#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "allowlist.h" #include "setuid_hook.h" #include "feature.h" #include "klog.h" // IWYU pragma: keep #include "manager.h" #include "selinux/selinux.h" #include "seccomp_cache.h" #include "supercalls.h" #include "syscall_hook_manager.h" #include "kernel_umount.h" #include "app_profile.h" static bool ksu_enhanced_security_enabled = false; static int enhanced_security_feature_get(u64 *value) { *value = ksu_enhanced_security_enabled ? 1 : 0; return 0; } static int enhanced_security_feature_set(u64 value) { bool enable = value != 0; ksu_enhanced_security_enabled = enable; pr_info("enhanced_security: set to %d\n", enable); return 0; } static const struct ksu_feature_handler enhanced_security_handler = { .feature_id = KSU_FEATURE_ENHANCED_SECURITY, .name = "enhanced_security", .get_handler = enhanced_security_feature_get, .set_handler = enhanced_security_feature_set, }; static inline bool is_allow_su() { if (is_manager()) { // we are manager, allow! return true; } return ksu_is_allow_uid_for_current(current_uid().val); } int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid) { uid_t new_uid = ruid; uid_t old_uid = current_uid().val; pr_info("handle_setresuid from %d to %d\n", old_uid, new_uid); // if old process is root, ignore it. if (old_uid != 0 && ksu_enhanced_security_enabled) { // disallow any non-ksu domain escalation from non-root to root! // euid is what we care about here as it controls permission if (unlikely(euid == 0)) { if (!is_ksu_domain()) { pr_warn("find suspicious EoP: %d %s, from %d to %d\n", current->pid, current->comm, old_uid, new_uid); force_sig(SIGKILL); return 0; } } // disallow appuid decrease to any other uid if it is not allowed to su if (is_appuid(old_uid)) { if (euid < current_euid().val && !ksu_is_allow_uid_for_current(old_uid)) { pr_warn("find suspicious EoP: %d %s, from %d to %d\n", current->pid, current->comm, old_uid, new_uid); force_sig(SIGKILL); return 0; } } return 0; } // if on private space, see if its possibly the manager if (new_uid > PER_USER_RANGE && new_uid % PER_USER_RANGE == ksu_get_manager_uid()) { ksu_set_manager_uid(new_uid); } #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0) if (ksu_get_manager_uid() == new_uid) { pr_info("install fd for manager: %d\n", new_uid); ksu_install_fd(); spin_lock_irq(¤t->sighand->siglock); ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot); ksu_set_task_tracepoint_flag(current); spin_unlock_irq(¤t->sighand->siglock); return 0; } if (ksu_is_allow_uid_for_current(new_uid)) { if (current->seccomp.mode == SECCOMP_MODE_FILTER && current->seccomp.filter) { spin_lock_irq(¤t->sighand->siglock); ksu_seccomp_allow_cache(current->seccomp.filter, __NR_reboot); spin_unlock_irq(¤t->sighand->siglock); } ksu_set_task_tracepoint_flag(current); } else { ksu_clear_task_tracepoint_flag_if_needed(current); } #else if (ksu_is_allow_uid_for_current(new_uid)) { spin_lock_irq(¤t->sighand->siglock); disable_seccomp(); spin_unlock_irq(¤t->sighand->siglock); if (ksu_get_manager_uid() == new_uid) { pr_info("install fd for ksu manager(uid=%d)\n", new_uid); ksu_install_fd(); } return 0; } #endif // Handle kernel umount ksu_handle_umount(old_uid, new_uid); return 0; } void ksu_setuid_hook_init(void) { ksu_kernel_umount_init(); if (ksu_register_feature_handler(&enhanced_security_handler)) { pr_err("Failed to register enhanced security feature handler\n"); } } void ksu_setuid_hook_exit(void) { pr_info("ksu_core_exit\n"); ksu_kernel_umount_exit(); ksu_unregister_feature_handler(KSU_FEATURE_ENHANCED_SECURITY); }