You've already forked KernelSU
mirror of
https://github.com/tiann/KernelSU.git
synced 2025-08-27 23:46:34 +00:00
Compare commits
3 Commits
20b37d9659
...
aviraxp-pa
| Author | SHA1 | Date | |
|---|---|---|---|
|
9d5c501970 | ||
|
|
031f41e6be | ||
|
|
c3e9322ac6 |
@@ -62,7 +62,7 @@ static inline bool is_allow_su()
|
|||||||
return ksu_is_allow_uid(current_uid().val);
|
return ksu_is_allow_uid(current_uid().val);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline bool is_unsupported_uid(uid_t uid)
|
static inline bool is_unsupported_app_uid(uid_t uid)
|
||||||
{
|
{
|
||||||
#define LAST_APPLICATION_UID 19999
|
#define LAST_APPLICATION_UID 19999
|
||||||
uid_t appid = uid % 100000;
|
uid_t appid = uid % 100000;
|
||||||
@@ -505,14 +505,13 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool is_appuid(kuid_t uid)
|
static bool is_non_appuid(kuid_t uid)
|
||||||
{
|
{
|
||||||
#define PER_USER_RANGE 100000
|
#define PER_USER_RANGE 100000
|
||||||
#define FIRST_APPLICATION_UID 10000
|
#define FIRST_APPLICATION_UID 10000
|
||||||
#define LAST_APPLICATION_UID 19999
|
|
||||||
|
|
||||||
uid_t appid = uid.val % PER_USER_RANGE;
|
uid_t appid = uid.val % PER_USER_RANGE;
|
||||||
return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
|
return appid < FIRST_APPLICATION_UID;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool should_umount(struct path *path)
|
static bool should_umount(struct path *path)
|
||||||
@@ -584,13 +583,25 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!is_appuid(new_uid) || is_unsupported_uid(new_uid.val)) {
|
if (is_non_appuid(new_uid)) {
|
||||||
// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
|
#ifdef CONFIG_KSU_DEBUG
|
||||||
|
pr_info("handle setuid ignore non application uid: %d\n", new_uid.val);
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// isolated process may be directly forked from zygote, always unmount
|
||||||
|
if (is_unsupported_app_uid(new_uid.val)) {
|
||||||
|
#ifdef CONFIG_KSU_DEBUG
|
||||||
|
pr_info("handle umount for unsupported application uid: %d\n", new_uid.val);
|
||||||
|
#endif
|
||||||
|
goto do_umount;
|
||||||
|
}
|
||||||
|
|
||||||
if (ksu_is_allow_uid(new_uid.val)) {
|
if (ksu_is_allow_uid(new_uid.val)) {
|
||||||
// pr_info("handle setuid ignore allowed application: %d\n", new_uid.val);
|
#ifdef CONFIG_KSU_DEBUG
|
||||||
|
pr_info("handle setuid ignore allowed application: %d\n", new_uid.val);
|
||||||
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -602,11 +613,11 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
do_umount:
|
||||||
// check old process's selinux context, if it is not zygote, ignore it!
|
// check old process's selinux context, if it is not zygote, ignore it!
|
||||||
// because some su apps may setuid to untrusted_app but they are in global mount namespace
|
// because some su apps may setuid to untrusted_app but they are in global mount namespace
|
||||||
// when we umount for such process, that is a disaster!
|
// when we umount for such process, that is a disaster!
|
||||||
bool is_zygote_child = is_zygote(old->security);
|
if (!is_zygote(old->security)) {
|
||||||
if (!is_zygote_child) {
|
|
||||||
pr_info("handle umount ignore non zygote child: %d\n",
|
pr_info("handle umount ignore non zygote child: %d\n",
|
||||||
current->pid);
|
current->pid);
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
Reference in New Issue
Block a user