From adce65758374e50b1c25f169736c73e53c2b31f9 Mon Sep 17 00:00:00 2001
From: F-19-F <58457605+F-19-F@users.noreply.github.com>
Date: Sat, 7 Jun 2025 20:59:22 +0800
Subject: [PATCH] kernel: ksud: provide is_ksu_transition check v2 context: this is known by many as `selinux hook`, `4.9 hook` add is_ksu_transition check which allows ksud execution under nosuid. it also eases up integration on 3.X kernels that does not have check_nnp_nosuid. Usage: if (is_ksu_transition(old_tsec, new_tsec)) return 0; on either check_nnp_nosuid or selinux_bprm_set_creds (after execve sid reset) reference: https://github.com/backslashxx/msm8953-kernel/commits/dfe003c9fdfa394a2bffe74668987a19a0d2f546 taken from: `allow init exec ksud under nosuid` - https://github.com/LineageOS/android_kernel_oneplus_msm8998/commit/3df9df42a659f489091445d813b8c0477215ae3a - https://github.com/tiann/KernelSU/pull/166#issue-1565872173 250611-edit: - remove ksu_execveat_hook entry check - turns out some devices needs the transition for multiple times
Reported-by: edenadversary <143865198+edenadversary@users.noreply.github.com>
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
---
 kernel/ksud.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/kernel/ksud.c b/kernel/ksud.c
index 74538aeb..cdd32711 100644
--- a/kernel/ksud.c
+++ b/kernel/ksud.c
@@ -632,6 +632,29 @@ static void do_stop_input_hook(struct work_struct *work)
 }
 #endif
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+#include "objsec.h" // task_security_struct
+bool is_ksu_transition(const struct task_security_struct *old_tsec,
+ const struct task_security_struct *new_tsec)
+{
+ static u32 ksu_sid;
+ char *secdata;
+ u32 seclen;
+ bool allowed = false;
+
+ if (!ksu_sid)
+ security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);
+
+ if (security_secid_to_secctx(old_tsec->sid, &secdata, &seclen))
+ return false;
+
+ allowed = (!strcmp("u:r:init:s0", secdata) && new_tsec->sid == ksu_sid);
+ security_release_secctx(secdata, seclen);
+
+ return allowed;
+}
+#endif
+
 static void stop_vfs_read_hook()
 {
 #ifdef CONFIG_KSU_KPROBES_HOOK
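Review bot: is_ksu_transition() matches only on the domain pair (old context `u:r:init:s0`, new SID resolved from `u:r:su:s0`), so every init-to-su exec is exempted from the nosuid/NNP check rather than the ksud binary alone, and since the commit message says the ksu_execveat_hook entry check was removed, the exemption presumably stays in force after boot. A comment above the function should record that trust assumption, e.g. `/* exempts any u:r:init:s0 -> u:r:su:s0 exec from nosuid/NNP; relies on SELinux policy to restrict who may enter su */`. The result of `security_secctx_to_secid()` is also discarded, and failing closed would be clearer: `if (!ksu_sid && security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid)) return false;`. The function is non-static, but this patch adds no prototype to a header, so callers in the SELinux hooks would have to carry their own declaration.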