Commit Graph

443 Commits

Author SHA1 Message Date
backslashxx
80bd797737 kernel: ksud: remove read_iter requirement
nothing uses this on old kernels, so even backporting this to file_operations
is not really needed

https://elixir.bootlin.com/linux/v3.16.85/source/include/linux/fs.h#L1487

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:14:12 +06:00
backslashxx
600d9ce5d2 kernel: throne_tracker: resolve s_magic for < 3.9
throne_tracker, cross-fs avoidance:
f_inode is f_path.dentry->d_inode
so file->f_inode->i_sb->s_magic is file->f_path.dentry->d_inode->i_sb->s_magic

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:14:03 +06:00
backslashxx
f15d9b18e9 kernel: ksud: d_is_reg to IS_REG
d_is_reg requires 4.0
 - e36cb0b89c
IS_REG is still there on 6.15 so I do NOT see any issues forcing it for all.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:13:13 +06:00
backslashxx
aa19e8c609 kernel: throne_tracker: add strscpy/strlcpy compat
strscpy requires 4.3
strscpy on this usage can be replaced with strncpy + null term.
kernel gives us an option though.
strlcpy is fast af, hotrod fast. It’s just memcpy + null term, so let's go with that.
it got dropped in 6.8 due to risk concerns, so for those, let's use og strscpy.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:13:06 +06:00
backslashxx
2b2320000c kernel: throne_tracker: remove unneeded check here
come to think of it, this part is only about folders
2025-06-14 20:12:51 +06:00
backslashxx
06135cc827 kernel: apk_sign: loop file open on is_manager_apk
let's loop on this and wait for installation to finish

this is the third race.
2025-06-14 20:12:14 +06:00
backslashxx
fc58bdf0e2 kernel: throne_tracker: harden packages.list checker further 2025-06-14 20:08:53 +06:00
backslashxx
9b5e60912d kernel: throne_tracker, apk_sign: functionify d_lock spinlock check 2025-06-14 20:08:23 +06:00
backslashxx
c108a8ed32 kernel: throne_tracker: harden track_throne_function file read
this probably won't happen, but just to make sure: we don't block the rename now,
so there is really a chance that this does not exist yet when the kthread runs.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:07:24 +06:00
F-19-F
adce657583 kernel: ksud: provide is_ksu_transition check v2
context: this is known by many as `selinux hook`, `4.9 hook`

add is_ksu_transition check which allows ksud execution under nosuid.
it also eases up integration on 3.X kernels that do not have check_nnp_nosuid.

Usage:
	if (is_ksu_transition(old_tsec, new_tsec))
		return 0;

on either check_nnp_nosuid or selinux_bprm_set_creds (after execve sid reset)

reference: dfe003c9fd

taken from:
`allow init exec ksud under nosuid`
- 3df9df42a6
- https://github.com/tiann/KernelSU/pull/166#issue-1565872173

250611-edit:
- remove ksu_execveat_hook entry check
- turns out some devices need the transition multiple times

Reported-by: edenadversary <143865198+edenadversary@users.noreply.github.com>
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:07:16 +06:00
rsuntk
d6601e1e54 kernel: core_hook: fix refcount leaks on try_umount (#2635)
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:03:30 +06:00
backslashxx
0d4efa649f kernel: throne_tracker: avoid cross-fs traversal using s_magic check (#2633)
Skip directories that do NOT have the same magic as /data/app.
This is to avoid scanning incfs and any other stacked filesystems.

While this is way dumber, it's way cheaper.
no kern_path(), no missable path_put(), no ref handling.

This supersedes
`throne_tracker: avoid cross fs access
(https://github.com/tiann/KernelSU/pull/2626)`
- upstream
0b6998b474

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-14 20:03:04 +06:00
Wang Han
85f4e6ac27 Switch to prepare_creds/commit_creds (#2631)
Update the API as the kernel doc recommends, and also fix the setup_groups refcount
leak while at it.
2025-06-14 20:01:36 +06:00
Rifat Azad
c91f9c18ec Revert "kernel: ksud, throne_tracker: small changes for UL"
This reverts commit c4deee1e49.
2025-06-14 19:54:59 +06:00
Rifat Azad
bf35f73430 Revert "kernel: throne_tracker: move throne_tracker to kthread"
This reverts commit 6a6fc07cd4.
2025-06-14 19:54:36 +06:00
Paul
3921175e4c kernel: core_hook: intercept devpts via security_inode_permission LSM (#480)
`ksu handles devpts with selinux lsm hook` - aviraxp

- no, not yet, but yes we can, that's a good idea.

This change tries to do that, so instead of hooking pts_unix98_lookup or
devpts_get_priv, we just watch security_inode_permission; if it's devpts,
pass it along to the original handler.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-05 06:20:53 +06:00
5ec1cff
84fdcf8bf5 throne_tracker: avoid cross fs access 2025-06-03 03:30:54 +06:00
backslashxx
c4deee1e49 kernel: ksud, throne_tracker: small changes for UL
Safe Ultra-Legacy changes that don't deserve their own commit

d_is_reg requires 4.0
 - e36cb0b89c
IS_REG is still there on 6.15 so I do NOT see any issues forcing it for all.

strscpy requires 4.3
strscpy on this usage can be replaced with strncpy + null term.
kernel gives us an option though.
strlcpy is fast af, hotrod fast. It’s just memcpy + null term, so let's go with that.
it got dropped in 6.8 due to risk concerns, so for those, let's use og strscpy.
ref: openwrt/packages #26453

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-01 20:09:20 +06:00
Yaroslav Zviezda
6a6fc07cd4 kernel: throne_tracker: move throne_tracker to kthread
Runs throne_tracker() in kthread instead of blocking the caller.
Prevents full lockup during installing and removing the manager.

This also looks for manager UID in /data/system/packages.list, not
/data/system/packages.list.tmp

A nice additional side effect is faster booting.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-Authored-By: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-06-01 20:03:38 +06:00
rifsxd
d5dfecefea Revert "kernel: Makefile: sanity checks"
This reverts commit 26d3ec14a6.
2025-05-21 18:07:46 +06:00
rifsxd
ce37e17c87 kernel: added CMD_HOOK_MODE prctl to get the enabled su hook mode value 2025-05-21 18:07:41 +06:00
rifsxd
eed685507a kernel: rename KSU_WITH_KPROBES to KSU_KPROBES_HOOK to be more self-explanatory 2025-05-21 15:13:17 +06:00
backslashxx
26d3ec14a6 kernel: Makefile: sanity checks 2025-05-21 15:09:33 +06:00
backslashxx
27d8bc458f kernel: sucompat: increase reliability of execve_sucompat
On plain ARMv8.0 devices (A53,A57,A73), strncpy_from_user_nofault() sometimes
fails to copy `filename_user` string correctly. This breaks su ofc, breaking
some apps like Termux (Play Store ver), ZArchiver and Root Explorer.

This does NOT seem to affect newer ARMv8.2+ CPUs (A75/A76 and newer)

My speculation? ARMv8.0 has weak speculation :)

here we replace `strncpy_from_user_nofault()` with another routine:
 - access_ok() to validate the pointer
 - strncpy_from_user() to copy and validate string
 - manual null-termination just in case, as strncpy_from_user_nofault also does it
 - remove that memset, seems useless as it is a strncpy, not strncat

Kind of mimicking _nofault, but yes with this one we allow pagefaults.

Tested on:
- ARMv8.0 A73.a53, A57.a53, A53.a53
- ARMv8.2 A76.a55

Tested-by: iDead XD <rafifirdaus12bb@gmail.com>
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-05-21 15:01:01 +06:00
backslashxx
980f71c1bd kernel: core_hook: fixup 217d230b (#402)
Reported-by: Trijal Saha <97483939+Trijal08@users.noreply.github.com>
2025-05-19 22:49:44 +06:00
backslashxx
9e150b2c44 ksud/installer: /odm handling
we move the folder out of system if it exists in the real filesystem and it
is not a symlink.
this is already supported in init_event.rs, so only handle_partition
logic was needed to make it happen

since KernelSU is using overlayfs, we need to move these out.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>

---------

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-05-18 03:42:32 +06:00
backslashxx
217d230b61 kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig
disabling this removes the need for LSM_HOOK_INIT, security_add_hooks and such.
furthermore, this will also allow easier integration on pre-4.1 kernels.
Expose this and make it a configurable option.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-05-18 03:23:12 +06:00
backslashxx
ba1b3c4fc7 kernel/throne_tracker: we just uninstalled the manager, stop looking for it
When the manager UID disappears from packages.list, we correctly
invalidate it — good. But, in the very next breath, we start scanning
/data/app hoping to find it again?

This event is just unnecessary I/O, exactly when we should be doing less.
Apparently this causes hangups and stuck-ups, which are REALLY noticeable
on Ultra-Legacy devices.

Skip the scan — we’ll catch the reinstall next time packages.list updates.

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-05-18 03:23:12 +06:00
backslashxx
5f871cd713 kernel/selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels
Since KernelSU Manager can now be built for 32-bit, there's this problematic
setup where userspace is 32-bit (armeabi-v7a) and the kernel is 64-bit (aarch64).

On 64-bit kernels with CONFIG_COMPAT=y, 32-bit userspace passes 32-bit pointers.
These values are interpreted as 64-bit pointers without proper casting and that
results in invalid or near-null memory access.

This patch adds proper compat-mode handling with the following changes:
- introduce a dedicated struct (`sepol_compat_data`) using u32 fields
- use `compat_ptr()` to safely convert 32-bit user pointers to kernel pointers
- add a runtime `ksu_is_compat` flag to dynamically select between struct layouts

This prevents a near-null pointer dereference when handling SELinux
policy updates from 32-bit ksud in a 64-bit kernel.

Truth table:

kernel 32 + ksud 32, struct is u32, no compat_ptr
kernel 64 + ksud 32, struct is u32, yes compat_ptr
kernel 64 + ksud 64, struct is u64, no compat_ptr

Preprocessor check

64BIT=y COMPAT=y: define both structs, select dynamically
64BIT=y COMPAT=n: struct u64
64BIT=n: struct u32

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-05-18 03:23:12 +06:00
backslashxx
4a37422af5 kernel/sucompat: sync to KSU pr #2506
kernel: sucompat: sucompat toggle support for non-kp

This is done like how vfs_read_hook, input_hook and execve_hook are disabled.
While this is not exactly the same thing, this CAN achieve the same results.
The complete disabling of all KernelSU hooks.

While this is likely unneeded, it keeps feature parity to non-kprobe builds.

adapted from upstream:
	kernel: Allow to re-enable sucompat - 4593ae81c7

Rejected: https://github.com/tiann/KernelSU/pull/2506

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>

kernel: sucompat: fix compile issue on kprobe builds, unused variable
2025-05-18 03:23:12 +06:00
5ec1cff
35c98aee76 Fix off-by-one when iterating dir (#2530)
Fix https://github.com/tiann/KernelSU/issues/2528
2025-04-02 14:09:44 +06:00
Wang Han
dfea38e0f2 Skip staging package when searching manager (#2511) 2025-04-02 14:09:22 +06:00
Wang Han
1c9705fdd0 Set KSU_APP_PROFILE_VER for shell (#2481)
This reverts commit bd24044ec3.
2025-03-10 22:16:22 +06:00
AlexLiuDev233
f369297be9 kernel: fix sometimes sucompat can not toggle by manager (#2484)
When the manager is already running, if other programs / the kernel toggle
the sucompat enable status,
the manager "Disable SU Compat" toggle button cannot work, and kmesg prints
"cmd enable su but no need to change."

I think we should still return reply_ok when the syscall value is
consistent with the kernel, which would fix the issue.
2025-03-10 22:16:03 +06:00
backslashxx
7218a504c9 kernel: ksud: add ksu_handle_execve_ksud (#217)
adapted from sys_execve_handler_pre()
upstream, https://github.com/tiann/KernelSU/commit/2027ac3

this completes the puzzle where all hooks are on syscalls

ksu_handle_execve_ksud
- sets argv to __argv, dunno what this is for, I just copied.
- creates dummy struct `filename_in` to store filename in `filename_in.name`
- strncpy filename to path, assign path to .name
- simply a shim for ksu_handle_execveat_ksud

usage: `ksu_handle_execve_ksud(filename, argv);` on sys_execve

tested on 4.14, 6.1

Tested-by: selfmusing <mirandamehek@gmail.com>
Tested-by: Adam W. Willis <return.of.octobot@gmail.com>

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Co-authored-by: Another Guy <25584417+anotherjin@users.noreply.github.com>
2025-03-09 14:33:26 +06:00
rifsxd
7a08683c74 kernel: remove unnecessary umount calls for configuration directories (evil modifications) 2025-02-25 19:48:20 +06:00
rifsxd
487e7d0012 kernel: simplify umount calls for configuration files 2025-02-25 15:37:12 +06:00
Wang Han
0038ba6566 Fix reference count leak in nuke_ext4_sysfs() (#2467)
We need to call path_put() to decrease the refcount.
2025-02-24 02:48:39 +06:00
rifsxd
e8c080ba09 src: adapt git links to KernelSU-Next org 2025-02-24 02:18:02 +06:00
Rifat Azad
785d8143fb kernel: remove KSU_WITH_KPROBES definition since it's already defined by Kconfig 2025-02-24 01:29:28 +06:00
backslashxx
cd0031e8a5 kernel: expose variables used by manual hooks always 2025-02-23 22:58:00 +06:00
backslashxx
15371bb1d6 kernel: add non-kprobe support for sucompat disable/enable
I have no idea if this is needed or of any use for manual fs hooks users.
Upstream, this is likely to, well, simply disable hooking of those functions,
to remove and mitigate timing issues as some detection methods can actually
differentiate these.

This is done like how vfs_read_hook, input_hook and execve_hook are disabled.
While this is not exactly the same thing, this *CAN* achieve the same results.
The complete disabling of all KernelSU hooks.

While this is probably not so useful for us, honestly, I have no idea for shit
what I am doing, but lets still port it for the sake of feature parity.

cherry pick from:
	kernel: backport support for sucompat disable/enable
	https://github.com/backslashxx/KernelSU/commit/20ffabb

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-02-23 22:11:50 +06:00
backslashxx
097451d578 kernel: guard functionality that requires kprobes
Since upstream is now making kprobes a requirement, we adapt this tree to still allow
building with manual hooks in an easier way. Furthermore, this also allows a user to
build with manual hooks even with kprobes enabled.

Offending commit:
	kernel: remove unused CONFIG guard because GKI kernel enable kprobe by default
	upstream: https://github.com/tiann/KernelSU/commit/500ff9b

Other changes:
	ksud.c, stop_input_hook(), short-circuit redundant logic left by this change.
	cherry pick from: https://github.com/backslashxx/KernelSU/commit/a3d3e93

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
2025-02-23 21:00:59 +06:00
weishu
85866848ea kernel: Allow to re-enable sucompat 2025-02-23 20:37:34 +06:00
weishu
bb6c20339c kernel: add support for disabling sucompat 2025-02-23 20:05:55 +06:00
Wang Han
a89985f33e Allow toggling unmount setting for all apps (#2450)
This fixes https://github.com/tiann/KernelSU/issues/2416.
2025-02-22 04:48:44 +06:00
rifsxd
42896dfab1 kernel: add umount calls for pixelify gphotos spoof configs and lsposed dex2oat bin 2025-02-22 04:40:28 +06:00
weishu
74171a2930 kernel: unregister sysfs for module's ext4 image 2025-02-21 17:02:33 +06:00
rifsxd
a2fcd157a2 Revert "kernel: do not umount modules by default"
This reverts commit bbb05b292a.
2025-02-14 21:32:43 +06:00
rifsxd
bbb05b292a kernel: do not umount modules by default 2025-02-14 19:45:19 +06:00