kernel: core_hook: intercept devpts via security_inode_permission LSM (#480)

`ksu handles devpts with selinux lsm hook` - aviraxp - no, not yet, but yes we can, thats a good idea. This change tries to do that, so instead of hooking pts_unix98_lookup or devpts_get_priv, we just watch security_inode_permission, if its devpts, pass it along to the original handler. Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-08-27 23:46:34 +00:00 · 2025-06-05 02:20:53 +02:00
parent 84fdcf8bf5
commit 3921175e4c
1 changed files with 17 additions and 3 deletions
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -738,6 +738,19 @@ __maybe_unused int ksu_kprobe_exit(void)
 	return 0;
 }

+extern int ksu_handle_devpts(struct inode *inode); // sucompat.c
+
+static int ksu_inode_permission(struct inode *inode, int mask)
+{
+	if (unlikely(inode->i_sb && inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC)) {
+#ifdef CONFIG_KSU_DEBUG
+		pr_info("%s: devpts inode accessed with mask: %x\n", __func__, mask);
+#endif
+		ksu_handle_devpts(inode);
+	}
+	return 0;
+}
+
 // kernel 4.9 and older
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
 int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
@@ -781,6 +794,7 @@ static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
+	LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
 	LSM_HOOK_INIT(key_permission, ksu_key_permission)
 #endif