU_VERSION_FULL)\"

-ifndef KSU_EXPECTED_SIZE
-KSU_EXPECTED_SIZE := 0x35c
+# Custom Signs
+ifdef KSU_EXPECTED_SIZE
+ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
+$(info -- Custom KernelSU Manager signature size: $(KSU_EXPECTED_SIZE))
 endif

-ifndef KSU_EXPECTED_HASH
-KSU_EXPECTED_HASH := 947ae944f3de4ed4c21a7e4f7953ecf351bfa2b36239da37a34111ad29993eef
+ifdef KSU_EXPECTED_HASH
+ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
+$(info -- Custom KernelSU Manager signature hash: $(KSU_EXPECTED_HASH))
 endif

 ifdef KSU_MANAGER_PACKAGE
@@ -83,9 +120,15 @@ ccflags-y += -DKSU_MANAGER_PACKAGE=\"$(KSU_MANAGER_PACKAGE)\"
 $(info -- SukiSU Manager package name: $(KSU_MANAGER_PACKAGE))
 endif

-$(info -- SukiSU Manager signature size: $(KSU_EXPECTED_SIZE))
-$(info -- SukiSU Manager signature hash: $(KSU_EXPECTED_HASH))
-$(info -- Supported Unofficial Manager: 5ec1cff (GKI) ShirkNeko udochina (GKI and KPM))
+ifeq ($(CONFIG_KSU_MANUAL_HOOK), y)
+ccflags-y += -DKSU_MANUAL_HOOK
+$(info -- SukiSU: KSU_MANUAL_HOOK Temporarily discontinued）)
+else
+ccflags-y += -DKSU_KPROBES_HOOK
+ccflags-y += -DKSU_TP_HOOK
+$(info -- SukiSU: KSU_TRACEPOINT_HOOK)
+endif
+
 KERNEL_VERSION := $(VERSION).$(PATCHLEVEL)
 KERNEL_TYPE := Non-GKI
 # Check for GKI 2.0 (5.10+ or 6.x+)
@@ -100,18 +143,30 @@ endif
 $(info -- KERNEL_VERSION: $(KERNEL_VERSION))
 $(info -- KERNEL_TYPE: $(KERNEL_TYPE))

-$(info -- KERNEL_VERSION: $(KERNEL_VERSION))
-ifeq ($(CONFIG_KPM),y)
+ifeq ($(CONFIG_KPM), y)
 $(info -- KPM is enabled)
 else
 $(info -- KPM is disabled)
 endif

+# Check new vfs_getattr()
+ifeq ($(shell grep -A1 "^int vfs_getattr" $(srctree)/fs/stat.c | grep -q "query_flags" ; echo $$?),0)
+ccflags-y += -DKSU_HAS_NEW_VFS_GETATTR
+endif

-ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
-ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
+# Function proc_ops check
+ifeq ($(shell grep -q "struct proc_ops " $(srctree)/include/linux/proc_fs.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_PROC_OPS
+endif

-ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
+ccflags-y += -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat -Wno-missing-prototypes
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function -Wno-unused-variable
+
+all:
+	make -C $(KDIR) M=$(MDIR) modules
+compdb:
+	python3 $(MDIR)/.vscode/generate_compdb.py -O $(KDIR) $(MDIR)
+clean:
+	make -C $(KDIR) M=$(MDIR) clean

 # Keep a new line here!! Because someone may append config
--- a/kernel/allowlist.c
+++ b/kernel/allowlist.c
@@ -1,3 +1,5 @@
+#include <linux/mutex.h>
+#include <linux/task_work.h>
 #include <linux/capability.h>
 #include <linux/compiler.h>
 #include <linux/fs.h>
@@ -8,14 +10,16 @@
 #include <linux/slab.h>
 #include <linux/types.h>
 #include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
 #include <linux/compiler_types.h>
+#endif

-#include "ksu.h"
 #include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
 #include "selinux/selinux.h"
-#include "kernel_compat.h"
 #include "allowlist.h"
 #include "manager.h"
+#include "syscall_hook_manager.h"

 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
 #define FILE_FORMAT_VERSION 3 // u32
@@ -29,7 +33,10 @@ static DEFINE_MUTEX(allowlist_mutex);
 static struct root_profile default_root_profile;
 static struct non_root_profile default_non_root_profile;

-static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly __aligned(PAGE_SIZE);
+void persistent_allow_list(void);
+
+static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly
+    __aligned(PAGE_SIZE);
 static int allow_list_pointer __read_mostly = 0;

 static void remove_uid_from_arr(uid_t uid)
@@ -40,7 +47,7 @@ static void remove_uid_from_arr(uid_t uid)
    if (allow_list_pointer == 0)
        return;

-	temp_arr = kmalloc(sizeof(allow_list_arr), GFP_KERNEL);
+    temp_arr = kzalloc(sizeof(allow_list_arr), GFP_KERNEL);
    if (temp_arr == NULL) {
        pr_err("%s: unable to allocate memory\n", __func__);
        return;
@@ -61,7 +68,7 @@ static void remove_uid_from_arr(uid_t uid)
    kfree(temp_arr);
 }

-static void init_default_profiles()
+static void init_default_profiles(void)
 {
    kernel_cap_t full_cap = CAP_FULL_SET;

@@ -90,11 +97,6 @@ static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE);

 #define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"

-static struct work_struct ksu_save_work;
-static struct work_struct ksu_load_work;
-
-bool persistent_allow_list(void);
-
 void ksu_show_allow_list(void)
 {
    struct perm_data *p = NULL;
@@ -108,7 +110,7 @@ void ksu_show_allow_list(void)
 }

 #ifdef CONFIG_KSU_DEBUG
-static void ksu_grant_root_to_shell()
+static void ksu_grant_root_to_shell(void)
 {
    struct app_profile profile = {
        .version = KSU_APP_PROFILE_VER,
@@ -116,7 +118,8 @@ static void ksu_grant_root_to_shell()
        .current_uid = 2000,
    };
    strcpy(profile.key, "com.android.shell");
-	strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+    strcpy(profile.rp_config.profile.selinux_domain,
+           KSU_DEFAULT_SELINUX_DOMAIN);
    ksu_set_app_profile(&profile, false);
 }
 #endif
@@ -142,9 +145,10 @@ exit:
    return found;
 }

-static inline bool forbid_system_uid(uid_t uid) {
-	#define SHELL_UID 2000
-	#define SYSTEM_UID 1000
+static inline bool forbid_system_uid(uid_t uid)
+{
+#define SHELL_UID 2000
+#define SYSTEM_UID 1000
    return uid < SHELL_UID && uid != SYSTEM_UID;
 }

@@ -196,7 +200,7 @@ bool ksu_set_app_profile(struct app_profile *profile, bool persist)
    }

    // not found, alloc a new node!
-	p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
+    p = (struct perm_data *)kzalloc(sizeof(struct perm_data), GFP_KERNEL);
    if (!p) {
        pr_err("ksu_set_app_profile alloc failed\n");
        return false;
@@ -218,9 +222,11 @@ bool ksu_set_app_profile(struct app_profile *profile, bool persist)
 out:
    if (profile->current_uid <= BITMAP_UID_MAX) {
        if (profile->allow_su)
-			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |= 1 << (profile->current_uid % BITS_PER_BYTE);
+            allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |=
+                1 << (profile->current_uid % BITS_PER_BYTE);
        else
-			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &= ~(1 << (profile->current_uid % BITS_PER_BYTE));
+            allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &=
+                ~(1 << (profile->current_uid % BITS_PER_BYTE));
    } else {
        if (profile->allow_su) {
            /*
@@ -252,8 +258,11 @@ out:
               sizeof(default_root_profile));
    }

-	if (persist)
+    if (persist) {
        persistent_allow_list();
+        // FIXME: use a new flag
+        ksu_mark_running_process();
+    }

    return result;
 }
@@ -262,23 +271,20 @@ bool __ksu_is_allow_uid(uid_t uid)
 {
    int i;

-	if (unlikely(uid == 0)) {
-		// already root, but only allow our domain.
-		return is_ksu_domain();
-	}
-
    if (forbid_system_uid(uid)) {
        // do not bother going through the list if it's system
        return false;
    }

-	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+    if (likely(ksu_is_manager_uid_valid()) &&
+        unlikely(ksu_get_manager_uid() == uid)) {
        // manager is always allowed!
        return true;
    }

    if (likely(uid <= BITMAP_UID_MAX)) {
-		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] & (1 << (uid % BITS_PER_BYTE)));
+        return !!(allow_list_bitmap[uid / BITS_PER_BYTE] &
+                  (1 << (uid % BITS_PER_BYTE)));
    } else {
        for (i = 0; i < allow_list_pointer; i++) {
            if (allow_list_arr[i] == uid)
@@ -289,10 +295,20 @@ bool __ksu_is_allow_uid(uid_t uid)
    return false;
 }

+bool __ksu_is_allow_uid_for_current(uid_t uid)
+{
+    if (unlikely(uid == 0)) {
+        // already root, but only allow our domain.
+        return is_ksu_domain();
+    }
+    return __ksu_is_allow_uid(uid);
+}
+
 bool ksu_uid_should_umount(uid_t uid)
 {
    struct app_profile profile = { .current_uid = uid };
-	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+    if (likely(ksu_is_manager_uid_valid()) &&
+        unlikely(ksu_get_manager_uid() == uid)) {
        // we should not umount on manager!
        return false;
    }
@@ -349,7 +365,7 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
    return true;
 }

-void do_save_allow_list(struct work_struct *work)
+static void do_persistent_allow_list(struct callback_head *_cb)
 {
    u32 magic = FILE_MAGIC;
    u32 version = FILE_FORMAT_VERSION;
@@ -357,41 +373,64 @@ void do_save_allow_list(struct work_struct *work)
    struct list_head *pos = NULL;
    loff_t off = 0;

+    mutex_lock(&allowlist_mutex);
    struct file *fp =
-		ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+        filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (IS_ERR(fp)) {
        pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
-		return;
+        goto unlock;
    }

    // store magic and version
-	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
-	    sizeof(magic)) {
+    if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
        pr_err("save_allow_list write magic failed.\n");
-		goto exit;
+        goto close_file;
    }

-	if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) !=
-	    sizeof(version)) {
+    if (kernel_write(fp, &version, sizeof(version), &off) != sizeof(version)) {
        pr_err("save_allow_list write version failed.\n");
-		goto exit;
+        goto close_file;
    }

    list_for_each (pos, &allow_list) {
        p = list_entry(pos, struct perm_data, list);
        pr_info("save allow list, name: %s uid :%d, allow: %d\n",
-			p->profile.key, p->profile.current_uid,
-			p->profile.allow_su);
+                p->profile.key, p->profile.current_uid, p->profile.allow_su);

-		ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
-					&off);
+        kernel_write(fp, &p->profile, sizeof(p->profile), &off);
    }

-exit:
+close_file:
    filp_close(fp, 0);
+unlock:
+    mutex_unlock(&allowlist_mutex);
+    kfree(_cb);
 }

-void do_load_allow_list(struct work_struct *work)
+void persistent_allow_list()
+{
+    struct task_struct *tsk;
+
+    tsk = get_pid_task(find_vpid(1), PIDTYPE_PID);
+    if (!tsk) {
+        pr_err("save_allow_list find init task err\n");
+        return;
+    }
+
+    struct callback_head *cb =
+        kzalloc(sizeof(struct callback_head), GFP_KERNEL);
+    if (!cb) {
+        pr_err("save_allow_list alloc cb err\b");
+        goto put_task;
+    }
+    cb->func = do_persistent_allow_list;
+    task_work_add(tsk, cb, TWA_RESUME);
+
+put_task:
+    put_task_struct(tsk);
+}
+
+void ksu_load_allow_list()
 {
    loff_t off = 0;
    ssize_t ret = 0;
@@ -405,22 +444,20 @@ void do_load_allow_list(struct work_struct *work)
 #endif

    // load allowlist now!
-	fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
+    fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
    if (IS_ERR(fp)) {
        pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
        return;
    }

    // verify magic
-	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
-		    sizeof(magic) ||
+    if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
        magic != FILE_MAGIC) {
        pr_err("allowlist file invalid: %d!\n", magic);
        goto exit;
    }

-	if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) !=
-	    sizeof(version)) {
+    if (kernel_read(fp, &version, sizeof(version), &off) != sizeof(version)) {
        pr_err("allowlist read version: %d failed\n", version);
        goto exit;
    }
@@ -430,16 +467,15 @@ void do_load_allow_list(struct work_struct *work)
    while (true) {
        struct app_profile profile;

-		ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
-					     &off);
+        ret = kernel_read(fp, &profile, sizeof(profile), &off);

        if (ret <= 0) {
            pr_info("load_allow_list read err: %zd\n", ret);
            break;
        }

-		pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
-			profile.key, profile.current_uid, profile.allow_su);
+        pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n", profile.key,
+                profile.current_uid, profile.allow_su);
        ksu_set_app_profile(&profile, false);
    }

@@ -448,11 +484,17 @@ exit:
    filp_close(fp, 0);
 }

-void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *), void *data)
+void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *),
+                         void *data)
 {
    struct perm_data *np = NULL;
    struct perm_data *n = NULL;

+    if (!ksu_boot_completed) {
+        pr_info("boot not completed, skip prune\n");
+        return;
+    }
+
    bool modified = false;
    // TODO: use RCU!
    mutex_lock(&allowlist_mutex);
@@ -466,7 +508,8 @@ void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *), void *data
            pr_info("prune uid: %d, package: %s\n", uid, package);
            list_del(&np->list);
            if (likely(uid <= BITMAP_UID_MAX)) {
-				allow_list_bitmap[uid / BITS_PER_BYTE] &= ~(1 << (uid % BITS_PER_BYTE));
+                allow_list_bitmap[uid / BITS_PER_BYTE] &=
+                    ~(1 << (uid % BITS_PER_BYTE));
            }
            remove_uid_from_arr(uid);
            smp_mb();
@@ -480,17 +523,6 @@ void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *), void *data
    }
 }

-// make sure allow list works cross boot
-bool persistent_allow_list(void)
-{
-	return ksu_queue_work(&ksu_save_work);
-}
-
-bool ksu_load_allow_list(void)
-{
-	return ksu_queue_work(&ksu_load_work);
-}
-
 void ksu_allowlist_init(void)
 {
    int i;
@@ -503,9 +535,6 @@ void ksu_allowlist_init(void)

    INIT_LIST_HEAD(&allow_list);

-	INIT_WORK(&ksu_save_work, do_save_allow_list);
-	INIT_WORK(&ksu_load_work, do_load_allow_list);
-
    init_default_profiles();
 }

@@ -514,8 +543,6 @@ void ksu_allowlist_exit(void)
    struct perm_data *np = NULL;
    struct perm_data *n = NULL;

-	do_save_allow_list(NULL);
-
    // free allowlist
    mutex_lock(&allowlist_mutex);
    list_for_each_entry_safe (np, n, &allow_list, list) {
@@ -524,3 +551,81 @@ void ksu_allowlist_exit(void)
    }
    mutex_unlock(&allowlist_mutex);
 }
+
+#ifdef CONFIG_KSU_MANUAL_SU
+bool ksu_temp_grant_root_once(uid_t uid)
+{
+    struct app_profile profile = {
+        .version = KSU_APP_PROFILE_VER,
+        .allow_su = true,
+        .current_uid = uid,
+    };
+
+    const char *default_key = "com.temp.once";
+
+    struct perm_data *p = NULL;
+    struct list_head *pos = NULL;
+    bool found = false;
+
+    list_for_each (pos, &allow_list) {
+        p = list_entry(pos, struct perm_data, list);
+        if (p->profile.current_uid == uid) {
+            strcpy(profile.key, p->profile.key);
+            found = true;
+            break;
+        }
+    }
+
+    if (!found) {
+        strcpy(profile.key, default_key);
+    }
+
+    profile.rp_config.profile.uid = default_root_profile.uid;
+    profile.rp_config.profile.gid = default_root_profile.gid;
+    profile.rp_config.profile.groups_count = default_root_profile.groups_count;
+    memcpy(profile.rp_config.profile.groups, default_root_profile.groups, sizeof(default_root_profile.groups));
+    memcpy(&profile.rp_config.profile.capabilities, &default_root_profile.capabilities, sizeof(default_root_profile.capabilities));
+    profile.rp_config.profile.namespaces = default_root_profile.namespaces;
+    strcpy(profile.rp_config.profile.selinux_domain, default_root_profile.selinux_domain);
+
+    bool ok = ksu_set_app_profile(&profile, false);
+    if (ok)
+        pr_info("pending_root: UID=%d granted and persisted\n", uid);
+    return ok;
+}
+
+void ksu_temp_revoke_root_once(uid_t uid)
+{
+    struct app_profile profile = {
+        .version = KSU_APP_PROFILE_VER,
+        .allow_su = false,
+        .current_uid = uid,
+    };
+
+    const char *default_key = "com.temp.once";
+
+    struct perm_data *p = NULL;
+    struct list_head *pos = NULL;
+    bool found = false;
+
+    list_for_each (pos, &allow_list) {
+        p = list_entry(pos, struct perm_data, list);
+        if (p->profile.current_uid == uid) {
+            strcpy(profile.key, p->profile.key);
+            found = true;
+            break;
+        }
+    }
+
+    if (!found) {
+        strcpy(profile.key, default_key);
+    }
+
+    profile.nrp_config.profile.umount_modules = default_non_root_profile.umount_modules;
+    strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+
+    ksu_set_app_profile(&profile, false);
+    persistent_allow_list();
+    pr_info("pending_root: UID=%d removed and persist updated\n", uid);
+}
+#endif
--- a/kernel/allowlist.h
+++ b/kernel/allowlist.h
@@ -2,19 +2,31 @@
 #define __KSU_H_ALLOWLIST

 #include <linux/types.h>
-#include "ksu.h"
+#include <linux/uidgid.h>
+#include "app_profile.h"
+
+#define PER_USER_RANGE 100000
+#define FIRST_APPLICATION_UID 10000
+#define LAST_APPLICATION_UID 19999
+#define FIRST_ISOLATED_UID 99000
+#define LAST_ISOLATED_UID 99999

 void ksu_allowlist_init(void);

 void ksu_allowlist_exit(void);

-bool ksu_load_allow_list(void);
+void ksu_load_allow_list(void);

 void ksu_show_allow_list(void);

+// Check if the uid is in allow list
 bool __ksu_is_allow_uid(uid_t uid);
 #define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))

+// Check if the uid is in allow list, or current is ksu domain root
+bool __ksu_is_allow_uid_for_current(uid_t uid);
+#define ksu_is_allow_uid_for_current(uid) unlikely(__ksu_is_allow_uid_for_current(uid))
+
 bool ksu_get_allow_list(int *array, int *length, bool allow);

 void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
@@ -24,4 +36,22 @@ bool ksu_set_app_profile(struct app_profile *, bool persist);

 bool ksu_uid_should_umount(uid_t uid);
 struct root_profile *ksu_get_root_profile(uid_t uid);
+
+static inline bool is_appuid(uid_t uid)
+{
+    uid_t appid = uid % PER_USER_RANGE;
+    return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
+}
+
+static inline bool is_isolated_process(uid_t uid)
+{
+    uid_t appid = uid % PER_USER_RANGE;
+    return appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID;
+}
+
+#ifdef CONFIG_KSU_MANUAL_SU
+bool ksu_temp_grant_root_once(uid_t uid);
+void ksu_temp_revoke_root_once(uid_t uid);
+#endif
+
 #endif
--- a/kernel/apk_sign.c
+++ b/kernel/apk_sign.c
@@ -4,7 +4,6 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
 #include <linux/version.h>
-#include <linux/workqueue.h>
 #ifdef CONFIG_KSU_DEBUG
 #include <linux/moduleparam.h>
 #endif
@@ -16,483 +15,20 @@
 #endif

 #include "apk_sign.h"
+#include "dynamic_manager.h"
 #include "klog.h" // IWYU pragma: keep
-#include "kernel_compat.h"
 #include "manager_sign.h"

-// Expected sizes and hashes for various APK signatures
-#define DYNAMIC_SIGN_FILE_MAGIC 0x7f445347 // 'DSG', u32
-#define DYNAMIC_SIGN_FILE_VERSION 1 // u32
-#define KERNEL_SU_DYNAMIC_SIGN "/data/adb/ksu/.dynamic_sign"
-
-#define MAX_MANAGERS 2
-static struct manager_info active_managers[MAX_MANAGERS];
-static DEFINE_SPINLOCK(managers_lock);
-
-static struct dynamic_sign_config dynamic_sign = {
-    .size = 0x300, 
-    .hash = "0000000000000000000000000000000000000000000000000000000000000000",
-    .is_set = 0
-};
-
-static DEFINE_SPINLOCK(dynamic_sign_lock);
-static struct work_struct ksu_save_dynamic_sign_work;
-static struct work_struct ksu_load_dynamic_sign_work;
-static struct work_struct ksu_clear_dynamic_sign_work;
-
-static inline bool is_dynamic_sign_enabled(void)
-{
-    unsigned long flags;
-    bool enabled;
-    
-    spin_lock_irqsave(&dynamic_sign_lock, flags);
-    enabled = dynamic_sign.is_set;
-    spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-    
-    return enabled;
-}
-
-void ksu_add_manager(uid_t uid, int signature_index)
-{
-    unsigned long flags;
-    int i;
-    
-    if (!is_dynamic_sign_enabled()) {
-        pr_info("Dynamic sign not enabled, skipping multi-manager add\n");
-        return;
-    }
-    
-    spin_lock_irqsave(&managers_lock, flags);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (active_managers[i].is_active && active_managers[i].uid == uid) {
-            active_managers[i].signature_index = signature_index;
-            spin_unlock_irqrestore(&managers_lock, flags);
-            pr_info("Updated manager uid=%d, signature_index=%d\n", uid, signature_index);
-            return;
-        }
-    }
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (!active_managers[i].is_active) {
-            active_managers[i].uid = uid;
-            active_managers[i].signature_index = signature_index;
-            active_managers[i].is_active = true;
-            spin_unlock_irqrestore(&managers_lock, flags);
-            pr_info("Added manager uid=%d, signature_index=%d\n", uid, signature_index);
-            return;
-        }
-    }
-    
-    spin_unlock_irqrestore(&managers_lock, flags);
-    pr_warn("Failed to add manager, no free slots\n");
-}
-
-void ksu_remove_manager(uid_t uid)
-{
-    unsigned long flags;
-    int i;
-    
-    if (!is_dynamic_sign_enabled()) {
-        return;
-    }
-    
-    spin_lock_irqsave(&managers_lock, flags);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (active_managers[i].is_active && active_managers[i].uid == uid) {
-            active_managers[i].is_active = false;
-            pr_info("Removed manager uid=%d\n", uid);
-            break;
-        }
-    }
-    
-    spin_unlock_irqrestore(&managers_lock, flags);
-}
-
-bool ksu_is_any_manager(uid_t uid)
-{
-    unsigned long flags;
-    bool is_manager = false;
-    int i;
-    
-    if (!is_dynamic_sign_enabled()) {
-        return false;
-    }
-    
-    spin_lock_irqsave(&managers_lock, flags);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (active_managers[i].is_active && active_managers[i].uid == uid) {
-            is_manager = true;
-            break;
-        }
-    }
-    
-    spin_unlock_irqrestore(&managers_lock, flags);
-    return is_manager;
-}
-
-int ksu_get_manager_signature_index(uid_t uid)
-{
-    unsigned long flags;
-    int signature_index = -1;
-    int i;
-    
-    if (ksu_manager_uid != KSU_INVALID_UID && uid == ksu_manager_uid) {
-        return 1;
-    }
-    
-    if (!is_dynamic_sign_enabled()) {
-        return -1;
-    }
-    
-    spin_lock_irqsave(&managers_lock, flags);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (active_managers[i].is_active && active_managers[i].uid == uid) {
-            signature_index = active_managers[i].signature_index;
-            break;
-        }
-    }
-    
-    spin_unlock_irqrestore(&managers_lock, flags);
-    return signature_index;
-}
-
-
-static void clear_all_managers(void)
-{
-    unsigned long flags;
-    int i;
-    
-    spin_lock_irqsave(&managers_lock, flags);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        if (active_managers[i].is_active) {
-            pr_info("Clearing manager uid=%d due to dynamic_sign disable\n", 
-                    active_managers[i].uid);
-            active_managers[i].is_active = false;
-        }
-    }
-    
-    spin_unlock_irqrestore(&managers_lock, flags);
-}
-
-static void do_save_dynamic_sign(struct work_struct *work)
-{
-    u32 magic = DYNAMIC_SIGN_FILE_MAGIC;
-    u32 version = DYNAMIC_SIGN_FILE_VERSION;
-    struct dynamic_sign_config config_to_save;
-    loff_t off = 0;
-    unsigned long flags;
-    struct file *fp;
-
-    spin_lock_irqsave(&dynamic_sign_lock, flags);
-    config_to_save = dynamic_sign;
-    spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-
-    if (!config_to_save.is_set) {
-        pr_info("Dynamic sign config not set, skipping save\n");
-        return;
-    }
-
-    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_WRONLY | O_CREAT | O_TRUNC, 0644);
-    if (IS_ERR(fp)) {
-        pr_err("save_dynamic_sign create file failed: %ld\n", PTR_ERR(fp));
-        return;
-    }
-
-    if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
-        pr_err("save_dynamic_sign write magic failed.\n");
-        goto exit;
-    }
-
-    if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
-        pr_err("save_dynamic_sign write version failed.\n");
-        goto exit;
-    }
-
-    if (ksu_kernel_write_compat(fp, &config_to_save, sizeof(config_to_save), &off) != sizeof(config_to_save)) {
-        pr_err("save_dynamic_sign write config failed.\n");
-        goto exit;
-    }
-
-    pr_info("Dynamic sign config saved successfully\n");
-
-exit:
-    filp_close(fp, 0);
-}
-
-// Loading dynamic signatures from persistent storage
-static void do_load_dynamic_sign(struct work_struct *work)
-{
-    loff_t off = 0;
-    ssize_t ret = 0;
-    struct file *fp = NULL;
-    u32 magic;
-    u32 version;
-    struct dynamic_sign_config loaded_config;
-    unsigned long flags;
-    int i;
-
-    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_RDONLY, 0);
-    if (IS_ERR(fp)) {
-        if (PTR_ERR(fp) == -ENOENT) {
-            pr_info("No saved dynamic sign config found\n");
-        } else {
-            pr_err("load_dynamic_sign open file failed: %ld\n", PTR_ERR(fp));
-        }
-        return;
-    }
-
-    if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
-        magic != DYNAMIC_SIGN_FILE_MAGIC) {
-        pr_err("dynamic sign file invalid magic: %x!\n", magic);
-        goto exit;
-    }
-
-    if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) != sizeof(version)) {
-        pr_err("dynamic sign read version failed\n");
-        goto exit;
-    }
-
-    pr_info("dynamic sign file version: %d\n", version);
-
-    ret = ksu_kernel_read_compat(fp, &loaded_config, sizeof(loaded_config), &off);
-    if (ret <= 0) {
-        pr_info("load_dynamic_sign read err: %zd\n", ret);
-        goto exit;
-    }
-
-    if (ret != sizeof(loaded_config)) {
-        pr_err("load_dynamic_sign read incomplete config: %zd/%zu\n", ret, sizeof(loaded_config));
-        goto exit;
-    }
-
-    if (loaded_config.size < 0x100 || loaded_config.size > 0x1000) {
-        pr_err("Invalid saved config size: 0x%x\n", loaded_config.size);
-        goto exit;
-    }
-
-    if (strlen(loaded_config.hash) != 64) {
-        pr_err("Invalid saved config hash length: %zu\n", strlen(loaded_config.hash));
-        goto exit;
-    }
-
-    for (i = 0; i < 64; i++) {
-        char c = loaded_config.hash[i];
-        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
-            pr_err("Invalid saved config hash character at position %d: %c\n", i, c);
-            goto exit;
-        }
-    }
-
-    spin_lock_irqsave(&dynamic_sign_lock, flags);
-    dynamic_sign = loaded_config;
-    spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-
-    pr_info("Dynamic sign config loaded: size=0x%x, hash=%.16s...\n", 
-            loaded_config.size, loaded_config.hash);
-
-exit:
-    filp_close(fp, 0);
-}
-
-static bool persistent_dynamic_sign(void)
-{
-    return ksu_queue_work(&ksu_save_dynamic_sign_work);
-}
-
-// Clear dynamic sign config file using the same method as do_save_dynamic_sign
-static void do_clear_dynamic_sign_file(struct work_struct *work)
-{
-    loff_t off = 0;
-    struct file *fp;
-    char zero_buffer[512];
-
-    memset(zero_buffer, 0, sizeof(zero_buffer));
-
-    fp = ksu_filp_open_compat(KERNEL_SU_DYNAMIC_SIGN, O_WRONLY | O_CREAT | O_TRUNC, 0644);
-    if (IS_ERR(fp)) {
-        pr_err("clear_dynamic_sign create file failed: %ld\n", PTR_ERR(fp));
-        return;
-    }
-
-    // Write null bytes to overwrite the file content
-    if (ksu_kernel_write_compat(fp, zero_buffer, sizeof(zero_buffer), &off) != sizeof(zero_buffer)) {
-        pr_err("clear_dynamic_sign write null bytes failed.\n");
-    } else {
-        pr_info("Dynamic sign config file cleared successfully\n");
-    }
-
-    filp_close(fp, 0);
-}
-
-static bool clear_dynamic_sign_file(void)
-{
-    return ksu_queue_work(&ksu_clear_dynamic_sign_work);
-}
-
-int ksu_handle_dynamic_sign(struct dynamic_sign_user_config *config)
-{
-    unsigned long flags;
-    int ret = 0;
-    int i;
-    
-    if (!config) {
-        return -EINVAL;
-    }
-    
-    switch (config->operation) {
-    case DYNAMIC_SIGN_OP_SET:
-        if (config->size < 0x100 || config->size > 0x1000) {
-            pr_err("invalid size: 0x%x\n", config->size);
-            return -EINVAL;
-        }
-        
-        if (strlen(config->hash) != 64) {
-            pr_err("invalid hash length: %zu\n", strlen(config->hash));
-            return -EINVAL;
-        }
-        
-        for (i = 0; i < 64; i++) {
-            char c = config->hash[i];
-            if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
-                pr_err("invalid hash character at position %d: %c\n", i, c);
-                return -EINVAL;
-            }
-        }
-        
-        spin_lock_irqsave(&dynamic_sign_lock, flags);
-        dynamic_sign.size = config->size;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-        strscpy(dynamic_sign.hash, config->hash, sizeof(dynamic_sign.hash));
-#else
-        strlcpy(dynamic_sign.hash, config->hash, sizeof(dynamic_sign.hash));
-#endif
-        dynamic_sign.is_set = 1;
-        spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-        
-        persistent_dynamic_sign();
-        pr_info("dynamic sign updated: size=0x%x, hash=%.16s... (multi-manager enabled)\n", 
-                config->size, config->hash);
-        break;
-        
-    case DYNAMIC_SIGN_OP_GET:
-        // Getting Dynamic Signatures
-        spin_lock_irqsave(&dynamic_sign_lock, flags);
-        if (dynamic_sign.is_set) {
-            config->size = dynamic_sign.size;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
-            strscpy(config->hash, dynamic_sign.hash, sizeof(config->hash));
-#else
-            strlcpy(config->hash, dynamic_sign.hash, sizeof(config->hash));
-#endif
-            ret = 0;
-        } else {
-            ret = -ENODATA;
-        }
-        spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-        break;
-        
-    case DYNAMIC_SIGN_OP_CLEAR:
-        // Clearing dynamic signatures
-        spin_lock_irqsave(&dynamic_sign_lock, flags);
-        dynamic_sign.size = 0x300;
-        strcpy(dynamic_sign.hash, "0000000000000000000000000000000000000000000000000000000000000000");
-        dynamic_sign.is_set = 0;
-        spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-        clear_all_managers();
-        
-        // Clear file using the same method as save
-        clear_dynamic_sign_file();
-        
-        pr_info("Dynamic sign config cleared (multi-manager disabled)\n");
-        break;
-        
-    default:
-        pr_err("Invalid dynamic sign operation: %d\n", config->operation);
-        return -EINVAL;
-    }
-
-    return ret;
-}
-
-bool ksu_load_dynamic_sign(void)
-{
-    return ksu_queue_work(&ksu_load_dynamic_sign_work);
-}
-
-void ksu_dynamic_sign_init(void)
-{
-    int i;
-    
-    INIT_WORK(&ksu_save_dynamic_sign_work, do_save_dynamic_sign);
-    INIT_WORK(&ksu_load_dynamic_sign_work, do_load_dynamic_sign);
-    INIT_WORK(&ksu_clear_dynamic_sign_work, do_clear_dynamic_sign_file);
-    
-    for (i = 0; i < MAX_MANAGERS; i++) {
-        active_managers[i].is_active = false;
-    }
-    
-    pr_info("Dynamic sign initialized with conditional multi-manager support\n");
-}
-
-void ksu_dynamic_sign_exit(void)
-{
-    clear_all_managers();
-    
-    do_save_dynamic_sign(NULL);
-    pr_info("Dynamic sign exited with persistent storage\n");
-}
-
-// Get active managers for multi-manager APKs
-int ksu_get_active_managers(struct manager_list_info *info)
-{
-    unsigned long flags;
-    int i, count = 0;
-    
-    if (!info) {
-        return -EINVAL;
-    }
-    
-    if (ksu_manager_uid != KSU_INVALID_UID && count < 2) {
-        info->managers[count].uid = ksu_manager_uid;
-        info->managers[count].signature_index = 1;
-        count++;
-    }
-    
-    if (is_dynamic_sign_enabled()) {
-        spin_lock_irqsave(&managers_lock, flags);
-        
-        for (i = 0; i < MAX_MANAGERS && count < 2; i++) {
-            if (active_managers[i].is_active) {
-                info->managers[count].uid = active_managers[i].uid;
-                info->managers[count].signature_index = active_managers[i].signature_index;
-                count++;
-            }
-        }
-        
-        spin_unlock_irqrestore(&managers_lock, flags);
-    }
-    
-    info->count = count;
-    return 0;
-}
-
 struct sdesc {
    struct shash_desc shash;
    char ctx[];
 };

-static struct apk_sign_key {
-	unsigned size;
-	const char *sha256;
-} apk_sign_keys[] = {
-	{EXPECTED_SIZE, EXPECTED_HASH},
+static apk_sign_key_t apk_sign_keys[] = {
    {EXPECTED_SIZE_SHIRKNEKO, EXPECTED_HASH_SHIRKNEKO}, // ShirkNeko/SukiSU
-	{EXPECTED_SIZE_OTHER, EXPECTED_HASH_OTHER}, // Dynamic Sign
+#ifdef EXPECTED_SIZE
+    {EXPECTED_SIZE, EXPECTED_HASH}, // Custom
+#endif
 };

 static struct sdesc *init_sdesc(struct crypto_shash *alg)
@@ -501,7 +37,7 @@ static struct sdesc *init_sdesc(struct crypto_shash *alg)
    int size;

    size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
-	sdesc = kmalloc(size, GFP_KERNEL);
+    sdesc = kzalloc(size, GFP_KERNEL);
    if (!sdesc)
        return ERR_PTR(-ENOMEM);
    sdesc->shash.tfm = alg;
@@ -542,6 +78,120 @@ static int ksu_sha256(const unsigned char *data, unsigned int datalen,
    return ret;
 }

+
+static struct dynamic_sign_key dynamic_sign = DYNAMIC_SIGN_DEFAULT_CONFIG;
+
+static bool check_dynamic_sign(struct file *fp, u32 size4, loff_t *pos, int *matched_index)
+{
+    struct dynamic_sign_key current_dynamic_key = dynamic_sign;
+    
+    if (ksu_get_dynamic_manager_config(&current_dynamic_key.size, &current_dynamic_key.hash)) {
+        pr_debug("Using dynamic manager config: size=0x%x, hash=%.16s...\n", 
+                 current_dynamic_key.size, current_dynamic_key.hash);
+    }
+    
+    if (size4 != current_dynamic_key.size) {
+        return false;
+    }
+
+#define CERT_MAX_LENGTH 1024
+    char cert[CERT_MAX_LENGTH];
+    if (size4 > CERT_MAX_LENGTH) {
+        pr_info("cert length overlimit\n");
+        return false;
+    }
+    
+    kernel_read(fp, cert, size4, pos);
+    
+    unsigned char digest[SHA256_DIGEST_SIZE];
+    if (ksu_sha256(cert, size4, digest) < 0) {
+        pr_info("sha256 error\n");
+        return false;
+    }
+
+    char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+    hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+    bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+    
+    pr_info("sha256: %s, expected: %s, index: dynamic\n", hash_str, current_dynamic_key.hash);
+    
+    if (strcmp(current_dynamic_key.hash, hash_str) == 0) {
+        if (matched_index) {
+            *matched_index = DYNAMIC_SIGN_INDEX;
+        }
+        return true;
+    }
+    
+    return false;
+}
+
+static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset, int *matched_index)
+{
+    int i;
+    apk_sign_key_t sign_key;
+    bool signature_valid = false;
+
+    kernel_read(fp, size4, 0x4, pos); // signer-sequence length
+    kernel_read(fp, size4, 0x4, pos); // signer length
+    kernel_read(fp, size4, 0x4, pos); // signed data length
+
+    *offset += 0x4 * 3;
+
+    kernel_read(fp, size4, 0x4, pos); // digests-sequence length
+
+    *pos += *size4;
+    *offset += 0x4 + *size4;
+
+    kernel_read(fp, size4, 0x4, pos); // certificates length
+    kernel_read(fp, size4, 0x4, pos); // certificate length
+    *offset += 0x4 * 2;
+
+    if (ksu_is_dynamic_manager_enabled()) {
+        loff_t temp_pos = *pos;
+        if (check_dynamic_sign(fp, *size4, &temp_pos, matched_index)) {
+            *pos = temp_pos;
+            *offset += *size4;
+            return true;
+        }
+    }
+
+    for (i = 0; i < ARRAY_SIZE(apk_sign_keys); i++) {
+        sign_key = apk_sign_keys[i];
+
+        if (*size4 != sign_key.size)
+            continue;
+        *offset += *size4;
+
+#define CERT_MAX_LENGTH 1024
+        char cert[CERT_MAX_LENGTH];
+        if (*size4 > CERT_MAX_LENGTH) {
+            pr_info("cert length overlimit\n");
+            return false;
+        }
+        kernel_read(fp, cert, *size4, pos);
+        unsigned char digest[SHA256_DIGEST_SIZE];
+        if (ksu_sha256(cert, *size4, digest) < 0 ) {
+            pr_info("sha256 error\n");
+            return false;
+        }
+
+        char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+        hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+
+        bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+        pr_info("sha256: %s, expected: %s, index: %d\n", hash_str, sign_key.sha256, i);
+        
+        if (strcmp(sign_key.sha256, hash_str) == 0) {
+            signature_valid = true;
+            if (matched_index) {
+                *matched_index = i;
+            }
+            break;
+        }
+    }
+    return signature_valid;
+}
+
 struct zip_entry_header {
    uint32_t signature;
    uint16_t version;
@@ -564,7 +214,7 @@ static bool has_v1_signature_file(struct file *fp)

    loff_t pos = 0;

-	while (ksu_kernel_read_compat(fp, &header,
+    while (kernel_read(fp, &header,
                      sizeof(struct zip_entry_header), &pos) ==
           sizeof(struct zip_entry_header)) {
        if (header.signature != 0x04034b50) {
@@ -574,7 +224,7 @@ static bool has_v1_signature_file(struct file *fp)
        // Read the entry file name
        if (header.file_name_length == sizeof(MANIFEST) - 1) {
            char fileName[sizeof(MANIFEST)];
-			ksu_kernel_read_compat(fp, fileName,
+            kernel_read(fp, fileName,
                           header.file_name_length, &pos);
            fileName[header.file_name_length] = '\0';

@@ -595,101 +245,28 @@ static bool has_v1_signature_file(struct file *fp)
    return false;
 }

-// Generic Signature Block Verification
-static int verify_signature_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset, int *matched_index)
-{
-	int i;
-	struct apk_sign_key sign_key;
-	bool signature_valid = false;
-
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer-sequence length
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer length
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signed data length
-
-	*offset += 0x4 * 3;
-
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // digests-sequence length
-
-	*pos += *size4;
-	*offset += 0x4 + *size4;
-
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificates length
-	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificate length
-	*offset += 0x4 * 2;
-
-	for (i = 0; i < ARRAY_SIZE(apk_sign_keys); i++) {
-		sign_key = apk_sign_keys[i];
-
-		if (i == 2) {
-			unsigned long flags;
-			spin_lock_irqsave(&dynamic_sign_lock, flags);
-			if (dynamic_sign.is_set) {
-				sign_key.size = dynamic_sign.size;
-				sign_key.sha256 = dynamic_sign.hash;
-			}
-			spin_unlock_irqrestore(&dynamic_sign_lock, flags);
-		}
-
-		if (*size4 != sign_key.size)
-			continue;
-
-#define CERT_MAX_LENGTH 1024
-		char cert[CERT_MAX_LENGTH];
-		if (*size4 > CERT_MAX_LENGTH) {
-			pr_info("cert length overlimit\n");
-			continue;
-		}
-		
-		loff_t cert_pos = *pos;
-		ksu_kernel_read_compat(fp, cert, *size4, &cert_pos);
-		unsigned char digest[SHA256_DIGEST_SIZE];
-		if (IS_ERR(ksu_sha256(cert, *size4, digest))) {
-			pr_info("sha256 error\n");
-			continue;
-		}
-
-		char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
-		hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
-
-		bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
-		pr_info("sha256: %s, expected: %s, index: %d\n", hash_str, sign_key.sha256, i);
-		
-		if (strcmp(sign_key.sha256, hash_str) == 0) {
-			signature_valid = true;
-			if (matched_index) {
-				*matched_index = i;
-			}
-			break;
-		}
-	}
-	
-	*offset += *size4;
-	*pos += *size4;
-	
-	return signature_valid ? 1 : 0;
-}
-
-// Generic APK signature parsing
-static int parse_apk_signature(char *path, bool check_multi_manager, int *signature_index)
+static __always_inline bool check_v2_signature(char *path, bool check_multi_manager, int *signature_index)
 {
    unsigned char buffer[0x11] = { 0 };
    u32 size4;
    u64 size8, size_of_block;
+
    loff_t pos;
+
    bool v2_signing_valid = false;
    int v2_signing_blocks = 0;
    bool v3_signing_exist = false;
    bool v3_1_signing_exist = false;
    int matched_index = -1;
    int i;
-	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
+    struct file *fp = filp_open(path, O_RDONLY, 0);
    if (IS_ERR(fp)) {
        pr_err("open %s error.\n", path);
-		return -1;
+        return false;
    }

-	// If you want to check for multi-manager APK signing, but dynamic signing is not enabled, skip the
-	if (check_multi_manager && !is_dynamic_sign_enabled()) {
+    // If you want to check for multi-manager APK signing, but dynamic managering is not enabled, skip
+    if (check_multi_manager && !ksu_is_dynamic_manager_enabled()) {
        filp_close(fp, 0);
        return 0;
    }
@@ -701,10 +278,10 @@ static int parse_apk_signature(char *path, bool check_multi_manager, int *signat
    for (i = 0;; ++i) {
        unsigned short n;
        pos = generic_file_llseek(fp, -i - 2, SEEK_END);
-		ksu_kernel_read_compat(fp, &n, 2, &pos);
+        kernel_read(fp, &n, 2, &pos);
        if (n == i) {
            pos -= 22;
-			ksu_kernel_read_compat(fp, &size4, 4, &pos);
+            kernel_read(fp, &size4, 4, &pos);
            if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
                break;
            }
@@ -717,36 +294,36 @@ static int parse_apk_signature(char *path, bool check_multi_manager, int *signat

    pos += 12;
    // offset
-	ksu_kernel_read_compat(fp, &size4, 0x4, &pos);
+    kernel_read(fp, &size4, 0x4, &pos);
    pos = size4 - 0x18;

-	ksu_kernel_read_compat(fp, &size8, 0x8, &pos);
-	ksu_kernel_read_compat(fp, buffer, 0x10, &pos);
+    kernel_read(fp, &size8, 0x8, &pos);
+    kernel_read(fp, buffer, 0x10, &pos);
    if (strcmp((char *)buffer, "APK Sig Block 42")) {
        goto clean;
    }

    pos = size4 - (size8 + 0x8);
-	ksu_kernel_read_compat(fp, &size_of_block, 0x8, &pos);
+    kernel_read(fp, &size_of_block, 0x8, &pos);
    if (size_of_block != size8) {
        goto clean;
    }

-	// Parsing the signature block
    int loop_count = 0;
    while (loop_count++ < 10) {
        uint32_t id;
        uint32_t offset;
-		ksu_kernel_read_compat(fp, &size8, 0x8, &pos); // sequence length
+        kernel_read(fp, &size8, 0x8,
+                       &pos); // sequence length
        if (size8 == size_of_block) {
            break;
        }
-		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
+        kernel_read(fp, &id, 0x4, &pos); // id
        offset = 4;
        if (id == 0x7109871au) {
            v2_signing_blocks++;
-			int result = verify_signature_block(fp, &size4, &pos, &offset, &matched_index);
-			if (result == 1) {
+            bool result = check_block(fp, &size4, &pos, &offset, &matched_index);
+            if (result) {
                v2_signing_valid = true;
            }
        } else if (id == 0xf05368c0u) {
@@ -765,21 +342,20 @@ static int parse_apk_signature(char *path, bool check_multi_manager, int *signat

    if (v2_signing_blocks != 1) {
 #ifdef CONFIG_KSU_DEBUG
-		pr_err("Unexpected v2 signature count: %d\n", v2_signing_blocks);
+        pr_err("Unexpected v2 signature count: %d\n",
+               v2_signing_blocks);
 #endif
        v2_signing_valid = false;
    }

-	// Check v1 signatures
    if (v2_signing_valid) {
-		bool has_v1_signing = has_v1_signature_file(fp);
+        int has_v1_signing = has_v1_signature_file(fp);
        if (has_v1_signing) {
            pr_err("Unexpected v1 signature scheme found!\n");
            filp_close(fp, 0);
-			return -1;
+            return false;
        }
    }
-
 clean:
    filp_close(fp, 0);

@@ -787,7 +363,7 @@ clean:
 #ifdef CONFIG_KSU_DEBUG
        pr_err("Unexpected v3 signature scheme found!\n");
 #endif
-		return -1;
+        return false;
    }

    if (v2_signing_valid) {
@@ -796,37 +372,18 @@ clean:
        }
        
        if (check_multi_manager) {
-			// 1: ShirkNeko/SukiSU, 2: Dynamic Sign
-			if (matched_index == 1 || matched_index == 2) {
-				pr_info("Multi-manager APK detected (dynamic_sign enabled): signature_index=%d\n", matched_index);
-				return 1;
+            // 0: ShirkNeko/SukiSU, DYNAMIC_SIGN_INDEX : Dynamic Sign
+            if (matched_index == 0 || matched_index == DYNAMIC_SIGN_INDEX) {
+                pr_info("Multi-manager APK detected (dynamic_manager enabled): signature_index=%d\n", matched_index);
+                return true;
            }
-			return 0;
+            return false;
        } else {
            // Common manager check: any valid signature will do
-			return 1;
+            return true;
        }
    }
-
-	return 0;
-}
-
-bool ksu_is_multi_manager_apk(char *path, int *signature_index)
-{
-	int result = parse_apk_signature(path, true, signature_index);
-	return result == 1;
-}
-
-static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset)
-{
-	int result = verify_signature_block(fp, size4, pos, offset, NULL);
-	return result == 1;
-}
-
-static __always_inline bool check_v2_signature(char *path)
-{
-	int result = parse_apk_signature(path, false, NULL);
-	return result == 1;
+    return false;
 }

 #ifdef CONFIG_KSU_DEBUG
@@ -855,5 +412,10 @@ module_param_cb(ksu_debug_manager_uid, &expected_size_ops,

 bool is_manager_apk(char *path)
 {
-	return check_v2_signature(path);
+    return check_v2_signature(path, false, NULL);
+}
+
+bool is_dynamic_manager_apk(char *path, int *signature_index)
+{
+    return check_v2_signature(path, true, signature_index);
 }
--- a/kernel/apk_sign.h
+++ b/kernel/apk_sign.h
@@ -3,32 +3,9 @@

 #include <linux/types.h>
 #include "ksu.h"
-#include "manager.h"

 bool is_manager_apk(char *path);

-struct dynamic_sign_config {
-    unsigned int size;
-    char hash[65];
-    int is_set;
-};
-
-struct manager_info {
-    uid_t uid;
-    int signature_index;
-    bool is_active;
-};
-
-bool ksu_is_multi_manager_apk(char *path, int *signature_index);
-void ksu_add_manager(uid_t uid, int signature_index);
-void ksu_remove_manager(uid_t uid);
-bool ksu_is_any_manager(uid_t uid);
-int ksu_get_manager_signature_index(uid_t uid);
-int ksu_get_active_managers(struct manager_list_info *info);
-
-int ksu_handle_dynamic_sign(struct dynamic_sign_user_config *config);
-void ksu_dynamic_sign_init(void);
-void ksu_dynamic_sign_exit(void);
-bool ksu_load_dynamic_sign(void);
+bool is_dynamic_manager_apk(char *path, int *signature_index);

 #endif
--- a/kernel/app_profile.c
+++ b/kernel/app_profile.c
@@ -0,0 +1,303 @@
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/sched.h>
+#include <linux/sched/signal.h>
+#include <linux/seccomp.h>
+#include <linux/thread_info.h>
+#include <linux/uidgid.h>
+#include <linux/version.h>
+#include "objsec.h"
+
+#include "allowlist.h"
+#include "app_profile.h"
+#include "klog.h" // IWYU pragma: keep
+#include "selinux/selinux.h"
+#include "syscall_hook_manager.h"
+#include "sucompat.h"
+
+#include "sulog.h"
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION (6, 7, 0)
+    static struct group_info root_groups = { .usage = REFCOUNT_INIT(2), };
+#else 
+    static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
+#endif
+
+static void setup_groups(struct root_profile *profile, struct cred *cred)
+{
+    if (profile->groups_count > KSU_MAX_GROUPS) {
+        pr_warn("Failed to setgroups, too large group: %d!\n",
+            profile->uid);
+        return;
+    }
+
+    if (profile->groups_count == 1 && profile->groups[0] == 0) {
+        // setgroup to root and return early.
+        if (cred->group_info)
+            put_group_info(cred->group_info);
+        cred->group_info = get_group_info(&root_groups);
+        return;
+    }
+
+    u32 ngroups = profile->groups_count;
+    struct group_info *group_info = groups_alloc(ngroups);
+    if (!group_info) {
+        pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+        return;
+    }
+
+    int i;
+    for (i = 0; i < ngroups; i++) {
+        gid_t gid = profile->groups[i];
+        kgid_t kgid = make_kgid(current_user_ns(), gid);
+        if (!gid_valid(kgid)) {
+            pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+            put_group_info(group_info);
+            return;
+        }
+        group_info->gid[i] = kgid;
+    }
+
+    groups_sort(group_info);
+    set_groups(cred, group_info);
+    put_group_info(group_info);
+}
+
+void disable_seccomp(void)
+{
+	assert_spin_locked(&current->sighand->siglock);
+	// disable seccomp
+#if defined(CONFIG_GENERIC_ENTRY) &&                                           \
+	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	clear_syscall_work(SECCOMP);
+#else
+	clear_thread_flag(TIF_SECCOMP);
+#endif
+
+#ifdef CONFIG_SECCOMP
+	current->seccomp.mode = 0;
+	current->seccomp.filter = NULL;
+	atomic_set(&current->seccomp.filter_count, 0);
+#else
+#endif
+}
+
+void escape_with_root_profile(void)
+{
+    struct cred *cred;
+    struct task_struct *p = current;
+    struct task_struct *t;
+
+    cred = prepare_creds();
+    if (!cred) {
+        pr_warn("prepare_creds failed!\n");
+        return;
+    }
+
+    if (cred->euid.val == 0) {
+        pr_warn("Already root, don't escape!\n");
+#if __SULOG_GATE
+        ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root_failed");
+#endif
+        abort_creds(cred);
+        return;
+    }
+
+    struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+
+    cred->uid.val = profile->uid;
+    cred->suid.val = profile->uid;
+    cred->euid.val = profile->uid;
+    cred->fsuid.val = profile->uid;
+
+    cred->gid.val = profile->gid;
+    cred->fsgid.val = profile->gid;
+    cred->sgid.val = profile->gid;
+    cred->egid.val = profile->gid;
+    cred->securebits = 0;
+
+    BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+             sizeof(kernel_cap_t));
+
+    // setup capabilities
+    // we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
+    // we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
+    u64 cap_for_ksud =
+        profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+    memcpy(&cred->cap_effective, &cap_for_ksud,
+           sizeof(cred->cap_effective));
+    memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+           sizeof(cred->cap_permitted));
+    memcpy(&cred->cap_bset, &profile->capabilities.effective,
+           sizeof(cred->cap_bset));
+
+    setup_groups(profile, cred);
+
+    commit_creds(cred);
+
+    // Refer to kernel/seccomp.c: seccomp_set_mode_strict
+    // When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
+    spin_lock_irq(&current->sighand->siglock);
+    disable_seccomp();
+    spin_unlock_irq(&current->sighand->siglock);
+
+    setup_selinux(profile->selinux_domain);
+#if __SULOG_GATE
+    ksu_sulog_report_su_grant(current_euid().val, NULL, "escape_to_root");
+#endif
+
+    for_each_thread (p, t) {
+        ksu_set_task_tracepoint_flag(t);
+    }
+}
+
+#ifdef CONFIG_KSU_MANUAL_SU
+
+#include "ksud.h"
+
+#ifndef DEVPTS_SUPER_MAGIC
+#define DEVPTS_SUPER_MAGIC    0x1cd1
+#endif
+
+static int __manual_su_handle_devpts(struct inode *inode)
+{
+    if (!current->mm) {
+        return 0;
+    }
+
+    uid_t uid = current_uid().val;
+    if (uid % 100000 < 10000) {
+        // not untrusted_app, ignore it
+        return 0;
+    }
+
+    if (likely(!ksu_is_allow_uid_for_current(uid)))
+        return 0;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) || defined(KSU_OPTIONAL_SELINUX_INODE)
+        struct inode_security_struct *sec = selinux_inode(inode);
+#else
+        struct inode_security_struct *sec =
+            (struct inode_security_struct *)inode->i_security;
+#endif
+    if (ksu_file_sid && sec)
+        sec->sid = ksu_file_sid;
+
+    return 0;
+}
+
+static void disable_seccomp_for_task(struct task_struct *tsk)
+{
+    assert_spin_locked(&tsk->sighand->siglock);
+#ifdef CONFIG_SECCOMP
+    if (tsk->seccomp.mode == SECCOMP_MODE_DISABLED && !tsk->seccomp.filter)
+        return;
+#endif
+    clear_tsk_thread_flag(tsk, TIF_SECCOMP);
+#ifdef CONFIG_SECCOMP
+    tsk->seccomp.mode = SECCOMP_MODE_DISABLED;
+    if (tsk->seccomp.filter) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
+        seccomp_filter_release(tsk);
+#else
+        put_seccomp_filter(tsk);
+        tsk->seccomp.filter = NULL;
+#endif
+    }
+#endif
+}
+
+void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid)
+{
+    struct cred *newcreds;
+    struct task_struct *target_task;
+    unsigned long flags;
+    struct task_struct *p = current;
+    struct task_struct *t;
+
+    pr_info("cmd_su: escape_to_root_for_cmd_su called for UID: %d, PID: %d\n", target_uid, target_pid);
+
+    // Find target task by PID
+    rcu_read_lock();
+    target_task = pid_task(find_vpid(target_pid), PIDTYPE_PID);
+    if (!target_task) {
+        rcu_read_unlock(); 
+        pr_err("cmd_su: target task not found for PID: %d\n", target_pid);
+#if __SULOG_GATE
+        ksu_sulog_report_su_grant(target_uid, "cmd_su", "target_not_found");
+#endif
+        return;
+    }
+    get_task_struct(target_task);
+    rcu_read_unlock();
+
+    if (task_uid(target_task).val == 0) {
+        pr_warn("cmd_su: target task is already root, PID: %d\n", target_pid);
+        put_task_struct(target_task);
+        return;
+    }
+
+    newcreds = prepare_kernel_cred(target_task);
+    if (newcreds == NULL) {
+        pr_err("cmd_su: failed to allocate new cred for PID: %d\n", target_pid);
+#if __SULOG_GATE
+        ksu_sulog_report_su_grant(target_uid, "cmd_su", "cred_alloc_failed");
+#endif
+        put_task_struct(target_task);
+        return;
+    }
+
+    struct root_profile *profile = ksu_get_root_profile(target_uid);
+
+    newcreds->uid.val = profile->uid;
+    newcreds->suid.val = profile->uid;
+    newcreds->euid.val = profile->uid;
+    newcreds->fsuid.val = profile->uid;
+
+    newcreds->gid.val = profile->gid;
+    newcreds->fsgid.val = profile->gid;
+    newcreds->sgid.val = profile->gid;
+    newcreds->egid.val = profile->gid;
+    newcreds->securebits = 0;
+
+    u64 cap_for_cmd_su = profile->capabilities.effective | CAP_DAC_READ_SEARCH | CAP_SETUID | CAP_SETGID;
+    memcpy(&newcreds->cap_effective, &cap_for_cmd_su, sizeof(newcreds->cap_effective));
+    memcpy(&newcreds->cap_permitted, &profile->capabilities.effective, sizeof(newcreds->cap_permitted));
+    memcpy(&newcreds->cap_bset, &profile->capabilities.effective, sizeof(newcreds->cap_bset));
+
+    setup_groups(profile, newcreds);
+    task_lock(target_task);
+
+    const struct cred *old_creds = get_task_cred(target_task);
+
+    rcu_assign_pointer(target_task->real_cred, newcreds);
+    rcu_assign_pointer(target_task->cred, get_cred(newcreds));
+    task_unlock(target_task);
+
+    if (target_task->sighand) {
+        spin_lock_irqsave(&target_task->sighand->siglock, flags);
+        disable_seccomp_for_task(target_task);
+        spin_unlock_irqrestore(&target_task->sighand->siglock, flags);
+    }
+
+    setup_selinux(profile->selinux_domain);
+    put_cred(old_creds);
+    wake_up_process(target_task);
+
+    if (target_task->signal->tty) {
+        struct inode *inode = target_task->signal->tty->driver_data;
+        if (inode && inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC) {
+            __manual_su_handle_devpts(inode);
+        }
+    }
+
+    put_task_struct(target_task);
+#if __SULOG_GATE
+    ksu_sulog_report_su_grant(target_uid, "cmd_su", "manual_escalation");
+#endif
+    for_each_thread (p, t) {
+        ksu_set_task_tracepoint_flag(t);
+    }
+    pr_info("cmd_su: privilege escalation completed for UID: %d, PID: %d\n", target_uid, target_pid);
+}
+#endif
--- a/kernel/app_profile.h
+++ b/kernel/app_profile.h
@@ -0,0 +1,70 @@
+#ifndef __KSU_H_APP_PROFILE
+#define __KSU_H_APP_PROFILE
+
+#include <linux/types.h>
+
+// Forward declarations
+struct cred;
+
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+struct root_profile {
+	int32_t uid;
+	int32_t gid;
+
+	int32_t groups_count;
+	int32_t groups[KSU_MAX_GROUPS];
+
+	// kernel_cap_t is u32[2] for capabilities v3
+	struct {
+		u64 effective;
+		u64 permitted;
+		u64 inheritable;
+	} capabilities;
+
+	char selinux_domain[KSU_SELINUX_DOMAIN];
+
+	int32_t namespaces;
+};
+
+struct non_root_profile {
+	bool umount_modules;
+};
+
+struct app_profile {
+	// It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+	u32 version;
+
+	// this is usually the package of the app, but can be other value for special apps
+	char key[KSU_MAX_PACKAGE_NAME];
+	int32_t current_uid;
+	bool allow_su;
+
+	union {
+		struct {
+			bool use_default;
+			char template_name[KSU_MAX_PACKAGE_NAME];
+
+			struct root_profile profile;
+		} rp_config;
+
+		struct {
+			bool use_default;
+
+			struct non_root_profile profile;
+		} nrp_config;
+	};
+};
+
+// Escalate current process to root with the appropriate profile
+void escape_with_root_profile(void);
+
+void escape_to_root_for_cmd_su(uid_t target_uid, pid_t target_pid);
+
+void disable_seccomp(void);
+
+#endif
--- a/kernel/arch.h
+++ b/kernel/arch.h
@@ -18,10 +18,8 @@
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc

-#define PRCTL_SYMBOL "__arm64_sys_prctl"
+#define REBOOT_SYMBOL "__arm64_sys_reboot"
 #define SYS_READ_SYMBOL "__arm64_sys_read"
-#define SYS_NEWFSTATAT_SYMBOL "__arm64_sys_newfstatat"
-#define SYS_FACCESSAT_SYMBOL "__arm64_sys_faccessat"
 #define SYS_EXECVE_SYMBOL "__arm64_sys_execve"

 #elif defined(__x86_64__)
@@ -39,10 +37,8 @@
 #define __PT_RC_REG ax
 #define __PT_SP_REG sp
 #define __PT_IP_REG ip
-#define PRCTL_SYMBOL "__x64_sys_prctl"
+#define REBOOT_SYMBOL "__x64_sys_reboot"
 #define SYS_READ_SYMBOL "__x64_sys_read"
-#define SYS_NEWFSTATAT_SYMBOL "__x64_sys_newfstatat"
-#define SYS_FACCESSAT_SYMBOL "__x64_sys_faccessat"
 #define SYS_EXECVE_SYMBOL "__x64_sys_execve"

 #else
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
--- a/kernel/core_hook.h
+++ b/kernel/core_hook.h
@@ -1,10 +0,0 @@
-#ifndef __KSU_H_KSU_CORE
-#define __KSU_H_KSU_CORE
-
-#include <linux/init.h>
-#include "apk_sign.h"
-
-void __init ksu_core_init(void);
-void ksu_core_exit(void);
-
-#endif
--- a/kernel/dynamic_manager.c
+++ b/kernel/dynamic_manager.c
@@ -0,0 +1,504 @@
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/version.h>
+#include <linux/workqueue.h>
+#ifdef CONFIG_KSU_DEBUG
+#include <linux/moduleparam.h>
+#endif
+#include <crypto/hash.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+#include <crypto/sha2.h>
+#else
+#include <crypto/sha.h>
+#endif
+
+#include "dynamic_manager.h"
+#include "klog.h" // IWYU pragma: keep
+#include "manager.h"
+
+#define MAX_MANAGERS 2
+
+// Dynamic sign configuration
+static struct dynamic_manager_config dynamic_manager = {
+    .size = 0x300, 
+    .hash = "0000000000000000000000000000000000000000000000000000000000000000",
+    .is_set = 0
+};
+
+// Multi-manager state
+static struct manager_info active_managers[MAX_MANAGERS];
+static DEFINE_SPINLOCK(managers_lock);
+static DEFINE_SPINLOCK(dynamic_manager_lock);
+
+// Work queues for persistent storage
+static struct work_struct save_dynamic_manager_work;
+static struct work_struct load_dynamic_manager_work;
+static struct work_struct clear_dynamic_manager_work;
+
+bool ksu_is_dynamic_manager_enabled(void)
+{
+    unsigned long flags;
+    bool enabled;
+    
+    spin_lock_irqsave(&dynamic_manager_lock, flags);
+    enabled = dynamic_manager.is_set;
+    spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+    
+    return enabled;
+}
+
+void ksu_add_manager(uid_t uid, int signature_index)
+{
+    unsigned long flags;
+    int i;
+    
+    if (!ksu_is_dynamic_manager_enabled()) {
+        pr_info("Dynamic sign not enabled, skipping multi-manager add\n");
+        return;
+    }
+    
+    spin_lock_irqsave(&managers_lock, flags);
+    
+    // Check if manager already exists and update
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (active_managers[i].is_active && active_managers[i].uid == uid) {
+            active_managers[i].signature_index = signature_index;
+            spin_unlock_irqrestore(&managers_lock, flags);
+            pr_info("Updated manager uid=%d, signature_index=%d\n", uid, signature_index);
+            return;
+        }
+    }
+    
+    // Find free slot for new manager
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (!active_managers[i].is_active) {
+            active_managers[i].uid = uid;
+            active_managers[i].signature_index = signature_index;
+            active_managers[i].is_active = true;
+            spin_unlock_irqrestore(&managers_lock, flags);
+            pr_info("Added manager uid=%d, signature_index=%d\n", uid, signature_index);
+            return;
+        }
+    }
+    
+    spin_unlock_irqrestore(&managers_lock, flags);
+    pr_warn("Failed to add manager, no free slots\n");
+}
+
+void ksu_remove_manager(uid_t uid)
+{
+    unsigned long flags;
+    int i;
+    
+    if (!ksu_is_dynamic_manager_enabled()) {
+        return;
+    }
+    
+    spin_lock_irqsave(&managers_lock, flags);
+    
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (active_managers[i].is_active && active_managers[i].uid == uid) {
+            active_managers[i].is_active = false;
+            pr_info("Removed manager uid=%d\n", uid);
+            break;
+        }
+    }
+    
+    spin_unlock_irqrestore(&managers_lock, flags);
+}
+
+bool ksu_is_any_manager(uid_t uid)
+{
+    unsigned long flags;
+    bool is_manager = false;
+    int i;
+    
+    if (!ksu_is_dynamic_manager_enabled()) {
+        return false;
+    }
+    
+    spin_lock_irqsave(&managers_lock, flags);
+    
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (active_managers[i].is_active && active_managers[i].uid == uid) {
+            is_manager = true;
+            break;
+        }
+    }
+    
+    spin_unlock_irqrestore(&managers_lock, flags);
+    return is_manager;
+}
+
+int ksu_get_manager_signature_index(uid_t uid)
+{
+    unsigned long flags;
+    int signature_index = -1;
+    int i;
+    
+    // Check traditional manager first
+    if (ksu_manager_uid != KSU_INVALID_UID && uid == ksu_manager_uid) {
+        return DYNAMIC_SIGN_INDEX;
+    }
+    
+    if (!ksu_is_dynamic_manager_enabled()) {
+        return -1;
+    }
+    
+    spin_lock_irqsave(&managers_lock, flags);
+    
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (active_managers[i].is_active && active_managers[i].uid == uid) {
+            signature_index = active_managers[i].signature_index;
+            break;
+        }
+    }
+    
+    spin_unlock_irqrestore(&managers_lock, flags);
+    return signature_index;
+}
+
+static void clear_dynamic_manager(void)
+{
+    unsigned long flags;
+    int i;
+    
+    spin_lock_irqsave(&managers_lock, flags);
+    
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        if (active_managers[i].is_active) {
+            pr_info("Clearing dynamic manager uid=%d (signature_index=%d) for rescan\n", 
+                    active_managers[i].uid, active_managers[i].signature_index);
+            active_managers[i].is_active = false;
+        }
+    }
+    
+    spin_unlock_irqrestore(&managers_lock, flags);
+}
+
+int ksu_get_active_managers(struct manager_list_info *info)
+{
+    unsigned long flags;
+    int i, count = 0;
+    
+    if (!info) {
+        return -EINVAL;
+    }
+
+    // Add traditional manager first
+    if (ksu_manager_uid != KSU_INVALID_UID && count < 2) {
+        info->managers[count].uid = ksu_manager_uid;
+        info->managers[count].signature_index = 0;
+        count++;
+    }
+    
+    // Add dynamic managers
+    if (ksu_is_dynamic_manager_enabled()) {
+        spin_lock_irqsave(&managers_lock, flags);
+        
+        for (i = 0; i < MAX_MANAGERS && count < 2; i++) {
+            if (active_managers[i].is_active) {
+                info->managers[count].uid = active_managers[i].uid;
+                info->managers[count].signature_index = active_managers[i].signature_index;
+                count++;
+            }
+        }
+        
+        spin_unlock_irqrestore(&managers_lock, flags);
+    }
+    
+    info->count = count;
+    return 0;
+}
+
+static void do_save_dynamic_manager(struct work_struct *work)
+{
+    u32 magic = DYNAMIC_MANAGER_FILE_MAGIC;
+    u32 version = DYNAMIC_MANAGER_FILE_VERSION;
+    struct dynamic_manager_config config_to_save;
+    loff_t off = 0;
+    unsigned long flags;
+    struct file *fp;
+
+    spin_lock_irqsave(&dynamic_manager_lock, flags);
+    config_to_save = dynamic_manager;
+    spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+
+    if (!config_to_save.is_set) {
+        pr_info("Dynamic sign config not set, skipping save\n");
+        return;
+    }
+
+    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    if (IS_ERR(fp)) {
+        pr_err("save_dynamic_manager create file failed: %ld\n", PTR_ERR(fp));
+        return;
+    }
+
+    if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+        pr_err("save_dynamic_manager write magic failed.\n");
+        goto exit;
+    }
+
+    if (kernel_write(fp, &version, sizeof(version), &off) != sizeof(version)) {
+        pr_err("save_dynamic_manager write version failed.\n");
+        goto exit;
+    }
+
+    if (kernel_write(fp, &config_to_save, sizeof(config_to_save), &off) != sizeof(config_to_save)) {
+        pr_err("save_dynamic_manager write config failed.\n");
+        goto exit;
+    }
+
+    pr_info("Dynamic sign config saved successfully\n");
+
+exit:
+    filp_close(fp, 0);
+}
+
+static void do_load_dynamic_manager(struct work_struct *work)
+{
+    loff_t off = 0;
+    ssize_t ret = 0;
+    struct file *fp = NULL;
+    u32 magic;
+    u32 version;
+    struct dynamic_manager_config loaded_config;
+    unsigned long flags;
+    int i;
+
+    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_RDONLY, 0);
+    if (IS_ERR(fp)) {
+        if (PTR_ERR(fp) == -ENOENT) {
+            pr_info("No saved dynamic manager config found\n");
+        } else {
+            pr_err("load_dynamic_manager open file failed: %ld\n", PTR_ERR(fp));
+        }
+        return;
+    }
+
+    if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+        magic != DYNAMIC_MANAGER_FILE_MAGIC) {
+        pr_err("dynamic manager file invalid magic: %x!\n", magic);
+        goto exit;
+    }
+
+    if (kernel_read(fp, &version, sizeof(version), &off) != sizeof(version)) {
+        pr_err("dynamic manager read version failed\n");
+        goto exit;
+    }
+
+    pr_info("dynamic manager file version: %d\n", version);
+
+    ret = kernel_read(fp, &loaded_config, sizeof(loaded_config), &off);
+    if (ret <= 0) {
+        pr_info("load_dynamic_manager read err: %zd\n", ret);
+        goto exit;
+    }
+
+    if (ret != sizeof(loaded_config)) {
+        pr_err("load_dynamic_manager read incomplete config: %zd/%zu\n", ret, sizeof(loaded_config));
+        goto exit;
+    }
+
+    if (loaded_config.size < 0x100 || loaded_config.size > 0x1000) {
+        pr_err("Invalid saved config size: 0x%x\n", loaded_config.size);
+        goto exit;
+    }
+
+    if (strlen(loaded_config.hash) != 64) {
+        pr_err("Invalid saved config hash length: %zu\n", strlen(loaded_config.hash));
+        goto exit;
+    }
+
+    // Validate hash format
+    for (i = 0; i < 64; i++) {
+        char c = loaded_config.hash[i];
+        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
+            pr_err("Invalid saved config hash character at position %d: %c\n", i, c);
+            goto exit;
+        }
+    }
+
+    spin_lock_irqsave(&dynamic_manager_lock, flags);
+    dynamic_manager = loaded_config;
+    spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+
+    pr_info("Dynamic sign config loaded: size=0x%x, hash=%.16s...\n", 
+            loaded_config.size, loaded_config.hash);
+
+exit:
+    filp_close(fp, 0);
+}
+
+static bool persistent_dynamic_manager(void)
+{
+    return ksu_queue_work(&save_dynamic_manager_work);
+}
+
+static void do_clear_dynamic_manager(struct work_struct *work)
+{
+    loff_t off = 0;
+    struct file *fp;
+    char zero_buffer[512];
+
+    memset(zero_buffer, 0, sizeof(zero_buffer));
+
+    fp = filp_open(KERNEL_SU_DYNAMIC_MANAGER, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    if (IS_ERR(fp)) {
+        pr_err("clear_dynamic_manager create file failed: %ld\n", PTR_ERR(fp));
+        return;
+    }
+
+    // Write null bytes to overwrite the file content
+    if (kernel_write(fp, zero_buffer, sizeof(zero_buffer), &off) != sizeof(zero_buffer)) {
+        pr_err("clear_dynamic_manager write null bytes failed.\n");
+    } else {
+        pr_info("Dynamic sign config file cleared successfully\n");
+    }
+
+    filp_close(fp, 0);
+}
+
+static bool clear_dynamic_manager_file(void)
+{
+    return ksu_queue_work(&clear_dynamic_manager_work);
+}
+
+int ksu_handle_dynamic_manager(struct dynamic_manager_user_config *config)
+{
+    unsigned long flags;
+    int ret = 0;
+    int i;
+    
+    if (!config) {
+        return -EINVAL;
+    }
+    
+    switch (config->operation) {
+    case DYNAMIC_MANAGER_OP_SET:
+        if (config->size < 0x100 || config->size > 0x1000) {
+            pr_err("invalid size: 0x%x\n", config->size);
+            return -EINVAL;
+        }
+        
+        if (strlen(config->hash) != 64) {
+            pr_err("invalid hash length: %zu\n", strlen(config->hash));
+            return -EINVAL;
+        }
+        
+        // Validate hash format
+        for (i = 0; i < 64; i++) {
+            char c = config->hash[i];
+            if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) {
+                pr_err("invalid hash character at position %d: %c\n", i, c);
+                return -EINVAL;
+            }
+        }
+        
+        spin_lock_irqsave(&dynamic_manager_lock, flags);
+        dynamic_manager.size = config->size;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+        strscpy(dynamic_manager.hash, config->hash, sizeof(dynamic_manager.hash));
+#else
+        strlcpy(dynamic_manager.hash, config->hash, sizeof(dynamic_manager.hash));
+#endif
+        dynamic_manager.is_set = 1;
+        spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+        
+        persistent_dynamic_manager();
+        pr_info("dynamic manager updated: size=0x%x, hash=%.16s... (multi-manager enabled)\n", 
+                config->size, config->hash);
+        break;
+        
+    case DYNAMIC_MANAGER_OP_GET:
+        spin_lock_irqsave(&dynamic_manager_lock, flags);
+        if (dynamic_manager.is_set) {
+            config->size = dynamic_manager.size;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+            strscpy(config->hash, dynamic_manager.hash, sizeof(config->hash));
+#else
+            strlcpy(config->hash, dynamic_manager.hash, sizeof(config->hash));
+#endif
+            ret = 0;
+        } else {
+            ret = -ENODATA;
+        }
+        spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+        break;
+        
+    case DYNAMIC_MANAGER_OP_CLEAR:
+        spin_lock_irqsave(&dynamic_manager_lock, flags);
+        dynamic_manager.size = 0x300;
+        strcpy(dynamic_manager.hash, "0000000000000000000000000000000000000000000000000000000000000000");
+        dynamic_manager.is_set = 0;
+        spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+        
+        // Clear only dynamic managers, preserve default manager
+        clear_dynamic_manager();
+        
+        // Clear file using the same method as save
+        clear_dynamic_manager_file();
+        
+        pr_info("Dynamic sign config cleared (multi-manager disabled)\n");
+        break;
+        
+    default:
+        pr_err("Invalid dynamic manager operation: %d\n", config->operation);
+        return -EINVAL;
+    }
+
+    return ret;
+}
+
+bool ksu_load_dynamic_manager(void)
+{
+    return ksu_queue_work(&load_dynamic_manager_work);
+}
+
+void ksu_dynamic_manager_init(void)
+{
+    int i;
+    
+    INIT_WORK(&save_dynamic_manager_work, do_save_dynamic_manager);
+    INIT_WORK(&load_dynamic_manager_work, do_load_dynamic_manager);
+    INIT_WORK(&clear_dynamic_manager_work, do_clear_dynamic_manager);
+    
+    // Initialize manager slots
+    for (i = 0; i < MAX_MANAGERS; i++) {
+        active_managers[i].is_active = false;
+    }
+
+    ksu_load_dynamic_manager();
+    
+    pr_info("Dynamic sign initialized with conditional multi-manager support\n");
+}
+
+void ksu_dynamic_manager_exit(void)
+{
+    clear_dynamic_manager();
+    
+    // Save current config before exit
+    do_save_dynamic_manager(NULL);
+    pr_info("Dynamic sign exited with persistent storage\n");
+}
+
+// Get dynamic manager configuration for signature verification
+bool ksu_get_dynamic_manager_config(unsigned int *size, const char **hash)
+{
+    unsigned long flags;
+    bool valid = false;
+    
+    spin_lock_irqsave(&dynamic_manager_lock, flags);
+    if (dynamic_manager.is_set) {
+        if (size) *size = dynamic_manager.size;
+        if (hash) *hash = dynamic_manager.hash;
+        valid = true;
+    }
+    spin_unlock_irqrestore(&dynamic_manager_lock, flags);
+    
+    return valid;
+}
--- a/kernel/dynamic_manager.h
+++ b/kernel/dynamic_manager.h
@@ -0,0 +1,51 @@
+#ifndef __KSU_H_DYNAMIC_MANAGER
+#define __KSU_H_DYNAMIC_MANAGER
+
+#include <linux/types.h>
+#include "ksu.h"
+
+#define DYNAMIC_MANAGER_FILE_MAGIC 0x7f445347 // 'DSG', u32
+#define DYNAMIC_MANAGER_FILE_VERSION 1 // u32
+#define KERNEL_SU_DYNAMIC_MANAGER "/data/adb/ksu/.dynamic_manager"
+#define DYNAMIC_SIGN_INDEX 100
+
+struct dynamic_sign_key {
+    unsigned int size;
+    const char *hash;
+};
+
+#define DYNAMIC_SIGN_DEFAULT_CONFIG { \
+    .size = 0x300, \
+    .hash = "0000000000000000000000000000000000000000000000000000000000000000" \
+}
+
+struct dynamic_manager_config {
+    unsigned int size;
+    char hash[65];
+    int is_set;
+};
+
+struct manager_info {
+    uid_t uid;
+    int signature_index;
+    bool is_active;
+};
+
+// Dynamic sign operations
+void ksu_dynamic_manager_init(void);
+void ksu_dynamic_manager_exit(void);
+int ksu_handle_dynamic_manager(struct dynamic_manager_user_config *config);
+bool ksu_load_dynamic_manager(void);
+bool ksu_is_dynamic_manager_enabled(void);
+
+// Multi-manager operations
+void ksu_add_manager(uid_t uid, int signature_index);
+void ksu_remove_manager(uid_t uid);
+bool ksu_is_any_manager(uid_t uid);
+int ksu_get_manager_signature_index(uid_t uid);
+int ksu_get_active_managers(struct manager_list_info *info);
+
+// Configuration access for signature verification
+bool ksu_get_dynamic_manager_config(unsigned int *size, const char **hash);
+
+#endif
--- a/kernel/feature.c
+++ b/kernel/feature.c
@@ -0,0 +1,173 @@
+#include "feature.h"
+#include "klog.h" // IWYU pragma: keep
+
+#include <linux/mutex.h>
+
+static const struct ksu_feature_handler *feature_handlers[KSU_FEATURE_MAX];
+
+static DEFINE_MUTEX(feature_mutex);
+
+int ksu_register_feature_handler(const struct ksu_feature_handler *handler)
+{
+    if (!handler) {
+        pr_err("feature: register handler is NULL\n");
+        return -EINVAL;
+    }
+
+    if (handler->feature_id >= KSU_FEATURE_MAX) {
+        pr_err("feature: invalid feature_id %u\n", handler->feature_id);
+        return -EINVAL;
+    }
+
+    if (!handler->get_handler && !handler->set_handler) {
+        pr_err("feature: no handler provided for feature %u\n", handler->feature_id);
+        return -EINVAL;
+    }
+
+    mutex_lock(&feature_mutex);
+
+    if (feature_handlers[handler->feature_id]) {
+        pr_warn("feature: handler for %u already registered, overwriting\n",
+                handler->feature_id);
+    }
+
+    feature_handlers[handler->feature_id] = handler;
+
+    pr_info("feature: registered handler for %s (id=%u)\n",
+            handler->name ? handler->name : "unknown", handler->feature_id);
+
+    mutex_unlock(&feature_mutex);
+    return 0;
+}
+
+int ksu_unregister_feature_handler(u32 feature_id)
+{
+    int ret = 0;
+
+    if (feature_id >= KSU_FEATURE_MAX) {
+        pr_err("feature: invalid feature_id %u\n", feature_id);
+        return -EINVAL;
+    }
+
+    mutex_lock(&feature_mutex);
+
+    if (!feature_handlers[feature_id]) {
+        pr_warn("feature: no handler registered for %u\n", feature_id);
+        ret = -ENOENT;
+        goto out;
+    }
+
+    feature_handlers[feature_id] = NULL;
+
+    pr_info("feature: unregistered handler for id=%u\n", feature_id);
+
+out:
+    mutex_unlock(&feature_mutex);
+    return ret;
+}
+
+int ksu_get_feature(u32 feature_id, u64 *value, bool *supported)
+{
+    int ret = 0;
+    const struct ksu_feature_handler *handler;
+
+    if (feature_id >= KSU_FEATURE_MAX) {
+        pr_err("feature: invalid feature_id %u\n", feature_id);
+        return -EINVAL;
+    }
+
+    if (!value || !supported) {
+        pr_err("feature: invalid parameters\n");
+        return -EINVAL;
+    }
+
+    mutex_lock(&feature_mutex);
+
+    handler = feature_handlers[feature_id];
+
+    if (!handler) {
+        *supported = false;
+        *value = 0;
+        pr_debug("feature: feature %u not supported\n", feature_id);
+        goto out;
+    }
+
+    *supported = true;
+
+    if (!handler->get_handler) {
+        pr_warn("feature: no get_handler for feature %u\n", feature_id);
+        ret = -EOPNOTSUPP;
+        goto out;
+    }
+
+    ret = handler->get_handler(value);
+    if (ret) {
+        pr_err("feature: get_handler for %u failed: %d\n", feature_id, ret);
+    }
+
+out:
+    mutex_unlock(&feature_mutex);
+    return ret;
+}
+
+int ksu_set_feature(u32 feature_id, u64 value)
+{
+    int ret = 0;
+    const struct ksu_feature_handler *handler;
+
+    if (feature_id >= KSU_FEATURE_MAX) {
+        pr_err("feature: invalid feature_id %u\n", feature_id);
+        return -EINVAL;
+    }
+
+    mutex_lock(&feature_mutex);
+
+    handler = feature_handlers[feature_id];
+
+    if (!handler) {
+        pr_err("feature: feature %u not registered\n", feature_id);
+        ret = -EOPNOTSUPP;
+        goto out;
+    }
+
+    if (!handler->set_handler) {
+        pr_warn("feature: no set_handler for feature %u\n", feature_id);
+        ret = -EOPNOTSUPP;
+        goto out;
+    }
+
+    ret = handler->set_handler(value);
+    if (ret) {
+        pr_err("feature: set_handler for %u failed: %d\n", feature_id, ret);
+    }
+
+out:
+    mutex_unlock(&feature_mutex);
+    return ret;
+}
+
+void ksu_feature_init(void)
+{
+    int i;
+
+    for (i = 0; i < KSU_FEATURE_MAX; i++) {
+        feature_handlers[i] = NULL;
+    }
+
+    pr_info("feature: feature management initialized\n");
+}
+
+void ksu_feature_exit(void)
+{
+    int i;
+
+    mutex_lock(&feature_mutex);
+
+    for (i = 0; i < KSU_FEATURE_MAX; i++) {
+        feature_handlers[i] = NULL;
+    }
+
+    mutex_unlock(&feature_mutex);
+
+    pr_info("feature: feature management cleaned up\n");
+}
--- a/kernel/feature.h
+++ b/kernel/feature.h
@@ -0,0 +1,37 @@
+#ifndef __KSU_H_FEATURE
+#define __KSU_H_FEATURE
+
+#include <linux/types.h>
+
+enum ksu_feature_id {
+    KSU_FEATURE_SU_COMPAT = 0,
+    KSU_FEATURE_KERNEL_UMOUNT = 1,
+    KSU_FEATURE_ENHANCED_SECURITY = 2,
+    KSU_FEATURE_SULOG = 3,
+
+    KSU_FEATURE_MAX
+};
+
+typedef int (*ksu_feature_get_t)(u64 *value);
+typedef int (*ksu_feature_set_t)(u64 value);
+
+struct ksu_feature_handler {
+    u32 feature_id;
+    const char *name;
+    ksu_feature_get_t get_handler;
+    ksu_feature_set_t set_handler;
+};
+
+int ksu_register_feature_handler(const struct ksu_feature_handler *handler);
+
+int ksu_unregister_feature_handler(u32 feature_id);
+
+int ksu_get_feature(u32 feature_id, u64 *value, bool *supported);
+
+int ksu_set_feature(u32 feature_id, u64 value);
+
+void ksu_feature_init(void);
+
+void ksu_feature_exit(void);
+
+#endif // __KSU_H_FEATURE
--- a/kernel/file_wrapper.c
+++ b/kernel/file_wrapper.c
@@ -0,0 +1,341 @@
+#include <linux/export.h>
+#include <linux/anon_inodes.h>
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/seq_file.h>
+#include <linux/slab.h>
+#include <linux/uaccess.h>
+#include <linux/version.h>
+
+#include "klog.h" // IWYU pragma: keep
+#include "selinux/selinux.h"
+
+#include "file_wrapper.h"
+
+static loff_t ksu_wrapper_llseek(struct file *fp, loff_t off, int flags) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->llseek(data->orig, off, flags);
+}
+
+static ssize_t ksu_wrapper_read(struct file *fp, char __user *ptr, size_t sz, loff_t *off) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->read(orig, ptr, sz, off);
+}
+
+static ssize_t ksu_wrapper_write(struct file *fp, const char __user *ptr, size_t sz, loff_t *off) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->write(orig, ptr, sz, off);
+}
+
+static ssize_t ksu_wrapper_read_iter(struct kiocb *iocb, struct iov_iter *iovi) {
+	struct ksu_file_wrapper* data = iocb->ki_filp->private_data;
+	struct file* orig = data->orig;
+	iocb->ki_filp = orig;
+	return orig->f_op->read_iter(iocb, iovi);
+}
+
+static ssize_t ksu_wrapper_write_iter(struct kiocb *iocb, struct iov_iter *iovi) {
+	struct ksu_file_wrapper* data = iocb->ki_filp->private_data;
+	struct file* orig = data->orig;
+	iocb->ki_filp = orig;
+	return orig->f_op->write_iter(iocb, iovi);
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
+static int ksu_wrapper_iopoll(struct kiocb *kiocb, struct io_comp_batch* icb, unsigned int v) {
+	struct ksu_file_wrapper* data = kiocb->ki_filp->private_data;
+	struct file* orig = data->orig;
+	kiocb->ki_filp = orig;
+	return orig->f_op->iopoll(kiocb, icb, v);
+}
+#else
+static int ksu_wrapper_iopoll(struct kiocb *kiocb, bool spin) {
+	struct ksu_file_wrapper* data = kiocb->ki_filp->private_data;
+	struct file* orig = data->orig;
+	kiocb->ki_filp = orig;
+	return orig->f_op->iopoll(kiocb, spin);
+}
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+static int ksu_wrapper_iterate (struct file *fp, struct dir_context *dc) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->iterate(orig, dc);
+}
+#endif
+
+static int ksu_wrapper_iterate_shared(struct file *fp, struct dir_context *dc) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->iterate_shared(orig, dc);
+}
+
+static __poll_t ksu_wrapper_poll(struct file *fp, struct poll_table_struct *pts) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->poll(orig, pts);
+}
+
+static long ksu_wrapper_unlocked_ioctl(struct file *fp, unsigned int cmd, unsigned long arg) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->unlocked_ioctl(orig, cmd, arg);
+}
+
+static long ksu_wrapper_compat_ioctl(struct file *fp, unsigned int cmd, unsigned long arg) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->compat_ioctl(orig, cmd, arg);
+}
+
+static int ksu_wrapper_mmap(struct file *fp, struct vm_area_struct * vma) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->mmap(orig, vma);
+}
+
+// static unsigned long mmap_supported_flags {}
+
+static int ksu_wrapper_open(struct inode *ino, struct file *fp) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	struct inode *orig_ino = file_inode(orig);
+	return orig->f_op->open(orig_ino, orig);
+}
+
+static int ksu_wrapper_flush(struct file *fp, fl_owner_t id) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->flush(orig, id);
+}
+
+
+static int ksu_wrapper_fsync(struct file *fp, loff_t off1, loff_t off2, int datasync) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->fsync(orig, off1, off2, datasync);
+}
+
+static int ksu_wrapper_fasync(int arg, struct file *fp, int arg2) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->fasync(arg, orig, arg2);
+}
+
+static int ksu_wrapper_lock(struct file *fp, int arg1, struct file_lock *fl) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	return orig->f_op->lock(orig, arg1, fl);
+}
+
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+static ssize_t ksu_wrapper_sendpage(struct file *fp, struct page *pg, int arg1, size_t sz, loff_t *off, int arg2) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->sendpage) {
+		return orig->f_op->sendpage(orig, pg, arg1, sz, off, arg2);
+	}
+	return -EINVAL;
+}
+#endif
+
+static unsigned long ksu_wrapper_get_unmapped_area(struct file *fp, unsigned long arg1, unsigned long arg2, unsigned long arg3, unsigned long arg4) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->get_unmapped_area) {
+		return orig->f_op->get_unmapped_area(orig, arg1, arg2, arg3, arg4);
+	}
+	return -EINVAL;
+}
+
+// static int ksu_wrapper_check_flags(int arg) {}
+
+static int ksu_wrapper_flock(struct file *fp, int arg1, struct file_lock *fl) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->flock) {
+		return orig->f_op->flock(orig, arg1, fl);
+	}
+	return -EINVAL;
+}
+
+static ssize_t ksu_wrapper_splice_write(struct pipe_inode_info * pii, struct file *fp, loff_t *off, size_t sz, unsigned int arg1) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->splice_write) {
+		return orig->f_op->splice_write(pii, orig, off, sz, arg1);
+	}
+	return -EINVAL;
+}
+
+static ssize_t ksu_wrapper_splice_read(struct file *fp, loff_t *off, struct pipe_inode_info *pii, size_t sz, unsigned int arg1) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->splice_read) {
+		return orig->f_op->splice_read(orig, off, pii, sz, arg1);
+	}
+	return -EINVAL;
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
+void ksu_wrapper_splice_eof(struct file *fp) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->splice_eof) {
+		return orig->f_op->splice_eof(orig);
+	}
+}
+#endif
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0)
+static int ksu_wrapper_setlease(struct file *fp, int arg1, struct file_lease **fl, void **p) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->setlease) {
+		return orig->f_op->setlease(orig, arg1, fl, p);
+	}
+	return -EINVAL;
+}
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
+static int ksu_wrapper_setlease(struct file *fp, int arg1, struct file_lock **fl, void **p) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->setlease) {
+		return orig->f_op->setlease(orig, arg1, fl, p);
+	}
+	return -EINVAL;
+}
+#else
+static int ksu_wrapper_setlease(struct file *fp, long arg1, struct file_lock **fl, void **p) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->setlease) {
+		return orig->f_op->setlease(orig, arg1, fl, p);
+	}
+	return -EINVAL;
+}
+#endif
+
+static long ksu_wrapper_fallocate(struct file *fp, int mode, loff_t offset, loff_t len) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->fallocate) {
+		return orig->f_op->fallocate(orig, mode, offset, len);
+	}
+	return -EINVAL;
+}
+
+static void ksu_wrapper_show_fdinfo(struct seq_file *m, struct file *f) {
+	struct ksu_file_wrapper* data = f->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->show_fdinfo) {
+		orig->f_op->show_fdinfo(m, orig);
+	}
+}
+
+static ssize_t ksu_wrapper_copy_file_range(struct file *f1, loff_t off1, struct file *f2,
+		loff_t off2, size_t sz, unsigned int flags) {
+	// TODO: determine which file to use
+	struct ksu_file_wrapper* data = f1->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->copy_file_range) {
+		return orig->f_op->copy_file_range(orig, off1, f2, off2, sz, flags);
+	}
+	return -EINVAL;
+}
+
+static loff_t ksu_wrapper_remap_file_range(struct file *file_in, loff_t pos_in,
+				struct file *file_out, loff_t pos_out,
+				loff_t len, unsigned int remap_flags) {
+	// TODO: determine which file to use
+	struct ksu_file_wrapper* data = file_in->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->remap_file_range) {
+		return orig->f_op->remap_file_range(orig, pos_in, file_out, pos_out, len, remap_flags);
+	}
+	return -EINVAL;
+}
+
+static int ksu_wrapper_fadvise(struct file *fp, loff_t off1, loff_t off2, int flags) {
+	struct ksu_file_wrapper* data = fp->private_data;
+	struct file* orig = data->orig;
+	if (orig->f_op->fadvise) {
+		return orig->f_op->fadvise(orig, off1, off2, flags);
+	}
+	return -EINVAL;
+}
+
+static int ksu_wrapper_release(struct inode *inode, struct file *filp) {
+	ksu_delete_file_wrapper(filp->private_data);
+    return 0;
+}
+
+struct ksu_file_wrapper* ksu_create_file_wrapper(struct file* fp) {
+	struct ksu_file_wrapper* p = kcalloc(sizeof(struct ksu_file_wrapper), 1, GFP_KERNEL);
+	if (!p) {
+		return NULL;
+	}
+
+	get_file(fp);
+
+	p->orig = fp;
+	p->ops.owner = THIS_MODULE;
+	p->ops.llseek = fp->f_op->llseek ? ksu_wrapper_llseek : NULL;
+	p->ops.read = fp->f_op->read ? ksu_wrapper_read : NULL;
+	p->ops.write = fp->f_op->write ? ksu_wrapper_write : NULL;
+	p->ops.read_iter = fp->f_op->read_iter ? ksu_wrapper_read_iter : NULL;
+	p->ops.write_iter = fp->f_op->write_iter ? ksu_wrapper_write_iter : NULL;
+	p->ops.iopoll = fp->f_op->iopoll ? ksu_wrapper_iopoll : NULL;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+	p->ops.iterate = fp->f_op->iterate ? ksu_wrapper_iterate : NULL;
+#endif
+	p->ops.iterate_shared = fp->f_op->iterate_shared ? ksu_wrapper_iterate_shared : NULL;
+	p->ops.poll = fp->f_op->poll ? ksu_wrapper_poll : NULL;
+	p->ops.unlocked_ioctl = fp->f_op->unlocked_ioctl ? ksu_wrapper_unlocked_ioctl : NULL;
+	p->ops.compat_ioctl = fp->f_op->compat_ioctl ? ksu_wrapper_compat_ioctl : NULL;
+	p->ops.mmap = fp->f_op->mmap ? ksu_wrapper_mmap : NULL;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 12, 0)
+	p->ops.fop_flags = fp->f_op->fop_flags;
+#else
+	p->ops.mmap_supported_flags = fp->f_op->mmap_supported_flags;
+#endif
+	p->ops.open = fp->f_op->open ? ksu_wrapper_open : NULL;
+	p->ops.flush = fp->f_op->flush ? ksu_wrapper_flush : NULL;
+	p->ops.release = ksu_wrapper_release;
+	p->ops.fsync = fp->f_op->fsync ? ksu_wrapper_fsync : NULL;
+	p->ops.fasync = fp->f_op->fasync ? ksu_wrapper_fasync : NULL;
+	p->ops.lock = fp->f_op->lock ? ksu_wrapper_lock : NULL;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+	p->ops.sendpage = fp->f_op->sendpage ? ksu_wrapper_sendpage : NULL;
+#endif
+	p->ops.get_unmapped_area = fp->f_op->get_unmapped_area ? ksu_wrapper_get_unmapped_area : NULL;
+	p->ops.check_flags = fp->f_op->check_flags;
+	p->ops.flock = fp->f_op->flock ? ksu_wrapper_flock : NULL;
+	p->ops.splice_write = fp->f_op->splice_write ? ksu_wrapper_splice_write : NULL;
+	p->ops.splice_read = fp->f_op->splice_read ? ksu_wrapper_splice_read : NULL;
+	p->ops.setlease = fp->f_op->setlease ? ksu_wrapper_setlease : NULL;
+	p->ops.fallocate = fp->f_op->fallocate ? ksu_wrapper_fallocate : NULL;
+	p->ops.show_fdinfo = fp->f_op->show_fdinfo ? ksu_wrapper_show_fdinfo : NULL;
+	p->ops.copy_file_range = fp->f_op->copy_file_range ? ksu_wrapper_copy_file_range : NULL;
+	p->ops.remap_file_range = fp->f_op->remap_file_range ? ksu_wrapper_remap_file_range : NULL;
+	p->ops.fadvise = fp->f_op->fadvise ? ksu_wrapper_fadvise : NULL;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 6, 0)
+	p->ops.splice_eof = fp->f_op->splice_eof ? ksu_wrapper_splice_eof : NULL;
+#endif
+
+	return p;
+}
+
+void ksu_delete_file_wrapper(struct ksu_file_wrapper* data) {
+	fput((struct file*) data->orig);
+	kfree(data);
+}
--- a/kernel/file_wrapper.h
+++ b/kernel/file_wrapper.h
@@ -0,0 +1,14 @@
+#ifndef KSU_FILE_WRAPPER_H
+#define KSU_FILE_WRAPPER_H
+
+#include <linux/file.h>
+#include <linux/fs.h>
+
+struct ksu_file_wrapper {
+	struct file* orig;
+	struct file_operations ops;
+};
+
+struct ksu_file_wrapper* ksu_create_file_wrapper(struct file* fp);
+void ksu_delete_file_wrapper(struct ksu_file_wrapper* data);
+#endif // KSU_FILE_WRAPPER_H
--- a/kernel/include/ksu_hook.h
+++ b/kernel/include/ksu_hook.h
@@ -1,28 +0,0 @@
-#ifndef __KSU_H_KSHOOK
-#define __KSU_H_KSHOOK
-
-#include <linux/fs.h>
-#include <linux/types.h>
-
-// For sucompat
-
-int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
-			 int *flags);
-
-int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags);
-
-// For ksud
-
-int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
-			size_t *count_ptr, loff_t **pos);
-
-// For ksud and sucompat
-
-int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
-			void *envp, int *flags);
-
-// For volume button
-int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, 
-				  int *value);
-
-#endif
--- a/kernel/kernel_compat.c
+++ b/kernel/kernel_compat.c
@@ -1,88 +0,0 @@
-#include <linux/version.h>
-#include <linux/fs.h>
-#include <linux/nsproxy.h>
-#include <linux/sched/task.h>
-#include <linux/uaccess.h>
-#include "klog.h" // IWYU pragma: keep
-#include "kernel_compat.h"
-
-extern struct task_struct init_task;
-
-// mnt_ns context switch for environment that android_init->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns, such as WSA
-struct ksu_ns_fs_saved {
-	struct nsproxy *ns;
-	struct fs_struct *fs;
-};
-
-static void ksu_save_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
-{
-	ns_fs_saved->ns = current->nsproxy;
-	ns_fs_saved->fs = current->fs;
-}
-
-static void ksu_load_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
-{
-	current->nsproxy = ns_fs_saved->ns;
-	current->fs = ns_fs_saved->fs;
-}
-
-static bool android_context_saved_checked = false;
-static bool android_context_saved_enabled = false;
-static struct ksu_ns_fs_saved android_context_saved;
-
-void ksu_android_ns_fs_check()
-{
-	if (android_context_saved_checked)
-		return;
-	android_context_saved_checked = true;
-	task_lock(current);
-	if (current->nsproxy && current->fs &&
-	    current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns) {
-		android_context_saved_enabled = true;
-		pr_info("android context saved enabled due to init mnt_ns(%p) != android mnt_ns(%p)\n",
-			current->nsproxy->mnt_ns, init_task.nsproxy->mnt_ns);
-		ksu_save_ns_fs(&android_context_saved);
-	} else {
-		pr_info("android context saved disabled\n");
-	}
-	task_unlock(current);
-}
-
-struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
-{
-	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
-	struct ksu_ns_fs_saved saved;
-	if (android_context_saved_enabled) {
-		pr_info("start switch current nsproxy and fs to android context\n");
-		task_lock(current);
-		ksu_save_ns_fs(&saved);
-		ksu_load_ns_fs(&android_context_saved);
-		task_unlock(current);
-	}
-	struct file *fp = filp_open(filename, flags, mode);
-	if (android_context_saved_enabled) {
-		task_lock(current);
-		ksu_load_ns_fs(&saved);
-		task_unlock(current);
-		pr_info("switch current nsproxy and fs back to saved successfully\n");
-	}
-	return fp;
-}
-
-ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
-			       loff_t *pos)
-{
-	return kernel_read(p, buf, count, pos);
-}
-
-ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
-				loff_t *pos)
-{
-	return kernel_write(p, buf, count, pos);
-}
-
-long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
-				   long count)
-{
-	return strncpy_from_user_nofault(dst, unsafe_addr, count);
-}
--- a/kernel/kernel_compat.h
+++ b/kernel/kernel_compat.h
@@ -3,33 +3,22 @@

 #include <linux/fs.h>
 #include <linux/version.h>
-#include "ss/policydb.h"
-#include "linux/key.h"

 /*
- * Adapt to Huawei HISI kernel without affecting other kernels ,
- * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
- * From ss/ebitmap.h
+ * ksu_copy_from_user_retry
+ * try nofault copy first, if it fails, try with plain
+ * paramters are the same as copy_from_user
+ * 0 = success
 */
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)) &&                           \
-		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) ||               \
-	(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)) &&                      \
-		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
-#ifdef HISI_SELINUX_EBITMAP_RO
-#define CONFIG_IS_HW_HISI
-#endif
-#endif
+static long ksu_copy_from_user_retry(void *to, 
+        const void __user *from, unsigned long count)
+{
+    long ret = copy_from_user_nofault(to, from, count);
+    if (likely(!ret))
+        return ret;

-extern long ksu_strncpy_from_user_nofault(char *dst,
-					  const void __user *unsafe_addr,
-					  long count);
-
-extern void ksu_android_ns_fs_check();
-extern struct file *ksu_filp_open_compat(const char *filename, int flags,
-					 umode_t mode);
-extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
-				      loff_t *pos);
-extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
-				       size_t count, loff_t *pos);
+    // we faulted! fallback to slow path
+    return copy_from_user(to, from, count);
+}

 #endif
--- a/kernel/kernel_umount.c
+++ b/kernel/kernel_umount.c
@@ -0,0 +1,181 @@
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/task_work.h>
+#include <linux/cred.h>
+#include <linux/fs.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include <linux/nsproxy.h>
+#include <linux/path.h>
+#include <linux/printk.h>
+#include <linux/types.h>
+
+#include "kernel_umount.h"
+#include "klog.h" // IWYU pragma: keep
+#include "allowlist.h"
+#include "selinux/selinux.h"
+#include "feature.h"
+#include "ksud.h"
+
+#include "umount_manager.h"
+#include "sulog.h"
+
+static bool ksu_kernel_umount_enabled = true;
+
+static int kernel_umount_feature_get(u64 *value)
+{
+    *value = ksu_kernel_umount_enabled ? 1 : 0;
+    return 0;
+}
+
+static int kernel_umount_feature_set(u64 value)
+{
+    bool enable = value != 0;
+    ksu_kernel_umount_enabled = enable;
+    pr_info("kernel_umount: set to %d\n", enable);
+    return 0;
+}
+
+static const struct ksu_feature_handler kernel_umount_handler = {
+    .feature_id = KSU_FEATURE_KERNEL_UMOUNT,
+    .name = "kernel_umount",
+    .get_handler = kernel_umount_feature_get,
+    .set_handler = kernel_umount_feature_set,
+};
+
+extern int path_umount(struct path *path, int flags);
+
+static void ksu_umount_mnt(struct path *path, int flags)
+{
+    int err = path_umount(path, flags);
+    if (err) {
+        pr_info("umount %s failed: %d\n", path->dentry->d_iname, err);
+    }
+}
+
+void try_umount(const char *mnt, int flags)
+{
+    struct path path;
+    int err = kern_path(mnt, 0, &path);
+    if (err) {
+        return;
+    }
+
+    if (path.dentry != path.mnt->mnt_root) {
+        // it is not root mountpoint, maybe umounted by others already.
+        path_put(&path);
+        return;
+    }
+
+    ksu_umount_mnt(&path, flags);
+}
+
+struct umount_tw {
+    struct callback_head cb;
+    const struct cred *old_cred;
+};
+
+static void umount_tw_func(struct callback_head *cb)
+{
+    struct umount_tw *tw = container_of(cb, struct umount_tw, cb);
+    const struct cred *saved = NULL;
+    if (tw->old_cred) {
+        saved = override_creds(tw->old_cred);
+    }
+
+    struct mount_entry *entry;
+    down_read(&mount_list_lock);
+    list_for_each_entry(entry, &mount_list, list) {
+        pr_info("%s: unmounting: %s flags 0x%x\n", __func__, entry->umountable, entry->flags);
+        try_umount(entry->umountable, entry->flags);
+    }
+    up_read(&mount_list_lock);
+
+    ksu_umount_manager_execute_all(tw->old_cred);
+
+    if (saved)
+        revert_creds(saved);
+
+    if (tw->old_cred)
+        put_cred(tw->old_cred);
+
+    kfree(tw);
+}
+
+int ksu_handle_umount(uid_t old_uid, uid_t new_uid)
+{
+    struct umount_tw *tw;
+
+    // if there isn't any module mounted, just ignore it!
+    if (!ksu_module_mounted) {
+        return 0;
+    }
+
+    if (!ksu_kernel_umount_enabled) {
+        return 0;
+    }
+
+    // There are 5 scenarios:
+    // 1. Normal app: zygote -> appuid
+    // 2. Isolated process forked from zygote: zygote -> isolated_process
+    // 3. App zygote forked from zygote: zygote -> appuid
+    // 4. Isolated process froked from app zygote: appuid -> isolated_process (already handled by 3)
+    // 5. Isolated process froked from webview zygote (no need to handle, app cannot run custom code)
+    if (!is_appuid(new_uid) && !is_isolated_process(new_uid)) {
+        return 0;
+    }
+
+    if (!ksu_uid_should_umount(new_uid) && !is_isolated_process(new_uid)) {
+        return 0;
+    }
+
+    // check old process's selinux context, if it is not zygote, ignore it!
+    // because some su apps may setuid to untrusted_app but they are in global mount namespace
+    // when we umount for such process, that is a disaster!
+    // also handle case 4 and 5
+    bool is_zygote_child = is_zygote(get_current_cred());
+    if (!is_zygote_child) {
+        pr_info("handle umount ignore non zygote child: %d\n", current->pid);
+        return 0;
+    }
+#if __SULOG_GATE
+    ksu_sulog_report_syscall(new_uid, NULL, "setuid", NULL);
+#endif
+    // umount the target mnt
+    pr_info("handle umount for uid: %d, pid: %d\n", new_uid, current->pid);
+
+    tw = kzalloc(sizeof(*tw), GFP_ATOMIC);
+    if (!tw)
+        return 0;
+
+    tw->old_cred = get_current_cred();
+    tw->cb.func = umount_tw_func;
+
+    int err = task_work_add(current, &tw->cb, TWA_RESUME);
+    if (err) {
+        if (tw->old_cred) {
+            put_cred(tw->old_cred);
+        }
+        kfree(tw);
+        pr_warn("unmount add task_work failed\n");
+    }
+
+    return 0;
+}
+
+void ksu_kernel_umount_init(void)
+{
+    int rc = 0;
+    rc = ksu_umount_manager_init();
+    if (rc) {
+        pr_err("Failed to initialize umount manager: %d\n", rc);
+    }
+    if (ksu_register_feature_handler(&kernel_umount_handler)) {
+        pr_err("Failed to register kernel_umount feature handler\n");
+    }
+}
+
+void ksu_kernel_umount_exit(void)
+{
+    ksu_unregister_feature_handler(KSU_FEATURE_KERNEL_UMOUNT);
+}
--- a/kernel/kernel_umount.h
+++ b/kernel/kernel_umount.h
@@ -0,0 +1,25 @@
+#ifndef __KSU_H_KERNEL_UMOUNT
+#define __KSU_H_KERNEL_UMOUNT
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <linux/rwsem.h>
+
+void ksu_kernel_umount_init(void);
+void ksu_kernel_umount_exit(void);
+
+void try_umount(const char *mnt, int flags);
+
+// Handler function to be called from setresuid hook
+int ksu_handle_umount(uid_t old_uid, uid_t new_uid);
+
+// for the umount list
+struct mount_entry {
+    char *umountable;
+    unsigned int flags;
+    struct list_head list;
+};
+extern struct list_head mount_list;
+extern struct rw_semaphore mount_list_lock;
+
+#endif
--- a/kernel/kpm/compact.c
+++ b/kernel/kpm/compact.c
@@ -13,7 +13,7 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
-#include <asm/elf.h>    /* 包含 ARM64 重定位类型定义 */
+#include <asm/elf.h>
 #include <linux/vmalloc.h>
 #include <linux/mm.h>
 #include <linux/string.h>
@@ -29,55 +29,48 @@
 #include "../allowlist.h"
 #include "../manager.h"

-unsigned long sukisu_compact_find_symbol(const char* name);
-
-// ======================================================================
-// 兼容函数 for KPM
-
-static
-int sukisu_is_su_allow_uid(uid_t uid) {
-    return ksu_is_allow_uid(uid) ? 1 : 0;
+static int sukisu_is_su_allow_uid(uid_t uid)
+{
+    return ksu_is_allow_uid_for_current(uid) ? 1 : 0;
 }

-static
-int sukisu_get_ap_mod_exclude(uid_t uid) {
-    // Not supported
-    return 0;
+static int sukisu_get_ap_mod_exclude(uid_t uid)
+{
+    return 0; /* Not supported */
 }

-static
-int sukisu_is_uid_should_umount(uid_t uid) {
+static int sukisu_is_uid_should_umount(uid_t uid)
+{
    return ksu_uid_should_umount(uid) ? 1 : 0;
 }

-static
-int sukisu_is_current_uid_manager() {
+static int sukisu_is_current_uid_manager(void)
+{
    return is_manager();
 }

-static
-uid_t sukisu_get_manager_uid() {
+static uid_t sukisu_get_manager_uid(void)
+{
    return ksu_manager_uid;
 }

-static
-void sukisu_set_manager_uid(uid_t uid, int force) {
-    if(force || ksu_manager_uid == -1) {
+static void sukisu_set_manager_uid(uid_t uid, int force)
+{
+    if (force || ksu_manager_uid == -1)
        ksu_manager_uid = uid;
-    }
 }

-// ======================================================================
-
 struct CompactAddressSymbol {
-    const char* symbol_name;
-    void* addr;
+    const char *symbol_name;
+    void *addr;
 };

-static struct CompactAddressSymbol address_symbol [] = {
+unsigned long sukisu_compact_find_symbol(const char *name);
+
+static struct CompactAddressSymbol address_symbol[] = {
    { "kallsyms_lookup_name", &kallsyms_lookup_name },
    { "compact_find_symbol", &sukisu_compact_find_symbol },
-    { "is_run_in_sukisu_ultra", (void*)1 },
+    { "is_run_in_sukisu_ultra", (void *)1 },
    { "is_su_allow_uid", &sukisu_is_su_allow_uid },
    { "get_ap_mod_exclude", &sukisu_get_ap_mod_exclude },
    { "is_uid_should_umount", &sukisu_is_uid_should_umount },
@@ -86,25 +79,22 @@ static struct CompactAddressSymbol address_symbol [] = {
    { "sukisu_set_manager_uid", &sukisu_set_manager_uid }
 };

-unsigned long sukisu_compact_find_symbol(const char* name) {
+unsigned long sukisu_compact_find_symbol(const char* name)
+{
    int i;
    unsigned long addr;

-    // 先自己在地址表部分查出来
-    for(i = 0; i < (sizeof(address_symbol) / sizeof(struct CompactAddressSymbol)); i++) {
-        struct CompactAddressSymbol* symbol = &address_symbol[i];
-        if(strcmp(name, symbol->symbol_name) == 0) {
-            return (unsigned long) symbol->addr;
-        }
+    for (i = 0; i < (sizeof(address_symbol) / sizeof(struct CompactAddressSymbol)); i++) {
+        struct CompactAddressSymbol *symbol = &address_symbol[i];
+        
+        if (strcmp(name, symbol->symbol_name) == 0)
+            return (unsigned long)symbol->addr;
    }

-    // 通过内核来查
    addr = kallsyms_lookup_name(name);
-    if(addr) {
+    if (addr)
        return addr;
-    }

    return 0;
 }
-
 EXPORT_SYMBOL(sukisu_compact_find_symbol);
--- a/kernel/kpm/compact.h
+++ b/kernel/kpm/compact.h
@@ -1,6 +1,6 @@
-#ifndef ___SUKISU_KPM_COMPACT_H
-#define ___SUKISU_KPM_COMPACT_H
+#ifndef __SUKISU_KPM_COMPACT_H
+#define __SUKISU_KPM_COMPACT_H

-unsigned long sukisu_compact_find_symbol(const char* name);
+extern unsigned long sukisu_compact_find_symbol(const char *name);

 #endif
--- a/kernel/kpm/kpm.c
+++ b/kernel/kpm/kpm.c
@@ -8,13 +8,11 @@
 * 集成了 ELF 解析、内存布局、符号处理、重定位（支持 ARM64 重定位类型）
 * 并参照KernelPatch的标准KPM格式实现加载和控制
 */
-#include <linux/export.h>
-#include <linux/module.h>
+
 #include <linux/kernel.h>
 #include <linux/fs.h>
 #include <linux/kernfs.h>
 #include <linux/file.h>
-#include <linux/slab.h>
 #include <linux/vmalloc.h>
 #include <linux/uaccess.h>
 #include <linux/elf.h>
@@ -23,27 +21,26 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
-#include <asm/elf.h>    /* 包含 ARM64 重定位类型定义 */
-#include <linux/vmalloc.h>
+#include <asm/elf.h>
 #include <linux/mm.h>
 #include <linux/string.h>
 #include <asm/cacheflush.h>
 #include <linux/module.h>
-#include <linux/vmalloc.h>
 #include <linux/set_memory.h>
-#include <linux/version.h>
 #include <linux/export.h>
 #include <linux/slab.h>
 #include <asm/insn.h>
 #include <linux/kprobes.h>
 #include <linux/stacktrace.h>
-#include <linux/kallsyms.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,0,0) && defined(CONFIG_MODULES)
-#include <linux/moduleloader.h> // 需要启用 CONFIG_MODULES
+#include <linux/moduleloader.h>
 #endif
 #include "kpm.h"
 #include "compact.h"

+#define KPM_NAME_LEN 32
+#define KPM_ARGS_LEN 1024
+
 #ifndef NO_OPTIMIZE
 #if defined(__GNUC__) && !defined(__clang__)
    #define NO_OPTIMIZE __attribute__((optimize("O0")))
@@ -54,131 +51,232 @@
 #endif
 #endif

-// ============================================================================================
+noinline NO_OPTIMIZE void sukisu_kpm_load_module_path(const char *path,
+                const char *args, void *ptr, int *result)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_load_module_path). "
+                    "path=%s args=%s ptr=%p\n", path, args, ptr);

-noinline
-NO_OPTIMIZE
-void sukisu_kpm_load_module_path(const char* path, const char* args, void* ptr, void __user* result) {
-    // This is a KPM module stub.
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_load_module_path). path=%s args=%s ptr=%p\n", path, args, ptr);
-    __asm__ volatile("nop");  // 精确控制循环不被优化
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
+    __asm__ volatile("nop");
 }
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_unload_module(const char* name, void* ptr, void __user* result) {
-    // This is a KPM module stub.
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_unload_module). name=%s ptr=%p\n", name, ptr);
-    __asm__ volatile("nop");  // 精确控制循环不被优化
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_num(void __user* result) {
-    // This is a KPM module stub.
-    int res = 0;
-    printk("KPM: Stub function called (sukisu_kpm_num).\n");
-    __asm__ volatile("nop");  // 精确控制循环不被优化
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_info(const char* name, void __user* out, void __user* result) {
-    // This is a KPM module stub.
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_info). name=%s buffer=%p\n", name, out);
-    __asm__ volatile("nop");  // 精确控制循环不被优化
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_list(void __user* out, unsigned int bufferSize, void __user* result) {
-    // This is a KPM module stub.
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_list). buffer=%p size=%d\n", out, bufferSize);
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_control(void __user* name, void __user* args, void __user* result) {
-    // This is a KPM module stub.
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_control). name=%p args=%p\n", name, args);
-    __asm__ volatile("nop");  // 精确控制循环不被优化
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
-noinline
-NO_OPTIMIZE
-void sukisu_kpm_version(void __user* out, unsigned int bufferSize, void __user* result) {
-    int res = -1;
-    printk("KPM: Stub function called (sukisu_kpm_version). buffer=%p size=%d\n", out, bufferSize);
-    if(copy_to_user(result, &res, sizeof(res)) < 1) printk("KPM: Copy to user faild.");
-}
-
 EXPORT_SYMBOL(sukisu_kpm_load_module_path);
+
+noinline NO_OPTIMIZE void sukisu_kpm_unload_module(const char *name,
+                void *ptr, int *result)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_unload_module). "
+                    "name=%s ptr=%p\n", name, ptr);
+
+    __asm__ volatile("nop");
+}
 EXPORT_SYMBOL(sukisu_kpm_unload_module);
+
+noinline NO_OPTIMIZE void sukisu_kpm_num(int *result)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_num).\n");
+
+    __asm__ volatile("nop");
+}
 EXPORT_SYMBOL(sukisu_kpm_num);
+
+noinline NO_OPTIMIZE void sukisu_kpm_info(const char *name, char *buf, int bufferSize,
+                int *size)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_info). "
+                    "name=%s buffer=%p\n", name, buf);
+
+    __asm__ volatile("nop");
+}
 EXPORT_SYMBOL(sukisu_kpm_info);
+
+noinline NO_OPTIMIZE void sukisu_kpm_list(void *out, int bufferSize,
+                int *result)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_list). "
+                    "buffer=%p size=%d\n", out, bufferSize);
+}
 EXPORT_SYMBOL(sukisu_kpm_list);
-EXPORT_SYMBOL(sukisu_kpm_version);
+
+noinline NO_OPTIMIZE void sukisu_kpm_control(const char *name, const char *args, long arg_len,
+                int *result)
+{
+    pr_info("kpm: Stub function called (sukisu_kpm_control). "
+                    "name=%p args=%p arg_len=%ld\n", name, args, arg_len);
+
+    __asm__ volatile("nop");
+}
 EXPORT_SYMBOL(sukisu_kpm_control);

-noinline
-int sukisu_handle_kpm(unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5)
+noinline NO_OPTIMIZE void sukisu_kpm_version(char *buf, int bufferSize)
 {
-    if(arg2 == SUKISU_KPM_LOAD) {
-        char kernel_load_path[256] = { 0 };
-        char kernel_args_buffer[256] = { 0 };
+    pr_info("kpm: Stub function called (sukisu_kpm_version). "
+                    "buffer=%p\n", buf);
+}
+EXPORT_SYMBOL(sukisu_kpm_version);

-        if(arg3 == 0) {
-            return -1;
+noinline int sukisu_handle_kpm(unsigned long control_code, unsigned long arg1, unsigned long arg2,
+                unsigned long result_code)
+{
+    int res = -1;
+    if (control_code == SUKISU_KPM_LOAD) {
+        char kernel_load_path[256];
+        char kernel_args_buffer[256];
+
+        if (arg1 == 0) {
+            res = -EINVAL;
+            goto exit;
        }

-        strncpy_from_user((char*)&kernel_load_path, (const char __user *)arg3, 255);
-        if(arg4 != 0) {
-            strncpy_from_user((char*)&kernel_args_buffer, (const char __user *)arg4, 255);
-        }
-        sukisu_kpm_load_module_path((const char*)&kernel_load_path, (const char*) &kernel_args_buffer, NULL, (void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_UNLOAD) {
-        char kernel_name_buffer[256] = { 0 };
-
-        if(arg3 == 0) {
-            return -1;
+        if (!access_ok(arg1, 255)) {
+            goto invalid_arg;
        }
        
-        strncpy_from_user((char*)&kernel_name_buffer, (const char __user *)arg3, 255);
-        sukisu_kpm_unload_module((const char*) &kernel_name_buffer, NULL, (void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_NUM) {
-        sukisu_kpm_num((void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_INFO) {
-        char kernel_name_buffer[256] = { 0 };
+        strncpy_from_user((char *)&kernel_load_path, (const char *)arg1, 255);
        
-        if(arg3 == 0 || arg4 == 0) {
-            return -1;
+        if (arg2 != 0) {
+            if (!access_ok(arg2, 255)) {
+                goto invalid_arg;
            }

-        strncpy_from_user((char*)&kernel_name_buffer, (const char __user *)arg3, 255);
-        sukisu_kpm_info((const char*) &kernel_name_buffer, (char __user*) arg4, (void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_LIST) {
-        sukisu_kpm_list((char __user*) arg3, (unsigned int) arg4, (void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_VERSION) {
-        sukisu_kpm_version((char __user*) arg3, (unsigned int) arg4, (void __user*) arg5);
-    } else if(arg2 == SUKISU_KPM_CONTROL) {
-        sukisu_kpm_control((char __user*) arg3, (char __user*) arg4, (void __user*) arg5);
+            strncpy_from_user((char *)&kernel_args_buffer, (const char *)arg2, 255);
        }
+
+        sukisu_kpm_load_module_path((const char *)&kernel_load_path,
+                        (const char *)&kernel_args_buffer, NULL, &res);
+    } else if (control_code == SUKISU_KPM_UNLOAD) {
+        char kernel_name_buffer[256];
+
+        if (arg1 == 0) {
+            res = -EINVAL;
+            goto exit;
+        }
+
+        if (!access_ok(arg1, sizeof(kernel_name_buffer))) {
+            goto invalid_arg;
+        }
+        
+        strncpy_from_user((char *)&kernel_name_buffer, (const char *)arg1, sizeof(kernel_name_buffer));
+        
+        sukisu_kpm_unload_module((const char *)&kernel_name_buffer, NULL, &res);
+    } else if (control_code == SUKISU_KPM_NUM) {
+        sukisu_kpm_num(&res);
+    } else if (control_code == SUKISU_KPM_INFO) {
+        char kernel_name_buffer[256];
+        char buf[256];
+        int size;
+
+        if (arg1 == 0 || arg2 == 0) {
+            res = -EINVAL;
+            goto exit;
+        }
+
+        if (!access_ok(arg1, sizeof(kernel_name_buffer))) {
+            goto invalid_arg;
+        }
+        
+        strncpy_from_user((char *)&kernel_name_buffer, (const char __user *)arg1, sizeof(kernel_name_buffer));
+        
+        sukisu_kpm_info((const char *)&kernel_name_buffer, (char *)&buf, sizeof(buf), &size);
+
+        if (!access_ok(arg2, size)) {
+            goto invalid_arg;
+        }
+
+        res = copy_to_user(arg2, &buf, size);
+
+    } else if (control_code == SUKISU_KPM_LIST) {
+        char buf[1024];
+        int len = (int) arg2;
+
+        if (len <= 0) {
+            res = -EINVAL;
+            goto exit;
+        }
+
+        if (!access_ok(arg2, len)) {
+            goto invalid_arg;
+        }
+        
+        sukisu_kpm_list((char *)&buf, sizeof(buf), &res);
+
+        if (res > len) {
+            res = -ENOBUFS;
+            goto exit;
+        }
+
+        if (copy_to_user(arg1, &buf, len) != 0) 
+            pr_info("kpm: Copy to user failed.");
+        
+    } else if (control_code == SUKISU_KPM_CONTROL) {
+        char kpm_name[KPM_NAME_LEN] = { 0 };
+        char kpm_args[KPM_ARGS_LEN] = { 0 };
+
+        if (!access_ok(arg1, sizeof(kpm_name))) {
+            goto invalid_arg;
+        }
+
+        if (!access_ok(arg2, sizeof(kpm_args))) {
+            goto invalid_arg;
+        }
+
+        long name_len = strncpy_from_user((char *)&kpm_name, (const char __user *)arg1, sizeof(kpm_name));
+        if (name_len <= 0) {
+            res = -EINVAL;
+            goto exit;
+        }
+
+        long arg_len = strncpy_from_user((char *)&kpm_args, (const char __user *)arg2, sizeof(kpm_args));
+
+        sukisu_kpm_control((const char *)&kpm_name, (const char *)&kpm_args, arg_len, &res);
+
+    } else if (control_code == SUKISU_KPM_VERSION) {
+        char buffer[256] = {0};
+
+        sukisu_kpm_version((char*) &buffer, sizeof(buffer));
+
+        unsigned int outlen = (unsigned int) arg2;
+        int len = strlen(buffer);
+        if (len >= outlen) len = outlen - 1;
+        
+        res = copy_to_user(arg1, &buffer, len + 1);
+    }
+
+exit:
+    if (copy_to_user(result_code, &res, sizeof(res)) != 0)
+        pr_info("kpm: Copy to user failed.");
+    
    return 0;
+invalid_arg:
+    pr_err("kpm: invalid pointer detected! arg1: %px arg2: %px\n", (void *)arg1, (void *)arg2);
+    res = -EFAULT;
+    goto exit;
 }
-
-int sukisu_is_kpm_control_code(unsigned long arg2) {
-    return (arg2 >= CMD_KPM_CONTROL && arg2 <= CMD_KPM_CONTROL_MAX) ? 1 : 0;
-}
-
 EXPORT_SYMBOL(sukisu_handle_kpm);
+
+int sukisu_is_kpm_control_code(unsigned long control_code) {
+    return (control_code >= CMD_KPM_CONTROL &&
+                    control_code <= CMD_KPM_CONTROL_MAX) ? 1 : 0;
+}
+
+int do_kpm(void __user *arg)
+{
+    struct ksu_kpm_cmd cmd;
+
+    if (copy_from_user(&cmd, arg, sizeof(cmd))) {
+        pr_err("kpm: copy_from_user failed\n");
+        return -EFAULT;
+    }
+
+    if (!access_ok(cmd.control_code, sizeof(int))) {
+        pr_err("kpm: invalid control_code pointer %px\n", (void *)cmd.control_code);
+        return -EFAULT;
+    }
+
+    if (!access_ok(cmd.result_code, sizeof(int))) {
+        pr_err("kpm: invalid result_code pointer %px\n", (void *)cmd.result_code);
+        return -EFAULT;
+    }
+
+    return sukisu_handle_kpm(cmd.control_code, cmd.arg1, cmd.arg2, cmd.result_code);
+}
+
--- a/kernel/kpm/kpm.h
+++ b/kernel/kpm/kpm.h
@@ -1,44 +1,70 @@
-#ifndef ___SUKISU_KPM_H
-#define ___SUKISU_KPM_H
+#ifndef __SUKISU_KPM_H
+#define __SUKISU_KPM_H

-int sukisu_handle_kpm(unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5);
-int sukisu_is_kpm_control_code(unsigned long arg2);
+#include <linux/types.h>
+#include <linux/ioctl.h>

-// KPM控制代码
-#define CMD_KPM_CONTROL 28
-#define CMD_KPM_CONTROL_MAX 35
+struct ksu_kpm_cmd {
+    __aligned_u64 __user control_code;
+    __aligned_u64 __user arg1;
+    __aligned_u64 __user arg2;
+    __aligned_u64 __user result_code;
+};

-// 控制代码
+int sukisu_handle_kpm(unsigned long control_code, unsigned long arg3, unsigned long arg4, unsigned long result_code);
+int sukisu_is_kpm_control_code(unsigned long control_code);
+int do_kpm(void __user *arg);

-// prctl(xxx, 28, "PATH", "ARGS")
-// success return 0, error return -N
-#define SUKISU_KPM_LOAD 28
+#define KSU_IOCTL_KPM _IOC(_IOC_READ|_IOC_WRITE, 'K', 200, 0)

-// prctl(xxx, 29, "NAME")
-// success return 0, error return -N
-#define SUKISU_KPM_UNLOAD 29
+/* KPM Control Code */
+#define CMD_KPM_CONTROL 1
+#define CMD_KPM_CONTROL_MAX 10

-// num = prctl(xxx, 30)
-// error return -N
-// success return +num or 0
-#define SUKISU_KPM_NUM 30
+/* Control Code */
+/*
+ * prctl(xxx, 1, "PATH", "ARGS")
+ * success return 0, error return -N
+ */
+#define SUKISU_KPM_LOAD 1

-// prctl(xxx, 31, Buffer, BufferSize)
-// success return +out, error return -N
-#define SUKISU_KPM_LIST 31
+/*
+ * prctl(xxx, 2, "NAME")
+ * success return 0, error return -N
+ */
+#define SUKISU_KPM_UNLOAD 2

-// prctl(xxx, 32, "NAME", Buffer[256])
-// success return +out, error return -N
-#define SUKISU_KPM_INFO 32
+/*
+ * num = prctl(xxx, 3)
+ * error return -N
+ * success return +num or 0
+ */
+#define SUKISU_KPM_NUM 3

-// prctl(xxx, 33, "NAME", "ARGS")
-// success return KPM's result value
-// error return -N
-#define SUKISU_KPM_CONTROL 33
+/*
+ * prctl(xxx, 4, Buffer, BufferSize)
+ * success return +out, error return -N
+ */
+#define SUKISU_KPM_LIST 4

-// prctl(xxx, 34, buffer, bufferSize)
-// success return KPM's result value
-// error return -N
-#define SUKISU_KPM_VERSION 34
+/*
+ * prctl(xxx, 5, "NAME", Buffer[256])
+ * success return +out, error return -N
+ */
+#define SUKISU_KPM_INFO 5
+
+/*
+ * prctl(xxx, 6, "NAME", "ARGS")
+ * success return KPM's result value
+ * error return -N
+ */
+#define SUKISU_KPM_CONTROL 6
+
+/*
+ * prctl(xxx, 7, buffer, bufferSize)
+ * success return KPM's result value
+ * error return -N
+ */
+#define SUKISU_KPM_VERSION 7

 #endif
--- a/kernel/kpm/super_access.c
+++ b/kernel/kpm/super_access.c
@@ -13,7 +13,7 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include <linux/rcupdate.h>
-#include <asm/elf.h>    /* 包含 ARM64 重定位类型定义 */
+#include <asm/elf.h>
 #include <linux/vmalloc.h>
 #include <linux/mm.h>
 #include <linux/string.h>
@@ -24,34 +24,37 @@
 #include <linux/version.h>
 #include <linux/export.h>
 #include <linux/slab.h>
-#include "kpm.h"
-#include "compact.h"
 #include <linux/types.h>
 #include <linux/stddef.h>
+#include <linux/mount.h>
+#include <linux/kprobes.h>
+#include <linux/mm_types.h>
+#include <linux/netlink.h>
+#include <linux/sched.h>
+#include <../fs/mount.h>
+#include "kpm.h"
+#include "compact.h"

-// 结构体成员元数据
 struct DynamicStructMember {
-    const char* name;
+    const char *name;
    size_t size;
    size_t offset;
 };

-// 结构体元数据（包含总大小）
 struct DynamicStructInfo {
-    const char* name;
+    const char *name;
    size_t count;
    size_t total_size;
-    struct DynamicStructMember* members;
+    struct DynamicStructMember *members;
 };

-// 定义结构体元数据的宏（直接使用 struct 名称）
 #define DYNAMIC_STRUCT_BEGIN(struct_name) \
    static struct DynamicStructMember struct_name##_members[] = {

 #define DEFINE_MEMBER(struct_name, member) \
    { \
        .name = #member, \
-        .size = sizeof(((struct struct_name*)0)->member), \
+        .size = sizeof(((struct struct_name *)0)->member), \
        .offset = offsetof(struct struct_name, member) \
    },

@@ -64,17 +67,6 @@ struct DynamicStructInfo {
        .members = struct_name##_members \
    };

-// ==================================================================================
-
-#include <linux/version.h>
-
-#define KERNEL_VERSION_6_1 KERNEL_VERSION(6, 1, 0)
-#define KERNEL_VERSION_5_15 KERNEL_VERSION(5, 15, 0)
-
-#include <../fs/mount.h>
-#include <linux/mount.h>
-
-// 定义元数据
 DYNAMIC_STRUCT_BEGIN(mount)
    DEFINE_MEMBER(mount, mnt_parent)
    DEFINE_MEMBER(mount, mnt)
@@ -96,13 +88,11 @@ DYNAMIC_STRUCT_BEGIN(mnt_namespace)
    DEFINE_MEMBER(mnt_namespace, root)
    DEFINE_MEMBER(mnt_namespace, seq)
    DEFINE_MEMBER(mnt_namespace, mounts)
-#if LINUX_VERSION_CODE < KERNEL_VERSION_5_15
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
    DEFINE_MEMBER(mnt_namespace, count)
 #endif
 DYNAMIC_STRUCT_END(mnt_namespace)

-#include <linux/kprobes.h>
-
 #ifdef CONFIG_KPROBES
 DYNAMIC_STRUCT_BEGIN(kprobe)
    DEFINE_MEMBER(kprobe, addr)
@@ -110,16 +100,13 @@ DYNAMIC_STRUCT_BEGIN(kprobe)
    DEFINE_MEMBER(kprobe, offset)
    DEFINE_MEMBER(kprobe, pre_handler)
    DEFINE_MEMBER(kprobe, post_handler)
-#if LINUX_VERSION_CODE < KERNEL_VERSION_5_15
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 15, 0)
    DEFINE_MEMBER(kprobe, fault_handler)
 #endif
    DEFINE_MEMBER(kprobe, flags)
 DYNAMIC_STRUCT_END(kprobe)
 #endif

-#include <linux/mm.h>
-#include <linux/mm_types.h>
-
 DYNAMIC_STRUCT_BEGIN(vm_area_struct)
    DEFINE_MEMBER(vm_area_struct,vm_start)
    DEFINE_MEMBER(vm_area_struct,vm_end)
@@ -128,9 +115,9 @@ DYNAMIC_STRUCT_BEGIN(vm_area_struct)
    DEFINE_MEMBER(vm_area_struct,vm_pgoff)
    DEFINE_MEMBER(vm_area_struct,vm_file)
    DEFINE_MEMBER(vm_area_struct,vm_private_data)
-    #ifdef CONFIG_ANON_VMA_NAME
+#ifdef CONFIG_ANON_VMA_NAME
    DEFINE_MEMBER(vm_area_struct, anon_name)
-    #endif
+#endif
    DEFINE_MEMBER(vm_area_struct, vm_ops)
 DYNAMIC_STRUCT_END(vm_area_struct)

@@ -141,8 +128,6 @@ DYNAMIC_STRUCT_BEGIN(vm_operations_struct)
    DEFINE_MEMBER(vm_operations_struct, access)
 DYNAMIC_STRUCT_END(vm_operations_struct)

-#include <linux/netlink.h>
-
 DYNAMIC_STRUCT_BEGIN(netlink_kernel_cfg)
    DEFINE_MEMBER(netlink_kernel_cfg, groups)
    DEFINE_MEMBER(netlink_kernel_cfg, flags)
@@ -150,13 +135,11 @@ DYNAMIC_STRUCT_BEGIN(netlink_kernel_cfg)
    DEFINE_MEMBER(netlink_kernel_cfg, cb_mutex)
    DEFINE_MEMBER(netlink_kernel_cfg, bind)
    DEFINE_MEMBER(netlink_kernel_cfg, unbind)
-#if LINUX_VERSION_CODE < KERNEL_VERSION_6_1
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 1, 0)
    DEFINE_MEMBER(netlink_kernel_cfg, compare)
 #endif
 DYNAMIC_STRUCT_END(netlink_kernel_cfg)

-
-#include <linux/sched.h>
 DYNAMIC_STRUCT_BEGIN(task_struct)
    DEFINE_MEMBER(task_struct, pid)
    DEFINE_MEMBER(task_struct, tgid)
@@ -186,104 +169,110 @@ DYNAMIC_STRUCT_BEGIN(task_struct)
    DEFINE_MEMBER(task_struct, thread)
 DYNAMIC_STRUCT_END(task_struct)

-// =====================================================================================================================
-
 #define STRUCT_INFO(name) &(name##_info)

-static
-struct DynamicStructInfo* dynamic_struct_infos[] = {
+static struct DynamicStructInfo *dynamic_struct_infos[] = {
    STRUCT_INFO(mount),
    STRUCT_INFO(vfsmount),
    STRUCT_INFO(mnt_namespace),
-    #ifdef CONFIG_KPROBES
+#ifdef CONFIG_KPROBES
    STRUCT_INFO(kprobe),
-    #endif
+#endif
    STRUCT_INFO(vm_area_struct),
    STRUCT_INFO(vm_operations_struct),
    STRUCT_INFO(netlink_kernel_cfg),
    STRUCT_INFO(task_struct)
 };

-// return 0 if successful
-// return -1 if struct not defined
-int sukisu_super_find_struct(
-    const char* struct_name,
-    size_t* out_size,
-    int* out_members
-) {
-    for(size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo* info = dynamic_struct_infos[i];
-        if(strcmp(struct_name, info->name) == 0) {
-            if(out_size)
+/*
+ * return 0 if successful
+ * return -1 if struct not defined
+ */
+int sukisu_super_find_struct(const char *struct_name, size_t *out_size, int *out_members)
+{
+    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
+        struct DynamicStructInfo *info = dynamic_struct_infos[i];
+        
+        if (strcmp(struct_name, info->name) == 0) {
+            if (out_size)
                *out_size = info->total_size;
-            if(out_members)
+                
+            if (out_members)
                *out_members = info->count;
+                
            return 0;
        }
    }
+    
    return -1;
 }
 EXPORT_SYMBOL(sukisu_super_find_struct);

-// Dynamic access struct
-// return 0 if successful
-// return -1 if struct not defined
-// return -2 if member not defined
-int sukisu_super_access (
-    const char* struct_name,
-    const char* member_name,
-    size_t* out_offset,
-    size_t* out_size
-) {
-    for(size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo* info = dynamic_struct_infos[i];
-        if(strcmp(struct_name, info->name) == 0) {
+/*
+ * Dynamic access struct
+ * return 0 if successful
+ * return -1 if struct not defined
+ * return -2 if member not defined
+ */
+int sukisu_super_access(const char *struct_name, const char *member_name, size_t *out_offset,
+                size_t *out_size)
+{
+    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
+        struct DynamicStructInfo *info = dynamic_struct_infos[i];
+        
+        if (strcmp(struct_name, info->name) == 0) {
            for (size_t i1 = 0; i1 < info->count; i1++) {
                if (strcmp(info->members[i1].name, member_name) == 0) {
-                    if(out_offset)
+                    if (out_offset)
                        *out_offset = info->members[i].offset;
-                    if(out_size)
+                        
+                    if (out_size)
                        *out_size = info->members[i].size;
+                        
                    return 0;
                }
            }
+            
            return -2;
        }
    }
+    
    return -1;
 }
 EXPORT_SYMBOL(sukisu_super_access);

-// 动态 container_of 宏
 #define DYNAMIC_CONTAINER_OF(offset, member_ptr) ({ \
    (offset != (size_t)-1) ? (void*)((char*)(member_ptr) - offset) : NULL; \
 })

-// Dynamic container_of
-// return 0 if success
-// return -1 if current struct not defined
-// return -2 if target member not defined
-int sukisu_super_container_of(
-    const char* struct_name,
-    const char* member_name,
-    void* ptr,
-    void** out_ptr
-) {
-    if(ptr == NULL) {
+/*
+ * Dynamic container_of
+ * return 0 if success
+ * return -1 if current struct not defined
+ * return -2 if target member not defined
+ */
+int sukisu_super_container_of(const char *struct_name, const char *member_name, void *ptr,
+                void **out_ptr)
+{
+    if (ptr == NULL)
        return -3;
-    }
-    for(size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
-        struct DynamicStructInfo* info = dynamic_struct_infos[i];
-        if(strcmp(struct_name, info->name) == 0) {
+
+    for (size_t i = 0; i < (sizeof(dynamic_struct_infos) / sizeof(dynamic_struct_infos[0])); i++) {
+        struct DynamicStructInfo *info = dynamic_struct_infos[i];
+        
+        if (strcmp(struct_name, info->name) == 0) {
            for (size_t i1 = 0; i1 < info->count; i1++) {
                if (strcmp(info->members[i1].name, member_name) == 0) {
-                    *out_ptr = (void*) DYNAMIC_CONTAINER_OF(info->members[i1].offset, ptr);
+                    *out_ptr = (void *)DYNAMIC_CONTAINER_OF(info->members[i1].offset, ptr);
+                    
                    return 0;
                }
            }
+            
            return -2;
        }
    }
+    
    return -1;
 }
 EXPORT_SYMBOL(sukisu_super_container_of);
--- a/kernel/kpm/super_access.h
+++ b/kernel/kpm/super_access.h
@@ -6,34 +6,10 @@
 #include "kpm.h"
 #include "compact.h"

-// return 0 if successful
-// return -1 if struct not defined
-int sukisu_super_find_struct(
-    const char* struct_name,
-    size_t* out_size,
-    int* out_members
-);
-
-// Dynamic access struct
-// return 0 if successful
-// return -1 if struct not defined
-// return -2 if member not defined
-int sukisu_super_access (
-    const char* struct_name,
-    const char* member_name,
-    size_t* out_offset,
-    size_t* out_size
-);
-
-// Dynamic container_of
-// return 0 if success
-// return -1 if current struct not defined
-// return -2 if target member not defined
-int sukisu_super_container_of(
-    const char* struct_name,
-    const char* member_name,
-    void* ptr,
-    void** out_ptr
-);
+extern int sukisu_super_find_struct(const char *struct_name, size_t *out_size, int *out_members);
+extern int sukisu_super_access(const char *struct_name, const char *member_name, size_t *out_offset,
+                size_t *out_size);
+extern int sukisu_super_container_of(const char *struct_name, const char *member_name, void *ptr,
+                void **out_ptr);

 #endif
--- a/kernel/ksu.c
+++ b/kernel/ksu.c
@@ -3,13 +3,19 @@
 #include <linux/kobject.h>
 #include <linux/module.h>
 #include <linux/workqueue.h>
+#include <linux/version.h>

 #include "allowlist.h"
-#include "arch.h"
-#include "core_hook.h"
+#include "feature.h"
 #include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
 #include "throne_tracker.h"
+#include "syscall_hook_manager.h"
+#include "ksud.h"
+#include "supercalls.h"
+
+#include "sulog.h"
+#include "throne_comm.h"
+#include "dynamic_manager.h"

 static struct workqueue_struct *ksu_workqueue;

@@ -18,24 +24,19 @@ bool ksu_queue_work(struct work_struct *work)
    return queue_work(ksu_workqueue, work);
 }

-extern int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-					void *argv, void *envp, int *flags);
-
-extern int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
-				    void *argv, void *envp, int *flags);
-
-int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
-			void *envp, int *flags)
+void sukisu_custom_config_init(void)
 {
-	ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
-	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
-					    flags);
 }

-extern void ksu_sucompat_init();
-extern void ksu_sucompat_exit();
-extern void ksu_ksud_init();
-extern void ksu_ksud_exit();
+void sukisu_custom_config_exit(void)
+{
+    ksu_uid_exit();
+    ksu_throne_comm_exit();
+    ksu_dynamic_manager_exit();
+#if __SULOG_GATE
+    ksu_sulog_exit();
+#endif
+}

 int __init kernelsu_init(void)
 {
@@ -49,15 +50,21 @@ int __init kernelsu_init(void)
    pr_alert("*************************************************************");
 #endif

-	ksu_core_init();
+    ksu_feature_init();
+
+    ksu_supercalls_init();
+
+    sukisu_custom_config_init();
+
+    ksu_syscall_hook_manager_init();

    ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0);

    ksu_allowlist_init();

    ksu_throne_tracker_init();
-#ifdef CONFIG_KPROBES
-	ksu_sucompat_init();
+
+#ifdef KSU_KPROBES_HOOK
    ksu_ksud_init();
 #else
     pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
@@ -71,20 +78,28 @@ int __init kernelsu_init(void)
    return 0;
 }

+extern void ksu_observer_exit(void);
 void kernelsu_exit(void)
 {
    ksu_allowlist_exit();

+    ksu_observer_exit();
+
    ksu_throne_tracker_exit();

    destroy_workqueue(ksu_workqueue);

-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    ksu_ksud_exit();
-	ksu_sucompat_exit();
 #endif

-	ksu_core_exit();
+    ksu_syscall_hook_manager_exit();
+
+    sukisu_custom_config_exit();
+
+    ksu_supercalls_exit();
+    
+    ksu_feature_exit();
 }

 module_init(kernelsu_init);
@@ -93,4 +108,9 @@ module_exit(kernelsu_exit);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("weishu");
 MODULE_DESCRIPTION("Android KernelSU");
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 13, 0)
+MODULE_IMPORT_NS("VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver");
+#else
 MODULE_IMPORT_NS(VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver);
+#endif
--- a/kernel/ksu.h
+++ b/kernel/ksu.h
@@ -7,50 +7,27 @@
 #define KERNEL_SU_VERSION KSU_VERSION
 #define KERNEL_SU_OPTION 0xDEADBEEF

-#define CMD_GRANT_ROOT 0
-#define CMD_BECOME_MANAGER 1
-#define CMD_GET_VERSION 2
-#define CMD_ALLOW_SU 3
-#define CMD_DENY_SU 4
-#define CMD_GET_ALLOW_LIST 5
-#define CMD_GET_DENY_LIST 6
-#define CMD_REPORT_EVENT 7
-#define CMD_SET_SEPOLICY 8
-#define CMD_CHECK_SAFEMODE 9
-#define CMD_GET_APP_PROFILE 10
-#define CMD_SET_APP_PROFILE 11
-#define CMD_UID_GRANTED_ROOT 12
-#define CMD_UID_SHOULD_UMOUNT 13
-#define CMD_IS_SU_ENABLED 14
-#define CMD_ENABLE_SU 15
-
-#define CMD_GET_FULL_VERSION 0xC0FFEE1A
-
-#define CMD_ENABLE_KPM 100
-#define CMD_DYNAMIC_SIGN 103
-#define CMD_GET_MANAGERS 104
+extern bool ksu_uid_scanner_enabled;

 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2
 #define EVENT_MODULE_MOUNTED 3

-#define KSU_APP_PROFILE_VER 2
-#define KSU_MAX_PACKAGE_NAME 256
-// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
-#define KSU_MAX_GROUPS 32
-#define KSU_SELINUX_DOMAIN 64
-
 // SukiSU Ultra kernel su version full strings
 #ifndef KSU_VERSION_FULL 
 #define KSU_VERSION_FULL "v3.x-00000000@unknown"
 #endif
 #define KSU_FULL_VERSION_STRING 255

-#define DYNAMIC_SIGN_OP_SET 0
-#define DYNAMIC_SIGN_OP_GET 1
-#define DYNAMIC_SIGN_OP_CLEAR 2
+#define DYNAMIC_MANAGER_OP_SET 0
+#define DYNAMIC_MANAGER_OP_GET 1
+#define DYNAMIC_MANAGER_OP_CLEAR 2

-struct dynamic_sign_user_config {
+#define UID_SCANNER_OP_GET_STATUS 0
+#define UID_SCANNER_OP_TOGGLE 1
+#define UID_SCANNER_OP_CLEAR_ENV 2
+
+struct dynamic_manager_user_config {
    unsigned int operation;
    unsigned int size;
    char hash[65];
@@ -64,56 +41,9 @@ struct manager_list_info {
    } managers[2];
 };

-struct root_profile {
-	int32_t uid;
-	int32_t gid;
-
-	int32_t groups_count;
-	int32_t groups[KSU_MAX_GROUPS];
-
-	// kernel_cap_t is u32[2] for capabilities v3
-	struct {
-		u64 effective;
-		u64 permitted;
-		u64 inheritable;
-	} capabilities;
-
-	char selinux_domain[KSU_SELINUX_DOMAIN];
-
-	int32_t namespaces;
-};
-
-struct non_root_profile {
-	bool umount_modules;
-};
-
-struct app_profile {
-	// It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
-	u32 version;
-
-	// this is usually the package of the app, but can be other value for special apps
-	char key[KSU_MAX_PACKAGE_NAME];
-	int32_t current_uid;
-	bool allow_su;
-
-	union {
-		struct {
-			bool use_default;
-			char template_name[KSU_MAX_PACKAGE_NAME];
-
-			struct root_profile profile;
-		} rp_config;
-
-		struct {
-			bool use_default;
-
-			struct non_root_profile profile;
-		} nrp_config;
-	};
-};
-
 bool ksu_queue_work(struct work_struct *work);

+#if 0
 static inline int startswith(char *s, char *prefix)
 {
    return strncmp(s, prefix, strlen(prefix));
@@ -127,5 +57,6 @@ static inline int endswith(const char *s, const char *t)
        return 1;
    return strcmp(s + slen - tlen, t);
 }
+#endif

 #endif
--- a/kernel/ksud.c
+++ b/kernel/ksud.c
@@ -1,3 +1,6 @@
+#include <linux/rcupdate.h>
+#include <linux/slab.h>
+#include <linux/task_work.h>
 #include <asm/current.h>
 #include <linux/compat.h>
 #include <linux/cred.h>
@@ -11,15 +14,19 @@
 #include <linux/printk.h>
 #include <linux/types.h>
 #include <linux/uaccess.h>
+#include <linux/namei.h>
 #include <linux/workqueue.h>

+#include "manager.h"
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
-#include "kernel_compat.h"
 #include "selinux/selinux.h"
+#include "throne_tracker.h"

+bool ksu_module_mounted __read_mostly = false;
+bool ksu_boot_completed __read_mostly = false;

 static const char KERNEL_SU_RC[] =
    "\n"
@@ -48,7 +55,7 @@ static void stop_vfs_read_hook();
 static void stop_execve_hook();
 static void stop_input_hook();

-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
 static struct work_struct stop_vfs_read_work;
 static struct work_struct stop_execve_hook_work;
 static struct work_struct stop_input_hook_work;
@@ -58,15 +65,11 @@ bool ksu_execveat_hook __read_mostly = true;
 bool ksu_input_hook __read_mostly = true;
 #endif

-u32 ksu_devpts_sid;
+u32 ksu_file_sid;

 // Detect whether it is on or not
 static bool is_boot_phase = true;

-#ifdef CONFIG_COMPAT
-bool ksu_is_compat __read_mostly = false;
-#endif
-
 void on_post_fs_data(void)
 {
    static bool done = false;
@@ -77,14 +80,52 @@ void on_post_fs_data(void)
    done = true;
    pr_info("on_post_fs_data!\n");
    ksu_load_allow_list();
+    ksu_observer_init();
    // sanity check, this may influence the performance
    stop_input_hook();

-	ksu_devpts_sid = ksu_get_devpts_sid();
-	pr_info("devpts sid: %d\n", ksu_devpts_sid);
-
    // End of boot state
    is_boot_phase = false;
+
+    ksu_file_sid = ksu_get_ksu_file_sid();
+	pr_info("ksu_file sid: %d\n", ksu_file_sid);
+}
+
+extern void ext4_unregister_sysfs(struct super_block *sb);
+int nuke_ext4_sysfs(const char* mnt)
+{
+#ifdef CONFIG_EXT4_FS
+    struct path path;
+    int err = kern_path(mnt, 0, &path);
+    if (err) {
+        pr_err("nuke path err: %d\n", err);
+        return err;
+    }
+
+    struct super_block *sb = path.dentry->d_inode->i_sb;
+    const char *name = sb->s_type->name;
+    if (strcmp(name, "ext4") != 0) {
+        pr_info("nuke but module aren't mounted\n");
+        path_put(&path);
+        return -EINVAL;
+    }
+
+    ext4_unregister_sysfs(sb);
+    path_put(&path);
+
+    return 0;
+#endif
+}
+
+void on_module_mounted(void){
+    pr_info("on_module_mounted!\n");
+    ksu_module_mounted = true;
+}
+
+void on_boot_completed(void){
+    ksu_boot_completed = true;
+    pr_info("on_boot_completed!\n");
+    track_throne(true);
 }

 #define MAX_ARG_STRINGS 0x7FFFFFFF
@@ -111,7 +152,6 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
        if (get_user(compat, argv.ptr.compat + nr))
            return ERR_PTR(-EFAULT);

-		ksu_is_compat = true;
        return compat_ptr(compat);
    }
 #endif
@@ -151,22 +191,29 @@ static int __maybe_unused count(struct user_arg_ptr argv, int max)

            if (fatal_signal_pending(current))
                return -ERESTARTNOHAND;
-			cond_resched();
        }
    }
    return i;
 }

+static void on_post_fs_data_cbfun(struct callback_head *cb)
+{
+    on_post_fs_data();
+}
+
+static struct callback_head on_post_fs_data_cb = { .func =
+                                                       on_post_fs_data_cbfun };
+
 // IMPORTANT NOTE: the call from execve_handler_pre WON'T provided correct value for envp and flags in GKI version
 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
                             struct user_arg_ptr *argv,
                             struct user_arg_ptr *envp, int *flags)
 {
-#ifndef CONFIG_KPROBES
+#ifndef KSU_KPROBES_HOOK
    if (!ksu_execveat_hook) {
        return 0;
    }
- #endif
+#endif
    struct filename *filename;

    static const char app_process[] = "/system/bin/app_process";
@@ -196,15 +243,12 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
            const char __user *p = get_user_arg_ptr(*argv, 1);
            if (p && !IS_ERR(p)) {
                char first_arg[16];
-				ksu_strncpy_from_user_nofault(
-					first_arg, p, sizeof(first_arg));
-				pr_info("/system/bin/init first arg: %s\n",
-					first_arg);
+                strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+                pr_info("/system/bin/init first arg: %s\n", first_arg);
                if (!strcmp(first_arg, "second_stage")) {
                    pr_info("/system/bin/init second_stage executed\n");
                    apply_kernelsu_rules();
                    init_second_stage_executed = true;
-					ksu_android_ns_fs_check();
                }
            } else {
                pr_err("/system/bin/init parse args err!\n");
@@ -221,14 +265,12 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
            const char __user *p = get_user_arg_ptr(*argv, 1);
            if (p && !IS_ERR(p)) {
                char first_arg[16];
-				ksu_strncpy_from_user_nofault(
-					first_arg, p, sizeof(first_arg));
+                strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
                pr_info("/init first arg: %s\n", first_arg);
                if (!strcmp(first_arg, "--second-stage")) {
                    pr_info("/init second_stage executed\n");
                    apply_kernelsu_rules();
                    init_second_stage_executed = true;
-					ksu_android_ns_fs_check();
                }
            } else {
                pr_err("/init parse args err!\n");
@@ -239,15 +281,13 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
            if (envc > 0) {
                int n;
                for (n = 1; n <= envc; n++) {
-					const char __user *p =
-						get_user_arg_ptr(*envp, n);
+                    const char __user *p = get_user_arg_ptr(*envp, n);
                    if (!p || IS_ERR(p)) {
                        continue;
                    }
                    char env[256];
                    // Reading environment variable strings from user space
-					if (ksu_strncpy_from_user_nofault(
-						    env, p, sizeof(env)) < 0)
+                    if (strncpy_from_user_nofault(env, p, sizeof(env)) < 0)
                        continue;
                    // Parsing environment variable names and values
                    char *env_name = env;
@@ -258,15 +298,12 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
                    *env_value = '\0';
                    env_value++;
                    // Check if the environment variable name and value are matching
-					if (!strcmp(env_name,
-						    "INIT_SECOND_STAGE") &&
+                    if (!strcmp(env_name, "INIT_SECOND_STAGE") &&
                        (!strcmp(env_value, "1") ||
                         !strcmp(env_value, "true"))) {
                        pr_info("/init second_stage executed\n");
                        apply_kernelsu_rules();
-						init_second_stage_executed =
-							true;
-						ksu_android_ns_fs_check();
+                        init_second_stage_executed = true;
                    }
                }
            }
@@ -278,7 +315,14 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
        first_app_process = false;
        pr_info("exec app_process, /data prepared, second_stage: %d\n",
                init_second_stage_executed);
-		on_post_fs_data(); // we keep this for old ksud
+        struct task_struct *init_task;
+        rcu_read_lock();
+        init_task = rcu_dereference(current->real_parent);
+        if (init_task) {
+            task_work_add(init_task, &on_post_fs_data_cb, TWA_RESUME);
+        }
+        rcu_read_unlock();
+
        stop_execve_hook();
    }

@@ -296,8 +340,7 @@ static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
    bool first_read = file->f_pos == 0;
    ssize_t ret = orig_read(file, buf, count, pos);
    if (first_read) {
-		pr_info("read_proxy append %ld + %ld\n", ret,
-			read_count_append);
+        pr_info("read_proxy append %ld + %ld\n", ret, read_count_append);
        ret += read_count_append;
    }
    return ret;
@@ -308,17 +351,16 @@ static ssize_t read_iter_proxy(struct kiocb *iocb, struct iov_iter *to)
    bool first_read = iocb->ki_pos == 0;
    ssize_t ret = orig_read_iter(iocb, to);
    if (first_read) {
-		pr_info("read_iter_proxy append %ld + %ld\n", ret,
-			read_count_append);
+        pr_info("read_iter_proxy append %ld + %ld\n", ret, read_count_append);
        ret += read_count_append;
    }
    return ret;
 }

-int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
+static int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
                               size_t *count_ptr, loff_t **pos)
 {
-#ifndef CONFIG_KPROBES
+#ifndef KSU_KPROBES_HOOK
    if (!ksu_vfs_read_hook) {
        return 0;
    }
@@ -431,7 +473,7 @@ static bool is_volumedown_enough(unsigned int count)
 int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
                                  int *value)
 {
-#ifndef CONFIG_KPROBES
+#ifndef KSU_KPROBES_HOOK
    if (!ksu_input_hook) {
        return 0;
    }
@@ -473,7 +515,8 @@ bool ksu_is_safe_mode()
    return false;
 }

-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
+
 static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
    struct pt_regs *real_regs = PT_REAL_REGS(regs);
@@ -489,12 +532,11 @@ static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
        return 0;

    memset(path, 0, sizeof(path));
-	ksu_strncpy_from_user_nofault(path, *filename_user, 32);
+    strncpy_from_user_nofault(path, *filename_user, 32);
    filename_in.name = path;

    filename_p = &filename_in;
-	return ksu_handle_execveat_ksud(AT_FDCWD, &filename_p, &argv, NULL,
-					NULL);
+    return ksu_handle_execveat_ksud(AT_FDCWD, &filename_p, &argv, NULL, NULL);
 }

 static int sys_read_handler_pre(struct kprobe *p, struct pt_regs *regs)
@@ -549,7 +591,7 @@ static void do_stop_input_hook(struct work_struct *work)

 static void stop_vfs_read_hook()
 {
-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    bool ret = schedule_work(&stop_vfs_read_work);
    pr_info("unregister vfs_read kprobe: %d!\n", ret);
 #else
@@ -560,7 +602,7 @@ static void stop_vfs_read_hook()

 static void stop_execve_hook()
 {
-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    bool ret = schedule_work(&stop_execve_hook_work);
    pr_info("unregister execve kprobe: %d!\n", ret);
 #else
@@ -576,7 +618,7 @@ static void stop_input_hook()
        return;
    }
    input_hook_stopped = true;
-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    bool ret = schedule_work(&stop_input_hook_work);
    pr_info("unregister input kprobe: %d!\n", ret);
 #else
@@ -588,7 +630,7 @@ static void stop_input_hook()
 // ksud: module support
 void ksu_ksud_init()
 {
-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    int ret;

    ret = register_kprobe(&execve_kp);
@@ -608,12 +650,11 @@ void ksu_ksud_init()

 void ksu_ksud_exit()
 {
-#ifdef CONFIG_KPROBES
+#ifdef KSU_KPROBES_HOOK
    unregister_kprobe(&execve_kp);
    // this should be done before unregister vfs_read_kp
    // unregister_kprobe(&vfs_read_kp);
    unregister_kprobe(&input_event_kp);
-
-	is_boot_phase = false;
 #endif
+    is_boot_phase = false;
 }
--- a/kernel/ksud.h
+++ b/kernel/ksud.h
@@ -3,9 +3,19 @@

 #define KSUD_PATH "/data/adb/ksud"

+void ksu_ksud_init();
+void ksu_ksud_exit();
+
 void on_post_fs_data(void);
+void on_module_mounted(void);
+void on_boot_completed(void);

 bool ksu_is_safe_mode(void);

-extern u32 ksu_devpts_sid;
+int nuke_ext4_sysfs(const char* mnt);
+
+extern u32 ksu_file_sid;
+extern bool ksu_module_mounted;
+extern bool ksu_boot_completed;
+
 #endif
--- a/kernel/manager.h
+++ b/kernel/manager.h
@@ -13,17 +13,18 @@ extern void ksu_add_manager(uid_t uid, int signature_index);
 extern void ksu_remove_manager(uid_t uid);
 extern int ksu_get_manager_signature_index(uid_t uid);

-static inline bool ksu_is_manager_uid_valid()
+static inline bool ksu_is_manager_uid_valid(void)
 {
    return ksu_manager_uid != KSU_INVALID_UID;
 }

-static inline bool is_manager()
+static inline bool is_manager(void)
 {
-	return unlikely(ksu_is_any_manager(current_uid().val) || ksu_manager_uid == current_uid().val);
+    return unlikely(ksu_is_any_manager(current_uid().val) || 
+            (ksu_manager_uid != KSU_INVALID_UID && ksu_manager_uid == current_uid().val));
 }

-static inline uid_t ksu_get_manager_uid()
+static inline uid_t ksu_get_manager_uid(void)
 {
    return ksu_manager_uid;
 }
@@ -33,9 +34,10 @@ static inline void ksu_set_manager_uid(uid_t uid)
    ksu_manager_uid = uid;
 }

-static inline void ksu_invalidate_manager_uid()
+static inline void ksu_invalidate_manager_uid(void)
 {
    ksu_manager_uid = KSU_INVALID_UID;
 }

+int ksu_observer_init(void);
 #endif
--- a/kernel/manager_sign.h
+++ b/kernel/manager_sign.h
@@ -9,5 +9,9 @@
 #define EXPECTED_SIZE_OTHER   0x300
 #define EXPECTED_HASH_OTHER   "0000000000000000000000000000000000000000000000000000000000000000"

+typedef struct {
+    unsigned size;
+    const char *sha256;
+} apk_sign_key_t;

 #endif /* MANAGER_SIGN_H */
--- a/kernel/manual_su.c
+++ b/kernel/manual_su.c
@@ -0,0 +1,357 @@
+#include <linux/string.h>
+#include <linux/uaccess.h>
+#include <linux/printk.h>
+#include <linux/cred.h>
+#include <linux/fs.h>
+#include <linux/uaccess.h>
+#include <linux/file.h>
+#include <linux/mm.h>
+#include <linux/slab.h>
+#include <linux/binfmts.h>
+
+#include "manual_su.h"
+#include "ksu.h"
+#include "allowlist.h"
+#include "manager.h"
+#include "app_profile.h"
+
+static bool current_verified = false;
+static void ksu_cleanup_expired_tokens(void);
+static bool is_current_verified(void);
+static void add_pending_root(uid_t uid);
+
+static struct pending_uid pending_uids[MAX_PENDING] = {0};
+static int pending_cnt = 0;
+static struct ksu_token_entry auth_tokens[MAX_TOKENS] = {0};
+static int token_count = 0;
+static DEFINE_SPINLOCK(token_lock);
+
+static char* get_token_from_envp(void)
+{
+    struct mm_struct *mm;
+    char *envp_start, *envp_end;
+    char *env_ptr, *token = NULL;
+    unsigned long env_len;
+    char *env_copy = NULL;
+    
+    if (!current->mm)
+        return NULL;
+        
+    mm = current->mm;
+    
+    down_read(&mm->mmap_lock);
+    
+    envp_start = (char *)mm->env_start;
+    envp_end = (char *)mm->env_end;
+    env_len = envp_end - envp_start;
+    
+    if (env_len <= 0 || env_len > PAGE_SIZE * 32) {
+        up_read(&mm->mmap_lock);
+        return NULL;
+    }
+    
+    env_copy = kzalloc(env_len + 1, GFP_KERNEL);
+    if (!env_copy) {
+        up_read(&mm->mmap_lock);
+        return NULL;
+    }
+    
+    if (copy_from_user(env_copy, envp_start, env_len)) {
+        kfree(env_copy);
+        up_read(&mm->mmap_lock);
+        return NULL;
+    }
+    
+    up_read(&mm->mmap_lock);
+    
+    env_copy[env_len] = '\0';
+    env_ptr = env_copy;
+    
+    while (env_ptr < env_copy + env_len) {
+        if (strncmp(env_ptr, KSU_TOKEN_ENV_NAME "=", strlen(KSU_TOKEN_ENV_NAME) + 1) == 0) {
+            char *token_start = env_ptr + strlen(KSU_TOKEN_ENV_NAME) + 1;
+            char *token_end = strchr(token_start, '\0');
+            
+            if (token_end && (token_end - token_start) == KSU_TOKEN_LENGTH) {
+                token = kzalloc(KSU_TOKEN_LENGTH + 1, GFP_KERNEL);
+                if (token) {
+                    memcpy(token, token_start, KSU_TOKEN_LENGTH);
+                    token[KSU_TOKEN_LENGTH] = '\0';
+                    pr_info("manual_su: found auth token in environment\n");
+                }
+            }
+            break;
+        }
+        
+        env_ptr += strlen(env_ptr) + 1;
+    }
+    
+    kfree(env_copy);
+    return token;
+}
+
+static char* ksu_generate_auth_token(void)
+{
+    static char token_buffer[KSU_TOKEN_LENGTH + 1];
+    unsigned long flags;
+    int i;
+    
+    ksu_cleanup_expired_tokens();
+    
+    spin_lock_irqsave(&token_lock, flags);
+    
+    if (token_count >= MAX_TOKENS) {
+        for (i = 0; i < MAX_TOKENS - 1; i++) {
+            auth_tokens[i] = auth_tokens[i + 1];
+        }
+        token_count = MAX_TOKENS - 1;
+    }
+    
+    for (i = 0; i < KSU_TOKEN_LENGTH; i++) {
+        u8 rand_byte;
+        get_random_bytes(&rand_byte, 1);
+        int char_type = rand_byte % 3;
+        if (char_type == 0) {
+            token_buffer[i] = 'A' + (rand_byte % 26);
+        } else if (char_type == 1) {
+            token_buffer[i] = 'a' + (rand_byte % 26);
+        } else {
+            token_buffer[i] = '0' + (rand_byte % 10);
+        }
+    }
+    
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+        strscpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
+#else
+        strlcpy(auth_tokens[token_count].token, token_buffer, KSU_TOKEN_LENGTH + 1);
+#endif
+    auth_tokens[token_count].expire_time = jiffies + KSU_TOKEN_EXPIRE_TIME * HZ;
+    auth_tokens[token_count].used = false;
+    token_count++;
+    
+    spin_unlock_irqrestore(&token_lock, flags);
+    
+    pr_info("manual_su: generated new auth token (expires in %d seconds)\n", KSU_TOKEN_EXPIRE_TIME);
+    return token_buffer;
+}
+
+static bool ksu_verify_auth_token(const char *token)
+{
+    unsigned long flags;
+    bool valid = false;
+    int i;
+    
+    if (!token || strlen(token) != KSU_TOKEN_LENGTH) {
+        return false;
+    }
+    
+    spin_lock_irqsave(&token_lock, flags);
+    
+    for (i = 0; i < token_count; i++) {
+        if (!auth_tokens[i].used && 
+            time_before(jiffies, auth_tokens[i].expire_time) &&
+            strcmp(auth_tokens[i].token, token) == 0) {
+            
+            auth_tokens[i].used = true;
+            valid = true;
+            pr_info("manual_su: auth token verified successfully\n");
+            break;
+        }
+    }
+    
+    spin_unlock_irqrestore(&token_lock, flags);
+    
+    if (!valid) {
+        pr_warn("manual_su: invalid or expired auth token\n");
+    }
+    
+    return valid;
+}
+
+static void ksu_cleanup_expired_tokens(void)
+{
+    unsigned long flags;
+    int i, j;
+    
+    spin_lock_irqsave(&token_lock, flags);
+    
+    for (i = 0; i < token_count; ) {
+        if (time_after(jiffies, auth_tokens[i].expire_time) || auth_tokens[i].used) {
+            for (j = i; j < token_count - 1; j++) {
+                auth_tokens[j] = auth_tokens[j + 1];
+            }
+            token_count--;
+            pr_debug("manual_su: cleaned up expired/used token\n");
+        } else {
+            i++;
+        }
+    }
+    
+    spin_unlock_irqrestore(&token_lock, flags);
+}
+
+static int handle_token_generation(struct manual_su_request *request)
+{
+    if (current_uid().val > 2000) {
+        pr_warn("manual_su: token generation denied for app UID %d\n", current_uid().val);
+        return -EPERM;
+    }
+    
+    char *new_token = ksu_generate_auth_token();
+    if (!new_token) {
+        pr_err("manual_su: failed to generate token\n");
+        return -ENOMEM;
+    }
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
+        strscpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
+#else
+        strlcpy(request->token_buffer, new_token, KSU_TOKEN_LENGTH + 1);
+#endif
+
+    pr_info("manual_su: auth token generated successfully\n");
+    return 0;
+}
+
+static int handle_escalation_request(struct manual_su_request *request)
+{
+    uid_t target_uid = request->target_uid;
+    pid_t target_pid = request->target_pid;
+    struct task_struct *tsk;
+    
+    rcu_read_lock();
+    tsk = pid_task(find_vpid(target_pid), PIDTYPE_PID);
+    if (!tsk || ksu_task_is_dead(tsk)) {
+        rcu_read_unlock();
+        pr_err("cmd_su: PID %d is invalid or dead\n", target_pid);
+        return -ESRCH;
+    }
+    rcu_read_unlock();
+    
+    if (current_uid().val == 0 || is_manager() || ksu_is_allow_uid_for_current(current_uid().val))
+        goto allowed;
+
+    char *env_token = get_token_from_envp();
+    if (!env_token) {
+        pr_warn("manual_su: no auth token found in environment\n");
+        return -EACCES;
+    }
+    
+    bool token_valid = ksu_verify_auth_token(env_token);
+    kfree(env_token);
+    
+    if (!token_valid) {
+        pr_warn("manual_su: token verification failed\n");
+        return -EACCES;
+    }
+
+allowed:
+    current_verified = true;
+    escape_to_root_for_cmd_su(target_uid, target_pid);
+    return 0;
+}
+
+static int handle_add_pending_request(struct manual_su_request *request)
+{
+    uid_t target_uid = request->target_uid;
+    
+    if (!is_current_verified()) {
+        pr_warn("manual_su: add_pending denied, not verified\n");
+        return -EPERM;
+    }
+
+    add_pending_root(target_uid);
+    current_verified = false;
+    pr_info("manual_su: pending root added for UID %d\n", target_uid);
+    return 0;
+}
+
+int ksu_handle_manual_su_request(int option, struct manual_su_request *request)
+{
+    if (!request) {
+        pr_err("manual_su: invalid request pointer\n");
+        return -EINVAL;
+    }
+
+    switch (option) {
+    case MANUAL_SU_OP_GENERATE_TOKEN:
+        pr_info("manual_su: handling token generation request\n");
+        return handle_token_generation(request);
+
+    case MANUAL_SU_OP_ESCALATE:
+        pr_info("manual_su: handling escalation request for UID %d, PID %d\n", 
+                request->target_uid, request->target_pid);
+        return handle_escalation_request(request);
+        
+    case MANUAL_SU_OP_ADD_PENDING:
+        pr_info("manual_su: handling add pending request for UID %d\n", request->target_uid);
+        return handle_add_pending_request(request);
+        
+    default:
+        pr_err("manual_su: unknown option %d\n", option);
+        return -EINVAL;
+    }
+}
+
+static bool is_current_verified(void)
+{
+    return current_verified;
+}
+
+bool is_pending_root(uid_t uid)
+{
+    for (int i = 0; i < pending_cnt; i++) {
+        if (pending_uids[i].uid == uid) {
+            pending_uids[i].use_count++;
+            pending_uids[i].remove_calls++;
+            return true;
+        }
+    }
+    return false;
+}
+
+void remove_pending_root(uid_t uid)
+{
+    for (int i = 0; i < pending_cnt; i++) {
+        if (pending_uids[i].uid == uid) {
+            pending_uids[i].remove_calls++;
+
+            if (pending_uids[i].remove_calls >= REMOVE_DELAY_CALLS) {
+                pending_uids[i] = pending_uids[--pending_cnt];
+                pr_info("pending_root: removed UID %d after %d calls\n", uid, REMOVE_DELAY_CALLS);
+                ksu_temp_revoke_root_once(uid);
+            } else {
+                pr_info("pending_root: UID %d remove_call=%d (<%d)\n",
+                        uid, pending_uids[i].remove_calls, REMOVE_DELAY_CALLS);
+            }
+            return;
+        }
+    }
+}
+
+static void add_pending_root(uid_t uid)
+{
+    if (pending_cnt >= MAX_PENDING) {
+        pr_warn("pending_root: cache full\n");
+        return;
+    }
+    for (int i = 0; i < pending_cnt; i++) {
+        if (pending_uids[i].uid == uid) {
+            pending_uids[i].use_count = 0;
+            pending_uids[i].remove_calls = 0;
+            return;
+        }
+    }
+    pending_uids[pending_cnt++] = (struct pending_uid){uid, 0};
+    ksu_temp_grant_root_once(uid);
+    pr_info("pending_root: cached UID %d\n", uid);
+}
+
+void ksu_try_escalate_for_uid(uid_t uid)
+{
+    if (!is_pending_root(uid))
+        return;
+    
+    pr_info("pending_root: UID=%d temporarily allowed\n", uid);
+    remove_pending_root(uid);
+}
--- a/kernel/manual_su.h
+++ b/kernel/manual_su.h
@@ -0,0 +1,49 @@
+#ifndef __KSU_MANUAL_SU_H
+#define __KSU_MANUAL_SU_H
+
+#include <linux/types.h>
+#include <linux/sched.h>
+#include <linux/version.h>
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 7, 0)
+#define mmap_lock mmap_sem
+#endif
+
+#define ksu_task_is_dead(t) ((t)->exit_state != 0)
+
+#define MAX_PENDING 16
+#define REMOVE_DELAY_CALLS 150
+#define MAX_TOKENS 10
+
+#define KSU_SU_VERIFIED_BIT (1UL << 0)
+#define KSU_TOKEN_LENGTH 32
+#define KSU_TOKEN_ENV_NAME "KSU_AUTH_TOKEN"
+#define KSU_TOKEN_EXPIRE_TIME 150
+
+#define MANUAL_SU_OP_GENERATE_TOKEN 0
+#define MANUAL_SU_OP_ESCALATE 1
+#define MANUAL_SU_OP_ADD_PENDING 2
+
+struct pending_uid {
+    uid_t uid;
+    int use_count;
+    int remove_calls;
+};
+
+struct manual_su_request {
+    uid_t target_uid;
+    pid_t target_pid;
+    char token_buffer[KSU_TOKEN_LENGTH + 1];
+};
+
+struct ksu_token_entry {
+    char token[KSU_TOKEN_LENGTH + 1];
+    unsigned long expire_time;
+    bool used;
+};
+
+int ksu_handle_manual_su_request(int option, struct manual_su_request *request);
+bool is_pending_root(uid_t uid);
+void remove_pending_root(uid_t uid);
+void ksu_try_escalate_for_uid(uid_t uid);
+#endif
--- a/kernel/pkg_observer.c
+++ b/kernel/pkg_observer.c
@@ -0,0 +1,133 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/module.h>
+#include <linux/fs.h>
+#include <linux/namei.h>
+#include <linux/fsnotify_backend.h>
+#include <linux/slab.h>
+#include <linux/rculist.h>
+#include <linux/version.h>
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "throne_tracker.h"
+#include "throne_comm.h"
+
+#define MASK_SYSTEM (FS_CREATE | FS_MOVE | FS_EVENT_ON_CHILD)
+
+struct watch_dir {
+    const char *path;
+    u32 mask;
+    struct path kpath;
+    struct inode *inode;
+    struct fsnotify_mark *mark;
+};
+
+static struct fsnotify_group *g;
+
+static int ksu_handle_inode_event(struct fsnotify_mark *mark, u32 mask,
+                  struct inode *inode, struct inode *dir,
+                  const struct qstr *file_name, u32 cookie)
+{
+    if (!file_name)
+        return 0;
+    if (mask & FS_ISDIR)
+        return 0;
+    if (file_name->len == 13 &&
+        !memcmp(file_name->name, "packages.list", 13)) {
+        pr_info("packages.list detected: %d\n", mask);
+        if (ksu_uid_scanner_enabled) {
+            ksu_request_userspace_scan();
+        }
+        track_throne(false);
+    }
+    return 0;
+}
+
+static const struct fsnotify_ops ksu_ops = {
+    .handle_inode_event = ksu_handle_inode_event,
+};
+
+static int add_mark_on_inode(struct inode *inode, u32 mask,
+                 struct fsnotify_mark **out)
+{
+    struct fsnotify_mark *m;
+
+    m = kzalloc(sizeof(*m), GFP_KERNEL);
+    if (!m)
+        return -ENOMEM;
+
+    fsnotify_init_mark(m, g);
+    m->mask = mask;
+
+    if (fsnotify_add_inode_mark(m, inode, 0)) {
+        fsnotify_put_mark(m);
+        return -EINVAL;
+    }
+    *out = m;
+    return 0;
+}
+
+static int watch_one_dir(struct watch_dir *wd)
+{
+    int ret = kern_path(wd->path, LOOKUP_FOLLOW, &wd->kpath);
+    if (ret) {
+        pr_info("path not ready: %s (%d)\n", wd->path, ret);
+        return ret;
+    }
+    wd->inode = d_inode(wd->kpath.dentry);
+    ihold(wd->inode);
+
+    ret = add_mark_on_inode(wd->inode, wd->mask, &wd->mark);
+    if (ret) {
+        pr_err("Add mark failed for %s (%d)\n", wd->path, ret);
+        path_put(&wd->kpath);
+        iput(wd->inode);
+        wd->inode = NULL;
+        return ret;
+    }
+    pr_info("watching %s\n", wd->path);
+    return 0;
+}
+
+static void unwatch_one_dir(struct watch_dir *wd)
+{
+    if (wd->mark) {
+        fsnotify_destroy_mark(wd->mark, g);
+        fsnotify_put_mark(wd->mark);
+        wd->mark = NULL;
+    }
+    if (wd->inode) {
+        iput(wd->inode);
+        wd->inode = NULL;
+    }
+    if (wd->kpath.dentry) {
+        path_put(&wd->kpath);
+        memset(&wd->kpath, 0, sizeof(wd->kpath));
+    }
+}
+
+static struct watch_dir g_watch = { .path = "/data/system",
+                    .mask = MASK_SYSTEM };
+
+int ksu_observer_init(void)
+{
+    int ret = 0;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 0, 0)
+    g = fsnotify_alloc_group(&ksu_ops, 0);
+#else
+    g = fsnotify_alloc_group(&ksu_ops);
+#endif
+    if (IS_ERR(g))
+        return PTR_ERR(g);
+
+    ret = watch_one_dir(&g_watch);
+    pr_info("observer init done\n");
+    return 0;
+}
+
+void ksu_observer_exit(void)
+{
+    unwatch_one_dir(&g_watch);
+    fsnotify_put_group(g);
+    pr_info("observer exit done\n");
+}
--- a/kernel/seccomp_cache.c
+++ b/kernel/seccomp_cache.c
@@ -0,0 +1,69 @@
+#include <linux/version.h>
+#include <linux/fs.h>
+#include <linux/nsproxy.h>
+#include <linux/sched/task.h>
+#include <linux/uaccess.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include "klog.h" // IWYU pragma: keep
+#include "seccomp_cache.h"
+
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
+struct action_cache {
+    DECLARE_BITMAP(allow_native, SECCOMP_ARCH_NATIVE_NR);
+#ifdef SECCOMP_ARCH_COMPAT
+    DECLARE_BITMAP(allow_compat, SECCOMP_ARCH_COMPAT_NR);
+#endif
+};
+
+struct seccomp_filter {
+    refcount_t refs;
+    refcount_t users;
+    bool log;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
+    bool wait_killable_recv;
+#endif
+    struct action_cache cache;
+    struct seccomp_filter *prev;
+    struct bpf_prog *prog;
+    struct notification *notif;
+    struct mutex notify_lock;
+    wait_queue_head_t wqh;
+};
+
+void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr)
+{
+    if (!filter) {
+        return;
+    }
+
+    if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
+        clear_bit(nr, filter->cache.allow_native);
+    }
+
+#ifdef SECCOMP_ARCH_COMPAT
+    if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
+        clear_bit(nr, filter->cache.allow_compat);
+    }
+#endif
+}
+
+void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr)
+{
+    if (!filter) {
+        return;
+    }
+
+    if (nr >= 0 && nr < SECCOMP_ARCH_NATIVE_NR) {
+        set_bit(nr, filter->cache.allow_native);
+    }
+
+#ifdef SECCOMP_ARCH_COMPAT
+    if (nr >= 0 && nr < SECCOMP_ARCH_COMPAT_NR) {
+        set_bit(nr, filter->cache.allow_compat);
+    }
+#endif
+}
+
+#endif
--- a/kernel/seccomp_cache.h
+++ b/kernel/seccomp_cache.h
@@ -0,0 +1,12 @@
+#ifndef __KSU_H_SECCOMP_CACHE
+#define __KSU_H_SECCOMP_CACHE
+
+#include <linux/fs.h>
+#include <linux/version.h>
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 2) // Android backport this feature in 5.10.2
+extern void ksu_seccomp_clear_cache(struct seccomp_filter *filter, int nr);
+extern void ksu_seccomp_allow_cache(struct seccomp_filter *filter, int nr);
+#endif
+
+#endif
--- a/kernel/selinux/Makefile
+++ b/kernel/selinux/Makefile
@@ -2,15 +2,7 @@ obj-y += selinux.o
 obj-y += sepolicy.o
 obj-y += rules.o

-ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
-endif
-
-ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
-ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
-endif
-
-ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
+ccflags-y += -Wno-strict-prototypes -Wno-int-conversion
 ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h
--- a/kernel/selinux/rules.c
+++ b/kernel/selinux/rules.c
@@ -6,7 +6,7 @@
 #include "selinux.h"
 #include "sepolicy.h"
 #include "ss/services.h"
-#include "linux/lsm_audit.h"
+#include "linux/lsm_audit.h" // IWYU pragma: keep
 #include "xfrm.h"

 #define SELINUX_POLICY_INSTEAD_SELINUX_SS
@@ -19,19 +19,24 @@
 static struct policydb *get_policydb(void)
 {
    struct policydb *db;
-	struct selinux_policy *policy = rcu_dereference(selinux_state.policy);
+    struct selinux_policy *policy = selinux_state.policy;
    db = &policy->policydb;
    return db;
 }

+static DEFINE_MUTEX(ksu_rules);
+
 void apply_kernelsu_rules()
 {
+    struct policydb *db;
+
    if (!getenforce()) {
        pr_info("SELinux permissive or disabled, apply rules!\n");
    }

-	rcu_read_lock();
-	struct policydb *db = get_policydb();
+    mutex_lock(&ksu_rules);
+
+    db = get_policydb();

    ksu_permissive(db, KERNEL_SU_DOMAIN);
    ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
@@ -122,7 +127,10 @@ void apply_kernelsu_rules()
    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");

-	rcu_read_unlock();
+    // https://android-review.googlesource.com/c/platform/system/logging/+/3725346
+    ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr");
+
+    mutex_unlock(&ksu_rules);
 }

 #define MAX_SEPOL_LEN 128
@@ -137,45 +145,17 @@ void apply_kernelsu_rules()
 #define CMD_TYPE_CHANGE 8
 #define CMD_GENFSCON 9

-#ifdef CONFIG_64BIT
 struct sepol_data {
    u32 cmd;
    u32 subcmd;
-	u64 field_sepol1;
-	u64 field_sepol2;
-	u64 field_sepol3;
-	u64 field_sepol4;
-	u64 field_sepol5;
-	u64 field_sepol6;
-	u64 field_sepol7;
+    char __user *sepol1;
+    char __user *sepol2;
+    char __user *sepol3;
+    char __user *sepol4;
+    char __user *sepol5;
+    char __user *sepol6;
+    char __user *sepol7;
 };
-#ifdef CONFIG_COMPAT
-extern bool ksu_is_compat __read_mostly;
-struct sepol_compat_data {
-	u32 cmd;
-	u32 subcmd;
-	u32 field_sepol1;
-	u32 field_sepol2;
-	u32 field_sepol3;
-	u32 field_sepol4;
-	u32 field_sepol5;
-	u32 field_sepol6;
-	u32 field_sepol7;
-};
-#endif // CONFIG_COMPAT
-#else
-struct sepol_data {
-	u32 cmd;
-	u32 subcmd;
-	u32 field_sepol1;
-	u32 field_sepol2;
-	u32 field_sepol3;
-	u32 field_sepol4;
-	u32 field_sepol5;
-	u32 field_sepol6;
-	u32 field_sepol7;
-};
-#endif // CONFIG_64BIT

 static int get_object(char *buf, char __user *user_object, size_t buf_sz,
              char **object)
@@ -186,14 +166,18 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
    }

    if (strncpy_from_user(buf, user_object, buf_sz) < 0) {
-		return -1;
+        return -EINVAL;
    }

    *object = buf;

    return 0;
 }
-
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
+extern int avc_ss_reset(u32 seqno);
+#else
+extern int avc_ss_reset(struct selinux_avc *avc, u32 seqno);
+#endif
 // reset avc cache table, otherwise the new rules will not take effect if already denied
 static void reset_avc_cache()
 {
@@ -212,72 +196,30 @@ static void reset_avc_cache()

 int handle_sepolicy(unsigned long arg3, void __user *arg4)
 {
+    struct policydb *db;
+
    if (!arg4) {
-		return -1;
+        return -EINVAL;
    }

    if (!getenforce()) {
        pr_info("SELinux permissive or disabled when handle policy!\n");
    }

-	u32 cmd, subcmd;
-	char __user *sepol1, *sepol2, *sepol3, *sepol4, *sepol5, *sepol6, *sepol7;
-
-#if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT)
-	if (unlikely(ksu_is_compat)) {
-		struct sepol_compat_data compat_data;
-		if (copy_from_user(&compat_data, arg4, sizeof(struct sepol_compat_data))) {
-			pr_err("sepol: copy sepol_data failed.\n");
-			return -1;
-		}
-		sepol1 = compat_ptr(compat_data.field_sepol1);
-		sepol2 = compat_ptr(compat_data.field_sepol2);
-		sepol3 = compat_ptr(compat_data.field_sepol3);
-		sepol4 = compat_ptr(compat_data.field_sepol4);
-		sepol5 = compat_ptr(compat_data.field_sepol5);
-		sepol6 = compat_ptr(compat_data.field_sepol6);
-		sepol7 = compat_ptr(compat_data.field_sepol7);
-		cmd = compat_data.cmd;
-		subcmd = compat_data.subcmd;
-	} else {
    struct sepol_data data;
    if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
        pr_err("sepol: copy sepol_data failed.\n");
-			return -1;
+        return -EINVAL;
    }
-		sepol1 = data.field_sepol1;
-		sepol2 = data.field_sepol2;
-		sepol3 = data.field_sepol3;
-		sepol4 = data.field_sepol4;
-		sepol5 = data.field_sepol5;
-		sepol6 = data.field_sepol6;
-		sepol7 = data.field_sepol7;
-		cmd = data.cmd;
-		subcmd = data.subcmd;
-	}
-#else 
-	// basically for full native, say (64BIT=y COMPAT=n) || (64BIT=n)
-	struct sepol_data data;
-	if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
-		pr_err("sepol: copy sepol_data failed.\n");
-		return -1;
-	}
-	sepol1 = data.field_sepol1;
-	sepol2 = data.field_sepol2;
-	sepol3 = data.field_sepol3;
-	sepol4 = data.field_sepol4;
-	sepol5 = data.field_sepol5;
-	sepol6 = data.field_sepol6;
-	sepol7 = data.field_sepol7;
-	cmd = data.cmd;
-	subcmd = data.subcmd;
-#endif

-	rcu_read_lock();
+    u32 cmd = data.cmd;
+    u32 subcmd = data.subcmd;

-	struct policydb *db = get_policydb();
+    mutex_lock(&ksu_rules);

-	int ret = -1;
+    db = get_policydb();
+
+    int ret = -EINVAL;
    if (cmd == CMD_NORMAL_PERM) {
        char src_buf[MAX_SEPOL_LEN];
        char tgt_buf[MAX_SEPOL_LEN];
@@ -285,22 +227,22 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char perm_buf[MAX_SEPOL_LEN];

        char *s, *t, *c, *p;
-		if (get_object(src_buf, sepol1, sizeof(src_buf), &s) < 0) {
+        if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
            pr_err("sepol: copy src failed.\n");
            goto exit;
        }

-		if (get_object(tgt_buf, sepol2, sizeof(tgt_buf), &t) < 0) {
+        if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
            pr_err("sepol: copy tgt failed.\n");
            goto exit;
        }

-		if (get_object(cls_buf, sepol3, sizeof(cls_buf), &c) < 0) {
+        if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
            pr_err("sepol: copy cls failed.\n");
            goto exit;
        }

-		if (get_object(perm_buf, sepol4, sizeof(perm_buf), &p) <
+        if (get_object(perm_buf, data.sepol4, sizeof(perm_buf), &p) <
            0) {
            pr_err("sepol: copy perm failed.\n");
            goto exit;
@@ -318,7 +260,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        } else {
            pr_err("sepol: unknown subcmd: %d\n", subcmd);
        }
-		ret = success ? 0 : -1;
+        ret = success ? 0 : -EINVAL;

    } else if (cmd == CMD_XPERM) {
        char src_buf[MAX_SEPOL_LEN];
@@ -330,24 +272,24 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char perm_set[MAX_SEPOL_LEN];

        char *s, *t, *c;
-		if (get_object(src_buf, sepol1, sizeof(src_buf), &s) < 0) {
+        if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
            pr_err("sepol: copy src failed.\n");
            goto exit;
        }
-		if (get_object(tgt_buf, sepol2, sizeof(tgt_buf), &t) < 0) {
+        if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
            pr_err("sepol: copy tgt failed.\n");
            goto exit;
        }
-		if (get_object(cls_buf, sepol3, sizeof(cls_buf), &c) < 0) {
+        if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
            pr_err("sepol: copy cls failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(operation, sepol4,
+        if (strncpy_from_user(operation, data.sepol4,
                      sizeof(operation)) < 0) {
            pr_err("sepol: copy operation failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(perm_set, sepol5, sizeof(perm_set)) <
+        if (strncpy_from_user(perm_set, data.sepol5, sizeof(perm_set)) <
            0) {
            pr_err("sepol: copy perm_set failed.\n");
            goto exit;
@@ -363,11 +305,11 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        } else {
            pr_err("sepol: unknown subcmd: %d\n", subcmd);
        }
-		ret = success ? 0 : -1;
+        ret = success ? 0 : -EINVAL;
    } else if (cmd == CMD_TYPE_STATE) {
        char src[MAX_SEPOL_LEN];

-		if (strncpy_from_user(src, sepol1, sizeof(src)) < 0) {
+        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
            pr_err("sepol: copy src failed.\n");
            goto exit;
        }
@@ -387,11 +329,11 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char type[MAX_SEPOL_LEN];
        char attr[MAX_SEPOL_LEN];

-		if (strncpy_from_user(type, sepol1, sizeof(type)) < 0) {
+        if (strncpy_from_user(type, data.sepol1, sizeof(type)) < 0) {
            pr_err("sepol: copy type failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(attr, sepol2, sizeof(attr)) < 0) {
+        if (strncpy_from_user(attr, data.sepol2, sizeof(attr)) < 0) {
            pr_err("sepol: copy attr failed.\n");
            goto exit;
        }
@@ -411,7 +353,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
    } else if (cmd == CMD_ATTR) {
        char attr[MAX_SEPOL_LEN];

-		if (strncpy_from_user(attr, sepol1, sizeof(attr)) < 0) {
+        if (strncpy_from_user(attr, data.sepol1, sizeof(attr)) < 0) {
            pr_err("sepol: copy attr failed.\n");
            goto exit;
        }
@@ -428,28 +370,28 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char default_type[MAX_SEPOL_LEN];
        char object[MAX_SEPOL_LEN];

-		if (strncpy_from_user(src, sepol1, sizeof(src)) < 0) {
+        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
            pr_err("sepol: copy src failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(tgt, sepol2, sizeof(tgt)) < 0) {
+        if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
            pr_err("sepol: copy tgt failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(cls, sepol3, sizeof(cls)) < 0) {
+        if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
            pr_err("sepol: copy cls failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(default_type, sepol4,
+        if (strncpy_from_user(default_type, data.sepol4,
                      sizeof(default_type)) < 0) {
            pr_err("sepol: copy default_type failed.\n");
            goto exit;
        }
        char *real_object;
-		if (sepol5 == NULL) {
+        if (data.sepol5 == NULL) {
            real_object = NULL;
        } else {
-			if (strncpy_from_user(object, sepol5,
+            if (strncpy_from_user(object, data.sepol5,
                          sizeof(object)) < 0) {
                pr_err("sepol: copy object failed.\n");
                goto exit;
@@ -468,19 +410,19 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char cls[MAX_SEPOL_LEN];
        char default_type[MAX_SEPOL_LEN];

-		if (strncpy_from_user(src, sepol1, sizeof(src)) < 0) {
+        if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
            pr_err("sepol: copy src failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(tgt, sepol2, sizeof(tgt)) < 0) {
+        if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
            pr_err("sepol: copy tgt failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(cls, sepol3, sizeof(cls)) < 0) {
+        if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
            pr_err("sepol: copy cls failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(default_type, sepol4,
+        if (strncpy_from_user(default_type, data.sepol4,
                      sizeof(default_type)) < 0) {
            pr_err("sepol: copy default_type failed.\n");
            goto exit;
@@ -501,15 +443,15 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
        char name[MAX_SEPOL_LEN];
        char path[MAX_SEPOL_LEN];
        char context[MAX_SEPOL_LEN];
-		if (strncpy_from_user(name, sepol1, sizeof(name)) < 0) {
+        if (strncpy_from_user(name, data.sepol1, sizeof(name)) < 0) {
            pr_err("sepol: copy name failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(path, sepol2, sizeof(path)) < 0) {
+        if (strncpy_from_user(path, data.sepol2, sizeof(path)) < 0) {
            pr_err("sepol: copy path failed.\n");
            goto exit;
        }
-		if (strncpy_from_user(context, sepol3, sizeof(context)) <
+        if (strncpy_from_user(context, data.sepol3, sizeof(context)) <
            0) {
            pr_err("sepol: copy context failed.\n");
            goto exit;
@@ -525,7 +467,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
    }

 exit:
-	rcu_read_unlock();
+    mutex_unlock(&ksu_rules);

    // only allow and xallow needs to reset avc cache, but we cannot do that because
    // we are in atomic context. so we just reset it every time.
--- a/kernel/selinux/selinux.c
+++ b/kernel/selinux/selinux.c
@@ -1,4 +1,6 @@
 #include "selinux.h"
+#include "linux/cred.h"
+#include "linux/sched.h"
 #include "objsec.h"
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
@@ -40,13 +42,6 @@ void setup_selinux(const char *domain)
        pr_err("transive domain failed.\n");
        return;
    }
-
-	/* we didn't need this now, we have change selinux rules when boot!
-if (!is_domain_permissive) {
-  if (set_domain_permissive() == 0) {
-      is_domain_permissive = true;
-  }
-}*/
 }

 void setenforce(bool enforce)
@@ -71,60 +66,89 @@ bool getenforce()
 #endif
 }

-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
-	!defined(KSU_COMPAT_HAS_CURRENT_SID)
-/*
- * get the subjective security ID of the current task
- */
-static inline u32 current_sid(void)
-{
-	const struct task_security_struct *tsec = current_security();
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 14, 0)
+struct lsm_context {
+    char *context;
+    u32 len;
+};

-	return tsec->sid;
+static int __security_secid_to_secctx(u32 secid, struct lsm_context *cp)
+{
+    return security_secid_to_secctx(secid, &cp->context, &cp->len);
 }
+static void __security_release_secctx(struct lsm_context *cp)
+{
+    return security_release_secctx(cp->context, cp->len);
+}
+#else
+#define __security_secid_to_secctx security_secid_to_secctx
+#define __security_release_secctx security_release_secctx
 #endif

-bool is_ksu_domain()
+bool is_task_ksu_domain(const struct cred* cred)
 {
-	char *domain;
-	u32 seclen;
+    struct lsm_context ctx;
    bool result;
-	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
-	if (err) {
+    if (!cred) {
        return false;
    }
-	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
-	return result;
-}
-
-bool is_zygote(void *sec)
-{
-	struct task_security_struct *tsec = (struct task_security_struct *)sec;
+    const struct task_security_struct *tsec = selinux_cred(cred);
    if (!tsec) {
        return false;
    }
-	char *domain;
-	u32 seclen;
-	bool result;
-	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
    if (err) {
        return false;
    }
-	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
-	security_release_secctx(domain, seclen);
+    result = strncmp(KERNEL_SU_DOMAIN, ctx.context, ctx.len) == 0;
+    __security_release_secctx(&ctx);
    return result;
 }

-#define DEVPTS_DOMAIN "u:object_r:ksu_file:s0"
-
-u32 ksu_get_devpts_sid()
+bool is_ksu_domain()
 {
-	u32 devpts_sid = 0;
-	int err = security_secctx_to_secid(DEVPTS_DOMAIN, strlen(DEVPTS_DOMAIN),
-					   &devpts_sid);
-	if (err) {
-		pr_info("get devpts sid err %d\n", err);
-	}
-	return devpts_sid;
+    current_sid();
+    return is_task_ksu_domain(current_cred());
+}
+
+bool is_context(const struct cred* cred, const char* context)
+{
+    if (!cred) {
+        return false;
+    }
+    const struct task_security_struct * tsec = selinux_cred(cred);
+    if (!tsec) {
+        return false;
+    }
+    struct lsm_context ctx;
+    bool result;
+    int err = __security_secid_to_secctx(tsec->sid, &ctx);
+    if (err) {
+        return false;
+    }
+    result = strncmp(context, ctx.context, ctx.len) == 0;
+    __security_release_secctx(&ctx);
+    return result;
+}
+
+bool is_zygote(const struct cred* cred)
+{
+    return is_context(cred, "u:r:zygote:s0");
+}
+
+bool is_init(const struct cred* cred) {
+    return is_context(cred, "u:r:init:s0");
+}
+
+#define KSU_FILE_DOMAIN "u:object_r:ksu_file:s0"
+
+u32 ksu_get_ksu_file_sid()
+{
+    u32 ksu_file_sid = 0;
+    int err = security_secctx_to_secid(KSU_FILE_DOMAIN, strlen(KSU_FILE_DOMAIN),
+                       &ksu_file_sid);
+    if (err) {
+        pr_info("get ksufile sid err %d\n", err);
+    }
+    return ksu_file_sid;
 }
--- a/kernel/selinux/selinux.h
+++ b/kernel/selinux/selinux.h
@@ -3,6 +3,7 @@

 #include "linux/types.h"
 #include "linux/version.h"
+#include "linux/cred.h"

 void setup_selinux(const char *);

@@ -10,12 +11,18 @@ void setenforce(bool);

 bool getenforce();

+bool is_task_ksu_domain(const struct cred* cred);
+
 bool is_ksu_domain();

-bool is_zygote(void *cred);
+bool is_zygote(const struct cred* cred);
+
+bool is_init(const struct cred* cred);

 void apply_kernelsu_rules();

-u32 ksu_get_devpts_sid();
+u32 ksu_get_ksu_file_sid();
+
+int handle_sepolicy(unsigned long arg3, void __user *arg4);

 #endif
--- a/kernel/selinux/sepolicy.c
+++ b/kernel/selinux/sepolicy.c
@@ -6,7 +6,6 @@
 #include "sepolicy.h"
 #include "../klog.h" // IWYU pragma: keep
 #include "ss/symtab.h"
-#include "../kernel_compat.h" // Add check Huawei Device

 #define KSU_SUPPORT_ADD_TYPE

@@ -355,7 +354,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,

        if (datum->u.xperms == NULL) {
            datum->u.xperms =
-				(struct avtab_extended_perms *)(kmalloc(
+                (struct avtab_extended_perms *)(kzalloc(
                    sizeof(xperms), GFP_KERNEL));
            if (!datum->u.xperms) {
                pr_err("alloc xperms failed\n");
@@ -546,10 +545,10 @@ static bool add_filename_trans(struct policydb *db, const char *s,
    }

    if (trans == NULL) {
-		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
-							       1, GFP_ATOMIC);
+        trans = (struct filename_trans_datum *)kcalloc(1 ,sizeof(*trans),
+                                   GFP_ATOMIC);
        struct filename_trans_key *new_key =
-			(struct filename_trans_key *)kmalloc(sizeof(*new_key),
+            (struct filename_trans_key *)kzalloc(sizeof(*new_key),
                                 GFP_ATOMIC);
        *new_key = key;
        new_key->name = kstrdup(key.name, GFP_ATOMIC);
--- a/kernel/setuid_hook.c
+++ b/kernel/setuid_hook.c
@@ -0,0 +1,171 @@
+#include <linux/compiler.h>
+#include <linux/sched/signal.h>
+#include <linux/slab.h>
+#include <linux/task_work.h>
+#include <linux/thread_info.h>
+#include <linux/seccomp.h>
+#include <linux/bpf.h>
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/dcache.h>
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/init.h>
+#include <linux/init_task.h>
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/mm.h>
+#include <linux/mount.h>
+#include <linux/namei.h>
+#include <linux/nsproxy.h>
+#include <linux/path.h>
+#include <linux/printk.h>
+#include <linux/sched.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/uidgid.h>
+#include <linux/version.h>
+#include <linux/binfmts.h>
+#include <linux/tty.h>
+
+#include "allowlist.h"
+#include "setuid_hook.h"
+#include "feature.h"
+#include "klog.h" // IWYU pragma: keep
+#include "manager.h"
+#include "selinux/selinux.h"
+#include "seccomp_cache.h"
+#include "supercalls.h"
+#include "syscall_hook_manager.h"
+#include "kernel_umount.h"
+#include "app_profile.h"
+
+static bool ksu_enhanced_security_enabled = false;
+
+static int enhanced_security_feature_get(u64 *value)
+{
+    *value = ksu_enhanced_security_enabled ? 1 : 0;
+    return 0;
+}
+
+static int enhanced_security_feature_set(u64 value)
+{
+    bool enable = value != 0;
+    ksu_enhanced_security_enabled = enable;
+    pr_info("enhanced_security: set to %d\n", enable);
+    return 0;
+}
+
+static const struct ksu_feature_handler enhanced_security_handler = {
+    .feature_id = KSU_FEATURE_ENHANCED_SECURITY,
+    .name = "enhanced_security",
+    .get_handler = enhanced_security_feature_get,
+    .set_handler = enhanced_security_feature_set,
+};
+
+static inline bool is_allow_su()
+{
+    if (is_manager()) {
+        // we are manager, allow!
+        return true;
+    }
+    return ksu_is_allow_uid_for_current(current_uid().val);
+}
+
+int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
+{
+    uid_t new_uid = ruid;
+	uid_t old_uid = current_uid().val;
+    
+    pr_info("handle_setresuid from %d to %d\n", old_uid, new_uid);
+
+    // if old process is root, ignore it.
+    if (old_uid != 0 && ksu_enhanced_security_enabled) {
+        // disallow any non-ksu domain escalation from non-root to root!
+        // euid is what we care about here as it controls permission
+        if (unlikely(euid == 0)) {
+            if (!is_ksu_domain()) {
+                pr_warn("find suspicious EoP: %d %s, from %d to %d\n", 
+                    current->pid, current->comm, old_uid, new_uid);
+                force_sig(SIGKILL);
+                return 0;
+            }
+        }
+        // disallow appuid decrease to any other uid if it is not allowed to su
+        if (is_appuid(old_uid)) {
+            if (euid < current_euid().val && !ksu_is_allow_uid_for_current(old_uid)) {
+                pr_warn("find suspicious EoP: %d %s, from %d to %d\n", 
+                    current->pid, current->comm, old_uid, new_uid);
+                force_sig(SIGKILL);
+                return 0;
+            }
+        }
+        return 0;
+    }
+
+    // if on private space, see if its possibly the manager
+    if (new_uid > PER_USER_RANGE && new_uid % PER_USER_RANGE == ksu_get_manager_uid()) {
+         ksu_set_manager_uid(new_uid);
+    }
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
+    if (ksu_get_manager_uid() == new_uid) {
+        pr_info("install fd for manager: %d\n", new_uid);
+        ksu_install_fd();
+        spin_lock_irq(&current->sighand->siglock);
+        ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+        ksu_set_task_tracepoint_flag(current);
+        spin_unlock_irq(&current->sighand->siglock);
+        return 0;
+    }
+
+    if (ksu_is_allow_uid_for_current(new_uid)) {
+        if (current->seccomp.mode == SECCOMP_MODE_FILTER &&
+            current->seccomp.filter) {
+            spin_lock_irq(&current->sighand->siglock);
+            ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot);
+            spin_unlock_irq(&current->sighand->siglock);
+        }
+        ksu_set_task_tracepoint_flag(current);
+    } else {
+        ksu_clear_task_tracepoint_flag_if_needed(current);
+    }
+#else
+    if (ksu_is_allow_uid_for_current(new_uid)) {
+		spin_lock_irq(&current->sighand->siglock);
+		disable_seccomp();
+		spin_unlock_irq(&current->sighand->siglock);
+
+		if (ksu_get_manager_uid() == new_uid) {
+			pr_info("install fd for ksu manager(uid=%d)\n",
+				new_uid);
+			ksu_install_fd();
+		}
+
+		return 0;
+	}
+#endif
+
+    // Handle kernel umount
+    ksu_handle_umount(old_uid, new_uid);
+
+    return 0;
+}
+
+void ksu_setuid_hook_init(void)
+{
+    ksu_kernel_umount_init();
+    if (ksu_register_feature_handler(&enhanced_security_handler)) {
+        pr_err("Failed to register enhanced security feature handler\n");
+    }
+}
+
+void ksu_setuid_hook_exit(void)
+{
+    pr_info("ksu_core_exit\n");
+    ksu_kernel_umount_exit();
+    ksu_unregister_feature_handler(KSU_FEATURE_ENHANCED_SECURITY);
+}
--- a/kernel/setuid_hook.h
+++ b/kernel/setuid_hook.h
@@ -0,0 +1,14 @@
+#ifndef __KSU_H_KSU_CORE
+#define __KSU_H_KSU_CORE
+
+#include <linux/init.h>
+#include <linux/types.h>
+#include "apk_sign.h"
+#include <linux/thread_info.h>
+
+void ksu_setuid_hook_init(void);
+void ksu_setuid_hook_exit(void);
+
+int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid);
+
+#endif
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -1,35 +1,54 @@
-#include <linux/dcache.h>
-#include <linux/security.h>
+#include "linux/compiler.h"
+#include "linux/printk.h"
 #include <asm/current.h>
 #include <linux/cred.h>
-#include <linux/err.h>
 #include <linux/fs.h>
-#include <linux/kprobes.h>
 #include <linux/types.h>
 #include <linux/uaccess.h>
 #include <linux/version.h>
 #include <linux/sched/task_stack.h>
+#include <linux/ptrace.h>

-#include "objsec.h"
 #include "allowlist.h"
-#include "arch.h"
+#include "feature.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
-#include "kernel_compat.h"
+#include "sucompat.h"
+#include "app_profile.h"
+#include "syscall_hook_manager.h"
+
+#include "sulog.h"

 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"

-extern void escape_to_root();
+bool ksu_su_compat_enabled __read_mostly = true;

-#ifndef CONFIG_KPROBES
-static bool ksu_sucompat_non_kp __read_mostly = true;
-#endif
+static int su_compat_feature_get(u64 *value)
+{
+    *value = ksu_su_compat_enabled ? 1 : 0;
+    return 0;
+}
+
+static int su_compat_feature_set(u64 value)
+{
+    bool enable = value != 0;
+    ksu_su_compat_enabled = enable;
+    pr_info("su_compat: set to %d\n", enable);
+    return 0;
+}
+
+static const struct ksu_feature_handler su_compat_handler = {
+    .feature_id = KSU_FEATURE_SU_COMPAT,
+    .name = "su_compat",
+    .get_handler = su_compat_feature_get,
+    .set_handler = su_compat_feature_set,
+};

 static void __user *userspace_stack_buffer(const void *d, size_t len)
 {
-	/* To avoid having to mmap a page in userspace, just write below the stack
-   * pointer. */
+    // To avoid having to mmap a page in userspace, just write below the stack
+    // pointer.
    char __user *p = (void __user *)current_user_stack_pointer() - len;

    return copy_to_user(p, d, len) ? NULL : p;
@@ -54,21 +73,18 @@ int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
 {
    const char su[] = SU_PATH;

-#ifndef CONFIG_KPROBES
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
-#endif
-
-	if (!ksu_is_allow_uid(current_uid().val)) {
+    if (!ksu_is_allow_uid_for_current(current_uid().val)) {
        return 0;
    }

    char path[sizeof(su) + 1];
    memset(path, 0, sizeof(path));
-	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+    strncpy_from_user_nofault(path, *filename_user, sizeof(path));

    if (unlikely(!memcmp(path, su, sizeof(su)))) {
+#if __SULOG_GATE
+        ksu_sulog_report_syscall(current_uid().val, NULL, "faccessat", path);
+#endif
        pr_info("faccessat su->sh!\n");
        *filename_user = sh_user_path();
    }
@@ -81,12 +97,7 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
    // const char sh[] = SH_PATH;
    const char su[] = SU_PATH;

-#ifndef CONFIG_KPROBES
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
-#endif
-	if (!ksu_is_allow_uid(current_uid().val)) {
+    if (!ksu_is_allow_uid_for_current(current_uid().val)) {
        return 0;
    }

@@ -96,186 +107,66 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)

    char path[sizeof(su) + 1];
    memset(path, 0, sizeof(path));
-// Remove this later!! we use syscall hook, so this will never happen!!!!!
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && 0
-	// it becomes a `struct filename *` after 5.18
-	// https://elixir.bootlin.com/linux/v5.18/source/fs/stat.c#L216
-	const char sh[] = SH_PATH;
-	struct filename *filename = *((struct filename **)filename_user);
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (likely(memcmp(filename->name, su, sizeof(su))))
-		return 0;
-	pr_info("vfs_statx su->sh!\n");
-	memcpy((void *)filename->name, sh, sizeof(sh));
-#else
-	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+    strncpy_from_user_nofault(path, *filename_user, sizeof(path));

    if (unlikely(!memcmp(path, su, sizeof(su)))) {
+#if __SULOG_GATE
+        ksu_sulog_report_syscall(current_uid().val, NULL, "newfstatat", path);
+#endif
        pr_info("newfstatat su->sh!\n");
        *filename_user = sh_user_path();
    }
-#endif

    return 0;
 }

-// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
-int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-				 void *__never_use_argv, void *__never_use_envp,
-				 int *__never_use_flags)
-{
-	struct filename *filename;
-	const char sh[] = KSUD_PATH;
-	const char su[] = SU_PATH;
-
-#ifndef CONFIG_KPROBES
-	if (!ksu_sucompat_non_kp) {
- 		return 0;
- 	}
-#endif
-	if (unlikely(!filename_ptr))
-		return 0;
-
-	filename = *filename_ptr;
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-
-	if (likely(memcmp(filename->name, su, sizeof(su))))
-		return 0;
-
-	if (!ksu_is_allow_uid(current_uid().val))
-		return 0;
-
-	pr_info("do_execveat_common su found\n");
-	memcpy((void *)filename->name, sh, sizeof(sh));
-
-	escape_to_root();
-
-	return 0;
-}
-
-int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
+int ksu_handle_execve_sucompat(const char __user **filename_user,
                   void *__never_use_argv, void *__never_use_envp,
                   int *__never_use_flags)
 {
    const char su[] = SU_PATH;
    char path[sizeof(su) + 1];

-#ifndef CONFIG_KPROBES
-	if (!ksu_sucompat_non_kp){
- 		return 0;
- 	}
-#endif
    if (unlikely(!filename_user))
        return 0;

    memset(path, 0, sizeof(path));
-	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+    strncpy_from_user_nofault(path, *filename_user, sizeof(path));

    if (likely(memcmp(path, su, sizeof(su))))
        return 0;

-	if (!ksu_is_allow_uid(current_uid().val))
+#if __SULOG_GATE
+    bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val);
+    ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path);
+    
+    if (!is_allowed)
        return 0;

+    ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed);
+#else
+    if (!ksu_is_allow_uid_for_current(current_uid().val)) {
+        return 0;
+    }
+#endif
+
    pr_info("sys_execve su found\n");
    *filename_user = ksud_user_path();

-	escape_to_root();
+    escape_with_root_profile();

    return 0;
 }

-#ifdef CONFIG_KPROBES
-static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-	struct pt_regs *real_regs = PT_REAL_REGS(regs);
-	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
-	const char __user **filename_user =
-		(const char **)&PT_REGS_PARM2(real_regs);
-	int *mode = (int *)&PT_REGS_PARM3(real_regs);
-
-	return ksu_handle_faccessat(dfd, filename_user, mode, NULL);
-}
-
-static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-	struct pt_regs *real_regs = PT_REAL_REGS(regs);
-	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
-	const char __user **filename_user =
-		(const char **)&PT_REGS_PARM2(real_regs);
-	int *flags = (int *)&PT_REGS_SYSCALL_PARM4(real_regs);
-
-	return ksu_handle_stat(dfd, filename_user, flags);
-}
-
-static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-	struct pt_regs *real_regs = PT_REAL_REGS(regs);
-	const char __user **filename_user =
-		(const char **)&PT_REGS_PARM1(real_regs);
-
-	return ksu_handle_execve_sucompat(AT_FDCWD, filename_user, NULL, NULL,
-					  NULL);
-}
-
-static struct kprobe *init_kprobe(const char *name,
-				  kprobe_pre_handler_t handler)
-{
-	struct kprobe *kp = kzalloc(sizeof(struct kprobe), GFP_KERNEL);
-	if (!kp)
-		return NULL;
-	kp->symbol_name = name;
-	kp->pre_handler = handler;
-
-	int ret = register_kprobe(kp);
-	pr_info("sucompat: register_%s kprobe: %d\n", name, ret);
-	if (ret) {
-		kfree(kp);
-		return NULL;
-	}
-
-	return kp;
-}
-
-static void destroy_kprobe(struct kprobe **kp_ptr)
-{
-	struct kprobe *kp = *kp_ptr;
-	if (!kp)
-		return;
-	unregister_kprobe(kp);
-	synchronize_rcu();
-	kfree(kp);
-	*kp_ptr = NULL;
-}
-
-static struct kprobe *su_kps[3];
-#endif
-
-// sucompat: permited process can execute 'su' to gain root access.
+// sucompat: permitted process can execute 'su' to gain root access.
 void ksu_sucompat_init()
 {
-#ifdef CONFIG_KPROBES
-	su_kps[0] = init_kprobe(SYS_EXECVE_SYMBOL, execve_handler_pre);
-	su_kps[1] = init_kprobe(SYS_FACCESSAT_SYMBOL, faccessat_handler_pre);
-	su_kps[2] = init_kprobe(SYS_NEWFSTATAT_SYMBOL, newfstatat_handler_pre);
-#else
-	ksu_sucompat_non_kp = true;
- 	pr_info("ksu_sucompat_init: hooks enabled: execve/execveat_su, faccessat, stat\n");
-#endif
+    if (ksu_register_feature_handler(&su_compat_handler)) {
+        pr_err("Failed to register su_compat feature handler\n");
+    }
 }

 void ksu_sucompat_exit()
 {
-#ifdef CONFIG_KPROBES
-	for (int i = 0; i < ARRAY_SIZE(su_kps); i++) {
-		destroy_kprobe(&su_kps[i]);
-	}
-#else
-	ksu_sucompat_non_kp = false;
- 	pr_info("ksu_sucompat_exit: hooks disabled: execve/execveat_su, faccessat, stat\n");
-#endif
+    ksu_unregister_feature_handler(KSU_FEATURE_SU_COMPAT);
 }
--- a/kernel/sucompat.h
+++ b/kernel/sucompat.h
@@ -0,0 +1,18 @@
+#ifndef __KSU_H_SUCOMPAT
+#define __KSU_H_SUCOMPAT
+#include <linux/types.h>
+
+extern bool ksu_su_compat_enabled;
+
+void ksu_sucompat_init(void);
+void ksu_sucompat_exit(void);
+
+// Handler functions exported for hook_manager
+int ksu_handle_faccessat(int *dfd, const char __user **filename_user,
+			 int *mode, int *__unused_flags);
+int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags);
+int ksu_handle_execve_sucompat(const char __user **filename_user,
+			       void *__never_use_argv, void *__never_use_envp,
+			       int *__never_use_flags);
+
+#endif
--- a/kernel/sulog.c
+++ b/kernel/sulog.c
@@ -0,0 +1,369 @@
+#include <linux/fs.h>
+#include <linux/kernel.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/time.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/workqueue.h>
+#include <linux/cred.h>
+#include <linux/sched.h>
+#include <linux/mm.h>
+#include <linux/mutex.h>
+#include <linux/spinlock.h>
+
+#include "klog.h"
+
+#include "sulog.h"
+#include "ksu.h"
+#include "feature.h"
+
+#if __SULOG_GATE
+
+struct dedup_entry dedup_tbl[SULOG_COMM_LEN];
+static DEFINE_SPINLOCK(dedup_lock);
+static LIST_HEAD(sulog_queue);
+static struct workqueue_struct *sulog_workqueue;
+static struct work_struct sulog_work;
+static bool sulog_enabled __read_mostly = true;
+
+static int sulog_feature_get(u64 *value)
+{
+    *value = sulog_enabled ? 1 : 0;
+    return 0;
+}
+
+static int sulog_feature_set(u64 value)
+{
+    bool enable = value != 0;
+    sulog_enabled = enable;
+    pr_info("sulog: set to %d\n", enable);
+    return 0;
+}
+
+static const struct ksu_feature_handler sulog_handler = {
+    .feature_id = KSU_FEATURE_SULOG,
+    .name = "sulog",
+    .get_handler = sulog_feature_get,
+    .set_handler = sulog_feature_set,
+};
+
+static void get_timestamp(char *buf, size_t len)
+{
+    struct timespec64 ts;
+    struct tm tm;
+
+    ktime_get_real_ts64(&ts);
+    time64_to_tm(ts.tv_sec - sys_tz.tz_minuteswest * 60, 0, &tm);
+
+    snprintf(buf, len, "%04ld-%02d-%02d %02d:%02d:%02d",
+        tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
+        tm.tm_hour, tm.tm_min, tm.tm_sec);
+}
+
+static void ksu_get_cmdline(char *full_comm, const char *comm, size_t buf_len)
+{
+    if (!full_comm || buf_len <= 0)
+        return;
+
+    if (comm && strlen(comm) > 0) {
+        KSU_STRSCPY(full_comm, comm, buf_len);
+        return;
+    }
+
+    if (in_atomic() || in_interrupt() || irqs_disabled()) {
+        KSU_STRSCPY(full_comm, current->comm, buf_len);
+        return;
+    }
+
+    if (!current->mm) {
+        KSU_STRSCPY(full_comm, current->comm, buf_len);
+        return;
+    }
+
+    int n = get_cmdline(current, full_comm, buf_len);
+    if (n <= 0) {
+        KSU_STRSCPY(full_comm, current->comm, buf_len);
+        return;
+    }
+
+    for (int i = 0; i < n && i < buf_len - 1; i++) {
+        if (full_comm[i] == '\0')
+            full_comm[i] = ' ';
+    }
+    full_comm[n < buf_len ? n : buf_len - 1] = '\0';
+}
+
+static void sanitize_string(char *str, size_t len)
+{
+    if (!str || len == 0)
+        return;
+    
+    size_t read_pos = 0, write_pos = 0;
+    
+    while (read_pos < len && str[read_pos] != '\0') {
+        char c = str[read_pos];
+        
+        if (c == '\n' || c == '\r') {
+            read_pos++;
+            continue;
+        }
+        
+        if (c == ' ' && write_pos > 0 && str[write_pos - 1] == ' ') {
+            read_pos++;
+            continue;
+        }
+        
+        str[write_pos++] = c;
+        read_pos++;
+    }
+    
+    str[write_pos] = '\0';
+}
+
+static bool dedup_should_print(uid_t uid, u8 type, const char *content, size_t len)
+{
+    struct dedup_key key = {
+        .crc = dedup_calc_hash(content, len),
+        .uid = uid,
+        .type = type,
+    };
+    u64 now = ktime_get_ns();
+    u64 delta_ns = DEDUP_SECS * NSEC_PER_SEC;
+
+    u32 idx = key.crc & (SULOG_COMM_LEN - 1);
+    spin_lock(&dedup_lock);
+
+    struct dedup_entry *e = &dedup_tbl[idx];
+    if (e->key.crc == key.crc &&
+        e->key.uid == key.uid &&
+        e->key.type == key.type &&
+        (now - e->ts_ns) < delta_ns) {
+        spin_unlock(&dedup_lock);
+        return false;
+    }
+
+    e->key = key;
+    e->ts_ns = now;
+    spin_unlock(&dedup_lock);
+    return true;
+}
+
+static void sulog_work_handler(struct work_struct *work)
+{
+    struct file *fp;
+    struct sulog_entry *entry, *tmp;
+    LIST_HEAD(local_queue);
+    loff_t pos = 0;
+    unsigned long flags;
+
+    spin_lock_irqsave(&dedup_lock, flags);
+    list_splice_init(&sulog_queue, &local_queue);
+    spin_unlock_irqrestore(&dedup_lock, flags);
+
+    if (list_empty(&local_queue))
+        return;
+
+    fp = filp_open(SULOG_PATH, O_WRONLY | O_CREAT | O_APPEND, 0640);
+    if (IS_ERR(fp)) {
+        pr_err("sulog: failed to open log file: %ld\n", PTR_ERR(fp));
+        goto cleanup;
+    }
+
+    if (fp->f_inode->i_size > SULOG_MAX_SIZE) {
+        if (vfs_truncate(&fp->f_path, 0))
+            pr_err("sulog: failed to truncate log file\n");
+        pos = 0;
+    } else {
+        pos = fp->f_inode->i_size;
+    }
+
+    list_for_each_entry(entry, &local_queue, list)
+        kernel_write(fp, entry->content, strlen(entry->content), &pos);
+
+    vfs_fsync(fp, 0);
+    filp_close(fp, 0);
+
+cleanup:
+    list_for_each_entry_safe(entry, tmp, &local_queue, list) {
+        list_del(&entry->list);
+        kfree(entry);
+    }
+}
+
+static void sulog_add_entry(char *log_buf, size_t len, uid_t uid, u8 dedup_type)
+{
+    struct sulog_entry *entry;
+    unsigned long flags;
+
+    if (!sulog_enabled || !log_buf || len == 0)
+        return;
+
+    if (!dedup_should_print(uid, dedup_type, log_buf, len))
+        return;
+
+    entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+    if (!entry)
+        return;
+
+    KSU_STRSCPY(entry->content, log_buf, SULOG_ENTRY_MAX_LEN);
+
+    spin_lock_irqsave(&dedup_lock, flags);
+    list_add_tail(&entry->list, &sulog_queue);
+    spin_unlock_irqrestore(&dedup_lock, flags);
+
+    if (sulog_workqueue)
+        queue_work(sulog_workqueue, &sulog_work);
+}
+
+void ksu_sulog_report_su_grant(uid_t uid, const char *comm, const char *method)
+{
+    char log_buf[SULOG_ENTRY_MAX_LEN];
+    char timestamp[32];
+    char full_comm[SULOG_COMM_LEN];
+
+    if (!sulog_enabled)
+        return;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    ksu_get_cmdline(full_comm, comm, sizeof(full_comm));
+    
+    sanitize_string(full_comm, sizeof(full_comm));
+
+    snprintf(log_buf, sizeof(log_buf),
+        "[%s] SU_GRANT: UID=%d COMM=%s METHOD=%s PID=%d\n",
+        timestamp, uid, full_comm, method ? method : "unknown", current->pid);
+
+    sulog_add_entry(log_buf, strlen(log_buf), uid, DEDUP_SU_GRANT);
+}
+
+void ksu_sulog_report_su_attempt(uid_t uid, const char *comm, const char *target_path, bool success)
+{
+    char log_buf[SULOG_ENTRY_MAX_LEN];
+    char timestamp[32];
+    char full_comm[SULOG_COMM_LEN];
+
+    if (!sulog_enabled)
+        return;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    ksu_get_cmdline(full_comm, comm, sizeof(full_comm));
+    
+    sanitize_string(full_comm, sizeof(full_comm));
+
+    snprintf(log_buf, sizeof(log_buf),
+        "[%s] SU_EXEC: UID=%d COMM=%s TARGET=%s RESULT=%s PID=%d\n",
+        timestamp, uid, full_comm, target_path ? target_path : "unknown",
+        success ? "SUCCESS" : "DENIED", current->pid);
+
+    sulog_add_entry(log_buf, strlen(log_buf), uid, DEDUP_SU_ATTEMPT);
+}
+
+void ksu_sulog_report_permission_check(uid_t uid, const char *comm, bool allowed)
+{
+    char log_buf[SULOG_ENTRY_MAX_LEN];
+    char timestamp[32];
+    char full_comm[SULOG_COMM_LEN];
+
+    if (!sulog_enabled)
+        return;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    ksu_get_cmdline(full_comm, comm, sizeof(full_comm));
+    
+    sanitize_string(full_comm, sizeof(full_comm));
+
+    snprintf(log_buf, sizeof(log_buf),
+        "[%s] PERM_CHECK: UID=%d COMM=%s RESULT=%s PID=%d\n",
+        timestamp, uid, full_comm, allowed ? "ALLOWED" : "DENIED", current->pid);
+
+    sulog_add_entry(log_buf, strlen(log_buf), uid, DEDUP_PERM_CHECK);
+}
+
+void ksu_sulog_report_manager_operation(const char *operation, uid_t manager_uid, uid_t target_uid)
+{
+    char log_buf[SULOG_ENTRY_MAX_LEN];
+    char timestamp[32];
+    char full_comm[SULOG_COMM_LEN];
+
+    if (!sulog_enabled)
+        return;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    ksu_get_cmdline(full_comm, NULL, sizeof(full_comm));
+    
+    sanitize_string(full_comm, sizeof(full_comm));
+
+    snprintf(log_buf, sizeof(log_buf),
+        "[%s] MANAGER_OP: OP=%s MANAGER_UID=%d TARGET_UID=%d COMM=%s PID=%d\n",
+        timestamp, operation ? operation : "unknown", manager_uid, target_uid, full_comm, current->pid);
+
+    sulog_add_entry(log_buf, strlen(log_buf), manager_uid, DEDUP_MANAGER_OP);
+}
+
+void ksu_sulog_report_syscall(uid_t uid, const char *comm, const char *syscall, const char *args)
+{
+    char log_buf[SULOG_ENTRY_MAX_LEN];
+    char timestamp[32];
+    char full_comm[SULOG_COMM_LEN];
+
+    if (!sulog_enabled)
+        return;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    ksu_get_cmdline(full_comm, comm, sizeof(full_comm));
+    
+    sanitize_string(full_comm, sizeof(full_comm));
+
+    snprintf(log_buf, sizeof(log_buf),
+        "[%s] SYSCALL: UID=%d COMM=%s SYSCALL=%s ARGS=%s PID=%d\n",
+        timestamp, uid, full_comm, syscall ? syscall : "unknown",
+        args ? args : "none", current->pid);
+
+    sulog_add_entry(log_buf, strlen(log_buf), uid, DEDUP_SYSCALL);
+}
+
+int ksu_sulog_init(void)
+{
+    if (ksu_register_feature_handler(&sulog_handler)) {
+        pr_err("Failed to register sulog feature handler\n");
+    }
+
+    sulog_workqueue = alloc_workqueue("ksu_sulog", WQ_UNBOUND | WQ_HIGHPRI, 1);
+    if (!sulog_workqueue) {
+        pr_err("sulog: failed to create workqueue\n");
+        return -ENOMEM;
+    }
+
+    INIT_WORK(&sulog_work, sulog_work_handler);
+    pr_info("sulog: initialized successfully\n");
+    return 0;
+}
+
+void ksu_sulog_exit(void)
+{
+    struct sulog_entry *entry, *tmp;
+    unsigned long flags;
+
+    ksu_unregister_feature_handler(KSU_FEATURE_SULOG);
+
+    sulog_enabled = false;
+
+    if (sulog_workqueue) {
+        flush_workqueue(sulog_workqueue);
+        destroy_workqueue(sulog_workqueue);
+        sulog_workqueue = NULL;
+    }
+
+    spin_lock_irqsave(&dedup_lock, flags);
+    list_for_each_entry_safe(entry, tmp, &sulog_queue, list) {
+        list_del(&entry->list);
+        kfree(entry);
+    }
+    spin_unlock_irqrestore(&dedup_lock, flags);
+
+    pr_info("sulog: cleaned up successfully\n");
+}
+
+#endif // __SULOG_GATE
--- a/kernel/sulog.h
+++ b/kernel/sulog.h
@@ -0,0 +1,93 @@
+#ifndef __KSU_SULOG_H
+#define __KSU_SULOG_H
+
+#include <linux/types.h>
+#include <linux/version.h>
+#include <linux/crc32.h> // needed for function dedup_calc_hash
+
+#define __SULOG_GATE 1
+
+#if __SULOG_GATE
+
+extern struct timezone sys_tz;
+
+#define SULOG_PATH "/data/adb/ksu/log/sulog.log"
+#define SULOG_MAX_SIZE (32 * 1024 * 1024) // 128MB
+#define SULOG_ENTRY_MAX_LEN 512
+#define SULOG_COMM_LEN 256
+#define DEDUP_SECS 10
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 10, 0)
+static inline size_t strlcpy(char *dest, const char *src, size_t size)
+{
+    return strscpy(dest, src, size);
+}
+#endif
+
+#define KSU_STRSCPY(dst, src, size) \
+    do { \
+        if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)) { \
+            strscpy(dst, src, size); \
+        } else { \
+            strlcpy(dst, src, size); \
+        } \
+    } while (0)
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0)
+#include <linux/rtc.h>
+
+static inline void time64_to_tm(time64_t totalsecs, int offset, struct tm *result)
+{
+    struct rtc_time rtc_tm;
+    rtc_time64_to_tm(totalsecs, &rtc_tm);
+
+    result->tm_sec = rtc_tm.tm_sec;
+    result->tm_min = rtc_tm.tm_min;
+    result->tm_hour = rtc_tm.tm_hour;
+    result->tm_mday = rtc_tm.tm_mday;
+    result->tm_mon = rtc_tm.tm_mon;
+    result->tm_year = rtc_tm.tm_year;
+}
+#endif
+
+struct dedup_key {
+    u32 crc;
+    uid_t uid;
+    u8 type;
+    u8 _pad[1];
+};
+
+struct dedup_entry {
+    struct dedup_key key;
+    u64 ts_ns;
+};
+
+enum {
+    DEDUP_SU_GRANT = 0,
+    DEDUP_SU_ATTEMPT,
+    DEDUP_PERM_CHECK,
+    DEDUP_MANAGER_OP,
+    DEDUP_SYSCALL,
+};
+
+static inline u32 dedup_calc_hash(const char *content, size_t len)
+{
+    return crc32(0, content, len);
+}
+
+struct sulog_entry {
+    struct list_head list;
+    char content[SULOG_ENTRY_MAX_LEN];
+};
+
+void ksu_sulog_report_su_grant(uid_t uid, const char *comm, const char *method);
+void ksu_sulog_report_su_attempt(uid_t uid, const char *comm, const char *target_path, bool success);
+void ksu_sulog_report_permission_check(uid_t uid, const char *comm, bool allowed);
+void ksu_sulog_report_manager_operation(const char *operation, uid_t manager_uid, uid_t target_uid);
+void ksu_sulog_report_syscall(uid_t uid, const char *comm, const char *syscall, const char *args);
+
+int ksu_sulog_init(void);
+void ksu_sulog_exit(void);
+#endif // __SULOG_GATE
+
+#endif /* __KSU_SULOG_H */
--- a/kernel/supercalls.c
+++ b/kernel/supercalls.c
--- a/kernel/supercalls.h
+++ b/kernel/supercalls.h
@@ -0,0 +1,197 @@
+#ifndef __KSU_H_SUPERCALLS
+#define __KSU_H_SUPERCALLS
+
+#include <linux/types.h>
+#include <linux/ioctl.h>
+#include "ksu.h"
+#include "app_profile.h"
+
+#ifdef CONFIG_KPM
+#include "kpm/kpm.h"
+#endif
+
+// Magic numbers for reboot hook to install fd
+#define KSU_INSTALL_MAGIC1 0xDEADBEEF
+#define KSU_INSTALL_MAGIC2 0xCAFEBABE
+
+// Command structures for ioctl
+
+struct ksu_become_daemon_cmd {
+    __u8 token[65]; // Input: daemon token (null-terminated)
+};
+
+struct ksu_get_info_cmd {
+    __u32 version; // Output: KERNEL_SU_VERSION
+    __u32 flags; // Output: flags (bit 0: MODULE mode)
+    __u32 features; // Output: max feature ID supported
+};
+
+struct ksu_report_event_cmd {
+    __u32 event; // Input: EVENT_POST_FS_DATA, EVENT_BOOT_COMPLETED, etc.
+};
+
+struct ksu_set_sepolicy_cmd {
+    __u64 cmd; // Input: sepolicy command
+    __aligned_u64 arg; // Input: sepolicy argument pointer
+};
+
+struct ksu_check_safemode_cmd {
+    __u8 in_safe_mode; // Output: true if in safe mode, false otherwise
+};
+
+struct ksu_get_allow_list_cmd {
+    __u32 uids[128]; // Output: array of allowed/denied UIDs
+    __u32 count; // Output: number of UIDs in array
+    __u8 allow; // Input: true for allow list, false for deny list
+};
+
+struct ksu_uid_granted_root_cmd {
+    __u32 uid; // Input: target UID to check
+    __u8 granted; // Output: true if granted, false otherwise
+};
+
+struct ksu_uid_should_umount_cmd {
+    __u32 uid; // Input: target UID to check
+    __u8 should_umount; // Output: true if should umount, false otherwise
+};
+
+struct ksu_get_manager_uid_cmd {
+    __u32 uid; // Output: manager UID
+};
+
+struct ksu_get_app_profile_cmd {
+    struct app_profile profile; // Input/Output: app profile structure
+};
+
+struct ksu_set_app_profile_cmd {
+    struct app_profile profile; // Input: app profile structure
+};
+
+struct ksu_get_feature_cmd {
+    __u32 feature_id; // Input: feature ID (enum ksu_feature_id)
+    __u64 value; // Output: feature value/state
+    __u8 supported; // Output: true if feature is supported, false otherwise
+};
+
+struct ksu_set_feature_cmd {
+    __u32 feature_id; // Input: feature ID (enum ksu_feature_id)
+    __u64 value; // Input: feature value/state to set
+};
+
+struct ksu_get_wrapper_fd_cmd {
+    __u32 fd; // Input: userspace fd
+    __u32 flags; // Input: flags of userspace fd
+};
+
+struct ksu_manage_mark_cmd {
+    __u32 operation; // Input: KSU_MARK_*
+    __s32 pid; // Input: target pid (0 for all processes)
+    __u32 result; // Output: for get operation - mark status or reg_count
+};
+
+#define KSU_MARK_GET 1
+#define KSU_MARK_MARK 2
+#define KSU_MARK_UNMARK 3
+#define KSU_MARK_REFRESH 4
+
+struct ksu_nuke_ext4_sysfs_cmd {
+    __aligned_u64 arg; // Input: mnt pointer
+};
+
+struct ksu_add_try_umount_cmd {
+	__aligned_u64 arg; // char ptr, this is the mountpoint
+	__u32 flags; // this is the flag we use for it
+	__u8 mode; // denotes what to do with it 0:wipe_list 1:add_to_list 2:delete_entry
+};
+
+#define KSU_UMOUNT_WIPE 0  // ignore everything and wipe list
+#define KSU_UMOUNT_ADD 1   // add entry (path + flags)
+#define KSU_UMOUNT_DEL 2   // delete entry, strcmp
+
+
+// Other command structures
+struct ksu_get_full_version_cmd {
+    char version_full[KSU_FULL_VERSION_STRING]; // Output: full version string
+};
+
+struct ksu_hook_type_cmd {
+    char hook_type[32]; // Output: hook type string
+};
+
+struct ksu_enable_kpm_cmd {
+    __u8 enabled; // Output: true if KPM is enabled
+};
+
+struct ksu_dynamic_manager_cmd {
+    struct dynamic_manager_user_config config; // Input/Output: dynamic manager config
+};
+
+struct ksu_get_managers_cmd {
+    struct manager_list_info manager_info; // Output: manager list information
+};
+
+struct ksu_enable_uid_scanner_cmd {
+    __u32 operation; // Input: operation type (UID_SCANNER_OP_GET_STATUS, UID_SCANNER_OP_TOGGLE, UID_SCANNER_OP_CLEAR_ENV)
+    __u32 enabled; // Input: enable or disable (for UID_SCANNER_OP_TOGGLE)
+    void __user *status_ptr; // Input: pointer to store status (for UID_SCANNER_OP_GET_STATUS)
+};
+
+#ifdef CONFIG_KSU_MANUAL_SU
+struct ksu_manual_su_cmd {
+    __u32 option; // Input: operation type (MANUAL_SU_OP_GENERATE_TOKEN, MANUAL_SU_OP_ESCALATE, MANUAL_SU_OP_ADD_PENDING)
+    __u32 target_uid; // Input: target UID
+    __u32 target_pid; // Input: target PID
+    char token_buffer[33]; // Input/Output: token buffer
+};
+#endif
+
+// IOCTL command definitions
+#define KSU_IOCTL_GRANT_ROOT _IOC(_IOC_NONE, 'K', 1, 0)
+#define KSU_IOCTL_GET_INFO _IOC(_IOC_READ, 'K', 2, 0)
+#define KSU_IOCTL_REPORT_EVENT _IOC(_IOC_WRITE, 'K', 3, 0)
+#define KSU_IOCTL_SET_SEPOLICY _IOC(_IOC_READ|_IOC_WRITE, 'K', 4, 0)
+#define KSU_IOCTL_CHECK_SAFEMODE _IOC(_IOC_READ, 'K', 5, 0)
+#define KSU_IOCTL_GET_ALLOW_LIST _IOC(_IOC_READ|_IOC_WRITE, 'K', 6, 0)
+#define KSU_IOCTL_GET_DENY_LIST _IOC(_IOC_READ|_IOC_WRITE, 'K', 7, 0)
+#define KSU_IOCTL_UID_GRANTED_ROOT _IOC(_IOC_READ|_IOC_WRITE, 'K', 8, 0)
+#define KSU_IOCTL_UID_SHOULD_UMOUNT _IOC(_IOC_READ|_IOC_WRITE, 'K', 9, 0)
+#define KSU_IOCTL_GET_MANAGER_UID _IOC(_IOC_READ, 'K', 10, 0)
+#define KSU_IOCTL_GET_APP_PROFILE _IOC(_IOC_READ|_IOC_WRITE, 'K', 11, 0)
+#define KSU_IOCTL_SET_APP_PROFILE _IOC(_IOC_WRITE, 'K', 12, 0)
+#define KSU_IOCTL_GET_FEATURE _IOC(_IOC_READ|_IOC_WRITE, 'K', 13, 0)
+#define KSU_IOCTL_SET_FEATURE _IOC(_IOC_WRITE, 'K', 14, 0)
+#define KSU_IOCTL_GET_WRAPPER_FD _IOC(_IOC_WRITE, 'K', 15, 0)
+#define KSU_IOCTL_MANAGE_MARK _IOC(_IOC_READ|_IOC_WRITE, 'K', 16, 0)
+#define KSU_IOCTL_NUKE_EXT4_SYSFS _IOC(_IOC_WRITE, 'K', 17, 0)
+#define KSU_IOCTL_ADD_TRY_UMOUNT _IOC(_IOC_WRITE, 'K', 18, 0)
+// Other IOCTL command definitions
+#define KSU_IOCTL_GET_FULL_VERSION _IOC(_IOC_READ, 'K', 100, 0)
+#define KSU_IOCTL_HOOK_TYPE _IOC(_IOC_READ, 'K', 101, 0)
+#define KSU_IOCTL_ENABLE_KPM _IOC(_IOC_READ, 'K', 102, 0)
+#define KSU_IOCTL_DYNAMIC_MANAGER _IOC(_IOC_READ|_IOC_WRITE, 'K', 103, 0)
+#define KSU_IOCTL_GET_MANAGERS _IOC(_IOC_READ|_IOC_WRITE, 'K', 104, 0)
+#define KSU_IOCTL_ENABLE_UID_SCANNER _IOC(_IOC_READ|_IOC_WRITE, 'K', 105, 0)
+#ifdef CONFIG_KSU_MANUAL_SU
+#define KSU_IOCTL_MANUAL_SU _IOC(_IOC_READ|_IOC_WRITE, 'K', 106, 0)
+#endif
+#define KSU_IOCTL_UMOUNT_MANAGER _IOC(_IOC_READ|_IOC_WRITE, 'K', 107, 0)
+
+// IOCTL handler types
+typedef int (*ksu_ioctl_handler_t)(void __user *arg);
+typedef bool (*ksu_perm_check_t)(void);
+
+// IOCTL command mapping
+struct ksu_ioctl_cmd_map {
+    unsigned int cmd;
+    const char *name;
+    ksu_ioctl_handler_t handler;
+    ksu_perm_check_t perm_check; // Permission check function
+};
+
+// Install KSU fd to current process
+int ksu_install_fd(void);
+
+void ksu_supercalls_init(void);
+void ksu_supercalls_exit(void);
+
+#endif // __KSU_H_SUPERCALLS
--- a/kernel/syscall_hook_manager.c
+++ b/kernel/syscall_hook_manager.c
@@ -0,0 +1,374 @@
+#include "linux/compiler.h"
+#include "linux/cred.h"
+#include "linux/printk.h"
+#include "selinux/selinux.h"
+#include <linux/spinlock.h>
+#include <linux/kprobes.h>
+#include <linux/tracepoint.h>
+#include <asm/syscall.h>
+#include <linux/slab.h>
+#include <linux/ptrace.h>
+#include <trace/events/syscalls.h>
+#include <linux/namei.h>
+
+#include "allowlist.h"
+#include "arch.h"
+#include "klog.h" // IWYU pragma: keep
+#include "syscall_hook_manager.h"
+#include "sucompat.h"
+#include "setuid_hook.h"
+#include "selinux/selinux.h"
+
+// Tracepoint registration count management
+// == 1: just us
+// >  1: someone else is also using syscall tracepoint e.g. ftrace
+static int tracepoint_reg_count = 0;
+static DEFINE_SPINLOCK(tracepoint_reg_lock);
+
+void ksu_clear_task_tracepoint_flag_if_needed(struct task_struct *t)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tracepoint_reg_lock, flags);
+	if (tracepoint_reg_count <= 1) {
+		ksu_clear_task_tracepoint_flag(t);
+	}
+	spin_unlock_irqrestore(&tracepoint_reg_lock, flags);
+}
+
+// Process marking management
+static void handle_process_mark(bool mark)
+{
+	struct task_struct *p, *t;
+	read_lock(&tasklist_lock);
+	for_each_process_thread(p, t) {
+		if (mark)
+			ksu_set_task_tracepoint_flag(t);
+		else
+			ksu_clear_task_tracepoint_flag(t);
+	}
+	read_unlock(&tasklist_lock);
+}
+
+void ksu_mark_all_process(void)
+{
+	handle_process_mark(true);
+	pr_info("hook_manager: mark all user process done!\n");
+}
+
+void ksu_unmark_all_process(void)
+{
+	handle_process_mark(false);
+	pr_info("hook_manager: unmark all user process done!\n");
+}
+
+static void ksu_mark_running_process_locked()
+{
+	struct task_struct *p, *t;
+	read_lock(&tasklist_lock);
+	for_each_process_thread (p, t) {
+		if (!t->mm) { // only user processes
+			continue;
+		}
+		int uid = task_uid(t).val;
+        const struct cred *cred = get_task_cred(t);
+		bool ksu_root_process =
+			uid == 0 && is_task_ksu_domain(cred);
+        bool is_zygote_process = is_zygote(cred);
+        bool is_shell = uid == 2000;
+        // before boot completed, we shall mark init for marking zygote
+        bool is_init = t->pid == 1;
+		if (ksu_root_process || is_zygote_process  || is_shell || is_init
+            || ksu_is_allow_uid(uid)) {
+			ksu_set_task_tracepoint_flag(t);
+			pr_info("hook_manager: mark process: pid:%d, uid: %d, comm:%s\n",
+					t->pid, uid, t->comm);
+		} else {
+			ksu_clear_task_tracepoint_flag(t);
+			pr_info("hook_manager: unmark process: pid:%d, uid: %d, comm:%s\n",
+					t->pid, uid, t->comm);
+		}
+        put_cred(cred);
+	}
+	read_unlock(&tasklist_lock);
+}
+
+void ksu_mark_running_process()
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tracepoint_reg_lock, flags);
+	if (tracepoint_reg_count <= 1) {
+		ksu_mark_running_process_locked();
+	} else {
+		pr_info("hook_manager: not mark running process since syscall tracepoint is in use\n");
+	}
+	spin_unlock_irqrestore(&tracepoint_reg_lock, flags);
+}
+
+// Get task mark status
+// Returns: 1 if marked, 0 if not marked, -ESRCH if task not found
+int ksu_get_task_mark(pid_t pid)
+{
+	struct task_struct *task;
+	int marked = -ESRCH;
+
+	rcu_read_lock();
+	task = find_task_by_vpid(pid);
+	if (task) {
+		get_task_struct(task);
+		rcu_read_unlock();
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+		marked = test_task_syscall_work(task, SYSCALL_TRACEPOINT) ? 1 : 0;
+#else
+		marked = test_tsk_thread_flag(task, TIF_SYSCALL_TRACEPOINT) ? 1 : 0;
+#endif
+		put_task_struct(task);
+	} else {
+		rcu_read_unlock();
+	}
+
+	return marked;
+}
+
+// Set task mark status
+// Returns: 0 on success, -ESRCH if task not found
+int ksu_set_task_mark(pid_t pid, bool mark)
+{
+	struct task_struct *task;
+	int ret = -ESRCH;
+
+	rcu_read_lock();
+	task = find_task_by_vpid(pid);
+	if (task) {
+		get_task_struct(task);
+		rcu_read_unlock();
+		if (mark) {
+			ksu_set_task_tracepoint_flag(task);
+			pr_info("hook_manager: marked task pid=%d comm=%s\n", pid, task->comm);
+		} else {
+			ksu_clear_task_tracepoint_flag(task);
+			pr_info("hook_manager: unmarked task pid=%d comm=%s\n", pid, task->comm);
+		}
+		put_task_struct(task);
+		ret = 0;
+	} else {
+		rcu_read_unlock();
+	}
+
+	return ret;
+}
+
+#ifdef CONFIG_KRETPROBES
+
+static struct kretprobe *init_kretprobe(const char *name,
+										kretprobe_handler_t handler)
+{
+	struct kretprobe *rp = kzalloc(sizeof(struct kretprobe), GFP_KERNEL);
+	if (!rp)
+		return NULL;
+	rp->kp.symbol_name = name;
+	rp->handler = handler;
+	rp->data_size = 0;
+	rp->maxactive = 0;
+
+	int ret = register_kretprobe(rp);
+	pr_info("hook_manager: register_%s kretprobe: %d\n", name, ret);
+	if (ret) {
+		kfree(rp);
+		return NULL;
+	}
+
+	return rp;
+}
+
+static void destroy_kretprobe(struct kretprobe **rp_ptr)
+{
+	struct kretprobe *rp = *rp_ptr;
+	if (!rp)
+		return;
+	unregister_kretprobe(rp);
+	synchronize_rcu();
+	kfree(rp);
+	*rp_ptr = NULL;
+}
+
+static int syscall_regfunc_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tracepoint_reg_lock, flags);
+	if (tracepoint_reg_count < 1) {
+		// while install our tracepoint, mark our processes
+		ksu_mark_running_process_locked();
+	} else if (tracepoint_reg_count == 1) {
+		// while other tracepoint first added, mark all processes
+		ksu_mark_all_process();
+	}
+	tracepoint_reg_count++;
+	spin_unlock_irqrestore(&tracepoint_reg_lock, flags);
+	return 0;
+}
+
+static int syscall_unregfunc_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	unsigned long flags;
+	spin_lock_irqsave(&tracepoint_reg_lock, flags);
+	tracepoint_reg_count--;
+	if (tracepoint_reg_count <= 0) {
+		// while no tracepoint left, unmark all processes
+		ksu_unmark_all_process();
+	} else if (tracepoint_reg_count == 1) {
+		// while just our tracepoint left, unmark disallowed processes
+		ksu_mark_running_process_locked();
+	}
+	spin_unlock_irqrestore(&tracepoint_reg_lock, flags);
+	return 0;
+}
+
+static struct kretprobe *syscall_regfunc_rp = NULL;
+static struct kretprobe *syscall_unregfunc_rp = NULL;
+#endif
+
+static inline bool check_syscall_fastpath(int nr)
+{
+    switch (nr) {
+    case __NR_newfstatat:
+    case __NR_faccessat:
+    case __NR_execve:
+    case __NR_setresuid:
+    case __NR_clone:
+    case __NR_clone3:
+        return true;
+    default:
+        return false;
+    }
+}
+
+// Unmark init's child that are not zygote, adbd or ksud
+int ksu_handle_init_mark_tracker(const char __user **filename_user)
+{
+    char path[64];
+
+    if (unlikely(!filename_user))
+        return 0;
+
+    memset(path, 0, sizeof(path));
+    strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+
+    if (likely(strstr(path, "/app_process") == NULL && strstr(path, "/adbd") == NULL && strstr(path, "/ksud") == NULL)) {
+		pr_info("hook_manager: unmark %d exec %s", current->pid, path);
+        ksu_clear_task_tracepoint_flag_if_needed(current);
+    }
+
+    return 0;
+}
+#ifdef CONFIG_KSU_MANUAL_SU
+#include "manual_su.h"
+static inline void ksu_handle_task_alloc(struct pt_regs *regs)
+{
+    ksu_try_escalate_for_uid(current_uid().val);
+}
+#endif
+
+#ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS
+// Generic sys_enter handler that dispatches to specific handlers
+static void ksu_sys_enter_handler(void *data, struct pt_regs *regs, long id)
+{
+	if (unlikely(check_syscall_fastpath(id))) {
+#ifdef KSU_TP_HOOK
+		if (ksu_su_compat_enabled) {
+			// Handle newfstatat
+			if (id == __NR_newfstatat) {
+				int *dfd = (int *)&PT_REGS_PARM1(regs);
+				const char __user **filename_user =
+					(const char __user **)&PT_REGS_PARM2(regs);
+				int *flags = (int *)&PT_REGS_SYSCALL_PARM4(regs);
+				ksu_handle_stat(dfd, filename_user, flags);
+				return;
+			}
+
+			// Handle faccessat
+			if (id == __NR_faccessat) {
+				int *dfd = (int *)&PT_REGS_PARM1(regs);
+				const char __user **filename_user =
+					(const char __user **)&PT_REGS_PARM2(regs);
+				int *mode = (int *)&PT_REGS_PARM3(regs);
+				ksu_handle_faccessat(dfd, filename_user, mode, NULL);
+				return;
+			}
+
+			// Handle execve
+			if (id == __NR_execve) {
+				const char __user **filename_user =
+					(const char __user **)&PT_REGS_PARM1(regs);
+				if (current->pid != 1 && is_init(get_current_cred())) {
+					ksu_handle_init_mark_tracker(filename_user);
+				} else {
+                    ksu_handle_execve_sucompat(filename_user, NULL, NULL, NULL);
+                }
+				return;
+			}
+		}
+#endif
+
+        // Handle setresuid
+		if (id == __NR_setresuid) {
+			uid_t ruid = (uid_t)PT_REGS_PARM1(regs);
+			uid_t euid = (uid_t)PT_REGS_PARM2(regs);
+			uid_t suid = (uid_t)PT_REGS_PARM3(regs);
+			ksu_handle_setresuid(ruid, euid, suid);
+			return;
+		}
+
+#ifdef CONFIG_KSU_MANUAL_SU
+		// Handle task_alloc via clone/fork
+    	if (id == __NR_clone || id == __NR_clone3)
+        	return ksu_handle_task_alloc(regs);
+#endif
+	}
+}
+#endif
+
+void ksu_syscall_hook_manager_init(void)
+{
+	int ret;
+	pr_info("hook_manager: ksu_hook_manager_init called\n");
+
+#ifdef CONFIG_KRETPROBES
+	// Register kretprobe for syscall_regfunc
+	syscall_regfunc_rp = init_kretprobe("syscall_regfunc", syscall_regfunc_handler);
+	// Register kretprobe for syscall_unregfunc
+	syscall_unregfunc_rp = init_kretprobe("syscall_unregfunc", syscall_unregfunc_handler);
+#endif
+
+#ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS
+	ret = register_trace_sys_enter(ksu_sys_enter_handler, NULL);
+#ifndef CONFIG_KRETPROBES
+	ksu_mark_running_process_locked();
+#endif
+	if (ret) {
+		pr_err("hook_manager: failed to register sys_enter tracepoint: %d\n", ret);
+	} else {
+		pr_info("hook_manager: sys_enter tracepoint registered\n");
+	}
+#endif
+
+	ksu_setuid_hook_init();
+	ksu_sucompat_init();
+}
+
+void ksu_syscall_hook_manager_exit(void)
+{
+	pr_info("hook_manager: ksu_hook_manager_exit called\n");
+#ifdef CONFIG_HAVE_SYSCALL_TRACEPOINTS
+	unregister_trace_sys_enter(ksu_sys_enter_handler, NULL);
+	tracepoint_synchronize_unregister();
+	pr_info("hook_manager: sys_enter tracepoint unregistered\n");
+#endif
+
+#ifdef CONFIG_KRETPROBES
+	destroy_kretprobe(&syscall_regfunc_rp);
+	destroy_kretprobe(&syscall_unregfunc_rp);
+#endif
+
+	ksu_sucompat_exit();
+	ksu_setuid_hook_exit();
+}
--- a/kernel/syscall_hook_manager.h
+++ b/kernel/syscall_hook_manager.h
@@ -0,0 +1,47 @@
+#ifndef __KSU_H_HOOK_MANAGER
+#define __KSU_H_HOOK_MANAGER
+
+#include <linux/version.h>
+#include <linux/sched.h>
+#include <linux/thread_info.h>
+#include <linux/init.h>
+#include <linux/binfmts.h>
+#include <linux/tty.h>
+#include <linux/fs.h>
+#include "selinux/selinux.h"
+
+// Hook manager initialization and cleanup
+void ksu_syscall_hook_manager_init(void);
+void ksu_syscall_hook_manager_exit(void);
+
+// Process marking for tracepoint
+void ksu_mark_all_process(void);
+void ksu_unmark_all_process(void);
+void ksu_mark_running_process(void);
+
+// Per-task mark operations
+int ksu_get_task_mark(pid_t pid);
+int ksu_set_task_mark(pid_t pid, bool mark);
+
+
+static inline void ksu_set_task_tracepoint_flag(struct task_struct *t)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+    set_task_syscall_work(t, SYSCALL_TRACEPOINT);
+#else
+    set_tsk_thread_flag(t, TIF_SYSCALL_TRACEPOINT);
+#endif
+}
+
+static inline void ksu_clear_task_tracepoint_flag(struct task_struct *t)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+    clear_task_syscall_work(t, SYSCALL_TRACEPOINT);
+#else
+    clear_tsk_thread_flag(t, TIF_SYSCALL_TRACEPOINT);
+#endif
+}
+
+void ksu_clear_task_tracepoint_flag_if_needed(struct task_struct *t);
+
+#endif
--- a/kernel/throne_comm.c
+++ b/kernel/throne_comm.c
@@ -0,0 +1,214 @@
+#include <linux/fs.h>
+#include <linux/proc_fs.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/workqueue.h>
+#include <linux/version.h>
+
+#include "klog.h"
+#include "throne_comm.h"
+#include "ksu.h"
+
+#define PROC_UID_SCANNER "ksu_uid_scanner"
+#define UID_SCANNER_STATE_FILE "/data/adb/ksu/.uid_scanner"
+
+static struct proc_dir_entry *proc_entry = NULL;
+static struct workqueue_struct *scanner_wq = NULL;
+static struct work_struct scan_work;
+static struct work_struct ksu_state_save_work;
+static struct work_struct ksu_state_load_work;
+
+
+// Signal userspace to rescan
+static bool need_rescan = false;
+
+static void rescan_work_fn(struct work_struct *work)
+{
+    // Signal userspace through proc interface
+    need_rescan = true;
+    pr_info("requested userspace uid rescan\n");
+}
+
+void ksu_request_userspace_scan(void)
+{
+    if (scanner_wq) {
+        queue_work(scanner_wq, &scan_work);
+    }
+}
+
+void ksu_handle_userspace_update(void)
+{
+    // Called when userspace notifies update complete
+    need_rescan = false;
+    pr_info("userspace uid list updated\n");
+}
+
+static void do_save_throne_state(struct work_struct *work)
+{
+    struct file *fp;
+    char state_char = ksu_uid_scanner_enabled ? '1' : '0';
+    loff_t off = 0;
+
+    fp = filp_open(UID_SCANNER_STATE_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+    if (IS_ERR(fp)) {
+        pr_err("save_throne_state create file failed: %ld\n", PTR_ERR(fp));
+        return;
+    }
+
+    if (kernel_write(fp, &state_char, sizeof(state_char), &off) != sizeof(state_char)) {
+        pr_err("save_throne_state write failed\n");
+        goto exit;
+    }
+
+    pr_info("throne state saved: %s\n", ksu_uid_scanner_enabled ? "enabled" : "disabled");
+
+exit:
+    filp_close(fp, 0);
+}
+
+void do_load_throne_state(struct work_struct *work)
+{
+    struct file *fp;
+    char state_char;
+    loff_t off = 0;
+    ssize_t ret;
+
+    fp = filp_open(UID_SCANNER_STATE_FILE, O_RDONLY, 0);
+    if (IS_ERR(fp)) {
+        pr_info("throne state file not found, using default: disabled\n");
+        ksu_uid_scanner_enabled = false;
+        return;
+    }
+
+    ret = kernel_read(fp, &state_char, sizeof(state_char), &off);
+    if (ret != sizeof(state_char)) {
+        pr_err("load_throne_state read err: %zd\n", ret);
+        ksu_uid_scanner_enabled = false;
+        goto exit;
+    }
+
+    ksu_uid_scanner_enabled = (state_char == '1');
+    pr_info("throne state loaded: %s\n", ksu_uid_scanner_enabled ? "enabled" : "disabled");
+
+exit:
+    filp_close(fp, 0);
+}
+
+bool ksu_throne_comm_load_state(void)
+{
+    return ksu_queue_work(&ksu_state_load_work);
+}
+
+void ksu_throne_comm_save_state(void)
+{
+    ksu_queue_work(&ksu_state_save_work);
+}
+
+static int uid_scanner_show(struct seq_file *m, void *v)
+{
+    if (need_rescan) {
+        seq_puts(m, "RESCAN\n");
+    } else {
+        seq_puts(m, "OK\n");
+    }
+    return 0;
+}
+
+static int uid_scanner_open(struct inode *inode, struct file *file)
+{
+    return single_open(file, uid_scanner_show, NULL);
+}
+
+static ssize_t uid_scanner_write(struct file *file, const char __user *buffer, 
+                                 size_t count, loff_t *pos)
+{
+    char cmd[16];
+    
+    if (count >= sizeof(cmd))
+        return -EINVAL;
+        
+    if (copy_from_user(cmd, buffer, count))
+        return -EFAULT;
+        
+    cmd[count] = '\0';
+    
+    // Remove newline if present
+    if (count > 0 && cmd[count-1] == '\n')
+        cmd[count-1] = '\0';
+    
+    if (strcmp(cmd, "UPDATED") == 0) {
+        ksu_handle_userspace_update();
+        pr_info("received userspace update notification\n");
+    }
+    
+    return count;
+}
+
+#ifdef KSU_COMPAT_HAS_PROC_OPS
+static const struct proc_ops uid_scanner_proc_ops = {
+    .proc_open = uid_scanner_open,
+    .proc_read = seq_read,
+    .proc_write = uid_scanner_write,
+    .proc_lseek = seq_lseek,
+    .proc_release = single_release,
+};
+#else
+static const struct file_operations uid_scanner_proc_ops = {
+    .owner = THIS_MODULE,
+    .open = uid_scanner_open,
+    .read = seq_read,
+    .write = uid_scanner_write,
+    .llseek = seq_lseek,
+    .release = single_release,
+};
+#endif
+
+int ksu_throne_comm_init(void)
+{
+    // Create workqueue
+    scanner_wq = alloc_workqueue("ksu_scanner", WQ_UNBOUND, 1);
+    if (!scanner_wq) {
+        pr_err("failed to create scanner workqueue\n");
+        return -ENOMEM;
+    }
+    
+    INIT_WORK(&scan_work, rescan_work_fn);
+    
+    // Create proc entry
+    proc_entry = proc_create(PROC_UID_SCANNER, 0600, NULL, &uid_scanner_proc_ops);
+    if (!proc_entry) {
+        pr_err("failed to create proc entry\n");
+        destroy_workqueue(scanner_wq);
+        return -ENOMEM;
+    }
+    
+    pr_info("throne communication initialized\n");
+    return 0;
+}
+
+void ksu_throne_comm_exit(void)
+{
+    if (proc_entry) {
+        proc_remove(proc_entry);
+        proc_entry = NULL;
+    }
+    
+    if (scanner_wq) {
+        destroy_workqueue(scanner_wq);
+        scanner_wq = NULL;
+    }
+    
+    pr_info("throne communication cleaned up\n");
+}
+
+int ksu_uid_init(void)
+{
+    INIT_WORK(&ksu_state_save_work, do_save_throne_state);
+    INIT_WORK(&ksu_state_load_work, do_load_throne_state);
+    return 0;
+}
+
+void ksu_uid_exit(void)
+{
+    do_save_throne_state(NULL);
+}
--- a/kernel/throne_comm.h
+++ b/kernel/throne_comm.h
@@ -0,0 +1,22 @@
+#ifndef __KSU_H_THRONE_COMM
+#define __KSU_H_THRONE_COMM
+
+void ksu_request_userspace_scan(void);
+
+void ksu_handle_userspace_update(void);
+
+int ksu_throne_comm_init(void);
+
+void ksu_throne_comm_exit(void);
+
+int ksu_uid_init(void);
+
+void ksu_uid_exit(void);
+
+bool ksu_throne_comm_load_state(void);
+
+void ksu_throne_comm_save_state(void);
+
+void do_load_throne_state(struct work_struct *work);
+
+#endif
--- a/kernel/throne_tracker.c
+++ b/kernel/throne_tracker.c
@@ -5,17 +5,23 @@
 #include <linux/string.h>
 #include <linux/types.h>
 #include <linux/version.h>
+#include <linux/stat.h>
+#include <linux/namei.h>

 #include "allowlist.h"
 #include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
 #include "manager.h"
 #include "throne_tracker.h"
-#include "kernel_compat.h"
+#include "apk_sign.h"
+#include "dynamic_manager.h"
+#include "throne_comm.h"

 uid_t ksu_manager_uid = KSU_INVALID_UID;
+static uid_t locked_manager_uid = KSU_INVALID_UID;
+static uid_t locked_dynamic_manager_uid = KSU_INVALID_UID;

-#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list.tmp"
+#define KSU_UID_LIST_PATH "/data/misc/user_uid/uid_list"
+#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"

 struct uid_data {
    struct list_head list;
@@ -23,6 +29,77 @@ struct uid_data {
    char package[KSU_MAX_PACKAGE_NAME];
 };

+// Try read /data/misc/user_uid/uid_list
+static int uid_from_um_list(struct list_head *uid_list)
+{
+    struct file *fp;
+    char *buf = NULL;
+    loff_t size, pos = 0;
+    ssize_t nr;
+    int cnt = 0;
+
+    fp = filp_open(KSU_UID_LIST_PATH, O_RDONLY, 0);
+    if (IS_ERR(fp))
+        return -ENOENT;
+
+    size = fp->f_inode->i_size;
+    if (size <= 0) {
+        filp_close(fp, NULL);
+        return -ENODATA;
+    }
+
+    buf = kzalloc(size + 1, GFP_ATOMIC);
+    if (!buf) {
+        pr_err("uid_list: OOM %lld B\n", size);
+        filp_close(fp, NULL);
+        return -ENOMEM;
+    }
+
+    nr = kernel_read(fp, buf, size, &pos);
+    filp_close(fp, NULL);
+    if (nr != size) {
+        pr_err("uid_list: short read %zd/%lld\n", nr, size);
+        kfree(buf);
+        return -EIO;
+    }
+    buf[size] = '\0';
+
+    for (char *line = buf, *next; line; line = next) {
+        next = strchr(line, '\n');
+        if (next) *next++ = '\0';
+
+        while (*line == ' ' || *line == '\t' || *line == '\r') ++line;
+        if (!*line) continue;
+
+        char *uid_str = strsep(&line, " \t");
+        char *pkg     = line;
+        if (!pkg) continue;
+        while (*pkg == ' ' || *pkg == '\t') ++pkg;
+        if (!*pkg)   continue;
+
+        u32 uid;
+        if (kstrtou32(uid_str, 10, &uid)) {
+            pr_warn_once("uid_list: bad uid <%s>\n", uid_str);
+            continue;
+        }
+
+        struct uid_data *d = kzalloc(sizeof(*d), GFP_ATOMIC);
+        if (unlikely(!d)) {
+            pr_err("uid_list: OOM uid=%u\n", uid);
+            continue;
+        }
+
+        d->uid = uid;
+        strscpy(d->package, pkg, KSU_MAX_PACKAGE_NAME);
+        list_add_tail(&d->list, uid_list);
+        ++cnt;
+    }
+
+    kfree(buf);
+    pr_info("uid_list: loaded %d entries\n", cnt);
+    return cnt > 0 ? 0 : -ENODATA;
+}
+
 static int get_pkg_from_apk_path(char *pkg, const char *path)
 {
    int len = strlen(path);
@@ -80,21 +157,41 @@ static void crown_manager(const char *apk, struct list_head *uid_data, int signa
        return;
    }
 #endif
-	struct list_head *list = (struct list_head *)uid_data;
    struct uid_data *np;

-	list_for_each_entry (np, list, list) {
+    list_for_each_entry(np, uid_data, list) {
        if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) {
-			pr_info("Crowning manager: %s(uid=%d, signature_index=%d)\n", pkg, np->uid, signature_index);
+            bool is_dynamic = (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2);

-			if (signature_index == 1 || signature_index == 2) {
-				ksu_add_manager(np->uid, signature_index);
-				
-				if (!ksu_is_manager_uid_valid()) {
-					ksu_set_manager_uid(np->uid);
+            if (is_dynamic) {
+                if (locked_dynamic_manager_uid != KSU_INVALID_UID && locked_dynamic_manager_uid != np->uid) {
+                    pr_info("Unlocking previous dynamic manager UID: %d\n", locked_dynamic_manager_uid);
+                    ksu_remove_manager(locked_dynamic_manager_uid);
+                    locked_dynamic_manager_uid = KSU_INVALID_UID;
                }
            } else {
+                if (locked_manager_uid != KSU_INVALID_UID && locked_manager_uid != np->uid) {
+                    pr_info("Unlocking previous manager UID: %d\n", locked_manager_uid);
+                    ksu_invalidate_manager_uid(); // unlock old one
+                    locked_manager_uid = KSU_INVALID_UID;
+                }
+            }
+
+            pr_info("Crowning %s manager: %s (uid=%d, signature_index=%d)\n",
+                    is_dynamic ? "dynamic" : "traditional", pkg, np->uid, signature_index);
+
+            if (is_dynamic) {
+                ksu_add_manager(np->uid, signature_index);
+                locked_dynamic_manager_uid = np->uid;
+
+                // If there is no traditional manager, set it to the current UID
+                if (!ksu_is_manager_uid_valid()) {
                    ksu_set_manager_uid(np->uid);
+                    locked_manager_uid = np->uid;
+                }
+            } else {
+                ksu_set_manager_uid(np->uid); // throne new UID
+                locked_manager_uid = np->uid; // store locked UID
            }
            break;
        }
@@ -136,7 +233,6 @@ struct my_dir_context {
 #define FILLDIR_ACTOR_CONTINUE 0
 #define FILLDIR_ACTOR_STOP -EINVAL
 #endif
-
 FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
                             int namelen, loff_t off, u64 ino,
                             unsigned int d_type)
@@ -163,7 +259,6 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
         return FILLDIR_ACTOR_CONTINUE; // Skip staging package
     }
    
-
    if (snprintf(dirpath, DATA_PATH_LEN, "%s/%.*s", my_ctx->parent_dir,
             namelen, name) >= DATA_PATH_LEN) {
        pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen,
@@ -173,7 +268,7 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,

    if (d_type == DT_DIR && my_ctx->depth > 0 &&
        (my_ctx->stop && !*my_ctx->stop)) {
-		struct data_path *data = kmalloc(sizeof(struct data_path), GFP_ATOMIC);
+        struct data_path *data = kzalloc(sizeof(struct data_path), GFP_ATOMIC);

        if (!data) {
            pr_err("Failed to allocate memory for %s\n", dirpath);
@@ -186,7 +281,11 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
    } else {
        if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) {
            struct apk_path_hash *pos, *n;
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 8, 0)
+            unsigned int hash = full_name_hash(dirpath, strlen(dirpath));
+#else
            unsigned int hash = full_name_hash(NULL, dirpath, strlen(dirpath));
+#endif
            list_for_each_entry(pos, &apk_path_hash_list, list) {
                if (hash == pos->hash) {
                    pos->exists = true;
@@ -195,37 +294,33 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
            }

            int signature_index = -1;
-			bool is_multi_manager = ksu_is_multi_manager_apk(dirpath, &signature_index);
+            bool is_multi_manager = is_dynamic_manager_apk(
+                dirpath, &signature_index);

            pr_info("Found new base.apk at path: %s, is_multi_manager: %d, signature_index: %d\n",
                dirpath, is_multi_manager, signature_index);
                
-			if (is_multi_manager && (signature_index == 1 || signature_index == 2)) {
+            // Check for dynamic sign or multi-manager signatures
+            if (is_multi_manager && (signature_index == DYNAMIC_SIGN_INDEX || signature_index >= 2)) {
                crown_manager(dirpath, my_ctx->private_data, signature_index);
+            } else if (is_manager_apk(dirpath)) {
+                crown_manager(dirpath, my_ctx->private_data, 0);
+                *my_ctx->stop = 1;
+            }

-				struct apk_path_hash *apk_data = kmalloc(sizeof(struct apk_path_hash), GFP_ATOMIC);
+            struct apk_path_hash *apk_data = kzalloc(sizeof(*apk_data), GFP_ATOMIC);
            if (apk_data) {
                apk_data->hash  = hash;
                apk_data->exists = true;
                list_add_tail(&apk_data->list, &apk_path_hash_list);
            }

-			} else if (is_manager_apk(dirpath)) {
-				crown_manager(dirpath, my_ctx->private_data, 0);
-				*my_ctx->stop = 1;
-
+            if (is_manager_apk(dirpath)) {
                // Manager found, clear APK cache list
                list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
                    list_del(&pos->list);
                    kfree(pos);
                }
-			} else {
-				struct apk_path_hash *apk_data = kmalloc(sizeof(struct apk_path_hash), GFP_ATOMIC);
-				if (apk_data) {
-					apk_data->hash = hash;
-					apk_data->exists = true;
-					list_add_tail(&apk_data->list, &apk_path_hash_list);
-				}
            }
        }
    }
@@ -242,7 +337,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
    
    // Initialize APK cache list
    struct apk_path_hash *pos, *n;
-	list_for_each_entry(pos, &apk_path_hash_list, list) {
+    list_for_each_entry (pos, &apk_path_hash_list, list) {
        pos->exists = false;
    }

@@ -255,7 +350,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
    for (i = depth; i >= 0; i--) {
        struct data_path *pos, *n;

-		list_for_each_entry_safe(pos, n, &data_path_list, list) {
+        list_for_each_entry_safe (pos, n, &data_path_list, list) {
            struct my_dir_context ctx = { .ctx.actor = my_actor,
                                          .data_path_list = &data_path_list,
                                          .parent_dir = pos->dirpath,
@@ -265,9 +360,10 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
            struct file *file;

            if (!stop) {
-				file = ksu_filp_open_compat(pos->dirpath, O_RDONLY | O_NOFOLLOW, 0);
+                file = filp_open(pos->dirpath, O_RDONLY | O_NOFOLLOW, 0);
                if (IS_ERR(file)) {
-					pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file));
+                    pr_err("Failed to open directory: %s, err: %ld\n",
+                           pos->dirpath, PTR_ERR(file));
                    goto skip_iterate;
                }

@@ -275,7 +371,8 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
                if (!data_app_magic) {
                    if (file->f_inode->i_sb->s_magic) {
                        data_app_magic = file->f_inode->i_sb->s_magic;
-						pr_info("%s: dir: %s got magic! 0x%lx\n", __func__, pos->dirpath, data_app_magic);
+                        pr_info("%s: dir: %s got magic! 0x%lx\n", __func__,
+                                pos->dirpath, data_app_magic);
                    } else {
                        filp_close(file, NULL);
                        goto skip_iterate;
@@ -283,7 +380,8 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
                }

                if (file->f_inode->i_sb->s_magic != data_app_magic) {
-					pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n", __func__, pos->dirpath, 
+                    pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n",
+                            __func__, pos->dirpath,
                            file->f_inode->i_sb->s_magic, data_app_magic);
                    filp_close(file, NULL);
                    goto skip_iterate;
@@ -292,7 +390,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
                iterate_dir(file, &ctx.ctx);
                filp_close(file, NULL);
            }
-skip_iterate:
+        skip_iterate:
            list_del(&pos->list);
            if (pos != &data)
                kfree(pos);
@@ -300,7 +398,7 @@ skip_iterate:
    }

    // Remove stale cached APK entries
-	list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
+    list_for_each_entry_safe (pos, n, &apk_path_hash_list, list) {
        if (!pos->exists) {
            list_del(&pos->list);
            kfree(pos);
@@ -324,34 +422,51 @@ static bool is_uid_exist(uid_t uid, char *package, void *data)
    return exist;
 }

-void track_throne()
+void track_throne(bool prune_only)
 {
-	struct file *fp =
-		ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
-	if (IS_ERR(fp)) {
-		pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n",
-		       __func__, PTR_ERR(fp));
-		return;
-	}
-
    struct list_head uid_list;
-	INIT_LIST_HEAD(&uid_list);
-
+    struct uid_data *np, *n;
+    struct file *fp;
    char chr = 0;
    loff_t pos = 0;
    loff_t line_start = 0;
    char buf[KSU_MAX_PACKAGE_NAME];
+    static bool manager_exist = false;
+    static bool dynamic_manager_exist = false;
+    int current_manager_uid = ksu_get_manager_uid() % 100000;
+
+    // init uid list head
+    INIT_LIST_HEAD(&uid_list);
+
+    if (ksu_uid_scanner_enabled) {
+        pr_info("Scanning %s directory..\n", KSU_UID_LIST_PATH);
+
+        if (uid_from_um_list(&uid_list) == 0) {
+            pr_info("Loaded UIDs from %s success\n", KSU_UID_LIST_PATH);
+            goto uid_ready;
+        }
+
+        pr_warn("%s read failed, fallback to %s\n",
+            KSU_UID_LIST_PATH, SYSTEM_PACKAGES_LIST_PATH);
+    }
+
+    {
+        fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+        if (IS_ERR(fp)) {
+            pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n", __func__, PTR_ERR(fp));
+            return;
+        }
+
        for (;;) {
            ssize_t count =
-			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+                kernel_read(fp, &chr, sizeof(chr), &pos);
            if (count != sizeof(chr))
                break;
            if (chr != '\n')
                continue;

-		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+            count = kernel_read(fp, buf, sizeof(buf),
                            &line_start);
-
            struct uid_data *data =
                kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
            if (!data) {
@@ -379,37 +494,55 @@ void track_throne()
            // reset line start
            line_start = pos;
        }
-	filp_close(fp, 0);

-	// now update uid list
-	struct uid_data *np;
-	struct uid_data *n;
+        filp_close(fp, 0);
+    }
+
+uid_ready:
+    if (prune_only)
+        goto prune;

    // first, check if manager_uid exist!
-	bool manager_exist = false;
-	list_for_each_entry (np, &uid_list, list) {
-		// if manager is installed in work profile, the uid in packages.list is still equals main profile
-		// don't delete it in this case!
-		int manager_uid = ksu_get_manager_uid() % 100000;
-		if (np->uid == manager_uid) {
+    list_for_each_entry(np, &uid_list, list) {
+        if (np->uid == current_manager_uid) {
            manager_exist = true;
            break;
        }
-		
-		if (ksu_is_any_manager(np->uid)) {
-			manager_exist = true;
-		}
    }

-	if (!manager_exist) {
-		if (ksu_is_manager_uid_valid()) {
-			pr_info("manager is uninstalled, invalidate it!\n");
+    if (!manager_exist && locked_manager_uid != KSU_INVALID_UID) {
+        pr_info("Manager APK removed, unlock previous UID: %d\n",
+                locked_manager_uid);
        ksu_invalidate_manager_uid();
-			goto prune;
+        locked_manager_uid = KSU_INVALID_UID;
    }
-		pr_info("Searching manager...\n");
+
+    // Check if the Dynamic Manager exists (only check locked UIDs)
+    if (ksu_is_dynamic_manager_enabled() &&
+        locked_dynamic_manager_uid != KSU_INVALID_UID) {
+        list_for_each_entry(np, &uid_list, list) {
+            if (np->uid == locked_dynamic_manager_uid) {
+                dynamic_manager_exist = true;
+                break;
+            }
+        }
+
+        if (!dynamic_manager_exist) {
+            pr_info("Dynamic manager APK removed, unlock previous UID: %d\n",
+                    locked_dynamic_manager_uid);
+            ksu_remove_manager(locked_dynamic_manager_uid);
+            locked_dynamic_manager_uid = KSU_INVALID_UID;
+        }
+    }
+
+    bool need_search = !manager_exist;
+    if (ksu_is_dynamic_manager_enabled() && !dynamic_manager_exist)
+        need_search = true;
+
+    if (need_search) {
+        pr_info("Searching for manager(s)...\n");
        search_manager("/data/app", 2, &uid_list);
-		pr_info("Search manager finished\n");
+        pr_info("Manager search finished\n");
    }
    
 prune:
@@ -417,18 +550,18 @@ prune:
    ksu_prune_allowlist(is_uid_exist, &uid_list);
 out:
    // free uid_list
-	list_for_each_entry_safe (np, n, &uid_list, list) {
+    list_for_each_entry_safe(np, n, &uid_list, list) {
        list_del(&np->list);
        kfree(np);
    }
 }

-void ksu_throne_tracker_init()
+void ksu_throne_tracker_init(void)
 {
    // nothing to do
 }

-void ksu_throne_tracker_exit()
+void ksu_throne_tracker_exit(void)
 {
    // nothing to do
 }
--- a/kernel/throne_tracker.h
+++ b/kernel/throne_tracker.h
@@ -5,6 +5,6 @@ void ksu_throne_tracker_init();

 void ksu_throne_tracker_exit();

-void track_throne();
+void track_throne(bool prune_only);

 #endif
--- a/kernel/umount_manager.c
+++ b/kernel/umount_manager.c
@@ -0,0 +1,353 @@
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/uaccess.h>
+#include <linux/namei.h>
+#include <linux/path.h>
+#include <linux/mount.h>
+#include <linux/cred.h>
+
+#include "klog.h"
+#include "kernel_umount.h"
+#include "umount_manager.h"
+
+static struct umount_manager g_umount_mgr = {
+    .entry_count = 0,
+    .max_entries = 512,
+};
+
+static void try_umount_path(struct umount_entry *entry)
+{
+    try_umount(entry->path, entry->flags);
+}
+
+static struct umount_entry *find_entry_locked(const char *path)
+{
+    struct umount_entry *entry;
+
+    list_for_each_entry(entry, &g_umount_mgr.entry_list, list) {
+        if (strcmp(entry->path, path) == 0) {
+            return entry;
+        }
+    }
+
+    return NULL;
+}
+
+static bool is_path_in_mount_list(const char *path)
+{
+    struct mount_entry *entry;
+    bool found = false;
+
+    down_read(&mount_list_lock);
+    list_for_each_entry(entry, &mount_list, list) {
+        if (entry->umountable && strcmp(entry->umountable, path) == 0) {
+            found = true;
+            break;
+        }
+    }
+    up_read(&mount_list_lock);
+
+    return found;
+}
+
+static int copy_mount_entry_to_user(struct ksu_umount_entry_info __user *entries,
+                                    u32 idx, const char *path, int flags)
+{
+    struct ksu_umount_entry_info info;
+
+    memset(&info, 0, sizeof(info));
+    strncpy(info.path, path, sizeof(info.path) - 1);
+    info.path[sizeof(info.path) - 1] = '\0';
+    info.flags = flags;
+    info.is_default = 1;
+    info.state = UMOUNT_STATE_IDLE;
+    info.ref_count = 0;
+
+    if (copy_to_user(&entries[idx], &info, sizeof(info))) {
+        return -EFAULT;
+    }
+
+    return 0;
+}
+
+static int copy_umount_entry_to_user(struct ksu_umount_entry_info __user *entries,
+                                      u32 idx, struct umount_entry *entry)
+{
+    struct ksu_umount_entry_info info;
+
+    memset(&info, 0, sizeof(info));
+    strncpy(info.path, entry->path, sizeof(info.path) - 1);
+    info.path[sizeof(info.path) - 1] = '\0';
+    info.flags = entry->flags;
+    info.is_default = entry->is_default;
+    info.state = entry->state;
+    info.ref_count = entry->ref_count;
+
+    if (copy_to_user(&entries[idx], &info, sizeof(info))) {
+        return -EFAULT;
+    }
+
+    return 0;
+}
+
+static int collect_mount_list_entries(struct ksu_umount_entry_info __user *entries,
+                                       u32 max_count, u32 *out_idx)
+{
+    struct mount_entry *mount_entry;
+    u32 idx = 0;
+
+    down_read(&mount_list_lock);
+    list_for_each_entry(mount_entry, &mount_list, list) {
+        if (idx >= max_count) {
+            break;
+        }
+
+        if (!mount_entry->umountable) {
+            continue;
+        }
+
+        if (copy_mount_entry_to_user(entries, idx, mount_entry->umountable,
+                                      mount_entry->flags)) {
+            up_read(&mount_list_lock);
+            return -EFAULT;
+        }
+
+        idx++;
+    }
+    up_read(&mount_list_lock);
+
+    *out_idx = idx;
+    return 0;
+}
+
+static int collect_umount_manager_entries(struct ksu_umount_entry_info __user *entries,
+                                          u32 start_idx, u32 max_count, u32 *out_idx)
+{
+    struct umount_entry *entry;
+    unsigned long flags;
+    u32 idx = start_idx;
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry(entry, &g_umount_mgr.entry_list, list) {
+        if (idx >= max_count) {
+            break;
+        }
+
+        if (is_path_in_mount_list(entry->path)) {
+            continue;
+        }
+
+        spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+
+        if (copy_umount_entry_to_user(entries, idx, entry)) {
+            return -EFAULT;
+        }
+
+        idx++;
+        spin_lock_irqsave(&g_umount_mgr.lock, flags);
+    }
+
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+    *out_idx = idx;
+    return 0;
+}
+
+int ksu_umount_manager_init(void)
+{
+    INIT_LIST_HEAD(&g_umount_mgr.entry_list);
+    spin_lock_init(&g_umount_mgr.lock);
+
+    return 0;
+}
+
+void ksu_umount_manager_exit(void)
+{
+    struct umount_entry *entry, *tmp;
+    unsigned long flags;
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry_safe(entry, tmp, &g_umount_mgr.entry_list, list) {
+        list_del(&entry->list);
+        kfree(entry);
+        g_umount_mgr.entry_count--;
+    }
+
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+
+    pr_info("Umount manager cleaned up\n");
+}
+
+int ksu_umount_manager_add(const char *path, int flags, bool is_default)
+{
+    struct umount_entry *entry;
+    unsigned long irqflags;
+    int ret = 0;
+
+    if (flags == -1)
+        flags = MNT_DETACH;
+
+    if (!path || strlen(path) == 0 || strlen(path) >= 256) {
+        return -EINVAL;
+    }
+
+    if (is_path_in_mount_list(path)) {
+        pr_warn("Umount manager: path already exists in mount_list: %s\n", path);
+        return -EEXIST;
+    }
+
+    spin_lock_irqsave(&g_umount_mgr.lock, irqflags);
+
+    if (g_umount_mgr.entry_count >= g_umount_mgr.max_entries) {
+        pr_err("Umount manager: max entries reached\n");
+        ret = -ENOMEM;
+        goto out;
+    }
+
+    if (find_entry_locked(path)) {
+        pr_warn("Umount manager: path already exists: %s\n", path);
+        ret = -EEXIST;
+        goto out;
+    }
+
+    entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+    if (!entry) {
+        ret = -ENOMEM;
+        goto out;
+    }
+
+    strncpy(entry->path, path, sizeof(entry->path) - 1);
+    entry->flags = flags;
+    entry->state = UMOUNT_STATE_IDLE;
+    entry->is_default = is_default;
+    entry->ref_count = 0;
+
+    list_add_tail(&entry->list, &g_umount_mgr.entry_list);
+    g_umount_mgr.entry_count++;
+
+    pr_info("Umount manager: added %s entry: %s\n",
+            is_default ? "default" : "custom", path);
+
+out:
+    spin_unlock_irqrestore(&g_umount_mgr.lock, irqflags);
+    return ret;
+}
+
+int ksu_umount_manager_remove(const char *path)
+{
+    struct umount_entry *entry;
+    unsigned long flags;
+    int ret = 0;
+
+    if (!path) {
+        return -EINVAL;
+    }
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    entry = find_entry_locked(path);
+    if (!entry) {
+        ret = -ENOENT;
+        goto out;
+    }
+
+    if (entry->is_default) {
+        pr_err("Umount manager: cannot remove default entry: %s\n", path);
+        ret = -EPERM;
+        goto out;
+    }
+
+    if (entry->state == UMOUNT_STATE_BUSY || entry->ref_count > 0) {
+        pr_err("Umount manager: entry is busy: %s\n", path);
+        ret = -EBUSY;
+        goto out;
+    }
+
+    list_del(&entry->list);
+    g_umount_mgr.entry_count--;
+    kfree(entry);
+
+    pr_info("Umount manager: removed entry: %s\n", path);
+
+out:
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+    return ret;
+}
+
+void ksu_umount_manager_execute_all(const struct cred *cred)
+{
+    struct umount_entry *entry;
+    unsigned long flags;
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry(entry, &g_umount_mgr.entry_list, list) {
+        if (entry->state == UMOUNT_STATE_IDLE) {
+            entry->ref_count++;
+        }
+    }
+
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry(entry, &g_umount_mgr.entry_list, list) {
+        if (entry->ref_count > 0 && entry->state == UMOUNT_STATE_IDLE) {
+            try_umount_path(entry);
+        }
+    }
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry(entry, &g_umount_mgr.entry_list, list) {
+        if (entry->ref_count > 0) {
+            entry->ref_count--;
+        }
+    }
+
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+}
+
+int ksu_umount_manager_get_entries(struct ksu_umount_entry_info __user *entries, u32 *count)
+{
+    u32 max_count = *count;
+    u32 idx;
+    int ret;
+
+    ret = collect_mount_list_entries(entries, max_count, &idx);
+    if (ret) {
+        return ret;
+    }
+
+    if (idx < max_count) {
+        ret = collect_umount_manager_entries(entries, idx, max_count, &idx);
+        if (ret) {
+            return ret;
+        }
+    }
+
+    *count = idx;
+    return 0;
+}
+
+int ksu_umount_manager_clear_custom(void)
+{
+    struct umount_entry *entry, *tmp;
+    unsigned long flags;
+    u32 cleared = 0;
+
+    spin_lock_irqsave(&g_umount_mgr.lock, flags);
+
+    list_for_each_entry_safe(entry, tmp, &g_umount_mgr.entry_list, list) {
+        if (!entry->is_default && entry->state == UMOUNT_STATE_IDLE && entry->ref_count == 0) {
+            list_del(&entry->list);
+            kfree(entry);
+            g_umount_mgr.entry_count--;
+            cleared++;
+        }
+    }
+
+    spin_unlock_irqrestore(&g_umount_mgr.lock, flags);
+
+    pr_info("Umount manager: cleared %u custom entries\n", cleared);
+    return 0;
+}
--- a/kernel/umount_manager.h
+++ b/kernel/umount_manager.h
@@ -0,0 +1,63 @@
+#ifndef __KSU_H_UMOUNT_MANAGER
+#define __KSU_H_UMOUNT_MANAGER
+
+#include <linux/types.h>
+#include <linux/list.h>
+#include <linux/spinlock.h>
+
+struct cred;
+
+enum umount_entry_state {
+    UMOUNT_STATE_IDLE = 0,
+    UMOUNT_STATE_ACTIVE = 1,
+    UMOUNT_STATE_BUSY = 2,
+};
+
+struct umount_entry {
+    struct list_head list;
+    char path[256];
+    int flags;
+    enum umount_entry_state state;
+    bool is_default;
+    u32 ref_count;
+};
+
+struct umount_manager {
+    struct list_head entry_list;
+    spinlock_t lock;
+    u32 entry_count;
+    u32 max_entries;
+};
+
+enum umount_manager_op {
+    UMOUNT_OP_ADD = 0,
+    UMOUNT_OP_REMOVE = 1,
+    UMOUNT_OP_LIST = 2,
+    UMOUNT_OP_CLEAR_CUSTOM = 3,
+};
+
+struct ksu_umount_manager_cmd {
+    __u32 operation;
+    char path[256];
+    __s32 flags;
+    __u32 count;
+    __aligned_u64 entries_ptr;
+};
+
+struct ksu_umount_entry_info {
+    char path[256];
+    __s32 flags;
+    __u8 is_default;
+    __u32 state;
+    __u32 ref_count;
+};
+
+int ksu_umount_manager_init(void);
+void ksu_umount_manager_exit(void);
+int ksu_umount_manager_add(const char *path, int flags, bool is_default);
+int ksu_umount_manager_remove(const char *path);
+void ksu_umount_manager_execute_all(const struct cred *cred);
+int ksu_umount_manager_get_entries(struct ksu_umount_entry_info __user *entries, u32 *count);
+int ksu_umount_manager_clear_custom(void);
+
+#endif // __KSU_H_UMOUNT_MANAGER
--- a/Show More
+++ b/Show More