From a1553c52bd571c7f51e0d57375a82f881c72d61b Mon Sep 17 00:00:00 2001 From: Rifat Azad Date: Tue, 24 Dec 2024 08:21:10 +0600 Subject: [PATCH] Revert "kernel: added susfs v1.5.3" This reverts commit 091a35be7fd52580e5556e0ae2aef7f1d1639199. --- kernel/.gitignore | 2 - kernel/Kconfig | 135 ------------- kernel/Makefile | 106 +--------- kernel/allowlist.c | 10 +- kernel/apk_sign.c | 2 +- kernel/apk_sign.h | 2 +- kernel/core_hook.c | 422 ++------------------------------------- kernel/kernel_compat.c | 10 - kernel/kernel_compat.h | 1 - kernel/ksu.c | 16 +- kernel/ksud.c | 23 +-- kernel/ksud.h | 2 +- kernel/selinux/rules.c | 16 +- kernel/selinux/selinux.c | 95 +-------- kernel/selinux/selinux.h | 24 +-- kernel/sucompat.c | 28 +-- kernel/throne_tracker.c | 4 +- kernel/throne_tracker.h | 2 +- 18 files changed, 58 insertions(+), 842 deletions(-) delete mode 100644 kernel/.gitignore diff --git a/kernel/.gitignore b/kernel/.gitignore deleted file mode 100644 index 598e0a55..00000000 --- a/kernel/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -*.orig -*.rej \ No newline at end of file diff --git a/kernel/Kconfig b/kernel/Kconfig index 78a52858..67f177f4 100644 --- a/kernel/Kconfig +++ b/kernel/Kconfig @@ -16,139 +16,4 @@ config KSU_DEBUG help Enable KernelSU debug mode. -menu "KernelSU - SUSFS" -config KSU_SUSFS - bool "KernelSU addon - SUSFS" - depends on KSU - default y - help - Patch and Enable SUSFS to kernel with KernelSU. - -config KSU_SUSFS_SUS_PATH - bool "Enable to hide suspicious path (NOT recommended)" - depends on KSU_SUSFS - default y - help - - Allow hiding the user-defined path and all its sub-paths from various system calls. - - tmpfs filesystem is not allowed to be added. - - Effective on process with uid > 2000 only. - - Use with cautious as it may cause performance loss and will be vulnerable to side channel attacks, - just disable this feature if it doesn't work for you or you don't need it at all. - -config KSU_SUSFS_SUS_MOUNT - bool "Enable to hide suspicious mounts" - depends on KSU_SUSFS - default y - help - - Allow hiding the user-defined mount paths from /proc/self/[mounts|mountinfo|mountstat]. - - Effective on all processes for hiding mount entries. - - Mounts mounted by process with ksu domain will be forced to be assigned the dev name "KSU". - - mnt_id and mnt_group_id of the sus mount will be assigned to a much bigger number to solve the issue of id not being contiguous. - -config KSU_SUSFS_AUTO_ADD_SUS_KSU_DEFAULT_MOUNT - bool "Enable to hide KSU's default mounts automatically (experimental)" - depends on KSU_SUSFS_SUS_MOUNT - default y - help - - Automatically add KSU's default mounts to sus_mount. - - No susfs command is needed in userspace. - - Only mount operation from process with ksu domain will be checked. - -config KSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT - bool "Enable to hide suspicious bind mounts automatically (experimental)" - depends on KSU_SUSFS_SUS_MOUNT - default y - help - - Automatically add binded mounts to sus_mount. - - No susfs command is needed in userspace. - - Only mount operation from process with ksu domain will be checked. - -config KSU_SUSFS_SUS_KSTAT - bool "Enable to spoof suspicious kstat" - depends on KSU_SUSFS - default y - help - - Allow spoofing the kstat of user-defined file/directory. - - Effective on all processes. - -config KSU_SUSFS_SUS_OVERLAYFS - bool "Enable to automatically spoof kstat and kstatfs for overlayed files/directories" - depends on KSU_SUSFS - default y - help - - Automatically spoof the kstat and kstatfs for overlayed files/directories. - - No susfs command is needed in userspace. - - Effective on all processes. - -config KSU_SUSFS_TRY_UMOUNT - bool "Enable to use ksu's ksu_try_umount" - depends on KSU_SUSFS - default y - help - - Allow using ksu_try_umount to umount other user-defined mount paths prior to ksu's default umount paths. - - Effective on all NO-root-access-granted processes. - -config KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT - bool "Enable to add bind mounts to ksu's ksu_try_umount automatically (experimental)" - depends on KSU_SUSFS_TRY_UMOUNT - default y - help - - Automatically add binded mounts to ksu's ksu_try_umount. - - No susfs command is needed in userspace. - - Only mount operation from process with ksu domain will be checked. - -config KSU_SUSFS_SPOOF_UNAME - bool "Enable to spoof uname" - depends on KSU_SUSFS - default y - help - - Allow spoofing the string returned by uname syscall to user-defined string. - - Effective on all processes. - -config KSU_SUSFS_ENABLE_LOG - bool "Enable logging susfs log to kernel" - depends on KSU_SUSFS - default y - help - - Allow logging susfs log to kernel, uncheck it to completely disable all susfs log. - -config KSU_SUSFS_HIDE_KSU_SUSFS_SYMBOLS - bool "Enable to automatically hide ksu and susfs symbols from /proc/kallsyms" - depends on KSU_SUSFS - default y - help - - Automatically hide ksu and susfs symbols from '/proc/kallsyms'. - - Effective on all processes. - -config KSU_SUSFS_SPOOF_BOOTCONFIG - bool "Enable to spoof /proc/cmdline" - depends on KSU_SUSFS - default y - help - - Spoof the output of /proc/cmdline with a user-defined file. - - Effective on all processes. - -config KSU_SUSFS_OPEN_REDIRECT - bool "Enable to redirect a path to be opened with another path (experimental)" - depends on KSU_SUSFS - default y - help - - Allow redirecting a target path to be opened with another user-defined path. - - Effective only on processes with uid < 2000. - - Please be reminded that process with open access to the target and redirected path can be detected. - -config KSU_SUSFS_SUS_SU - bool "Enable SUS-SU in runtime temporarily" - depends on KSU_SUSFS && KPROBES && HAVE_KPROBES && KPROBE_EVENTS - default y - help - - Allow user to enable or disable core ksu kprobes hooks temporarily in runtime. There are 2 working modes for sus_su. - - Mode 0 (default): Disable sus_su, and enable ksu kprobe hooks for su instead. - - Mode 1 (deprecated): - - Mode 2: Enable sus_su, and disable ksu kprobe hooks for su, which means the kernel inline hooks are enabled, - the same as the su implementaion of non-gki kernel without kprobe supported. - - Only apps with root access granted by ksu manager are allowed to get root. - -endmenu - endmenu diff --git a/kernel/Makefile b/kernel/Makefile index aee30f6e..07948b68 100644 --- a/kernel/Makefile +++ b/kernel/Makefile @@ -70,112 +70,14 @@ ccflags-y += -DEXPECTED_NEXT_HASH=\"$(KSU_NEXT_EXPECTED_HASH)\" ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE) ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\" -#ifeq ($(shell grep -q "int path_umount" $(srctree)/fs/namespace.c; echo $$?),0) -#ccflags-y += -DKSU_UMOUNT -#else -#$(info -- Did you know you can backport path_umount to fs/namespace.c from 5.9?) -#$(info -- Read: https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#how-to-backport-path-umount) -#endif - +ifeq ($(shell grep -q "int path_umount" $(srctree)/fs/namespace.c; echo $$?),0) ccflags-y += -DKSU_UMOUNT - -ifneq ($(shell grep -Eq "^static int can_umount" $(srctree)/fs/namespace.c; echo $$?),0) -$(info -- KSU_SUSFS: adding function 'static int can_umount(const struct path *path, int flags);' to $(srctree)/fs/namespace.c) -CAN_UMOUNT = static int can_umount(const struct path *path, int flags)\n\ -{\n\t\ - struct mount *mnt = real_mount(path->mnt);\n\t\ - if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))\n\t\t\ - return -EINVAL;\n\t\ - if (!may_mount())\n\t\t\ - return -EPERM;\n\t\ - if (path->dentry != path->mnt->mnt_root)\n\t\t\ - return -EINVAL;\n\t\ - if (!check_mnt(mnt))\n\t\t\ - return -EINVAL;\n\t\ - if (mnt->mnt.mnt_flags & MNT_LOCKED)\n\t\t\ - return -EINVAL;\n\t\ - if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))\n\t\t\ - return -EPERM;\n\t\ - return 0;\n\ -}\n -$(shell sed -i '/^static bool is_mnt_ns_file/i $(CAN_UMOUNT)' $(srctree)/fs/namespace.c;) -endif - -ifneq ($(shell grep -Eq "^int path_umount" $(srctree)/fs/namespace.c; echo $$?),0) -$(info -- KSU_SUSFS: adding function 'int path_umount(struct path *path, int flags);' to $(srctree)/fs/namespace.c) -PATH_UMOUNT = int path_umount(struct path *path, int flags)\n\ -{\n\t\ - struct mount *mnt = real_mount(path->mnt);\n\t\ - int ret;\n\t\ - ret = can_umount(path, flags);\n\t\ - if (!ret)\n\t\t\ - ret = do_umount(mnt, flags);\n\t\ - dput(path->dentry);\n\t\ - mntput_no_expire(mnt);\n\t\ - return ret;\n\ -}\n -$(shell sed -i '/^static bool is_mnt_ns_file/i $(PATH_UMOUNT)' $(srctree)/fs/namespace.c;) -endif - -ifneq ($(shell grep -Eq "^int path_umount" $(srctree)/fs/internal.h; echo $$?),0) -$(shell sed -i '/^extern void __init mnt_init/a int path_umount(struct path *path, int flags);' $(srctree)/fs/internal.h;) -$(info -- KSU_SUSFS: adding 'int path_umount(struct path *path, int flags);' to $(srctree)/fs/internal.h) +else +$(info -- Did you know you can backport path_umount to fs/namespace.c from 5.9?) +$(info -- Read: https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#how-to-backport-path-umount) endif ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat ccflags-y += -Wno-declaration-after-statement -Wno-unused-function -ifeq ($(shell test -e $(srctree)/fs/susfs.c; echo $$?),0) -$(eval SUSFS_VERSION=$(shell cat $(srctree)/include/linux/susfs.h | grep -E '^#define SUSFS_VERSION' | cut -d' ' -f3 | sed 's/"//g')) -$(info -- SUSFS_VERSION: $(SUSFS_VERSION)) -ifdef KSU_SUSFS -ccflags-y += -DKSU_SUSFS -endif -ifdef KSU_SUSFS_SUS_PATH -ccflags-y += -DKSU_SUSFS_SUS_PATH -endif -ifdef KSU_SUSFS_SUS_MOUNT -ccflags-y += -DKSU_SUSFS_SUS_MOUNT -endif -ifdef KSU_SUSFS_AUTO_ADD_SUS_KSU_DEFAULT_MOUNT -ccflags-y += -DKSU_SUSFS_AUTO_ADD_SUS_KSU_DEFAULT_MOUNT -endif -ifdef KSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT -ccflags-y += -DKSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT -endif -ifdef KSU_SUSFS_SUS_KSTAT -ccflags-y += -DKSU_SUSFS_SUS_KSTAT -endif -ifdef KSU_SUSFS_SUS_OVERLAYFS -ccflags-y += -DKSU_SUSFS_SUS_OVERLAYFS -endif -ifdef KSU_SUSFS_TRY_UMOUNT -ccflags-y += -DKSU_SUSFS_TRY_UMOUNT -endif -ifdef KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT -ccflags-y += -DKSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT -endif -ifdef KSU_SUSFS_SPOOF_UNAME -ccflags-y += -DKSU_SUSFS_SPOOF_UNAME -endif -ifdef KSU_SUSFS_ENABLE_LOG -ccflags-y += -DKSU_SUSFS_ENABLE_LOG -endif -ifdef KSU_SUSFS_HIDE_KSU_SUSFS_SYMBOLS -ccflags-y += -DKSU_SUSFS_HIDE_KSU_SUSFS_SYMBOLS -endif -ifdef KSU_SUSFS_SPOOF_BOOTCONFIG -ccflags-y += -DKSU_SUSFS_SPOOF_BOOTCONFIG -endif -ifdef KSU_SUSFS_OPEN_REDIRECT -ccflags-y += -DKSU_SUSFS_OPEN_REDIRECT -endif -ifdef KSU_SUSFS_SUS_SU -ccflags-y += -DKSU_SUSFS_SUS_SU -endif -else -$(info -- You have not integrate susfs in your kernel.) -$(info -- Read: https://gitlab.com/simonpunk/susfs4ksu) -endif - # Keep a new line here!! Because someone may append config diff --git a/kernel/allowlist.c b/kernel/allowlist.c index 31fd5b2d..4fbba935 100644 --- a/kernel/allowlist.c +++ b/kernel/allowlist.c @@ -92,7 +92,7 @@ static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE); static struct work_struct ksu_save_work; static struct work_struct ksu_load_work; -static bool persistent_allow_list(void); +bool persistent_allow_list(void); void ksu_show_allow_list(void) { @@ -267,7 +267,7 @@ bool __ksu_is_allow_uid(uid_t uid) if (unlikely(uid == 0)) { // already root, but only allow our domain. - return ksu_is_ksu_domain(); + return is_ksu_domain(); } if (forbid_system_uid(uid)) { @@ -352,7 +352,7 @@ bool ksu_get_allow_list(int *array, int *length, bool allow) return true; } -static void do_save_allow_list(struct work_struct *work) +void do_save_allow_list(struct work_struct *work) { u32 magic = FILE_MAGIC; u32 version = FILE_FORMAT_VERSION; @@ -394,7 +394,7 @@ exit: filp_close(fp, 0); } -static void do_load_allow_list(struct work_struct *work) +void do_load_allow_list(struct work_struct *work) { loff_t off = 0; ssize_t ret = 0; @@ -484,7 +484,7 @@ void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *), void *data } // make sure allow list works cross boot -static bool persistent_allow_list(void) +bool persistent_allow_list(void) { return ksu_queue_work(&ksu_save_work); } diff --git a/kernel/apk_sign.c b/kernel/apk_sign.c index a0e3a1ef..d7428cb7 100644 --- a/kernel/apk_sign.c +++ b/kernel/apk_sign.c @@ -314,7 +314,7 @@ module_param_cb(ksu_debug_manager_uid, &expected_size_ops, #endif -bool ksu_is_manager_apk(char *path) +bool is_manager_apk(char *path) { return (check_v2_signature(path, EXPECTED_NEXT_SIZE, EXPECTED_NEXT_HASH) || check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH)); diff --git a/kernel/apk_sign.h b/kernel/apk_sign.h index e02aa514..bed501c4 100644 --- a/kernel/apk_sign.h +++ b/kernel/apk_sign.h @@ -3,6 +3,6 @@ #include -bool ksu_is_manager_apk(char *path); +bool is_manager_apk(char *path); #endif diff --git a/kernel/core_hook.c b/kernel/core_hook.c index da4fc14c..009216ef 100644 --- a/kernel/core_hook.c +++ b/kernel/core_hook.c @@ -33,10 +33,6 @@ #include #endif -#ifdef CONFIG_KSU_SUSFS -#include -#endif // #ifdef CONFIG_KSU_SUSFS - #include "allowlist.h" #include "arch.h" #include "core_hook.h" @@ -49,26 +45,9 @@ #include "throne_tracker.h" #include "kernel_compat.h" -#ifdef CONFIG_KSU_SUSFS -bool susfs_is_allow_su(void) -{ - if (is_manager()) { - // we are manager, allow! - return true; - } - return ksu_is_allow_uid(current_uid().val); -} - -extern u32 susfs_zygote_sid; -extern void susfs_run_try_umount_for_current_mnt_ns(void); -#ifdef CONFIG_KSU_SUSFS_SUS_SU -extern bool susfs_is_sus_su_ready; -#endif -#endif // #ifdef CONFIG_KSU_SUSFS - static bool ksu_module_mounted = false; -extern int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4); +extern int handle_sepolicy(unsigned long arg3, void __user *arg4); static inline bool is_allow_su() { @@ -131,7 +110,7 @@ static void setup_groups(struct root_profile *profile, struct cred *cred) set_groups(cred, group_info); } -void ksu_escape_to_root(void) +void escape_to_root(void) { struct cred *cred; @@ -188,7 +167,7 @@ void ksu_escape_to_root(void) setup_groups(profile, cred); - ksu_setup_selinux(profile->selinux_domain); + setup_selinux(profile->selinux_domain); } int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry) @@ -225,7 +204,7 @@ int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry) pr_info("renameat: %s -> %s, new path: %s\n", old_dentry->d_iname, new_dentry->d_iname, buf); - ksu_track_throne(); + track_throne(); return 0; } @@ -274,7 +253,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3, if (arg2 == CMD_GRANT_ROOT) { if (is_allow_su()) { pr_info("allow root for: %d\n", current_uid().val); - ksu_escape_to_root(); + escape_to_root(); if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) { pr_err("grant_root: prctl reply error\n"); } @@ -309,7 +288,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3, if (!post_fs_data_lock) { post_fs_data_lock = true; pr_info("post-fs-data triggered\n"); - ksu_on_post_fs_data(); + on_post_fs_data(); } break; } @@ -336,7 +315,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3, if (!from_root) { return 0; } - if (!ksu_handle_sepolicy(arg3, arg4)) { + if (!handle_sepolicy(arg3, arg4)) { if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) { pr_err("sepolicy: prctl reply error\n"); } @@ -397,335 +376,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3, return 0; } -#ifdef CONFIG_KSU_SUSFS - if (current_uid_val == 0) { -#ifdef CONFIG_KSU_SUSFS_SUS_PATH - if (arg2 == CMD_SUSFS_ADD_SUS_PATH) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_sus_path))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_PATH -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_PATH -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_sus_path((struct st_susfs_sus_path __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_SUS_PATH -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SUS_PATH -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT - if (arg2 == CMD_SUSFS_ADD_SUS_MOUNT) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_sus_mount))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_MOUNT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_MOUNT -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_sus_mount((struct st_susfs_sus_mount __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_SUS_MOUNT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT -#ifdef CONFIG_KSU_SUSFS_SUS_KSTAT - if (arg2 == CMD_SUSFS_ADD_SUS_KSTAT) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_sus_kstat))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_KSTAT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_KSTAT -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_sus_kstat((struct st_susfs_sus_kstat __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_SUS_KSTAT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_UPDATE_SUS_KSTAT) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_sus_kstat))) { - pr_err("susfs: CMD_SUSFS_UPDATE_SUS_KSTAT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_UPDATE_SUS_KSTAT -> arg5 is not accessible\n"); - return 0; - } - error = susfs_update_sus_kstat((struct st_susfs_sus_kstat __user*)arg3); - pr_info("susfs: CMD_SUSFS_UPDATE_SUS_KSTAT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_ADD_SUS_KSTAT_STATICALLY) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_sus_kstat))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_KSTAT_STATICALLY -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_SUS_KSTAT_STATICALLY -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_sus_kstat((struct st_susfs_sus_kstat __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_SUS_KSTAT_STATICALLY -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SUS_KSTAT -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT - if (arg2 == CMD_SUSFS_ADD_TRY_UMOUNT) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_try_umount))) { - pr_err("susfs: CMD_SUSFS_ADD_TRY_UMOUNT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_TRY_UMOUNT -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_try_umount((struct st_susfs_try_umount __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_TRY_UMOUNT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_RUN_UMOUNT_FOR_CURRENT_MNT_NS) { - int error = 0; - susfs_run_try_umount_for_current_mnt_ns(); - pr_info("susfs: CMD_SUSFS_RUN_UMOUNT_FOR_CURRENT_MNT_NS -> ret: %d\n", error); - } -#endif //#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -#ifdef CONFIG_KSU_SUSFS_SPOOF_UNAME - if (arg2 == CMD_SUSFS_SET_UNAME) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_uname))) { - pr_err("susfs: CMD_SUSFS_SET_UNAME -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SET_UNAME -> arg5 is not accessible\n"); - return 0; - } - error = susfs_set_uname((struct st_susfs_uname __user*)arg3); - pr_info("susfs: CMD_SUSFS_SET_UNAME -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SPOOF_UNAME -#ifdef CONFIG_KSU_SUSFS_ENABLE_LOG - if (arg2 == CMD_SUSFS_ENABLE_LOG) { - int error = 0; - if (arg3 != 0 && arg3 != 1) { - pr_err("susfs: CMD_SUSFS_ENABLE_LOG -> arg3 can only be 0 or 1\n"); - return 0; - } - susfs_set_log(arg3); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_ENABLE_LOG -#ifdef CONFIG_KSU_SUSFS_SPOOF_BOOTCONFIG - if (arg2 == CMD_SUSFS_SET_BOOTCONFIG) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, SUSFS_FAKE_BOOT_CONFIG_SIZE)) { - pr_err("susfs: CMD_SUSFS_SET_BOOTCONFIG -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SET_BOOTCONFIG -> arg5 is not accessible\n"); - return 0; - } - error = susfs_set_bootconfig((char __user*)arg3); - pr_info("susfs: CMD_SUSFS_SET_BOOTCONFIG -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SPOOF_BOOTCONFIG -#ifdef CONFIG_KSU_SUSFS_OPEN_REDIRECT - if (arg2 == CMD_SUSFS_ADD_OPEN_REDIRECT) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_susfs_open_redirect))) { - pr_err("susfs: CMD_SUSFS_ADD_OPEN_REDIRECT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_ADD_OPEN_REDIRECT -> arg5 is not accessible\n"); - return 0; - } - error = susfs_add_open_redirect((struct st_susfs_open_redirect __user*)arg3); - pr_info("susfs: CMD_SUSFS_ADD_OPEN_REDIRECT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_OPEN_REDIRECT -#ifdef CONFIG_KSU_SUSFS_SUS_SU - if (arg2 == CMD_SUSFS_SUS_SU) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(struct st_sus_su))) { - pr_err("susfs: CMD_SUSFS_SUS_SU -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SUS_SU -> arg5 is not accessible\n"); - return 0; - } - error = susfs_sus_su((struct st_sus_su __user*)arg3); - pr_info("susfs: CMD_SUSFS_SUS_SU -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif //#ifdef CONFIG_KSU_SUSFS_SUS_SU - if (arg2 == CMD_SUSFS_SHOW_VERSION) { - int error = 0; - int len_of_susfs_version = strlen(SUSFS_VERSION); - char *susfs_version = SUSFS_VERSION; - if (!ksu_access_ok((void __user*)arg3, len_of_susfs_version+1)) { - pr_err("susfs: CMD_SUSFS_SHOW_VERSION -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SHOW_VERSION -> arg5 is not accessible\n"); - return 0; - } - error = copy_to_user((void __user*)arg3, (void*)susfs_version, len_of_susfs_version+1); - pr_info("susfs: CMD_SUSFS_SHOW_VERSION -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_SHOW_ENABLED_FEATURES) { - int error = 0; - u64 enabled_features = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(u64))) { - pr_err("susfs: CMD_SUSFS_SHOW_ENABLED_FEATURES -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SHOW_ENABLED_FEATURES -> arg5 is not accessible\n"); - return 0; - } -#ifdef CONFIG_KSU_SUSFS_SUS_PATH - enabled_features |= (1 << 0); -#endif -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT - enabled_features |= (1 << 1); -#endif -#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_SUS_KSU_DEFAULT_MOUNT - enabled_features |= (1 << 2); -#endif -#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_SUS_BIND_MOUNT - enabled_features |= (1 << 3); -#endif -#ifdef CONFIG_KSU_SUSFS_SUS_KSTAT - enabled_features |= (1 << 4); -#endif -#ifdef CONFIG_KSU_SUSFS_SUS_OVERLAYFS - enabled_features |= (1 << 5); -#endif -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT - enabled_features |= (1 << 6); -#endif -#ifdef CONFIG_KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT - enabled_features |= (1 << 7); -#endif -#ifdef CONFIG_KSU_SUSFS_SPOOF_UNAME - enabled_features |= (1 << 8); -#endif -#ifdef CONFIG_KSU_SUSFS_ENABLE_LOG - enabled_features |= (1 << 9); -#endif -#ifdef CONFIG_KSU_SUSFS_HIDE_KSU_SUSFS_SYMBOLS - enabled_features |= (1 << 10); -#endif -#ifdef CONFIG_KSU_SUSFS_SPOOF_BOOTCONFIG - enabled_features |= (1 << 11); -#endif -#ifdef CONFIG_KSU_SUSFS_OPEN_REDIRECT - enabled_features |= (1 << 12); -#endif -#ifdef CONFIG_KSU_SUSFS_SUS_SU - enabled_features |= (1 << 13); -#endif - error = copy_to_user((void __user*)arg3, (void*)&enabled_features, sizeof(enabled_features)); - pr_info("susfs: CMD_SUSFS_SHOW_ENABLED_FEATURES -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_SHOW_VARIANT) { - int error = 0; - int len_of_variant = strlen(SUSFS_VARIANT); - char *susfs_variant = SUSFS_VARIANT; - if (!ksu_access_ok((void __user*)arg3, len_of_variant+1)) { - pr_err("susfs: CMD_SUSFS_SHOW_VARIANT -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SHOW_VARIANT -> arg5 is not accessible\n"); - return 0; - } - error = copy_to_user((void __user*)arg3, (void*)susfs_variant, len_of_variant+1); - pr_info("susfs: CMD_SUSFS_SHOW_VARIANT -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#ifdef CONFIG_KSU_SUSFS_SUS_SU - if (arg2 == CMD_SUSFS_IS_SUS_SU_READY) { - int error = 0; - if (!ksu_access_ok((void __user*)arg3, sizeof(susfs_is_sus_su_ready))) { - pr_err("susfs: CMD_SUSFS_IS_SUS_SU_READY -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_IS_SUS_SU_READY -> arg5 is not accessible\n"); - return 0; - } - error = copy_to_user((void __user*)arg3, (void*)&susfs_is_sus_su_ready, sizeof(susfs_is_sus_su_ready)); - pr_info("susfs: CMD_SUSFS_IS_SUS_SU_READY -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } - if (arg2 == CMD_SUSFS_SHOW_SUS_SU_WORKING_MODE) { - int error = 0; - int working_mode = susfs_get_sus_su_working_mode(); - if (!ksu_access_ok((void __user*)arg3, sizeof(working_mode))) { - pr_err("susfs: CMD_SUSFS_SHOW_SUS_SU_WORKING_MODE -> arg3 is not accessible\n"); - return 0; - } - if (!ksu_access_ok((void __user*)arg5, sizeof(error))) { - pr_err("susfs: CMD_SUSFS_SHOW_SUS_SU_WORKING_MODE -> arg5 is not accessible\n"); - return 0; - } - error = copy_to_user((void __user*)arg3, (void*)&working_mode, sizeof(working_mode)); - pr_info("susfs: CMD_SUSFS_SHOW_SUS_SU_WORKING_MODE -> ret: %d\n", error); - if (copy_to_user((void __user*)arg5, &error, sizeof(error))) - pr_info("susfs: copy_to_user() failed\n"); - return 0; - } -#endif // #ifdef CONFIG_KSU_SUSFS_SUS_SU - } -#endif //#ifdef CONFIG_KSU_SUSFS - // all other cmds are for 'root manager' if (!from_manager) { return 0; @@ -810,11 +460,7 @@ static int ksu_umount_mnt(struct path *path, int flags) #endif } -#ifdef CONFIG_KSU_SUSFS -void ksu_try_umount(const char *mnt, bool check_mnt, int flags) -#else static void try_umount(const char *mnt, bool check_mnt, int flags) -#endif { struct path path; int err = kern_path(mnt, 0, &path); @@ -838,18 +484,6 @@ static void try_umount(const char *mnt, bool check_mnt, int flags) } } -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT -void susfs_try_umount_all(uid_t uid) { - susfs_try_umount(uid); - ksu_try_umount("/system", true, 0); - ksu_try_umount("/system_ext", true, 0); - ksu_try_umount("/vendor", true, 0); - ksu_try_umount("/product", true, 0); - ksu_try_umount("/data/adb/modules", false, MNT_DETACH); - ksu_try_umount("/debug_ramdisk", false, MNT_DETACH); -} -#endif - int ksu_handle_setuid(struct cred *new, const struct cred *old) { // this hook is used for umounting overlayfs for some uid, if there isn't any module mounted, just ignore it! @@ -869,17 +503,6 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old) return 0; } -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT - // check if current process is zygote - bool is_zygote_child = susfs_is_sid_equal(old->security, susfs_zygote_sid); - if (likely(is_zygote_child)) { - // if spawned process is non user app process, run ksu_try_umount() - if (unlikely(new_uid.val < 10000 && new_uid.val >= 1000)) { - goto out_ksu_try_umount; - } - } -#endif - if (!is_appuid(new_uid) || is_unsupported_uid(new_uid.val)) { // pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val); return 0; @@ -889,12 +512,6 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old) // pr_info("handle setuid ignore allowed application: %d\n", new_uid.val); return 0; } -#ifdef CONFIG_KSU_SUSFS_SUS_PATH - else { - // if new uid is not root granted, then drop a payload to inidicate that sus_path will be effective on this uid - new->user->android_kabi_reserved2 |= USER_STRUCT_KABI2_NON_ROOT_USER_APP_PROFILE; - } -#endif if (!ksu_uid_should_umount(new_uid.val)) { return 0; @@ -904,42 +521,31 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old) #endif } -#ifndef CONFIG_KSU_SUSFS_SUS_MOUNT // check old process's selinux context, if it is not zygote, ignore it! // because some su apps may setuid to untrusted_app but they are in global mount namespace // when we umount for such process, that is a disaster! - bool is_zygote_child = ksu_is_zygote(old->security); -#endif + bool is_zygote_child = is_zygote(old->security); if (!is_zygote_child) { pr_info("handle umount ignore non zygote child: %d\n", current->pid); return 0; } - #ifdef CONFIG_KSU_DEBUG // umount the target mnt pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val, current->pid); #endif -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT -out_ksu_try_umount: -#endif -#ifdef CONFIG_KSU_SUSFS_TRY_UMOUNT - // susfs come first, and lastly umount by ksu, make sure umount in reversed order - susfs_try_umount_all(new_uid.val); -#else // fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and // filter the mountpoint whose target is `/data/adb` - ksu_try_umount("/system", true, 0); - ksu_try_umount("/vendor", true, 0); - ksu_try_umount("/product", true, 0); - ksu_try_umount("/data/adb/modules", false, MNT_DETACH); + try_umount("/system", true, 0); + try_umount("/vendor", true, 0); + try_umount("/product", true, 0); + try_umount("/data/adb/modules", false, MNT_DETACH); // try umount ksu temp path - ksu_try_umount("/debug_ramdisk", false, MNT_DETACH); - ksu_try_umount("/sbin", false, MNT_DETACH); -#endif + try_umount("/debug_ramdisk", false, MNT_DETACH); + try_umount("/sbin", false, MNT_DETACH); return 0; } diff --git a/kernel/kernel_compat.c b/kernel/kernel_compat.c index 0ec3df62..b242bc63 100644 --- a/kernel/kernel_compat.c +++ b/kernel/kernel_compat.c @@ -77,16 +77,6 @@ void ksu_android_ns_fs_check() task_unlock(current); } -int ksu_access_ok(const void *addr, unsigned long size) { -#if LINUX_VERSION_CODE < KERNEL_VERSION(5,0,0) - /* For kernels before 5.0.0, pass the type argument to access_ok. */ - return access_ok(VERIFY_READ, addr, size); -#else - /* For kernels 5.0.0 and later, ignore the type argument. */ - return access_ok(addr, size); -#endif -} - struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode) { #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI) diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h index 34050e73..ba998185 100644 --- a/kernel/kernel_compat.h +++ b/kernel/kernel_compat.h @@ -29,7 +29,6 @@ extern struct key *init_session_keyring; #endif extern void ksu_android_ns_fs_check(); -extern int ksu_access_ok(const void *addr, unsigned long size); extern struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode); extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, diff --git a/kernel/ksu.c b/kernel/ksu.c index b6dc8681..3639edc2 100644 --- a/kernel/ksu.c +++ b/kernel/ksu.c @@ -11,10 +11,6 @@ #include "ksu.h" #include "throne_tracker.h" -#ifdef CONFIG_KSU_SUSFS -#include -#endif - static struct workqueue_struct *ksu_workqueue; bool ksu_queue_work(struct work_struct *work) @@ -41,7 +37,7 @@ extern void ksu_sucompat_exit(); extern void ksu_ksud_init(); extern void ksu_ksud_exit(); -int __init ksu_kernelsu_init(void) +int __init kernelsu_init(void) { #ifdef CONFIG_KSU_DEBUG pr_alert("*************************************************************"); @@ -53,10 +49,6 @@ int __init ksu_kernelsu_init(void) pr_alert("*************************************************************"); #endif -#ifdef CONFIG_KSU_SUSFS - susfs_init(); -#endif - ksu_core_init(); ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0); @@ -80,7 +72,7 @@ int __init ksu_kernelsu_init(void) return 0; } -void ksu_kernelsu_exit(void) +void kernelsu_exit(void) { ksu_allowlist_exit(); @@ -96,8 +88,8 @@ void ksu_kernelsu_exit(void) ksu_core_exit(); } -module_init(ksu_kernelsu_init); -module_exit(ksu_kernelsu_exit); +module_init(kernelsu_init); +module_exit(kernelsu_exit); MODULE_LICENSE("GPL"); MODULE_AUTHOR("weishu"); diff --git a/kernel/ksud.c b/kernel/ksud.c index cae07380..68e47352 100644 --- a/kernel/ksud.c +++ b/kernel/ksud.c @@ -64,22 +64,17 @@ bool ksu_execveat_hook __read_mostly = true; bool ksu_input_hook __read_mostly = true; #endif -#ifdef CONFIG_KSU_SUSFS_SUS_SU -bool ksu_devpts_hook = false; -bool susfs_is_sus_su_ready = false; -#endif - u32 ksu_devpts_sid; -void ksu_on_post_fs_data(void) +void on_post_fs_data(void) { static bool done = false; if (done) { - pr_info("ksu_on_post_fs_data already done\n"); + pr_info("on_post_fs_data already done\n"); return; } done = true; - pr_info("ksu_on_post_fs_data!\n"); + pr_info("on_post_fs_data!\n"); ksu_load_allow_list(); // sanity check, this may influence the performance stop_input_hook(); @@ -202,7 +197,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr, first_arg); if (!strcmp(first_arg, "second_stage")) { pr_info("/system/bin/init second_stage executed\n"); - ksu_apply_kernelsu_rules(); + apply_kernelsu_rules(); init_second_stage_executed = true; ksu_android_ns_fs_check(); } @@ -226,7 +221,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr, pr_info("/init first arg: %s\n", first_arg); if (!strcmp(first_arg, "--second-stage")) { pr_info("/init second_stage executed\n"); - ksu_apply_kernelsu_rules(); + apply_kernelsu_rules(); init_second_stage_executed = true; ksu_android_ns_fs_check(); } @@ -263,7 +258,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr, (!strcmp(env_value, "1") || !strcmp(env_value, "true"))) { pr_info("/init second_stage executed\n"); - ksu_apply_kernelsu_rules(); + apply_kernelsu_rules(); init_second_stage_executed = true; ksu_android_ns_fs_check(); @@ -278,7 +273,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr, first_app_process = false; pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed); - ksu_on_post_fs_data(); // we keep this for old ksud + on_post_fs_data(); // we keep this for old ksud stop_execve_hook(); } @@ -621,10 +616,6 @@ static void stop_execve_hook() ksu_execveat_hook = false; pr_info("stop execve_hook\n"); #endif -#ifdef CONFIG_KSU_SUSFS_SUS_SU - susfs_is_sus_su_ready = true; - pr_info("susfs: sus_su is ready\n"); -#endif } static void stop_input_hook() diff --git a/kernel/ksud.h b/kernel/ksud.h index 26974c9c..cc2df243 100644 --- a/kernel/ksud.h +++ b/kernel/ksud.h @@ -5,7 +5,7 @@ #define KSUD_PATH "/data/adb/ksud" -void ksu_on_post_fs_data(void); +void on_post_fs_data(void); bool ksu_is_safe_mode(void); diff --git a/kernel/selinux/rules.c b/kernel/selinux/rules.c index e4c65106..1ba6d853 100644 --- a/kernel/selinux/rules.c +++ b/kernel/selinux/rules.c @@ -36,9 +36,9 @@ static struct policydb *get_policydb(void) return db; } -void ksu_apply_kernelsu_rules() +void apply_kernelsu_rules() { - if (!ksu_getenforce()) { + if (!getenforce()) { pr_info("SELinux permissive or disabled, apply rules!\n"); } @@ -134,14 +134,6 @@ void ksu_apply_kernelsu_rules() ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid"); ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill"); -#ifdef CONFIG_KSU_SUSFS - // Allow umount in zygote process without installing zygisk - ksu_allow(db, "zygote", "labeledfs", "filesystem", "unmount"); - susfs_set_init_sid(); - susfs_set_ksu_sid(); - susfs_set_zygote_sid(); -#endif - rcu_read_unlock(); } @@ -203,13 +195,13 @@ static void reset_avc_cache() selinux_xfrm_notify_policyload(); } -int ksu_handle_sepolicy(unsigned long arg3, void __user *arg4) +int handle_sepolicy(unsigned long arg3, void __user *arg4) { if (!arg4) { return -1; } - if (!ksu_getenforce()) { + if (!getenforce()) { pr_info("SELinux permissive or disabled when handle policy!\n"); } diff --git a/kernel/selinux/selinux.c b/kernel/selinux/selinux.c index e171e010..4ba20b04 100644 --- a/kernel/selinux/selinux.c +++ b/kernel/selinux/selinux.c @@ -8,14 +8,6 @@ #define KERNEL_SU_DOMAIN "u:r:su:s0" -#ifdef CONFIG_KSU_SUSFS -#define KERNEL_INIT_DOMAIN "u:r:init:s0" -#define KERNEL_ZYGOTE_DOMAIN "u:r:zygote:s0" -u32 susfs_ksu_sid = 0; -u32 susfs_init_sid = 0; -u32 susfs_zygote_sid = 0; -#endif - static int transive_to_domain(const char *domain) { struct cred *cred; @@ -45,7 +37,7 @@ static int transive_to_domain(const char *domain) return error; } -void ksu_setup_selinux(const char *domain) +void setup_selinux(const char *domain) { if (transive_to_domain(domain)) { pr_err("transive domain failed.\n"); @@ -60,7 +52,7 @@ if (!is_domain_permissive) { }*/ } -void ksu_setenforce(bool enforce) +void setenforce(bool enforce) { #ifdef CONFIG_SECURITY_SELINUX_DEVELOP #ifdef KSU_COMPAT_USE_SELINUX_STATE @@ -71,7 +63,7 @@ void ksu_setenforce(bool enforce) #endif } -bool ksu_getenforce() +bool getenforce() { #ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef KSU_COMPAT_USE_SELINUX_STATE @@ -107,7 +99,7 @@ static inline u32 current_sid(void) } #endif -bool ksu_is_ksu_domain() +bool is_ksu_domain() { char *domain; u32 seclen; @@ -121,7 +113,7 @@ bool ksu_is_ksu_domain() return result; } -bool ksu_is_zygote(void *sec) +bool is_zygote(void *sec) { struct task_security_struct *tsec = (struct task_security_struct *)sec; if (!tsec) { @@ -139,83 +131,6 @@ bool ksu_is_zygote(void *sec) return result; } -#ifdef CONFIG_KSU_SUSFS -static inline void susfs_set_sid(const char *secctx_name, u32 *out_sid) -{ - int err; - - if (!secctx_name || !out_sid) { - pr_err("secctx_name || out_sid is NULL\n"); - return; - } - - err = security_secctx_to_secid(secctx_name, strlen(secctx_name), - out_sid); - if (err) { - pr_err("failed setting sid for '%s', err: %d\n", secctx_name, err); - return; - } - pr_info("sid '%u' is set for secctx_name '%s'\n", *out_sid, secctx_name); -} - -bool susfs_is_sid_equal(void *sec, u32 sid2) { - struct task_security_struct *tsec = (struct task_security_struct *)sec; - if (!tsec) { - return false; - } - return tsec->sid == sid2; -} - -u32 susfs_get_sid_from_name(const char *secctx_name) -{ - u32 out_sid = 0; - int err; - - if (!secctx_name) { - pr_err("secctx_name is NULL\n"); - return 0; - } - err = security_secctx_to_secid(secctx_name, strlen(secctx_name), - &out_sid); - if (err) { - pr_err("failed getting sid from secctx_name: %s, err: %d\n", secctx_name, err); - return 0; - } - return out_sid; -} - -u32 susfs_get_current_sid(void) { - return current_sid(); -} - -void susfs_set_zygote_sid(void) -{ - susfs_set_sid(KERNEL_ZYGOTE_DOMAIN, &susfs_zygote_sid); -} - -bool susfs_is_current_zygote_domain(void) { - return unlikely(current_sid() == susfs_zygote_sid); -} - -void susfs_set_ksu_sid(void) -{ - susfs_set_sid(KERNEL_SU_DOMAIN, &susfs_ksu_sid); -} - -bool susfs_is_current_ksu_domain(void) { - return unlikely(current_sid() == susfs_ksu_sid); -} - -void susfs_set_init_sid(void) -{ - susfs_set_sid(KERNEL_INIT_DOMAIN, &susfs_init_sid); -} - -bool susfs_is_current_init_domain(void) { - return unlikely(current_sid() == susfs_init_sid); -} -#endif - #define DEVPTS_DOMAIN "u:object_r:ksu_file:s0" u32 ksu_get_devpts_sid() diff --git a/kernel/selinux/selinux.h b/kernel/selinux/selinux.h index d0dfdf9c..07120c25 100644 --- a/kernel/selinux/selinux.h +++ b/kernel/selinux/selinux.h @@ -8,29 +8,17 @@ #define KSU_COMPAT_USE_SELINUX_STATE #endif -void ksu_setup_selinux(const char *); +void setup_selinux(const char *); -void ksu_setenforce(bool); +void setenforce(bool); -bool ksu_getenforce(); +bool getenforce(); -bool ksu_is_ksu_domain(); +bool is_ksu_domain(); -bool ksu_is_zygote(void *cred); +bool is_zygote(void *cred); -void ksu_apply_kernelsu_rules(); - -#ifdef CONFIG_KSU_SUSFS_SUS_MOUNT -bool susfs_is_sid_equal(void *sec, u32 sid2); -u32 susfs_get_sid_from_name(const char *secctx_name); -u32 susfs_get_current_sid(void); -void susfs_set_zygote_sid(void); -bool susfs_is_current_zygote_domain(void); -void susfs_set_ksu_sid(void); -bool susfs_is_current_ksu_domain(void); -void susfs_set_init_sid(void); -bool susfs_is_current_init_domain(void); -#endif +void apply_kernelsu_rules(); u32 ksu_get_devpts_sid(); diff --git a/kernel/sucompat.c b/kernel/sucompat.c index 9fd4f48f..9b45cd0d 100644 --- a/kernel/sucompat.c +++ b/kernel/sucompat.c @@ -24,7 +24,7 @@ #define SU_PATH "/system/bin/su" #define SH_PATH "/system/bin/sh" -extern void ksu_escape_to_root(); +extern void escape_to_root(); static void __user *userspace_stack_buffer(const void *d, size_t len) { @@ -136,7 +136,7 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr, pr_info("do_execveat_common su found\n"); memcpy((void *)filename->name, sh, sizeof(sh)); - ksu_escape_to_root(); + escape_to_root(); return 0; } @@ -163,7 +163,7 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, pr_info("sys_execve su found\n"); *filename_user = ksud_user_path(); - ksu_escape_to_root(); + escape_to_root(); return 0; } @@ -365,25 +365,3 @@ void ksu_sucompat_exit() unregister_kprobe(&pts_unix98_lookup_kp); #endif } - - -#ifdef CONFIG_KSU_SUSFS_SUS_SU -extern bool ksu_devpts_hook; - -void ksu_susfs_disable_sus_su(void) { - enable_kprobe(&execve_kp); - enable_kprobe(&newfstatat_kp); - enable_kprobe(&faccessat_kp); - enable_kprobe(&pts_unix98_lookup_kp); - ksu_devpts_hook = false; -} - -void ksu_susfs_enable_sus_su(void) { - disable_kprobe(&execve_kp); - disable_kprobe(&newfstatat_kp); - disable_kprobe(&faccessat_kp); - disable_kprobe(&pts_unix98_lookup_kp); - ksu_devpts_hook = true; -} -#endif - diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c index e7ae295e..725c9103 100644 --- a/kernel/throne_tracker.c +++ b/kernel/throne_tracker.c @@ -182,7 +182,7 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name, } } - bool is_manager = ksu_is_manager_apk(dirpath); + bool is_manager = is_manager_apk(dirpath); pr_info("Found new base.apk at path: %s, is_manager: %d\n", dirpath, is_manager); if (is_manager) { @@ -278,7 +278,7 @@ static bool is_uid_exist(uid_t uid, char *package, void *data) return exist; } -void ksu_track_throne() +void track_throne() { struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0); diff --git a/kernel/throne_tracker.h b/kernel/throne_tracker.h index 428c737d..5d7f4770 100644 --- a/kernel/throne_tracker.h +++ b/kernel/throne_tracker.h @@ -5,6 +5,6 @@ void ksu_throne_tracker_init(); void ksu_throne_tracker_exit(); -void ksu_track_throne(); +void track_throne(); #endif