Hook syscalls and stable symbols (#1657)

1. Replace `do_execveat_common` with `sys_execve` and `sys_execveat` 2. Replace `input_handle_event` with `input_event` and `input_inject_event` Tested on android12-5.10-2024-04, android13-5.15-2024-04. android14-6.1-2024-04
2025-08-27 23:46:34 +00:00 · 2024-04-26 11:27:48 +08:00
parent bb03c8e2f9
commit e2b0721af5
3 changed files with 104 additions and 6 deletions
--- a/kernel/sucompat.c
+++ b/kernel/sucompat.c
@@ -39,6 +39,13 @@ static char __user *sh_user_path(void)
 	return userspace_stack_buffer(sh_path, sizeof(sh_path));
 }

+static char __user *ksud_user_path(void)
+{
+	static const char ksud_path[] = KSUD_PATH;
+
+	return userspace_stack_buffer(ksud_path, sizeof(ksud_path));
+}
+
 int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
 			 int * __unused_flags)
 {
@@ -130,6 +137,32 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 	return 0;
 }

+int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
+				 void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
+{
+	const char su[] = SU_PATH;
+	char path[sizeof(su) + 1];
+
+	if (unlikely(!filename_user))
+		return 0;
+
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+
+	if (likely(memcmp(path, su, sizeof(su))))
+		return 0;
+
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
+
+	pr_info("sys_execve su found\n");
+	*filename_user = ksud_user_path();
+
+	escape_to_root();
+
+	return 0;
+}
+
 #ifdef CONFIG_KPROBES

 __maybe_unused static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
@@ -196,6 +229,18 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	return ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
 }

+static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+	struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
+#else
+	struct pt_regs *real_regs = regs;
+#endif
+	const char __user **filename_user = (const char **)&PT_REGS_PARM1(real_regs);
+
+	return ksu_handle_execve_sucompat(AT_FDCWD, filename_user, NULL, NULL, NULL);
+}
+
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 static struct kprobe faccessat_kp = {
 	.symbol_name = SYS_FACCESSAT_SYMBOL,
@@ -228,6 +273,12 @@ static struct kprobe newfstatat_kp = {
 };
 #endif

+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
+static struct kprobe execve_kp = {
+	.symbol_name = SYS_EXECVE_SYMBOL,
+	.pre_handler = sys_execve_handler_pre,
+};
+#else
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
@@ -238,6 +289,7 @@ static struct kprobe execve_kp = {
 #endif
 	.pre_handler = execve_handler_pre,
 };
+#endif

 #endif