br0kenpixel/KernelSU-Next
1
0
Fork 0
mirror of https://github.com/KernelSU-Next/KernelSU-Next.git synced 2025-08-27 23:46:34 +00:00
Code Issues Packages Projects Releases 1 Wiki Activity

kernel: core_hook: intercept devpts via security_inode_permission LSM (#480)

Browse Source 
`ksu handles devpts with selinux lsm hook` - aviraxp

- no, not yet, but yes we can, thats a good idea.

This change tries to do that, so instead of hooking pts_unix98_lookup or
devpts_get_priv, we just watch security_inode_permission, if its devpts,
pass it along to the original handler.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
This commit is contained in:
Paul
2025-06-05 02:20:53 +02:00
committed by GitHub
parent 84fdcf8bf5
commit 3921175e4c
1 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
kernel/core_hook.c
View File

@@ -197,7 +197,7 @@ void escape_to_root(void)
sizeof(cred->cap_ambient)); sizeof(cred->cap_ambient));
setup_groups(profile, cred); setup_groups(profile, cred);
#ifdef KSU_GET_CRED_RCU #ifdef KSU_GET_CRED_RCU
rcu_read_unlock(); rcu_read_unlock();
#endif #endif
@@ -658,7 +658,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
// try umount ksu temp path // try umount ksu temp path
try_umount("/debug_ramdisk", false, MNT_DETACH); try_umount("/debug_ramdisk", false, MNT_DETACH);
try_umount("/sbin", false, MNT_DETACH); try_umount("/sbin", false, MNT_DETACH);
// try umount hosts file // try umount hosts file
try_umount("/system/etc/hosts", false, MNT_DETACH); try_umount("/system/etc/hosts", false, MNT_DETACH);
@@ -738,6 +738,19 @@ __maybe_unused int ksu_kprobe_exit(void)
return 0; return 0;
} }
extern int ksu_handle_devpts(struct inode *inode); // sucompat.c
static int ksu_inode_permission(struct inode *inode, int mask)
{
if (unlikely(inode->i_sb && inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
#ifdef CONFIG_KSU_DEBUG
pr_info("%s: devpts inode accessed with mask: %x\n", __func__, mask);
#endif
ksu_handle_devpts(inode);
}
return 0;
}
// kernel 4.9 and older // kernel 4.9 and older
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
int ksu_key_permission(key_ref_t key_ref, const struct cred *cred, int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
@@ -781,6 +794,7 @@ static struct security_hook_list ksu_hooks[] = {
LSM_HOOK_INIT(task_prctl, ksu_task_prctl), LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
LSM_HOOK_INIT(inode_rename, ksu_inode_rename), LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid), LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND) #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
LSM_HOOK_INIT(key_permission, ksu_key_permission) LSM_HOOK_INIT(key_permission, ksu_key_permission)
#endif #endif
@@ -969,7 +983,7 @@ void __init ksu_core_init(void)
{ {
#ifdef CONFIG_KSU_LSM_SECURITY_HOOKS #ifdef CONFIG_KSU_LSM_SECURITY_HOOKS
ksu_lsm_hook_init(); ksu_lsm_hook_init();
#else #else
pr_info("ksu_core_init: LSM hooks not in use.\n"); pr_info("ksu_core_init: LSM hooks not in use.\n");
#endif #endif
} }