* ksud: Address pagefault in ksu_handle_execveat_ksud
As pointed out by @backslashxx, when strncpy pagefaults, it causes
the first_arg to be completely NULL in some systems. This causes
second_stage initialization to fail hence causing SU to be
non-functional.
This patch copies ksu_strncpy_from_user_retry from @backslashxx's
commit:
e2fe25e485
This adds a fallback to perform a normal strncpy_from_user when nofault
fails which allows us to get the first_arg in such cases.
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Signed-off-by: Edrick Sinsuan <evcsinsuan@gmail.com>
* Revert "ksud: Add second_stage init variant (#653)"
This reverts commit c6b60a24e8.
---------
Signed-off-by: Edrick Sinsuan <evcsinsuan@gmail.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
There are some ROMs based on AOSP that calls on second stage init
with argc: 2 but with first_arg: "". This causes KSU to not work
properly on those systems.
Signed-off-by: Edrick Sinsuan <evcsinsuan@gmail.com>
context: this is known by many as `selinux hook`, `4.9 hook`
add is_ksu_transition check which allows ksud execution under nosuid.
it also eases up integration on 3.X kernels that does not have check_nnp_nosuid.
Usage:
if (is_ksu_transition(old_tsec, new_tsec))
return 0;
on either check_nnp_nosuid or selinux_bprm_set_creds (after execve sid reset)
reference: dfe003c9fd
taken from:
`allow init exec ksud under nosuid`
- 3df9df42a6
- https://github.com/tiann/KernelSU/pull/166#issue-1565872173
250611-edit:
- remove ksu_execveat_hook entry check
- turns out some devices needs the transition for multiple times
Reported-by: edenadversary <143865198+edenadversary@users.noreply.github.com>
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Safe Ultra-Legacy changes that don't deserve their own commit
d_is_reg requires 4.0
- e36cb0b89c
IS_REG is still there on 6.15 so I do NOT see any issues forcing it for all.
strscpy requires 4.3
strscpy on this usage can be replaced with strncpy + null term.
kernel gives us an option though.
strlcpy is fast af, hotrod fast. It’s just memcpy + null term, so lets go with that.
it got dropped in 6.8 due to risk concerns, so for those, lets use og strscpy.
ref: openwrt/packages #26453
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Since KernelSU Manager can now be built for 32-bit, theres this problematic
setup where userspace is 32-bit (armeabi-v7a) and kernel is 64bit (aarch64).
On 64-bit kernels with CONFIG_COMPAT=y, 32-bit userspace passes 32-bit pointers.
These values are interpreted as 64-bit pointers without proper casting and that
results in invalid or near-null memory access.
This patch adds proper compat-mode handling with the ff changes:
- introduce a dedicated struct (`sepol_compat_data`) using u32 fields
- use `compat_ptr()` to safely convert 32-bit user pointers to kernel pointers
- adding a runtime `ksu_is_compat` flag to dynamically select between struct layouts
This prevents a near-null pointer dereference when handling SELinux
policy updates from 32-bit ksud in a 64-bit kernel.
Truth table:
kernel 32 + ksud 32, struct is u32, no compat_ptr
kernel 64 + ksud 32, struct is u32, yes compat_ptr
kernel 64 + ksud 64, struct is u64, no compat_ptr
Preprocessor check
64BIT=y COMPAT=y: define both structs, select dynamically
64BIT=y COMPAT=n: struct u64
64BIT=n: struct u32
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Since upstream is now making kprobes a requirement, we adapt this tree to still allow
building with manual hooks in an easier way. Furthermore, this also allows a user to
build with manual hooks even with kprobes enabled.
Offending commit:
kernel: remove unused CONFIG guard becuase GKI kernel enable kprobe by default
upstream: https://github.com/tiann/KernelSU/commit/500ff9b
Other changes:
ksud.c, stop_input_hook(), short-circuit redundant logic left by this change.
cherry pick from: https://github.com/backslashxx/KernelSU/commit/a3d3e93
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
1. Replace `do_execveat_common` with `sys_execve` and `sys_execveat`
2. Replace `input_handle_event` with `input_event` and
`input_inject_event`
Tested on android12-5.10-2024-04, android13-5.15-2024-04.
android14-6.1-2024-04
input-event-codes.h:
Input: add input-event-codes header file
(f902dd8934)
This was in 4.4-rc, so 4.4.0 or above has it else no.
aio.h:
fs: move struct kiocb to fs.h
(e2e40f2c1e)
Below this version, we need to explicitly include aio.h for struct kiocb
This was in 4.1-rc, so 4.0 or below should do the include
uaccess.h, sched.h was present for long times, but 4.10 splited out to
include/sched/ but the current ifdef is not including uaccess.h for
lower versions than 4.4. Fix it.
Basic support for the case that init_task.mnt_ns != zygote.mnt_ns(WSA),
just copy nsproxy and fs pointers for solve #276.
Note the copy in `apk_sign.c` is not required but suggested for
secure(ensure the checked mnt_ns is what ns android running, not created
by user, although many distributions does not have user ns.).
Tested with latest release on Win10 19045.3086(with WSAPatch).
Further review required for:
- [x] Security of this operation (without locking).
- [x] The impact of these modifications on other Android distributions.
Hi @tiann.
Thanks for the great project, I had great fun playing around with it.
This PR mainly tries to further minimize the possible delays caused by
KernelSU hooking.
There are 3 major changes:
- Processes with 0 < UID < 2000 are blocked straight-up before going
through the allow_list.
I don't see any need for such processes to be interested in root, and
this allows returning early before going through a more expensive
lookup.
If there's an expected breakage due to this change, I'll remove it. Let
me know.
- A page-sized (4K) bitmap is added.
This allows O(1) lookup for UID <= 32767.
This speeds up `ksu_is_allow_uid()` by about 4.8x by sacrificing a 4K
memory. IMHO, a good trade-off.
Most notably, this reduces the 99.999% result previously from worrying
milliseconds scale to microseconds scale.
For UID > 32767, another page-sized (4K) sequential array is used to
cache allow_list.
Compared to the previous PR #557, this new approach gives another nice
25% performance boost in average, 63-96% boost in worst cases.
Benchmark results are available at
https://docs.google.com/spreadsheets/d/1w_tO1zRLPNMFRer49pL1TQfL6ndEhilRrDU1XFIcWXY/edit?usp=sharing
Thanks!
---------
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
