#include "linux/compiler.h" #include "linux/printk.h" #include #include #include #include #include #include #include #include #include "allowlist.h" #include "feature.h" #include "klog.h" // IWYU pragma: keep #include "ksud.h" #include "sucompat.h" #include "app_profile.h" #include "syscall_hook_manager.h" #include "sulog.h" #define SU_PATH "/system/bin/su" #define SH_PATH "/system/bin/sh" bool ksu_su_compat_enabled __read_mostly = true; static int su_compat_feature_get(u64 *value) { *value = ksu_su_compat_enabled ? 1 : 0; return 0; } static int su_compat_feature_set(u64 value) { bool enable = value != 0; ksu_su_compat_enabled = enable; pr_info("su_compat: set to %d\n", enable); return 0; } static const struct ksu_feature_handler su_compat_handler = { .feature_id = KSU_FEATURE_SU_COMPAT, .name = "su_compat", .get_handler = su_compat_feature_get, .set_handler = su_compat_feature_set, }; static void __user *userspace_stack_buffer(const void *d, size_t len) { // To avoid having to mmap a page in userspace, just write below the stack // pointer. char __user *p = (void __user *)current_user_stack_pointer() - len; return copy_to_user(p, d, len) ? NULL : p; } static char __user *sh_user_path(void) { static const char sh_path[] = "/system/bin/sh"; return userspace_stack_buffer(sh_path, sizeof(sh_path)); } static char __user *ksud_user_path(void) { static const char ksud_path[] = KSUD_PATH; return userspace_stack_buffer(ksud_path, sizeof(ksud_path)); } int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode, int *__unused_flags) { const char su[] = SU_PATH; if (!ksu_is_allow_uid_for_current(current_uid().val)) { return 0; } char path[sizeof(su) + 1]; memset(path, 0, sizeof(path)); strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (unlikely(!memcmp(path, su, sizeof(su)))) { #if __SULOG_GATE ksu_sulog_report_syscall(current_uid().val, NULL, "faccessat", path); #endif pr_info("faccessat su->sh!\n"); *filename_user = sh_user_path(); } return 0; } int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags) { // const char sh[] = SH_PATH; const char su[] = SU_PATH; if (!ksu_is_allow_uid_for_current(current_uid().val)) { return 0; } if (unlikely(!filename_user)) { return 0; } char path[sizeof(su) + 1]; memset(path, 0, sizeof(path)); strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (unlikely(!memcmp(path, su, sizeof(su)))) { #if __SULOG_GATE ksu_sulog_report_syscall(current_uid().val, NULL, "newfstatat", path); #endif pr_info("newfstatat su->sh!\n"); *filename_user = sh_user_path(); } return 0; } int ksu_handle_execve_sucompat(const char __user **filename_user, void *__never_use_argv, void *__never_use_envp, int *__never_use_flags) { const char su[] = SU_PATH; char path[sizeof(su) + 1]; if (unlikely(!filename_user)) return 0; memset(path, 0, sizeof(path)); strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (likely(memcmp(path, su, sizeof(su)))) return 0; #if __SULOG_GATE bool is_allowed = ksu_is_allow_uid_for_current(current_uid().val); ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path); if (!is_allowed) return 0; ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed); #else if (!ksu_is_allow_uid_for_current(current_uid().val)) { return 0; } #endif pr_info("sys_execve su found\n"); *filename_user = ksud_user_path(); escape_with_root_profile(); return 0; } // sucompat: permitted process can execute 'su' to gain root access. void ksu_sucompat_init() { if (ksu_register_feature_handler(&su_compat_handler)) { pr_err("Failed to register su_compat feature handler\n"); } } void ksu_sucompat_exit() { ksu_unregister_feature_handler(KSU_FEATURE_SU_COMPAT); }