c93cf58f48
* Cherry-picked range: (kernel)
ebea31daa8..6915b62b9a
* Also merged unmerged pr:
https://github.com/tiann/KernelSU/pull/ 2909
Co-authored-by: Ylarod <me@ylarod.cn>
Co-authored-by: 5ec1cff <56485584+5ec1cff@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: u9521 <63995396+u9521@users.noreply.github.com>
Co-authored-by: Wang Han <416810799@qq.com>
210 lines
4.8 KiB
C
210 lines
4.8 KiB
C
#include <asm/current.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/err.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/types.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/version.h>
|
|
#include <linux/ptrace.h>
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
|
|
#include <linux/compiler.h>
|
|
#endif
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
|
|
#include <linux/sched/task_stack.h>
|
|
#else
|
|
#include <linux/sched.h>
|
|
#endif
|
|
|
|
#include "allowlist.h"
|
|
#include "feature.h"
|
|
#include "klog.h" // IWYU pragma: keep
|
|
#include "ksud.h"
|
|
#include "sucompat.h"
|
|
#include "app_profile.h"
|
|
#include "syscall_hook_manager.h"
|
|
|
|
#define SU_PATH "/system/bin/su"
|
|
#define SH_PATH "/system/bin/sh"
|
|
|
|
bool ksu_su_compat_enabled __read_mostly = true;
|
|
|
|
static const char su[] = SU_PATH;
|
|
static const char ksud_path[] = KSUD_PATH;
|
|
|
|
static int su_compat_feature_get(u64 *value)
|
|
{
|
|
*value = ksu_su_compat_enabled ? 1 : 0;
|
|
return 0;
|
|
}
|
|
|
|
static int su_compat_feature_set(u64 value)
|
|
{
|
|
bool enable = value != 0;
|
|
ksu_su_compat_enabled = enable;
|
|
pr_info("su_compat: set to %d\n", enable);
|
|
return 0;
|
|
}
|
|
|
|
static const struct ksu_feature_handler su_compat_handler = {
|
|
.feature_id = KSU_FEATURE_SU_COMPAT,
|
|
.name = "su_compat",
|
|
.get_handler = su_compat_feature_get,
|
|
.set_handler = su_compat_feature_set,
|
|
};
|
|
|
|
static void __user *userspace_stack_buffer(const void *d, size_t len)
|
|
{
|
|
// To avoid having to mmap a page in userspace, just write below the stack
|
|
// pointer.
|
|
char __user *p = (void __user *)current_user_stack_pointer() - len;
|
|
|
|
return copy_to_user(p, d, len) ? NULL : p;
|
|
}
|
|
|
|
static char __user *sh_user_path(void)
|
|
{
|
|
static const char sh_path[] = "/system/bin/sh";
|
|
|
|
return userspace_stack_buffer(sh_path, sizeof(sh_path));
|
|
}
|
|
|
|
static char __user *ksud_user_path(void)
|
|
{
|
|
return userspace_stack_buffer(ksud_path, sizeof(ksud_path));
|
|
}
|
|
|
|
static inline bool __is_su_allowed(const void *ptr_to_check)
|
|
{
|
|
#ifndef KSU_SHOULD_USE_NEW_TP
|
|
if (!ksu_su_compat_enabled)
|
|
return false;
|
|
#endif
|
|
if (!ksu_is_allow_uid_for_current(current_uid().val))
|
|
return false;
|
|
|
|
if (unlikely(!ptr_to_check))
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
#define is_su_allowed(ptr) __is_su_allowed((const void *)ptr)
|
|
|
|
static int ksu_sucompat_user_common(const char __user **filename_user,
|
|
const char *syscall_name,
|
|
const bool escalate)
|
|
{
|
|
char path[sizeof(su)]; // sizeof includes nullterm already!
|
|
memset(path, 0, sizeof(path));
|
|
|
|
ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
|
|
|
|
if (memcmp(path, su, sizeof(su)))
|
|
return 0;
|
|
|
|
if (escalate) {
|
|
pr_info("%s su found\n", syscall_name);
|
|
*filename_user = ksud_user_path();
|
|
escape_with_root_profile(); // escalate !!
|
|
} else {
|
|
pr_info("%s su->sh!\n", syscall_name);
|
|
*filename_user = sh_user_path();
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
|
|
int *__unused_flags)
|
|
{
|
|
if (!is_su_allowed(filename_user))
|
|
return 0;
|
|
|
|
return ksu_sucompat_user_common(filename_user, "faccessat", false);
|
|
}
|
|
|
|
int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
|
|
{
|
|
if (!is_su_allowed(filename_user))
|
|
return 0;
|
|
|
|
return ksu_sucompat_user_common(filename_user, "newfstatat", false);
|
|
}
|
|
|
|
int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
|
|
void *__never_use_argv, void *__never_use_envp,
|
|
int *__never_use_flags)
|
|
{
|
|
if (!is_su_allowed(filename_user))
|
|
return 0;
|
|
|
|
return ksu_sucompat_user_common(filename_user, "sys_execve", true);
|
|
}
|
|
|
|
int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
|
|
void *__never_use_argv, void *__never_use_envp,
|
|
int *__never_use_flags)
|
|
{
|
|
struct filename *filename;
|
|
|
|
if (!is_su_allowed(filename_ptr))
|
|
return 0;
|
|
|
|
filename = *filename_ptr;
|
|
if (IS_ERR(filename))
|
|
return 0;
|
|
|
|
if (likely(memcmp(filename->name, su, sizeof(su))))
|
|
return 0;
|
|
|
|
pr_info("do_execveat_common su found\n");
|
|
memcpy((void *)filename->name, ksud_path, sizeof(ksud_path));
|
|
|
|
escape_with_root_profile();
|
|
|
|
return 0;
|
|
}
|
|
|
|
int __ksu_handle_devpts(struct inode *inode)
|
|
{
|
|
#ifndef KSU_SHOULD_USE_NEW_TP
|
|
if (!ksu_su_compat_enabled)
|
|
return 0;
|
|
#endif
|
|
|
|
if (!current->mm) {
|
|
return 0;
|
|
}
|
|
|
|
uid_t uid = current_uid().val;
|
|
if (uid % 100000 < 10000) {
|
|
// not untrusted_app, ignore it
|
|
return 0;
|
|
}
|
|
|
|
if (likely(!ksu_is_allow_uid(uid)))
|
|
return 0;
|
|
|
|
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) || defined(KSU_OPTIONAL_SELINUX_INODE)
|
|
struct inode_security_struct *sec = selinux_inode(inode);
|
|
#else
|
|
struct inode_security_struct *sec = (struct inode_security_struct *)inode->i_security;
|
|
#endif
|
|
|
|
if (ksu_file_sid && sec)
|
|
sec->sid = ksu_file_sid;
|
|
return 0;
|
|
}
|
|
|
|
// sucompat: permitted process can execute 'su' to gain root access.
|
|
void ksu_sucompat_init(void)
|
|
{
|
|
if (ksu_register_feature_handler(&su_compat_handler)) {
|
|
pr_err("Failed to register su_compat feature handler\n");
|
|
}
|
|
}
|
|
|
|
void ksu_sucompat_exit(void)
|
|
{
|
|
ksu_unregister_feature_handler(KSU_FEATURE_SU_COMPAT);
|
|
}
|