From a89985f33e2a2cf810f3d69e4cb30c0f1a82f30b Mon Sep 17 00:00:00 2001
From: Wang Han <416810799@qq.com>
Date: Tue, 18 Feb 2025 11:07:52 +0800
Subject: [PATCH] Allow toggling unmount setting for all apps (#2450)

This fixes https://github.com/tiann/KernelSU/issues/2416.
---
 kernel/allowlist.c                                     |  5 -----
 .../java/com/rifsxd/ksunext/ui/screen/AppProfile.kt    | 10 ++++++++--
 manager/app/src/main/res/values/strings.xml            |  1 +
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/kernel/allowlist.c b/kernel/allowlist.c
index 443ce430..8a6a64ec 100644
--- a/kernel/allowlist.c
+++ b/kernel/allowlist.c
@@ -155,11 +155,6 @@ static bool profile_valid(struct app_profile *profile)
 		return false;
 	}
 
-	if (forbid_system_uid(profile->current_uid)) {
-		pr_err("uid lower than 2000 is unsupported: %d\n", profile->current_uid);
-		return false;
-	}
-
 	if (profile->version < KSU_APP_PROFILE_VER) {
 		pr_info("Unsupported profile version: %d\n", profile->version);
 		return false;
diff --git a/manager/app/src/main/java/com/rifsxd/ksunext/ui/screen/AppProfile.kt b/manager/app/src/main/java/com/rifsxd/ksunext/ui/screen/AppProfile.kt
index d771c46f..1b0ca3ca 100644
--- a/manager/app/src/main/java/com/rifsxd/ksunext/ui/screen/AppProfile.kt
+++ b/manager/app/src/main/java/com/rifsxd/ksunext/ui/screen/AppProfile.kt
@@ -95,6 +95,7 @@ fun AppProfileScreen(
     val scope = rememberCoroutineScope()
     val failToUpdateAppProfile = stringResource(R.string.failed_to_update_app_profile).format(appInfo.label)
     val failToUpdateSepolicy = stringResource(R.string.failed_to_update_sepolicy).format(appInfo.label)
+    val suNotAllowed = stringResource(R.string.su_not_allowed).format(appInfo.label)
 
     val packageName = appInfo.packageName
     val initialProfile = Natives.getAppProfile(packageName, appInfo.uid)
@@ -143,8 +144,13 @@ fun AppProfileScreen(
             },
             onProfileChange = {
                 scope.launch {
-                    if (it.allowSu && !it.rootUseDefault && it.rules.isNotEmpty()) {
-                        if (!setSepolicy(profile.name, it.rules)) {
+                    if (it.allowSu) {
+                        // sync with allowlist.c - forbid_system_uid
+                        if (appInfo.uid < 2000 && appInfo.uid != 1000) {
+                            snackBarHost.showSnackbar(suNotAllowed)
+                            return@launch
+                        }
+                        if (!it.rootUseDefault && it.rules.isNotEmpty() && !setSepolicy(profile.name, it.rules)) {
                             snackBarHost.showSnackbar(failToUpdateSepolicy)
                             return@launch
                         }
diff --git a/manager/app/src/main/res/values/strings.xml b/manager/app/src/main/res/values/strings.xml
index 98ec6c5e..35feaa19 100644
--- a/manager/app/src/main/res/values/strings.xml
+++ b/manager/app/src/main/res/values/strings.xml
@@ -134,6 +134,7 @@
     <string name="force_stop_app">Force stop</string>
     <string name="restart_app">Restart</string>
     <string name="failed_to_update_sepolicy">Failed to update SELinux rules for: %s</string>
+    <string name="su_not_allowed">Granting superuser is not allowed for: %s</string>
     <string name="module_changelog">Changelog</string>
     <string name="settings_profile_template">App Profile Template</string>
     <string name="settings_profile_template_summary">Manage local and online template of App Profile</string>