ci: fix WSA upload path (#372)

This reverts commit 273a0b0b99.

.github/ISSUE_TEMPLATE/add_device.yml

@@ -0,0 +1,33 @@
+name: Contribute to Unofficially Supported Device
+description: Add your device kernel source to KernelSU's Unofficially Supported Device List
+title: "[Add Device]: "
+labels: ["add-device"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for supporting KernelSU !
+  - type: input
+    id: repo-url
+    attributes:
+      label: Repository URL
+      description: Your repository URL
+      placeholder: https://github.com/tiann/KernelSU
+    validations:
+      required: true
+  - type: input
+    id: device
+    attributes:
+      label: Device
+      description: Please describe the device maintained by you.
+      placeholder: GKI 2.0 Device
+    validations:
+      required: true
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Code of Conduct
+      description: By submitting this issue, you should be the maintainer of the repository.
+      options:
+        - label: I'm the maintainer of this repository
+          required: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,32 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Smartphone (please complete the following information):**
+ - Device: [e.g. iPhone6]
+ - OS: [e.g. iOS8.1]
+ - Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/custom.md

@@ -0,0 +1,10 @@
+---
+name: Custom issue template
+about: Describe this issue template's purpose here.
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/scripts/build_a12.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+build_from_image() {
+	export TITLE
+	TITLE=kernel-aarch64-${1//Image-/}
+	echo "[+] title: $TITLE"
+
+	export PATCH_LEVEL
+	PATCH_LEVEL=$(echo "$1" | awk -F_ '{ print $2}')
+	echo "[+] patch level: $PATCH_LEVEL"
+
+	echo '[+] Download prebuilt ramdisk'
+	curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+	unzip gki-kernel.zip && rm gki-kernel.zip
+
+	echo '[+] Unpack prebuilt boot.img'
+	BOOT_IMG=$(find . -maxdepth 1 -name "boot*.img")
+	$UNPACK_BOOTIMG --boot_img="$BOOT_IMG"
+	rm "$BOOT_IMG"
+
+	echo '[+] Building Image.gz'
+	$GZIP -n -k -f -9 Image >Image.gz
+
+	echo '[+] Building boot.img'
+	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Building boot-gz.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Building boot-lz4.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Compress images'
+	for image in boot*.img; do
+		$GZIP -n -f -9 "$image"
+		mv "$image".gz "${1//Image-/}"-"$image".gz
+	done
+
+	echo "[+] Images to upload"
+	find . -type f -name "*.gz"
+
+	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+}
+
+for dir in Image*; do
+	if [ -d "$dir" ]; then
+		echo "----- Building $dir -----"
+		cd "$dir"
+		build_from_image "$dir"
+		cd ..
+	fi
+done

.github/scripts/build_a13.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+set -euo pipefail
+
+build_from_image() {
+	export TITLE
+	TITLE=kernel-aarch64-${1//Image-/}
+
+	echo "[+] title: $TITLE"
+	echo '[+] Building Image.gz'
+	$GZIP -n -k -f -9 Image >Image.gz
+
+	echo '[+] Building boot.img'
+	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Building boot-gz.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Building boot-lz4.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+
+	echo '[+] Compress images'
+	for image in boot*.img; do
+		$GZIP -n -f -9 "$image"
+        mv "$image".gz "${1//Image-/}"-"$image".gz
+	done
+
+	echo '[+] Images to upload'
+	find . -type f -name "*.gz"
+
+	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+}
+
+for dir in Image*; do
+	if [ -d "$dir" ]; then
+		echo "----- Building $dir -----"
+		cd "$dir"
+		build_from_image "$dir"
+		cd ..
+	fi
+done

.github/workflows/add-device.yml

@@ -0,0 +1,59 @@
+name: handle-add-device-issue
+
+on:
+  issues:
+    types: [labeled]
+
+jobs:
+  handle-add-device:
+    if: github.event.label.name == 'add-device'
+    runs-on: ubuntu-latest
+    env:
+      ISSUE_CONTENT: ${{ github.event.issue.body }}
+    steps:
+      - uses: actions/checkout@v3
+      - name: Parse issue body
+        id: handle-add-device
+        run: |
+          python3 scripts/add_device_handler.py website/docs/repos.json || true
+      - name: Commit
+        if: steps.handle-add-device.outputs.success == 'true'
+        run: |
+          git config --local user.name "GitHub Actions"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add website/docs/repos.json
+          git commit -m "add device: ${{ steps.handle-add-device.outputs.device }}"
+      - name: Make pull request
+        if: steps.handle-add-device.outputs.success == 'true'
+        id: cpr
+        uses: peter-evans/create-pull-request@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
+          title: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
+          body: |
+            ${{ steps.handle-add-device.outputs.device }} has been added to the website.
+            Related issue: ${{ github.event.issue.html_url }}
+          branch: "add-device-${{ github.event.issue.number }}"
+          labels: add-device
+          delete-branch: true
+      - name: Check outputs
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+      - uses: ben-z/actions-comment-on-issue@1.0.2
+        if: ${{ steps.cpr.outputs.pull-request-number }}
+        with:
+          message: "Automatically created pull request: ${{ steps.cpr.outputs.pull-request-url }}"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: ben-z/actions-comment-on-issue@1.0.2
+        if: steps.handle-add-device.outputs.success != 'true'
+        with:
+          message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: close issue
+        uses: peter-evans/close-issue@v1
+        with:
+          issue-number: ${{ github.event.issue.number }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-WSA-5.10.117-kernel.yml

@@ -1,98 +0,0 @@
-name: Build WSA-5.10.117-Kernel
-on:
-  push:
-    branches: [ "main" ]
-    paths: 
-      - '.github/workflows/build-WSA-5.10.117-kernel.yml'
-      - 'kernel/**'
-  pull_request:
-    branches: [ "main" ]
-    paths: 
-      - 'kernel/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - version: 5.10.117.2
-            arch: "x86_64"
-            out_file: "arch/x86/boot/bzImage"
-            kernel_make_cmd: "bzImage"
-            make_config: "config-wsa"
-            date: "20220906"
-          - version: 5.10.117.2
-            arch: "arm64"
-            out_file: "arch/arm64/boot/Image"
-            kernel_make_cmd: "ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu Image"
-            make_config: "config-wsa-arm64"
-            date: "20220906"
-
-    name: Build WSA-Kernel-${{ matrix.version }}
-    runs-on: ubuntu-18.04
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_MAXSIZE: "2G"
-      CCACHE_HARDLINK: "true"
-    steps:
-    - uses: hendrikmuhs/ccache-action@v1.2
-      with:
-        key: ccache-WSA-Kernel-${{ matrix.version }}
-        append-timestamp: false
-        save: ${{ github.event_name != 'pull_request' }}
-    - uses: actions/checkout@v3
-      with:
-        path: KernelSU
-
-    - name: Install LLVM
-      run: |
-        sudo apt install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget
-        export LLVM_VERSION=10
-        wget https://apt.llvm.org/llvm.sh
-        chmod +x llvm.sh
-        sudo ./llvm.sh $LLVM_VERSION
-        rm ./llvm.sh
-        sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
-        sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
-        sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
-        sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
-        sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
-        sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
-        sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
-        sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
-        sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
-
-    - name: Download kernel source
-      run: |
-        cd $GITHUB_WORKSPACE
-        KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
-        echo "[+] 克隆远程仓库 WSA-Linux-Kernel..."
-        git clone https://github.com/microsoft/WSA-Linux-Kernel
-        cd WSA-Linux-Kernel && git checkout android-lts/latte/${{ matrix.version }}
-        echo "[+] 切换到分支 android-lts/latte/${{ matrix.version }}"
-        echo "[+] 导入 KernelSU"
-        echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
-        echo "[+] 复制 kernel su driver 到路径：$KERNEL_ROOT/drivers"
-        ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
-        DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
-        echo "[+] 添加 kernel su driver 到文件：$DRIVER_MAKEFILE"
-        grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-        echo "[+] KernelSU 导入完成"
-        cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch
-        cd -
-    
-    - name: Build Kernel
-      working-directory: WSA-Linux-Kernel
-      run: |
-        KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
-        echo "[+] 构建 kernel"
-        cp configs/wsa/${{ matrix.make_config }}-5.10 $KERNEL_ROOT/.config
-        echo "[+] 复制配置文件 configs/wsa/${{ matrix.make_config }}-5.10 到 $KERNEL_ROOT/.config"
-        echo "执行: make -j`nproc` LLVM=1 ${{ matrix.kernel_make_cmd }}"
-        make -j`nproc` LLVM=1 ${{ matrix.kernel_make_cmd }} CCACHE="/usr/bin/ccache" 
-
-    - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }}-${{ matrix.date }}
-        path: WSA-Linux-Kernel/${{ matrix.out_file }}

.github/workflows/build-kernel-5.10.yml

@@ -1,176 +0,0 @@
-name: Build Kernel 5.10
-on:
-  push:
-    branches: [ "main" ]
-    paths: 
-      - '.github/workflows/build-kernel-5.10.yml'
-      - 'kernel/**'
-  pull_request:
-    branches: [ "main" ]
-    paths: 
-      - 'kernel/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - version: android12-5.10-66
-            tag: android12-5.10-2021-11
-            os_version: 12.0.0
-            os_patch_level: 2021-11
-          - version: android12-5.10-81
-            tag: android12-5.10-2022-03
-            os_version: 12.0.0
-            os_patch_level: 2022-03
-          - version: android12-5.10-101
-            tag: android12-5.10-2022-05
-            os_version: 12.0.0
-            os_patch_level: 2022-05
-          - version: android12-5.10-110
-            tag: android12-5.10-2022-07
-            os_version: 12.0.0
-            os_patch_level: 2022-07
-          - version: android12-5.10-136
-            tag: android12-5.10-2022-11
-            os_version: 12.0.0
-            os_patch_level: 2022-11
-
-    name: Build aarch64-${{ matrix.version }}
-    runs-on: ubuntu-latest
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_MAXSIZE: "2G"
-      CCACHE_HARDLINK: "true"
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        path: KernelSU
-        fetch-depth: 0
-    - uses: hendrikmuhs/ccache-action@v1.2
-      with:
-        key: ccache-aarch64-${{ matrix.version }}
-        append-timestamp: false
-        save: ${{ github.event_name != 'pull_request' }}
-
-    - name: Setup need_upload
-      id: need_upload
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          echo "UPLOAD=true" >> $GITHUB_OUTPUT
-        else
-          echo "UPLOAD=false" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Setup kernel source
-      run: |
-        cd $GITHUB_WORKSPACE
-        git clone https://gerrit.googlesource.com/git-repo
-        mkdir android-kernel && cd android-kernel
-        ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ matrix.tag }}
-        ../git-repo/repo sync -j$(nproc --all)
-        curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-${{ matrix.tag }}_r1.zip
-        unzip gki-kernel.zip
-        tools/mkbootimg/unpack_bootimg.py --boot_img=$(find . -maxdepth 1 -name "*.img")
-    
-    - name: Setup KernelSU
-      env: 
-        PATCH_PATH: "5.10"
-      run: |
-        cd $GITHUB_WORKSPACE/android-kernel
-        echo "[+] KernelSU setup"
-        GKI_ROOT=$(pwd)
-        echo "[+] GKI_ROOT: $GKI_ROOT"
-        echo "[+] Copy kernel su driver to $GKI_ROOT/common/drivers"
-        ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
-        echo "[+] Add kernel su driver to Makefile"
-        DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-        grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-        echo "[+] Apply KernelSU patches"
-        cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
-        cd -
-        echo "[+] KernelSU setup Done."
-    
-    - name: Symbol magic
-      run: |
-        echo "[+] Export all symbol from abi_gki_aarch64.xml"
-        COMMON_ROOT=$GITHUB_WORKSPACE/android-kernel/common
-        KSU_ROOT=$GITHUB_WORKSPACE/KernelSU
-        ABI_XML=$COMMON_ROOT/android/abi_gki_aarch64.xml
-        SYMBOL_LIST=$COMMON_ROOT/android/abi_gki_aarch64
-        # python3 $KSU_ROOT/scripts/abi_gki_all.py $ABI_XML > $SYMBOL_LIST
-        echo "[+] Add KernelSU symbols"
-        cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
-
-    - name: Build boot.img
-      working-directory: android-kernel
-      run: CCACHE="/usr/bin/ccache" BUILD_BOOT_IMG=1 SKIP_VENDOR_BOOT=1 KERNEL_BINARY=Image GKI_RAMDISK_PREBUILT_BINARY=out/ramdisk AVB_SIGN_BOOT_IMG=1 AVB_BOOT_PARTITION_SIZE=$((64*1024*1024)) AVB_BOOT_ALGORITHM=SHA256_RSA2048 AVB_BOOT_KEY=prebuilts/kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem BOOT_IMAGE_HEADER_VERSION=4 LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
-    
-    - name: Build boot-lz4.img
-      working-directory: android-kernel
-      run: |
-        tools/mkbootimg/mkbootimg.py --header_version 4 --kernel ./out/android12-5.10/dist/Image.lz4 --ramdisk out/ramdisk --output ./out/android12-5.10/dist/boot-lz4.img --os_version ${{ matrix.os_version }} --os_patch_level ${{ matrix.os_patch_level }}
-        ./build/build-tools/path/linux-x86/avbtool add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image out/android12-5.10/dist/boot-lz4.img --algorithm SHA256_RSA2048 --key ./prebuilts/kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-    - name: Build boot-gz.img
-      working-directory: android-kernel
-      run: |
-        cat out/android12-5.10/dist/Image | ./prebuilts/build-tools/path/linux-x86/gzip -n -f -9 > out/android12-5.10/dist/Image.gz
-        tools/mkbootimg/mkbootimg.py --header_version 4 --kernel ./out/android12-5.10/dist/Image.gz --ramdisk out/ramdisk --output ./out/android12-5.10/dist/boot-gz.img --os_version ${{ matrix.os_version }} --os_patch_level ${{ matrix.os_patch_level }}
-        ./build/build-tools/path/linux-x86/avbtool add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image out/android12-5.10/dist/boot-gz.img --algorithm SHA256_RSA2048 --key ./prebuilts/kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
-
-    - name: Upload Image.gz
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-aarch64-${{ matrix.version }}-Image.gz
-        path: android-kernel/out/android12-5.10/dist/Image.gz
-
-    - name: Upload boot.img
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-aarch64-${{ matrix.version }}-boot.img
-        path: android-kernel/out/android12-5.10/dist/boot.img
-
-    - name: Upload boot-lz4.img
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-aarch64-${{ matrix.version }}-boot-lz4.img
-        path: android-kernel/out/android12-5.10/dist/boot-lz4.img
-
-    - name: Upload boot-gz.img
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-aarch64-${{ matrix.version }}-boot-gz.img
-        path: android-kernel/out/android12-5.10/dist/boot-gz.img
-
-    - name: Setup mutex for uploading
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      uses: ben-z/gh-action-mutex@v1.0-alpha-7
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: kernel-aarch64-${{ matrix.version }}
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(git rev-list --count HEAD)
-          cd -
-          OUTDIR=android-kernel/out/android12-5.10/dist
-          IMAGE_GZ=${{ matrix.version }}-Image.gz
-          BOOT=${{ matrix.version }}-boot.img.zip
-          BOOT_LZ4=${{ matrix.version }}-boot-lz4.img.zip
-          BOOT_GZ=${{ matrix.version }}-boot-gz.img.zip
-          mv $OUTDIR/Image.gz $IMAGE_GZ
-          zip $BOOT -j -r $OUTDIR/boot.img
-          zip $BOOT_LZ4 -j -r $OUTDIR/boot-lz4.img
-          zip $BOOT_GZ -j -r $OUTDIR/boot-gz.img
-          pip3 install python-telegram-bot
-          python3 $GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py $IMAGE_GZ $BOOT $BOOT_LZ4 $BOOT_GZ
-        fi

.github/workflows/build-kernel-5.15.yml

@@ -1,127 +0,0 @@
-name: Build Kernel 5.15
-on:
-  push:
-    branches: [ "main" ]
-    paths: 
-      - '.github/workflows/build-kernel-5.15.yml'
-      - 'kernel/**'
-  pull_request:
-    branches: [ "main" ]
-    paths: 
-      - 'kernel/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - version: "android13-5.15-41"
-            tag: "android13-5.15-2022-11"
-            os_version: 13.0.0
-            os_version_level: "2022-11"
-          - version: "android13-5.15-74"
-            tag: "android13-5.15-2022-12"
-            os_version: 13.0.0
-            os_version_level: "2022-12"
-
-    name: Build aarch64-${{ matrix.version }}
-    runs-on: ubuntu-latest
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_MAXSIZE: "2G"
-      CCACHE_HARDLINK: "true"
-    steps:
-    - uses: actions/checkout@v3
-      with:
-        path: KernelSU
-        fetch-depth: 0
-    - uses: hendrikmuhs/ccache-action@v1.2
-      with:
-        key: ccache-aarch64-${{ matrix.version }}
-        append-timestamp: false
-        save: ${{ github.event_name != 'pull_request' }}
-
-    - name: Setup need_upload
-      id: need_upload
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          echo "UPLOAD=true" >> $GITHUB_OUTPUT
-        else
-          echo "UPLOAD=false" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Setup kernel source
-      run: |
-        cd $GITHUB_WORKSPACE
-        git clone https://gerrit.googlesource.com/git-repo
-        mkdir android-kernel && cd android-kernel
-        ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ matrix.tag }}
-        ../git-repo/repo sync -j$(nproc --all)
-        curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-${{ matrix.tag }}_r1.zip
-        unzip gki-kernel.zip
-        tools/mkbootimg/unpack_bootimg.py --boot_img=$(find . -maxdepth 1 -name "*.img")
-    
-    - name: Setup KernelSU
-      env: 
-        PATCH_PATH: "5.15"
-      run: |
-        cd $GITHUB_WORKSPACE/android-kernel
-        echo "[+] KernelSU setup"
-        GKI_ROOT=$(pwd)
-        echo "[+] GKI_ROOT: $GKI_ROOT"
-        echo "[+] Copy kernel su driver to $GKI_ROOT/common/drivers"
-        ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
-        echo "[+] Add kernel su driver to Makefile"
-        DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-        grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-        echo "[+] Apply KernelSU patches"
-        cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
-        cd -
-        echo "[+] KernelSU setup Done."
-    
-    - name: Symbol magic
-      run: |
-        echo "[+] Export all symbol from abi_gki_aarch64.xml"
-        COMMON_ROOT=$GITHUB_WORKSPACE/android-kernel/common
-        KSU_ROOT=$GITHUB_WORKSPACE/KernelSU
-        ABI_XML=$COMMON_ROOT/android/abi_gki_aarch64.xml
-        SYMBOL_LIST=$COMMON_ROOT/android/abi_gki_aarch64
-        # python3 $KSU_ROOT/scripts/abi_gki_all.py $ABI_XML > $SYMBOL_LIST
-        echo "[+] Add KernelSU symbols"
-        cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
-
-    - name: Build boot.img
-      working-directory: android-kernel
-      run: CCACHE="/usr/bin/ccache" BUILD_BOOT_IMG=1 SKIP_VENDOR_BOOT=1 KERNEL_BINARY=Image AVB_SIGN_BOOT_IMG=1 AVB_BOOT_PARTITION_SIZE=$((64*1024*1024)) AVB_BOOT_ALGORITHM=SHA256_RSA2048 AVB_BOOT_KEY=prebuilts/kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem BOOT_IMAGE_HEADER_VERSION=4 LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
-
-    - name: Upload boot.img
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-aarch64-${{ matrix.version }}-boot.img
-        path: android-kernel/out/*/dist/boot.img
-    
-    - name: Setup mutex for uploading
-      uses: ben-z/gh-action-mutex@v1.0-alpha-7
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: kernel-aarch64-${{ matrix.version }}
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(git rev-list --count HEAD)
-          cd -
-          OUTDIR=android-kernel/out/android13-5.15/dist
-          BOOT=${{ matrix.version }}-boot.img.zip
-          zip $BOOT -j -r $OUTDIR/boot.img 
-          pip3 install python-telegram-bot
-          python3 $GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py $BOOT
-        fi

.github/workflows/build-kernel-a12.yml

@@ -0,0 +1,121 @@
+name: Build Kernel - Android 12
+on:
+  push:
+    branches: ["main", "ci"]
+    paths:
+      - ".github/workflows/build-kernel-a12.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build_a12.sh"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-a12.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build-a12.sh"
+      - "kernel/**"
+  workflow_call:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request'
+    strategy:
+      matrix:
+        include:
+          - sub_level: 66
+            os_patch_level: 2021-11
+          - sub_level: 81
+            os_patch_level: 2022-03
+          - sub_level: 101
+            os_patch_level: 2022-05
+          - sub_level: 110
+            os_patch_level: 2022-07
+          - sub_level: 136
+            os_patch_level: 2022-11
+          - sub_level: 149
+            os_patch_level: 2023-01
+          - sub_level: 160
+            os_patch_level: 2023-02
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.${{ matrix.sub_level }}
+      tag: android12-5.10-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: "5.10"
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+
+      - uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=master-kernel-build-2022
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install python-telegram-bot
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Setup mutex for uploading
+        uses: ben-z/gh-action-mutex@v1.0-alpha-7
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a12.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: boot-images-android12
+          path: Image-android12*/*.img.gz
+
+  check-build-kernel:
+    if: github.event_name == 'pull_request'
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.160
+      tag: android12-5.10-2023-02
+      os_patch_level: 2023-02
+      patch_path: "5.10"

.github/workflows/build-kernel-a13.yml

@@ -0,0 +1,132 @@
+name: Build Kernel - Android 13
+on:
+  push:
+    branches: ["main", "ci"]
+    paths:
+      - ".github/workflows/build-kernel-a13.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build_a13.sh"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-a13.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build-a13.sh"
+      - "kernel/**"
+  workflow_call:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request'
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 107
+            os_patch_level: 2022-11
+          - version: "5.10"
+            sub_level: 149
+            os_patch_level: 2023-01
+          - version: "5.10"
+            sub_level: 157
+            os_patch_level: 2023-02
+          - version: "5.15"
+            sub_level: 41
+            os_patch_level: 2022-11
+          - version: "5.15"
+            sub_level: 74
+            os_patch_level: 2023-01
+          - version: "5.15"
+            sub_level: 78
+            os_patch_level: 2023-02
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+
+      - uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=master-kernel-build-2022
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install python-telegram-bot
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Setup mutex for uploading
+        uses: ben-z/gh-action-mutex@v1.0-alpha-7
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+      
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: boot-images-android13
+          path: Image-android13*/*.img.gz
+
+  check-build-kernel:
+    if: github.event_name == 'pull_request'
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 149
+            os_patch_level: 2022-11
+          - version: "5.15"
+            sub_level: 74
+            os_patch_level: 2023-01
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-wsa.yml

@@ -0,0 +1,149 @@
+name: Build Kernel - WSA
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-wsa.yml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-wsa.yml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        arch: [x86_64, arm64]
+        version: ["5.10.117.2", "5.15.78.1"]
+        include:
+          - arch: x86_64
+            file_name: "bzImage"
+          - arch: arm64
+            file_name: "Image"
+            cross_compile: "aarch64-linux-gnu"
+          - version: "5.10.117.2"
+            arch: x86_64
+            make_config: config-wsa-5.10
+          - version: "5.10.117.2"
+            arch: arm64
+            make_config: config-wsa-arm64-5.10
+          - version: "5.15.78.1"
+            arch: x86_64
+            make_config: config-wsa-x64
+          - version: "5.15.78.1"
+            arch: arm64
+            make_config: config-wsa-arm64
+          - version: "5.10.117.2"
+            device_code: latte
+            kernel_version: "5.10"
+          - version: "5.15.78.1"
+            device_code: latte-2
+            kernel_version: "5.15"
+
+    name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
+    runs-on: ubuntu-20.04
+    env:
+      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
+      CCACHE_NOHASHDIR: "true"
+      CCACHE_HARDLINK: "true"
+
+    steps:
+      - name: Install Build Tools
+        run: |
+          sudo apt update
+          sudo apt install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip
+          export LLVM_VERSION=12
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh $LLVM_VERSION
+          rm ./llvm.sh
+          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
+          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
+          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
+          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
+          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
+          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
+          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
+          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
+          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          ref: main
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        uses: actions/checkout@v3
+        with:
+          repository: microsoft/WSA-Linux-Kernel
+          ref: android-lts/${{ matrix.device_code }}/${{ matrix.version }}
+          path: WSA-Linux-Kernel
+
+      - name: Setup Ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
+          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          max-size: 2G
+
+      - name: Setup KernelSU
+        working-directory: WSA-Linux-Kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/${{ matrix.kernel_version }}/*.patch
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: WSA-Linux-Kernel
+        run: |
+          cp configs/wsa/${{ matrix.make_config }} .config
+          make olddefconfig
+          make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} CROSS_COMPILE=${{ matrix.cross_compile }} ${{ matrix.file_name }} CCACHE="/usr/bin/ccache"
+          echo "file_path=WSA-Linux-Kernel/arch/${{ matrix.arch }}/boot/${{ matrix.file_name }}" >> $GITHUB_ENV
+
+      - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }}
+          path: "${{ env.file_path }}"
+
+      - name: Post to Telegram
+        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}    
+        run: |
+          TITLE=kernel-${{ matrix.arch }}-WSA-${{ matrix.version }}
+          echo "[+] title: $TITLE"
+          export TITLE
+          export VERSION="${{ env.kernelsu_version }}"
+          echo "[+] Compress images"
+          gzip -n -f -9 "${{ env.file_path }}"
+          echo "[+] Image to upload"
+          find . -type f -name "*.gz"
+          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
+            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
+          fi

.github/workflows/build-ksud.yml

@@ -1,14 +1,16 @@
 name: Build KSUD
 on:
-  workflow_call:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "ci" ]
     paths: 
       - '.github/workflows/build-ksud.yml'
+      - '.github/workflows/ksud.yml'
       - 'userspace/ksud/**'
   pull_request:
     branches: [ "main" ]
     paths: 
+      - '.github/workflows/build-ksud.yml'
+      - '.github/workflows/ksud.yml'
       - 'userspace/ksud/**'
 jobs:
   build:
@@ -17,37 +19,7 @@ jobs:
         include:
           - target: aarch64-linux-android
           - target: x86_64-linux-android
-    name: Build KSUD
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: Set up cargo cache
-      uses: actions/cache@v3
-      continue-on-error: false
-      with:
-        path: |
-          ~/.cargo/bin/
-          ~/.cargo/registry/index/
-          ~/.cargo/registry/cache/
-          ~/.cargo/git/db/
-        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-        restore-keys: ${{ runner.os }}-cargo-
-    - name: Set up ksud build cache
-      uses: actions/cache@v3
-      continue-on-error: false
-      with:
-        path: ./userspace/ksud/target/
-        key: ${{ runner.os }}-ksud-${{ hashFiles('**/Cargo.lock') }}-${{ matrix.target }}
-        restore-keys: ${{ runner.os }}-ksud-
-    - name: Build ksud
-      uses: actions-rs/cargo@v1
-      with:
-        use-cross: true
-        command: build
-        args: --target ${{ matrix.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
-    - name: Upload ksud artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: ksud-${{ matrix.target }}
-        path: ./userspace/ksud/target/**/release/ksud
-
+          - target: x86_64-pc-windows-gnu # only for build
+    uses: ./.github/workflows/ksud.yml
+    with:
+      target: ${{ matrix.target }}

.github/workflows/build-manager.yml

@@ -10,9 +10,17 @@ on:
     branches: [ "main" ]
     paths: 
       - 'manager/**'
+  workflow_call:
 jobs:
   build-ksud:
-      uses: ./.github/workflows/build-ksud.yml
+    strategy:
+      matrix:
+        include:
+          - target: aarch64-linux-android
+          - target: x86_64-linux-android
+    uses: ./.github/workflows/ksud.yml
+    with:
+      target: ${{ matrix.target }}
   build-manager:
     needs: build-ksud
     runs-on: ubuntu-latest
@@ -72,7 +80,7 @@ jobs:
     - name: Build with Gradle
       run: ./gradlew clean assembleRelease
     - name: Upload build artifact
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       with:
         name: manager
         path: manager/app/build/outputs/apk/release/*.apk

.github/workflows/build-su.yml

@@ -4,12 +4,12 @@ on:
     branches: [ "main" ]
     paths: 
       - '.github/workflows/build-su.yml'
-      - 'userspace/**'
+      - 'userspace/su/**'
       - 'scripts/ksubot.py'
   pull_request:
     branches: [ "main" ]
     paths: 
-      - 'userspace/**'
+      - 'userspace/su/**'
 jobs:
   build-su:
     name: Build userspace su

.github/workflows/clippy-pr.yml

@@ -0,0 +1,22 @@
+name: Clippy check for pull request
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/clippy-pr.yml'
+      - 'userspace/ksud/**'
+
+permissions:
+  checks: write
+
+jobs:
+  clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: giraffate/clippy-action@v1
+        with:
+          workdir: userspace/ksud

.github/workflows/clippy.yml

@@ -0,0 +1,30 @@
+name: Clippy check
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/clippy.yml'
+      - 'userspace/ksud/**'
+
+env:
+  RUSTFLAGS: '-Dwarnings'
+
+jobs:
+  clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: userspace/ksud
+
+      - name: Install cross
+        run: cargo install cross
+
+      - name: Run clippy
+        run: |
+          cross clippy --manifest-path userspace/ksud/Cargo.toml --target aarch64-linux-android
+          cross clippy --manifest-path userspace/ksud/Cargo.toml --target x86_64-linux-android

.github/workflows/gki-kernel.yml

@@ -0,0 +1,152 @@
+name: GKI Kernel Build
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        type: string
+        description: >
+          Output directory of gki,
+          for example: android12-5.10
+      version_name:
+        required: true
+        type: string
+        description: >
+          With SUBLEVEL of kernel,
+          for example: android12-5.10.66
+      tag:
+        required: true
+        type: string
+        description: >
+          Part of branch name of common kernel manifest,
+          for example: android12-5.10-2021-11
+      os_patch_level:
+        required: false
+        type: string
+        description: >
+          Patch level of common kernel manifest,
+          for example: 2021-11
+        default: 2022-05
+      patch_path:
+        required: true
+        type: string
+        description: >
+          Directory name of .github/patches/<patch_path>
+          for example: 5.10
+      use_cache:
+        required: false
+        type: boolean
+        default: true
+      embed_ksud:
+        required: false
+        type: string
+        default: ksud-aarch64-linux-android
+        description: >
+          Artifact name of prebuilt ksud to be embedded
+          for example: ksud-aarch64-linux-android
+    secrets:
+      BOOT_SIGN_KEY:
+        required: false
+      CHAT_ID:
+        required: false
+      CACHE_CHAT_ID:
+        required: false
+      BOT_TOKEN:
+        required: false
+      MESSAGE_THREAD_ID:
+        required: false
+
+jobs:
+  build:
+    name: Build ${{ inputs.version_name }}
+    runs-on: ubuntu-latest
+    env:
+      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
+      CCACHE_NOHASHDIR: "true"
+      CCACHE_MAXSIZE: "2G"
+      CCACHE_HARDLINK: "true"
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - uses: hendrikmuhs/ccache-action@v1.2
+        if: inputs.use_cache == true
+        with:
+          key: ccache-aarch64-${{ inputs.version_name }}
+          append-timestamp: false
+          save: ${{ github.event_name != 'pull_request' }}
+
+      - name: Setup need_upload
+        id: need_upload
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            echo "UPLOAD=true" >> $GITHUB_OUTPUT
+          else
+            echo "UPLOAD=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kernel source
+        run: |
+          cd $GITHUB_WORKSPACE
+          git clone https://gerrit.googlesource.com/git-repo
+          mkdir android-kernel && cd android-kernel
+          ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }}
+          ../git-repo/repo sync -j$(nproc --all)
+
+      - name: Setup KernelSU
+        env:
+          PATCH_PATH: ${{ inputs.patch_path }}
+        run: |
+          cd $GITHUB_WORKSPACE/android-kernel
+          echo "[+] KernelSU setup"
+          GKI_ROOT=$(pwd)
+          echo "[+] GKI_ROOT: $GKI_ROOT"
+          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          echo "[+] Apply KernelSU patches"
+          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
+          echo "[+] KernelSU setup done."
+
+      - name: Symbol magic
+        run: |
+          echo "[+] Export all symbol from abi_gki_aarch64.xml"
+          COMMON_ROOT=$GITHUB_WORKSPACE/android-kernel/common
+          KSU_ROOT=$GITHUB_WORKSPACE/KernelSU
+          ABI_XML=$COMMON_ROOT/android/abi_gki_aarch64.xml
+          SYMBOL_LIST=$COMMON_ROOT/android/abi_gki_aarch64
+          # python3 $KSU_ROOT/scripts/abi_gki_all.py $ABI_XML > $SYMBOL_LIST
+          echo "[+] Add KernelSU symbols"
+          cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
+
+      - name: Build boot.img
+        working-directory: android-kernel
+        run: CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
+
+      - name: Prepare artifacts
+        id: prepareArtifacts
+        run: |
+          OUTDIR=android-kernel/out/${{ inputs.version }}/dist
+          mkdir output
+          cp $OUTDIR/Image ./output/
+          cp $OUTDIR/Image.lz4 ./output/
+          git clone https://github.com/Kernel-SU/AnyKernel3
+          rm -rf ./AnyKernel3/.git
+          cp $OUTDIR/Image ./AnyKernel3/
+
+      - name: Upload Image and Image.gz
+        uses: actions/upload-artifact@v3
+        with:
+          name: Image-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
+          path: ./output/*
+
+      - name: Upload AnyKernel3
+        uses: actions/upload-artifact@v3
+        with:
+          name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
+          path: ./AnyKernel3/*

.github/workflows/ksud.yml

@@ -0,0 +1,36 @@
+name: Build ksud
+on:
+  workflow_call:
+    inputs:
+      target:
+        required: true
+        type: string
+      use_cache:
+        required: false
+        type: boolean
+        default: true
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+    # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
+    - run: rustup default 1.67.0
+    - uses: Swatinem/rust-cache@v2
+      with:
+        workspaces: userspace/ksud
+        cache-targets: false
+
+    - name: Install cross
+      run: cargo install cross
+
+    - name: Build ksud
+      run: cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
+
+    - name: Upload ksud artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: ksud-${{ inputs.target }}
+        path: userspace/ksud/target/**/release/ksud

.github/workflows/release.yml

@@ -0,0 +1,56 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  build-manager:
+    uses: ./.github/workflows/build-manager.yml
+    secrets: inherit
+  build-a12-kernel:
+    uses: ./.github/workflows/build-kernel-a12.yml
+  build-a13-kernel:
+    uses: ./.github/workflows/build-kernel-a13.yml
+  build-wsa-kernel:
+    uses: ./.github/workflows/build-kernel-wsa.yml
+  release:
+    needs: 
+      - build-manager
+      - build-a12-kernel
+      - build-a13-kernel
+      - build-wsa-kernel
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+      - name: Zip AnyKernel3
+        run: |
+          for dir in AnyKernel3-*; do
+            if [ -d "$dir" ]; then
+              echo "----- Zip $dir -----"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
+      - name: Zip WSA kernel
+        run: |
+          for dir in kernel-WSA-*; do
+            if [ -d "$dir" ]; then
+              echo "------ Zip $dir ----------"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
+      - name: Display structure of downloaded files
+        run: ls -R
+
+      - name: release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            manager/*.apk
+            AnyKernel3-*.zip
+            boot-images-*/Image-*/*.img.gz
+            kernel-WSA*.zip

.github/workflows/rustfmt.yml

@@ -0,0 +1,33 @@
+name: Rustfmt check
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/rustfmt.yml'
+      - 'userspace/ksud/**'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/rustfmt.yml'
+      - 'userspace/ksud/**'
+
+permissions:
+  checks: write
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rustfmt
+
+      - uses: LoliGothick/rustfmt-check@v0.3.1
+        with:
+          token: ${{ github.token }}
+          options: --manifest-path userspace/ksud/Cargo.toml

.github/workflows/shellcheck.yml

@@ -0,0 +1,27 @@
+name: ShellCheck
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/shellcheck.yml'
+      - '**/*.sh'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/shellcheck.yml'
+      - '**/*.sh'
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_names: gradlew
+          ignore_paths: ./userspace/ksud/src/installer.sh

.gitignore

@@ -0,0 +1 @@
+.vscode/

README.md

@@ -2,58 +2,37 @@
 
 # KernelSU
 
-A Kernel based root solution for Android GKI.
+A Kernel based root solution for Android devices.
 
-## Before Reading
+## Features
 
-Now KernelSU supports old kernel under 5.10, but **THERE WILL NEVER** be a CI for old kernels, because they are not generic.
-ANY ISSUES ABOUT HOW TO COMPILE A OLD KERNEL WILL NOT BE ANSWERED AND WILL BE CLOSED.
-
-KernelSU is in a early development stage and you should not put it into production enviroment. KernelSU developers will not be responsible for any of your losses.
-
-If you face any issue, feel free to open a [issue](https://github.com/tiann/KernelSU/issues) and tell us about it!
+1. Kernel-based `su` and root access management.
+2. Module system based on overlayfs.
 
 ## Compatibility State
 
-Now KernelSU will work on these version of kernels without any modification：
+KernelSU officially supports Android GKI 2.0 devices(with kernel 5.10+), old kernels(4.14+) is also compatiable, but you need to build kernel yourself.
 
-- `5.15`
-- `5.10`
-- `5.4`
-- `4.19`
-- `4.14`
+WSA and containter-based Android should also work with KernelSU integrated.
 
-And the current supported ABIs are : `arm64-v8a` & `x86_64`
-
-If you confirm KernelSU works on other version, open a [issue](https://github.com/tiann/KernelSU/issues) tell us about it!
+And the current supported ABIs are : `arm64-v8a` and `x86_64`
 
 ## Usage
 
-1. Flash a custom kernel with KernelSU, you can build it yourself or [download it from CI](https://github.com/tiann/KernelSU/actions/workflows/build-kernel.yml).
-2. Install Manager App and enjoy :)
-
-For old kernels under 5.10, you must build custom kernels by yourself.
+[Installation](https://kernelsu.org/guide/installation.html)
 
 ## Build
 
-### Build GKI Kernel
-
-1. Download the GKI source first, you can refer the [GKI build instruction](https://source.android.com/docs/setup/build/building-kernels)
-2. cd `<GKI kernel source dir>`
-3. `curl -LSs "https://raw.githubusercontent.com/tiann/KernelSU/main/kernel/setup.sh" | bash -`
-4. Build the kernel.
-
-### Build the Manager App
-
-Android Studio / Gradle
+[How to build?](https://kernelsu.org/guide/how-to-build.html)
 
 ### Discussion
 
-[@KernelSU](https://t.me/KernelSU)
+- Telegram: [@KernelSU](https://t.me/KernelSU)
 
 ## License
 
-[GPL-3](http://www.gnu.org/copyleft/gpl.html)
+- Files under `kernel` directory are [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- All other parts except `kernel` directory are [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
 
 ## Credits
 

README_CN.md

@@ -2,58 +2,37 @@
 
 # KernelSU
 
-一个基于内核，为安卓 GKI 准备的 root 方案。
+一个 Android 上基于内核的 root 方案。
 
-## 阅读之前
+## 特性
 
-现在 KernelSU 已经支持 5.10 以下的旧内核，但**永远不会**有旧内核的 CI，因为它们不是通用的。
-**任何关于如何编译旧内核的问题都不会得到任何答复并将被关闭。**
-
-KernelSU 还处于早期开发阶段，你不应该生产环境中使用它。KernelSU 的开发者将不对你的任何损失负责。
-
-如果你遇到任何问题，请打开 [issue](https://github.com/tiann/KernelSU/issues) 告诉我们！ (最好使用英语)
+- 基于内核的 su 和权限管理。
+- 基于 overlayfs 的模块系统。
 
 ## 兼容状态
 
-现在，KernelSU 可以在这些版本的内核上正常工作，不需要任何修改。
+KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核也是兼容的（最低4.14+），不过需要自己编译内核。
 
-- `5.15`
-- `5.10`
-- `5.4`
-- `4.19`
-- `4.14`
+WSA 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
 
-目前支持架构 : `arm64-v8a` & `x86_64`
-
-如果你确认 KernelSU 能在其他版本上工作，请打开一个 [issue](https://github.com/tiann/KernelSU/issues) 告诉我们！
+目前支持架构 : `arm64-v8a` 和 `x86_64`
 
 ## 使用方法
 
-1. 用 KernelSU 刷入一个自定义的内核，你可以自己构建它或者[从 CI 下载](https://github.com/tiann/KernelSU/actions/workflows/build-kernel.yml)。
-2. 安装管理器应用, 然后享受吧 :)
-
-对于 5.10 以下的旧内核, 你必须自己构建。
+[安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
 
 ## 构建
 
-### 构建GKI内核
-
-1. 首先下载 GKI 源代码，你可以参考[ GKI 构建说明](https://source.android.com/docs/setup/build/building-kernels)。
-2. cd `< GKI 内核源代码目录 >`。
-3. `curl -LSs "https://raw.githubusercontent.com/tiann/KernelSU/main/kernel/setup.sh" | bash -`。
-4. 构建内核。
-
-### 构建管理器应用
-
-Android Studio / Gradle
+[如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
 
 ### 讨论
 
-[@KernelSU](https://t.me/KernelSU)
+- Telegram: [@KernelSU](https://t.me/KernelSU)
 
 ## 许可证
 
-[GPL-3](http://www.gnu.org/copyleft/gpl.html)
+- 目录 `kernel` 下所有文件为 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- 除 `kernel` 目录的其他部分均为 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
 
 ## 鸣谢
 

kernel/.clangd

@@ -1,3 +1,4 @@
 Diagnostics:
+  UnusedIncludes: Strict
   ClangTidy:
     Remove: bugprone-sizeof-expression

kernel/LICENSE

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

kernel/Makefile

@@ -5,8 +5,18 @@ obj-y += kernelsu.o
 obj-y += module_api.o
 obj-y += sucompat.o
 obj-y += uid_observer.o
+obj-y += manager.o
+obj-y += core_hook.o
+obj-y += ksud.o
+obj-y += embed_ksud.o
+obj-y += kernel_compat.o
 
 obj-y += selinux/
+# .git is a text file while the module is imported by 'git submodule add'.
+ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
+ccflags-y += -DKSU_GIT_VERSION=$(KSU_GIT_VERSION)
+endif
 
 ifndef EXPECTED_SIZE
 EXPECTED_SIZE := 0x033b
@@ -19,4 +29,4 @@ endif
 ccflags-y += -DEXPECTED_SIZE=$(EXPECTED_SIZE)
 ccflags-y += -DEXPECTED_HASH=$(EXPECTED_HASH)
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement
+ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement

kernel/allowlist.c

@@ -1,27 +1,13 @@
-#include <linux/list.h>
-#include <linux/cpu.h>
-#include <linux/errno.h>
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/kprobes.h>
-#include <linux/memory.h>
-#include <linux/module.h>
-#include <linux/printk.h>
-#include <linux/slab.h>
-#include <linux/string.h>
-#include <linux/uaccess.h>
-#include <linux/uidgid.h>
-
-#include <linux/fdtable.h>
-#include <linux/fs.h>
-#include <linux/fs_struct.h>
-#include <linux/namei.h>
-#include <linux/rcupdate.h>
-
-#include <linux/delay.h> // msleep
-
-#include "klog.h"
+#include "linux/delay.h"
+#include "linux/fs.h"
+#include "linux/kernel.h"
+#include "linux/list.h"
+#include "linux/printk.h"
+#include "linux/slab.h"
+#include "linux/version.h"
+#include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
+#include "kernel_compat.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
 #define FILE_FORMAT_VERSION 1 // u32
@@ -36,15 +22,25 @@ struct perm_data {
 
 static struct list_head allow_list;
 
-#define KERNEL_SU_ALLOWLIST "/data/adb/.ksu_allowlist"
+#define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"
 
-static struct workqueue_struct *ksu_workqueue;
 static struct work_struct ksu_save_work;
 static struct work_struct ksu_load_work;
 
 bool persistent_allow_list(void);
 
-bool ksu_allow_uid(uid_t uid, bool allow)
+void ksu_show_allow_list(void)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	pr_info("ksu_show_allow_list");
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		pr_info("uid :%d, allow: %d\n", p->uid, p->allow);
+	}
+}
+
+bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
 {
 	// find the node first!
 	struct perm_data *p = NULL;
@@ -52,7 +48,6 @@ bool ksu_allow_uid(uid_t uid, bool allow)
 	bool result = false;
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("ksu_allow_uid :%d, allow: %d\n", p->uid, p->allow);
 		if (uid == p->uid) {
 			p->allow = allow;
 			result = true;
@@ -73,8 +68,8 @@ bool ksu_allow_uid(uid_t uid, bool allow)
 	result = true;
 
 exit:
-
-	persistent_allow_list();
+	if (persist)
+		persistent_allow_list();
 
 	return result;
 }
@@ -124,7 +119,7 @@ void do_persistent_allow_list(struct work_struct *work)
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	loff_t off = 0;
-
+	KWORKER_INSTALL_KEYRING();
 	struct file *fp =
 		filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 
@@ -134,12 +129,12 @@ void do_persistent_allow_list(struct work_struct *work)
 	}
 
 	// store magic and version
-	if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
 		pr_err("save_allow_list write magic failed.\n");
 		goto exit;
 	}
 
-	if (kernel_write(fp, &version, sizeof(version), &off) !=
+	if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) !=
 	    sizeof(version)) {
 		pr_err("save_allow_list write version failed.\n");
 		goto exit;
@@ -149,8 +144,8 @@ void do_persistent_allow_list(struct work_struct *work)
 		p = list_entry(pos, struct perm_data, list);
 		pr_info("save allow list uid :%d, allow: %d\n", p->uid,
 			p->allow);
-		kernel_write(fp, &p->uid, sizeof(p->uid), &off);
-		kernel_write(fp, &p->allow, sizeof(p->allow), &off);
+		ksu_kernel_write_compat(fp, &p->uid, sizeof(p->uid), &off);
+		ksu_kernel_write_compat(fp, &p->allow, sizeof(p->allow), &off);
 	}
 
 exit:
@@ -164,21 +159,7 @@ void do_load_allow_list(struct work_struct *work)
 	struct file *fp = NULL;
 	u32 magic;
 	u32 version;
-
-	fp = filp_open("/data/adb/", O_RDONLY, 0);
-	if (IS_ERR(fp)) {
-		int errno = PTR_ERR(fp);
-		pr_err("load_allow_list open '/data/adb': %d\n", PTR_ERR(fp));
-		if (errno == -ENOENT) {
-			msleep(2000);
-			queue_work(ksu_workqueue, &ksu_load_work);
-			return;
-		} else {
-			pr_info("load_allow list dir exist now!");
-		}
-	} else {
-		filp_close(fp, 0);
-	}
+	KWORKER_INSTALL_KEYRING();
 
 	// load allowlist now!
 	fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
@@ -187,7 +168,8 @@ void do_load_allow_list(struct work_struct *work)
 #ifdef CONFIG_KSU_DEBUG
 		int errno = PTR_ERR(fp);
 		if (errno == -ENOENT) {
-			ksu_allow_uid(2000, true); // allow adb shell by default
+			ksu_allow_uid(2000, true,
+				      true); // allow adb shell by default
 		} else {
 			pr_err("load_allow_list open file failed: %d\n",
 			       PTR_ERR(fp));
@@ -199,13 +181,13 @@ void do_load_allow_list(struct work_struct *work)
 	}
 
 	// verify magic
-	if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
 	    magic != FILE_MAGIC) {
 		pr_err("allowlist file invalid: %d!\n", magic);
 		goto exit;
 	}
 
-	if (kernel_read(fp, &version, sizeof(version), &off) !=
+	if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) !=
 	    sizeof(version)) {
 		pr_err("allowlist read version: %d failed\n", version);
 		goto exit;
@@ -216,20 +198,20 @@ void do_load_allow_list(struct work_struct *work)
 	while (true) {
 		u32 uid;
 		bool allow = false;
-		ret = kernel_read(fp, &uid, sizeof(uid), &off);
+		ret = ksu_kernel_read_compat(fp, &uid, sizeof(uid), &off);
 		if (ret <= 0) {
 			pr_info("load_allow_list read err: %d\n", ret);
 			break;
 		}
-		ret = kernel_read(fp, &allow, sizeof(allow), &off);
+		ret = ksu_kernel_read_compat(fp, &allow, sizeof(allow), &off);
 
 		pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
 
-		ksu_allow_uid(uid, allow);
+		ksu_allow_uid(uid, allow, false);
 	}
 
 exit:
-
+	ksu_show_allow_list();
 	filp_close(fp, 0);
 }
 
@@ -257,42 +239,37 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
 	}
 }
 
-static int init_work(void)
-{
-	ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);
-	INIT_WORK(&ksu_save_work, do_persistent_allow_list);
-	INIT_WORK(&ksu_load_work, do_load_allow_list);
-	return 0;
-}
-
 // make sure allow list works cross boot
 bool persistent_allow_list(void)
 {
-	queue_work(ksu_workqueue, &ksu_save_work);
-	return true;
+	return ksu_queue_work(&ksu_save_work);
 }
 
 bool ksu_load_allow_list(void)
 {
-	queue_work(ksu_workqueue, &ksu_load_work);
-	return true;
+	return ksu_queue_work(&ksu_load_work);
 }
 
-bool ksu_allowlist_init(void)
+void ksu_allowlist_init(void)
 {
 	INIT_LIST_HEAD(&allow_list);
 
-	init_work();
-
-	// start load allow list, we load it before app_process exec now, refer: sucompat#execve_handler_pre
-	// ksu_load_allow_list();
-
-	return true;
+	INIT_WORK(&ksu_save_work, do_persistent_allow_list);
+	INIT_WORK(&ksu_load_work, do_load_allow_list);
 }
 
-bool ksu_allowlist_exit(void)
+void ksu_allowlist_exit(void)
 {
-	destroy_workqueue(ksu_workqueue);
+	struct perm_data *np = NULL;
+	struct perm_data *n = NULL;
 
-	return true;
+	do_persistent_allow_list(NULL);
+
+	// free allowlist
+	mutex_lock(&allowlist_mutex);
+	list_for_each_entry_safe (np, n, &allow_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+	mutex_unlock(&allowlist_mutex);
 }

kernel/allowlist.h

@@ -1,20 +1,22 @@
 #ifndef __KSU_H_ALLOWLIST
 #define __KSU_H_ALLOWLIST
 
-#include <linux/types.h>
+#include "linux/types.h"
 
-bool ksu_allowlist_init();
+void ksu_allowlist_init(void);
 
-bool ksu_allowlist_exit();
-
-bool ksu_is_allow_uid(uid_t uid);
-
-bool ksu_allow_uid(uid_t uid, bool allow);
-
-bool ksu_get_allow_list(int *array, int *length, bool allow);
+void ksu_allowlist_exit(void);
 
 bool ksu_load_allow_list(void);
 
-void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void* data);
+void ksu_show_allow_list(void);
+
+bool ksu_is_allow_uid(uid_t uid);
+
+bool ksu_allow_uid(uid_t uid, bool allow, bool persist);
+
+bool ksu_get_allow_list(int *array, int *length, bool allow);
+
+void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
 
 #endif

kernel/apk_sign.c

@@ -1,11 +1,12 @@
-#include <linux/moduleparam.h>
-#include <linux/fs.h>
+#include "linux/fs.h"
+#include "linux/moduleparam.h"
 
 #include "apk_sign.h"
-#include "klog.h"
+#include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h"
 
-static __always_inline int check_v2_signature(char *path, unsigned expected_size,
-				  unsigned expected_hash)
+static __always_inline int
+check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 {
 	unsigned char buffer[0x11] = { 0 };
 	u32 size4;
@@ -14,21 +15,25 @@ static __always_inline int check_v2_signature(char *path, unsigned expected_size
 	loff_t pos;
 
 	int sign = -1;
+	int i;
 	struct file *fp = filp_open(path, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("open %s error.", path);
 		return PTR_ERR(fp);
 	}
 
+	// disable inotify for this file
+	fp->f_mode |= FMODE_NONOTIFY;
+
 	sign = 1;
 	// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
-	for (int i = 0;; ++i) {
+	for (i = 0;; ++i) {
 		unsigned short n;
 		pos = generic_file_llseek(fp, -i - 2, SEEK_END);
-		kernel_read(fp, &n, 2, &pos);
+		ksu_kernel_read_compat(fp, &n, 2, &pos);
 		if (n == i) {
 			pos -= 22;
-			kernel_read(fp, &size4, 4, &pos);
+			ksu_kernel_read_compat(fp, &size4, 4, &pos);
 			if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
 				break;
 			}
@@ -41,17 +46,17 @@ static __always_inline int check_v2_signature(char *path, unsigned expected_size
 
 	pos += 12;
 	// offset
-	kernel_read(fp, &size4, 0x4, &pos);
+	ksu_kernel_read_compat(fp, &size4, 0x4, &pos);
 	pos = size4 - 0x18;
 
-	kernel_read(fp, &size8, 0x8, &pos);
-	kernel_read(fp, buffer, 0x10, &pos);
+	ksu_kernel_read_compat(fp, &size8, 0x8, &pos);
+	ksu_kernel_read_compat(fp, buffer, 0x10, &pos);
 	if (strcmp((char *)buffer, "APK Sig Block 42")) {
 		goto clean;
 	}
 
 	pos = size4 - (size8 + 0x8);
-	kernel_read(fp, &size_of_block, 0x8, &pos);
+	ksu_kernel_read_compat(fp, &size_of_block, 0x8, &pos);
 	if (size_of_block != size8) {
 		goto clean;
 	}
@@ -59,37 +64,37 @@ static __always_inline int check_v2_signature(char *path, unsigned expected_size
 	for (;;) {
 		uint32_t id;
 		uint32_t offset;
-		kernel_read(fp, &size8, 0x8, &pos); // sequence length
+		ksu_kernel_read_compat(fp, &size8, 0x8, &pos); // sequence length
 		if (size8 == size_of_block) {
 			break;
 		}
-		kernel_read(fp, &id, 0x4, &pos); // id
+		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
 		offset = 4;
 		pr_info("id: 0x%08x\n", id);
 		if ((id ^ 0xdeadbeefu) == 0xafa439f5u ||
-			(id ^ 0xdeadbeefu) == 0x2efed62f) {
-			kernel_read(fp, &size4, 0x4,
-					&pos); // signer-sequence length
-			kernel_read(fp, &size4, 0x4, &pos); // signer length
-			kernel_read(fp, &size4, 0x4,
-					&pos); // signed data length
+		    (id ^ 0xdeadbeefu) == 0x2efed62f) {
+			ksu_kernel_read_compat(fp, &size4, 0x4,
+				    &pos); // signer-sequence length
+			ksu_kernel_read_compat(fp, &size4, 0x4, &pos); // signer length
+			ksu_kernel_read_compat(fp, &size4, 0x4,
+				    &pos); // signed data length
 			offset += 0x4 * 3;
 
-			kernel_read(fp, &size4, 0x4,
-					&pos); // digests-sequence length
+			ksu_kernel_read_compat(fp, &size4, 0x4,
+				    &pos); // digests-sequence length
 			pos += size4;
 			offset += 0x4 + size4;
 
-			kernel_read(fp, &size4, 0x4,
-					&pos); // certificates length
-			kernel_read(fp, &size4, 0x4,
-					&pos); // certificate length
+			ksu_kernel_read_compat(fp, &size4, 0x4,
+				    &pos); // certificates length
+			ksu_kernel_read_compat(fp, &size4, 0x4,
+				    &pos); // certificate length
 			offset += 0x4 * 2;
 #if 0
 			int hash = 1;
 			signed char c;
-			for (unsigned i = 0; i < size4; ++i) {
-				kernel_read(fp, &c, 0x1, &pos);
+			for (i = 0; i < size4; ++i) {
+				ksu_kernel_read_compat(fp, &c, 0x1, &pos);
 				hash = 31 * hash + c;
 			}
 			offset += size4;
@@ -98,13 +103,13 @@ static __always_inline int check_v2_signature(char *path, unsigned expected_size
 			if (size4 == expected_size) {
 				int hash = 1;
 				signed char c;
-				for (unsigned i = 0; i < size4; ++i) {
-					kernel_read(fp, &c, 0x1, &pos);
+				for (i = 0; i < size4; ++i) {
+					ksu_kernel_read_compat(fp, &c, 0x1, &pos);
 					hash = 31 * hash + c;
 				}
 				offset += size4;
 				if ((((unsigned)hash) ^ 0x14131211u) ==
-					expected_hash) {
+				    expected_hash) {
 					sign = 0;
 					break;
 				}
@@ -127,8 +132,38 @@ clean:
 unsigned ksu_expected_size = EXPECTED_SIZE;
 unsigned ksu_expected_hash = EXPECTED_HASH;
 
-module_param(ksu_expected_size, uint, S_IRUSR | S_IWUSR);
-module_param(ksu_expected_hash, uint, S_IRUSR | S_IWUSR);
+#include "manager.h"
+
+static int set_expected_size(const char *val, const struct kernel_param *kp)
+{
+	int rv = param_set_uint(val, kp);
+	ksu_invalidate_manager_uid();
+	pr_info("ksu_expected_size set to %x", ksu_expected_size);
+	return rv;
+}
+
+static int set_expected_hash(const char *val, const struct kernel_param *kp)
+{
+	int rv = param_set_uint(val, kp);
+	ksu_invalidate_manager_uid();
+	pr_info("ksu_expected_hash set to %x", ksu_expected_hash);
+	return rv;
+}
+
+static struct kernel_param_ops expected_size_ops = {
+	.set = set_expected_size,
+	.get = param_get_uint,
+};
+
+static struct kernel_param_ops expected_hash_ops = {
+	.set = set_expected_hash,
+	.get = param_get_uint,
+};
+
+module_param_cb(ksu_expected_size, &expected_size_ops, &ksu_expected_size,
+		S_IRUSR | S_IWUSR);
+module_param_cb(ksu_expected_hash, &expected_hash_ops, &ksu_expected_hash,
+		S_IRUSR | S_IWUSR);
 
 int is_manager_apk(char *path)
 {
@@ -137,10 +172,9 @@ int is_manager_apk(char *path)
 
 #else
 
-
 int is_manager_apk(char *path)
 {
 	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
 }
 
-#endif
+#endif

kernel/apk_sign.h

@@ -2,6 +2,6 @@
 #define __KSU_H_APK_V2_SIGN
 
 // return 0 if signature match
-int is_manager_apk(char* path);
+int is_manager_apk(char *path);
 
 #endif

kernel/arch.h

@@ -1,6 +1,8 @@
 #ifndef __KSU_H_ARCH
 #define __KSU_H_ARCH
 
+#include "linux/version.h"
+
 #if defined(__aarch64__)
 
 #define __PT_PARM1_REG regs[0]

kernel/core_hook.c

@@ -0,0 +1,552 @@
+#include "linux/cred.h"
+#include "linux/dcache.h"
+#include "linux/err.h"
+#include "linux/init.h"
+#include "linux/kernel.h"
+#include "linux/kprobes.h"
+#include "linux/lsm_hooks.h"
+#include "linux/path.h"
+#include "linux/printk.h"
+#include "linux/uaccess.h"
+#include "linux/uidgid.h"
+#include "linux/version.h"
+#include "linux/mount.h"
+
+#include "linux/fs.h"
+#include "linux/namei.h"
+#include "linux/rcupdate.h"
+
+#include "allowlist.h"
+#include "arch.h"
+#include "core_hook.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "ksud.h"
+#include "manager.h"
+#include "selinux/selinux.h"
+#include "uid_observer.h"
+#include "kernel_compat.h"
+
+extern int handle_sepolicy(unsigned long arg3, void __user *arg4);
+
+static inline bool is_allow_su()
+{
+	if (is_manager()) {
+		// we are manager, allow!
+		return true;
+	}
+	return ksu_is_allow_uid(current_uid().val);
+}
+
+static inline bool is_isolated_uid(uid_t uid) {
+    #define FIRST_ISOLATED_UID 99000
+    #define LAST_ISOLATED_UID 99999
+    #define FIRST_APP_ZYGOTE_ISOLATED_UID 90000
+    #define LAST_APP_ZYGOTE_ISOLATED_UID 98999
+    uid_t appid = uid % 100000;
+    return (appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID)
+                || (appid >= FIRST_APP_ZYGOTE_ISOLATED_UID && appid <= LAST_APP_ZYGOTE_ISOLATED_UID);
+}
+
+static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
+
+void escape_to_root(void)
+{
+	struct cred *cred;
+
+	cred = (struct cred *)__task_cred(current);
+
+	memset(&cred->uid, 0, sizeof(cred->uid));
+	memset(&cred->gid, 0, sizeof(cred->gid));
+	memset(&cred->suid, 0, sizeof(cred->suid));
+	memset(&cred->euid, 0, sizeof(cred->euid));
+	memset(&cred->egid, 0, sizeof(cred->egid));
+	memset(&cred->fsuid, 0, sizeof(cred->fsuid));
+	memset(&cred->fsgid, 0, sizeof(cred->fsgid));
+	memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
+	memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
+	memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
+	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
+	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
+
+	// disable seccomp
+#if defined(CONFIG_GENERIC_ENTRY) &&                                           \
+	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+	current_thread_info()->syscall_work &= ~SYSCALL_WORK_SECCOMP;
+#else
+	current_thread_info()->flags &= ~(TIF_SECCOMP | _TIF_SECCOMP);
+#endif
+
+#ifdef CONFIG_SECCOMP
+	current->seccomp.mode = 0;
+	current->seccomp.filter = NULL;
+#else
+#endif
+
+	// setgroup to root
+	if (cred->group_info)
+		put_group_info(cred->group_info);
+	cred->group_info = get_group_info(&root_groups);
+
+	setup_selinux();
+}
+
+int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
+{
+	if (!current->mm) {
+		// skip kernel threads
+		return 0;
+	}
+
+	if (current_uid().val != 1000) {
+		// skip non system uid
+		return 0;
+	}
+
+	if (!old_dentry || !new_dentry) {
+		return 0;
+	}
+
+	// /data/system/packages.list.tmp -> /data/system/packages.list
+	if (strcmp(new_dentry->d_iname, "packages.list")) {
+		return 0;
+	}
+
+	char path[128];
+	char *buf = dentry_path_raw(new_dentry, path, sizeof(path));
+	if (IS_ERR(buf)) {
+		pr_err("dentry_path_raw failed.\n");
+		return 0;
+	}
+
+	if (strcmp(buf, "/system/packages.list")) {
+		return 0;
+	}
+	pr_info("renameat: %s -> %s, new path: %s", old_dentry->d_iname,
+		new_dentry->d_iname, buf);
+
+	update_uid();
+
+	return 0;
+}
+
+int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
+		     unsigned long arg4, unsigned long arg5)
+{
+	// if success, we modify the arg5 as result!
+	u32 *result = (u32 *)arg5;
+	u32 reply_ok = KERNEL_SU_OPTION;
+
+	if (KERNEL_SU_OPTION != option) {
+		return 0;
+	}
+
+	// always ignore isolated app uid
+	if (is_isolated_uid(current_uid().val)) {
+		return 0;
+	}
+
+	static uid_t last_failed_uid = -1;
+	if (last_failed_uid == current_uid().val) {
+		return 0;
+	}
+
+	// pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+
+	if (arg2 == CMD_BECOME_MANAGER) {
+		// quick check
+		if (is_manager()) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("become_manager: prctl reply error\n");
+			}
+			return 0;
+		}
+		if (ksu_is_manager_uid_valid()) {
+			pr_info("manager already exist: %d\n",
+				ksu_get_manager_uid());
+			return 0;
+		}
+
+		// someone wants to be root manager, just check it!
+		// arg3 should be `/data/data/<manager_package_name>`
+		char param[128];
+		const char *prefix = "/data/data/";
+		if (copy_from_user(param, arg3, sizeof(param))) {
+			pr_err("become_manager: copy param err\n");
+			return 0;
+		}
+
+		if (startswith(param, (char *)prefix) != 0) {
+			pr_info("become_manager: invalid param: %s\n", param);
+			return 0;
+		}
+
+		// stat the param, app must have permission to do this
+		// otherwise it may fake the path!
+		struct path path;
+		if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
+			pr_err("become_manager: kern_path err\n");
+			return 0;
+		}
+		if (path.dentry->d_inode->i_uid.val != current_uid().val) {
+			pr_err("become_manager: path uid != current uid\n");
+			path_put(&path);
+			return 0;
+		}
+		char *pkg = param + strlen(prefix);
+		pr_info("become_manager: param pkg: %s\n", pkg);
+
+		bool success = become_manager(pkg);
+		if (success) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("become_manager: prctl reply error\n");
+			}
+		}
+		path_put(&path);
+		return 0;
+	}
+
+	if (arg2 == CMD_GRANT_ROOT) {
+		if (is_allow_su()) {
+			pr_info("allow root for: %d\n", current_uid());
+			escape_to_root();
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("grant_root: prctl reply error\n");
+			}
+		} else {
+			pr_info("deny root for: %d\n", current_uid());
+			// add it to deny list!
+			ksu_allow_uid(current_uid().val, false, true);
+		}
+		return 0;
+	}
+
+	// Both root manager and root processes should be allowed to get version
+	if (arg2 == CMD_GET_VERSION) {
+		if (is_manager() || 0 == current_uid().val) {
+			u32 version = KERNEL_SU_VERSION;
+			if (copy_to_user(arg3, &version, sizeof(version))) {
+				pr_err("prctl reply error, cmd: %d\n", arg2);
+			}
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_REPORT_EVENT) {
+		if (0 != current_uid().val) {
+			return 0;
+		}
+		switch (arg3) {
+		case EVENT_POST_FS_DATA: {
+			static bool post_fs_data_lock = false;
+			if (!post_fs_data_lock) {
+				post_fs_data_lock = true;
+				pr_info("post-fs-data triggered");
+				on_post_fs_data();
+			}
+			break;
+		}
+		case EVENT_BOOT_COMPLETED: {
+			static bool boot_complete_lock = false;
+			if (!boot_complete_lock) {
+				boot_complete_lock = true;
+				pr_info("boot_complete triggered");
+			}
+			break;
+		}
+		default:
+			break;
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_SET_SEPOLICY) {
+		if (0 != current_uid().val) {
+			return 0;
+		}
+		if (!handle_sepolicy(arg3, arg4)) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("sepolicy: prctl reply error\n");
+			}
+		}
+
+		return 0;
+	}
+
+	if (arg2 == CMD_CHECK_SAFEMODE) {
+		if (!is_manager() && 0 != current_uid().val) {
+			return 0;
+		}
+		if (ksu_is_safe_mode()) {
+			pr_warn("safemode enabled!\n");
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("safemode: prctl reply error\n");
+			}
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
+		if (is_manager() || 0 == current_uid().val) {
+			u32 array[128];
+			u32 array_length;
+			bool success =
+				ksu_get_allow_list(array, &array_length,
+						   arg2 == CMD_GET_ALLOW_LIST);
+			if (success) {
+				if (!copy_to_user(arg4, &array_length,
+						  sizeof(array_length)) &&
+				    !copy_to_user(arg3, array,
+						  sizeof(u32) * array_length)) {
+					if (copy_to_user(result, &reply_ok,
+							 sizeof(reply_ok))) {
+						pr_err("prctl reply error, cmd: %d\n",
+						       arg2);
+					}
+				} else {
+					pr_err("prctl copy allowlist error\n");
+				}
+			}
+		}
+		return 0;
+	}
+
+	// all other cmds are for 'root manager'
+	if (!is_manager()) {
+		last_failed_uid = current_uid().val;
+		return 0;
+	}
+
+	// we are already manager
+	if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
+		bool allow = arg2 == CMD_ALLOW_SU;
+		bool success = false;
+		uid_t uid = (uid_t)arg3;
+		success = ksu_allow_uid(uid, allow, true);
+		if (success) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %d\n", arg2);
+			}
+		}
+		ksu_show_allow_list();
+		return 0;
+	}
+
+	return 0;
+}
+
+static bool is_appuid(kuid_t uid) {
+	#define PER_USER_RANGE 100000
+	#define FIRST_APPLICATION_UID 10000
+	#define LAST_APPLICATION_UID 19999
+
+	uid_t appid = uid.val % PER_USER_RANGE;
+	return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
+}
+
+static bool should_umount(struct path* path) {
+	if (!path) {
+		return false;
+	}
+
+	if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) {
+		const char* fstype = path->mnt->mnt_sb->s_type->name;
+		return strcmp(fstype, "overlay") == 0;
+	}
+	return false;
+}
+
+static void try_umount(const char *mnt) {
+	struct path path;
+	int err = kern_path(mnt, 0, &path);
+	if (err) {
+		return;
+	}
+
+	// we are only interest in some specific mounts
+	if (!should_umount(&path)) {
+		return;
+	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	err = path_umount(&path, 0);
+	if (err) {
+		pr_info("umount %s failed: %d\n", mnt, err);
+	}
+#endif
+}
+
+int ksu_handle_setuid(struct cred *new, const struct cred *old) {
+	if (!new || !old) {
+		return 0;
+	}
+
+	kuid_t new_uid = new->uid;
+	kuid_t old_uid = old->uid;
+
+	if (0 != old_uid.val) {
+		// old process is not root, ignore it.
+		return 0;
+	}
+
+	// todo: check old process's selinux context, if it is not zygote, ignore it!
+
+	if (!is_appuid(new_uid)) {
+		// pr_info("handle setuid ignore non application uid: %d\n", new_uid.val);
+		return 0;
+	}
+
+	if (ksu_is_allow_uid(new_uid.val)) {
+		// pr_info("handle setuid ignore allowed application: %d\n", new_uid.val);
+		return 0;
+	}
+
+	// umount the target mnt
+	pr_info("handle umount for uid: %d\n", new_uid.val);
+
+	// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
+	// filter the mountpoint whose target is `/data/adb`
+	try_umount("/system");
+	try_umount("/vendor");
+	try_umount("/product");
+
+	return 0;
+}
+
+// Init functons
+
+static int handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+	struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
+#else
+	struct pt_regs *real_regs = regs;
+#endif
+	int option = (int)PT_REGS_PARM1(real_regs);
+	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
+	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
+	unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
+	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
+
+	return ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
+}
+
+static struct kprobe prctl_kp = {
+	.symbol_name = PRCTL_SYMBOL,
+	.pre_handler = handler_pre,
+};
+
+static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 12, 0)
+	// https://elixir.bootlin.com/linux/v5.12-rc1/source/include/linux/fs.h
+	struct renamedata *rd = PT_REGS_PARM1(regs);
+	struct dentry *old_entry = rd->old_dentry;
+	struct dentry *new_entry = rd->new_dentry;
+#else
+	struct dentry *old_entry = (struct dentry *)PT_REGS_PARM2(regs);
+	struct dentry *new_entry = (struct dentry *)PT_REGS_PARM4(regs);
+#endif
+
+	return ksu_handle_rename(old_entry, new_entry);
+}
+
+static struct kprobe renameat_kp = {
+	.symbol_name = "vfs_rename",
+	.pre_handler = renameat_handler_pre,
+};
+
+__maybe_unused int ksu_kprobe_init(void)
+{
+	int rc = 0;
+	rc = register_kprobe(&prctl_kp);
+
+	if (rc) {
+		pr_info("prctl kprobe failed: %d.\n", rc);
+		return rc;
+	}
+
+	rc = register_kprobe(&renameat_kp);
+	pr_info("renameat kp: %d\n", rc);
+
+	return rc;
+}
+
+__maybe_unused int ksu_kprobe_exit(void)
+{
+	unregister_kprobe(&prctl_kp);
+	unregister_kprobe(&renameat_kp);
+	return 0;
+}
+
+static int ksu_task_prctl(int option, unsigned long arg2, unsigned long arg3,
+			  unsigned long arg4, unsigned long arg5)
+{
+	ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
+	return -ENOSYS;
+}
+// kernel 4.4 and 4.9
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
+			      unsigned perm)
+{
+	if (init_session_keyring != NULL) {
+		return 0;
+	}
+	if (strcmp(current->comm, "init")) {
+		// we are only interested in `init` process
+		return 0;
+	}
+	init_session_keyring = cred->session_keyring;
+	pr_info("kernel_compat: got init_session_keyring");
+	return 0;
+}
+#endif
+static int ksu_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
+			    struct inode *new_inode, struct dentry *new_dentry)
+{
+	return ksu_handle_rename(old_dentry, new_dentry);
+}
+
+static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
+			     int flags) {
+	return ksu_handle_setuid(new, old);
+}
+
+static struct security_hook_list ksu_hooks[] = {
+	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
+	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
+	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+	LSM_HOOK_INIT(key_permission, ksu_key_permission)
+#endif
+};
+
+void __init ksu_lsm_hook_init(void)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
+#else
+	// https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
+	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks));
+#endif
+}
+
+void __init ksu_core_init(void)
+{
+#ifndef MODULE
+	pr_info("ksu_lsm_hook_init\n");
+	ksu_lsm_hook_init();
+#else
+	pr_info("ksu_kprobe_init\n");
+	ksu_kprobe_init();
+#endif
+}
+
+void ksu_core_exit(void)
+{
+#ifndef MODULE
+	pr_info("ksu_kprobe_exit\n");
+	ksu_kprobe_exit();
+#endif
+}

kernel/core_hook.h

@@ -0,0 +1,9 @@
+#ifndef __KSU_H_KSU_CORE
+#define __KSU_H_KSU_CORE
+
+#include "linux/init.h"
+
+void __init ksu_core_init(void);
+void ksu_core_exit(void);
+
+#endif

kernel/embed_ksud.c

@@ -0,0 +1,5 @@
+// WARNING: THIS IS A STUB FILE
+// This file will be regenerated by CI
+
+unsigned int ksud_size = 0;
+const char ksud[0] = {};

kernel/include/ksu_hook.h

@@ -0,0 +1,28 @@
+#ifndef __KSU_H_KSHOOK
+#define __KSU_H_KSHOOK
+
+#include "linux/fs.h"
+#include "linux/types.h"
+
+// For sucompat
+
+int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
+			 int *flags);
+
+int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags);
+
+// For ksud
+
+int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
+			size_t *count_ptr, loff_t **pos);
+
+// For ksud and sucompat
+
+int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
+			void *envp, int *flags);
+
+// For volume button
+int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, 
+				  int *value);
+
+#endif

kernel/kernel_compat.c

@@ -0,0 +1,34 @@
+#include "linux/version.h"
+#include "linux/fs.h"
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#include "linux/key.h"
+#include "linux/errno.h"
+struct key *init_session_keyring = NULL;
+#endif
+ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos){
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+    return kernel_read(p, buf, count, pos);
+#else
+    loff_t offset = pos ? *pos : 0;
+    ssize_t result = kernel_read(p, offset, (char *)buf, count);
+    if (pos && result > 0)
+    {
+        *pos = offset + result;
+    }
+    return result;
+#endif
+}
+
+ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos){
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+    return kernel_write(p, buf, count, pos);
+#else
+    loff_t offset = pos ? *pos : 0;
+    ssize_t result = kernel_write(p, buf, count, offset);
+    if (pos && result > 0)
+    {
+        *pos = offset + result;
+    }
+    return result;
+#endif
+}

kernel/kernel_compat.h

@@ -0,0 +1,42 @@
+#ifndef __KSU_H_KERNEL_COMPAT
+#define __KSU_H_KERNEL_COMPAT
+
+#include "linux/fs.h"
+#include "linux/key.h"
+#include "linux/version.h"
+
+extern struct key *init_session_keyring;
+
+extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos);
+extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos);
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+static inline int install_session_keyring(struct key *keyring)
+{
+	struct cred *new;
+	int ret;
+
+	new = prepare_creds();
+	if (!new)
+		return -ENOMEM;
+
+	ret = install_session_keyring_to_cred(new, keyring);
+	if (ret < 0) {
+		abort_creds(new);
+		return ret;
+	}
+
+	return commit_creds(new);
+}
+#define KWORKER_INSTALL_KEYRING()                           \
+	static bool keyring_installed = false;                  \
+	if (init_session_keyring != NULL && !keyring_installed) \
+	{                                                       \
+		install_session_keyring(init_session_keyring);      \
+		keyring_installed = true;                           \
+	}
+#else
+#define KWORKER_INSTALL_KEYRING()
+#endif
+
+#endif

kernel/klog.h

@@ -1,6 +1,8 @@
 #ifndef __KSU_H_KLOG
 #define __KSU_H_KLOG
 
+#include <linux/printk.h>
+
 #ifdef pr_fmt
 #undef pr_fmt
 #define pr_fmt(fmt) "KernelSU: " fmt

kernel/ksu.c

@@ -1,356 +1,86 @@
-#include <asm-generic/errno-base.h>
-#include <linux/cpu.h>
-#include <linux/cred.h>
-#include <linux/gfp.h>
-#include <linux/init.h>
-#include <linux/kernel.h>
-#include <linux/kprobes.h>
-#include <linux/memory.h>
-#include <linux/module.h>
-#include <linux/printk.h>
-#include <linux/slab.h>
-#include <linux/string.h>
-#include <linux/uaccess.h>
-#include <linux/uidgid.h>
-#include <linux/version.h>
-
-#include <linux/fdtable.h>
-#include <linux/fs.h>
-#include <linux/fs_struct.h>
-#include <linux/namei.h>
-#include <linux/rcupdate.h>
-
-#include <linux/delay.h> // msleep
+#include "linux/fs.h"
+#include "linux/module.h"
+#include "linux/workqueue.h"
 
 #include "allowlist.h"
-#include "apk_sign.h"
 #include "arch.h"
-#include "klog.h"
+#include "core_hook.h"
+#include "klog.h" // IWYU pragma: keep
 #include "ksu.h"
-#include "selinux/selinux.h"
 #include "uid_observer.h"
 
-static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
+static struct workqueue_struct *ksu_workqueue;
 
-uid_t ksu_manager_uid = INVALID_UID;
-
-void escape_to_root()
+bool ksu_queue_work(struct work_struct *work)
 {
-	struct cred *cred;
-
-	cred = (struct cred *)__task_cred(current);
-
-	memset(&cred->uid, 0, sizeof(cred->uid));
-	memset(&cred->gid, 0, sizeof(cred->gid));
-	memset(&cred->suid, 0, sizeof(cred->suid));
-	memset(&cred->euid, 0, sizeof(cred->euid));
-	memset(&cred->egid, 0, sizeof(cred->egid));
-	memset(&cred->fsuid, 0, sizeof(cred->fsuid));
-	memset(&cred->fsgid, 0, sizeof(cred->fsgid));
-	memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
-	memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
-	memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
-	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
-	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
-
-	// disable seccomp
-#if defined(CONFIG_GENERIC_ENTRY) &&                                           \
-	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
-	current_thread_info()->syscall_work &= ~SYSCALL_WORK_SECCOMP;
-#else
-	current_thread_info()->flags &= ~(TIF_SECCOMP | _TIF_SECCOMP);
-#endif
-	current->seccomp.mode = 0;
-	current->seccomp.filter = NULL;
-
-	// setgroup to root
-	if (cred->group_info)
-		put_group_info(cred->group_info);
-	cred->group_info = get_group_info(&root_groups);
-
-	setup_selinux();
+	return queue_work(ksu_workqueue, work);
 }
 
-int startswith(char *s, char *prefix)
+extern int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
+					void *argv, void *envp, int *flags);
+
+extern int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
+				    void *argv, void *envp, int *flags);
+
+int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
+			void *envp, int *flags)
 {
-	return strncmp(s, prefix, strlen(prefix));
+	ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
+					    flags);
 }
 
-int endswith(const char *s, const char *t)
+extern void ksu_enable_sucompat();
+extern void ksu_enable_ksud();
+
+int __init kernelsu_init(void)
 {
-	size_t slen = strlen(s);
-	size_t tlen = strlen(t);
-	if (tlen > slen)
-		return 1;
-	return strcmp(s + slen - tlen, t);
-}
-
-static bool is_manager()
-{
-	return ksu_manager_uid == current_uid().val;
-}
-
-static bool become_manager(char *pkg)
-{
-	struct fdtable *files_table;
-	int i = 0;
-	struct path files_path;
-	char *cwd;
-	char *buf;
-	bool result = false;
-
-	// must be zygote's direct child, otherwise any app can fork a new process and
-	// open manager's apk
-	if (task_uid(current->real_parent).val != 0) {
-		pr_info("parent is not zygote!\n");
-		return false;
-	}
-
-	if (ksu_is_manager_uid_valid()) {
-		pr_info("manager already exist: %d\n", ksu_manager_uid);
-		return is_manager();
-	}
-
-	buf = (char *)kmalloc(PATH_MAX, GFP_ATOMIC);
-	if (!buf) {
-		pr_err("kalloc path failed.\n");
-		return false;
-	}
-
-	files_table = files_fdtable(current->files);
-
-	// todo: use iterate_fd
-	while (files_table->fd[i] != NULL) {
-		files_path = files_table->fd[i]->f_path;
-		if (!d_is_reg(files_path.dentry)) {
-			i++;
-			continue;
-		}
-		cwd = d_path(&files_path, buf, PATH_MAX);
-		if (startswith(cwd, "/data/app/") == 0 &&
-		    endswith(cwd, "/base.apk") == 0) {
-			// we have found the apk!
-			pr_info("found apk: %s", cwd);
-			if (!strstr(cwd, pkg)) {
-				pr_info("apk path not match package name!\n");
-				i++;
-				continue;
-			}
-			if (is_manager_apk(cwd) == 0) {
-				// check passed
-				uid_t uid = current_uid().val;
-				pr_info("manager uid: %d\n", uid);
-
-				ksu_set_manager_uid(uid);
-
-				result = true;
-				goto clean;
-			} else {
-				pr_info("manager signature invalid!");
-			}
-
-			break;
-		}
-		i++;
-	}
-
-clean:
-	kfree(buf);
-	return result;
-}
-
-static bool is_allow_su()
-{
-	uid_t uid = current_uid().val;
-	if (uid == ksu_manager_uid) {
-		// we are manager, allow!
-		return true;
-	}
-
-	return ksu_is_allow_uid(uid);
-}
-
-extern void enable_sucompat();
-
-static int handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
-	struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
-#else
-	struct pt_regs *real_regs = regs;
-#endif
-	int option = (int)PT_REGS_PARM1(real_regs);
-	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
-	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
-	unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
-	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
-
-	// if success, we modify the arg5 as result!
-	u32 *result = (u32 *)arg5;
-	u32 reply_ok = KERNEL_SU_OPTION;
-
-	if (KERNEL_SU_OPTION != option) {
-		return 0;
-	}
-
-	pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
-
-	if (arg2 == CMD_BECOME_MANAGER) {
-		// someone wants to be root manager, just check it!
-		// arg3 should be `/data/data/<manager_package_name>`
-		char param[128];
-		const char *prefix = "/data/data/";
-		if (copy_from_user(param, arg3, sizeof(param))) {
-			pr_err("become_manager: copy param err\n");
-			return 0;
-		}
-
-		if (startswith(param, (char *)prefix) != 0) {
-			pr_info("become_manager: invalid param: %s\n", param);
-			return 0;
-		}
-
-		// stat the param, app must have permission to do this
-		// otherwise it may fake the path!
-		struct path path;
-		if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
-			pr_err("become_manager: kern_path err\n");
-			return 0;
-		}
-		if (path.dentry->d_inode->i_uid.val != current_uid().val) {
-			pr_err("become_manager: path uid != current uid\n");
-			path_put(&path);
-			return 0;
-		}
-		char *pkg = param + strlen(prefix);
-		pr_info("become_manager: param pkg: %s\n", pkg);
-
-		bool success = become_manager(pkg);
-		if (success) {
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("become_manager: prctl reply error\n");
-			}
-		}
-		path_put(&path);
-		return 0;
-	}
-
-	if (arg2 == CMD_GRANT_ROOT) {
-		if (is_allow_su()) {
-			pr_info("allow root for: %d\n", current_uid());
-			escape_to_root();
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("grant_root: prctl reply error\n");
-			}
-		} else {
-			pr_info("deny root for: %d\n", current_uid());
-			// add it to deny list!
-			ksu_allow_uid(current_uid().val, false);
-		}
-		return 0;
-	}
-
-	// Both root manager and root processes should be allowed to get version
-	if (arg2 == CMD_GET_VERSION) {
-		if (is_manager() || 0 == current_uid().val) {
-			u32 version = KERNEL_SU_VERSION;
-			if (copy_to_user(arg3, &version, sizeof(version))) {
-				pr_err("prctl reply error, cmd: %d\n", arg2);
-				return 0;
-			}
-		}
-	}
-
-	// all other cmds are for 'root manager'
-	if (!is_manager()) {
-		pr_info("Only manager can do cmd: %d\n", arg2);
-		return 0;
-	}
-
-	// we are already manager
-	if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
-		bool allow = arg2 == CMD_ALLOW_SU;
-		bool success = false;
-		uid_t uid = (uid_t)arg3;
-		success = ksu_allow_uid(uid, allow);
-		if (success) {
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("prctl reply error, cmd: %d\n", arg2);
-			}
-		}
-	} else if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
-		u32 array[128];
-		u32 array_length;
-		bool success = ksu_get_allow_list(array, &array_length,
-						  arg2 == CMD_GET_ALLOW_LIST);
-		if (success) {
-			if (!copy_to_user(arg4, &array_length,
-					  sizeof(array_length)) &&
-			    !copy_to_user(arg3, array,
-					  sizeof(u32) * array_length)) {
-				if (!copy_to_user(result, &reply_ok,
-						  sizeof(reply_ok))) {
-					pr_err("prctl reply error, cmd: %d\n",
-					       arg2);
-				}
-			} else {
-				pr_err("prctl copy allowlist error\n");
-			}
-		}
-	}
-
-	return 0;
-}
-
-static struct kprobe kp = {
-	.symbol_name = PRCTL_SYMBOL,
-	.pre_handler = handler_pre,
-};
-
-int kernelsu_init(void)
-{
-	int rc = 0;
-
 #ifdef CONFIG_KSU_DEBUG
-	pr_alert("You are running DEBUG version of KernelSU");
+	pr_alert("*************************************************************");
+	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
+	pr_alert("**                                                         **");
+	pr_alert("**         You are running DEBUG version of KernelSU       **");
+	pr_alert("**                                                         **");
+	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
+	pr_alert("*************************************************************");
 #endif
 
+	ksu_core_init();
+
+	ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);
+
 	ksu_allowlist_init();
 
-	rc = register_kprobe(&kp);
-	if (rc) {
-		pr_info("prctl kprobe failed: %d, please check your kernel config.\n",
-			rc);
-		return rc;
-	}
-
 	ksu_uid_observer_init();
 
-	enable_sucompat();
+#ifdef CONFIG_KPROBES
+	ksu_enable_sucompat();
+	ksu_enable_ksud();
+#else
+#warning("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html")
+#endif
 
 	return 0;
 }
 
 void kernelsu_exit(void)
 {
-	// should never happen...
-	unregister_kprobe(&kp);
-
 	ksu_allowlist_exit();
+
+	ksu_uid_observer_exit();
+
+	destroy_workqueue(ksu_workqueue);
+
+	ksu_core_exit();
 }
 
 module_init(kernelsu_init);
 module_exit(kernelsu_exit);
 
-#ifndef CONFIG_KPROBES
-#error("`CONFIG_KPROBES` must be enabled for KernelSU!")
-#endif
-
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("weishu");
-MODULE_DESCRIPTION("Android GKI KernelSU");
+MODULE_DESCRIPTION("Android KernelSU");
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
-MODULE_IMPORT_NS(
-	VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver); // 5+才需要导出命名空间
+MODULE_IMPORT_NS(VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver);
 #endif

kernel/ksu.h

@@ -1,38 +1,45 @@
 #ifndef __KSU_H_KSU
 #define __KSU_H_KSU
 
-#include "linux/uidgid.h"
-#define KERNEL_SU_VERSION 9
+#include "linux/workqueue.h"
+
+#ifndef KSU_GIT_VERSION
+#warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!"
+#define KERNEL_SU_VERSION (16)
+#else
+#define KERNEL_SU_VERSION (10000 + KSU_GIT_VERSION + 200) // major * 10000 + git version + 200 for historical reasons
+#endif
 
 #define KERNEL_SU_OPTION 0xDEADBEEF
 
 #define CMD_GRANT_ROOT 0
-
 #define CMD_BECOME_MANAGER 1
 #define CMD_GET_VERSION 2
 #define CMD_ALLOW_SU 3
 #define CMD_DENY_SU 4
 #define CMD_GET_ALLOW_LIST 5
 #define CMD_GET_DENY_LIST 6
+#define CMD_REPORT_EVENT 7
+#define CMD_SET_SEPOLICY 8
+#define CMD_CHECK_SAFEMODE 9
 
-#define INVALID_UID -1
+#define EVENT_POST_FS_DATA 1
+#define EVENT_BOOT_COMPLETED 2
 
-extern uid_t ksu_manager_uid;
+bool ksu_queue_work(struct work_struct *work);
 
-static inline bool ksu_is_manager_uid_valid() {
-    return ksu_manager_uid != INVALID_UID;
+static inline int startswith(char *s, char *prefix)
+{
+	return strncmp(s, prefix, strlen(prefix));
 }
 
-static inline uid_t ksu_get_manager_uid() {
-    return ksu_manager_uid;
+static inline int endswith(const char *s, const char *t)
+{
+	size_t slen = strlen(s);
+	size_t tlen = strlen(t);
+	if (tlen > slen)
+		return 1;
+	return strcmp(s + slen - tlen, t);
 }
 
-static inline void ksu_set_manager_uid(uid_t uid) {
-    ksu_manager_uid = uid;
-}
-
-static inline void ksu_invalidate_manager_uid() {
-    ksu_manager_uid = INVALID_UID;
-}
-
-#endif
+#endif

kernel/ksud.c

@@ -0,0 +1,498 @@
+#include "asm/current.h"
+#include "linux/string.h"
+#include "linux/cred.h"
+#include "linux/dcache.h"
+#include "linux/err.h"
+#include "linux/fs.h"
+#include "linux/input-event-codes.h"
+#include "linux/kprobes.h"
+#include "linux/printk.h"
+#include "linux/types.h"
+#include "linux/uaccess.h"
+#include "linux/version.h"
+#include "linux/workqueue.h"
+#include "linux/input.h"
+
+#include "allowlist.h"
+#include "arch.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
+#include "selinux/selinux.h"
+
+static const char KERNEL_SU_RC[] =
+	"\n"
+
+	"on post-fs-data\n"
+	// We should wait for the post-fs-data finish
+	"    exec u:r:su:s0 root -- " KSUD_PATH " post-fs-data\n"
+	"\n"
+
+	"on nonencrypted\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
+	"\n"
+
+	"on property:vold.decrypt=trigger_restart_framework\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
+	"\n"
+
+	"on property:sys.boot_completed=1\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " boot-completed\n"
+	"\n"
+
+	"\n";
+
+static void stop_vfs_read_hook();
+static void stop_execve_hook();
+static void stop_input_hook();
+
+#ifdef CONFIG_KPROBES
+static struct work_struct stop_vfs_read_work;
+static struct work_struct stop_execve_hook_work;
+static struct work_struct stop_input_hook_work;
+#else
+static bool vfs_read_hook = true;
+static bool execveat_hook = true;
+static bool input_hook = true;
+#endif
+
+void on_post_fs_data(void)
+{
+	static bool done = false;
+	if (done) {
+		pr_info("on_post_fs_data already done");
+		return;
+	}
+	done = true;
+	pr_info("on_post_fs_data!");
+	ksu_load_allow_list();
+	// sanity check, this may influence the performance
+	stop_input_hook();
+}
+
+#define MAX_ARG_STRINGS 0x7FFFFFFF
+struct user_arg_ptr {
+#ifdef CONFIG_COMPAT
+	bool is_compat;
+#endif
+	union {
+		const char __user *const __user *native;
+#ifdef CONFIG_COMPAT
+		const compat_uptr_t __user *compat;
+#endif
+	} ptr;
+};
+
+static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+{
+	const char __user *native;
+
+#ifdef CONFIG_COMPAT
+	if (unlikely(argv.is_compat)) {
+		compat_uptr_t compat;
+
+		if (get_user(compat, argv.ptr.compat + nr))
+			return ERR_PTR(-EFAULT);
+
+		return compat_ptr(compat);
+	}
+#endif
+
+	if (get_user(native, argv.ptr.native + nr))
+		return ERR_PTR(-EFAULT);
+
+	return native;
+}
+
+/*
+ * count() counts the number of strings in array ARGV.
+ */
+static int count(struct user_arg_ptr argv, int max)
+{
+	int i = 0;
+
+	if (argv.ptr.native != NULL) {
+		for (;;) {
+			const char __user *p = get_user_arg_ptr(argv, i);
+
+			if (!p)
+				break;
+
+			if (IS_ERR(p))
+				return -EFAULT;
+
+			if (i >= max)
+				return -E2BIG;
+			++i;
+
+			if (fatal_signal_pending(current))
+				return -ERESTARTNOHAND;
+			cond_resched();
+		}
+	}
+	return i;
+}
+
+int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
+			     void *argv, void *envp, int *flags)
+{
+#ifndef CONFIG_KPROBES
+	if (!execveat_hook) {
+		return 0;
+	}
+#endif
+	struct filename *filename;
+
+	static const char app_process[] = "/system/bin/app_process";
+	static bool first_app_process = true;
+	static const char system_bin_init[] = "/system/bin/init";
+	static bool init_second_stage_executed = false;
+
+	if (!filename_ptr)
+		return 0;
+
+	filename = *filename_ptr;
+	if (IS_ERR(filename)) {
+		return 0;
+	}
+
+	if (!memcmp(filename->name, system_bin_init,
+		    sizeof(system_bin_init) - 1)) {
+		// /system/bin/init executed
+		struct user_arg_ptr *ptr = (struct user_arg_ptr*) argv;
+		int argc = count(*ptr, MAX_ARG_STRINGS);
+		pr_info("/system/bin/init argc: %d\n", argc);
+		if (argc > 1 && !init_second_stage_executed) {
+			const char __user *p = get_user_arg_ptr(*ptr, 1);
+			if (p && !IS_ERR(p)) {
+				char first_arg[16];
+				#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+                                strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+                                #elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
+                                strncpy_from_unsafe_user(first_arg, p, sizeof(first_arg));
+                                #else
+                                strncpy_from_user(first_arg, p, sizeof(first_arg));
+                                #endif
+				pr_info("first arg: %s\n", first_arg);
+				if (!strcmp(first_arg, "second_stage")) {
+					pr_info("/system/bin/init second_stage executed\n");
+					apply_kernelsu_rules();
+					init_second_stage_executed = true;
+				}
+			} else {
+				pr_err("/system/bin/init parse args err!\n");
+			}
+		}
+	}
+
+	if (first_app_process &&
+	    !memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
+		first_app_process = false;
+		pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed);
+		on_post_fs_data(); // we keep this for old ksud
+		stop_execve_hook();
+	}
+
+	return 0;
+}
+
+static ssize_t (*orig_read)(struct file *, char __user *, size_t, loff_t *);
+static ssize_t (*orig_read_iter)(struct kiocb *, struct iov_iter *);
+static struct file_operations fops_proxy;
+static ssize_t read_count_append = 0;
+
+static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
+			  loff_t *pos)
+{
+	bool first_read = file->f_pos == 0;
+	ssize_t ret = orig_read(file, buf, count, pos);
+	if (first_read) {
+		pr_info("read_proxy append %ld + %ld", ret, read_count_append);
+		ret += read_count_append;
+	}
+	return ret;
+}
+
+static ssize_t read_iter_proxy(struct kiocb *iocb, struct iov_iter *to)
+{
+	bool first_read = iocb->ki_pos == 0;
+	ssize_t ret = orig_read_iter(iocb, to);
+	if (first_read) {
+		pr_info("read_iter_proxy append %ld + %ld", ret,
+			read_count_append);
+		ret += read_count_append;
+	}
+	return ret;
+}
+
+int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
+			size_t *count_ptr, loff_t **pos)
+{
+#ifndef CONFIG_KPROBES
+	if (!vfs_read_hook) {
+		return 0;
+	}
+#endif
+	struct file *file;
+	char __user *buf;
+	size_t count;
+
+	if (strcmp(current->comm, "init")) {
+		// we are only interest in `init` process
+		return 0;
+	}
+
+	file = *file_ptr;
+	if (IS_ERR(file)) {
+		return 0;
+	}
+
+	if (!d_is_reg(file->f_path.dentry)) {
+		return 0;
+	}
+
+	const char *short_name = file->f_path.dentry->d_name.name;
+	if (strcmp(short_name, "atrace.rc")) {
+		// we are only interest `atrace.rc` file name file
+		return 0;
+	}
+	char path[256];
+	char *dpath = d_path(&file->f_path, path, sizeof(path));
+
+	if (IS_ERR(dpath)) {
+		return 0;
+	}
+
+	if (strcmp(dpath, "/system/etc/init/atrace.rc")) {
+		return 0;
+	}
+
+	// we only process the first read
+	static bool rc_inserted = false;
+	if (rc_inserted) {
+		// we don't need this kprobe, unregister it!
+		stop_vfs_read_hook();
+		return 0;
+	}
+	rc_inserted = true;
+
+	// now we can sure that the init process is reading
+	// `/system/etc/init/atrace.rc`
+	buf = *buf_ptr;
+	count = *count_ptr;
+
+	size_t rc_count = strlen(KERNEL_SU_RC);
+
+	pr_info("vfs_read: %s, comm: %s, count: %d, rc_count: %d\n", dpath,
+		current->comm, count, rc_count);
+
+	if (count < rc_count) {
+		pr_err("count: %d < rc_count: %d", count, rc_count);
+		return 0;
+	}
+
+	size_t ret = copy_to_user(buf, KERNEL_SU_RC, rc_count);
+	if (ret) {
+		pr_err("copy ksud.rc failed: %d\n", ret);
+		return 0;
+	}
+
+	// we've succeed to insert ksud.rc, now we need to proxy the read and modify the result!
+	// But, we can not modify the file_operations directly, because it's in read-only memory.
+	// We just replace the whole file_operations with a proxy one.
+	memcpy(&fops_proxy, file->f_op, sizeof(struct file_operations));
+	orig_read = file->f_op->read;
+	if (orig_read) {
+		fops_proxy.read = read_proxy;
+	}
+	orig_read_iter = file->f_op->read_iter;
+	if (orig_read_iter) {
+		fops_proxy.read_iter = read_iter_proxy;
+	}
+	// replace the file_operations
+	file->f_op = &fops_proxy;
+	read_count_append = rc_count;
+
+	*buf_ptr = buf + rc_count;
+	*count_ptr = count - rc_count;
+
+	return 0;
+}
+
+static unsigned int volumedown_pressed_count = 0;
+
+static bool is_volumedown_enough(unsigned int count)
+{
+	return count >= 3;
+}
+
+int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
+				  int *value)
+{
+#ifndef CONFIG_KPROBES
+	if (!input_hook) {
+		return 0;
+	}
+#endif
+	if (*type == EV_KEY && *code == KEY_VOLUMEDOWN) {
+		int val = *value;
+		pr_info("KEY_VOLUMEDOWN val: %d\n", val);
+		if (val) {
+			// key pressed, count it
+			volumedown_pressed_count += 1;
+			if (is_volumedown_enough(volumedown_pressed_count)) {
+				stop_input_hook();
+			}
+		}
+	}
+
+	return 0;
+}
+
+bool ksu_is_safe_mode()
+{
+	static bool safe_mode = false;
+	if (safe_mode) {
+		// don't need to check again, userspace may call multiple times
+		return true;
+	}
+
+	// stop hook first!
+	stop_input_hook();
+
+	pr_info("volumedown_pressed_count: %d\n", volumedown_pressed_count);
+	if (is_volumedown_enough(volumedown_pressed_count)) {
+		// pressed over 3 times
+		pr_info("KEY_VOLUMEDOWN pressed max times, safe mode detected!\n");
+		safe_mode = true;
+		return true;
+	}
+
+	return false;
+}
+
+#ifdef CONFIG_KPROBES
+
+// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
+static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	int *fd = (int *)&PT_REGS_PARM1(regs);
+	struct filename **filename_ptr =
+		(struct filename **)&PT_REGS_PARM2(regs);
+	void *argv = (void *)&PT_REGS_PARM3(regs);
+	void *envp = (void *)&PT_REGS_PARM4(regs);
+	int *flags = (int *)&PT_REGS_PARM5(regs);
+
+	return ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+}
+
+static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct file **file_ptr = (struct file **)&PT_REGS_PARM1(regs);
+	char __user **buf_ptr = (char **)&PT_REGS_PARM2(regs);
+	size_t *count_ptr = (size_t *)&PT_REGS_PARM3(regs);
+	loff_t **pos_ptr = (loff_t **)&PT_REGS_PARM4(regs);
+
+	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
+}
+
+static int input_handle_event_handler_pre(struct kprobe *p,
+					  struct pt_regs *regs)
+{
+	unsigned int *type = (unsigned int *)&PT_REGS_PARM2(regs);
+	unsigned int *code = (unsigned int *)&PT_REGS_PARM3(regs);
+	int *value = (int *)&PT_REGS_PARM4(regs);
+	return ksu_handle_input_handle_event(type, code, value);
+}
+
+static struct kprobe execve_kp = {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	.symbol_name = "do_execveat_common",
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
+	.symbol_name = "__do_execve_file",
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
+	.symbol_name = "do_execveat_common",
+#endif
+	.pre_handler = execve_handler_pre,
+};
+
+static struct kprobe vfs_read_kp = {
+	.symbol_name = "vfs_read",
+	.pre_handler = read_handler_pre,
+};
+
+static struct kprobe input_handle_event_kp = {
+	.symbol_name = "input_handle_event",
+	.pre_handler = input_handle_event_handler_pre,
+};
+
+static void do_stop_vfs_read_hook(struct work_struct *work)
+{
+	unregister_kprobe(&vfs_read_kp);
+}
+
+static void do_stop_execve_hook(struct work_struct *work)
+{
+	unregister_kprobe(&execve_kp);
+}
+
+static void do_stop_input_hook(struct work_struct *work)
+{
+	unregister_kprobe(&input_handle_event_kp);
+}
+#endif
+
+static void stop_vfs_read_hook()
+{
+#ifdef CONFIG_KPROBES
+	bool ret = schedule_work(&stop_vfs_read_work);
+	pr_info("unregister vfs_read kprobe: %d!\n", ret);
+#else
+	vfs_read_hook = false;
+#endif
+}
+
+static void stop_execve_hook()
+{
+#ifdef CONFIG_KPROBES
+	bool ret = schedule_work(&stop_execve_hook_work);
+	pr_info("unregister execve kprobe: %d!\n", ret);
+#else
+	execveat_hook = false;
+#endif
+}
+
+static void stop_input_hook()
+{
+	static bool input_hook_stopped = false;
+	if (input_hook_stopped) {
+		return;
+	}
+	input_hook_stopped = true;
+#ifdef CONFIG_KPROBES
+	bool ret = schedule_work(&stop_input_hook_work);
+	pr_info("unregister input kprobe: %d!\n", ret);
+#else
+	input_hook = false;
+#endif
+}
+
+// ksud: module support
+void ksu_enable_ksud()
+{
+#ifdef CONFIG_KPROBES
+	int ret;
+
+	ret = register_kprobe(&execve_kp);
+	pr_info("ksud: execve_kp: %d\n", ret);
+
+	ret = register_kprobe(&vfs_read_kp);
+	pr_info("ksud: vfs_read_kp: %d\n", ret);
+
+	ret = register_kprobe(&input_handle_event_kp);
+	pr_info("ksud: input_handle_event_kp: %d\n", ret);
+
+	INIT_WORK(&stop_vfs_read_work, do_stop_vfs_read_hook);
+	INIT_WORK(&stop_execve_hook_work, do_stop_execve_hook);
+	INIT_WORK(&stop_input_hook_work, do_stop_input_hook);
+#endif
+}

kernel/ksud.h

@@ -0,0 +1,10 @@
+#ifndef __KSU_H_KSUD
+#define __KSU_H_KSUD
+
+#define KSUD_PATH "/data/adb/ksud"
+
+void on_post_fs_data(void);
+
+bool ksu_is_safe_mode(void);
+
+#endif

kernel/manager.c

@@ -0,0 +1,80 @@
+#include "linux/cred.h"
+#include "linux/gfp.h"
+#include "linux/slab.h"
+#include "linux/uidgid.h"
+#include "linux/version.h"
+
+#include "linux/fdtable.h"
+#include "linux/fs.h"
+#include "linux/rcupdate.h"
+
+#include "apk_sign.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "manager.h"
+
+uid_t ksu_manager_uid = INVALID_UID;
+
+bool become_manager(char *pkg)
+{
+	struct fdtable *files_table;
+	int i = 0;
+	struct path files_path;
+	char *cwd;
+	char *buf;
+	bool result = false;
+
+	// must be zygote's direct child, otherwise any app can fork a new process and
+	// open manager's apk
+	if (task_uid(current->real_parent).val != 0) {
+		pr_info("parent is not zygote!\n");
+		return false;
+	}
+
+	buf = (char *)kmalloc(PATH_MAX, GFP_ATOMIC);
+	if (!buf) {
+		pr_err("kalloc path failed.\n");
+		return false;
+	}
+
+	files_table = files_fdtable(current->files);
+
+	// todo: use iterate_fd
+	while (files_table->fd[i] != NULL) {
+		files_path = files_table->fd[i]->f_path;
+		if (!d_is_reg(files_path.dentry)) {
+			i++;
+			continue;
+		}
+		cwd = d_path(&files_path, buf, PATH_MAX);
+		if (startswith(cwd, "/data/app/") == 0 &&
+		    endswith(cwd, "/base.apk") == 0) {
+			// we have found the apk!
+			pr_info("found apk: %s", cwd);
+			if (!strstr(cwd, pkg)) {
+				pr_info("apk path not match package name!\n");
+				i++;
+				continue;
+			}
+			if (is_manager_apk(cwd) == 0) {
+				// check passed
+				uid_t uid = current_uid().val;
+				pr_info("manager uid: %d\n", uid);
+
+				ksu_set_manager_uid(uid);
+
+				result = true;
+				goto clean;
+			} else {
+				pr_info("manager signature invalid!");
+			}
+
+			break;
+		}
+		i++;
+	}
+
+clean:
+	kfree(buf);
+	return result;
+}

kernel/manager.h

@@ -0,0 +1,38 @@
+#ifndef __KSU_H_KSU_MANAGER
+#define __KSU_H_KSU_MANAGER
+
+#include "linux/cred.h"
+#include "linux/types.h"
+
+#define INVALID_UID -1
+
+extern uid_t ksu_manager_uid; // DO NOT DIRECT USE
+
+static inline bool ksu_is_manager_uid_valid()
+{
+	return ksu_manager_uid != INVALID_UID;
+}
+
+static inline bool is_manager()
+{
+	return ksu_manager_uid == current_uid().val;
+}
+
+static inline uid_t ksu_get_manager_uid()
+{
+	return ksu_manager_uid;
+}
+
+static inline void ksu_set_manager_uid(uid_t uid)
+{
+	ksu_manager_uid = uid;
+}
+
+static inline void ksu_invalidate_manager_uid()
+{
+	ksu_manager_uid = INVALID_UID;
+}
+
+bool become_manager(char *pkg);
+
+#endif

kernel/module_api.c

@@ -1,20 +1,20 @@
-#include <linux/kallsyms.h>
-#include <linux/kprobes.h>
+#include "linux/kallsyms.h"
 
-#define RE_EXPORT_SYMBOL1(ret, func, t1, v1)    \
-  ret ksu_##func(t1 v1) {             \
-    return func(v1);               \
-  }                                         \
-  EXPORT_SYMBOL(ksu_##func);                \
+#define RE_EXPORT_SYMBOL1(ret, func, t1, v1)                                   \
+	ret ksu_##func(t1 v1)                                                  \
+	{                                                                      \
+		return func(v1);                                               \
+	}                                                                      \
+	EXPORT_SYMBOL(ksu_##func);
 
-#define RE_EXPORT_SYMBOL2(ret, func, t1, v1, t2, v2)    \
-  ret ksu_##func(t1 v1, t2 v2) {             \
-    return func(v1, v2);               \
-  }                                         \
-  EXPORT_SYMBOL(ksu_##func);                \
+#define RE_EXPORT_SYMBOL2(ret, func, t1, v1, t2, v2)                           \
+	ret ksu_##func(t1 v1, t2 v2)                                           \
+	{                                                                      \
+		return func(v1, v2);                                           \
+	}                                                                      \
+	EXPORT_SYMBOL(ksu_##func);
 
-
-RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char*, name)
+RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char *, name)
 
 // RE_EXPORT_SYMBOL2(int, register_kprobe, struct kprobe *, p)
 // RE_EXPORT_SYMBOL2(void, unregister_kprobe, struct kprobe *, p)

kernel/selinux/rules.c

@@ -1,28 +1,28 @@
-#include <linux/version.h>
-#include "sepolicy.h"
+#include "linux/uaccess.h"
+#include "linux/types.h"
+#include "linux/version.h"
+
+#include "../klog.h" // IWYU pragma: keep
 #include "selinux.h"
+#include "sepolicy.h"
+#include "ss/services.h"
+#include "linux/lsm_audit.h"
+#include "xfrm.h"
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 #define SELINUX_POLICY_INSTEAD_SELINUX_SS
 #endif
 
-#ifndef SELINUX_POLICY_INSTEAD_SELINUX_SS
-#include <ss/services.h>
-#endif
-
 #define KERNEL_SU_DOMAIN "su"
+#define KERNEL_SU_FILE "ksu_file"
+#define KERNEL_EXEC_TYPE "ksu_exec"
 #define ALL NULL
 
-void apply_kernelsu_rules()
+static struct policydb *get_policydb(void)
 {
 	struct policydb *db;
-
-	if (!getenforce()) {
-		pr_info("SELinux permissive or disabled, don't apply rules.");
-		return;
-	}
-
-	rcu_read_lock();
+// selinux_state does not exists before 4.19
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 337)
 #ifdef SELINUX_POLICY_INSTEAD_SELINUX_SS
 	struct selinux_policy *policy = rcu_dereference(selinux_state.policy);
 	db = &policy->policydb;
@@ -30,12 +30,32 @@ void apply_kernelsu_rules()
 	struct selinux_ss *ss = rcu_dereference(selinux_state.ss);
 	db = &ss->policydb;
 #endif
+#else
+    db = &policydb;
+#endif
+	return db;
+}
+
+void apply_kernelsu_rules()
+{
+	if (!getenforce()) {
+		pr_info("SELinux permissive or disabled, don't apply rules.");
+		return;
+	}
+
+	rcu_read_lock();
+	struct policydb *db = get_policydb();
 
 	ksu_permissive(db, KERNEL_SU_DOMAIN);
 	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
 	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "netdomain");
 	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "bluetoothdomain");
 
+	// Create unconstrained file type
+	ksu_type(db, KERNEL_SU_FILE, "file_type");
+	ksu_typeattribute(db, KERNEL_SU_FILE, "mlstrustedobject");
+	ksu_allow(db, ALL, KERNEL_SU_FILE, ALL, ALL);
+
 	// allow all!
 	ksu_allow(db, KERNEL_SU_DOMAIN, ALL, ALL, ALL);
 
@@ -46,20 +66,24 @@ void apply_kernelsu_rules()
 		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
 	}
 
-	// we need to save allowlist in /data/adb
+	// we need to save allowlist in /data/adb/ksu
 	ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
 	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
 	// we may need to do mount on shell
 	ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
 	// we need to read /data/system/packages.list
 	ksu_allow(db, "kernel", "kernel", "capability", "dac_override");
-	// Android 10+: http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
+	// Android 10+:
+	// http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
 	ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
-	// Android 9-: http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
+	// Kernel 4.4
+	ksu_allow(db, "kernel", "packages_list_file", "dir", ALL);
+	// Android 9-:
+	// http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
 	ksu_allow(db, "kernel", "system_data_file", "file", ALL);
-
+	ksu_allow(db, "kernel", "system_data_file", "dir", ALL);
 	// our ksud triggered by init
-	ksu_allow(db, "init", "adb_data_file", "file", "execute");
+	ksu_allow(db, "init", "adb_data_file", "file", ALL);
 	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
 
 	// copied from Magisk rules
@@ -88,14 +112,354 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "dir", "search");
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "read");
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "file", "open");
-	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process", "getattr");
+	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
+		  "getattr");
 
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
 	// Allow system server devpts
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file", "read");
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file", "write");
+	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
+		  "read");
+	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
+		  "write");
 
 	rcu_read_unlock();
-}
+}
+
+#define MAX_SEPOL_LEN 128
+
+#define CMD_NORMAL_PERM 1
+#define CMD_XPERM 2
+#define CMD_TYPE_STATE 3
+#define CMD_TYPE 4
+#define CMD_TYPE_ATTR 5
+#define CMD_ATTR 6
+#define CMD_TYPE_TRANSITION 7
+#define CMD_TYPE_CHANGE 8
+#define CMD_GENFSCON 9
+
+struct sepol_data {
+	u32 cmd;
+	u32 subcmd;
+	char __user *sepol1;
+	char __user *sepol2;
+	char __user *sepol3;
+	char __user *sepol4;
+	char __user *sepol5;
+	char __user *sepol6;
+	char __user *sepol7;
+};
+
+static int get_object(char *buf, char __user *user_object, size_t buf_sz,
+		      char **object)
+{
+	if (!user_object) {
+		*object = ALL;
+		return 0;
+	}
+
+	if (strncpy_from_user(buf, user_object, buf_sz) < 0) {
+		return -1;
+	}
+
+	*object = buf;
+
+	return 0;
+}
+
+// reset avc cache table, otherwise the new rules will not take effect if already denied
+static void reset_avc_cache() {
+#if ((KERNEL_VERSION(4, 14, 0) <= LINUX_VERSION_CODE) && (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 163))) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 337))
+	avc_ss_reset(0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(0);
+#else
+	struct selinux_avc *avc = selinux_state.avc;
+	avc_ss_reset(avc, 0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(&selinux_state, 0);
+#endif
+	selinux_xfrm_notify_policyload();
+}
+
+int handle_sepolicy(unsigned long arg3, void __user *arg4)
+{
+	if (!arg4) {
+		return -1;
+	}
+
+	if (!getenforce()) {
+		pr_info("SELinux permissive or disabled, don't apply policies.");
+		return 0;
+	}
+
+	struct sepol_data data;
+	if (copy_from_user(&data, arg4, sizeof(struct sepol_data))) {
+		pr_err("sepol: copy sepol_data failed.\n");
+		return -1;
+	}
+
+	u32 cmd = data.cmd;
+	u32 subcmd = data.subcmd;
+
+	rcu_read_lock();
+
+	struct policydb *db = get_policydb();
+
+	int ret = -1;
+	if (cmd == CMD_NORMAL_PERM) {
+		char src_buf[MAX_SEPOL_LEN];
+		char tgt_buf[MAX_SEPOL_LEN];
+		char cls_buf[MAX_SEPOL_LEN];
+		char perm_buf[MAX_SEPOL_LEN];
+
+		char *s, *t, *c, *p;
+		if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+
+		if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+
+		if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+
+		if (get_object(perm_buf, data.sepol4, sizeof(perm_buf), &p) <
+		    0) {
+			pr_err("sepol: copy perm failed.\n");
+			goto exit;
+		}
+
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_allow(db, s, t, c, p);
+		} else if (subcmd == 2) {
+			success = ksu_deny(db, s, t, c, p);
+		} else if (subcmd == 3) {
+			success = ksu_auditallow(db, s, t, c, p);
+		} else if (subcmd == 4) {
+			success = ksu_dontaudit(db, s, t, c, p);
+		} else {
+			pr_err("sepol: unknown subcmd: %d", subcmd);
+		}
+		ret = success ? 0 : -1;
+
+	} else if (cmd == CMD_XPERM) {
+		char src_buf[MAX_SEPOL_LEN];
+		char tgt_buf[MAX_SEPOL_LEN];
+		char cls_buf[MAX_SEPOL_LEN];
+
+		char __maybe_unused
+			operation[MAX_SEPOL_LEN]; // it is always ioctl now!
+		char perm_set[MAX_SEPOL_LEN];
+
+		char *s, *t, *c;
+		if (get_object(src_buf, data.sepol1, sizeof(src_buf), &s) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (get_object(tgt_buf, data.sepol2, sizeof(tgt_buf), &t) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (get_object(cls_buf, data.sepol3, sizeof(cls_buf), &c) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(operation, data.sepol4,
+				      sizeof(operation)) < 0) {
+			pr_err("sepol: copy operation failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(perm_set, data.sepol5, sizeof(perm_set)) <
+		    0) {
+			pr_err("sepol: copy perm_set failed.\n");
+			goto exit;
+		}
+
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_allowxperm(db, s, t, c, perm_set);
+		} else if (subcmd == 2) {
+			success = ksu_auditallowxperm(db, s, t, c, perm_set);
+		} else if (subcmd == 3) {
+			success = ksu_dontauditxperm(db, s, t, c, perm_set);
+		} else {
+			pr_err("sepol: unknown subcmd: %d", subcmd);
+		}
+		ret = success ? 0 : -1;
+	} else if (cmd == CMD_TYPE_STATE) {
+		char src[MAX_SEPOL_LEN];
+
+		if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_permissive(db, src);
+		} else if (subcmd == 2) {
+			success = ksu_enforce(db, src);
+		} else {
+			pr_err("sepol: unknown subcmd: %d", subcmd);
+		}
+		if (success)
+			ret = 0;
+
+	} else if (cmd == CMD_TYPE || cmd == CMD_TYPE_ATTR) {
+		char type[MAX_SEPOL_LEN];
+		char attr[MAX_SEPOL_LEN];
+
+		if (strncpy_from_user(type, data.sepol1, sizeof(type)) < 0) {
+			pr_err("sepol: copy type failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(attr, data.sepol2, sizeof(attr)) < 0) {
+			pr_err("sepol: copy attr failed.\n");
+			goto exit;
+		}
+
+		bool success = false;
+		if (cmd == CMD_TYPE) {
+			success = ksu_type(db, type, attr);
+		} else {
+			success = ksu_typeattribute(db, type, attr);
+		}
+		if (!success) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+
+	} else if (cmd == CMD_ATTR) {
+		char attr[MAX_SEPOL_LEN];
+
+		if (strncpy_from_user(attr, data.sepol1, sizeof(attr)) < 0) {
+			pr_err("sepol: copy attr failed.\n");
+			goto exit;
+		}
+		if (!ksu_attribute(db, attr)) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+
+	} else if (cmd == CMD_TYPE_TRANSITION) {
+		char src[MAX_SEPOL_LEN];
+		char tgt[MAX_SEPOL_LEN];
+		char cls[MAX_SEPOL_LEN];
+		char default_type[MAX_SEPOL_LEN];
+		char object[MAX_SEPOL_LEN];
+
+		if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(default_type, data.sepol4,
+				      sizeof(default_type)) < 0) {
+			pr_err("sepol: copy default_type failed.\n");
+			goto exit;
+		}
+		char *real_object;
+		if (data.sepol5 == NULL) {
+			real_object = NULL;
+		} else {
+			if (strncpy_from_user(object, data.sepol5,
+					      sizeof(object)) < 0) {
+				pr_err("sepol: copy object failed.\n");
+				goto exit;
+			}
+			real_object = object;
+		}
+
+		bool success = ksu_type_transition(db, src, tgt, cls,
+						   default_type, real_object);
+		if (success)
+			ret = 0;
+
+	} else if (cmd == CMD_TYPE_CHANGE) {
+		char src[MAX_SEPOL_LEN];
+		char tgt[MAX_SEPOL_LEN];
+		char cls[MAX_SEPOL_LEN];
+		char default_type[MAX_SEPOL_LEN];
+
+		if (strncpy_from_user(src, data.sepol1, sizeof(src)) < 0) {
+			pr_err("sepol: copy src failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(tgt, data.sepol2, sizeof(tgt)) < 0) {
+			pr_err("sepol: copy tgt failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(cls, data.sepol3, sizeof(cls)) < 0) {
+			pr_err("sepol: copy cls failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(default_type, data.sepol4,
+				      sizeof(default_type)) < 0) {
+			pr_err("sepol: copy default_type failed.\n");
+			goto exit;
+		}
+		bool success = false;
+		if (subcmd == 1) {
+			success = ksu_type_change(db, src, tgt, cls,
+						  default_type);
+		} else if (subcmd == 2) {
+			success = ksu_type_member(db, src, tgt, cls,
+						  default_type);
+		} else {
+			pr_err("sepol: unknown subcmd: %d", subcmd);
+		}
+		if (success)
+			ret = 0;
+	} else if (cmd == CMD_GENFSCON) {
+		char name[MAX_SEPOL_LEN];
+		char path[MAX_SEPOL_LEN];
+		char context[MAX_SEPOL_LEN];
+		if (strncpy_from_user(name, data.sepol1, sizeof(name)) < 0) {
+			pr_err("sepol: copy name failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(path, data.sepol2, sizeof(path)) < 0) {
+			pr_err("sepol: copy path failed.\n");
+			goto exit;
+		}
+		if (strncpy_from_user(context, data.sepol3, sizeof(context)) <
+		    0) {
+			pr_err("sepol: copy context failed.\n");
+			goto exit;
+		}
+
+		if (!ksu_genfscon(db, name, path, context)) {
+			pr_err("sepol: %d failed.\n", cmd);
+			goto exit;
+		}
+		ret = 0;
+	} else {
+		pr_err("sepol: unknown cmd: %d\n", cmd);
+	}
+
+exit:
+	rcu_read_unlock();
+
+	// only allow and xallow needs to reset avc cache, but we cannot do that because
+	// we are in atomic context. so we just reset it every time.
+	reset_avc_cache();
+
+	return ret;
+}

kernel/selinux/selinux.c

@@ -1,20 +1,10 @@
-#include <linux/cpu.h>
-#include <linux/memory.h>
-#include <linux/uaccess.h>
-#include <linux/init.h>
-#include <linux/module.h>
-#include <linux/kprobes.h>
-#include <linux/printk.h>
-#include <linux/string.h>
-#include <linux/kernel.h>
-#include <linux/slab.h>
-
-#include <ss/sidtab.h>
-#include <ss/services.h>
-#include <objsec.h>
-
 #include "selinux.h"
-#include "../klog.h"
+#include "objsec.h"
+#include "linux/version.h"
+#include "../klog.h" // IWYU pragma: keep
+#if ((KERNEL_VERSION(4, 14, 0) <= LINUX_VERSION_CODE) && (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 163))) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 337))
+#include "avc.h"
+#endif
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
@@ -57,36 +47,60 @@ void setup_selinux()
 	}
 
 	/* we didn't need this now, we have change selinux rules when boot!
-    if (!is_domain_permissive) {
-        if (set_domain_permissive() == 0) {
-            is_domain_permissive = true;
-        }
-    }*/
+if (!is_domain_permissive) {
+  if (set_domain_permissive() == 0) {
+      is_domain_permissive = true;
+  }
+}*/
 }
 
 void setenforce(bool enforce)
 {
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 163)) || ((KERNEL_VERSION(4, 10, 0) > LINUX_VERSION_CODE) && (LINUX_VERSION_CODE  >= KERNEL_VERSION(4, 9, 337)))
 	selinux_state.enforcing = enforce;
+#else
+	selinux_enforcing = enforce;
+#endif
 #endif
 }
 
 bool getenforce()
 {
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 163)) || ((KERNEL_VERSION(4, 10, 0) > LINUX_VERSION_CODE) && (LINUX_VERSION_CODE  >= KERNEL_VERSION(4, 9, 337)))
 	if (selinux_state.disabled) {
+#else
+	if (selinux_disabled) {
+#endif
 		return false;
 	}
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 163)) || ((KERNEL_VERSION(4, 10, 0) > LINUX_VERSION_CODE) && (LINUX_VERSION_CODE  >= KERNEL_VERSION(4, 9, 337)))
 	return selinux_state.enforcing;
 #else
-	return false;
+	return selinux_enforcing;
+#endif
+#else
+	return true;
 #endif
 }
 
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 337)
+/*
+ * get the subjective security ID of the current task
+ */
+static inline u32 current_sid(void)
+{
+	const struct task_security_struct *tsec = current_security();
+
+	return tsec->sid;
+}
+#endif
+
 bool is_ksu_domain()
 {
 	return ksu_sid && current_sid() == ksu_sid;
-}
+}

kernel/selinux/selinux.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_SELINUX
 #define __KSU_H_SELINUX
 
-#include <linux/types.h>
+#include "linux/types.h"
 
 void setup_selinux();
 

kernel/selinux/sepolicy.c

@@ -1,40 +1,64 @@
-#include <linux/version.h>
 #include "sepolicy.h"
-#include "../klog.h"
+#include "linux/gfp.h"
+#include "linux/printk.h"
+#include "linux/slab.h"
+#include "linux/version.h"
+
+#include "../klog.h" // IWYU pragma: keep
+#include "ss/symtab.h"
+
+#define KSU_SUPPORT_ADD_TYPE
 
 //////////////////////////////////////////////////////
 // Declaration
 //////////////////////////////////////////////////////
 
-static struct avtab_node* get_avtab_node(struct policydb* db, struct avtab_key *key, struct avtab_extended_perms *xperms);
+static struct avtab_node *get_avtab_node(struct policydb *db,
+					 struct avtab_key *key,
+					 struct avtab_extended_perms *xperms);
 
-static bool add_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *p, int effect, bool invert);
+static bool add_rule(struct policydb *db, const char *s, const char *t,
+		     const char *c, const char *p, int effect, bool invert);
 
-static void add_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt, struct class_datum *cls, struct perm_datum *perm, int effect, bool invert);
+static void add_rule_raw(struct policydb *db, struct type_datum *src,
+			 struct type_datum *tgt, struct class_datum *cls,
+			 struct perm_datum *perm, int effect, bool invert);
 
-static void add_xperm_rule_raw(struct policydb* db, struct type_datum *src, struct type_datum *tgt,
-        struct class_datum *cls, uint16_t low, uint16_t high, int effect, bool invert);
-static bool add_xperm_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *range, int effect, bool invert);
+static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
+			       struct type_datum *tgt, struct class_datum *cls,
+			       uint16_t low, uint16_t high, int effect,
+			       bool invert);
+static bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
+			   const char *c, const char *range, int effect,
+			   bool invert);
 
-static bool add_type_rule(struct policydb* db, const char *s, const char *t, const char *c, const char *d, int effect);
+static bool add_type_rule(struct policydb *db, const char *s, const char *t,
+			  const char *c, const char *d, int effect);
 
-static bool add_filename_trans(const char *s, const char *t, const char *c, const char *d, const char *o);
+static bool add_filename_trans(struct policydb *db, const char *s,
+			       const char *t, const char *c, const char *d,
+			       const char *o);
 
-static bool add_genfscon(const char *fs_name, const char *path, const char *context);
+static bool add_genfscon(struct policydb *db, const char *fs_name,
+			 const char *path, const char *context);
 
-static bool add_type(struct policydb* db, const char *type_name, bool attr);
+static bool add_type(struct policydb *db, const char *type_name, bool attr);
 
-static bool set_type_state(struct policydb* db, const char *type_name, bool permissive);
+static bool set_type_state(struct policydb *db, const char *type_name,
+			   bool permissive);
 
-static void add_typeattribute_raw(struct policydb* db, struct type_datum *type, struct type_datum *attr);
+static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
+				  struct type_datum *attr);
 
-static bool add_typeattribute(struct policydb* db, const char *type, const char *attr);
+static bool add_typeattribute(struct policydb *db, const char *type,
+			      const char *attr);
 
 //////////////////////////////////////////////////////
 // Implementation
 //////////////////////////////////////////////////////
 
-// Invert is adding rules for auditdeny; in other cases, invert is removing rules
+// Invert is adding rules for auditdeny; in other cases, invert is removing
+// rules
 #define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
 
 #define hash_for_each(node_ptr, n_slot, cur)                                   \
@@ -42,25 +66,29 @@ static bool add_typeattribute(struct policydb* db, const char *type, const char
 	for (i = 0; i < n_slot; ++i)                                           \
 		for (cur = node_ptr[i]; cur; cur = cur->next)
 
-
-// htable is a struct instead of pointer above 5.8.0: https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
+// htable is a struct instead of pointer above 5.8.0:
+// https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
 #define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
 #else
-#define hashtab_for_each(htab, cur) hash_for_each (htab->htable, htab->size, cur)
+#define hashtab_for_each(htab, cur)                                            \
+	hash_for_each (htab->htable, htab->size, cur)
 #endif
 
-// symtab_search is introduced on 5.9.0: https://elixir.bootlin.com/linux/v5.9-rc1/source/security/selinux/ss/symtab.h
+// symtab_search is introduced on 5.9.0:
+// https://elixir.bootlin.com/linux/v5.9-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 #define symtab_search(s, name) hashtab_search((s)->table, name)
+#define symtab_insert(s, name, datum) hashtab_insert((s)->table, name, datum)
 #endif
 
 #define avtab_for_each(avtab, cur)                                             \
 	hash_for_each (avtab.htable, avtab.nslot, cur)                         \
 		;
 
-static struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *key,
-				  struct avtab_extended_perms *xperms)
+static struct avtab_node *get_avtab_node(struct policydb *db,
+					 struct avtab_key *key,
+					 struct avtab_extended_perms *xperms)
 {
 	struct avtab_node *node;
 
@@ -86,9 +114,9 @@ static struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *
 	if (!node) {
 		struct avtab_datum avdatum = {};
 		/*
-         * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
-         * others. Initialize the data accordingly.
-         */
+     * AUDITDENY, aka DONTAUDIT, are &= assigned, versus |= for
+     * others. Initialize the data accordingly.
+     */
 		if (key->specified & AVTAB_XPERMS) {
 			avdatum.u.xperms = xperms;
 		} else {
@@ -98,14 +126,13 @@ static struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *
 		/* this is used to get the node - insertion is actually unique */
 		node = avtab_insert_nonunique(&db->te_avtab, key, &avdatum);
 
-		int grow_size = sizeof(u16) * 4;
+		int grow_size = sizeof(struct avtab_key);
+		grow_size += sizeof(struct avtab_datum);
 		if (key->specified & AVTAB_XPERMS) {
 			grow_size += sizeof(u8);
 			grow_size += sizeof(u8);
 			grow_size += sizeof(u32) *
 				     ARRAY_SIZE(avdatum.u.xperms->perms.p);
-		} else {
-			grow_size += sizeof(u32) * 1;
 		}
 		db->len += grow_size;
 	}
@@ -113,8 +140,8 @@ static struct avtab_node *get_avtab_node(struct policydb *db, struct avtab_key *
 	return node;
 }
 
-static bool add_rule(struct policydb *db, const char *s, const char *t, const char *c,
-	      const char *p, int effect, bool invert)
+static bool add_rule(struct policydb *db, const char *s, const char *t,
+		     const char *c, const char *p, int effect, bool invert)
 {
 	struct type_datum *src = NULL, *tgt = NULL;
 	struct class_datum *cls = NULL;
@@ -165,8 +192,8 @@ static bool add_rule(struct policydb *db, const char *s, const char *t, const ch
 }
 
 static void add_rule_raw(struct policydb *db, struct type_datum *src,
-		  struct type_datum *tgt, struct class_datum *cls,
-		  struct perm_datum *perm, int effect, bool invert)
+			 struct type_datum *tgt, struct class_datum *cls,
+			 struct perm_datum *perm, int effect, bool invert)
 {
 	if (src == NULL) {
 		struct hashtab_node *node;
@@ -247,8 +274,9 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 #define xperm_clear(x, p) (p[x >> 5] &= ~(1 << (x & 0x1f)))
 
 static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
-			struct type_datum *tgt, struct class_datum *cls,
-			uint16_t low, uint16_t high, int effect, bool invert)
+			       struct type_datum *tgt, struct class_datum *cls,
+			       uint16_t low, uint16_t high, int effect,
+			       bool invert)
 {
 	if (src == NULL) {
 		struct hashtab_node *node;
@@ -309,8 +337,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 					xperm_set(i, xperms.perms.p);
 			}
 		} else {
-			for (i = ioctl_func(low); i <= ioctl_func(high);
-			     ++i) {
+			for (i = ioctl_func(low); i <= ioctl_func(high); ++i) {
 				if (invert)
 					xperm_clear(i, xperms.perms.p);
 				else
@@ -339,7 +366,8 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 }
 
 static bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
-		    const char *c, const char *range, int effect, bool invert)
+			   const char *c, const char *range, int effect,
+			   bool invert)
 {
 	struct type_datum *src = NULL, *tgt = NULL;
 	struct class_datum *cls = NULL;
@@ -387,7 +415,7 @@ static bool add_xperm_rule(struct policydb *db, const char *s, const char *t,
 }
 
 static bool add_type_rule(struct policydb *db, const char *s, const char *t,
-		   const char *c, const char *d, int effect)
+			  const char *c, const char *d, int effect)
 {
 	struct type_datum *src, *tgt, *def;
 	struct class_datum *cls;
@@ -425,23 +453,346 @@ static bool add_type_rule(struct policydb *db, const char *s, const char *t,
 	return true;
 }
 
-static bool add_filename_trans(const char *s, const char *t, const char *c,
-			const char *d, const char *o)
+// 5.9.0 : static inline int hashtab_insert(struct hashtab *h, void *key, void *datum, struct hashtab_key_params key_params)
+// 5.8.0: int hashtab_insert(struct hashtab *h, void *k, void *d);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+static u32 filenametr_hash(const void *k)
 {
-	return false;
+	const struct filename_trans_key *ft = k;
+	unsigned long hash;
+	unsigned int byte_num;
+	unsigned char focus;
+
+	hash = ft->ttype ^ ft->tclass;
+
+	byte_num = 0;
+	while ((focus = ft->name[byte_num++]))
+		hash = partial_name_hash(focus, hash);
+	return hash;
 }
 
-static bool add_genfscon(const char *fs_name, const char *path, const char *context)
+static int filenametr_cmp(const void *k1, const void *k2)
+{
+	const struct filename_trans_key *ft1 = k1;
+	const struct filename_trans_key *ft2 = k2;
+	int v;
+
+	v = ft1->ttype - ft2->ttype;
+	if (v)
+		return v;
+
+	v = ft1->tclass - ft2->tclass;
+	if (v)
+		return v;
+
+	return strcmp(ft1->name, ft2->name);
+
+}
+
+static const struct hashtab_key_params filenametr_key_params = {
+	.hash = filenametr_hash,
+	.cmp = filenametr_cmp,
+};
+#endif
+
+static bool add_filename_trans(struct policydb *db, const char *s,
+			       const char *t, const char *c, const char *d,
+			       const char *o)
+{
+	struct type_datum *src, *tgt, *def;
+	struct class_datum *cls;
+
+	src = symtab_search(&db->p_types, s);
+	if (src == NULL) {
+		pr_warn("source type %s does not exist\n", s);
+		return false;
+	}
+	tgt = symtab_search(&db->p_types, t);
+	if (tgt == NULL) {
+		pr_warn("target type %s does not exist\n", t);
+		return false;
+	}
+	cls = symtab_search(&db->p_classes, c);
+	if (cls == NULL) {
+		pr_warn("class %s does not exist\n", c);
+		return false;
+	}
+	def = symtab_search(&db->p_types, d);
+	if (def == NULL) {
+		pr_warn("default type %s does not exist\n", d);
+		return false;
+	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0)
+	struct filename_trans_key key;
+	key.ttype = tgt->value;
+	key.tclass = cls->value;
+	key.name = (char *)o;
+
+	struct filename_trans_datum *last = NULL;
+
+	#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	struct filename_trans_datum *trans =
+		policydb_filenametr_search(db, &key);
+	#else
+	struct filename_trans_datum *trans =
+		hashtab_search(&db->filename_trans, &key);
+	#endif
+	while (trans) {
+		if (ebitmap_get_bit(&trans->stypes, src->value - 1)) {
+			// Duplicate, overwrite existing data and return
+			trans->otype = def->value;
+			return true;
+		}
+		if (trans->otype == def->value)
+			break;
+		last = trans;
+		trans = trans->next;
+	}
+
+	if (trans == NULL) {
+		trans = (struct filename_trans_datum*) kcalloc(sizeof(*trans), 1, GFP_ATOMIC);
+		struct filename_trans_key *new_key =
+			(struct filename_trans_key*) kmalloc(sizeof(*new_key), GFP_ATOMIC);
+		*new_key = key;
+		new_key->name = kstrdup(key.name, GFP_ATOMIC);
+		trans->next = last;
+		trans->otype = def->value;
+		hashtab_insert(&db->filename_trans, new_key,
+			       trans, filenametr_key_params);
+	}
+
+	db->compat_filename_trans_count++;
+	return ebitmap_set_bit(&trans->stypes, src->value - 1, 1) == 0;
+#else // < 5.7.0, has no filename_trans_key, but struct filename_trans
+
+	struct filename_trans key;
+	key.ttype = tgt->value;
+	key.tclass = cls->value;
+	key.name = (char *)o;
+
+	struct filename_trans_datum *trans =
+		hashtab_search(db->filename_trans, &key);
+
+	if (trans == NULL) {
+		trans = (struct filename_trans_datum*) kcalloc(sizeof(*trans), 1, GFP_ATOMIC);
+		if (!trans) {
+			pr_err("add_filename_trans: Failed to alloc datum");
+			return false;
+		}
+		struct filename_trans *new_key =
+			(struct filename_trans*) kmalloc(sizeof(*new_key), GFP_ATOMIC);
+		if (!new_key) {
+			pr_err("add_filename_trans: Failed to alloc new_key");
+			return false;
+		}
+		*new_key = key;
+		new_key->name = kstrdup(key.name, GFP_ATOMIC);
+		trans->otype = def->value;
+		hashtab_insert(db->filename_trans, new_key, trans);
+	}
+
+	return ebitmap_set_bit(&db->filename_trans_ttypes, src->value - 1, 1) == 0;
+#endif
+}
+
+static bool add_genfscon(struct policydb *db, const char *fs_name,
+			 const char *path, const char *context)
 {
 	return false;
 }
 
 static bool add_type(struct policydb *db, const char *type_name, bool attr)
 {
+#ifdef KSU_SUPPORT_ADD_TYPE
+	struct type_datum *type = symtab_search(&db->p_types, type_name);
+	if (type) {
+		pr_warn("Type %s already exists\n", type_name);
+		return true;
+	}
+
+	u32 value = ++db->p_types.nprim;
+	type = (struct type_datum *)kzalloc(sizeof(struct type_datum),
+					    GFP_ATOMIC);
+	if (!type) {
+		pr_err("add_type: alloc type_datum failed.\n");
+		return false;
+	}
+
+	type->primary = 1;
+	type->value = value;
+	type->attribute = attr;
+
+	char *key = kstrdup(type_name, GFP_ATOMIC);
+	if (!key) {
+		pr_err("add_type: alloc key failed.\n");
+		return false;
+	}
+
+	if (symtab_insert(&db->p_types, key, type)) {
+		pr_err("add_type: insert symtab failed.\n");
+		return false;
+	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
+	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
+	struct ebitmap *new_type_attr_map_array =
+		(krealloc(db->type_attr_map_array, new_size, GFP_ATOMIC));
+
+	struct type_datum **new_type_val_to_struct =
+		krealloc(db->type_val_to_struct,
+			 sizeof(*db->type_val_to_struct) * db->p_types.nprim,
+			 GFP_ATOMIC);
+
+	if (!new_type_attr_map_array) {
+		pr_err("add_type: alloc type_attr_map_array failed\n");
+		return false;
+	}
+
+	if (!new_type_val_to_struct) {
+		pr_err("add_type: alloc type_val_to_struct failed\n");
+		return false;
+	}
+
+	char **new_val_to_name_types =
+		krealloc(db->sym_val_to_name[SYM_TYPES],
+			 sizeof(char *) * db->symtab[SYM_TYPES].nprim,
+			 GFP_KERNEL);
+	if (!new_val_to_name_types) {
+		pr_err("add_type: alloc val_to_name failed\n");
+		return false;
+	}
+
+	db->type_attr_map_array = new_type_attr_map_array;
+	ebitmap_init(&db->type_attr_map_array[value - 1]);
+	ebitmap_set_bit(&db->type_attr_map_array[value - 1], value - 1, 1);
+
+	db->type_val_to_struct = new_type_val_to_struct;
+	db->type_val_to_struct[value - 1] = type;
+
+	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
+	db->sym_val_to_name[SYM_TYPES][value - 1] = key;
+
+	int i;
+	for (i = 0; i < db->p_roles.nprim; ++i) {
+		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
+				0);
+	}
+
+	return true;
+#else
+	// flex_array is not extensible, we need to create a new bigger one instead
+	struct flex_array *new_type_attr_map_array = flex_array_alloc(sizeof(struct ebitmap),
+		db->p_types.nprim, GFP_ATOMIC | __GFP_ZERO);
+
+	struct flex_array *new_type_val_to_struct = flex_array_alloc(sizeof(struct type_datum *),
+		db->p_types.nprim, GFP_ATOMIC | __GFP_ZERO);
+	
+	struct flex_array *new_val_to_name_types = flex_array_alloc(sizeof(char *),
+		db->symtab[SYM_TYPES].nprim, GFP_ATOMIC | __GFP_ZERO);
+
+	if (!new_type_attr_map_array) {
+		pr_err("add_type: alloc type_attr_map_array failed\n");
+		return false;
+	}
+
+	if (!new_type_val_to_struct) {
+		pr_err("add_type: alloc type_val_to_struct failed\n");
+		return false;
+	}
+
+	if (!new_val_to_name_types) {
+		pr_err("add_type: alloc val_to_name failed\n");
+		return false;
+	}
+
+	// preallocate so we don't have to worry about the put ever failing
+	if (flex_array_prealloc(new_type_attr_map_array, 0,
+			db->p_types.nprim, GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc type_attr_map_array failed\n");
+		return false;
+	}
+
+	if (flex_array_prealloc(new_type_val_to_struct, 0,
+				db->p_types.nprim, GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc type_val_to_struct_array failed\n");
+		return false;
+	}
+
+	if (flex_array_prealloc(new_val_to_name_types, 0,
+		db->symtab[SYM_TYPES].nprim, GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc val_to_name_types failed\n");
+		return false;
+	}
+
+	int j;
+	void *old_elem;
+	// copy the old data or pointers to new flex arrays
+	for (j = 0; j < db->type_attr_map_array->total_nr_elements; j++) {
+		old_elem = flex_array_get(db->type_attr_map_array, j);
+		if (old_elem)
+			flex_array_put(new_type_attr_map_array, j,
+					old_elem, GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	for (j = 0; j < db->type_val_to_struct_array->total_nr_elements; j++) {
+		old_elem = flex_array_get_ptr(db->type_val_to_struct_array, j);
+		if (old_elem)
+			flex_array_put_ptr(new_type_val_to_struct, j,
+					old_elem, GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	for (j = 0; j < db->symtab[SYM_TYPES].nprim; j++) {
+		old_elem = flex_array_get_ptr(db->sym_val_to_name[SYM_TYPES], j);
+		if (old_elem)
+			flex_array_put_ptr(new_val_to_name_types, j,
+					old_elem, GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	// store the pointer of old flex arrays first, when assigning new ones we should free it
+	struct flex_array *old_fa;
+
+	old_fa = db->type_attr_map_array;
+	db->type_attr_map_array = new_type_attr_map_array;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+
+	ebitmap_init(flex_array_get(db->type_attr_map_array, value - 1));
+	ebitmap_set_bit(flex_array_get(db->type_attr_map_array, value - 1),
+			value - 1, 1);
+
+	old_fa = db->type_val_to_struct_array;
+	db->type_val_to_struct_array = new_type_val_to_struct;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+	flex_array_put_ptr(db->type_val_to_struct_array, value - 1,
+			type, GFP_ATOMIC | __GFP_ZERO);
+
+	old_fa = db->sym_val_to_name[SYM_TYPES];
+	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+	flex_array_put_ptr(db->sym_val_to_name[SYM_TYPES], value - 1,
+				key, GFP_ATOMIC | __GFP_ZERO);
+
+	int i;
+	for (i = 0; i < db->p_roles.nprim; ++i) {
+		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
+				0);
+	}
+	return true;
+#endif
+
+#else
 	return false;
+#endif
 }
 
-static bool set_type_state(struct policydb *db, const char *type_name, bool permissive)
+static bool set_type_state(struct policydb *db, const char *type_name,
+			   bool permissive)
 {
 	struct type_datum *type;
 	if (type_name == NULL) {
@@ -470,12 +821,13 @@ static bool set_type_state(struct policydb *db, const char *type_name, bool perm
 }
 
 static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
-			   struct type_datum *attr)
+				  struct type_datum *attr)
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 	struct ebitmap *sattr = &db->type_attr_map_array[type->value - 1];
 #else
-	struct ebitmap *sattr = flex_array_get(db->type_attr_map_array, type->value -1);
+	struct ebitmap *sattr =
+		flex_array_get(db->type_attr_map_array, type->value - 1);
 #endif
 	ebitmap_set_bit(sattr, attr->value - 1, 1);
 
@@ -498,7 +850,8 @@ static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 	};
 }
 
-static bool add_typeattribute(struct policydb *db, const char *type, const char *attr)
+static bool add_typeattribute(struct policydb *db, const char *type,
+			      const char *attr)
 {
 	struct type_datum *type_d = symtab_search(&db->p_types, type);
 	if (type_d == NULL) {
@@ -557,45 +910,45 @@ bool ksu_exists(struct policydb *db, const char *type)
 
 // Access vector rules
 bool ksu_allow(struct policydb *db, const char *src, const char *tgt,
-	   const char *cls, const char *perm)
+	       const char *cls, const char *perm)
 {
 	return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, false);
 }
 
 bool ksu_deny(struct policydb *db, const char *src, const char *tgt,
-	  const char *cls, const char *perm)
+	      const char *cls, const char *perm)
 {
 	return add_rule(db, src, tgt, cls, perm, AVTAB_ALLOWED, true);
 }
 
 bool ksu_auditallow(struct policydb *db, const char *src, const char *tgt,
-		const char *cls, const char *perm)
+		    const char *cls, const char *perm)
 {
 	return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITALLOW, false);
 }
 bool ksu_dontaudit(struct policydb *db, const char *src, const char *tgt,
-	       const char *cls, const char *perm)
+		   const char *cls, const char *perm)
 {
 	return add_rule(db, src, tgt, cls, perm, AVTAB_AUDITDENY, true);
 }
 
 // Extended permissions access vector rules
 bool ksu_allowxperm(struct policydb *db, const char *src, const char *tgt,
-		const char *cls, const char *range)
+		    const char *cls, const char *range)
 {
 	return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_ALLOWED,
 			      false);
 }
 
 bool ksu_auditallowxperm(struct policydb *db, const char *src, const char *tgt,
-		     const char *cls, const char *range)
+			 const char *cls, const char *range)
 {
 	return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_AUDITALLOW,
 			      false);
 }
 
 bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
-		    const char *cls, const char *range)
+			const char *cls, const char *range)
 {
 	return add_xperm_rule(db, src, tgt, cls, range, AVTAB_XPERMS_DONTAUDIT,
 			      false);
@@ -603,25 +956,30 @@ bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
 
 // Type rules
 bool ksu_type_transition(struct policydb *db, const char *src, const char *tgt,
-		     const char *cls, const char *def, const char *obj)
+			 const char *cls, const char *def, const char *obj)
 {
-	return false;
+	if (obj) {
+		return add_filename_trans(db, src, tgt, cls, def, obj);
+	} else {
+		return add_type_rule(db, src, tgt, cls, def, AVTAB_TRANSITION);
+	}
 }
 
 bool ksu_type_change(struct policydb *db, const char *src, const char *tgt,
-		 const char *cls, const char *def)
+		     const char *cls, const char *def)
 {
-	return false;
+	return add_type_rule(db, src, tgt, cls, def, AVTAB_CHANGE);
 }
+
 bool ksu_type_member(struct policydb *db, const char *src, const char *tgt,
-		 const char *cls, const char *def)
+		     const char *cls, const char *def)
 {
-	return false;
+	return add_type_rule(db, src, tgt, cls, def, AVTAB_MEMBER);
 }
 
 // File system labeling
 bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
-	      const char *ctx)
+		  const char *ctx)
 {
-	return false;
-}
+	return add_genfscon(db, fs_name, path, ctx);
+}

kernel/selinux/sepolicy.h

@@ -1,37 +1,46 @@
 #ifndef __KSU_H_SEPOLICY
 #define __KSU_H_SEPOLICY
 
-#include <linux/types.h>
-#include <ss/sidtab.h>
-#include <ss/services.h>
-#include <objsec.h>
+#include "linux/types.h"
 
+#include "ss/policydb.h"
 
 // Operation on types
-bool ksu_type(struct policydb* db, const char* name, const char* attr);
-bool ksu_attribute(struct policydb* db, const char* name);
-bool ksu_permissive(struct policydb* db, const char* type);
-bool ksu_enforce(struct policydb* db, const char* type);
-bool ksu_typeattribute(struct policydb* db, const char* type, const char* attr);
-bool ksu_exists(struct policydb* db, const char* type);
+bool ksu_type(struct policydb *db, const char *name, const char *attr);
+bool ksu_attribute(struct policydb *db, const char *name);
+bool ksu_permissive(struct policydb *db, const char *type);
+bool ksu_enforce(struct policydb *db, const char *type);
+bool ksu_typeattribute(struct policydb *db, const char *type, const char *attr);
+bool ksu_exists(struct policydb *db, const char *type);
 
 // Access vector rules
-bool ksu_allow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
-bool ksu_deny(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
-bool ksu_auditallow(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
-bool ksu_dontaudit(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* perm);
+bool ksu_allow(struct policydb *db, const char *src, const char *tgt,
+	       const char *cls, const char *perm);
+bool ksu_deny(struct policydb *db, const char *src, const char *tgt,
+	      const char *cls, const char *perm);
+bool ksu_auditallow(struct policydb *db, const char *src, const char *tgt,
+		    const char *cls, const char *perm);
+bool ksu_dontaudit(struct policydb *db, const char *src, const char *tgt,
+		   const char *cls, const char *perm);
 
 // Extended permissions access vector rules
-bool ksu_allowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
-bool ksu_auditallowxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
-bool ksu_dontauditxperm(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* range);
+bool ksu_allowxperm(struct policydb *db, const char *src, const char *tgt,
+		    const char *cls, const char *range);
+bool ksu_auditallowxperm(struct policydb *db, const char *src, const char *tgt,
+			 const char *cls, const char *range);
+bool ksu_dontauditxperm(struct policydb *db, const char *src, const char *tgt,
+			const char *cls, const char *range);
 
 // Type rules
-bool ksu_type_transition(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def, const char* obj);
-bool ksu_type_change(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
-bool ksu_type_member(struct policydb* db, const char* src, const char* tgt, const char* cls, const char* def);
+bool ksu_type_transition(struct policydb *db, const char *src, const char *tgt,
+			 const char *cls, const char *def, const char *obj);
+bool ksu_type_change(struct policydb *db, const char *src, const char *tgt,
+		     const char *cls, const char *def);
+bool ksu_type_member(struct policydb *db, const char *src, const char *tgt,
+		     const char *cls, const char *def);
 
 // File system labeling
-bool ksu_genfscon(struct policydb* db, const char* fs_name, const char* path, const char* ctx);
+bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
+		  const char *ctx);
 
 #endif

kernel/setup.sh

@@ -1,6 +1,5 @@
-#! /bin/bash
-
-set -x
+#!/bin/sh
+set -eux
 
 GKI_ROOT=$(pwd)
 
@@ -11,8 +10,8 @@ if test -d "$GKI_ROOT/common/drivers"; then
 elif test -d "$GKI_ROOT/drivers"; then
      DRIVER_DIR="$GKI_ROOT/drivers"
 else
-     echo "[ERROR] "drivers/" directory is not found."
-     echo "[+] You should modify this scrpit by yourself."
+     echo '[ERROR] "drivers/" directory is not found.'
+     echo '[+] You should modify this scrpit by yourself.'
      exit 127
 fi
 
@@ -26,9 +25,9 @@ echo "[+] Copy kernel su driver to $DRIVER_DIR"
 
 test -e "$DRIVER_DIR/kernelsu" || ln -sf "$GKI_ROOT/KernelSU/kernel" "$DRIVER_DIR/kernelsu"
 
-echo "[+] Add kernel su driver to Makefile"
+echo '[+] Add kernel su driver to Makefile'
 
 DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
-grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-y += kernelsu/\n" >> "$DRIVER_MAKEFILE"
 
-echo "[+] Done."
+echo '[+] Done.'

kernel/sucompat.c

@@ -1,35 +1,21 @@
+#include "asm/current.h"
+#include "linux/cred.h"
+#include "linux/err.h"
+#include "linux/fs.h"
+#include "linux/kprobes.h"
+#include "linux/types.h"
+#include "linux/uaccess.h"
+#include "linux/version.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+#include "linux/sched/task_stack.h"
+#else
+#include "linux/sched.h"
+#endif
 
-#include <linux/gfp.h>
-#include <linux/workqueue.h>
-#include <asm/current.h>
-#include <linux/cred.h>
-#include <linux/dcache.h>
-#include <linux/err.h>
-#include <linux/limits.h>
-#include <linux/cpu.h>
-#include <linux/memory.h>
-#include <linux/uaccess.h>
-#include <linux/init.h>
-#include <linux/module.h>
-#include <linux/kprobes.h>
-#include <linux/printk.h>
-#include <linux/string.h>
-#include <linux/kernel.h>
-#include <linux/sched/task_stack.h>
-#include <linux/slab.h>
-#include <linux/version.h>
-#include <asm-generic/errno-base.h>
-
-#include <linux/rcupdate.h>
-#include <linux/fdtable.h>
-#include <linux/fs.h>
-#include <linux/fs_struct.h>
-#include <linux/namei.h>
-
-#include "klog.h"
-#include "arch.h"
 #include "allowlist.h"
-#include "selinux/selinux.h"
+#include "arch.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
 
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
@@ -38,7 +24,8 @@ extern void escape_to_root();
 
 static void __user *userspace_stack_buffer(const void *d, size_t len)
 {
-	/* To avoid having to mmap a page in userspace, just write below the stack pointer. */
+	/* To avoid having to mmap a page in userspace, just write below the stack
+   * pointer. */
 	char __user *p = (void __user *)current_user_stack_pointer() - len;
 
 	return copy_to_user(p, d, len) ? NULL : p;
@@ -51,7 +38,8 @@ static char __user *sh_user_path(void)
 	return userspace_stack_buffer(sh_path, sizeof(sh_path));
 }
 
-static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
+			 int *flags)
 {
 	struct filename *filename;
 	const char su[] = SU_PATH;
@@ -60,14 +48,14 @@ static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 		return 0;
 	}
 
-	filename = getname(PT_REGS_PARM2(regs));
+	filename = getname(*filename_user);
 
 	if (IS_ERR(filename)) {
 		return 0;
 	}
 	if (!memcmp(filename->name, su, sizeof(su))) {
 		pr_info("faccessat su->sh!\n");
-		PT_REGS_PARM2(regs) = sh_user_path();
+		*filename_user = sh_user_path();
 	}
 
 	putname(filename);
@@ -75,7 +63,7 @@ static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	return 0;
 }
 
-static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 {
 	// const char sh[] = SH_PATH;
 	struct filename *filename;
@@ -85,14 +73,18 @@ static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 		return 0;
 	}
 
-	filename = getname(PT_REGS_PARM2(regs));
+	if (!filename_user) {
+		return 0;
+	}
+
+	filename = getname(*filename_user);
 
 	if (IS_ERR(filename)) {
 		return 0;
 	}
 	if (!memcmp(filename->name, su, sizeof(su))) {
 		pr_info("newfstatat su->sh!\n");
-		PT_REGS_PARM2(regs) = sh_user_path();
+		*filename_user = sh_user_path();
 	}
 
 	putname(filename);
@@ -100,40 +92,21 @@ static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	return 0;
 }
 
-// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
-static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
+				 void *argv, void *envp, int *flags)
 {
 	struct filename *filename;
-	const char sh[] = SH_PATH;
+	const char sh[] = KSUD_PATH;
 	const char su[] = SU_PATH;
 
-	static const char app_process[] = "/system/bin/app_process";
-	static bool first_app_process = true;
-	static const char system_bin_init[] = "/system/bin/init";
-	static int init_count = 0;
+	if (!filename_ptr)
+		return 0;
 
-	filename = PT_REGS_PARM2(regs);
+	filename = *filename_ptr;
 	if (IS_ERR(filename)) {
 		return 0;
 	}
 
-	if (!memcmp(filename->name, system_bin_init, sizeof(system_bin_init) - 1)) {
-		// /system/bin/init executed
-		if (++init_count == 2) {
-			// 1: /system/bin/init selinux_setup
-			// 2: /system/bin/init second_stage
-			pr_info("/system/bin/init second_stage executed\n");
-			apply_kernelsu_rules();
-		}
-	}
-
-	if (first_app_process &&
-		!memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
-		first_app_process = false;
-		pr_info("exec app_process, /data prepared!\n");
-		ksu_load_allow_list();
-	}
-
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
@@ -148,103 +121,45 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	return 0;
 }
 
-static const char KERNEL_SU_RC[] =
-"\n"
+#ifdef CONFIG_KPROBES
 
-"on post-fs-data\n"
-// We should wait for the post-fs-data finish
-"    exec u:r:su:s0 root -- /data/adb/ksud post-fs-data\n"
-"\n"
-
-"on nonencrypted\n"
-"    exec u:r:su:s0 root -- /data/adb/ksud services\n"
-"\n"
-
-"on property:vold.decrypt=trigger_restart_framework\n"
-"    exec u:r:su:s0 root -- /data/adb/ksud services\n"
-"\n"
-
-"on property:sys.boot_completed=1\n"
-"    exec u:r:su:s0 root -- /data/adb/ksud boot-completed\n"
-"\n"
-
-"\n"
-;
-
-static void unregister_vfs_read_kp();
-static struct work_struct unregister_vfs_read_work;
-
-static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
+static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	struct file *file;
-	char __user *buf;
-	size_t count;
+	int *dfd = (int *)PT_REGS_PARM1(regs);
+	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
+	int *mode = (int *)&PT_REGS_PARM3(regs);
+	int *flags = (int *)&PT_REGS_PARM4(regs);
 
-	if (strcmp(current->comm, "init")) {
-		// we are only interest in `init` process
-		return 0;
-	}
+	return ksu_handle_faccessat(dfd, filename_user, mode, flags);
+}
 
-	file = PT_REGS_PARM1(regs);
-	if (IS_ERR(file)) {
-		return 0;
-	}
+static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	int *dfd = (int *)&PT_REGS_PARM1(regs);
+	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+// static int vfs_statx(int dfd, const char __user *filename, int flags, struct kstat *stat, u32 request_mask)
+	int *flags = (int *)&PT_REGS_PARM3(regs);
+#else
+// int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
+	int *flags = (int *)&PT_REGS_PARM4(regs);
+#endif
 
-	if (!d_is_reg(file->f_path.dentry)) {
-		return 0;
-	}
+	return ksu_handle_stat(dfd, filename_user, flags);
+}
 
-	const char *short_name = file->f_path.dentry->d_name.name;
-	if (strcmp(short_name, "atrace.rc")) {
-		// we are only interest `atrace.rc` file name file
-		return 0;
-	}
-	#define RC_PATH_MAX 256
-	char path[RC_PATH_MAX];
-	char* dpath = d_path(&file->f_path, path, RC_PATH_MAX);
+// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
+static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	int *fd = (int *)&PT_REGS_PARM1(regs);
+	struct filename **filename_ptr =
+		(struct filename **)&PT_REGS_PARM2(regs);
+	void *argv = (void *)&PT_REGS_PARM3(regs);
+	void *envp = (void *)&PT_REGS_PARM4(regs);
+	int *flags = (int *)&PT_REGS_PARM5(regs);
 
-	#undef RC_PATH_MAX
-
-	if (IS_ERR(dpath)) {
-		return 0;
-	}
-
-	if (strcmp(dpath, "/system/etc/init/atrace.rc")) {
-		return 0;
-	}
-
-	// we only process the first read
-	static bool rc_inserted = false;
-	if (rc_inserted) {
-		// we don't need this kprobe, unregister it!
-		unregister_vfs_read_kp();
-		return 0;
-	}
-	rc_inserted = true;
-
-	// now we can sure that the init process is reading `/system/etc/init/atrace.rc`
-	buf = PT_REGS_PARM2(regs);
-	count = PT_REGS_PARM3(regs);
-
-	size_t rc_count = strlen(KERNEL_SU_RC);
-
-	pr_info("vfs_read: %s, comm: %s, count: %d, rc_count: %d\n", dpath, current->comm, count, rc_count);
-
-	if (count < rc_count) {
-		pr_err("count: %d < rc_count: %d", count, rc_count);
-		return 0;
-	}
-
-	size_t ret = copy_to_user(buf, KERNEL_SU_RC, rc_count);
-	if (ret) {
-		pr_err("copy ksud.rc failed: %d\n", ret);
-		return 0;
-	}
-
-	PT_REGS_PARM2(regs) = buf + rc_count;
-	PT_REGS_PARM3(regs) = count - rc_count;
-
-	return 0;
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
+					    flags);
 }
 
 static struct kprobe faccessat_kp = {
@@ -257,49 +172,37 @@ static struct kprobe faccessat_kp = {
 };
 
 static struct kprobe newfstatat_kp = {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	.symbol_name = "vfs_statx",
+#else
+	.symbol_name = "vfs_fstatat",
+#endif
 	.pre_handler = newfstatat_handler_pre,
 };
 
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,0) &&  LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
 	.symbol_name = "__do_execve_file",
-#elif  LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,0) &&  LINUX_VERSION_CODE < KERNEL_VERSION(4,19,0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
 	.symbol_name = "do_execveat_common",
 #endif
 	.pre_handler = execve_handler_pre,
 };
 
-static struct kprobe vfs_read_kp = {
-	.symbol_name = "vfs_read",
-	.pre_handler = read_handler_pre,
-};
-
-static void do_unregister_vfs_read_kp(struct work_struct *work) {
-	unregister_kprobe(&vfs_read_kp);
-}
-
-static void unregister_vfs_read_kp() {
-	bool ret = schedule_work(&unregister_vfs_read_work);
-	pr_info("unregister vfs_read kprobe: %d!\n", ret);
-}
+#endif
 
 // sucompat: permited process can execute 'su' to gain root access.
-void enable_sucompat()
+void ksu_enable_sucompat()
 {
+#ifdef CONFIG_KPROBES
 	int ret;
-
 	ret = register_kprobe(&execve_kp);
-	pr_info("execve_kp: %d\n", ret);
+	pr_info("sucompat: execve_kp: %d\n", ret);
 	ret = register_kprobe(&newfstatat_kp);
-	pr_info("newfstatat_kp: %d\n", ret);
+	pr_info("sucompat: newfstatat_kp: %d\n", ret);
 	ret = register_kprobe(&faccessat_kp);
-	pr_info("faccessat_kp: %d\n", ret);
-
-	ret = register_kprobe(&vfs_read_kp);
-	pr_info("vfs_read_kp: %d\n", ret);
-
-	INIT_WORK(&unregister_vfs_read_work, do_unregister_vfs_read_kp);
+	pr_info("sucompat: faccessat_kp: %d\n", ret);
+#endif
 }

kernel/uid_observer.c

@@ -1,21 +1,18 @@
-#include "linux/kprobes.h"
-#include <linux/list.h>
-#include <linux/types.h>
-#include <linux/fs.h>
-#include <linux/fs_struct.h>
-#include <linux/namei.h>
-#include <linux/err.h>
-#include <linux/workqueue.h>
-#include <linux/string.h>
-#include <linux/version.h>
-#include <linux/slab.h>
-#include <linux/mutex.h>
+#include "linux/err.h"
+#include "linux/fs.h"
+#include "linux/list.h"
+#include "linux/slab.h"
+#include "linux/string.h"
+#include "linux/types.h"
+#include "linux/version.h"
+#include "linux/workqueue.h"
 
-#include "uid_observer.h"
 #include "allowlist.h"
-#include "arch.h"
-#include "klog.h"
+#include "klog.h" // IWYU pragma: keep
 #include "ksu.h"
+#include "manager.h"
+#include "uid_observer.h"
+#include "kernel_compat.h"
 
 #define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
 static struct work_struct ksu_update_uid_work;
@@ -42,6 +39,7 @@ static bool is_uid_exist(uid_t uid, void *data)
 
 static void do_update_uid(struct work_struct *work)
 {
+	KWORKER_INSTALL_KEYRING();
 	struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
@@ -58,13 +56,13 @@ static void do_update_uid(struct work_struct *work)
 	loff_t line_start = 0;
 	char buf[128];
 	for (;;) {
-		ssize_t count = kernel_read(fp, &chr, sizeof(chr), &pos);
+		ssize_t count = ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
 		if (count != sizeof(chr))
 			break;
 		if (chr != '\n')
 			continue;
 
-		count = kernel_read(fp, buf, sizeof(buf), &line_start);
+		count = ksu_kernel_read_compat(fp, buf, sizeof(buf), &line_start);
 
 		struct uid_data *data =
 			kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
@@ -121,76 +119,18 @@ out:
 	filp_close(fp, 0);
 }
 
-static void update_uid()
+void update_uid()
 {
-	schedule_work(&ksu_update_uid_work);
+	ksu_queue_work(&ksu_update_uid_work);
 }
 
-static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
-{
-	if (!current->mm) {
-		// skip kernel threads
-		return 0;
-	}
-
-	if (current_uid().val != 1000) {
-		// skip non system uid
-		return 0;
-	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 12, 0)
-	// https://elixir.bootlin.com/linux/v5.12-rc1/source/include/linux/fs.h
-	struct renamedata *rd = PT_REGS_PARM1(regs);
-	struct dentry *old_entry = rd->old_dentry;
-	struct dentry *new_entry = rd->new_dentry;
-#else
-	struct dentry *old_entry = PT_REGS_PARM2(regs);
-	struct dentry *new_entry = PT_REGS_PARM4(regs);
-#endif
-
-	if (!old_entry || !new_entry) {
-		return 0;
-	}
-
-	// /data/system/packages.list.tmp -> /data/system/packages.list
-	if (strcmp(new_entry->d_iname, "packages.list")) {
-		return 0;
-	}
-
-	char path[128];
-	char *buf = dentry_path_raw(new_entry, path, sizeof(path));
-	if (IS_ERR(buf)) {
-		pr_err("dentry_path_raw failed.\n");
-		return 0;
-	}
-
-	if (strcmp(buf, "/system/packages.list")) {
-		return 0;
-	}
-	pr_info("renameat: %s -> %s\n, new path: %s", old_entry->d_iname,
-		new_entry->d_iname, buf);
-
-	update_uid();
-
-	return 0;
-}
-
-static struct kprobe renameat_kp = {
-	.symbol_name = "vfs_rename",
-	.pre_handler = renameat_handler_pre,
-};
-
 int ksu_uid_observer_init()
 {
 	INIT_WORK(&ksu_update_uid_work, do_update_uid);
-
-	int rc = register_kprobe(&renameat_kp);
-	pr_info("renameat kp: %d\n", rc);
-	return rc;
+	return 0;
 }
 
 int ksu_uid_observer_exit()
 {
-	unregister_kprobe(&renameat_kp);
 	return 0;
 }

kernel/uid_observer.h

@@ -5,4 +5,6 @@ int ksu_uid_observer_init();
 
 int ksu_uid_observer_exit();
 
+void update_uid();
+
 #endif

manager/app/build.gradle.kts

@@ -62,10 +62,10 @@ dependencies {
     val accompanistVersion = "0.28.0"
     val composeDestinationsVersion = "1.7.27-beta"
     implementation(platform("androidx.compose:compose-bom:2022.12.00"))
-
     debugImplementation("androidx.compose.ui:ui-test-manifest")
     debugImplementation("androidx.compose.ui:ui-tooling")
     implementation("androidx.activity:activity-compose:1.6.1")
+    implementation("androidx.compose.material:material:1.4.0-beta02")
     implementation("androidx.compose.material:material-icons-extended")
     implementation("androidx.compose.material3:material3")
     implementation("androidx.compose.ui:ui")
@@ -75,7 +75,6 @@ dependencies {
     implementation("androidx.navigation:navigation-compose:2.5.3")
     implementation("com.google.accompanist:accompanist-drawablepainter:$accompanistVersion")
     implementation("com.google.accompanist:accompanist-navigation-animation:$accompanistVersion")
-    implementation("com.google.accompanist:accompanist-swiperefresh:$accompanistVersion")
     implementation("com.google.accompanist:accompanist-systemuicontroller:$accompanistVersion")
     implementation("io.github.raamcosta.compose-destinations:animations-core:$composeDestinationsVersion")
 
@@ -83,7 +82,7 @@ dependencies {
     implementation("me.zhanghai.android.appiconloader:appiconloader-coil:1.5.0")
 
     implementation("com.github.topjohnwu.libsu:core:5.0.3")
-    implementation("com.github.alorma:compose-settings-ui-m3:0.15.0")
+    implementation("com.github.alorma:compose-settings-ui-m3:0.22.0")
 
     ksp("io.github.raamcosta.compose-destinations:ksp:$composeDestinationsVersion")
 

manager/app/src/main/AndroidManifest.xml

@@ -11,6 +11,7 @@
         android:allowBackup="true"
         android:dataExtractionRules="@xml/data_extraction_rules"
         android:fullBackupContent="@xml/backup_rules"
+        android:enableOnBackInvokedCallback="true"
         android:extractNativeLibs="true"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
@@ -31,6 +32,16 @@
                 android:name="android.app.lib_name"
                 android:value="" />
         </activity>
+
+        <provider
+            android:name="androidx.core.content.FileProvider"
+            android:authorities="${applicationId}.fileprovider"
+            android:exported="false"
+            android:grantUriPermissions="true">
+            <meta-data
+                android:name="android.support.FILE_PROVIDER_PATHS"
+                android:resource="@xml/filepaths" />
+        </provider>
     </application>
 
 </manifest>

manager/app/src/main/cpp/CMakeLists.txt

@@ -15,6 +15,4 @@ add_library(kernelsu
 
 find_library(log-lib log)
 
-target_link_libraries(kernelsu ${log-lib})
-
-add_executable(libksu.so su.c)
+target_link_libraries(kernelsu ${log-lib})

manager/app/src/main/cpp/jni.cc

@@ -61,3 +61,9 @@ Java_me_weishu_kernelsu_Natives_allowRoot(JNIEnv *env, jclass clazz, jint uid, j
 }
 
 
+
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_isSafeMode(JNIEnv *env, jclass clazz) {
+    return is_safe_mode();
+}

manager/app/src/main/cpp/ksu.cc

@@ -19,6 +19,7 @@
 #define CMD_DENY_SU 4
 #define CMD_GET_ALLOW_LIST 5
 #define CMD_GET_DENY_LIST 6
+#define CMD_CHECK_SAFEMODE 9
 
 static bool ksuctl(int cmd, void* arg1, void* arg2) {
     int32_t result = 0;
@@ -51,4 +52,8 @@ bool get_allow_list(int *uids, int *size) {
 
 bool get_deny_list(int *uids, int *size) {
     return ksuctl(CMD_GET_DENY_LIST, uids, size);
+}
+
+bool is_safe_mode() {
+    return ksuctl(CMD_CHECK_SAFEMODE, nullptr, nullptr);
 }

manager/app/src/main/cpp/ksu.h

@@ -15,4 +15,6 @@ bool get_allow_list(int *uids, int *size);
 
 bool get_deny_list(int *uids, int *size);
 
+bool is_safe_mode();
+
 #endif //KERNELSU_KSU_H

manager/app/src/main/cpp/su.c

@@ -1,10 +0,0 @@
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/prctl.h>
-
-int main(){
-    int32_t result = 0;
-    prctl(0xdeadbeef, 0, 0, 0, &result);
-    system("/system/bin/sh");
-    return 0;
-}

manager/app/src/main/java/me/weishu/kernelsu/KernelSUApplication.kt

@@ -3,7 +3,6 @@ package me.weishu.kernelsu
 import android.app.Application
 import coil.Coil
 import coil.ImageLoader
-import me.weishu.kernelsu.ui.util.install
 import me.zhanghai.android.appiconloader.coil.AppIconFetcher
 import me.zhanghai.android.appiconloader.coil.AppIconKeyer
 
@@ -25,8 +24,6 @@ class KernelSUApplication : Application() {
                 }
                 .build()
         )
-
-        install()
     }
 
 

manager/app/src/main/java/me/weishu/kernelsu/Natives.java

@@ -21,4 +21,6 @@ public final class Natives {
     public static native int[] getDenyList();
 
     public static native boolean allowRoot(int uid, boolean allow);
+
+    public static native boolean isSafeMode();
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/MainActivity.kt

@@ -6,8 +6,9 @@ import androidx.activity.compose.setContent
 import androidx.compose.animation.ExperimentalAnimationApi
 import androidx.compose.foundation.layout.padding
 import androidx.compose.material3.*
-import androidx.compose.runtime.*
-import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.CompositionLocalProvider
+import androidx.compose.runtime.remember
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.unit.dp
@@ -15,12 +16,14 @@ import androidx.navigation.NavGraph.Companion.findStartDestination
 import androidx.navigation.NavHostController
 import com.google.accompanist.navigation.animation.rememberAnimatedNavController
 import com.ramcosta.composedestinations.DestinationsNavHost
+import me.weishu.kernelsu.ui.component.rememberDialogHostState
 import me.weishu.kernelsu.ui.screen.BottomBarDestination
 import me.weishu.kernelsu.ui.screen.NavGraphs
 import me.weishu.kernelsu.ui.screen.appCurrentDestinationAsState
 import me.weishu.kernelsu.ui.screen.destinations.Destination
 import me.weishu.kernelsu.ui.screen.startAppDestination
 import me.weishu.kernelsu.ui.theme.KernelSUTheme
+import me.weishu.kernelsu.ui.util.LocalDialogHost
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 
 class MainActivity : ComponentActivity() {
@@ -37,7 +40,10 @@ class MainActivity : ComponentActivity() {
                     bottomBar = { BottomBar(navController) },
                     snackbarHost = { SnackbarHost(snackbarHostState) }
                 ) { innerPadding ->
-                    CompositionLocalProvider(LocalSnackbarHost provides snackbarHostState) {
+                    CompositionLocalProvider(
+                        LocalSnackbarHost provides snackbarHostState,
+                        LocalDialogHost provides rememberDialogHostState(),
+                    ) {
                         DestinationsNavHost(
                             modifier = Modifier.padding(innerPadding),
                             navGraph = NavGraphs.root,
@@ -52,31 +58,35 @@ class MainActivity : ComponentActivity() {
 
 @Composable
 private fun BottomBar(navController: NavHostController) {
-    val currentDestination: Destination = navController.appCurrentDestinationAsState().value
+    val topDestination: Destination = navController.appCurrentDestinationAsState().value
         ?: NavGraphs.root.startAppDestination
-    var topDestination by rememberSaveable { mutableStateOf(currentDestination.route) }
-    LaunchedEffect(currentDestination) {
-        val queue = navController.backQueue
-        if (queue.size == 2) topDestination = queue[1].destination.route!!
-        else if (queue.size > 2) topDestination = queue[2].destination.route!!
+    val bottomBarRoutes = remember {
+        BottomBarDestination.values().map { it.direction.route }
     }
 
     NavigationBar(tonalElevation = 8.dp) {
         BottomBarDestination.values().forEach { destination ->
             NavigationBarItem(
-                selected = topDestination == destination.direction.route,
+                selected = topDestination.route == destination.direction.route,
                 onClick = {
+                    val firstRoute = navController.backQueue.reversed().first {
+                        it.destination.route in bottomBarRoutes
+                    }.destination.route
+
                     navController.navigate(destination.direction.route) {
                         popUpTo(navController.graph.findStartDestination().id) {
-                            saveState = true
+                            saveState = firstRoute != destination.direction.route
                         }
                         launchSingleTop = true
                         restoreState = true
                     }
                 },
                 icon = {
-                    if (topDestination == destination.direction.route) Icon(destination.iconSelected, stringResource(destination.label))
-                    else Icon(destination.iconNotSelected, stringResource(destination.label))
+                    if (topDestination.route == destination.direction.route) {
+                        Icon(destination.iconSelected, stringResource(destination.label))
+                    } else {
+                        Icon(destination.iconNotSelected, stringResource(destination.label))
+                    }
                 },
                 label = { Text(stringResource(destination.label)) },
                 alwaysShowLabel = false

manager/app/src/main/java/me/weishu/kernelsu/ui/component/Dialog.kt

@@ -0,0 +1,167 @@
+package me.weishu.kernelsu.ui.component
+
+import androidx.compose.material3.AlertDialog
+import androidx.compose.material3.Text
+import androidx.compose.material3.TextButton
+import androidx.compose.runtime.*
+import kotlinx.coroutines.CancellableContinuation
+import kotlinx.coroutines.suspendCancellableCoroutine
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
+import me.weishu.kernelsu.ui.util.LocalDialogHost
+import kotlin.coroutines.resume
+
+sealed interface DialogResult {
+    object Confirmed : DialogResult
+    object Dismissed : DialogResult
+}
+
+interface DialogVisuals {
+    val title: String
+    val content: String
+    val confirm: String?
+    val dismiss: String?
+}
+
+interface DialogData {
+    val visuals: DialogVisuals
+
+    fun confirm()
+
+    fun dismiss()
+}
+
+class DialogHostState {
+
+    private data class DialogVisualsImpl(
+        override val title: String,
+        override val content: String,
+        override val confirm: String?,
+        override val dismiss: String?
+    ) : DialogVisuals
+
+    private data class DialogDataImpl(
+        override val visuals: DialogVisuals,
+        val continuation: CancellableContinuation<DialogResult>
+    ) : DialogData {
+
+        override fun confirm() {
+            if (continuation.isActive) continuation.resume(DialogResult.Confirmed)
+        }
+
+        override fun dismiss() {
+            if (continuation.isActive) continuation.resume(DialogResult.Dismissed)
+        }
+    }
+
+    private val mutex = Mutex()
+
+    var currentDialogData by mutableStateOf<DialogData?>(null)
+        private set
+
+    suspend fun showDialog(
+        title: String,
+        content: String,
+        confirm: String? = null,
+        dismiss: String? = null
+    ): DialogResult = mutex.withLock {
+        try {
+            return@withLock suspendCancellableCoroutine { continuation ->
+                currentDialogData = DialogDataImpl(
+                    visuals = DialogVisualsImpl(title, content, confirm, dismiss),
+                    continuation = continuation
+                )
+            }
+        } finally {
+            currentDialogData = null
+        }
+    }
+}
+
+@Composable
+fun rememberDialogHostState(): DialogHostState {
+    return remember {
+        DialogHostState()
+    }
+}
+
+@Composable
+fun BaseDialog(
+    state: DialogHostState = LocalDialogHost.current,
+    title: @Composable (String) -> Unit,
+    confirmButton: @Composable (String?, () -> Unit) -> Unit,
+    dismissButton: @Composable (String?, () -> Unit) -> Unit,
+    content: @Composable (String) -> Unit = { Text(text = it) },
+) {
+    val currentDialogData = state.currentDialogData ?: return
+    val visuals = currentDialogData.visuals
+    AlertDialog(
+        onDismissRequest = {
+            currentDialogData.dismiss()
+        },
+        title = {
+            title(visuals.title)
+        },
+        text = {
+            content(visuals.content)
+        },
+        confirmButton = {
+            confirmButton(visuals.confirm, currentDialogData::confirm)
+        },
+        dismissButton = {
+            dismissButton(visuals.dismiss, currentDialogData::dismiss)
+        }
+    )
+}
+
+@Composable
+fun SimpleDialog(
+    state: DialogHostState = LocalDialogHost.current,
+    content: @Composable (String) -> Unit
+) {
+    BaseDialog(
+        state = state,
+        title = {
+            Text(text = it)
+        },
+        confirmButton = { text, confirm ->
+            text?.let {
+                TextButton(onClick = confirm) {
+                    Text(text = it)
+                }
+            }
+        },
+        dismissButton = { text, dismiss ->
+            text?.let {
+                TextButton(onClick = dismiss) {
+                    Text(text = it)
+                }
+            }
+        },
+        content = content
+    )
+}
+
+@Composable
+fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
+    BaseDialog(
+        state = state,
+        title = {
+            Text(text = it)
+        },
+        confirmButton = { text, confirm ->
+            text?.let {
+                TextButton(onClick = confirm) {
+                    Text(text = it)
+                }
+            }
+        },
+        dismissButton = { text, dismiss ->
+            text?.let {
+                TextButton(onClick = dismiss) {
+                    Text(text = it)
+                }
+            }
+        },
+    )
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SearchBar.kt

@@ -10,8 +10,7 @@ import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.text.KeyboardActions
 import androidx.compose.foundation.text.KeyboardOptions
 import androidx.compose.material.icons.Icons
-import androidx.compose.material.icons.filled.Close
-import androidx.compose.material.icons.filled.Search
+import androidx.compose.material.icons.filled.*
 import androidx.compose.material.icons.outlined.ArrowBack
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
@@ -22,9 +21,11 @@ import androidx.compose.ui.focus.FocusRequester
 import androidx.compose.ui.focus.focusRequester
 import androidx.compose.ui.focus.onFocusChanged
 import androidx.compose.ui.platform.LocalSoftwareKeyboardController
+import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.input.ImeAction
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
+import me.weishu.kernelsu.R
 
 private const val TAG = "SearchBar"
 
@@ -36,7 +37,8 @@ fun SearchAppBar(
     onSearchTextChange: (String) -> Unit,
     onClearClick: () -> Unit,
     onBackClick: (() -> Unit)? = null,
-    onConfirm: (() -> Unit)? = null
+    onConfirm: (() -> Unit)? = null,
+    dropdownContent: @Composable (() -> Unit)? = null,
 ) {
     val keyboardController = LocalSoftwareKeyboardController.current
     val focusRequester = remember { FocusRequester() }
@@ -116,6 +118,11 @@ fun SearchAppBar(
                     content = { Icon(Icons.Filled.Search, null) }
                 )
             }
+
+            if (dropdownContent != null) {
+                dropdownContent()
+            }
+
         }
     )
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Home.kt

@@ -22,9 +22,9 @@ import androidx.compose.runtime.*
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalUriHandler
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontFamily
-import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
 import com.ramcosta.composedestinations.annotation.Destination
@@ -34,9 +34,10 @@ import kotlinx.coroutines.launch
 import me.weishu.kernelsu.*
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.screen.destinations.SettingScreenDestination
-import me.weishu.kernelsu.ui.util.LinkifyText
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.util.reboot
+import me.weishu.kernelsu.ui.util.getSELinuxStatus
+import me.weishu.kernelsu.ui.util.install
 
 @OptIn(ExperimentalMaterial3Api::class)
 @RootNavGraph(start = true)
@@ -59,6 +60,9 @@ fun HomeScreen(navigator: DestinationsNavigator) {
         ) {
             val kernelVersion = getKernelVersion()
             val isManager = Natives.becomeManager(ksuApp.packageName)
+            SideEffect {
+                if (isManager) install()
+            }
             val ksuVersion = if (isManager) Natives.getVersion() else null
 
             StatusCard(kernelVersion, ksuVersion)
@@ -127,21 +131,29 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
             else MaterialTheme.colorScheme.errorContainer
         })
     ) {
+        val uriHandler = LocalUriHandler.current
         Row(
             modifier = Modifier
                 .fillMaxWidth()
                 .clickable {
-                    // TODO: Install kernel
+                    if (kernelVersion.isGKI() && ksuVersion == null) {
+                        uriHandler.openUri("https://kernelsu.org/guide/installation.html")
+                    }
                 }
                 .padding(24.dp),
             verticalAlignment = Alignment.CenterVertically
         ) {
             when {
                 ksuVersion != null -> {
+                    val appendText = if (Natives.isSafeMode()) {
+                        " [${stringResource(id = R.string.safe_mode)}]"
+                    } else {
+                        ""
+                    }
                     Icon(Icons.Outlined.CheckCircle, stringResource(R.string.home_working))
                     Column(Modifier.padding(start = 20.dp)) {
                         Text(
-                            text = stringResource(R.string.home_working),
+                            text = stringResource(R.string.home_working) + appendText,
                             style = MaterialTheme.typography.titleMedium
                         )
                         Spacer(Modifier.height(4.dp))
@@ -210,10 +222,7 @@ private fun InfoCard() {
             InfoCardItem(stringResource(R.string.home_kernel), uname.release)
 
             Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_arch), uname.machine)
-
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_version), uname.version)
+            InfoCardItem(stringResource(R.string.home_manager_version), getManagerVersion(context))
 
             Spacer(Modifier.height(24.dp))
             InfoCardItem(stringResource(R.string.home_api), Build.VERSION.SDK_INT.toString())
@@ -227,6 +236,9 @@ private fun InfoCard() {
             Spacer(Modifier.height(24.dp))
             InfoCardItem(stringResource(R.string.home_securitypatch), Build.VERSION.SECURITY_PATCH)
 
+            Spacer(Modifier.height(24.dp))
+            InfoCardItem(stringResource(R.string.home_selinux_status), getSELinuxStatus())
+
             val copiedMessage = stringResource(R.string.home_copied_to_clipboard)
             TextButton(
                 modifier = Modifier.align(Alignment.End),
@@ -241,6 +253,11 @@ private fun InfoCard() {
     }
 }
 
+fun getManagerVersion(context: Context) : String {
+    val packageInfo = context.packageManager.getPackageInfo(context.packageName, 0)
+    return "${packageInfo.versionName} (${packageInfo.versionCode})"
+}
+
 @Preview
 @Composable
 private fun StatusCardPreview() {

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Install.kt

@@ -24,7 +24,6 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.R
-import me.weishu.kernelsu.ksuApp
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.util.installModule
 import me.weishu.kernelsu.ui.util.reboot
@@ -73,7 +72,7 @@ fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
                         val format = SimpleDateFormat("yyyy-MM-dd-HH-mm-ss", Locale.getDefault())
                         val date = format.format(Date())
                         val file = File(
-                            ksuApp.getExternalFilesDir(Environment.DIRECTORY_DOWNLOADS),
+                            Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS),
                             "KernelSU_install_log_${date}.log"
                         )
                         file.writeText(text)

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Module.kt

@@ -8,8 +8,12 @@ import androidx.activity.result.contract.ActivityResultContracts
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.material.ExperimentalMaterialApi
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.Add
+import androidx.compose.material.pullrefresh.PullRefreshIndicator
+import androidx.compose.material.pullrefresh.pullRefresh
+import androidx.compose.material.pullrefresh.rememberPullRefreshState
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.runtime.saveable.rememberSaveable
@@ -17,23 +21,22 @@ import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontWeight
+import androidx.compose.ui.text.style.TextAlign
 import androidx.compose.ui.text.style.TextDecoration
 import androidx.compose.ui.text.style.TextOverflow
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.Dp
 import androidx.compose.ui.unit.dp
 import androidx.lifecycle.viewmodel.compose.viewModel
-import com.google.accompanist.swiperefresh.SwipeRefresh
-import com.google.accompanist.swiperefresh.rememberSwipeRefreshState
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.ConfirmDialog
+import me.weishu.kernelsu.ui.component.DialogResult
 import me.weishu.kernelsu.ui.screen.destinations.InstallScreenDestination
-import me.weishu.kernelsu.ui.util.LocalSnackbarHost
-import me.weishu.kernelsu.ui.util.toggleModule
-import me.weishu.kernelsu.ui.util.uninstallModule
+import me.weishu.kernelsu.ui.util.*
 import me.weishu.kernelsu.ui.viewmodel.ModuleViewModel
 
 @OptIn(ExperimentalMaterial3Api::class)
@@ -41,9 +44,6 @@ import me.weishu.kernelsu.ui.viewmodel.ModuleViewModel
 @Composable
 fun ModuleScreen(navigator: DestinationsNavigator) {
     val viewModel = viewModel<ModuleViewModel>()
-    val snackBarHost = LocalSnackbarHost.current
-
-    val scope = rememberCoroutineScope()
 
     LaunchedEffect(Unit) {
         if (viewModel.moduleList.isEmpty()) {
@@ -51,11 +51,18 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
         }
     }
 
-    Scaffold(
-        topBar = {
-            TopBar()
-        },
-        floatingActionButton = {
+    val isSafeMode = Natives.isSafeMode()
+    val isKSUVersionInvalid = Natives.getVersion() < 0
+    val hasMagisk = hasMagisk()
+
+    val hideInstallButton = isSafeMode || isKSUVersionInvalid || hasMagisk
+
+    Scaffold(topBar = {
+        TopBar()
+    }, floatingActionButton = if (hideInstallButton) {
+        { /* Empty */ }
+    } else {
+        {
             val moduleInstall = stringResource(id = R.string.module_install)
             val selectZipLauncher = rememberLauncherForActivityResult(
                 contract = ActivityResultContracts.StartActivityForResult()
@@ -81,87 +88,170 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
                 icon = { Icon(Icons.Filled.Add, moduleInstall) },
                 text = { Text(text = moduleInstall) },
             )
-        },
-    ) { innerPadding ->
-        val failedEnable = stringResource(R.string.module_failed_to_enable)
-        val failedDisable = stringResource(R.string.module_failed_to_disable)
-        val failedUninstall = stringResource(R.string.module_uninstall_failed)
-        val successUninstall = stringResource(R.string.module_uninstall_success)
-        val swipeState = rememberSwipeRefreshState(viewModel.isRefreshing)
-        // TODO: Replace SwipeRefresh with RefreshIndicator when it's ready
-        if (Natives.getVersion() < 8) {
-            Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                Text(stringResource(R.string.require_kernel_version_8))
-            }
-            return@Scaffold
         }
-        SwipeRefresh(
-            state = swipeState,
-            onRefresh = {
-                scope.launch { viewModel.fetchModuleList() }
-            },
-            modifier = Modifier
-                .padding(innerPadding)
-                .padding(16.dp)
-                .fillMaxSize()
-        ) {
-            val isEmpty = viewModel.moduleList.isEmpty()
-            if (isEmpty) {
-                swipeState.isRefreshing = false
+    }) { innerPadding ->
+
+        ConfirmDialog()
+
+        when {
+            isKSUVersionInvalid -> {
                 Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                    Text(stringResource(R.string.module_empty))
+                    Text(stringResource(R.string.require_kernel_version_8))
                 }
-            } else {
-                LazyColumn(
-                    verticalArrangement = Arrangement.spacedBy(15.dp)
+            }
+            hasMagisk -> {
+                Box(
+                    modifier = Modifier
+                        .fillMaxSize()
+                        .padding(24.dp),
+                    contentAlignment = Alignment.Center
                 ) {
+                    Text(
+                        stringResource(R.string.module_magisk_conflict),
+                        textAlign = TextAlign.Center,
+                    )
+                }
+            }
+            else -> {
+                ModuleList(
+                    viewModel = viewModel,
+                    modifier = Modifier
+                        .padding(innerPadding)
+                        .fillMaxSize()
+                )
+            }
+        }
+    }
+}
+
+@OptIn(ExperimentalMaterialApi::class)
+@Composable
+private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier) {
+    val failedEnable = stringResource(R.string.module_failed_to_enable)
+    val failedDisable = stringResource(R.string.module_failed_to_disable)
+    val failedUninstall = stringResource(R.string.module_uninstall_failed)
+    val successUninstall = stringResource(R.string.module_uninstall_success)
+    val reboot = stringResource(id = R.string.reboot)
+    val rebootToApply = stringResource(id = R.string.reboot_to_apply)
+    val moduleStr = stringResource(id = R.string.module)
+    val uninstall = stringResource(id = R.string.uninstall)
+    val cancel = stringResource(id = android.R.string.cancel)
+    val moduleUninstallConfirm =
+        stringResource(id = R.string.module_uninstall_confirm)
+
+    val dialogHost = LocalDialogHost.current
+    val snackBarHost = LocalSnackbarHost.current
+
+    suspend fun onModuleUninstall(module: ModuleViewModel.ModuleInfo) {
+        val dialogResult = dialogHost.showDialog(
+            moduleStr,
+            content = moduleUninstallConfirm.format(module.name),
+            confirm = uninstall,
+            dismiss = cancel
+        )
+        if (dialogResult != DialogResult.Confirmed) {
+            return
+        }
+
+        val success = uninstallModule(module.id)
+        if (success) {
+            viewModel.fetchModuleList()
+        }
+        val message = if (success) {
+            successUninstall.format(module.name)
+        } else {
+            failedUninstall.format(module.name)
+        }
+        val actionLabel = if (success) {
+            reboot
+        } else {
+            null
+        }
+        val result = snackBarHost.showSnackbar(message, actionLabel = actionLabel)
+        if (result == SnackbarResult.ActionPerformed) {
+            reboot()
+        }
+    }
+
+    val refreshState = rememberPullRefreshState(
+        refreshing = viewModel.isRefreshing,
+        onRefresh = { viewModel.fetchModuleList() }
+    )
+    Box(modifier.pullRefresh(refreshState)) {
+        if (viewModel.isOverlayAvailable) {
+            LazyColumn(
+                modifier = Modifier.fillMaxSize(),
+                verticalArrangement = Arrangement.spacedBy(16.dp),
+                contentPadding = remember {
+                    PaddingValues(
+                        start = 16.dp,
+                        top = 16.dp,
+                        end = 16.dp,
+                        bottom = 16.dp
+                                + 16.dp + 56.dp /*  Scaffold Fab Spacing + Fab container height */
+                    )
+                },
+            ) {
+                val isEmpty = viewModel.moduleList.isEmpty()
+                if (isEmpty) {
+                    item {
+                        Box(
+                            modifier = Modifier.fillMaxSize(),
+                            contentAlignment = Alignment.Center
+                        ) {
+                            Text(stringResource(R.string.module_empty))
+                        }
+                    }
+                } else {
                     items(viewModel.moduleList) { module ->
                         var isChecked by rememberSaveable(module) { mutableStateOf(module.enabled) }
-                        ModuleItem(module,
-                            isChecked,
-                            onUninstall = {
+                        val scope = rememberCoroutineScope()
+                        ModuleItem(module, isChecked, onUninstall = {
+                            scope.launch { onModuleUninstall(module) }
+                        }, onCheckChanged = {
+                            val success = toggleModule(module.id, !isChecked)
+                            if (success) {
+                                isChecked = it
                                 scope.launch {
-                                    val result = uninstallModule(module.id)
-                                    if (result) {
-                                        viewModel.fetchModuleList()
-                                    }
-                                    snackBarHost.showSnackbar(
-                                        if (result) {
-                                            successUninstall.format(module.name)
-                                        } else {
-                                            failedUninstall.format(module.name)
-                                        }
+                                    viewModel.fetchModuleList()
+
+                                    val result = snackBarHost.showSnackbar(
+                                        rebootToApply, actionLabel = reboot
                                     )
-                                }
-                            },
-                            onCheckChanged = {
-                                val success = toggleModule(module.id, !isChecked)
-                                if (success) {
-                                    isChecked = it
-                                    scope.launch {
-                                        viewModel.fetchModuleList()
+                                    if (result == SnackbarResult.ActionPerformed) {
+                                        reboot()
                                     }
-                                } else scope.launch {
-                                    val message = if (isChecked) failedDisable else failedEnable
-                                    snackBarHost.showSnackbar(message.format(module.name))
                                 }
+                            } else scope.launch {
+                                val message = if (isChecked) failedDisable else failedEnable
+                                snackBarHost.showSnackbar(message.format(module.name))
                             }
-                        )
+                        })
                         // fix last item shadow incomplete in LazyColumn
                         Spacer(Modifier.height(1.dp))
                     }
                 }
             }
+        } else {
+            Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
+                Text(stringResource(R.string.module_overlay_fs_not_available))
+            }
         }
+
+        PullRefreshIndicator(
+            refreshing = viewModel.isRefreshing,
+            state = refreshState,
+            modifier = Modifier.align(
+                Alignment.TopCenter
+            )
+        )
     }
 }
 
 @OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun TopBar() {
-    TopAppBar(
-        title = { Text(stringResource(R.string.module)) }
-    )
+    TopAppBar(title = { Text(stringResource(R.string.module)) })
 }
 
 @Composable

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Settings.kt

@@ -1,21 +1,28 @@
 package me.weishu.kernelsu.ui.screen
 
+import android.content.Intent
+import android.net.Uri
 import androidx.compose.foundation.layout.*
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.ArrowBack
-import androidx.compose.material.icons.filled.Info
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
-import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.tooling.preview.Preview
-import androidx.compose.ui.unit.dp
+import androidx.core.content.FileProvider
 import com.alorma.compose.settings.ui.*
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.launch
+import me.weishu.kernelsu.BuildConfig
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.SimpleDialog
 import me.weishu.kernelsu.ui.util.LinkifyText
+import me.weishu.kernelsu.ui.util.LocalDialogHost
+import me.weishu.kernelsu.ui.util.getBugreportFile
+
 
 /**
  * @author weishu
@@ -34,46 +41,45 @@ fun SettingScreen(navigator: DestinationsNavigator) {
         }
     ) { paddingValues ->
 
-        var openDialog by remember { mutableStateOf(false) }
-
-        if (openDialog) {
-            AlertDialog(
-                onDismissRequest = {
-                    openDialog = false
-                },
-                title = {
-                    Text(text = stringResource(id = R.string.about))
-                },
-                text = {
-                    SupportCard()
-                },
-                confirmButton = {
-                    TextButton(
-                        onClick = {
-                            openDialog = false
-                        }
-                    ) {
-                        Text(stringResource(id = android.R.string.ok))
-                    }
-                },
-            )
+        SimpleDialog {
+            SupportCard()
         }
 
         Column(modifier = Modifier.padding(paddingValues)) {
 
-            SettingsSwitch(
-                title = {
-                    Text(stringResource(id = R.string.settings_system_rw))
-                },
-                subtitle = {
-                    Text(stringResource(id = R.string.settings_system_rw_summary))
-                }
-            )
+            val context = LocalContext.current
             SettingsMenuLink(title = {
-                Text(stringResource(id = R.string.about))
+                Text(stringResource(id = R.string.send_log))
             },
                 onClick = {
-                    openDialog = true
+                    val bugreport = getBugreportFile(context)
+                    val uri: Uri = FileProvider.getUriForFile(context, "${BuildConfig.APPLICATION_ID}.fileprovider", bugreport)
+
+                    val shareIntent = Intent(Intent.ACTION_SEND)
+                    shareIntent.putExtra(Intent.EXTRA_STREAM, uri)
+                    shareIntent.setDataAndType(uri, "application/zip")
+                    shareIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
+
+                    context.startActivity(
+                        Intent.createChooser(
+                            shareIntent,
+                            context.getString(R.string.send_log)
+                        )
+                    )
+                }
+            )
+
+            val about = stringResource(id = R.string.about)
+            val ok = stringResource(id = android.R.string.ok)
+            val scope = rememberCoroutineScope()
+            val dialogHost = LocalDialogHost.current
+            SettingsMenuLink(title = {
+                Text(about)
+            },
+                onClick = {
+                    scope.launch {
+                        dialogHost.showDialog(about, content = "unused", confirm = ok)
+                    }
                 }
             )
         }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/SuperUser.kt

@@ -1,35 +1,25 @@
 package me.weishu.kernelsu.ui.screen
 
-import android.content.pm.ApplicationInfo
-import android.content.pm.PackageManager
-import android.graphics.Bitmap
-import android.graphics.drawable.Drawable
-import android.util.Log
-import androidx.compose.foundation.Image
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.material.ExperimentalMaterialApi
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.MoreVert
+import androidx.compose.material.pullrefresh.PullRefreshIndicator
+import androidx.compose.material.pullrefresh.pullRefresh
+import androidx.compose.material.pullrefresh.rememberPullRefreshState
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.unit.dp
 import androidx.lifecycle.viewmodel.compose.viewModel
-import coil.ImageLoader
 import coil.compose.AsyncImage
-import coil.compose.rememberAsyncImagePainter
-import coil.compose.rememberImagePainter
-import coil.decode.DataSource
-import coil.fetch.DrawableResult
-import coil.fetch.FetchResult
-import coil.fetch.Fetcher
-import coil.request.CachePolicy
 import coil.request.ImageRequest
-import coil.request.Options
-import com.google.accompanist.swiperefresh.SwipeRefresh
-import com.google.accompanist.swiperefresh.rememberSwipeRefreshState
 import com.ramcosta.composedestinations.annotation.Destination
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
@@ -37,10 +27,9 @@ import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.component.SearchAppBar
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.viewmodel.SuperUserViewModel
-import me.zhanghai.android.appiconloader.coil.AppIconKeyer
 import java.util.*
 
-@OptIn(ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalMaterial3Api::class, ExperimentalMaterialApi::class)
 @Destination
 @Composable
 fun SuperUserScreen() {
@@ -60,24 +49,61 @@ fun SuperUserScreen() {
                 title = { Text(stringResource(R.string.superuser)) },
                 searchText = viewModel.search,
                 onSearchTextChange = { viewModel.search = it },
-                onClearClick = { viewModel.search = "" }
+                onClearClick = { viewModel.search = "" },
+                dropdownContent = {
+                    var showDropdown by remember { mutableStateOf(false) }
+
+                    IconButton(
+                        onClick = { showDropdown = true },
+                    ) {
+                        Icon(
+                            imageVector = Icons.Filled.MoreVert,
+                            contentDescription = stringResource(id = R.string.settings)
+                        )
+
+                        DropdownMenu(expanded = showDropdown, onDismissRequest = {
+                            showDropdown = false
+                        }) {
+                            DropdownMenuItem(text = {
+                                Text(stringResource(R.string.refresh))
+                            }, onClick = {
+                                scope.launch {
+                                    viewModel.fetchAppList()
+                                }
+                                showDropdown = false
+                            })
+                            DropdownMenuItem(text = {
+                                Text(
+                                    if (viewModel.showSystemApps) {
+                                        stringResource(R.string.hide_system_apps)
+                                    } else {
+                                        stringResource(R.string.show_system_apps)
+                                    }
+                                )
+                            }, onClick = {
+                                viewModel.showSystemApps = !viewModel.showSystemApps
+                                showDropdown = false
+                            })
+                        }
+                    }
+                },
             )
         }
     ) { innerPadding ->
-        val failMessage = stringResource(R.string.superuser_failed_to_grant_root)
 
-        // TODO: Replace SwipeRefresh with RefreshIndicator when it's ready
-        SwipeRefresh(
-            state = rememberSwipeRefreshState(viewModel.isRefreshing),
-            onRefresh = {
-                scope.launch { viewModel.fetchAppList() }
-            },
+        val refreshState = rememberPullRefreshState(
+            refreshing = viewModel.isRefreshing,
+            onRefresh = { scope.launch { viewModel.fetchAppList() } },
+        )
+        Box(
             modifier = Modifier
                 .padding(innerPadding)
-                .fillMaxSize()
+                .pullRefresh(refreshState)
         ) {
-            LazyColumn {
-                items(viewModel.appList) { app ->
+            val failMessage = stringResource(R.string.superuser_failed_to_grant_root)
+
+            LazyColumn(Modifier.fillMaxSize()) {
+                items(viewModel.appList, key = { it.packageName }) { app ->
                     var isChecked by rememberSaveable(app) { mutableStateOf(app.onAllowList) }
                     AppItem(app, isChecked) { checked ->
                         val success = Natives.allowRoot(app.uid, checked)
@@ -89,6 +115,12 @@ fun SuperUserScreen() {
                     }
                 }
             }
+
+            PullRefreshIndicator(
+                refreshing = viewModel.isRefreshing,
+                state = refreshState,
+                modifier = Modifier.align(Alignment.TopCenter)
+            )
         }
     }
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/theme/Theme.kt

@@ -10,6 +10,7 @@ import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.graphics.toArgb
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.platform.LocalView
+import androidx.compose.ui.unit.dp
 import androidx.core.view.ViewCompat
 import com.google.accompanist.systemuicontroller.rememberSystemUiController
 
@@ -47,6 +48,12 @@ fun KernelSUTheme(
             color = colorScheme.surface,
             darkIcons = !darkTheme
         )
+
+        // To match the App Navbar color
+        systemUiController.setNavigationBarColor(
+            color = colorScheme.surfaceColorAtElevation(8.dp),
+            darkIcons = !darkTheme,
+        )
     }
 
     MaterialTheme(
@@ -54,4 +61,4 @@ fun KernelSUTheme(
         typography = Typography,
         content = content
     )
-}
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/util/CompositionProvider.kt

@@ -2,7 +2,12 @@ package me.weishu.kernelsu.ui.util
 
 import androidx.compose.material3.SnackbarHostState
 import androidx.compose.runtime.compositionLocalOf
+import me.weishu.kernelsu.ui.component.DialogHostState
 
 val LocalSnackbarHost = compositionLocalOf<SnackbarHostState> {
     error("CompositionLocal LocalSnackbarController not present")
 }
+
+val LocalDialogHost = compositionLocalOf<DialogHostState> {
+    error("CompositionLocal LocalDialogController not present")
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/util/KsuCli.kt

@@ -21,19 +21,27 @@ private fun getKsuDaemonPath(): String {
     return ksuApp.applicationInfo.nativeLibraryDir + File.separator + "libksud.so"
 }
 
+object KsuCli {
+    val SHELL: Shell = createRootShell()
+}
+
+fun getRootShell(): Shell {
+    return KsuCli.SHELL
+}
+
 fun createRootShell(): Shell {
     Shell.enableVerboseLogging = BuildConfig.DEBUG
-    val su = ksuApp.applicationInfo.nativeLibraryDir + File.separator + "libksu.so"
     val builder = Shell.Builder.create()
     return try {
-        builder.build(su)
+        builder.build(getKsuDaemonPath(), "debug", "su")
     } catch (e: Throwable) {
+        Log.e(TAG, "su failed: ", e)
         builder.build("sh")
     }
 }
 
 fun execKsud(args: String): Boolean {
-    val shell = createRootShell()
+    val shell = getRootShell()
     return ShellUtils.fastCmdResult(shell, "${getKsuDaemonPath()} $args")
 }
 
@@ -44,7 +52,7 @@ fun install() {
 }
 
 fun listModules(): String {
-    val shell = createRootShell()
+    val shell = getRootShell()
 
     val out = shell.newJob().add("${getKsuDaemonPath()} module list").to(ArrayList(), null).exec().out
     return out.joinToString("\n").ifBlank { "[]" }
@@ -77,7 +85,7 @@ fun installModule(uri: Uri, onFinish: (Boolean)->Unit, onOutput: (String) -> Uni
         }
         val cmd = "module install ${file.absolutePath}"
 
-        val shell = createRootShell()
+        val shell = getRootShell()
 
         val callbackList: CallbackList<String?> = object : CallbackList<String?>() {
             override fun onAddElement(s: String?) {
@@ -96,10 +104,23 @@ fun installModule(uri: Uri, onFinish: (Boolean)->Unit, onOutput: (String) -> Uni
 }
 
 fun reboot(reason: String = "") {
-    val shell = createRootShell()
+    val shell = getRootShell()
     if (reason == "recovery") {
         // KEYCODE_POWER = 26, hide incorrect "Factory data reset" message
         ShellUtils.fastCmd(shell, "/system/bin/input keyevent 26")
     }
     ShellUtils.fastCmd(shell, "/system/bin/svc power reboot $reason || /system/bin/reboot $reason")
+}
+
+fun overlayFsAvailable(): Boolean {
+    val shell = getRootShell()
+    // check /proc/filesystems
+    return ShellUtils.fastCmdResult(shell, "cat /proc/filesystems | grep overlay")
+}
+
+fun hasMagisk(): Boolean {
+    val shell = getRootShell()
+    val result = shell.newJob().add("nsenter --mount=/proc/1/ns/mnt which magisk").exec()
+    Log.i(TAG, "has magisk: ${result.isSuccess}")
+    return result.isSuccess
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/util/LogEvent.kt

@@ -0,0 +1,87 @@
+package me.weishu.kernelsu.ui.util
+
+import android.content.Context
+import android.os.Build
+import android.system.Os
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.ui.screen.getManagerVersion
+import java.io.File
+import java.io.FileWriter
+import java.io.PrintWriter
+import java.time.LocalDateTime
+import java.time.format.DateTimeFormatter
+
+fun getBugreportFile(context: Context): File {
+
+    val bugreportDir = File(context.cacheDir, "bugreport")
+    bugreportDir.mkdirs()
+
+    val dmesgFile = File(bugreportDir, "dmesg.txt")
+    val logcatFile = File(bugreportDir, "logcat.txt")
+    val tombstonesFile = File(bugreportDir, "tombstones.tar.gz")
+    val dropboxFile = File(bugreportDir, "dropbox.tar.gz")
+    val pstoreFile = File(bugreportDir, "pstore.tar.gz")
+    val diagFile = File(bugreportDir, "diag.tar.gz")
+    val mountsFile = File(bugreportDir, "mounts.txt")
+    val fileSystemsFile = File(bugreportDir, "filesystems.txt")
+    val ksuFileTree = File(bugreportDir, "ksu_tree.txt")
+    val appListFile = File(bugreportDir, "app_list.txt")
+    val propFile = File(bugreportDir, "props.txt")
+
+    val shell = getRootShell()
+
+    shell.newJob().add("dmesg > ${dmesgFile.absolutePath}").exec()
+    shell.newJob().add("logcat -d > ${logcatFile.absolutePath}").exec()
+    shell.newJob().add("tar -czf ${tombstonesFile.absolutePath} /data/tombstones").exec()
+    shell.newJob().add("tar -czf ${dropboxFile.absolutePath} /data/system/dropbox").exec()
+    shell.newJob().add("tar -czf ${pstoreFile.absolutePath} /sys/fs/pstore").exec()
+    shell.newJob().add("tar -czf ${diagFile.absolutePath} /data/vendor/diag").exec()
+
+    shell.newJob().add("cat /proc/mounts > ${mountsFile.absolutePath}").exec()
+    shell.newJob().add("cat /proc/filesystems > ${fileSystemsFile.absolutePath}").exec()
+    shell.newJob().add("ls -alRZ /data/adb > ${ksuFileTree.absolutePath}").exec()
+    shell.newJob().add("cat /data/system/packages.list > ${appListFile.absolutePath}").exec()
+    shell.newJob().add("getprop > ${propFile.absolutePath}").exec()
+
+    // basic information
+    val buildInfo = File(bugreportDir, "basic.txt")
+    PrintWriter(FileWriter(buildInfo)).use { pw ->
+        pw.println("Kernel: ${System.getProperty("os.version")}")
+        pw.println("BRAND: " + Build.BRAND)
+        pw.println("MODEL: " + Build.MODEL)
+        pw.println("PRODUCT: " + Build.PRODUCT)
+        pw.println("MANUFACTURER: " + Build.MANUFACTURER)
+        pw.println("SDK: " + Build.VERSION.SDK_INT)
+        pw.println("PREVIEW_SDK: " + Build.VERSION.PREVIEW_SDK_INT)
+        pw.println("FINGERPRINT: " + Build.FINGERPRINT)
+        pw.println("DEVICE: " + Build.DEVICE)
+        pw.println("Manager: " + getManagerVersion(context))
+
+        val uname = Os.uname()
+        pw.println("KernelRelease: ${uname.release}")
+        pw.println("KernelVersion: ${uname.version}")
+        pw.println("Mahcine: ${uname.machine}")
+        pw.println("Nodename: ${uname.nodename}")
+        pw.println("Sysname: ${uname.sysname}")
+
+        val ksuKernel = Natives.getVersion()
+        pw.println("KernelSU: $ksuKernel")
+        val safeMode = Natives.isSafeMode()
+        pw.println("SafeMode: $safeMode")
+    }
+
+    // modules
+    val modulesFile = File(bugreportDir, "modules.json")
+    modulesFile.writeText(listModules())
+
+    val formatter = DateTimeFormatter.ofPattern("yyyy-MM-dd_HH_mm")
+    val current = LocalDateTime.now().format(formatter)
+
+    val targetFile = File(context.cacheDir, "KernelSU_bugreport_${current}.tar.gz")
+
+    shell.newJob().add("tar czf ${targetFile.absolutePath} -C ${bugreportDir.absolutePath} .").exec()
+    shell.newJob().add("rm -rf ${bugreportDir.absolutePath}").exec()
+    shell.newJob().add("chmod 0644 ${targetFile.absolutePath}").exec()
+
+    return targetFile
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/util/SELinuxChecker.kt

@@ -0,0 +1,32 @@
+package me.weishu.kernelsu.ui.util
+
+import androidx.compose.ui.res.stringResource
+import androidx.compose.runtime.Composable
+import com.topjohnwu.superuser.Shell
+import me.weishu.kernelsu.R
+
+@Composable
+fun getSELinuxStatus(): String {
+    val shell = Shell.Builder.create()
+        .setFlags(Shell.FLAG_REDIRECT_STDERR)
+        .build("sh")
+
+    val list = ArrayList<String>()
+    val result = shell.newJob().add("getenforce").to(list, list).exec()
+    val output = result.out.joinToString("\n").trim()
+
+    if (result.isSuccess) {
+        return when (output) {
+            "Enforcing" -> stringResource(R.string.selinux_status_enforcing)
+            "Permissive" -> stringResource(R.string.selinux_status_permissive)
+            "Disabled" -> stringResource(R.string.selinux_status_disabled)
+            else -> stringResource(R.string.selinux_status_unknown)
+        }
+    }
+
+    return if (output.endsWith("Permission denied")) {
+        stringResource(R.string.selinux_status_enforcing)
+    } else {
+        stringResource(R.string.selinux_status_unknown)
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/viewmodel/ModuleViewModel.kt

@@ -1,6 +1,5 @@
 package me.weishu.kernelsu.ui.viewmodel
 
-import android.content.Context
 import android.os.SystemClock
 import android.util.Log
 import androidx.compose.runtime.derivedStateOf
@@ -8,9 +7,11 @@ import androidx.compose.runtime.getValue
 import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.setValue
 import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
 import kotlinx.coroutines.Dispatchers
-import kotlinx.coroutines.withContext
+import kotlinx.coroutines.launch
 import me.weishu.kernelsu.ui.util.listModules
+import me.weishu.kernelsu.ui.util.overlayFsAvailable
 import org.json.JSONArray
 import java.text.Collator
 import java.util.*
@@ -37,6 +38,9 @@ class ModuleViewModel : ViewModel() {
     var isRefreshing by mutableStateOf(false)
         private set
 
+    var isOverlayAvailable by mutableStateOf(overlayFsAvailable())
+        private set
+
     val moduleList by derivedStateOf {
         val comparator = compareBy(Collator.getInstance(Locale.getDefault()), ModuleInfo::id)
         modules.sortedWith(comparator).also {
@@ -44,12 +48,16 @@ class ModuleViewModel : ViewModel() {
         }
     }
 
-    suspend fun fetchModuleList() {
-        withContext(Dispatchers.IO) {
+    fun fetchModuleList() {
+        viewModelScope.launch(Dispatchers.IO) {
             isRefreshing = true
+
+            val oldModuleList = modules
+
             val start = SystemClock.elapsedRealtime()
 
             kotlin.runCatching {
+                isOverlayAvailable = overlayFsAvailable()
 
                 val result = listModules()
 
@@ -74,8 +82,14 @@ class ModuleViewModel : ViewModel() {
                     }.toList()
             }.onFailure { e ->
                 Log.e(TAG, "fetchModuleList: ", e)
+                isRefreshing = false
             }
 
+            // when both old and new is kotlin.collections.EmptyList
+            // moduleList update will don't trigger
+            if (oldModuleList === modules) {
+                isRefreshing = false
+            }
 
             Log.i(TAG, "load cost: ${SystemClock.elapsedRealtime() - start}, modules: $modules")
         }

manager/app/src/main/java/me/weishu/kernelsu/ui/viewmodel/SuperUserViewModel.kt

@@ -35,6 +35,7 @@ class SuperUserViewModel : ViewModel() {
     )
 
     var search by mutableStateOf("")
+    var showSystemApps by mutableStateOf(false)
     var isRefreshing by mutableStateOf(false)
         private set
 
@@ -55,6 +56,9 @@ class SuperUserViewModel : ViewModel() {
         sortedList.filter {
             it.label.contains(search) || it.packageName.contains(search) || HanziToPinyin.getInstance()
                 .toPinyinString(it.label).contains(search)
+        }.filter {
+            it.uid == 2000 // Always show shell
+                    || showSystemApps || it.icon.applicationInfo.flags.and(ApplicationInfo.FLAG_SYSTEM) == 0
         }
     }
 

manager/app/src/main/res/drawable/ic_launcher_background.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+
+    <group
+        android:scaleX="0.135"
+        android:scaleY="0.135">
+        <path
+            android:fillColor="#ffffff"
+            android:pathData="M 0 0 H 800 V 800 H 0 V 0 Z" />
+    </group>
+</vector>

manager/app/src/main/res/drawable/ic_launcher_foreground.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+
+    <group
+        android:scaleX="0.135"
+        android:scaleY="0.135">
+        <path
+            android:pathData="M 259 259 H 541 V 541 H 259 V 259 Z"
+            android:strokeWidth="18"
+            android:strokeColor="#1e110d" />
+        <path
+            android:fillColor="#1e110d"
+            android:pathData="M 257 257 H 407 V 407 H 257 V 257 Z" />
+        <path
+            android:fillColor="#1e110d"
+            android:pathData="M 393 393 H 543 V 543 H 393 V 393 Z" />
+    </group>
+</vector>

manager/app/src/main/res/drawable/ic_launcher_monochrome.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="108dp"
+    android:height="108dp"
+    android:viewportWidth="108"
+    android:viewportHeight="108">
+
+    <group
+        android:scaleX="0.135"
+        android:scaleY="0.135">
+        <path
+            android:pathData="M 259 259 H 541 V 541 H 259 V 259 Z"
+            android:strokeWidth="18"
+            android:strokeColor="#000000" />
+        <path
+            android:fillColor="#000000"
+            android:pathData="M 257 257 H 407 V 407 H 257 V 257 Z" />
+        <path
+            android:fillColor="#000000"
+            android:pathData="M 393 393 H 543 V 543 H 393 V 393 Z" />
+    </group>
+</vector>

manager/app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<adaptive-icon xmlns:android="http://schemas.android.com/apk/res/android">
+    <background android:drawable="@drawable/ic_launcher_background" />
+    <foreground android:drawable="@drawable/ic_launcher_foreground" />
+    <monochrome android:drawable="@drawable/ic_launcher_monochrome" />
+</adaptive-icon>

manager/app/src/main/res/values-in/strings.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <string name="home">Beranda</string>
+    <string name="home_not_installed">Tidak terinstall</string>
+    <string name="home_click_to_install">Klik untuk menginstall</string>
+    <string name="home_working">Bekerja</string>
+    <string name="home_working_version">Versi: %d</string>
+    <string name="home_unsupported">Tidak didukung</string>
+    <string name="home_unsupported_reason">Saat ini kernelSu hanya mendukung GKI kernel</string>
+    <string name="home_copied_to_clipboard">Salin ke clipboard</string>
+    <string name="home_support">Dukungan</string>
+    <string name="home_kernel">Kernel</string>
+    <string name="home_arch">Arch</string>
+    <string name="home_manager_version">Versi manager</string>
+    <string name="home_api">API Level</string>
+    <string name="home_abi">ABI</string>
+    <string name="home_fingerprint">Fingerprint</string>
+    <string name="home_securitypatch">Patch keamanan</string>
+    <string name="home_selinux_status">Status SElinux</string>
+    <string name="selinux_status_disabled">Cacat</string>
+    <string name="selinux_status_enforcing">Enforcing</string>
+    <string name="selinux_status_permissive">Permissive</string>
+    <string name="selinux_status_unknown">Tidak tersedia</string>
+    <string name="superuser">Superuser</string>
+    <string name="superuser_failed_to_grant_root">Gagal mengizinkan root untuk %d</string>
+    <string name="module_failed_to_enable">Gagal mengaktifkan module: %s</string>
+    <string name="module_failed_to_disable">Gagal menonaktifkan module: %s</string>
+    <string name="module_empty">Tidak ada module terpasang</string>
+    <string name="module">Module</string>
+    <string name="uninstall">Hapus</string>
+    <string name="module_install">Memasang module</string>
+    <string name="install">Pasang</string>
+    <string name="reboot">Reboot perangkat</string>
+    <string name="settings">Pengaturan</string>
+    <string name="reboot_userspace">Soft Reboot</string>
+    <string name="reboot_recovery">Reboot ke Recovery</string>
+    <string name="reboot_bootloader">Reboot ke Bootloader</string>
+    <string name="reboot_download">Reboot ke Download</string>
+    <string name="reboot_edl">Reboot ke EDL</string>
+    <string name="about">Tentang</string>
+    <string name="require_kernel_version_8">Membutuhkan KernelSU Versi 8+</string>
+    <string name="module_uninstall_confirm">Apakah anda yakin ingin menghapus module ini %s?</string>
+    <string name="module_uninstall_success">%s terhapus</string>
+    <string name="module_uninstall_failed">Gagal untuk menghapus: %s</string>
+    <string name="module_version">Versi</string>
+    <string name="module_author">Pembuat</string>
+    <string name="module_overlay_fs_not_available">overlayfs tidak tersedia, module tidak bekerja!</string>
+    <string name="refresh">Segarkan</string>
+    <string name="show_system_apps">Tampilkan system apps</string>
+    <string name="hide_system_apps">Sembunyikan system apps</string>
+    <string name="send_log">Kirim logs</string>
+    <string name="safe_mode">Mode aman</string>
+    <string name="reboot_to_apply">Restart untuk menerapkan</string>
+    <string name="module_magisk_conflict">Module akan di nonaktifkan karna konflik dengan magisk\'s!</string>
+</resources>

manager/app/src/main/res/values-ja/strings.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+  <string name="app_name" translatable="false">KernelSU</string>
+  <string name="home">ホーム</string>
+  <string name="home_not_installed">未インストール</string>
+  <string name="home_click_to_install">タップでインストール</string>
+  <string name="home_working">動作中</string>
+  <string name="home_working_version">バージョン: %d</string>
+  <string name="home_unsupported">非対応</string>
+  <string name="home_unsupported_reason">KernelSUは現在、GKIカーネルのみサポートをしています</string>
+  <string name="home_copied_to_clipboard">クリップボードにコピーしました</string>
+  <string name="home_support">対応</string>
+  <string name="home_kernel">カーネル</string>
+  <string name="home_arch">アーキテクチャ</string>
+  <string name="home_manager_version">バージョン</string>
+  <string name="home_api">APIレベル</string>
+  <string name="home_abi">ABI</string>
+  <string name="home_fingerprint">Fingerprint</string>
+  <string name="home_securitypatch">セキュリティパッチ</string>
+  <string name="home_selinux_status">SELinuxの状態</string>
+  <string name="selinux_status_disabled">無効</string>
+  <string name="selinux_status_enforcing">Enforcing</string>
+  <string name="selinux_status_permissive">Permissive</string>
+  <string name="selinux_status_unknown">不明</string>
+  <string name="superuser">スーパーユーザー</string>
+  <string name="superuser_failed_to_grant_root">%dの権限の付与に失敗しました</string>
+  <string name="module_failed_to_enable">モジュールの有効化に失敗: %s</string>
+  <string name="module_failed_to_disable">モジュールの無効化に失敗: %s</string>
+  <string name="module_empty">モジュールはインストールされていません</string>
+  <string name="module">モジュール</string>
+  <string name="uninstall">アンインストール</string>
+  <string name="module_install">インストール</string>
+  <string name="install">インストール</string>
+  <string name="reboot">再起動</string>
+  <string name="settings">設定</string>
+  <string name="reboot_userspace">ソフトリブート</string>
+  <string name="reboot_recovery">リカバリーで再起動</string>
+  <string name="reboot_bootloader">Bootloaderで再起動</string>
+  <string name="reboot_download">ダウンロードモードで再起動</string>
+  <string name="reboot_edl">EDLで再起動</string>
+  <string name="about">アプリについて</string>
+  <string name="require_kernel_version_8">KernelSU バージョン8以降が必要です</string>
+  <string name="module_uninstall_success">%sをアンインストールしました</string>
+  <string name="module_uninstall_failed">アンインストールに失敗: %s</string>
+  <string name="module_version">バージョン</string>
+  <string name="module_author">作者</string>
+  <string name="module_overlay_fs_not_available">OverlayFSが有効でないためモジュールは動作しません</string>
+  <string name="refresh">更新</string>
+  <string name="show_system_apps">システムアプリを表示</string>
+  <string name="hide_system_apps">システムアプリを非表示</string>
+  <string name="send_log">ログを送信</string>
+  <string name="safe_mode">セーフモード</string>
+  <string name="reboot_to_apply">再起動をして有効化する</string>
+</resources>

manager/app/src/main/res/values-ro/strings.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <string name="home">Acasă</string>
+    <string name="home_not_installed">Nu este instalat</string>
+    <string name="home_click_to_install">Click pentru a instala</string>
+    <string name="home_working">Funcționează</string>
+    <string name="home_working_version">Versiune: %d</string>
+    <string name="home_unsupported">Necompatibil</string>
+    <string name="home_unsupported_reason">KernelSU suportă doar nuclee GKI acum</string>
+    <string name="home_copied_to_clipboard">Copiat în clipboard</string>
+    <string name="home_support">Asistență</string>
+
+    <string name="home_kernel">Nucleu</string>
+    <string name="home_arch">Arhitectură</string>
+    <string name="home_manager_version">Versiune Manager</string>
+    <string name="home_api">Nivel API</string>
+    <string name="home_abi">ABI</string>
+    <string name="home_fingerprint">Amprentă</string>
+    <string name="home_securitypatch">Corecție de securitate</string>
+
+    <string name="home_selinux_status">Stare SELinux</string>
+    <string name="selinux_status_disabled">Dezactivat</string>
+    <string name="selinux_status_enforcing">Obligatoriu</string>
+    <string name="selinux_status_permissive">Permisiv</string>
+    <string name="selinux_status_unknown">Necunoscut</string>
+    <string name="superuser">Superutilizator</string>
+    <string name="superuser_failed_to_grant_root">Nu s-a putut acorda acces root pentru %d</string>
+    <string name="module_failed_to_enable">Activarea modulului %s a eșuat</string>
+    <string name="module_failed_to_disable">Dezactivarea modulului %s a eșuat</string>
+    <string name="module_empty">Niciun modul instalat</string>
+
+    <string name="module">Module</string>
+    <string name="uninstall">Dezinstalează</string>
+    <string name="module_install">Instalează</string>
+    <string name="install">Instalează</string>
+    <string name="reboot">Repornește</string>
+    <string name="settings">Setări</string>
+    <string name="reboot_userspace">Repornire rapidă</string>
+    <string name="reboot_recovery">Repornire în Recuperare</string>
+    <string name="reboot_bootloader">Repornire în Bootloader</string>
+    <string name="reboot_download">Repornire în Download</string>
+    <string name="reboot_edl">Repornire în EDL</string>
+    <string name="about">Despre</string>
+    <string name="require_kernel_version_8">Necesită KernelSU versiunea 8+</string>
+    <string name="module_uninstall_confirm">Sigur dorești să dezinstalezi modulul %s?</string>
+    <string name="module_uninstall_success">%s dezinstalat</string>
+    <string name="module_uninstall_failed">Dezinstalare eșuată: %s</string>
+    <string name="module_version">Versiune</string>
+    <string name="module_author">Autor</string>
+    <string name="module_overlay_fs_not_available">overlayfs nu este disponibil, modulul nu poate funcționa!</string>
+    <string name="refresh">Reîmprospătează</string>
+    <string name="show_system_apps">Arată aplicațiile de sistem</string>
+    <string name="hide_system_apps">Ascunde aplicațiile de sistem</string>
+    <string name="send_log">Trimite jurnal</string>
+    <string name="safe_mode">Mod sigur</string>
+    <string name="reboot_to_apply">Repornește pentru ca modificările să intre în vigoare</string>
+    <string name="module_magisk_conflict">Modulele sunt dezactivate deoarece sunt în conflict cu cele ale Magisk-ului!</string>
+</resources>

manager/app/src/main/res/values-ru/strings.xml

@@ -0,0 +1,56 @@
+<resources>
+    <string name="home">Главная</string>
+    <string name="home_not_installed">Не установлен</string>
+    <string name="home_click_to_install">Нажмите чтобы установить</string>
+    <string name="home_working">Работает</string>
+    <string name="home_working_version">Версия: %d</string>
+    <string name="home_unsupported">Не поддерживается</string>
+    <string name="home_unsupported_reason">KernelSU поддерживает только GKI ядра</string>
+    <string name="home_copied_to_clipboard">Скопировано в буфер обмена</string>
+    <string name="home_support">Поддержка</string>
+
+    <string name="home_kernel">Ядро</string>
+    <string name="home_arch">Архитектура</string>
+    <string name="home_manager_version">Версия</string>
+    <string name="home_api">Уровень API</string>
+    <string name="home_abi">ABI</string>
+    <string name="home_fingerprint">Подпись</string>
+    <string name="home_securitypatch">Патч Безопасности</string>
+
+    <string name="home_selinux_status">Состояние SELinux</string>
+    <string name="selinux_status_disabled">Выключен</string>
+    <string name="selinux_status_enforcing">Принудительный</string>
+    <string name="selinux_status_permissive">Разрешающий</string>
+    <string name="selinux_status_unknown">Неизвестно</string>
+    <string name="superuser">Superuser</string>
+    <string name="superuser_failed_to_grant_root">Failed to grant root for %d</string>
+    <string name="module_failed_to_enable">Не удалось включить модуль: %s</string>
+    <string name="module_failed_to_disable">Не удалось отключить модуль: %s</string>
+    <string name="module_empty">Нет установленных модулей</string>
+
+    <string name="module">Модули</string>
+    <string name="uninstall">Удалить</string>
+    <string name="module_install">Установить</string>
+    <string name="install">Установить</string>
+    <string name="reboot">Перезагрузка</string>
+    <string name="settings">Настройки</string>
+    <string name="reboot_userspace">Soft Reboot</string>
+    <string name="reboot_recovery">Reboot to Recovery</string>
+    <string name="reboot_bootloader">Reboot to Bootloader</string>
+    <string name="reboot_download">Reboot to Download</string>
+    <string name="reboot_edl">Reboot to EDL</string>
+    <string name="about">О KernelSU</string>
+    <string name="require_kernel_version_8">Требуется KernelSU версии 8 и выше</string>
+    <string name="module_uninstall_success">%s удален</string>
+    <string name="module_uninstall_failed">Не удалось удалить: %s</string>
+    <string name="module_version">Версия</string>
+    <string name="module_author">Автор</string>
+    <string name="module_overlay_fs_not_available">overlayfs выключен, модуль не будет работать!</string>
+    <string name="refresh">Обновить</string>
+    <string name="show_system_apps">Показать системные приложения</string>
+    <string name="hide_system_apps">Скрыть системные приложения</string>
+    <string name="send_log">Отправить лог</string>
+    <string name="safe_mode">Безопасный режим</string>
+    <string name="reboot_to_apply">Перезагрузите, чтобы вступить в силу</string>
+
+</resources>

manager/app/src/main/res/values-vi/strings.xml

@@ -0,0 +1,54 @@
+<resources>
+    <string name="module_magisk_conflict">"Các mô-đun bị vô hiệu hóa vì nó xung đột với Magisk!"</string>
+    <string name="module_uninstall_confirm">Bạn có chắc chắn muốn gỡ cài đặt mô-đun %s?</string>
+    <string name="send_log">Gửi nhật ký</string>
+    <string name="home">Trang chủ</string>
+    <string name="home_not_installed">Chưa được cài đặt</string>
+    <string name="home_click_to_install">Nhấn đề cài dặt</string>
+    <string name="home_working">Đang chạy</string>
+    <string name="home_working_version">Phiên bản: %d</string>
+    <string name="home_unsupported">Không hỗ trợ</string>
+    <string name="home_unsupported_reason">KernelSU hiện tại chỉ hỗ trợ kernel GKI</string>
+    <string name="home_copied_to_clipboard">Sao chép vào clipboard</string>
+    <string name="home_support">Ủng hộ</string>
+    <string name="home_kernel">Kernel</string>
+    <string name="home_arch">Kiến trúc</string>
+    <string name="home_manager_version">Phiên bản</string>
+    <string name="home_api">Cấp độ API</string>
+    <string name="home_abi">ABI</string>
+    <string name="home_fingerprint">Fingerprint</string>
+    <string name="home_securitypatch">Bản vá bảo mật</string>
+    <string name="home_selinux_status">Trạng thái SELinux</string>
+    <string name="selinux_status_disabled">Vô hiệu hóa</string>
+    <string name="selinux_status_enforcing">Thực thi</string>
+    <string name="selinux_status_permissive">Cho phép</string>
+    <string name="selinux_status_unknown">Không rõ</string>
+    <string name="superuser">Superuser</string>
+    <string name="superuser_failed_to_grant_root">Không thể cấp quyền root cho %d</string>
+    <string name="module_failed_to_enable">Không thể kích hoạt mô-đun: %s</string>
+    <string name="module_failed_to_disable">Không thể vô hiệu hóa mô-đun: %s</string>
+    <string name="module_empty">Chưa có mô-đun nào được cài đặt</string>
+    <string name="module">Mô-đun</string>
+    <string name="uninstall">Gỡ cài đặt</string>
+    <string name="module_install">Cài đặt</string>
+    <string name="install">Cài đặt</string>
+    <string name="reboot">Khởi động lại</string>
+    <string name="settings">Thiết lập</string>
+    <string name="reboot_userspace">Khởi động mềm</string>
+    <string name="reboot_recovery">Khởi động lại vào Recovery</string>
+    <string name="reboot_bootloader">Khởi động lại vào Bootloader</string>
+    <string name="reboot_download">Khởi động lại vào Download Mode</string>
+    <string name="reboot_edl">Khởi động vào EDL</string>
+    <string name="about">Thông tin</string>
+    <string name="require_kernel_version_8">Yêu cầu KernelSU phiên bản 8+</string>
+    <string name="module_uninstall_success">%s đã được gỡ cài đặt</string>
+    <string name="module_uninstall_failed">Lỗi khi gỡ cài đặt: %s</string>
+    <string name="module_version">Phiên bản</string>
+    <string name="module_author">Tác giả</string>
+    <string name="module_overlay_fs_not_available">Không tìm thấy overlayfs, mô-đun sẽ không thể hoạt động!</string>
+    <string name="refresh">Làm mới</string>
+    <string name="show_system_apps">Hiển thị ứng dụng hệ thống</string>
+    <string name="hide_system_apps">Ẩn ứng dụng hệ thống</string>
+    <string name="safe_mode">Chế độ an toàn</string>
+    <string name="reboot_to_apply">Khởi động lại để có hiệu lực</string>
+</resources>

manager/app/src/main/res/values-zh-rCN/strings.xml

@@ -11,11 +11,16 @@
     <string name="home_support">支持</string>
     <string name="home_kernel">内核版本</string>
     <string name="home_arch">设备架构</string>
-    <string name="home_version">系统版本</string>
+    <string name="home_manager_version">管理器版本</string>
     <string name="home_api">API 版本</string>
     <string name="home_abi">ABI 支持</string>
     <string name="home_fingerprint">系统指纹</string>
     <string name="home_securitypatch">安全补丁</string>
+    <string name="home_selinux_status">SELinux 状态</string>
+    <string name="selinux_status_disabled">被禁用</string>
+    <string name="selinux_status_enforcing">强制执行</string>
+    <string name="selinux_status_permissive">宽容模式</string>
+    <string name="selinux_status_unknown">未知</string>
     <string name="superuser">超级用户</string>
     <string name="superuser_failed_to_grant_root">无法为 %d 授予 Root</string>
     <string name="module_failed_to_enable">无法启用模块: %s</string>
@@ -32,12 +37,19 @@
     <string name="reboot_bootloader">重启到 BootLoader</string>
     <string name="reboot_download">重启到 Download</string>
     <string name="reboot_edl">重启到 EDL</string>
-    <string name="settings_system_rw">使系统可写</string>
-    <string name="settings_system_rw_summary">使用 overlayfs 使系统分区可写, 重启生效</string>
     <string name="about">关于</string>
     <string name="require_kernel_version_8">需要 KernelSU 版本 8+</string>
+    <string name="module_uninstall_confirm">确定要卸载模块 %s 吗？</string>
     <string name="module_uninstall_success">%s 已卸载</string>
     <string name="module_uninstall_failed">卸载失败: %s</string>
     <string name="module_version">版本</string>
     <string name="module_author">作者</string>
+    <string name="module_overlay_fs_not_available">内核不支持 overlayfs，模块功能无法运作！</string>
+    <string name="refresh">刷新</string>
+    <string name="show_system_apps">显示系统应用</string>
+    <string name="hide_system_apps">隐藏系统应用</string>
+    <string name="send_log">发送日志</string>
+    <string name="safe_mode">安全模式</string>
+    <string name="reboot_to_apply">重启生效</string>
+    <string name="module_magisk_conflict">所有模块已被禁用，因为它与 Magisk 的模块系统有冲突！</string>
 </resources>

manager/app/src/main/res/values-zh-rHK/strings.xml

@@ -1,43 +1,58 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
-    <string name="home">主頁</string>
-    <string name="home_not_installed">未安装</string>
-    <string name="home_click_to_install">点击安装</string>
-    <string name="home_working">工作中</string>
-    <string name="home_working_version">版本: %d</string>
-    <string name="home_unsupported">不支持</string>
-    <string name="home_unsupported_reason">KernelSU 现在只支持 GKI 内核</string>
+    <string name="home">首頁</string>
+    <string name="home_not_installed">未安裝</string>
+    <string name="home_click_to_install">按一下以安裝</string>
+    <string name="home_working">正在處理</string>
+    <string name="home_working_version">版本：%d</string>
+    <string name="home_unsupported">不支援</string>
+    <string name="home_unsupported_reason">KernelSU 現在僅支援 GKI 核心</string>
     <string name="home_copied_to_clipboard">已複製到剪貼簿</string>
-    <string name="home_support">支持</string>
-    <string name="home_kernel">内核版本</string>
-    <string name="home_arch">设备架构</string>
-    <string name="home_version">系统版本</string>
-    <string name="home_api">API 版本</string>
-    <string name="home_abi">ABI 支持</string>
-    <string name="home_fingerprint">系统指纹</string>
-    <string name="home_securitypatch">安全补丁</string>
-    <string name="superuser">超級用戶</string>
-    <string name="superuser_failed_to_grant_root">无法为 %d 授予 Root</string>
-    <string name="module_failed_to_enable">无法启用模块: %s</string>
-    <string name="module_failed_to_disable">无法禁用模块: %s</string>
-    <string name="module_empty">没有安装模块</string>
-    <string name="module">模块</string>
-    <string name="uninstall">卸载</string>
-    <string name="module_install">安装</string>
-    <string name="install">安装</string>
-    <string name="reboot">重启</string>
+    <string name="home_support">支援</string>
+
+    <string name="home_kernel">核心</string>
+    <string name="home_arch">架構</string>
+    <string name="home_manager_version">管理員版本</string>
+    <string name="home_api">API 層級</string>
+    <string name="home_abi">ABI 支援</string>
+    <string name="home_fingerprint">指紋</string>
+    <string name="home_securitypatch">安全性修補程式</string>
+
+    <string name="home_selinux_status">SELinux 狀態</string>
+    <string name="selinux_status_disabled">已停用</string>
+    <string name="selinux_status_enforcing">強制</string>
+    <string name="selinux_status_permissive">寬鬆</string>
+    <string name="selinux_status_unknown">未知</string>
+    <string name="superuser">超級使用者</string>
+    <string name="superuser_failed_to_grant_root">無法為 %d 授予 Root 存取權</string>
+    <string name="module_failed_to_enable">無法啟用模組：%s</string>
+    <string name="module_failed_to_disable">無法停用模組：%s</string>
+    <string name="module_empty">尚未安裝模組</string>
+
+    <string name="module">模組</string>
+    <string name="uninstall">解除安裝</string>
+    <string name="module_install">安裝</string>
+    <string name="install">安裝</string>
+    <string name="reboot">重新啟動</string>
     <string name="settings">設定</string>
-    <string name="reboot_userspace">软重启</string>
-    <string name="reboot_recovery">重启到 Recovery</string>
-    <string name="reboot_bootloader">重启到 BootLoader</string>
-    <string name="reboot_download">重启到 Download</string>
-    <string name="reboot_edl">重启到 EDL</string>
-    <string name="settings_system_rw">使系统可写</string>
-    <string name="settings_system_rw_summary">使用 overlayfs 使系统分区可写, 重启生效</string>
-    <string name="about">关于</string>
-    <string name="require_kernel_version_8">需要 KernelSU 版本 8+</string>
-    <string name="module_uninstall_success">%s 已卸載</string>
-    <string name="module_uninstall_failed">卸載失敗: %s</string>
+    <string name="reboot_userspace">軟啟動</string>
+    <string name="reboot_recovery">重新啟動至 Recovery</string>
+    <string name="reboot_bootloader">重新啟動至 Bootloader</string>
+    <string name="reboot_download">重新啟動至 Download</string>
+    <string name="reboot_edl">重新啟動至 EDL</string>
+    <string name="about">關於</string>
+    <string name="require_kernel_version_8">需要 KernelSU 8+ 版本</string>
+    <string name="module_uninstall_confirm">您確定要解除安裝模組 %s 嗎？</string>
+    <string name="module_uninstall_success">%s 已解除安裝</string>
+    <string name="module_uninstall_failed">無法解除安裝：%s</string>
     <string name="module_version">版本</string>
     <string name="module_author">作者</string>
+    <string name="module_overlay_fs_not_available">OverlayFS 無法使用，模組無法正常運作！</string>
+    <string name="refresh">重新整理</string>
+    <string name="show_system_apps">顯示系統應用程式</string>
+    <string name="hide_system_apps">隱藏系統應用程式</string>
+    <string name="send_log">傳送記錄</string>
+    <string name="safe_mode">安全模式</string>
+    <string name="reboot_to_apply">重新啟動以生效</string>
+    <string name="module_magisk_conflict">模組已停用，因其與 Magisk 的模組存在衝突！</string>
 </resources>

manager/app/src/main/res/values-zh-rTW/strings.xml

@@ -1,43 +1,58 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
-    <string name="home">主頁</string>
+    <string name="home">首頁</string>
     <string name="home_not_installed">未安裝</string>
-    <string name="home_click_to_install">点击安装</string>
-    <string name="home_working">工作中</string>
-    <string name="home_working_version">版本: %d</string>
-    <string name="home_unsupported">不支持</string>
-    <string name="home_unsupported_reason">KernelSU 现在只支持 GKI 内核</string>
+    <string name="home_click_to_install">按一下以安裝</string>
+    <string name="home_working">正在處理</string>
+    <string name="home_working_version">版本：%d</string>
+    <string name="home_unsupported">不支援</string>
+    <string name="home_unsupported_reason">KernelSU 現在僅支援 GKI 核心</string>
     <string name="home_copied_to_clipboard">已複製到剪貼簿</string>
-    <string name="home_support">支持</string>
-    <string name="home_kernel">内核版本</string>
-    <string name="home_arch">设备架构</string>
-    <string name="home_version">系统版本</string>
-    <string name="home_api">API 版本</string>
-    <string name="home_abi">ABI 支持</string>
-    <string name="home_fingerprint">系统指纹</string>
-    <string name="home_securitypatch">安全补丁</string>
-    <string name="superuser">超級用戶</string>
-    <string name="superuser_failed_to_grant_root">无法为 %d 授予 Root</string>
-    <string name="module_failed_to_enable">无法启用模块: %s</string>
-    <string name="module_failed_to_disable">无法禁用模块: %s</string>
-    <string name="module_empty">没有安装模块</string>
-    <string name="module">模块</string>
-    <string name="uninstall">卸载</string>
-    <string name="module_install">安装</string>
-    <string name="install">安装</string>
-    <string name="reboot">重启</string>
+    <string name="home_support">支援</string>
+
+    <string name="home_kernel">核心</string>
+    <string name="home_arch">架構</string>
+    <string name="home_manager_version">管理員版本</string>
+    <string name="home_api">API 層級</string>
+    <string name="home_abi">ABI 支援</string>
+    <string name="home_fingerprint">指紋</string>
+    <string name="home_securitypatch">安全性修補程式</string>
+
+    <string name="home_selinux_status">SELinux 狀態</string>
+    <string name="selinux_status_disabled">已停用</string>
+    <string name="selinux_status_enforcing">強制</string>
+    <string name="selinux_status_permissive">寬鬆</string>
+    <string name="selinux_status_unknown">未知</string>
+    <string name="superuser">超級使用者</string>
+    <string name="superuser_failed_to_grant_root">無法為 %d 授予 Root 存取權</string>
+    <string name="module_failed_to_enable">無法啟用模組：%s</string>
+    <string name="module_failed_to_disable">無法停用模組：%s</string>
+    <string name="module_empty">尚未安裝模組</string>
+
+    <string name="module">模組</string>
+    <string name="uninstall">解除安裝</string>
+    <string name="module_install">安裝</string>
+    <string name="install">安裝</string>
+    <string name="reboot">重新啟動</string>
     <string name="settings">設定</string>
-    <string name="reboot_userspace">软重启</string>
-    <string name="reboot_recovery">重启到 Recovery</string>
-    <string name="reboot_bootloader">重启到 BootLoader</string>
-    <string name="reboot_download">重启到 Download</string>
-    <string name="reboot_edl">重启到 EDL</string>
-    <string name="settings_system_rw">使系统可写</string>
-    <string name="settings_system_rw_summary">使用 overlayfs 使系统分区可写, 重启生效</string>
-    <string name="about">关于</string>
-    <string name="require_kernel_version_8">需要 KernelSU 版本 8+</string>
-    <string name="module_uninstall_success">%s 已卸載</string>
-    <string name="module_uninstall_failed">卸載失敗: %s</string>
+    <string name="reboot_userspace">軟啟動</string>
+    <string name="reboot_recovery">重新啟動至 Recovery</string>
+    <string name="reboot_bootloader">重新啟動至 Bootloader</string>
+    <string name="reboot_download">重新啟動至 Download</string>
+    <string name="reboot_edl">重新啟動至 EDL</string>
+    <string name="about">關於</string>
+    <string name="require_kernel_version_8">需要 KernelSU 8+ 版本</string>
+    <string name="module_uninstall_confirm">您確定要解除安裝模組 %s 嗎？</string>
+    <string name="module_uninstall_success">%s 已解除安裝</string>
+    <string name="module_uninstall_failed">無法解除安裝：%s</string>
     <string name="module_version">版本</string>
     <string name="module_author">作者</string>
+    <string name="module_overlay_fs_not_available">OverlayFS 無法使用，模組無法正常運作！</string>
+    <string name="refresh">重新整理</string>
+    <string name="show_system_apps">顯示系統應用程式</string>
+    <string name="hide_system_apps">隱藏系統應用程式</string>
+    <string name="send_log">傳送記錄</string>
+    <string name="safe_mode">安全模式</string>
+    <string name="reboot_to_apply">重新啟動以生效</string>
+    <string name="module_magisk_conflict">模組已停用，因其與 Magisk 的模組存在衝突！</string>
 </resources>

manager/app/src/main/res/values/strings.xml

@@ -13,12 +13,17 @@
 
     <string name="home_kernel">Kernel</string>
     <string name="home_arch">Arch</string>
-    <string name="home_version">Version</string>
+    <string name="home_manager_version">Manager Version</string>
     <string name="home_api">API Level</string>
     <string name="home_abi">ABI</string>
     <string name="home_fingerprint">Fingerprint</string>
     <string name="home_securitypatch">Security Patch</string>
 
+    <string name="home_selinux_status">SELinux status</string>
+    <string name="selinux_status_disabled">Disabled</string>
+    <string name="selinux_status_enforcing">Enforcing</string>
+    <string name="selinux_status_permissive">Permissive</string>
+    <string name="selinux_status_unknown">Unknown</string>
     <string name="superuser">Superuser</string>
     <string name="superuser_failed_to_grant_root">Failed to grant root for %d</string>
     <string name="module_failed_to_enable">Failed to enable module: %s</string>
@@ -36,13 +41,20 @@
     <string name="reboot_bootloader">Reboot to Bootloader</string>
     <string name="reboot_download">Reboot to Download</string>
     <string name="reboot_edl">Reboot to EDL</string>
-    <string name="settings_system_rw">Make system writable</string>
-    <string name="settings_system_rw_summary">Use overlayfs to make system partition writable, reboot to take effect.</string>
     <string name="about">About</string>
     <string name="require_kernel_version_8">Require KernelSU version 8+</string>
+    <string name="module_uninstall_confirm">Are you sure you want to uninstall module %s?</string>
     <string name="module_uninstall_success">%s uninstalled</string>
     <string name="module_uninstall_failed">Failed to uninstall: %s</string>
     <string name="module_version">Version</string>
     <string name="module_author">Author</string>
+    <string name="module_overlay_fs_not_available">overlayfs is not available, module cannot work!</string>
+    <string name="refresh">Refresh</string>
+    <string name="show_system_apps">Show system apps</string>
+    <string name="hide_system_apps">Hide system apps</string>
+    <string name="send_log">Send Log</string>
+    <string name="safe_mode">Safe mode</string>
+    <string name="reboot_to_apply">Reboot to take effect</string>
+    <string name="module_magisk_conflict">Modules are disabled because it is conflict with Magisk\'s!</string>
 
 </resources>

manager/app/src/main/res/xml/filepaths.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<paths>
+    <cache-path name="cache" path="."/>
+    <root-path name="root" path="." />
+</paths>

scripts/add_device_handler.py

@@ -0,0 +1,50 @@
+import json
+import sys
+import os
+
+
+def main():
+    assert len(sys.argv) == 2
+    file_name = sys.argv[1]
+    github = "https://github.com/"
+    issue_content = os.environ["ISSUE_CONTENT"]
+    lines = issue_content.split("\n\n")
+    assert len(lines) == 6
+    url = lines[1]
+    print(url)
+    device = lines[3]
+    print(device)
+    code_of_conduct = lines[5]
+    print(code_of_conduct)
+    assert code_of_conduct.find("[X]") > 0
+    tmp = url.removesuffix("/").replace(github, "").split("/")
+    print(tmp)
+    assert len(tmp) == 2
+    maintainer = tmp[0]
+    print(maintainer)
+    maintainer_link = "%s%s" % (github, maintainer)
+    print(maintainer_link)
+    kernel_name = tmp[1]
+    print(kernel_name)
+    kernel_link = "%s%s/%s" % (github, maintainer, kernel_name)
+    print(kernel_link)
+    with open(file_name, "r") as f:
+        data = json.loads(f.read())
+        data.append(
+            {
+                "maintainer": maintainer,
+                "maintainer_link": maintainer_link,
+                "kernel_name": kernel_name,
+                "kernel_link": kernel_link,
+                "devices": device,
+            }
+        )
+    os.remove(file_name)
+    with open(file_name, "w") as f:
+        f.write(json.dumps(data, indent=4))
+    os.system("echo success=true >> $GITHUB_OUTPUT")
+    os.system("echo device=%s >> $GITHUB_OUTPUT" % device)
+
+
+if __name__ == "__main__":
+    main()

scripts/bin2c.py

@@ -0,0 +1,51 @@
+#!/usr/bin/python3
+
+import argparse
+import os
+import re
+
+line_size = 80
+
+
+def bin2c(filename, varname='data'):
+    if not os.path.isfile(filename):
+        print('File "%s" is not found!' % filename)
+        return ''
+    if not re.match('[a-zA-Z_][a-zA-Z0-9_]*', varname):
+        print('Invalid variable name "%s"' % varname)
+        return
+    with open(filename, 'rb') as in_file:
+        data = in_file.read()
+    # limit the line length
+    byte_len = 6  # '0x00, '
+    out = 'unsigned int %s_size = %d;\n' \
+          'const char %s[%d] = {\n' % (varname, len(data), varname, len(data))
+    line = ''
+    for byte in data:
+        line += '0x%02x, ' % byte
+        if len(line) + 4 + byte_len >= line_size:
+            out += ' ' * 4 + line + '\n'
+            line = ''
+    # add the last line
+    if len(line) + 4 + byte_len < line_size:
+        out += ' ' * 4 + line + '\n'
+    # strip the last comma
+    out = out.rstrip(', \n') + '\n'
+    out += '};'
+    return out
+
+
+def main():
+    """ Main func """
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        'filename', help='filename to convert to C array')
+    parser.add_argument(
+        'varname', nargs='?', help='variable name', default='data')
+    args = parser.parse_args()
+    # print out the data
+    print(bin2c(args.filename, args.varname))
+
+
+if __name__ == '__main__':
+    main()

userspace/ksud/.gitignore

@@ -1 +1,2 @@
 /target
+.cargo/

userspace/ksud/Cargo.toml

@@ -10,7 +10,6 @@ rust-version = "1.65"
 anyhow = "1.0.68"
 clap = { version = "4.0.32", features = ["derive"] }
 const_format = "0.2.30"
-subprocess = "0.2.9"
 zip = "0.6.3"
 zip-extensions = "0.6.1"
 java-properties = "1.4.1"
@@ -20,8 +19,32 @@ serde = { version = "1.0" }
 serde_json = "1.0"
 regex = "1.5.4"
 encoding = "0.2.33"
+retry = "2.0.0"
+humansize = "2.0.0"
+libc = "0.2"
+extattr = "1.0.0"
+jwalk = "0.8.1"
+is_executable = "1.0.1"
+nom = "7"
+derive-new = "0.5"
+rust-embed = { version = "6.4.2", features = [
+    "debug-embed",
+    "compression", # must clean build after updating binaries
+] }
+which = "4.2.2"
+getopts = "0.2.21"
+
+[target.'cfg(any(target_os = "android", target_os = "linux"))'.dependencies]
+sys-mount = { git = "https://github.com/tiann/sys-mount" }
+# some android specific dependencies which compiles under unix are also listed here for convenience of coding
+android-properties = { version = "0.2.2", features = ["bionic-deprecated"] }
+procfs = "0.15"
+proc-mounts = "0.3"
+
+[target.'cfg(target_os = "android")'.dependencies]
+android_logger = "0.13"
 
 [profile.release]
 strip = true
 opt-level = "z"
-lto = true
+lto = true