#include #include #include #include #include #include #include #include #include #include #include #include "objsec.h" #include "allowlist.h" #include "arch.h" #include "feature.h" #include "klog.h" // IWYU pragma: keep #include "ksud.h" #include "kernel_compat.h" #include "sulog.h" #define SU_PATH "/system/bin/su" #define SH_PATH "/system/bin/sh" extern void escape_to_root(); void ksu_sucompat_enable(); void ksu_sucompat_disable(); bool ksu_su_compat_enabled = true; static int su_compat_feature_get(u64 *value) { *value = ksu_su_compat_enabled ? 1 : 0; return 0; } static int su_compat_feature_set(u64 value) { bool enable = value != 0; if (enable == ksu_su_compat_enabled) { pr_info("su_compat: no need to change\n"); return 0; } if (enable) { ksu_sucompat_enable(); } else { ksu_sucompat_disable(); } ksu_su_compat_enabled = enable; pr_info("su_compat: set to %d\n", enable); return 0; } static const struct ksu_feature_handler su_compat_handler = { .feature_id = KSU_FEATURE_SU_COMPAT, .name = "su_compat", .get_handler = su_compat_feature_get, .set_handler = su_compat_feature_set, }; #ifndef CONFIG_KSU_KPROBES_HOOK static bool ksu_sucompat_hook_state __read_mostly = true; #endif static void __user *userspace_stack_buffer(const void *d, size_t len) { /* To avoid having to mmap a page in userspace, just write below the stack * pointer. */ char __user *p = (void __user *)current_user_stack_pointer() - len; return copy_to_user(p, d, len) ? NULL : p; } static char __user *sh_user_path(void) { static const char sh_path[] = "/system/bin/sh"; return userspace_stack_buffer(sh_path, sizeof(sh_path)); } static char __user *ksud_user_path(void) { static const char ksud_path[] = KSUD_PATH; return userspace_stack_buffer(ksud_path, sizeof(ksud_path)); } int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode, int *__unused_flags) { const char su[] = SU_PATH; #ifndef CONFIG_KSU_KPROBES_HOOK if (!ksu_sucompat_hook_state) { return 0; } #endif if (!ksu_is_allow_uid(current_uid().val)) { return 0; } char path[sizeof(su) + 1]; memset(path, 0, sizeof(path)); ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (unlikely(!memcmp(path, su, sizeof(su)))) { #if __SULOG_GATE ksu_sulog_report_syscall(current_uid().val, NULL, "faccessat", path); #endif pr_info("faccessat su->sh!\n"); *filename_user = sh_user_path(); } return 0; } int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags) { // const char sh[] = SH_PATH; const char su[] = SU_PATH; #ifndef CONFIG_KSU_KPROBES_HOOK if (!ksu_sucompat_hook_state) { return 0; } #endif if (!ksu_is_allow_uid(current_uid().val)) { return 0; } if (unlikely(!filename_user)) { return 0; } char path[sizeof(su) + 1]; memset(path, 0, sizeof(path)); // Remove this later!! we use syscall hook, so this will never happen!!!!! #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && 0 // it becomes a `struct filename *` after 5.18 // https://elixir.bootlin.com/linux/v5.18/source/fs/stat.c#L216 const char sh[] = SH_PATH; struct filename *filename = *((struct filename **)filename_user); if (IS_ERR(filename)) { return 0; } if (likely(memcmp(filename->name, su, sizeof(su)))) return 0; pr_info("vfs_statx su->sh!\n"); memcpy((void *)filename->name, sh, sizeof(sh)); #else ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (unlikely(!memcmp(path, su, sizeof(su)))) { #if __SULOG_GATE ksu_sulog_report_syscall(current_uid().val, NULL, "newfstatat", path); #endif pr_info("newfstatat su->sh!\n"); *filename_user = sh_user_path(); } #endif return 0; } int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv, void *envp, int *flags) { return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp, flags); } // the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr, void *__never_use_argv, void *__never_use_envp, int *__never_use_flags) { struct filename *filename; const char sh[] = KSUD_PATH; const char su[] = SU_PATH; #ifndef CONFIG_KSU_KPROBES_HOOK if (!ksu_sucompat_hook_state) { return 0; } #endif if (unlikely(!filename_ptr)) return 0; filename = *filename_ptr; if (IS_ERR(filename)) { return 0; } if (likely(memcmp(filename->name, su, sizeof(su)))) return 0; #if __SULOG_GATE bool is_allowed = ksu_is_allow_uid(current_uid().val); ksu_sulog_report_syscall(current_uid().val, NULL, "execve", filename->name); if (!is_allowed) { return 0; } ksu_sulog_report_su_attempt(current_uid().val, NULL, filename->name, is_allowed); #else if (!ksu_is_allow_uid(current_uid().val)) { return 0; } #endif pr_info("do_execveat_common su found\n"); memcpy((void *)filename->name, sh, sizeof(sh)); escape_to_root(); return 0; } int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, void *__never_use_argv, void *__never_use_envp, int *__never_use_flags) { const char su[] = SU_PATH; char path[sizeof(su) + 1]; #ifndef CONFIG_KSU_KPROBES_HOOK if (!ksu_sucompat_hook_state){ return 0; } #endif if (unlikely(!filename_user)) return 0; memset(path, 0, sizeof(path)); ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path)); if (likely(memcmp(path, su, sizeof(su)))) return 0; #if __SULOG_GATE bool is_allowed = ksu_is_allow_uid(current_uid().val); ksu_sulog_report_syscall(current_uid().val, NULL, "execve", path); if (!is_allowed) return 0; ksu_sulog_report_su_attempt(current_uid().val, NULL, path, is_allowed); #else if (!ksu_is_allow_uid(current_uid().val)) { return 0; } #endif pr_info("sys_execve su found\n"); *filename_user = ksud_user_path(); escape_to_root(); return 0; } // dummified int ksu_handle_devpts(struct inode *inode) { return 0; } int __ksu_handle_devpts(struct inode *inode) { #ifndef CONFIG_KSU_KPROBES_HOOK if (!ksu_sucompat_hook_state) return 0; #endif if (!current->mm) { return 0; } uid_t uid = current_uid().val; if (uid % 100000 < 10000) { // not untrusted_app, ignore it return 0; } if (likely(!ksu_is_allow_uid(uid))) return 0; struct inode_security_struct *sec = selinux_inode(inode); if (ksu_devpts_sid && sec) sec->sid = ksu_devpts_sid; return 0; } #ifdef CONFIG_KSU_KPROBES_HOOK static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs) { struct pt_regs *real_regs = PT_REAL_REGS(regs); int *dfd = (int *)&PT_REGS_PARM1(real_regs); const char __user **filename_user = (const char **)&PT_REGS_PARM2(real_regs); int *mode = (int *)&PT_REGS_PARM3(real_regs); return ksu_handle_faccessat(dfd, filename_user, mode, NULL); } static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs) { struct pt_regs *real_regs = PT_REAL_REGS(regs); int *dfd = (int *)&PT_REGS_PARM1(real_regs); const char __user **filename_user = (const char **)&PT_REGS_PARM2(real_regs); int *flags = (int *)&PT_REGS_SYSCALL_PARM4(real_regs); return ksu_handle_stat(dfd, filename_user, flags); } static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs) { struct pt_regs *real_regs = PT_REAL_REGS(regs); const char __user **filename_user = (const char **)&PT_REGS_PARM1(real_regs); return ksu_handle_execve_sucompat(AT_FDCWD, filename_user, NULL, NULL, NULL); } static struct kprobe *su_kps[4]; static int pts_unix98_lookup_pre(struct kprobe *p, struct pt_regs *regs) { struct inode *inode; #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0) struct file *file = (struct file *)PT_REGS_PARM2(regs); inode = file->f_path.dentry->d_inode; #else inode = (struct inode *)PT_REGS_PARM2(regs); #endif return ksu_handle_devpts(inode); } static struct kprobe *init_kprobe(const char *name, kprobe_pre_handler_t handler) { struct kprobe *kp = kzalloc(sizeof(struct kprobe), GFP_KERNEL); if (!kp) return NULL; kp->symbol_name = name; kp->pre_handler = handler; int ret = register_kprobe(kp); pr_info("sucompat: register_%s kprobe: %d\n", name, ret); if (ret) { kfree(kp); return NULL; } return kp; } static void destroy_kprobe(struct kprobe **kp_ptr) { struct kprobe *kp = *kp_ptr; if (!kp) return; unregister_kprobe(kp); synchronize_rcu(); kfree(kp); *kp_ptr = NULL; } #endif // sucompat: permited process can execute 'su' to gain root access. void ksu_sucompat_enable() { #ifdef CONFIG_KSU_KPROBES_HOOK su_kps[0] = init_kprobe(SYS_EXECVE_SYMBOL, execve_handler_pre); su_kps[1] = init_kprobe(SYS_FACCESSAT_SYMBOL, faccessat_handler_pre); su_kps[2] = init_kprobe(SYS_NEWFSTATAT_SYMBOL, newfstatat_handler_pre); su_kps[3] = init_kprobe("pts_unix98_lookup", pts_unix98_lookup_pre); #else ksu_sucompat_hook_state = true; pr_info("ksu_sucompat_init: hooks enabled: execve/execveat_su, faccessat, stat\n"); #endif } void ksu_sucompat_disable() { #ifdef CONFIG_KSU_KPROBES_HOOK int i; for (i = 0; i < ARRAY_SIZE(su_kps); i++) { destroy_kprobe(&su_kps[i]); } #else ksu_sucompat_hook_state = false; pr_info("ksu_sucompat_exit: hooks disabled: execve/execveat_su, faccessat, stat\n"); #endif } // sucompat: permited process can execute 'su' to gain root access. void ksu_sucompat_init() { if (ksu_register_feature_handler(&su_compat_handler)) { pr_err("Failed to register su_compat feature handler\n"); } if (ksu_su_compat_enabled) { ksu_sucompat_enable(); } } void ksu_sucompat_exit() { if (ksu_su_compat_enabled) { ksu_sucompat_disable(); } ksu_unregister_feature_handler(KSU_FEATURE_SU_COMPAT); }