Revert "manager: don't remember state when process died." close #728

This reverts commit 12761ee167.

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: tiann
+patreon: weishu
+custom: https://vxposed.com/donate.html

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,20 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,40 @@
+name: Feature Request
+description: "Suggest an idea for this project"
+title: "[Feature]"
+labels: "feature"
+assignees: tiann
+body:
+  - type: markdown
+    id: feature-info
+    attributes:
+      value: "## Feature Infomation"
+  - type: textarea
+    id: feature-main
+    validations:
+      required: true
+    attributes:
+      label: "Is your feature request related to a problem? Please describe."
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+  - type: textarea
+    id: feature-solution
+    validations:
+      required: true
+    attributes:
+      label: "Describe the solution you'd like."
+      description: "A clear and concise description of what you want to happen."
+  - type: textarea
+    id: feature-describe
+    validations:
+      required: true
+    attributes:
+      label: "Describe alternatives you've considered."
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+  - type: textarea
+    id: feature-extra
+    validations:
+      required: false
+    attributes:
+      label: "Additional context"
+      description: "Add any other context or screenshots about the feature request here."
+

.github/patches/5.10/0001-setlocalversion-don-t-check-for-uncommitted-changes.patch

@@ -1,43 +0,0 @@
-From dbdd2906c0b3a967ca28c6b870b46f905c170661 Mon Sep 17 00:00:00 2001
-From: Park Ju Hyung <qkrwngud825@gmail.com>
-Date: Wed, 13 Mar 2019 13:36:37 +0900
-Subject: [PATCH] setlocalversion: don't check for uncommitted changes
-
-I ofter push after the build is done and I hate seeing "-dirty"
-
-Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
-Signed-off-by: Danny Lin <danny@kdrag0n.dev>
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
-Change-Id: I240c516520879da680794fd144b1f273f9e21e13
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
----
- scripts/setlocalversion | 13 -------------
- 1 file changed, 13 deletions(-)
-
-diff --git a/scripts/setlocalversion b/scripts/setlocalversion
-index 842936656b84..ef27a273ebf5 100755
---- a/scripts/setlocalversion
-+++ b/scripts/setlocalversion
-@@ -107,19 +107,6 @@ scm_version()
- 			printf -- '-svn%s' "$(git svn find-rev $head)"
- 		fi
- 
--		# Check for uncommitted changes.
--		# First, with git-status, but --no-optional-locks is only
--		# supported in git >= 2.14, so fall back to git-diff-index if
--		# it fails. Note that git-diff-index does not refresh the
--		# index, so it may give misleading results. See
--		# git-update-index(1), git-diff-index(1), and git-status(1).
--		if {
--			git --no-optional-locks status -uno --porcelain 2>/dev/null ||
--			git diff-index --name-only HEAD
--		} | grep -qvE '^(.. )?scripts/package'; then
--			printf '%s' -dirty
--		fi
--
- 		# All done with git
- 		return
- 	fi
--- 
-2.37.2
-

.github/patches/5.15/0001-setlocalversion-don-t-check-for-uncommitted-changes-5.15.patch

@@ -1,46 +0,0 @@
-From bbb9e7fb1ccadac47b58ba615e6874ddeaa9e628 Mon Sep 17 00:00:00 2001
-From: Park Ju Hyung <qkrwngud825@gmail.com>
-Date: Wed, 13 Mar 2019 13:36:37 +0900
-Subject: [PATCH] setlocalversion: don't check for uncommitted changes
-
-I ofter push after the build is done and I hate seeing "-dirty"
-
-Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
-Signed-off-by: Danny Lin <danny@kdrag0n.dev>
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
-Change-Id: I240c516520879da680794fd144b1f273f9e21e13
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
----
- scripts/setlocalversion | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/scripts/setlocalversion b/scripts/setlocalversion
-index 1b733ae4c..2a3ea7684 100755
---- a/scripts/setlocalversion
-+++ b/scripts/setlocalversion
-@@ -90,22 +90,6 @@ scm_version()
- 			printf '%s%s' -g "$(echo $head | cut -c1-12)"
- 		fi
- 
--		# Check for uncommitted changes.
--		# This script must avoid any write attempt to the source tree,
--		# which might be read-only.
--		# You cannot use 'git describe --dirty' because it tries to
--		# create .git/index.lock .
--		# First, with git-status, but --no-optional-locks is only
--		# supported in git >= 2.14, so fall back to git-diff-index if
--		# it fails. Note that git-diff-index does not refresh the
--		# index, so it may give misleading results. See
--		# git-update-index(1), git-diff-index(1), and git-status(1).
--		if {
--			git --no-optional-locks status -uno --porcelain 2>/dev/null ||
--			git diff-index --name-only HEAD
--		} | read dummy; then
--			printf '%s' -dirty
--		fi
- 	fi
- }
- 
--- 
-2.37.2
-

.github/scripts/build_a12.sh

@@ -1,51 +1,64 @@
-build_from_image(){
-	export TITLE=kernel-aarch64-$(echo $1 | sed 's/Image-//g')
+#!/bin/bash
+set -euo pipefail
+
+build_from_image() {
+	export TITLE
+	TITLE=kernel-aarch64-${1//Image-/}
 	echo "[+] title: $TITLE"
 
-	export PATCH_LEVEL=$(echo $1 | awk -F_ '{ print $2}')
+	export PATCH_LEVEL
+	PATCH_LEVEL=$(echo "$1" | awk -F_ '{ print $2}')
 	echo "[+] patch level: $PATCH_LEVEL"
 
-	echo "[+] Download prebuilt ramdisk"
-	curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-${PATCH_LEVEL}_r1.zip
+	echo '[+] Download prebuilt ramdisk'
+    GKI_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+    FALLBACK_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-2023-01_r1.zip
+    status=$(curl -sL -w "%{http_code}" "$GKI_URL" -o /dev/null)
+    if [ "$status" = "200" ]; then
+        curl -Lo gki-kernel.zip "$GKI_URL"
+    else
+        echo "[+] $GKI_URL not found, using $FALLBACK_URL"
+        curl -Lo gki-kernel.zip "$FALLBACK_URL"
+    fi
 	unzip gki-kernel.zip && rm gki-kernel.zip
 
-	echo "[+] Unpack prebuilt boot.img"
+	echo '[+] Unpack prebuilt boot.img'
 	BOOT_IMG=$(find . -maxdepth 1 -name "boot*.img")
-	$UNPACK_BOOTIMG --boot_img=$BOOT_IMG
-	rm $BOOT_IMG
+	$UNPACK_BOOTIMG --boot_img="$BOOT_IMG"
+	rm "$BOOT_IMG"
 
-	echo "[+] Building Image.gz"
-	cat Image | $GZIP -n -f -9 > Image.gz
+	echo '[+] Building Image.gz'
+	$GZIP -n -k -f -9 Image >Image.gz
 
-	echo "[+] Building boot.img"
-	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level ${PATCH_LEVEL}
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	echo '[+] Building boot.img'
+	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-	echo "[+] Building boot-gz.img"
-	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level ${PATCH_LEVEL}
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	echo '[+] Building boot-gz.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-	echo "[+] Building boot-lz4.img"
-	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level ${PATCH_LEVEL}
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	echo '[+] Building boot-lz4.img'
+	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img --ramdisk out/ramdisk --os_version 12.0.0 --os_patch_level "${PATCH_LEVEL}"
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-    echo "[+] Compress images"
-    for image in boot*.img; do
-        $GZIP -n -f -9 $image
-		mv $image.gz ksu-$VERSION-$image.gz
-    done
+	echo '[+] Compress images'
+	for image in boot*.img; do
+		$GZIP -n -f -9 "$image"
+		mv "$image".gz "${1//Image-/}"-"$image".gz
+	done
 
-    echo "[+] Images to upload"
-    find . -type f -name "*.gz"
+	echo "[+] Images to upload"
+	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" | xargs python3 $GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py
+	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do
 	if [ -d "$dir" ]; then
 		echo "----- Building $dir -----"
-		cd $dir
-		build_from_image $dir
+		cd "$dir"
+		build_from_image "$dir"
 		cd ..
 	fi
-done
+done

.github/scripts/build_a13.sh

@@ -1,38 +1,43 @@
-build_from_image(){
-	export TITLE=kernel-aarch64-$(echo $1 | sed 's/Image-//g')
+#!/bin/bash
+set -euo pipefail
+
+build_from_image() {
+	export TITLE
+	TITLE=kernel-aarch64-${1//Image-/}
+
 	echo "[+] title: $TITLE"
-	echo "[+] Building Image.gz"
-	cat Image | $GZIP -n -f -9 > Image.gz
+	echo '[+] Building Image.gz'
+	$GZIP -n -k -f -9 Image >Image.gz
 
-	echo "[+] Building boot.img"
+	echo '[+] Building boot.img'
 	$MKBOOTIMG --header_version 4 --kernel Image --output boot.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-	echo "[+] Building boot-gz.img"
+	echo '[+] Building boot-gz.img'
 	$MKBOOTIMG --header_version 4 --kernel Image.gz --output boot-gz.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-gz.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-	echo "[+] Building boot-lz4.img"
+	echo '[+] Building boot-lz4.img'
 	$MKBOOTIMG --header_version 4 --kernel Image.lz4 --output boot-lz4.img
-	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64*1024*1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+	$AVBTOOL add_hash_footer --partition_name boot --partition_size $((64 * 1024 * 1024)) --image boot-lz4.img --algorithm SHA256_RSA2048 --key ../kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
 
-    echo "[+] Compress images"
-    for image in boot*.img; do
-        $GZIP -n -f -9 $image
-		mv $image.gz ksu-$VERSION-$image.gz
-    done
+	echo '[+] Compress images'
+	for image in boot*.img; do
+		$GZIP -n -f -9 "$image"
+        mv "$image".gz "${1//Image-/}"-"$image".gz
+	done
 
-	echo "[+] Images to upload"
-    find . -type f -name "*.gz"
+	echo '[+] Images to upload'
+	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" | xargs python3 $GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py
+	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do
 	if [ -d "$dir" ]; then
 		echo "----- Building $dir -----"
-		cd $dir
-		build_from_image $dir
+		cd "$dir"
+		build_from_image "$dir"
 		cd ..
 	fi
-done
+done

.github/workflows/add-device.yml

@@ -42,12 +42,12 @@ jobs:
         run: |
           echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
           echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: ${{ steps.cpr.outputs.pull-request-number }}
         with:
           message: "Automatically created pull request: ${{ steps.cpr.outputs.pull-request-url }}"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: steps.handle-add-device.outputs.success != 'true'
         with:
           message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
@@ -56,4 +56,4 @@ jobs:
         uses: peter-evans/close-issue@v1
         with:
           issue-number: ${{ github.event.issue.number }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-WSA-5.10.117-kernel.yml

@@ -1,98 +0,0 @@
-name: Build WSA-5.10.117-Kernel
-on:
-  push:
-    branches: [ "main" ]
-    paths: 
-      - '.github/workflows/build-WSA-5.10.117-kernel.yml'
-      - 'kernel/**'
-  pull_request:
-    branches: [ "main" ]
-    paths: 
-      - 'kernel/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - version: 5.10.117.2
-            arch: "x86_64"
-            out_file: "arch/x86/boot/bzImage"
-            kernel_make_cmd: "bzImage"
-            make_config: "config-wsa"
-            date: "20220906"
-          - version: 5.10.117.2
-            arch: "arm64"
-            out_file: "arch/arm64/boot/Image"
-            kernel_make_cmd: "ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu Image"
-            make_config: "config-wsa-arm64"
-            date: "20220906"
-
-    name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
-    runs-on: ubuntu-18.04
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_MAXSIZE: "2G"
-      CCACHE_HARDLINK: "true"
-    steps:
-    - uses: hendrikmuhs/ccache-action@v1.2
-      with:
-        key: ccache-WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
-        append-timestamp: false
-        save: ${{ github.event_name != 'pull_request' }}
-    - uses: actions/checkout@v3
-      with:
-        path: KernelSU
-
-    - name: Install LLVM
-      run: |
-        sudo apt install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget
-        export LLVM_VERSION=10
-        wget https://apt.llvm.org/llvm.sh
-        chmod +x llvm.sh
-        sudo ./llvm.sh $LLVM_VERSION
-        rm ./llvm.sh
-        sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
-        sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
-        sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
-        sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
-        sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
-        sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
-        sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
-        sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
-        sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
-
-    - name: Download kernel source
-      run: |
-        cd $GITHUB_WORKSPACE
-        KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
-        echo "[+] 克隆远程仓库 WSA-Linux-Kernel..."
-        git clone https://github.com/microsoft/WSA-Linux-Kernel
-        cd WSA-Linux-Kernel && git checkout android-lts/latte/${{ matrix.version }}
-        echo "[+] 切换到分支 android-lts/latte/${{ matrix.version }}"
-        echo "[+] 导入 KernelSU"
-        echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
-        echo "[+] 复制 kernel su driver 到路径：$KERNEL_ROOT/drivers"
-        ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
-        DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
-        echo "[+] 添加 kernel su driver 到文件：$DRIVER_MAKEFILE"
-        grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-        echo "[+] KernelSU 导入完成"
-        cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch
-        cd -
-    
-    - name: Build Kernel
-      working-directory: WSA-Linux-Kernel
-      run: |
-        KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
-        echo "[+] 构建 kernel"
-        cp configs/wsa/${{ matrix.make_config }}-5.10 $KERNEL_ROOT/.config
-        echo "[+] 复制配置文件 configs/wsa/${{ matrix.make_config }}-5.10 到 $KERNEL_ROOT/.config"
-        echo "执行: make -j`nproc` LLVM=1 ${{ matrix.kernel_make_cmd }}"
-        make -j`nproc` LLVM=1 ${{ matrix.kernel_make_cmd }} CCACHE="/usr/bin/ccache" 
-
-    - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
-      uses: actions/upload-artifact@v3
-      with:
-        name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }}-${{ matrix.date }}
-        path: WSA-Linux-Kernel/${{ matrix.out_file }}

.github/workflows/build-debug-kernel.yml

@@ -0,0 +1,31 @@
+name: Build debug kernel
+on:
+  workflow_dispatch:
+
+jobs:
+  build-debug-kernel-a12:
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.177
+      tag: android12-5.10-2023-06
+      os_patch_level: 2023-06
+      patch_path: "5.10"
+      debug: true
+  build-debug-kernel-a13:
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 177
+            os_patch_level: 2023-06
+          - version: "5.15"
+            sub_level: 94
+            os_patch_level: 2023-06
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: true

.github/workflows/build-kernel-a12.yml

@@ -7,7 +7,6 @@ on:
       - ".github/workflows/gki-kernel.yml"
       - ".github/scripts/build_a12.sh"
       - "kernel/**"
-      - "userspace/ksud/**"
   pull_request:
     branches: ["main"]
     paths:
@@ -15,7 +14,7 @@ on:
       - ".github/workflows/gki-kernel.yml"
       - ".github/scripts/build-a12.sh"
       - "kernel/**"
-      - "userspace/ksud/**"
+  workflow_call:
 jobs:
   build-kernel:
     if: github.event_name != 'pull_request'
@@ -23,15 +22,25 @@ jobs:
       matrix:
         include:
           - sub_level: 66
-            os_patch_level: 2021-11
+            os_patch_level: 2022-01
           - sub_level: 81
             os_patch_level: 2022-03
           - sub_level: 101
             os_patch_level: 2022-05
           - sub_level: 110
             os_patch_level: 2022-07
+          - sub_level: 117
+            os_patch_level: 2022-09
           - sub_level: 136
             os_patch_level: 2022-11
+          - sub_level: 149
+            os_patch_level: 2023-01
+          - sub_level: 160
+            os_patch_level: 2023-03
+          - sub_level: 168
+            os_patch_level: 2023-05
+          - sub_level: 177
+            os_patch_level: 2023-06
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -43,7 +52,7 @@ jobs:
   upload-artifacts:
     needs: build-kernel
     runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
     env:
       CHAT_ID: ${{ secrets.CHAT_ID }}
       CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
@@ -93,17 +102,26 @@ jobs:
           export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
           export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
           cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(git rev-list --count HEAD)
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
           echo "VERSION: $VERSION"
           cd -
           bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a12.sh
 
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: boot-images-android12
+          path: Image-android12*/*.img.gz
+
   check-build-kernel:
     if: github.event_name == 'pull_request'
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android12-5.10
-      version_name: android12-5.10.101
-      tag: android12-5.10-2022-05
-      os_patch_level: 2022-05
+      version_name: android12-5.10.177
+      tag: android12-5.10-2023-06
+      os_patch_level: 2023-06
       patch_path: "5.10"

.github/workflows/build-kernel-a13.yml

@@ -7,7 +7,6 @@ on:
       - ".github/workflows/gki-kernel.yml"
       - ".github/scripts/build_a13.sh"
       - "kernel/**"
-      - "userspace/ksud/**"
   pull_request:
     branches: ["main"]
     paths:
@@ -15,7 +14,7 @@ on:
       - ".github/workflows/gki-kernel.yml"
       - ".github/scripts/build-a13.sh"
       - "kernel/**"
-      - "userspace/ksud/**"
+  workflow_call:
 jobs:
   build-kernel:
     if: github.event_name != 'pull_request'
@@ -28,23 +27,42 @@ jobs:
           - version: "5.10"
             sub_level: 149
             os_patch_level: 2023-01
+          - version: "5.10"
+            sub_level: 157
+            os_patch_level: 2023-03
+          - version: "5.10"
+            sub_level: 168
+            os_patch_level: 2023-05
+          - version: "5.10"
+            sub_level: 177
+            os_patch_level: 2023-06
           - version: "5.15"
             sub_level: 41
             os_patch_level: 2022-11
           - version: "5.15"
             sub_level: 74
-            os_patch_level: 2022-12
+            os_patch_level: 2023-01
+          - version: "5.15"
+            sub_level: 78
+            os_patch_level: 2023-03
+          - version: "5.15"
+            sub_level: 94
+            os_patch_level: 2023-05
+          - version: "5.15"
+            sub_level: 104
+            os_patch_level: 2023-06
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
       patch_path: ${{ matrix.version }}
   upload-artifacts:
     needs: build-kernel
     runs-on: ubuntu-latest
-    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
     env:
       CHAT_ID: ${{ secrets.CHAT_ID }}
       CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
@@ -94,10 +112,19 @@ jobs:
           export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
           export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
           cd $GITHUB_WORKSPACE/KernelSU
-          export VERSION=$(git rev-list --count HEAD)
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
           echo "VERSION: $VERSION"
           cd -
           bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+      
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: boot-images-android13
+          path: Image-android13*/*.img.gz
 
   check-build-kernel:
     if: github.event_name == 'pull_request'
@@ -105,14 +132,14 @@ jobs:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 107
-            os_patch_level: 2022-11
+            sub_level: 177
+            os_patch_level: 2023-06
           - version: "5.15"
-            sub_level: 41
-            os_patch_level: 2022-11
+            sub_level: 104
+            os_patch_level: 2023-06
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-arcvm.yml

@@ -0,0 +1,136 @@
+name: Build Kernel - ChromeOS ARCVM
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        arch: [x86_64]
+        version: ["5.10.178"]
+        include:
+          - arch: x86_64
+            git_tag: chromeos-5.10-arcvm
+            file_name: "bzImage"
+
+    name: Build ChromeOS ARCVM kernel
+    runs-on: ubuntu-20.04
+    env:
+      LTO: thin
+      ROOT_DIR: /
+      KERNEL_DIR: ${{ github.workspace }}/kernel
+
+    steps:
+      - name: Install Build Tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends bc \
+              bison build-essential ca-certificates flex git gnupg \
+              libelf-dev libssl-dev lsb-release software-properties-common wget \
+              libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip \
+              rsync python3 device-tree-compiler
+
+          sudo ln -s --force python3 /usr/bin/python
+
+          export LLVM_VERSION=12
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh $LLVM_VERSION
+          rm ./llvm.sh
+          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
+          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
+          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
+          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
+          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
+          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
+          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
+          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
+          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        run: git clone https://chromium.googlesource.com/chromiumos/third_party/kernel.git -b ${{ matrix.git_tag }} --depth=1
+
+      - name: Setup KernelSU
+        working-directory: kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch
+
+          echo "[+] Patch script/setlocalversion"
+          sed -i 's/-dirty//g' $KERNEL_ROOT/scripts/setlocalversion
+
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: kernel
+        run: |
+          set -a && . build.config.gki.x86_64; set +a
+          export DEFCONFIG=x86_64_arcvm_defconfig
+
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} mrproper
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} ${DEFCONFIG} < /dev/null
+          scripts/config --file .config -e LTO_CLANG -d LTO_NONE -e LTO_CLANG_THIN -d LTO_CLANG_FULL -e THINLTO
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} -j$(nproc) bzImage modules prepare-objtool
+
+          echo "file_path=${PWD}/arch/x86/boot/bzImage" >> $GITHUB_ENV
+
+      - name: Upload kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+          path: "${{ env.file_path }}"
+
+      - name: Post to Telegram
+        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          TITLE=kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+          echo "[+] title: $TITLE"
+          export TITLE
+          export VERSION="${{ env.kernelsu_version }}"
+          echo "[+] Compress images"
+          gzip -n -f -9 "${{ env.file_path }}"
+          echo "[+] Image to upload"
+          ls -l "${{ env.file_path }}.gz"
+          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
+            pip3 install python-telegram-bot
+            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
+          fi

.github/workflows/build-kernel-wsa.yml

@@ -0,0 +1,151 @@
+name: Build Kernel - WSA
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-wsa.yml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-wsa.yml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        arch: [x86_64, arm64]
+        version: ["5.15.78.1", "5.15.94.4"]
+        include:
+          - arch: x86_64
+            file_name: "bzImage"
+          - arch: arm64
+            file_name: "Image"
+            cross_compile: "aarch64-linux-gnu"
+          - version: "5.15.78.1"
+            arch: x86_64
+            make_config: config-wsa-x64
+          - version: "5.15.78.1"
+            arch: arm64
+            make_config: config-wsa-arm64
+          - version: "5.15.94.4"
+            arch: x86_64
+            make_config: config-wsa-x64
+          - version: "5.15.94.4"
+            arch: arm64
+            make_config: config-wsa-arm64
+          - version: "5.15.78.1"
+            device_code: latte-2
+            kernel_version: "5.15"
+          - version: "5.15.94.4"
+            device_code: latte-2
+            kernel_version: "5.15"
+
+
+    name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
+    runs-on: ubuntu-20.04
+    env:
+      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
+      CCACHE_NOHASHDIR: "true"
+      CCACHE_HARDLINK: "true"
+
+    steps:
+      - name: Install Build Tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip
+          export LLVM_VERSION=12
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh $LLVM_VERSION
+          rm ./llvm.sh
+          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
+          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
+          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
+          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
+          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
+          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
+          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
+          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
+          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v3
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        uses: actions/checkout@v3
+        with:
+          repository: microsoft/WSA-Linux-Kernel
+          ref: android-lts/${{ matrix.device_code }}/${{ matrix.version }}
+          path: WSA-Linux-Kernel
+
+      - name: Setup Ccache
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
+          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          max-size: 2G
+
+      - name: Setup KernelSU
+        working-directory: WSA-Linux-Kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/${{ matrix.kernel_version }}/*.patch
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: WSA-Linux-Kernel
+        run: |
+          cp configs/wsa/${{ matrix.make_config }} .config
+          make olddefconfig
+          make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} CROSS_COMPILE=${{ matrix.cross_compile }} ${{ matrix.file_name }} CCACHE="/usr/bin/ccache"
+          declare -A ARCH_MAP=(["x86_64"]="x86" ["arm64"]="arm64")
+          echo "file_path=WSA-Linux-Kernel/arch/${ARCH_MAP[${{ matrix.arch }}]}/boot/${{ matrix.file_name }}" >> $GITHUB_ENV
+
+      - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }}
+          path: "${{ env.file_path }}"
+
+      - name: Post to Telegram
+        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}    
+        run: |
+          TITLE=kernel-${{ matrix.arch }}-WSA-${{ matrix.version }}
+          echo "[+] title: $TITLE"
+          export TITLE
+          export VERSION="${{ env.kernelsu_version }}"
+          echo "[+] Compress images"
+          gzip -n -f -9 "${{ env.file_path }}"
+          echo "[+] Image to upload"
+          ls -l "${{ env.file_path }}.gz"
+          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
+            pip3 install python-telegram-bot
+            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
+          fi

.github/workflows/build-ksud.yml

@@ -19,6 +19,7 @@ jobs:
         include:
           - target: aarch64-linux-android
           - target: x86_64-linux-android
+          - target: x86_64-pc-windows-gnu # only for build
     uses: ./.github/workflows/ksud.yml
     with:
       target: ${{ matrix.target }}

.github/workflows/build-manager.yml

@@ -1,15 +1,18 @@
 name: Build Manager
+
 on:
   push:
     branches: [ "main" ]
-    paths: 
+    paths:
       - '.github/workflows/build-manager.yml'
       - 'manager/**'
       - 'userspace/ksud/**'
   pull_request:
     branches: [ "main" ]
-    paths: 
+    paths:
       - 'manager/**'
+  workflow_call:
+
 jobs:
   build-ksud:
     strategy:
@@ -20,87 +23,104 @@ jobs:
     uses: ./.github/workflows/ksud.yml
     with:
       target: ${{ matrix.target }}
+
   build-manager:
     needs: build-ksud
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./manager
+
     steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - name: Setup need_upload
-      id: need_upload
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          echo "UPLOAD=true" >> $GITHUB_OUTPUT
-        else
-          echo "UPLOAD=false" >> $GITHUB_OUTPUT
-        fi
-    - name: set up JDK 11
-      uses: actions/setup-java@v3
-      with:
-        java-version: '11'
-        distribution: 'temurin'
-        cache: gradle
-    - uses: nttld/setup-ndk@v1
-      with:
-        ndk-version: r25b
-        local-cache: true
-    - name: Extract keystore
-      if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-      run: |
-        if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
-          echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}' >> sign.properties
-          echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}' >> sign.properties
-          echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}' >> sign.properties
-          echo KEYSTORE_FILE='../key.jks' >> sign.properties
-          echo ${{ secrets.KEYSTORE }} | base64 --decode > key.jks
-        fi
-    - name: Download arm64 ksud
-      uses: actions/download-artifact@v3
-      with:
-        name: ksud-aarch64-linux-android
-        path: .
-    - name: Download x86_64 ksud
-      uses: actions/download-artifact@v3
-      with:
-        name: ksud-x86_64-linux-android
-        path: .
-    - name: Copy ksud to app jniLibs
-      run: |
-        mkdir -p app/src/main/jniLibs/arm64-v8a
-        mkdir -p app/src/main/jniLibs/x86_64
-        cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
-        cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
-    - name: Grant execute permission for gradlew
-      run: chmod +x gradlew
-    - name: Build with Gradle
-      run: ./gradlew clean assembleRelease
-    - name: Upload build artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: manager
-        path: manager/app/build/outputs/apk/release/*.apk
-    - name: Setup mutex for uploading
-      uses: ben-z/gh-action-mutex@v1.0-alpha-7
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: Manager
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          export VERSION=$(git rev-list --count HEAD)
-          APK=$(find ./app/build/outputs/apk/release -name "*.apk")
-          pip3 install python-telegram-bot
-          python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
-        fi
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Setup need_upload
+        id: need_upload
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            echo "UPLOAD=true" >> $GITHUB_OUTPUT
+          else
+            echo "UPLOAD=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Write key
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        run: |
+          if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
+            echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}' >> gradle.properties
+            echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}' >> gradle.properties
+            echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}' >> gradle.properties
+            echo KEYSTORE_FILE='../key.jks' >> gradle.properties
+            echo ${{ secrets.KEYSTORE }} | base64 --decode > key.jks
+          fi
+
+      - name: Setup Java
+        uses: actions/setup-java@v3
+        with:
+          distribution: "temurin"
+          java-version: "17"
+
+      - name: Setup Gradle
+        uses: gradle/gradle-build-action@v2
+        with:
+          gradle-home-cache-cleanup: true
+
+      - name: Download arm64 ksud
+        uses: actions/download-artifact@v3
+        with:
+          name: ksud-aarch64-linux-android
+          path: .
+
+      - name: Download x86_64 ksud
+        uses: actions/download-artifact@v3
+        with:
+          name: ksud-x86_64-linux-android
+          path: .
+
+      - name: Copy ksud to app jniLibs
+        run: |
+          mkdir -p app/src/main/jniLibs/arm64-v8a
+          mkdir -p app/src/main/jniLibs/x86_64
+          cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
+          cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
+
+      - name: Build with Gradle
+        run: |
+          echo 'org.gradle.parallel=true' >> gradle.properties
+          echo 'org.gradle.vfs.watch=true' >> gradle.properties
+          echo 'org.gradle.jvmargs=-Xmx2048m' >> gradle.properties
+          echo 'android.native.buildOutput=verbose' >> gradle.properties
+          sed -i 's/org.gradle.configuration-cache=true//g' gradle.properties
+          ./gradlew clean assembleRelease
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: manager
+          path: manager/app/build/outputs/apk/release/*.apk
+
+      - name: Setup mutex for uploading
+        uses: ben-z/gh-action-mutex@v1.0-alpha-7
+        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
+
+      - name: Upload to telegram
+        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          TITLE: Manager
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            export VERSION=$(git rev-list --count HEAD)
+            APK=$(find ./app/build/outputs/apk/release -name "*.apk")
+            pip3 install python-telegram-bot
+            python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
+          fi

.github/workflows/build-su.yml

@@ -4,12 +4,12 @@ on:
     branches: [ "main" ]
     paths: 
       - '.github/workflows/build-su.yml'
-      - 'userspace/**'
+      - 'userspace/su/**'
       - 'scripts/ksubot.py'
   pull_request:
     branches: [ "main" ]
     paths: 
-      - 'userspace/**'
+      - 'userspace/su/**'
 jobs:
   build-su:
     name: Build userspace su

.github/workflows/clippy.yml

@@ -0,0 +1,37 @@
+name: Clippy check
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/clippy.yml'
+      - 'userspace/ksud/**'
+  pull_request:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/clippy.yml'
+      - 'userspace/ksud/**'
+
+env:
+  RUSTFLAGS: '-Dwarnings'
+
+jobs:
+  clippy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
+      - run: rustup default 1.67.0
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: userspace/ksud
+
+      - name: Install cross
+        run: cargo install cross
+
+      - name: Run clippy
+        run: |
+          cross clippy --manifest-path userspace/ksud/Cargo.toml --target aarch64-linux-android --release
+          cross clippy --manifest-path userspace/ksud/Cargo.toml --target x86_64-linux-android --release

.github/workflows/gki-kernel.yml

@@ -45,6 +45,10 @@ on:
         description: >
           Artifact name of prebuilt ksud to be embedded
           for example: ksud-aarch64-linux-android
+      debug:
+        required: false
+        type: boolean
+        default: false
     secrets:
       BOOT_SIGN_KEY:
         required: false
@@ -64,7 +68,6 @@ jobs:
     env:
       CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
       CCACHE_NOHASHDIR: "true"
-      CCACHE_MAXSIZE: "2G"
       CCACHE_HARDLINK: "true"
     steps:
       - uses: actions/checkout@v3
@@ -72,13 +75,6 @@ jobs:
           path: KernelSU
           fetch-depth: 0
 
-      - uses: hendrikmuhs/ccache-action@v1.2
-        if: inputs.use_cache == true
-        with:
-          key: ccache-aarch64-${{ inputs.version_name }}
-          append-timestamp: false
-          save: ${{ github.event_name != 'pull_request' }}
-
       - name: Setup need_upload
         id: need_upload
         run: |
@@ -94,11 +90,18 @@ jobs:
           git clone https://gerrit.googlesource.com/git-repo
           mkdir android-kernel && cd android-kernel
           ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }}
+          REMOTE_BRANCH=$(git ls-remote https://android.googlesource.com/kernel/common ${{ inputs.tag }})
+          if grep -q deprecated <<< $REMOTE_BRANCH; then
+            echo "Found deprecated branch: ${{ inputs.tag }}"
+            sed -i 's/"${{ inputs.tag }}"/"deprecated\/${{ inputs.tag }}"/g' .repo/manifests/default.xml
+            cat .repo/manifests/default.xml
+          fi
           ../git-repo/repo sync -j$(nproc --all)
 
       - name: Setup KernelSU
         env:
           PATCH_PATH: ${{ inputs.patch_path }}
+          IS_DEBUG_KERNEL: ${{ inputs.debug }}
         run: |
           cd $GITHUB_WORKSPACE/android-kernel
           echo "[+] KernelSU setup"
@@ -111,6 +114,13 @@ jobs:
           grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
           echo "[+] Apply KernelSU patches"
           cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
+          echo "[+] Patch script/setlocalversion"
+          sed -i 's/-dirty//g' $GKI_ROOT/common/scripts/setlocalversion
+
+          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
+            echo "[+] Enable debug features for kernel"
+            echo "ccflags-y += -DCONFIG_KSU_DEBUG" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+          fi
           echo "[+] KernelSU setup done."
 
       - name: Symbol magic
@@ -124,6 +134,14 @@ jobs:
           echo "[+] Add KernelSU symbols"
           cat $KSU_ROOT/kernel/export_symbol.txt | awk '{sub("[ \t]+","");print "  "$0}' >> $SYMBOL_LIST
 
+      - name: Setup ccache
+        if: inputs.use_cache == true
+        uses: hendrikmuhs/ccache-action@v1.2
+        with:
+          key: gki-kernel-aarch64-${{ inputs.version_name }}
+          max-size: 2G
+          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+
       - name: Build boot.img
         working-directory: android-kernel
         run: CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
@@ -149,4 +167,4 @@ jobs:
         uses: actions/upload-artifact@v3
         with:
           name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
-          path: ./AnyKernel3/*
+          path: ./AnyKernel3/*

.github/workflows/ksud.yml

@@ -14,19 +14,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
-
-    - name: Set up cargo cache
-      if: inputs.use_cache == true
-      uses: actions/cache@v3
-      continue-on-error: false
       with:
-        path: |
-          ~/.cargo/bin/
-          ~/.cargo/registry/index/
-          ~/.cargo/registry/cache/
-          ~/.cargo/git/db/
-        key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-        restore-keys: ${{ runner.os }}-cargo-
+        fetch-depth: 0
+    # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
+    - run: rustup default 1.67.0
+    - uses: Swatinem/rust-cache@v2
+      with:
+        workspaces: userspace/ksud
+        cache-targets: false
+
+    - name: Install cross
+      run: cargo install cross
 
     - name: Build ksud
       run: cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
@@ -35,5 +33,4 @@ jobs:
       uses: actions/upload-artifact@v3
       with:
         name: ksud-${{ inputs.target }}
-        path: ./userspace/ksud/target/**/release/ksud
-
+        path: userspace/ksud/target/**/release/ksud

.github/workflows/release.yml

@@ -0,0 +1,56 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+jobs:
+  build-manager:
+    uses: ./.github/workflows/build-manager.yml
+    secrets: inherit
+  build-a12-kernel:
+    uses: ./.github/workflows/build-kernel-a12.yml
+  build-a13-kernel:
+    uses: ./.github/workflows/build-kernel-a13.yml
+  build-wsa-kernel:
+    uses: ./.github/workflows/build-kernel-wsa.yml
+  release:
+    needs: 
+      - build-manager
+      - build-a12-kernel
+      - build-a13-kernel
+      - build-wsa-kernel
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v3
+      - name: Zip AnyKernel3
+        run: |
+          for dir in AnyKernel3-*; do
+            if [ -d "$dir" ]; then
+              echo "----- Zip $dir -----"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
+      - name: Zip WSA kernel
+        run: |
+          for dir in kernel-WSA-*; do
+            if [ -d "$dir" ]; then
+              echo "------ Zip $dir ----------"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
+      - name: Display structure of downloaded files
+        run: ls -R
+
+      - name: release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            manager/*.apk
+            AnyKernel3-*.zip
+            boot-images-*/Image-*/*.img.gz
+            kernel-WSA*.zip

.github/workflows/rustfmt.yml

@@ -0,0 +1,33 @@
+name: Rustfmt check
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/rustfmt.yml'
+      - 'userspace/ksud/**'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/rustfmt.yml'
+      - 'userspace/ksud/**'
+
+permissions:
+  checks: write
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rustfmt
+
+      - uses: LoliGothick/rustfmt-check@v0.3.1
+        with:
+          token: ${{ github.token }}
+          options: --manifest-path userspace/ksud/Cargo.toml

.github/workflows/shellcheck.yml

@@ -0,0 +1,27 @@
+name: ShellCheck
+
+on:
+  push:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/shellcheck.yml'
+      - '**/*.sh'
+  pull_request:
+    branches:
+      - 'main'
+    paths:
+      - '.github/workflows/shellcheck.yml'
+      - '**/*.sh'
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@2.0.0
+        with:
+          ignore_names: gradlew
+          ignore_paths: ./userspace/ksud/src/installer.sh

.gitignore

@@ -0,0 +1,2 @@
+.idea
+.vscode

README.md

@@ -1,4 +1,4 @@
-**English** | [中文](README_CN.md)
+**English** | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md)
 
 # KernelSU
 
@@ -11,7 +11,7 @@ A Kernel based root solution for Android devices.
 
 ## Compatibility State
 
-KernelSU officially supports Android GKI 2.0 devices(with kernel 5.10+), old kernels(4.14+) is also compatiable, but you need to build kernel yourself.
+KernelSU officially supports Android GKI 2.0 devices(with kernel 5.10+), old kernels(4.14+) is also compatible, but you need to build kernel yourself.
 
 WSA and containter-based Android should also work with KernelSU integrated.
 
@@ -31,7 +31,8 @@ And the current supported ABIs are : `arm64-v8a` and `x86_64`
 
 ## License
 
-[GPL-3](http://www.gnu.org/copyleft/gpl.html)
+- Files under `kernel` directory are [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- All other parts except `kernel` directory are [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
 
 ## Credits
 

README_CN.md

@@ -1,4 +1,4 @@
-[English](README.md) | **中文**
+[English](README.md) | [Español](README_ES.md) | **简体中文** | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md)
 
 # KernelSU
 
@@ -31,11 +31,12 @@ WSA 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
 
 ## 许可证
 
-[GPL-3](http://www.gnu.org/copyleft/gpl.html)
+- 目录 `kernel` 下所有文件为 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- 除 `kernel` 目录的其他部分均为 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
 
 ## 鸣谢
 
 - [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
-- [true](https://github.com/brevent/genuine/)：apk v2 签名验证。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 签名验证。
 - [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
 - [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 的实现。

README_ES.md

@@ -0,0 +1,47 @@
+[ 🇬🇧 English](README.md) | 🇪🇸 **Español** | [🇨🇳 简体中文](README_CN.md) | [🇹🇼 繁體中文](README_TW.md) | [ 🇯🇵 日本語](README_JP.md) | [🇵🇱 Polski](README_PL.md) | [🇧🇷 Portuguese-Brazil](README_PT-BR.md) | [🇹🇷 Türkçe](README_TR.md)
+
+<div style="display: flex; align-items: center;">
+    <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="">
+    <div style="margin-left: 20px;">
+        <span style="font-size: large; "><b>KernelSU</b></span>
+        <br>
+        <span style="font-size: medium; "><i>Una solución root basada en el kernel para dispositivos Android.</i></span>   
+    </div>
+</div>
+
+## 🚀 Características
+
+**1.** Binario `su` basado en el kernel y gestión de acceso root.<br/>
+**2.** Sistema de módulos basado en **OverlayFS**.
+
+## ✅ Estado de compatibilidad
+
+**KernelSU** soporta de forma oficial dispositivos Android con **GKI 2.0** (a partir de la versión **5.10** del kernel). Los kernels antiguos (a partir de la versión **4.14**) también son compatibles, pero necesitas compilarlos por tu cuenta.
+
+El **Subsistema de Windows para Android (WSA)** e implementaciones de Android basadas en contenedores, como **Waydroid**, también deberían funcionar con **KernelSU** integrado.
+
+Actualmente se soportan las siguientes **ABIs**: `arm64-v8a`; `x86_64`.
+
+## 📖 Uso
+
+[¿Cómo instalarlo?](https://kernelsu.org/guide/installation.html)
+
+## 🔨 Compilación
+
+[¿Cómo compilarlo?](https://kernelsu.org/guide/how-to-build.html)
+
+## 💬 Discusión
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## ⚖️ Licencia
+
+- Los archivos bajo el directorio `kernel` están licenciados bajo [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas las demás partes, a excepción del directorio `kernel`, están licenciados bajo [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## 👥 Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): la idea de **KernelSU**.
+- [genuine](https://github.com/brevent/genuine/): la validación del **esquema de firmas APK v2**.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algunas habilidades de rootkit.
+- [Magisk](https://github.com/topjohnwu/Magisk): la implementación de la **política de SELinux (SEPolicy)**.

README_JP.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | **日本語** | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md)
+
+# KernelSU
+
+Android におけるカーネルベースの root ソリューションです。
+
+## 特徴
+
+1. カーネルベースの `su` と権限管理
+2. OverlayFS に基づくモジュールシステム
+
+## 対応状況
+
+KernelSU は GKI 2.0 デバイス（カーネルバージョン 5.10 以上）を公式にサポートしています。古いカーネル（4.14以上）とも互換性がありますが、自分でカーネルをビルドする必要があります。
+
+WSA とコンテナ上で動作する Android でも KernelSU を統合して動かせます。
+
+現在サポートしているアーキテクチャは `arm64-v8a` および `x86_64` です。
+
+## 使用方法
+
+[インストール方法はこちら](https://kernelsu.org/ja_JP/guide/installation.html)
+
+## ビルド
+
+[ビルド方法はこちら](https://kernelsu.org/guide/how-to-build.html)
+
+### ディスカッション
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## ライセンス
+
+- `kernel` ディレクトリの下にあるすべてのファイル： [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- `kernel` ディレクトリ以外のすべてのファイル： [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## クレジット
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU のアイデア元
+- [genuine](https://github.com/brevent/genuine/)：apk v2 の署名検証
+- [Diamorphine](https://github.com/m0nad/Diamorphine): rootkit のスキル
+- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy の実装

README_PL.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | **Polski** | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md)
+
+# KernelSU
+
+Rozwiązanie root oparte na jądrze dla urządzeń z systemem Android.
+
+## Cechy
+
+1. Oparte na jądrze `su` i zarządzanie dostępem roota.
+2. System modułów oparty na overlayfs.
+
+## Kompatybilność
+
+KernelSU oficjalnie obsługuje urządzenia z Androidem GKI 2.0 (z jądrem 5.10+), starsze jądra (4.14+) są również kompatybilne, ale musisz sam skompilować jądro.
+
+WSA i Android oparty na kontenerach również powinny działać ze zintegrowanym KernelSU.
+
+Aktualnie obsługiwane ABI to : `arm64-v8a` i `x86_64`.
+
+## Użycie
+
+[Instalacja](https://kernelsu.org/guide/installation.html)
+
+## Kompilacja
+
+[Jak skompilować?](https://kernelsu.org/guide/how-to-build.html)
+
+### Dyskusja
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Licencja
+
+- Pliki w katalogu `kernel` są na licencji [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- Wszystkie inne części poza katalogiem `kernel` są na licencji [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Podziękowania
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): pomysłodawca KernelSU.
+- [genuine](https://github.com/brevent/genuine/): walidacja podpisu apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): cenna znajomość rootkitów.
+- [Magisk](https://github.com/topjohnwu/Magisk): implementacja sepolicy.

README_PT-BR.md

@@ -0,0 +1,47 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | **Portuguese-Brazil** | [Türkçe](README_TR.md)
+
+# KernelSU
+
+Uma solução raiz baseada em Kernel para dispositivos Android.
+
+## Características
+
+1. `su` baseado em kernel e gerenciamento de acesso root.
+
+2. Sistema modular baseado em overlayfs.
+
+## Estado de compatibilidade
+
+O KernelSU suporta oficialmente dispositivos Android GKI 2.0 (com kernel 5.10+), kernels antigos (4.14+) também são compatíveis, mas você mesmo precisa construir o kernel.
+
+O Android baseado em WSA e contêiner também deve funcionar com o KernelSU integrado.
+
+E os ABIs atualmente suportados são: `arm64-v8a` e `x86_64`
+
+## Uso
+
+[Instalação](https://kernelsu.org/guide/installation.html)
+
+## Construir
+
+[Como construir?](https://kernelsu.org/guide/how-to-build.html)
+
+### Discussão
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Licença
+
+- Os arquivos no diretório `kernel` são [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+
+- Todas as outras partes, exceto o diretório `kernel`, são [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): a ideia do KernelSU.
+
+- [genuine](https://github.com/brevent/genuine/): validação de assinatura apk v2.
+
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algumas habilidades de rootkit.
+
+- [Magisk](https://github.com/topjohnwu/Magisk): a implementação da sepolicy.

README_TR.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | **Türkçe**
+
+# KernelSU
+
+Android cihazlar için kernel tabanlı bir root çözümü.
+
+## Özellikler
+
+1. Kernel-tabanlı `su` ve root erişimi yönetimi.
+2. Overlayfs'ye dayalı modül sistemi.
+
+## Uyumluluk Durumu
+
+KernelSU resmi olarak Android GKI 2.0 cihazlarını ( 5.10+ kernelli) destekler, eski kernellerle de (4.14+) uyumludur, ancak kerneli kendinizin inşaa etmesi gerekir.
+
+WSA ve konteyner tabanlı Android'in de, KernelSU ile entegre olarak da çalışması gerekmektedir.
+
+Ve desteklenen mevcut ABI'ler : `arm64-v8a` ve `x86_64`
+
+## Kullanım
+
+[Yükleme](https://kernelsu.org/guide/installation.html)
+
+## İnşaa
+
+[Nasıl inşa edilir?](https://kernelsu.org/guide/how-to-build.html)
+
+### Tartışma
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Lisans
+
+- `kernel` klasöründeki dosyalar [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
+- `kernel` klasörü dışındaki bütün diğer bölümler [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html) lisansı altındadır.
+
+## Krediler
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU fikri.
+- [genuine](https://github.com/brevent/genuine/): apk v2 imza doğrulama.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): bazı rootkit becerileri.
+- [Magisk](https://github.com/topjohnwu/Magisk): sepolicy uygulaması.

README_TW.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | **繁體中文** | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md)
+
+# KernelSU
+
+一個基於核心的 Android 裝置 Root 解決方案
+
+## 功能
+
+- 基於核心的 Su 和 Root 存取權管理。
+- 基於 Overlayfs 的模組系統。
+
+## 相容性狀態
+
+KernelSU 官方支援 Android GKI 2.0 的裝置 (核心版本 5.10+)；舊版核心同樣相容 (最低 4.14+)，但需要自行編譯核心。
+
+WSA 和執行在容器中的 Android 也可以與 KernelSU 一同運作。
+
+目前支援架構：`arm64-v8a` 和 `x86_64`
+
+## 使用方法
+
+[安裝教學](https://kernelsu.org/zh_TW/guide/installation.html)
+
+## 建置
+
+[如何建置？](https://kernelsu.org/zh_TW/guide/how-to-build.html)
+
+### 討論
+
+- Telegram：[@KernelSU](https://t.me/KernelSU)
+
+## 授權
+
+- 目錄 `kernel` 下所有檔案為 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- 除 `kernel` 目錄的其他部分均為 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## 致謝
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的靈感。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 簽章驗證。
+- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
+- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 實作。

kernel/.clang-format

@@ -0,0 +1,548 @@
+# SPDX-License-Identifier: GPL-2.0
+#
+# clang-format configuration file. Intended for clang-format >= 4.
+#
+# For more information, see:
+#
+#   Documentation/process/clang-format.rst
+#   https://clang.llvm.org/docs/ClangFormat.html
+#   https://clang.llvm.org/docs/ClangFormatStyleOptions.html
+#
+---
+AccessModifierOffset: -4
+AlignAfterOpenBracket: Align
+AlignConsecutiveAssignments: false
+AlignConsecutiveDeclarations: false
+#AlignEscapedNewlines: Left # Unknown to clang-format-4.0
+AlignOperands: true
+AlignTrailingComments: false
+AllowAllParametersOfDeclarationOnNextLine: false
+AllowShortBlocksOnASingleLine: false
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: None
+AllowShortIfStatementsOnASingleLine: false
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: false
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterClass: false
+  AfterControlStatement: false
+  AfterEnum: false
+  AfterFunction: true
+  AfterNamespace: true
+  AfterObjCDeclaration: false
+  AfterStruct: false
+  AfterUnion: false
+  #AfterExternBlock: false # Unknown to clang-format-5.0
+  BeforeCatch: false
+  BeforeElse: false
+  IndentBraces: false
+  #SplitEmptyFunction: true # Unknown to clang-format-4.0
+  #SplitEmptyRecord: true # Unknown to clang-format-4.0
+  #SplitEmptyNamespace: true # Unknown to clang-format-4.0
+BreakBeforeBinaryOperators: None
+BreakBeforeBraces: Custom
+#BreakBeforeInheritanceComma: false # Unknown to clang-format-4.0
+BreakBeforeTernaryOperators: false
+BreakConstructorInitializersBeforeComma: false
+#BreakConstructorInitializers: BeforeComma # Unknown to clang-format-4.0
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: false
+ColumnLimit: 80
+CommentPragmas: '^ IWYU pragma:'
+#CompactNamespaces: false # Unknown to clang-format-4.0
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+ConstructorInitializerIndentWidth: 8
+ContinuationIndentWidth: 8
+Cpp11BracedListStyle: false
+DerivePointerAlignment: false
+DisableFormat: false
+ExperimentalAutoDetectBinPacking: false
+#FixNamespaceComments: false # Unknown to clang-format-4.0
+
+# Taken from:
+#   git grep -h '^#define [^[:space:]]*for_each[^[:space:]]*(' include/ \
+#   | sed "s,^#define \([^[:space:]]*for_each[^[:space:]]*\)(.*$,  - '\1'," \
+#   | sort | uniq
+ForEachMacros:
+  - 'apei_estatus_for_each_section'
+  - 'ata_for_each_dev'
+  - 'ata_for_each_link'
+  - '__ata_qc_for_each'
+  - 'ata_qc_for_each'
+  - 'ata_qc_for_each_raw'
+  - 'ata_qc_for_each_with_internal'
+  - 'ax25_for_each'
+  - 'ax25_uid_for_each'
+  - '__bio_for_each_bvec'
+  - 'bio_for_each_bvec'
+  - 'bio_for_each_bvec_all'
+  - 'bio_for_each_integrity_vec'
+  - '__bio_for_each_segment'
+  - 'bio_for_each_segment'
+  - 'bio_for_each_segment_all'
+  - 'bio_list_for_each'
+  - 'bip_for_each_vec'
+  - 'bitmap_for_each_clear_region'
+  - 'bitmap_for_each_set_region'
+  - 'blkg_for_each_descendant_post'
+  - 'blkg_for_each_descendant_pre'
+  - 'blk_queue_for_each_rl'
+  - 'bond_for_each_slave'
+  - 'bond_for_each_slave_rcu'
+  - 'bpf_for_each_spilled_reg'
+  - 'btree_for_each_safe128'
+  - 'btree_for_each_safe32'
+  - 'btree_for_each_safe64'
+  - 'btree_for_each_safel'
+  - 'card_for_each_dev'
+  - 'cgroup_taskset_for_each'
+  - 'cgroup_taskset_for_each_leader'
+  - 'cpufreq_for_each_entry'
+  - 'cpufreq_for_each_entry_idx'
+  - 'cpufreq_for_each_valid_entry'
+  - 'cpufreq_for_each_valid_entry_idx'
+  - 'css_for_each_child'
+  - 'css_for_each_descendant_post'
+  - 'css_for_each_descendant_pre'
+  - 'device_for_each_child_node'
+  - 'dma_fence_chain_for_each'
+  - 'do_for_each_ftrace_op'
+  - 'drm_atomic_crtc_for_each_plane'
+  - 'drm_atomic_crtc_state_for_each_plane'
+  - 'drm_atomic_crtc_state_for_each_plane_state'
+  - 'drm_atomic_for_each_plane_damage'
+  - 'drm_client_for_each_connector_iter'
+  - 'drm_client_for_each_modeset'
+  - 'drm_connector_for_each_possible_encoder'
+  - 'drm_for_each_bridge_in_chain'
+  - 'drm_for_each_connector_iter'
+  - 'drm_for_each_crtc'
+  - 'drm_for_each_encoder'
+  - 'drm_for_each_encoder_mask'
+  - 'drm_for_each_fb'
+  - 'drm_for_each_legacy_plane'
+  - 'drm_for_each_plane'
+  - 'drm_for_each_plane_mask'
+  - 'drm_for_each_privobj'
+  - 'drm_mm_for_each_hole'
+  - 'drm_mm_for_each_node'
+  - 'drm_mm_for_each_node_in_range'
+  - 'drm_mm_for_each_node_safe'
+  - 'flow_action_for_each'
+  - 'for_each_active_dev_scope'
+  - 'for_each_active_drhd_unit'
+  - 'for_each_active_iommu'
+  - 'for_each_aggr_pgid'
+  - 'for_each_available_child_of_node'
+  - 'for_each_bio'
+  - 'for_each_board_func_rsrc'
+  - 'for_each_bvec'
+  - 'for_each_card_auxs'
+  - 'for_each_card_auxs_safe'
+  - 'for_each_card_components'
+  - 'for_each_card_dapms'
+  - 'for_each_card_pre_auxs'
+  - 'for_each_card_prelinks'
+  - 'for_each_card_rtds'
+  - 'for_each_card_rtds_safe'
+  - 'for_each_card_widgets'
+  - 'for_each_card_widgets_safe'
+  - 'for_each_cgroup_storage_type'
+  - 'for_each_child_of_node'
+  - 'for_each_clear_bit'
+  - 'for_each_clear_bit_from'
+  - 'for_each_cmsghdr'
+  - 'for_each_compatible_node'
+  - 'for_each_component_dais'
+  - 'for_each_component_dais_safe'
+  - 'for_each_comp_order'
+  - 'for_each_console'
+  - 'for_each_cpu'
+  - 'for_each_cpu_and'
+  - 'for_each_cpu_not'
+  - 'for_each_cpu_wrap'
+  - 'for_each_dapm_widgets'
+  - 'for_each_dev_addr'
+  - 'for_each_dev_scope'
+  - 'for_each_displayid_db'
+  - 'for_each_dma_cap_mask'
+  - 'for_each_dpcm_be'
+  - 'for_each_dpcm_be_rollback'
+  - 'for_each_dpcm_be_safe'
+  - 'for_each_dpcm_fe'
+  - 'for_each_drhd_unit'
+  - 'for_each_dss_dev'
+  - 'for_each_efi_memory_desc'
+  - 'for_each_efi_memory_desc_in_map'
+  - 'for_each_element'
+  - 'for_each_element_extid'
+  - 'for_each_element_id'
+  - 'for_each_endpoint_of_node'
+  - 'for_each_evictable_lru'
+  - 'for_each_fib6_node_rt_rcu'
+  - 'for_each_fib6_walker_rt'
+  - 'for_each_free_mem_pfn_range_in_zone'
+  - 'for_each_free_mem_pfn_range_in_zone_from'
+  - 'for_each_free_mem_range'
+  - 'for_each_free_mem_range_reverse'
+  - 'for_each_func_rsrc'
+  - 'for_each_hstate'
+  - 'for_each_if'
+  - 'for_each_iommu'
+  - 'for_each_ip_tunnel_rcu'
+  - 'for_each_irq_nr'
+  - 'for_each_link_codecs'
+  - 'for_each_link_cpus'
+  - 'for_each_link_platforms'
+  - 'for_each_lru'
+  - 'for_each_matching_node'
+  - 'for_each_matching_node_and_match'
+  - 'for_each_member'
+  - 'for_each_mem_region'
+  - 'for_each_memblock_type'
+  - 'for_each_memcg_cache_index'
+  - 'for_each_mem_pfn_range'
+  - '__for_each_mem_range'
+  - 'for_each_mem_range'
+  - '__for_each_mem_range_rev'
+  - 'for_each_mem_range_rev'
+  - 'for_each_migratetype_order'
+  - 'for_each_msi_entry'
+  - 'for_each_msi_entry_safe'
+  - 'for_each_net'
+  - 'for_each_net_continue_reverse'
+  - 'for_each_netdev'
+  - 'for_each_netdev_continue'
+  - 'for_each_netdev_continue_rcu'
+  - 'for_each_netdev_continue_reverse'
+  - 'for_each_netdev_feature'
+  - 'for_each_netdev_in_bond_rcu'
+  - 'for_each_netdev_rcu'
+  - 'for_each_netdev_reverse'
+  - 'for_each_netdev_safe'
+  - 'for_each_net_rcu'
+  - 'for_each_new_connector_in_state'
+  - 'for_each_new_crtc_in_state'
+  - 'for_each_new_mst_mgr_in_state'
+  - 'for_each_new_plane_in_state'
+  - 'for_each_new_private_obj_in_state'
+  - 'for_each_node'
+  - 'for_each_node_by_name'
+  - 'for_each_node_by_type'
+  - 'for_each_node_mask'
+  - 'for_each_node_state'
+  - 'for_each_node_with_cpus'
+  - 'for_each_node_with_property'
+  - 'for_each_nonreserved_multicast_dest_pgid'
+  - 'for_each_of_allnodes'
+  - 'for_each_of_allnodes_from'
+  - 'for_each_of_cpu_node'
+  - 'for_each_of_pci_range'
+  - 'for_each_old_connector_in_state'
+  - 'for_each_old_crtc_in_state'
+  - 'for_each_old_mst_mgr_in_state'
+  - 'for_each_oldnew_connector_in_state'
+  - 'for_each_oldnew_crtc_in_state'
+  - 'for_each_oldnew_mst_mgr_in_state'
+  - 'for_each_oldnew_plane_in_state'
+  - 'for_each_oldnew_plane_in_state_reverse'
+  - 'for_each_oldnew_private_obj_in_state'
+  - 'for_each_old_plane_in_state'
+  - 'for_each_old_private_obj_in_state'
+  - 'for_each_online_cpu'
+  - 'for_each_online_node'
+  - 'for_each_online_pgdat'
+  - 'for_each_pci_bridge'
+  - 'for_each_pci_dev'
+  - 'for_each_pci_msi_entry'
+  - 'for_each_pcm_streams'
+  - 'for_each_physmem_range'
+  - 'for_each_populated_zone'
+  - 'for_each_possible_cpu'
+  - 'for_each_present_cpu'
+  - 'for_each_prime_number'
+  - 'for_each_prime_number_from'
+  - 'for_each_process'
+  - 'for_each_process_thread'
+  - 'for_each_property_of_node'
+  - 'for_each_registered_fb'
+  - 'for_each_requested_gpio'
+  - 'for_each_requested_gpio_in_range'
+  - 'for_each_reserved_mem_range'
+  - 'for_each_reserved_mem_region'
+  - 'for_each_rtd_codec_dais'
+  - 'for_each_rtd_codec_dais_rollback'
+  - 'for_each_rtd_components'
+  - 'for_each_rtd_cpu_dais'
+  - 'for_each_rtd_cpu_dais_rollback'
+  - 'for_each_rtd_dais'
+  - 'for_each_set_bit'
+  - 'for_each_set_bit_from'
+  - 'for_each_set_clump8'
+  - 'for_each_sg'
+  - 'for_each_sg_dma_page'
+  - 'for_each_sg_page'
+  - 'for_each_sgtable_dma_page'
+  - 'for_each_sgtable_dma_sg'
+  - 'for_each_sgtable_page'
+  - 'for_each_sgtable_sg'
+  - 'for_each_sibling_event'
+  - 'for_each_subelement'
+  - 'for_each_subelement_extid'
+  - 'for_each_subelement_id'
+  - '__for_each_thread'
+  - 'for_each_thread'
+  - 'for_each_unicast_dest_pgid'
+  - 'for_each_wakeup_source'
+  - 'for_each_zone'
+  - 'for_each_zone_zonelist'
+  - 'for_each_zone_zonelist_nodemask'
+  - 'fwnode_for_each_available_child_node'
+  - 'fwnode_for_each_child_node'
+  - 'fwnode_graph_for_each_endpoint'
+  - 'gadget_for_each_ep'
+  - 'genradix_for_each'
+  - 'genradix_for_each_from'
+  - 'hash_for_each'
+  - 'hash_for_each_possible'
+  - 'hash_for_each_possible_rcu'
+  - 'hash_for_each_possible_rcu_notrace'
+  - 'hash_for_each_possible_safe'
+  - 'hash_for_each_rcu'
+  - 'hash_for_each_safe'
+  - 'hctx_for_each_ctx'
+  - 'hlist_bl_for_each_entry'
+  - 'hlist_bl_for_each_entry_rcu'
+  - 'hlist_bl_for_each_entry_safe'
+  - 'hlist_for_each'
+  - 'hlist_for_each_entry'
+  - 'hlist_for_each_entry_continue'
+  - 'hlist_for_each_entry_continue_rcu'
+  - 'hlist_for_each_entry_continue_rcu_bh'
+  - 'hlist_for_each_entry_from'
+  - 'hlist_for_each_entry_from_rcu'
+  - 'hlist_for_each_entry_rcu'
+  - 'hlist_for_each_entry_rcu_bh'
+  - 'hlist_for_each_entry_rcu_notrace'
+  - 'hlist_for_each_entry_safe'
+  - '__hlist_for_each_rcu'
+  - 'hlist_for_each_safe'
+  - 'hlist_nulls_for_each_entry'
+  - 'hlist_nulls_for_each_entry_from'
+  - 'hlist_nulls_for_each_entry_rcu'
+  - 'hlist_nulls_for_each_entry_safe'
+  - 'i3c_bus_for_each_i2cdev'
+  - 'i3c_bus_for_each_i3cdev'
+  - 'ide_host_for_each_port'
+  - 'ide_port_for_each_dev'
+  - 'ide_port_for_each_present_dev'
+  - 'idr_for_each_entry'
+  - 'idr_for_each_entry_continue'
+  - 'idr_for_each_entry_continue_ul'
+  - 'idr_for_each_entry_ul'
+  - 'in_dev_for_each_ifa_rcu'
+  - 'in_dev_for_each_ifa_rtnl'
+  - 'inet_bind_bucket_for_each'
+  - 'inet_lhash2_for_each_icsk_rcu'
+  - 'key_for_each'
+  - 'key_for_each_safe'
+  - 'klp_for_each_func'
+  - 'klp_for_each_func_safe'
+  - 'klp_for_each_func_static'
+  - 'klp_for_each_object'
+  - 'klp_for_each_object_safe'
+  - 'klp_for_each_object_static'
+  - 'kunit_suite_for_each_test_case'
+  - 'kvm_for_each_memslot'
+  - 'kvm_for_each_vcpu'
+  - 'list_for_each'
+  - 'list_for_each_codec'
+  - 'list_for_each_codec_safe'
+  - 'list_for_each_continue'
+  - 'list_for_each_entry'
+  - 'list_for_each_entry_continue'
+  - 'list_for_each_entry_continue_rcu'
+  - 'list_for_each_entry_continue_reverse'
+  - 'list_for_each_entry_from'
+  - 'list_for_each_entry_from_rcu'
+  - 'list_for_each_entry_from_reverse'
+  - 'list_for_each_entry_lockless'
+  - 'list_for_each_entry_rcu'
+  - 'list_for_each_entry_reverse'
+  - 'list_for_each_entry_safe'
+  - 'list_for_each_entry_safe_continue'
+  - 'list_for_each_entry_safe_from'
+  - 'list_for_each_entry_safe_reverse'
+  - 'list_for_each_prev'
+  - 'list_for_each_prev_safe'
+  - 'list_for_each_safe'
+  - 'llist_for_each'
+  - 'llist_for_each_entry'
+  - 'llist_for_each_entry_safe'
+  - 'llist_for_each_safe'
+  - 'mci_for_each_dimm'
+  - 'media_device_for_each_entity'
+  - 'media_device_for_each_intf'
+  - 'media_device_for_each_link'
+  - 'media_device_for_each_pad'
+  - 'nanddev_io_for_each_page'
+  - 'netdev_for_each_lower_dev'
+  - 'netdev_for_each_lower_private'
+  - 'netdev_for_each_lower_private_rcu'
+  - 'netdev_for_each_mc_addr'
+  - 'netdev_for_each_uc_addr'
+  - 'netdev_for_each_upper_dev_rcu'
+  - 'netdev_hw_addr_list_for_each'
+  - 'nft_rule_for_each_expr'
+  - 'nla_for_each_attr'
+  - 'nla_for_each_nested'
+  - 'nlmsg_for_each_attr'
+  - 'nlmsg_for_each_msg'
+  - 'nr_neigh_for_each'
+  - 'nr_neigh_for_each_safe'
+  - 'nr_node_for_each'
+  - 'nr_node_for_each_safe'
+  - 'of_for_each_phandle'
+  - 'of_property_for_each_string'
+  - 'of_property_for_each_u32'
+  - 'pci_bus_for_each_resource'
+  - 'pcm_for_each_format'
+  - 'ping_portaddr_for_each_entry'
+  - 'plist_for_each'
+  - 'plist_for_each_continue'
+  - 'plist_for_each_entry'
+  - 'plist_for_each_entry_continue'
+  - 'plist_for_each_entry_safe'
+  - 'plist_for_each_safe'
+  - 'pnp_for_each_card'
+  - 'pnp_for_each_dev'
+  - 'protocol_for_each_card'
+  - 'protocol_for_each_dev'
+  - 'queue_for_each_hw_ctx'
+  - 'radix_tree_for_each_slot'
+  - 'radix_tree_for_each_tagged'
+  - 'rbtree_postorder_for_each_entry_safe'
+  - 'rdma_for_each_block'
+  - 'rdma_for_each_port'
+  - 'rdma_umem_for_each_dma_block'
+  - 'resource_list_for_each_entry'
+  - 'resource_list_for_each_entry_safe'
+  - 'rhl_for_each_entry_rcu'
+  - 'rhl_for_each_rcu'
+  - 'rht_for_each'
+  - 'rht_for_each_entry'
+  - 'rht_for_each_entry_from'
+  - 'rht_for_each_entry_rcu'
+  - 'rht_for_each_entry_rcu_from'
+  - 'rht_for_each_entry_safe'
+  - 'rht_for_each_from'
+  - 'rht_for_each_rcu'
+  - 'rht_for_each_rcu_from'
+  - '__rq_for_each_bio'
+  - 'rq_for_each_bvec'
+  - 'rq_for_each_segment'
+  - 'scsi_for_each_prot_sg'
+  - 'scsi_for_each_sg'
+  - 'sctp_for_each_hentry'
+  - 'sctp_skb_for_each'
+  - 'shdma_for_each_chan'
+  - '__shost_for_each_device'
+  - 'shost_for_each_device'
+  - 'sk_for_each'
+  - 'sk_for_each_bound'
+  - 'sk_for_each_entry_offset_rcu'
+  - 'sk_for_each_from'
+  - 'sk_for_each_rcu'
+  - 'sk_for_each_safe'
+  - 'sk_nulls_for_each'
+  - 'sk_nulls_for_each_from'
+  - 'sk_nulls_for_each_rcu'
+  - 'snd_array_for_each'
+  - 'snd_pcm_group_for_each_entry'
+  - 'snd_soc_dapm_widget_for_each_path'
+  - 'snd_soc_dapm_widget_for_each_path_safe'
+  - 'snd_soc_dapm_widget_for_each_sink_path'
+  - 'snd_soc_dapm_widget_for_each_source_path'
+  - 'tb_property_for_each'
+  - 'tcf_exts_for_each_action'
+  - 'udp_portaddr_for_each_entry'
+  - 'udp_portaddr_for_each_entry_rcu'
+  - 'usb_hub_for_each_child'
+  - 'v4l2_device_for_each_subdev'
+  - 'v4l2_m2m_for_each_dst_buf'
+  - 'v4l2_m2m_for_each_dst_buf_safe'
+  - 'v4l2_m2m_for_each_src_buf'
+  - 'v4l2_m2m_for_each_src_buf_safe'
+  - 'virtio_device_for_each_vq'
+  - 'while_for_each_ftrace_op'
+  - 'xa_for_each'
+  - 'xa_for_each_marked'
+  - 'xa_for_each_range'
+  - 'xa_for_each_start'
+  - 'xas_for_each'
+  - 'xas_for_each_conflict'
+  - 'xas_for_each_marked'
+  - 'xbc_array_for_each_value'
+  - 'xbc_for_each_key_value'
+  - 'xbc_node_for_each_array_value'
+  - 'xbc_node_for_each_child'
+  - 'xbc_node_for_each_key_value'
+  - 'zorro_for_each_dev'
+
+#IncludeBlocks: Preserve # Unknown to clang-format-5.0
+IncludeCategories:
+  - Regex: '.*'
+    Priority: 1
+IncludeIsMainRegex: '(Test)?$'
+IndentCaseLabels: false
+#IndentPPDirectives: None # Unknown to clang-format-5.0
+IndentWidth: 8
+IndentWrappedFunctionNames: false
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: false
+MacroBlockBegin: ''
+MacroBlockEnd: ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: None
+#ObjCBinPackProtocolList: Auto # Unknown to clang-format-5.0
+ObjCBlockIndentWidth: 8
+ObjCSpaceAfterProperty: true
+ObjCSpaceBeforeProtocolList: true
+
+# Taken from git's rules
+#PenaltyBreakAssignment: 10 # Unknown to clang-format-4.0
+PenaltyBreakBeforeFirstCallParameter: 30
+PenaltyBreakComment: 10
+PenaltyBreakFirstLessLess: 0
+PenaltyBreakString: 10
+PenaltyExcessCharacter: 100
+PenaltyReturnTypeOnItsOwnLine: 60
+
+PointerAlignment: Right
+ReflowComments: false
+SortIncludes: false
+#SortUsingDeclarations: false # Unknown to clang-format-4.0
+SpaceAfterCStyleCast: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+#SpaceBeforeCtorInitializerColon: true # Unknown to clang-format-5.0
+#SpaceBeforeInheritanceColon: true # Unknown to clang-format-5.0
+SpaceBeforeParens: ControlStatements
+#SpaceBeforeRangeBasedForLoopColon: true # Unknown to clang-format-5.0
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles: false
+SpacesInContainerLiterals: false
+SpacesInCStyleCastParentheses: false
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+Standard: Cpp03
+TabWidth: 8
+UseTab: Always
+...

kernel/.clangd

@@ -1,4 +1,4 @@
 Diagnostics:
   UnusedIncludes: Strict
   ClangTidy:
-    Remove: bugprone-sizeof-expression
+    Remove: bugprone-sizeof-expression

kernel/Kconfig

@@ -1,14 +1,17 @@
+menu "KernelSU"
+
 config KSU
-	tristate "KernelSU module"
+	tristate "KernelSU function support"
+	select OVERLAY_FS
 	default y
-	depends on KPROBES
-	depends on OVERLAY_FS
 	help
-	This is the KSU privilege driver for android system.
+	Enable kernel-level root privileges on Android System.
 
 config KSU_DEBUG
-	tristate "KernelSU module debug mode"
-	default n
+	bool "KernelSU debug mode"
 	depends on KSU
+	default n
 	help
-	This enables debug mode for KSU
+	Enable KernelSU debug mode
+
+endmenu

kernel/LICENSE

@@ -0,0 +1,339 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

kernel/Makefile

@@ -9,8 +9,20 @@ obj-y += manager.o
 obj-y += core_hook.o
 obj-y += ksud.o
 obj-y += embed_ksud.o
+obj-y += kernel_compat.o
 
 obj-y += selinux/
+# .git is a text file while the module is imported by 'git submodule add'.
+ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
+# ksu_version: major * 10000 + git version + 200 for historical reasons
+$(eval KSU_VERSION=$(shell expr 10000 + $(KSU_GIT_VERSION) + 200))
+$(info -- KernelSU version: $(KSU_VERSION))
+ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
+else # If there is no .git file, the default version will be passed.
+$(warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!")
+ccflags-y += -DKSU_VERSION=16
+endif
 
 ifndef EXPECTED_SIZE
 EXPECTED_SIZE := 0x033b
@@ -23,4 +35,4 @@ endif
 ccflags-y += -DEXPECTED_SIZE=$(EXPECTED_SIZE)
 ccflags-y += -DEXPECTED_HASH=$(EXPECTED_HASH)
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement
+ccflags-y += -Wno-declaration-after-statement

kernel/allowlist.c

@@ -1,27 +1,92 @@
-#include "linux/delay.h"
+#include "ksu.h"
+#include "linux/compiler.h"
 #include "linux/fs.h"
+#include "linux/gfp.h"
 #include "linux/kernel.h"
 #include "linux/list.h"
 #include "linux/printk.h"
 #include "linux/slab.h"
+#include "linux/types.h"
+#include "linux/version.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+#include "linux/compiler_types.h"
+#endif
 
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
+#include "kernel_compat.h"
+#include "allowlist.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
-#define FILE_FORMAT_VERSION 1 // u32
+#define FILE_FORMAT_VERSION 3 // u32
+
+#define KSU_APP_PROFILE_PRESERVE_UID 9999 // NOBODY_UID
+#define KSU_DEFAULT_SELINUX_DOMAIN "u:r:su:s0"
 
 static DEFINE_MUTEX(allowlist_mutex);
 
+// default profiles, these may be used frequently, so we cache it
+static struct root_profile default_root_profile;
+static struct non_root_profile default_non_root_profile;
+
+static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly __aligned(PAGE_SIZE);
+static int allow_list_pointer __read_mostly = 0;
+
+static void remove_uid_from_arr(uid_t uid)
+{
+	int *temp_arr;
+	int i, j;
+
+	if (allow_list_pointer == 0)
+		return;
+
+	temp_arr = kmalloc(sizeof(allow_list_arr), GFP_KERNEL);
+	if (temp_arr == NULL) {
+		pr_err("%s: unable to allocate memory\n", __func__);
+		return;
+	}
+
+	for (i = j = 0; i < allow_list_pointer; i++) {
+		if (allow_list_arr[i] == uid)
+			continue;
+		temp_arr[j++] = allow_list_arr[i];
+	}
+
+	allow_list_pointer = j;
+
+	for (; j < ARRAY_SIZE(allow_list_arr); j++)
+		temp_arr[j] = -1;
+
+	memcpy(&allow_list_arr, temp_arr, PAGE_SIZE);
+	kfree(temp_arr);
+}
+
+static void init_default_profiles()
+{
+	default_root_profile.uid = 0;
+	default_root_profile.gid = 0;
+	default_root_profile.groups_count = 1;
+	default_root_profile.groups[0] = 0;
+	memset(&default_root_profile.capabilities, 0xff,
+	       sizeof(default_root_profile.capabilities));
+	default_root_profile.namespaces = 0;
+	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+
+	// This means that we will umount modules by default!
+	default_non_root_profile.umount_modules = true;
+}
+
 struct perm_data {
 	struct list_head list;
-	uid_t uid;
-	bool allow;
+	struct app_profile profile;
 };
 
 static struct list_head allow_list;
 
-#define KERNEL_SU_ALLOWLIST "/data/adb/.ksu_allowlist"
+static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE);
+#define BITMAP_UID_MAX ((sizeof(allow_list_bitmap) * BITS_PER_BYTE) - 1)
+
+#define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"
 
 static struct work_struct ksu_save_work;
 static struct work_struct ksu_load_work;
@@ -35,65 +100,231 @@ void ksu_show_allow_list(void)
 	pr_info("ksu_show_allow_list");
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("uid :%d, allow: %d\n", p->uid, p->allow);
+		pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
+			p->profile.allow_su);
 	}
 }
 
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
+#ifdef CONFIG_KSU_DEBUG
+static void ksu_grant_root_to_shell()
+{
+	struct app_profile profile = {
+		.allow_su = true,
+		.current_uid = 2000,
+	};
+	strcpy(profile.key, "com.android.shell");
+	strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+	ksu_set_app_profile(&profile, false);
+}
+#endif
+
+bool ksu_get_app_profile(struct app_profile *profile)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	bool found = false;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		bool uid_match = profile->current_uid == p->profile.current_uid;
+		if (uid_match) {
+			// found it, override it with ours
+			memcpy(profile, &p->profile, sizeof(*profile));
+			found = true;
+			goto exit;
+		}
+	}
+
+exit:
+	return found;
+}
+
+static inline bool forbid_system_uid(uid_t uid) {
+	#define SHELL_UID 2000
+	#define SYSTEM_UID 1000
+	return uid < SHELL_UID && uid != SYSTEM_UID;
+}
+
+static bool profile_valid(struct app_profile *profile)
+{
+	if (!profile) {
+		return false;
+	}
+
+	if (forbid_system_uid(profile->current_uid)) {
+		pr_err("uid lower than 2000 is unsupported: %d\n", profile->current_uid);
+		return false;
+	}
+
+	if (profile->version < KSU_APP_PROFILE_VER) {
+		pr_info("Unsupported profile version: %d\n", profile->version);
+		return false;
+	}
+
+	if (profile->allow_su) {
+		if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
+			return false;
+		}
+
+		if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+bool ksu_set_app_profile(struct app_profile *profile, bool persist)
 {
-	// find the node first!
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	bool result = false;
+
+	if (!profile_valid(profile)) {
+		pr_err("Failed to set app profile: invalid profile!\n");
+		return false;
+	}
+
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		if (uid == p->uid) {
-			p->allow = allow;
+		// both uid and package must match, otherwise it will break multiple package with different user id
+		if (profile->current_uid == p->profile.current_uid &&
+		    !strcmp(profile->key, p->profile.key)) {
+			// found it, just override it all!
+			memcpy(&p->profile, profile, sizeof(*profile));
 			result = true;
-			goto exit;
+			goto out;
 		}
 	}
 
 	// not found, alloc a new node!
 	p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
 	if (!p) {
-		pr_err("alloc allow node failed.\n");
+		pr_err("ksu_set_app_profile alloc failed\n");
 		return false;
 	}
-	p->uid = uid;
-	p->allow = allow;
 
+	memcpy(&p->profile, profile, sizeof(*profile));
+	if (profile->allow_su) {
+		pr_info("set root profile, key: %s, uid: %d, gid: %d, context: %s\n",
+			profile->key, profile->current_uid,
+			profile->rp_config.profile.gid,
+			profile->rp_config.profile.selinux_domain);
+	} else {
+		pr_info("set app profile, key: %s, uid: %d, umount modules: %d\n",
+			profile->key, profile->current_uid,
+			profile->nrp_config.profile.umount_modules);
+	}
 	list_add_tail(&p->list, &allow_list);
+
+out:
+	if (profile->current_uid <= BITMAP_UID_MAX) {
+		if (profile->allow_su)
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |= 1 << (profile->current_uid % BITS_PER_BYTE);
+		else
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &= ~(1 << (profile->current_uid % BITS_PER_BYTE));
+	} else {
+		if (profile->allow_su) {
+			/*
+			 * 1024 apps with uid higher than BITMAP_UID_MAX
+			 * registered to request superuser?
+			 */
+			if (allow_list_pointer >= ARRAY_SIZE(allow_list_arr)) {
+				pr_err("too many apps registered\n");
+				WARN_ON(1);
+				return false;
+			}
+			allow_list_arr[allow_list_pointer++] = profile->current_uid;
+		} else {
+			remove_uid_from_arr(profile->current_uid);
+		}
+	}
 	result = true;
 
-exit:
+	// check if the default profiles is changed, cache it to a single struct to accelerate access.
+	if (unlikely(!strcmp(profile->key, "$"))) {
+		// set default non root profile
+		memcpy(&default_non_root_profile, &profile->nrp_config.profile,
+		       sizeof(default_non_root_profile));
+	}
+
+	if (unlikely(!strcmp(profile->key, "#"))) {
+		// set default root profile
+		memcpy(&default_root_profile, &profile->rp_config.profile,
+		       sizeof(default_root_profile));
+	}
+
 	if (persist)
 		persistent_allow_list();
 
 	return result;
 }
 
-bool ksu_is_allow_uid(uid_t uid)
+bool __ksu_is_allow_uid(uid_t uid)
 {
-	struct perm_data *p = NULL;
-	struct list_head *pos = NULL;
+	int i;
 
-	if (uid == 0) {
+	if (unlikely(uid == 0)) {
 		// already root, but only allow our domain.
 		return is_ksu_domain();
 	}
 
-	list_for_each (pos, &allow_list) {
-		p = list_entry(pos, struct perm_data, list);
-		// pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
-		if (uid == p->uid) {
-			return p->allow;
+	if (forbid_system_uid(uid)) {
+		// do not bother going through the list if it's system
+		return false;
+	}
+
+	if (likely(uid <= BITMAP_UID_MAX)) {
+		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] & (1 << (uid % BITS_PER_BYTE)));
+	} else {
+		for (i = 0; i < allow_list_pointer; i++) {
+			if (allow_list_arr[i] == uid)
+				return true;
 		}
 	}
 
 	return false;
 }
 
+bool ksu_uid_should_umount(uid_t uid)
+{
+	struct app_profile profile = { .current_uid = uid };
+	bool found = ksu_get_app_profile(&profile);
+	if (!found) {
+		// no app profile found, it must be non root app
+		return default_non_root_profile.umount_modules;
+	}
+	if (profile.allow_su) {
+		// if found and it is granted to su, we shouldn't umount for it
+		return false;
+	} else {
+		// found an app profile
+		if (profile.nrp_config.use_default) {
+			return default_non_root_profile.umount_modules;
+		} else {
+			return profile.nrp_config.profile.umount_modules;
+		}
+	}
+}
+
+struct root_profile *ksu_get_root_profile(uid_t uid)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		if (uid == p->profile.current_uid && p->profile.allow_su) {
+			if (!p->profile.rp_config.use_default) {
+				return &p->profile.rp_config.profile;
+			}
+		}
+	}
+
+	// use default profile
+	return &default_root_profile;
+}
+
 bool ksu_get_allow_list(int *array, int *length, bool allow)
 {
 	struct perm_data *p = NULL;
@@ -101,9 +332,9 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	int i = 0;
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
-		if (p->allow == allow) {
-			array[i++] = p->uid;
+		// pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
+		if (p->profile.allow_su == allow) {
+			array[i++] = p->profile.current_uid;
 		}
 	}
 	*length = i;
@@ -111,7 +342,7 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	return true;
 }
 
-void do_persistent_allow_list(struct work_struct *work)
+void do_save_allow_list(struct work_struct *work)
 {
 	u32 magic = FILE_MAGIC;
 	u32 version = FILE_FORMAT_VERSION;
@@ -120,20 +351,20 @@ void do_persistent_allow_list(struct work_struct *work)
 	loff_t off = 0;
 
 	struct file *fp =
-		filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
-
+		ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 	if (IS_ERR(fp)) {
-		pr_err("save_allow_list creat file failed: %d\n", PTR_ERR(fp));
+		pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// store magic and version
-	if (kernel_write(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
+	    sizeof(magic)) {
 		pr_err("save_allow_list write magic failed.\n");
 		goto exit;
 	}
 
-	if (kernel_write(fp, &version, sizeof(version), &off) !=
+	if (ksu_kernel_write_compat(fp, &version, sizeof(version), &off) !=
 	    sizeof(version)) {
 		pr_err("save_allow_list write version failed.\n");
 		goto exit;
@@ -141,10 +372,12 @@ void do_persistent_allow_list(struct work_struct *work)
 
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("save allow list uid :%d, allow: %d\n", p->uid,
-			p->allow);
-		kernel_write(fp, &p->uid, sizeof(p->uid), &off);
-		kernel_write(fp, &p->allow, sizeof(p->allow), &off);
+		pr_info("save allow list, name: %s uid :%d, allow: %d\n",
+			p->profile.key, p->profile.current_uid,
+			p->profile.allow_su);
+
+		ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
+					&off);
 	}
 
 exit:
@@ -159,48 +392,27 @@ void do_load_allow_list(struct work_struct *work)
 	u32 magic;
 	u32 version;
 
-	fp = filp_open("/data/adb/", O_RDONLY, 0);
-	if (IS_ERR(fp)) {
-		int errno = PTR_ERR(fp);
-		pr_err("load_allow_list open '/data/adb': %d\n", PTR_ERR(fp));
-		if (errno == -ENOENT) {
-			msleep(2000);
-			ksu_queue_work(&ksu_load_work);
-			return;
-		} else {
-			pr_info("load_allow list dir exist now!");
-		}
-	} else {
-		filp_close(fp, 0);
-	}
+#ifdef CONFIG_KSU_DEBUG
+	// always allow adb shell by default
+	ksu_grant_root_to_shell();
+#endif
 
 	// load allowlist now!
-	fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
-
+	fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
-#ifdef CONFIG_KSU_DEBUG
-		int errno = PTR_ERR(fp);
-		if (errno == -ENOENT) {
-			ksu_allow_uid(2000, true,
-				      true); // allow adb shell by default
-		} else {
-			pr_err("load_allow_list open file failed: %d\n",
-			       PTR_ERR(fp));
-		}
-#else
-		pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
-#endif
+		pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// verify magic
-	if (kernel_read(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
+		    sizeof(magic) ||
 	    magic != FILE_MAGIC) {
 		pr_err("allowlist file invalid: %d!\n", magic);
 		goto exit;
 	}
 
-	if (kernel_read(fp, &version, sizeof(version), &off) !=
+	if (ksu_kernel_read_compat(fp, &version, sizeof(version), &off) !=
 	    sizeof(version)) {
 		pr_err("allowlist read version: %d failed\n", version);
 		goto exit;
@@ -209,18 +421,19 @@ void do_load_allow_list(struct work_struct *work)
 	pr_info("allowlist version: %d\n", version);
 
 	while (true) {
-		u32 uid;
-		bool allow = false;
-		ret = kernel_read(fp, &uid, sizeof(uid), &off);
+		struct app_profile profile;
+
+		ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
+					     &off);
+
 		if (ret <= 0) {
-			pr_info("load_allow_list read err: %d\n", ret);
+			pr_info("load_allow_list read err: %zd\n", ret);
 			break;
 		}
-		ret = kernel_read(fp, &allow, sizeof(allow), &off);
 
-		pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
-
-		ksu_allow_uid(uid, allow, false);
+		pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
+			profile.key, profile.current_uid, profile.allow_su);
+		ksu_set_app_profile(&profile, false);
 	}
 
 exit:
@@ -237,11 +450,16 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
 	// TODO: use RCU!
 	mutex_lock(&allowlist_mutex);
 	list_for_each_entry_safe (np, n, &allow_list, list) {
-		uid_t uid = np->uid;
-		if (!is_uid_exist(uid, data)) {
+		uid_t uid = np->profile.current_uid;
+		// we use this uid for special cases, don't prune it!
+		bool is_preserved_uid = uid == KSU_APP_PROFILE_PRESERVE_UID;
+		if (!is_preserved_uid && !is_uid_exist(uid, data)) {
 			modified = true;
 			pr_info("prune uid: %d\n", uid);
 			list_del(&np->list);
+			allow_list_bitmap[uid / BITS_PER_BYTE] &= ~(1 << (uid % BITS_PER_BYTE));
+			remove_uid_from_arr(uid);
+			smp_mb();
 			kfree(np);
 		}
 	}
@@ -265,10 +483,20 @@ bool ksu_load_allow_list(void)
 
 void ksu_allowlist_init(void)
 {
+	int i;
+
+	BUILD_BUG_ON(sizeof(allow_list_bitmap) != PAGE_SIZE);
+	BUILD_BUG_ON(sizeof(allow_list_arr) != PAGE_SIZE);
+
+	for (i = 0; i < ARRAY_SIZE(allow_list_arr); i++)
+		allow_list_arr[i] = -1;
+
 	INIT_LIST_HEAD(&allow_list);
 
-	INIT_WORK(&ksu_save_work, do_persistent_allow_list);
+	INIT_WORK(&ksu_save_work, do_save_allow_list);
 	INIT_WORK(&ksu_load_work, do_load_allow_list);
+
+	init_default_profiles();
 }
 
 void ksu_allowlist_exit(void)
@@ -276,7 +504,7 @@ void ksu_allowlist_exit(void)
 	struct perm_data *np = NULL;
 	struct perm_data *n = NULL;
 
-	do_persistent_allow_list(NULL);
+	do_save_allow_list(NULL);
 
 	// free allowlist
 	mutex_lock(&allowlist_mutex);
@@ -285,4 +513,4 @@ void ksu_allowlist_exit(void)
 		kfree(np);
 	}
 	mutex_unlock(&allowlist_mutex);
-}
+}

kernel/allowlist.h

@@ -2,6 +2,7 @@
 #define __KSU_H_ALLOWLIST
 
 #include "linux/types.h"
+#include "ksu.h"
 
 void ksu_allowlist_init(void);
 
@@ -11,12 +12,16 @@ bool ksu_load_allow_list(void);
 
 void ksu_show_allow_list(void);
 
-bool ksu_is_allow_uid(uid_t uid);
-
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist);
+bool __ksu_is_allow_uid(uid_t uid);
+#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
 
 bool ksu_get_allow_list(int *array, int *length, bool allow);
 
 void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
 
-#endif
+bool ksu_get_app_profile(struct app_profile *);
+bool ksu_set_app_profile(struct app_profile *, bool persist);
+
+bool ksu_uid_should_umount(uid_t uid);
+struct root_profile *ksu_get_root_profile(uid_t uid);
+#endif

kernel/apk_sign.c

@@ -3,6 +3,7 @@
 
 #include "apk_sign.h"
 #include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h"
 
 static __always_inline int
 check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
@@ -14,21 +15,25 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 	loff_t pos;
 
 	int sign = -1;
-	struct file *fp = filp_open(path, O_RDONLY, 0);
+	int i;
+	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("open %s error.", path);
 		return PTR_ERR(fp);
 	}
 
+	// disable inotify for this file
+	fp->f_mode |= FMODE_NONOTIFY;
+
 	sign = 1;
 	// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
-	for (int i = 0;; ++i) {
+	for (i = 0;; ++i) {
 		unsigned short n;
 		pos = generic_file_llseek(fp, -i - 2, SEEK_END);
-		kernel_read(fp, &n, 2, &pos);
+		ksu_kernel_read_compat(fp, &n, 2, &pos);
 		if (n == i) {
 			pos -= 22;
-			kernel_read(fp, &size4, 4, &pos);
+			ksu_kernel_read_compat(fp, &size4, 4, &pos);
 			if ((size4 ^ 0xcafebabeu) == 0xccfbf1eeu) {
 				break;
 			}
@@ -41,17 +46,17 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 
 	pos += 12;
 	// offset
-	kernel_read(fp, &size4, 0x4, &pos);
+	ksu_kernel_read_compat(fp, &size4, 0x4, &pos);
 	pos = size4 - 0x18;
 
-	kernel_read(fp, &size8, 0x8, &pos);
-	kernel_read(fp, buffer, 0x10, &pos);
+	ksu_kernel_read_compat(fp, &size8, 0x8, &pos);
+	ksu_kernel_read_compat(fp, buffer, 0x10, &pos);
 	if (strcmp((char *)buffer, "APK Sig Block 42")) {
 		goto clean;
 	}
 
 	pos = size4 - (size8 + 0x8);
-	kernel_read(fp, &size_of_block, 0x8, &pos);
+	ksu_kernel_read_compat(fp, &size_of_block, 0x8, &pos);
 	if (size_of_block != size8) {
 		goto clean;
 	}
@@ -59,37 +64,37 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 	for (;;) {
 		uint32_t id;
 		uint32_t offset;
-		kernel_read(fp, &size8, 0x8, &pos); // sequence length
+		ksu_kernel_read_compat(fp, &size8, 0x8, &pos); // sequence length
 		if (size8 == size_of_block) {
 			break;
 		}
-		kernel_read(fp, &id, 0x4, &pos); // id
+		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
 		offset = 4;
 		pr_info("id: 0x%08x\n", id);
 		if ((id ^ 0xdeadbeefu) == 0xafa439f5u ||
 		    (id ^ 0xdeadbeefu) == 0x2efed62f) {
-			kernel_read(fp, &size4, 0x4,
+			ksu_kernel_read_compat(fp, &size4, 0x4,
 				    &pos); // signer-sequence length
-			kernel_read(fp, &size4, 0x4, &pos); // signer length
-			kernel_read(fp, &size4, 0x4,
+			ksu_kernel_read_compat(fp, &size4, 0x4, &pos); // signer length
+			ksu_kernel_read_compat(fp, &size4, 0x4,
 				    &pos); // signed data length
 			offset += 0x4 * 3;
 
-			kernel_read(fp, &size4, 0x4,
+			ksu_kernel_read_compat(fp, &size4, 0x4,
 				    &pos); // digests-sequence length
 			pos += size4;
 			offset += 0x4 + size4;
 
-			kernel_read(fp, &size4, 0x4,
+			ksu_kernel_read_compat(fp, &size4, 0x4,
 				    &pos); // certificates length
-			kernel_read(fp, &size4, 0x4,
+			ksu_kernel_read_compat(fp, &size4, 0x4,
 				    &pos); // certificate length
 			offset += 0x4 * 2;
 #if 0
 			int hash = 1;
 			signed char c;
-			for (unsigned i = 0; i < size4; ++i) {
-				kernel_read(fp, &c, 0x1, &pos);
+			for (i = 0; i < size4; ++i) {
+				ksu_kernel_read_compat(fp, &c, 0x1, &pos);
 				hash = 31 * hash + c;
 			}
 			offset += size4;
@@ -98,8 +103,8 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 			if (size4 == expected_size) {
 				int hash = 1;
 				signed char c;
-				for (unsigned i = 0; i < size4; ++i) {
-					kernel_read(fp, &c, 0x1, &pos);
+				for (i = 0; i < size4; ++i) {
+					ksu_kernel_read_compat(fp, &c, 0x1, &pos);
 					hash = 31 * hash + c;
 				}
 				offset += size4;
@@ -172,4 +177,4 @@ int is_manager_apk(char *path)
 	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
 }
 
-#endif
+#endif

kernel/apk_sign.h

@@ -4,4 +4,4 @@
 // return 0 if signature match
 int is_manager_apk(char *path);
 
-#endif
+#endif

kernel/arch.h

@@ -8,7 +8,8 @@
 #define __PT_PARM1_REG regs[0]
 #define __PT_PARM2_REG regs[1]
 #define __PT_PARM3_REG regs[2]
-#define __PT_PARM4_REG regs[3]
+#define __PT_SYSCALL_PARM4_REG regs[3]
+#define __PT_CCALL_PARM4_REG regs[3]
 #define __PT_PARM5_REG regs[4]
 #define __PT_PARM6_REG regs[5]
 #define __PT_RET_REG regs[30]
@@ -29,8 +30,8 @@
 #define __PT_PARM2_REG si
 #define __PT_PARM3_REG dx
 /* syscall uses r10 for PARM4 */
-#define __PT_PARM4_REG r10
-// #define __PT_PARM4_REG cx
+#define __PT_SYSCALL_PARM4_REG r10
+#define __PT_CCALL_PARM4_REG cx
 #define __PT_PARM5_REG r8
 #define __PT_PARM6_REG r9
 #define __PT_RET_REG sp
@@ -56,7 +57,8 @@
 #define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
 #define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
 #define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
-#define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG)
+#define PT_REGS_SYSCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_SYSCALL_PARM4_REG)
+#define PT_REGS_CCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_CCALL_PARM4_REG)
 #define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
 #define PT_REGS_PARM6(x) (__PT_REGS_CAST(x)->__PT_PARM6_REG)
 #define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)

kernel/core_hook.c

@@ -1,13 +1,18 @@
+#include "linux/capability.h"
 #include "linux/cred.h"
+#include "linux/dcache.h"
 #include "linux/err.h"
 #include "linux/init.h"
 #include "linux/kernel.h"
 #include "linux/kprobes.h"
 #include "linux/lsm_hooks.h"
+#include "linux/nsproxy.h"
+#include "linux/path.h"
 #include "linux/printk.h"
 #include "linux/uaccess.h"
 #include "linux/uidgid.h"
 #include "linux/version.h"
+#include "linux/mount.h"
 
 #include "linux/fs.h"
 #include "linux/namei.h"
@@ -22,6 +27,7 @@
 #include "manager.h"
 #include "selinux/selinux.h"
 #include "uid_observer.h"
+#include "kernel_compat.h"
 
 extern int handle_sepolicy(unsigned long arg3, void __user *arg4);
 
@@ -34,26 +40,99 @@ static inline bool is_allow_su()
 	return ksu_is_allow_uid(current_uid().val);
 }
 
+static inline bool is_isolated_uid(uid_t uid)
+{
+#define FIRST_ISOLATED_UID 99000
+#define LAST_ISOLATED_UID 99999
+#define FIRST_APP_ZYGOTE_ISOLATED_UID 90000
+#define LAST_APP_ZYGOTE_ISOLATED_UID 98999
+	uid_t appid = uid % 100000;
+	return (appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID) ||
+	       (appid >= FIRST_APP_ZYGOTE_ISOLATED_UID &&
+		appid <= LAST_APP_ZYGOTE_ISOLATED_UID);
+}
+
 static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
 
+static void setup_groups(struct root_profile *profile, struct cred *cred)
+{
+	if (profile->groups_count > KSU_MAX_GROUPS) {
+		pr_warn("Failed to setgroups, too large group: %d!\n",
+			profile->uid);
+		return;
+	}
+
+	if (profile->groups_count == 1 && profile->groups[0] == 0) {
+		// setgroup to root and return early.
+		if (cred->group_info)
+			put_group_info(cred->group_info);
+		cred->group_info = get_group_info(&root_groups);
+		return;
+	}
+
+	u32 ngroups = profile->groups_count;
+	struct group_info *group_info = groups_alloc(ngroups);
+	if (!group_info) {
+		pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+		return;
+	}
+
+	int i;
+	for (i = 0; i < ngroups; i++) {
+		gid_t gid = profile->groups[i];
+		kgid_t kgid = make_kgid(current_user_ns(), gid);
+		if (!gid_valid(kgid)) {
+			pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+			put_group_info(group_info);
+			return;
+		}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
+		group_info->gid[i] = kgid;
+#else
+		GROUP_AT(group_info, i) = kgid;
+#endif
+	}
+
+	groups_sort(group_info);
+	set_groups(cred, group_info);
+}
+
 void escape_to_root(void)
 {
 	struct cred *cred;
 
 	cred = (struct cred *)__task_cred(current);
 
-	memset(&cred->uid, 0, sizeof(cred->uid));
-	memset(&cred->gid, 0, sizeof(cred->gid));
-	memset(&cred->suid, 0, sizeof(cred->suid));
-	memset(&cred->euid, 0, sizeof(cred->euid));
-	memset(&cred->egid, 0, sizeof(cred->egid));
-	memset(&cred->fsuid, 0, sizeof(cred->fsuid));
-	memset(&cred->fsgid, 0, sizeof(cred->fsgid));
-	memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
-	memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
-	memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
-	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
-	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
+	if (cred->euid.val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
+
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
+
+	// capabilities
+	memcpy(&cred->cap_effective, &profile->capabilities.effective,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
+	       sizeof(cred->cap_inheritable));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
+	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
+	       sizeof(cred->cap_ambient));
 
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
@@ -62,15 +141,16 @@ void escape_to_root(void)
 #else
 	current_thread_info()->flags &= ~(TIF_SECCOMP | _TIF_SECCOMP);
 #endif
+
+#ifdef CONFIG_SECCOMP
 	current->seccomp.mode = 0;
 	current->seccomp.filter = NULL;
+#else
+#endif
 
-	// setgroup to root
-	if (cred->group_info)
-		put_group_info(cred->group_info);
-	cred->group_info = get_group_info(&root_groups);
+	setup_groups(profile, cred);
 
-	setup_selinux();
+	setup_selinux(profile->selinux_domain);
 }
 
 int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
@@ -123,7 +203,17 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
-	pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+	// always ignore isolated app uid
+	if (is_isolated_uid(current_uid().val)) {
+		return 0;
+	}
+
+	static uid_t last_failed_uid = -1;
+	if (last_failed_uid == current_uid().val) {
+		return 0;
+	}
+
+	// pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
 
 	if (arg2 == CMD_BECOME_MANAGER) {
 		// quick check
@@ -140,14 +230,26 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		}
 
 		// someone wants to be root manager, just check it!
-		// arg3 should be `/data/data/<manager_package_name>`
+		// arg3 should be `/data/user/<userId>/<manager_package_name>`
 		char param[128];
-		const char *prefix = "/data/data/";
 		if (copy_from_user(param, arg3, sizeof(param))) {
 			pr_err("become_manager: copy param err\n");
 			return 0;
 		}
 
+		// for user 0, it is /data/data
+		// for user 999, it is /data/user/999
+		const char *prefix;
+		char prefixTmp[64];
+		int userId = current_uid().val / 100000;
+		if (userId == 0) {
+			prefix = "/data/data";
+		} else {
+			snprintf(prefixTmp, sizeof(prefixTmp), "/data/user/%d",
+				 userId);
+			prefix = prefixTmp;
+		}
+
 		if (startswith(param, (char *)prefix) != 0) {
 			pr_info("become_manager: invalid param: %s\n", param);
 			return 0;
@@ -185,10 +287,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("grant_root: prctl reply error\n");
 			}
-		} else {
-			pr_info("deny root for: %d\n", current_uid());
-			// add it to deny list!
-			ksu_allow_uid(current_uid().val, false, true);
 		}
 		return 0;
 	}
@@ -199,9 +297,9 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			u32 version = KERNEL_SU_VERSION;
 			if (copy_to_user(arg3, &version, sizeof(version))) {
 				pr_err("prctl reply error, cmd: %d\n", arg2);
-				return 0;
 			}
 		}
+		return 0;
 	}
 
 	if (arg2 == CMD_REPORT_EVENT) {
@@ -233,6 +331,9 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_SET_SEPOLICY) {
+		if (0 != current_uid().val) {
+			return 0;
+		}
 		if (!handle_sepolicy(arg3, arg4)) {
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("sepolicy: prctl reply error\n");
@@ -242,45 +343,207 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
-	// all other cmds are for 'root manager'
-	if (!is_manager()) {
-		pr_info("Only manager can do cmd: %d\n", arg2);
+	if (arg2 == CMD_CHECK_SAFEMODE) {
+		if (!is_manager() && 0 != current_uid().val) {
+			return 0;
+		}
+		if (ksu_is_safe_mode()) {
+			pr_warn("safemode enabled!\n");
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("safemode: prctl reply error\n");
+			}
+		}
 		return 0;
 	}
 
-	// we are already manager
-	if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
-		bool allow = arg2 == CMD_ALLOW_SU;
-		bool success = false;
-		uid_t uid = (uid_t)arg3;
-		success = ksu_allow_uid(uid, allow, true);
-		if (success) {
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("prctl reply error, cmd: %d\n", arg2);
+	if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
+		if (is_manager() || 0 == current_uid().val) {
+			u32 array[128];
+			u32 array_length;
+			bool success =
+				ksu_get_allow_list(array, &array_length,
+						   arg2 == CMD_GET_ALLOW_LIST);
+			if (success) {
+				if (!copy_to_user(arg4, &array_length,
+						  sizeof(array_length)) &&
+				    !copy_to_user(arg3, array,
+						  sizeof(u32) * array_length)) {
+					if (copy_to_user(result, &reply_ok,
+							 sizeof(reply_ok))) {
+						pr_err("prctl reply error, cmd: %d\n",
+						       arg2);
+					}
+				} else {
+					pr_err("prctl copy allowlist error\n");
+				}
 			}
 		}
-		ksu_show_allow_list();
-	} else if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
-		u32 array[128];
-		u32 array_length;
-		bool success = ksu_get_allow_list(array, &array_length,
-						  arg2 == CMD_GET_ALLOW_LIST);
-		if (success) {
-			if (!copy_to_user(arg4, &array_length,
-					  sizeof(array_length)) &&
-			    !copy_to_user(arg3, array,
-					  sizeof(u32) * array_length)) {
+		return 0;
+	}
+
+	if (arg2 == CMD_UID_GRANTED_ROOT || arg2 == CMD_UID_SHOULD_UMOUNT) {
+		if (is_manager() || 0 == current_uid().val) {
+			uid_t target_uid = (uid_t)arg3;
+			bool allow = false;
+			if (arg2 == CMD_UID_GRANTED_ROOT) {
+				allow = ksu_is_allow_uid(target_uid);
+			} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
+				allow = ksu_uid_should_umount(target_uid);
+			} else {
+				pr_err("unknown cmd: %d\n", arg2);
+			}
+			if (!copy_to_user(arg4, &allow, sizeof(allow))) {
 				if (copy_to_user(result, &reply_ok,
-						  sizeof(reply_ok))) {
+						 sizeof(reply_ok))) {
 					pr_err("prctl reply error, cmd: %d\n",
 					       arg2);
 				}
 			} else {
-				pr_err("prctl copy allowlist error\n");
+				pr_err("prctl copy err, cmd: %d\n", arg2);
 			}
 		}
+		return 0;
 	}
 
+	// all other cmds are for 'root manager'
+	if (!is_manager()) {
+		last_failed_uid = current_uid().val;
+		return 0;
+	}
+
+	// we are already manager
+	if (arg2 == CMD_GET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		bool success = ksu_get_app_profile(&profile);
+		if (success) {
+			if (copy_to_user(arg3, &profile, sizeof(profile))) {
+				pr_err("copy profile failed\n");
+				return 0;
+			}
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %d\n", arg2);
+			}
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_SET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		// todo: validate the params
+		if (ksu_set_app_profile(&profile, true)) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %d\n", arg2);
+			}
+		}
+		return 0;
+	}
+
+	return 0;
+}
+
+static bool is_appuid(kuid_t uid)
+{
+#define PER_USER_RANGE 100000
+#define FIRST_APPLICATION_UID 10000
+#define LAST_APPLICATION_UID 19999
+
+	uid_t appid = uid.val % PER_USER_RANGE;
+	return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
+}
+
+static bool should_umount(struct path *path)
+{
+	if (!path) {
+		return false;
+	}
+
+	if (current->nsproxy->mnt_ns == init_nsproxy.mnt_ns) {
+		pr_info("ignore global mnt namespace process: %d\n",
+			current_uid().val);
+		return false;
+	}
+
+	if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) {
+		const char *fstype = path->mnt->mnt_sb->s_type->name;
+		return strcmp(fstype, "overlay") == 0;
+	}
+	return false;
+}
+
+static void try_umount(const char *mnt)
+{
+	struct path path;
+	int err = kern_path(mnt, 0, &path);
+	if (err) {
+		return;
+	}
+
+	// we are only interest in some specific mounts
+	if (!should_umount(&path)) {
+		return;
+	}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	err = path_umount(&path, 0);
+	if (err) {
+		pr_info("umount %s failed: %d\n", mnt, err);
+	}
+#endif
+}
+
+int ksu_handle_setuid(struct cred *new, const struct cred *old)
+{
+	if (!new || !old) {
+		return 0;
+	}
+
+	kuid_t new_uid = new->uid;
+	kuid_t old_uid = old->uid;
+
+	if (0 != old_uid.val) {
+		// old process is not root, ignore it.
+		return 0;
+	}
+
+	// todo: check old process's selinux context, if it is not zygote, ignore it!
+
+	if (!is_appuid(new_uid)) {
+		// pr_info("handle setuid ignore non application uid: %d\n", new_uid.val);
+		return 0;
+	}
+
+	if (ksu_is_allow_uid(new_uid.val)) {
+		// pr_info("handle setuid ignore allowed application: %d\n", new_uid.val);
+		return 0;
+	}
+
+	if (!ksu_uid_should_umount(new_uid.val)) {
+		return 0;
+	} else {
+#ifdef CONFIG_KSU_DEBUG
+		pr_info("uid: %d should not umount!\n", current_uid().val);
+#endif
+	}
+
+	// umount the target mnt
+	pr_info("handle umount for uid: %d\n", new_uid.val);
+
+	// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
+	// filter the mountpoint whose target is `/data/adb`
+	try_umount("/system");
+	try_umount("/vendor");
+	try_umount("/product");
+
 	return 0;
 }
 
@@ -296,7 +559,14 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int option = (int)PT_REGS_PARM1(real_regs);
 	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
 	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
-	unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+	// PRCTL_SYMBOL is the arch-specificed one, which receive raw pt_regs from syscall
+	unsigned long arg4 = (unsigned long)PT_REGS_SYSCALL_PARM4(real_regs);
+#else
+	// PRCTL_SYMBOL is the common one, called by C convention in do_syscall_64
+	// https://elixir.bootlin.com/linux/v4.15.18/source/arch/x86/entry/common.c#L287
+	unsigned long arg4 = (unsigned long)PT_REGS_CCALL_PARM4(real_regs);
+#endif
 	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
 
 	return ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
@@ -316,7 +586,7 @@ static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	struct dentry *new_entry = rd->new_dentry;
 #else
 	struct dentry *old_entry = (struct dentry *)PT_REGS_PARM2(regs);
-	struct dentry *new_entry = (struct dentry *)PT_REGS_PARM4(regs);
+	struct dentry *new_entry = (struct dentry *)PT_REGS_CCALL_PARM4(regs);
 #endif
 
 	return ksu_handle_rename(old_entry, new_entry);
@@ -356,16 +626,42 @@ static int ksu_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 	ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
 	return -ENOSYS;
 }
-
+// kernel 4.4 and 4.9
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
+			      unsigned perm)
+{
+	if (init_session_keyring != NULL) {
+		return 0;
+	}
+	if (strcmp(current->comm, "init")) {
+		// we are only interested in `init` process
+		return 0;
+	}
+	init_session_keyring = cred->session_keyring;
+	pr_info("kernel_compat: got init_session_keyring");
+	return 0;
+}
+#endif
 static int ksu_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
 			    struct inode *new_inode, struct dentry *new_dentry)
 {
 	return ksu_handle_rename(old_dentry, new_dentry);
 }
 
+static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
+			       int flags)
+{
+	return ksu_handle_setuid(new, old);
+}
+
 static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
+	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+	LSM_HOOK_INIT(key_permission, ksu_key_permission)
+#endif
 };
 
 void __init ksu_lsm_hook_init(void)
@@ -395,4 +691,4 @@ void ksu_core_exit(void)
 	pr_info("ksu_kprobe_exit\n");
 	ksu_kprobe_exit();
 #endif
-}
+}

kernel/embed_ksud.c

@@ -2,4 +2,4 @@
 // This file will be regenerated by CI
 
 unsigned int ksud_size = 0;
-const char ksud[0] = {};
+const char ksud[0] = {};

kernel/export_symbol.txt

@@ -1,2 +1,2 @@
 register_kprobe
-unregister_kprobe
+unregister_kprobe

kernel/include/ksu_hook.h

@@ -21,4 +21,8 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
 			void *envp, int *flags);
 
-#endif
+// For volume button
+int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, 
+				  int *value);
+
+#endif

kernel/kernel_compat.c

@@ -0,0 +1,135 @@
+#include "linux/version.h"
+#include "linux/fs.h"
+#include "linux/nsproxy.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include "linux/sched/task.h"
+#else
+#include "linux/sched.h"
+#endif
+#include "klog.h" // IWYU pragma: keep
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#include "linux/key.h"
+#include "linux/errno.h"
+struct key *init_session_keyring = NULL;
+
+static inline int install_session_keyring(struct key *keyring)
+{
+	struct cred *new;
+	int ret;
+
+	new = prepare_creds();
+	if (!new)
+		return -ENOMEM;
+
+	ret = install_session_keyring_to_cred(new, keyring);
+	if (ret < 0) {
+		abort_creds(new);
+		return ret;
+	}
+
+	return commit_creds(new);
+}
+#endif
+
+extern struct task_struct init_task;
+
+// mnt_ns context switch for environment that android_init->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns, such as WSA
+struct ksu_ns_fs_saved {
+	struct nsproxy *ns;
+	struct fs_struct *fs;
+};
+
+static void ksu_save_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	ns_fs_saved->ns = current->nsproxy;
+	ns_fs_saved->fs = current->fs;
+}
+
+static void ksu_load_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	current->nsproxy = ns_fs_saved->ns;
+	current->fs = ns_fs_saved->fs;
+}
+
+static bool android_context_saved_checked = false;
+static bool android_context_saved_enabled = false;
+static struct ksu_ns_fs_saved android_context_saved;
+
+void ksu_android_ns_fs_check()
+{
+	if (android_context_saved_checked)
+		return;
+	android_context_saved_checked = true;
+	task_lock(current);
+	if (current->nsproxy && current->fs &&
+	    current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns) {
+		android_context_saved_enabled = true;
+		pr_info("android context saved enabled due to init mnt_ns(%p) != android mnt_ns(%p)\n",
+			current->nsproxy->mnt_ns, init_task.nsproxy->mnt_ns);
+		ksu_save_ns_fs(&android_context_saved);
+	} else {
+		pr_info("android context saved disabled\n");
+	}
+	task_unlock(current);
+}
+
+struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
+{
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+	static bool keyring_installed = false;
+	if (init_session_keyring != NULL && !keyring_installed &&
+	    (current->flags & PF_WQ_WORKER)) {
+		pr_info("installing init session keyring for older kernel\n");
+		install_session_keyring(init_session_keyring);
+		keyring_installed = true;
+	}
+#endif
+	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
+	struct ksu_ns_fs_saved saved;
+	if (android_context_saved_enabled) {
+		pr_info("start switch current nsproxy and fs to android context\n");
+		task_lock(current);
+		ksu_save_ns_fs(&saved);
+		ksu_load_ns_fs(&android_context_saved);
+		task_unlock(current);
+	}
+	struct file *fp = filp_open(filename, flags, mode);
+	if (android_context_saved_enabled) {
+		task_lock(current);
+		ksu_load_ns_fs(&saved);
+		task_unlock(current);
+		pr_info("switch current nsproxy and fs back to saved successfully\n");
+	}
+	return fp;
+}
+
+ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+			       loff_t *pos)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+	return kernel_read(p, buf, count, pos);
+#else
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_read(p, offset, (char *)buf, count);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}
+
+ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
+				loff_t *pos)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+	return kernel_write(p, buf, count, pos);
+#else
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_write(p, buf, count, offset);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}

kernel/kernel_compat.h

@@ -0,0 +1,26 @@
+#ifndef __KSU_H_KERNEL_COMPAT
+#define __KSU_H_KERNEL_COMPAT
+
+#include "linux/fs.h"
+#include "linux/key.h"
+#include "linux/version.h"
+#include "linux/uaccess.h"
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+#define ksu_strncpy_from_user_nofault strncpy_from_user_nofault
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
+#define ksu_strncpy_from_user_nofault strncpy_from_unsafe_user
+#else
+#define ksu_strncpy_from_user_nofault strncpy_from_user
+#endif
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+extern struct key *init_session_keyring;
+#endif
+
+extern void ksu_android_ns_fs_check();
+extern struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode);
+extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos);
+extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos);
+
+#endif

kernel/klog.h

@@ -8,4 +8,4 @@
 #define pr_fmt(fmt) "KernelSU: " fmt
 #endif
 
-#endif
+#endif

kernel/ksu.c

@@ -39,7 +39,7 @@ int __init kernelsu_init(void)
 	pr_alert("*************************************************************");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("**                                                         **");
-	pr_alert("**         You are running DEBUG version of KernelSU       **");
+	pr_alert("**         You are running KernelSU in DEBUG mode          **");
 	pr_alert("**                                                         **");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("*************************************************************");
@@ -57,7 +57,7 @@ int __init kernelsu_init(void)
 	ksu_enable_sucompat();
 	ksu_enable_ksud();
 #else
-#warning("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html")
+	pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
 #endif
 
 	return 0;

kernel/ksu.h

@@ -1,10 +1,10 @@
 #ifndef __KSU_H_KSU
 #define __KSU_H_KSU
 
+#include "linux/types.h"
 #include "linux/workqueue.h"
 
-#define KERNEL_SU_VERSION 14
-
+#define KERNEL_SU_VERSION KSU_VERSION
 #define KERNEL_SU_OPTION 0xDEADBEEF
 
 #define CMD_GRANT_ROOT 0
@@ -16,10 +16,69 @@
 #define CMD_GET_DENY_LIST 6
 #define CMD_REPORT_EVENT 7
 #define CMD_SET_SEPOLICY 8
+#define CMD_CHECK_SAFEMODE 9
+#define CMD_GET_APP_PROFILE 10
+#define CMD_SET_APP_PROFILE 11
+#define CMD_UID_GRANTED_ROOT 12
+#define CMD_UID_SHOULD_UMOUNT 13
 
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2
 
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+struct root_profile {
+	int32_t uid;
+	int32_t gid;
+
+	int32_t groups_count;
+	int32_t groups[KSU_MAX_GROUPS];
+
+	// kernel_cap_t is u32[2] for capabilities v3
+	struct {
+		u64 effective;
+		u64 permitted;
+		u64 inheritable;
+	} capabilities;
+
+	char selinux_domain[KSU_SELINUX_DOMAIN];
+
+	int32_t namespaces;
+};
+
+struct non_root_profile {
+	bool umount_modules;
+};
+
+struct app_profile {
+	// It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+	u32 version;
+
+	// this is usually the package of the app, but can be other value for special apps
+	char key[KSU_MAX_PACKAGE_NAME];
+	int32_t current_uid;
+	bool allow_su;
+
+	union {
+		struct {
+			bool use_default;
+			char template_name[KSU_MAX_PACKAGE_NAME];
+
+			struct root_profile profile;
+		} rp_config;
+
+		struct {
+			bool use_default;
+
+			struct non_root_profile profile;
+		} nrp_config;
+	};
+};
+
 bool ksu_queue_work(struct work_struct *work);
 
 static inline int startswith(char *s, char *prefix)

kernel/ksud.c

@@ -1,8 +1,9 @@
 #include "asm/current.h"
-#include "linux/cred.h"
+#include "linux/compat.h"
 #include "linux/dcache.h"
 #include "linux/err.h"
 #include "linux/fs.h"
+#include "linux/input-event-codes.h"
 #include "linux/kprobes.h"
 #include "linux/printk.h"
 #include "linux/types.h"
@@ -13,39 +14,45 @@
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
+#include "kernel_compat.h"
 #include "selinux/selinux.h"
 
 static const char KERNEL_SU_RC[] =
 	"\n"
 
 	"on post-fs-data\n"
+	"    start logd\n"
 	// We should wait for the post-fs-data finish
-	"    exec u:r:su:s0 root -- /data/adb/ksud post-fs-data\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " post-fs-data\n"
 	"\n"
 
 	"on nonencrypted\n"
-	"    exec u:r:su:s0 root -- /data/adb/ksud services\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
 	"\n"
 
 	"on property:vold.decrypt=trigger_restart_framework\n"
-	"    exec u:r:su:s0 root -- /data/adb/ksud services\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " services\n"
 	"\n"
 
 	"on property:sys.boot_completed=1\n"
-	"    exec u:r:su:s0 root -- /data/adb/ksud boot-completed\n"
+	"    exec u:r:su:s0 root -- " KSUD_PATH " boot-completed\n"
 	"\n"
 
 	"\n";
 
 static void stop_vfs_read_hook();
 static void stop_execve_hook();
+static void stop_input_hook();
 
 #ifdef CONFIG_KPROBES
 static struct work_struct stop_vfs_read_work;
 static struct work_struct stop_execve_hook_work;
+static struct work_struct stop_input_hook_work;
 #else
-static bool vfs_read_hook = true;
-static bool execveat_hook = true;
+bool ksu_vfs_read_hook __read_mostly = true;
+bool ksu_execveat_hook __read_mostly = true;
+bool ksu_input_hook __read_mostly = true;
 #endif
 
 void on_post_fs_data(void)
@@ -56,15 +63,87 @@ void on_post_fs_data(void)
 		return;
 	}
 	done = true;
-	pr_info("ksu_load_allow_list");
+	pr_info("on_post_fs_data!");
 	ksu_load_allow_list();
+	// sanity check, this may influence the performance
+	stop_input_hook();
 }
 
+#define MAX_ARG_STRINGS 0x7FFFFFFF
+struct user_arg_ptr {
+#ifdef CONFIG_COMPAT
+	bool is_compat;
+#endif
+	union {
+		const char __user *const __user *native;
+#ifdef CONFIG_COMPAT
+		const compat_uptr_t __user *compat;
+#endif
+	} ptr;
+};
+
+static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
+{
+	const char __user *native;
+
+#ifdef CONFIG_COMPAT
+	if (unlikely(argv.is_compat)) {
+		compat_uptr_t compat;
+
+		if (get_user(compat, argv.ptr.compat + nr))
+			return ERR_PTR(-EFAULT);
+
+		return compat_ptr(compat);
+	}
+#endif
+
+	if (get_user(native, argv.ptr.native + nr))
+		return ERR_PTR(-EFAULT);
+
+	return native;
+}
+
+/*
+ * count() counts the number of strings in array ARGV.
+ */
+
+ /*
+ * Make sure old GCC compiler can use __maybe_unused,
+ * Test passed in 4.4.x ~ 4.9.x when use GCC.
+ */
+
+static int __maybe_unused count(struct user_arg_ptr argv, int max)
+{
+	int i = 0;
+
+	if (argv.ptr.native != NULL) {
+		for (;;) {
+			const char __user *p = get_user_arg_ptr(argv, i);
+
+			if (!p)
+				break;
+
+			if (IS_ERR(p))
+				return -EFAULT;
+
+			if (i >= max)
+				return -E2BIG;
+			++i;
+
+			if (fatal_signal_pending(current))
+				return -ERESTARTNOHAND;
+			cond_resched();
+		}
+	}
+	return i;
+}
+
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
-			     void *argv, void *envp, int *flags)
+			     struct user_arg_ptr *argv, void *__never_use_envp, int *__never_use_flags)
 {
 #ifndef CONFIG_KPROBES
-	if (!execveat_hook) {
+	if (!ksu_execveat_hook) {
 		return 0;
 	}
 #endif
@@ -73,7 +152,7 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 	static const char app_process[] = "/system/bin/app_process";
 	static bool first_app_process = true;
 	static const char system_bin_init[] = "/system/bin/init";
-	static int init_count = 0;
+	static bool init_second_stage_executed = false;
 
 	if (!filename_ptr)
 		return 0;
@@ -83,21 +162,33 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!memcmp(filename->name, system_bin_init,
-		    sizeof(system_bin_init) - 1)) {
+	if (unlikely(!memcmp(filename->name, system_bin_init,
+		    sizeof(system_bin_init) - 1))) {
 		// /system/bin/init executed
-		if (++init_count == 2) {
-			// 1: /system/bin/init selinux_setup
-			// 2: /system/bin/init second_stage
-			pr_info("/system/bin/init second_stage executed\n");
-			apply_kernelsu_rules();
+		int argc = count(*argv, MAX_ARG_STRINGS);
+		pr_info("/system/bin/init argc: %d\n", argc);
+		if (argc > 1 && !init_second_stage_executed) {
+			const char __user *p = get_user_arg_ptr(*argv, 1);
+			if (p && !IS_ERR(p)) {
+				char first_arg[16];
+                                ksu_strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+				pr_info("first arg: %s\n", first_arg);
+				if (!strcmp(first_arg, "second_stage")) {
+					pr_info("/system/bin/init second_stage executed\n");
+					apply_kernelsu_rules();
+					init_second_stage_executed = true;
+					ksu_android_ns_fs_check();
+				}
+			} else {
+				pr_err("/system/bin/init parse args err!\n");
+			}
 		}
 	}
 
-	if (first_app_process &&
-	    !memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
+	if (unlikely(first_app_process &&
+	    !memcmp(filename->name, app_process, sizeof(app_process) - 1))) {
 		first_app_process = false;
-		pr_info("exec app_process, /data prepared!\n");
+		pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed);
 		on_post_fs_data(); // we keep this for old ksud
 		stop_execve_hook();
 	}
@@ -105,11 +196,40 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 	return 0;
 }
 
+static ssize_t (*orig_read)(struct file *, char __user *, size_t, loff_t *);
+static ssize_t (*orig_read_iter)(struct kiocb *, struct iov_iter *);
+static struct file_operations fops_proxy;
+static ssize_t read_count_append = 0;
+
+static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
+			  loff_t *pos)
+{
+	bool first_read = file->f_pos == 0;
+	ssize_t ret = orig_read(file, buf, count, pos);
+	if (first_read) {
+		pr_info("read_proxy append %ld + %ld", ret, read_count_append);
+		ret += read_count_append;
+	}
+	return ret;
+}
+
+static ssize_t read_iter_proxy(struct kiocb *iocb, struct iov_iter *to)
+{
+	bool first_read = iocb->ki_pos == 0;
+	ssize_t ret = orig_read_iter(iocb, to);
+	if (first_read) {
+		pr_info("read_iter_proxy append %ld + %ld", ret,
+			read_count_append);
+		ret += read_count_append;
+	}
+	return ret;
+}
+
 int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 			size_t *count_ptr, loff_t **pos)
 {
 #ifndef CONFIG_KPROBES
-	if (!vfs_read_hook) {
+	if (!ksu_vfs_read_hook) {
 		return 0;
 	}
 #endif
@@ -177,12 +297,80 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 		return 0;
 	}
 
+	// we've succeed to insert ksud.rc, now we need to proxy the read and modify the result!
+	// But, we can not modify the file_operations directly, because it's in read-only memory.
+	// We just replace the whole file_operations with a proxy one.
+	memcpy(&fops_proxy, file->f_op, sizeof(struct file_operations));
+	orig_read = file->f_op->read;
+	if (orig_read) {
+		fops_proxy.read = read_proxy;
+	}
+	orig_read_iter = file->f_op->read_iter;
+	if (orig_read_iter) {
+		fops_proxy.read_iter = read_iter_proxy;
+	}
+	// replace the file_operations
+	file->f_op = &fops_proxy;
+	read_count_append = rc_count;
+
 	*buf_ptr = buf + rc_count;
 	*count_ptr = count - rc_count;
 
 	return 0;
 }
 
+static unsigned int volumedown_pressed_count = 0;
+
+static bool is_volumedown_enough(unsigned int count)
+{
+	return count >= 3;
+}
+
+int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
+				  int *value)
+{
+#ifndef CONFIG_KPROBES
+	if (!ksu_input_hook) {
+		return 0;
+	}
+#endif
+	if (*type == EV_KEY && *code == KEY_VOLUMEDOWN) {
+		int val = *value;
+		pr_info("KEY_VOLUMEDOWN val: %d\n", val);
+		if (val) {
+			// key pressed, count it
+			volumedown_pressed_count += 1;
+			if (is_volumedown_enough(volumedown_pressed_count)) {
+				stop_input_hook();
+			}
+		}
+	}
+
+	return 0;
+}
+
+bool ksu_is_safe_mode()
+{
+	static bool safe_mode = false;
+	if (safe_mode) {
+		// don't need to check again, userspace may call multiple times
+		return true;
+	}
+
+	// stop hook first!
+	stop_input_hook();
+
+	pr_info("volumedown_pressed_count: %d\n", volumedown_pressed_count);
+	if (is_volumedown_enough(volumedown_pressed_count)) {
+		// pressed over 3 times
+		pr_info("KEY_VOLUMEDOWN pressed max times, safe mode detected!\n");
+		safe_mode = true;
+		return true;
+	}
+
+	return false;
+}
+
 #ifdef CONFIG_KPROBES
 
 // https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
@@ -191,11 +379,19 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
+	struct user_arg_ptr argv;
+#ifdef CONFIG_COMPAT
+	argv.is_compat = PT_REGS_PARM3(regs);
+	if (unlikely(argv.is_compat)) {
+		argv.ptr.compat = PT_REGS_CCALL_PARM4(regs);
+	} else {
+		argv.ptr.native = PT_REGS_CCALL_PARM4(regs);
+	}
+#else
+	argv.ptr.native = PT_REGS_PARM3(regs);
+#endif
 
-	return ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+	return ksu_handle_execveat_ksud(fd, filename_ptr, &argv, NULL, NULL);
 }
 
 static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
@@ -203,19 +399,26 @@ static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	struct file **file_ptr = (struct file **)&PT_REGS_PARM1(regs);
 	char __user **buf_ptr = (char **)&PT_REGS_PARM2(regs);
 	size_t *count_ptr = (size_t *)&PT_REGS_PARM3(regs);
-	loff_t **pos_ptr = (loff_t **)&PT_REGS_PARM4(regs);
+	loff_t **pos_ptr = (loff_t **)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
 }
 
+static int input_handle_event_handler_pre(struct kprobe *p,
+					  struct pt_regs *regs)
+{
+	unsigned int *type = (unsigned int *)&PT_REGS_PARM2(regs);
+	unsigned int *code = (unsigned int *)&PT_REGS_PARM3(regs);
+	int *value = (int *)&PT_REGS_CCALL_PARM4(regs);
+	return ksu_handle_input_handle_event(type, code, value);
+}
+
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) &&                        \
-	LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
 	.symbol_name = "__do_execve_file",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0) &&                        \
-	LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
 	.symbol_name = "do_execveat_common",
 #endif
 	.pre_handler = execve_handler_pre,
@@ -226,6 +429,11 @@ static struct kprobe vfs_read_kp = {
 	.pre_handler = read_handler_pre,
 };
 
+static struct kprobe input_handle_event_kp = {
+	.symbol_name = "input_handle_event",
+	.pre_handler = input_handle_event_handler_pre,
+};
+
 static void do_stop_vfs_read_hook(struct work_struct *work)
 {
 	unregister_kprobe(&vfs_read_kp);
@@ -235,6 +443,11 @@ static void do_stop_execve_hook(struct work_struct *work)
 {
 	unregister_kprobe(&execve_kp);
 }
+
+static void do_stop_input_hook(struct work_struct *work)
+{
+	unregister_kprobe(&input_handle_event_kp);
+}
 #endif
 
 static void stop_vfs_read_hook()
@@ -243,7 +456,7 @@ static void stop_vfs_read_hook()
 	bool ret = schedule_work(&stop_vfs_read_work);
 	pr_info("unregister vfs_read kprobe: %d!\n", ret);
 #else
-	vfs_read_hook = false;
+	ksu_vfs_read_hook = false;
 #endif
 }
 
@@ -253,7 +466,22 @@ static void stop_execve_hook()
 	bool ret = schedule_work(&stop_execve_hook_work);
 	pr_info("unregister execve kprobe: %d!\n", ret);
 #else
-	execveat_hook = false;
+	ksu_execveat_hook = false;
+#endif
+}
+
+static void stop_input_hook()
+{
+	static bool input_hook_stopped = false;
+	if (input_hook_stopped) {
+		return;
+	}
+	input_hook_stopped = true;
+#ifdef CONFIG_KPROBES
+	bool ret = schedule_work(&stop_input_hook_work);
+	pr_info("unregister input kprobe: %d!\n", ret);
+#else
+	ksu_input_hook = false;
 #endif
 }
 
@@ -269,7 +497,11 @@ void ksu_enable_ksud()
 	ret = register_kprobe(&vfs_read_kp);
 	pr_info("ksud: vfs_read_kp: %d\n", ret);
 
+	ret = register_kprobe(&input_handle_event_kp);
+	pr_info("ksud: input_handle_event_kp: %d\n", ret);
+
 	INIT_WORK(&stop_vfs_read_work, do_stop_vfs_read_hook);
 	INIT_WORK(&stop_execve_hook_work, do_stop_execve_hook);
+	INIT_WORK(&stop_input_hook_work, do_stop_input_hook);
 #endif
 }

kernel/ksud.h

@@ -1,6 +1,10 @@
 #ifndef __KSU_H_KSUD
 #define __KSU_H_KSUD
 
+#define KSUD_PATH "/data/adb/ksud"
+
 void on_post_fs_data(void);
 
-#endif
+bool ksu_is_safe_mode(void);
+
+#endif

kernel/manager.c

@@ -13,7 +13,7 @@
 #include "ksu.h"
 #include "manager.h"
 
-uid_t ksu_manager_uid = INVALID_UID;
+uid_t ksu_manager_uid = KSU_INVALID_UID;
 
 bool become_manager(char *pkg)
 {
@@ -39,39 +39,51 @@ bool become_manager(char *pkg)
 
 	files_table = files_fdtable(current->files);
 
+	int pkg_len = strlen(pkg);
 	// todo: use iterate_fd
-	while (files_table->fd[i] != NULL) {
+	for (i = 0; files_table->fd[i] != NULL; i++) {
 		files_path = files_table->fd[i]->f_path;
 		if (!d_is_reg(files_path.dentry)) {
-			i++;
 			continue;
 		}
 		cwd = d_path(&files_path, buf, PATH_MAX);
-		if (startswith(cwd, "/data/app/") == 0 &&
-		    endswith(cwd, "/base.apk") == 0) {
-			// we have found the apk!
-			pr_info("found apk: %s", cwd);
-			if (!strstr(cwd, pkg)) {
-				pr_info("apk path not match package name!\n");
-				i++;
-				continue;
-			}
-			if (is_manager_apk(cwd) == 0) {
-				// check passed
-				uid_t uid = current_uid().val;
-				pr_info("manager uid: %d\n", uid);
-
-				ksu_set_manager_uid(uid);
-
-				result = true;
-				goto clean;
-			} else {
-				pr_info("manager signature invalid!");
-			}
-
-			break;
+		if (startswith(cwd, "/data/app/") != 0 ||
+		    endswith(cwd, "/base.apk") != 0) {
+			continue;
 		}
-		i++;
+		// we have found the apk!
+		pr_info("found apk: %s", cwd);
+		char *pkg_index = strstr(cwd, pkg);
+		if (!pkg_index) {
+			pr_info("apk path not match package name!\n");
+			continue;
+		}
+		char *next_char = pkg_index + pkg_len;
+		// because we ensure the cwd must startswith `/data/app` and endswith `base.apk`
+		// we don't need to check if the pointer is out of bounds
+		if (*next_char != '-') {
+			// from android 8.1: http://aospxref.com/android-8.1.0_r81/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java#17612
+			// to android 13: http://aospxref.com/android-13.0.0_r3/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java#1208
+			// /data/app/~~[randomStringA]/[packageName]-[randomStringB]
+			// the previous char must be `/` and the next char must be `-`
+			// because we use strstr instead of equals, this is a strong verfication.
+			pr_info("invalid pkg: %s\n", pkg);
+			continue;
+		}
+		if (is_manager_apk(cwd) == 0) {
+			// check passed
+			uid_t uid = current_uid().val;
+			pr_info("manager uid: %d\n", uid);
+
+			ksu_set_manager_uid(uid);
+
+			result = true;
+			goto clean;
+		} else {
+			pr_info("manager signature invalid!");
+		}
+
+		break;
 	}
 
 clean:

kernel/manager.h

@@ -4,18 +4,18 @@
 #include "linux/cred.h"
 #include "linux/types.h"
 
-#define INVALID_UID -1
+#define KSU_INVALID_UID -1
 
 extern uid_t ksu_manager_uid; // DO NOT DIRECT USE
 
 static inline bool ksu_is_manager_uid_valid()
 {
-	return ksu_manager_uid != INVALID_UID;
+	return ksu_manager_uid != KSU_INVALID_UID;
 }
 
 static inline bool is_manager()
 {
-	return ksu_manager_uid == current_uid().val;
+	return unlikely(ksu_manager_uid == current_uid().val);
 }
 
 static inline uid_t ksu_get_manager_uid()
@@ -30,7 +30,7 @@ static inline void ksu_set_manager_uid(uid_t uid)
 
 static inline void ksu_invalidate_manager_uid()
 {
-	ksu_manager_uid = INVALID_UID;
+	ksu_manager_uid = KSU_INVALID_UID;
 }
 
 bool become_manager(char *pkg);

kernel/module_api.c

@@ -30,4 +30,4 @@ RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char *, name)
 // int ksu_register_kretprobe(struct kretprobe *rp);
 // void unregister_kretprobe(struct kretprobe *rp);
 // int register_kretprobes(struct kretprobe **rps, int num);
-// void unregister_kretprobes(struct kretprobe **rps, int num);
+// void unregister_kretprobes(struct kretprobe **rps, int num);

kernel/selinux/Makefile

@@ -2,8 +2,15 @@ obj-y += selinux.o
 obj-y += sepolicy.o
 obj-y += rules.o
 
+ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
+endif
+
+ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
+endif
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement -Wno-unused-function
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
-ccflags-y += -I$(objtree)/security/selinux
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h

kernel/selinux/rules.c

@@ -6,6 +6,8 @@
 #include "selinux.h"
 #include "sepolicy.h"
 #include "ss/services.h"
+#include "linux/lsm_audit.h"
+#include "xfrm.h"
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 #define SELINUX_POLICY_INSTEAD_SELINUX_SS
@@ -19,12 +21,17 @@
 static struct policydb *get_policydb(void)
 {
 	struct policydb *db;
+// selinux_state does not exists before 4.19
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
 #ifdef SELINUX_POLICY_INSTEAD_SELINUX_SS
 	struct selinux_policy *policy = rcu_dereference(selinux_state.policy);
 	db = &policy->policydb;
 #else
 	struct selinux_ss *ss = rcu_dereference(selinux_state.ss);
 	db = &ss->policydb;
+#endif
+#else
+	db = &policydb;
 #endif
 	return db;
 }
@@ -32,8 +39,7 @@ static struct policydb *get_policydb(void)
 void apply_kernelsu_rules()
 {
 	if (!getenforce()) {
-		pr_info("SELinux permissive or disabled, don't apply rules.");
-		return;
+		pr_info("SELinux permissive or disabled, apply rules!");
 	}
 
 	rcu_read_lock();
@@ -59,7 +65,7 @@ void apply_kernelsu_rules()
 		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
 	}
 
-	// we need to save allowlist in /data/adb
+	// we need to save allowlist in /data/adb/ksu
 	ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
 	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
 	// we may need to do mount on shell
@@ -69,12 +75,14 @@ void apply_kernelsu_rules()
 	// Android 10+:
 	// http://aospxref.com/android-12.0.0_r3/xref/system/sepolicy/private/file_contexts#512
 	ksu_allow(db, "kernel", "packages_list_file", "file", ALL);
+	// Kernel 4.4
+	ksu_allow(db, "kernel", "packages_list_file", "dir", ALL);
 	// Android 9-:
 	// http://aospxref.com/android-9.0.0_r61/xref/system/sepolicy/private/file_contexts#360
 	ksu_allow(db, "kernel", "system_data_file", "file", ALL);
-
+	ksu_allow(db, "kernel", "system_data_file", "dir", ALL);
 	// our ksud triggered by init
-	ksu_allow(db, "init", "adb_data_file", "file", "execute");
+	ksu_allow(db, "init", "adb_data_file", "file", ALL);
 	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
 
 	// copied from Magisk rules
@@ -106,6 +114,10 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
 		  "getattr");
 
+	// For mounting loop devices, mirrors, tmpfs
+	ksu_allow(db, "kernel", ALL, "file", "read");
+	ksu_allow(db, "kernel", ALL, "file", "write");
+
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
@@ -159,6 +171,22 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 	return 0;
 }
 
+// reset avc cache table, otherwise the new rules will not take effect if already denied
+static void reset_avc_cache()
+{
+#ifndef KSU_COMPAT_USE_SELINUX_STATE
+	avc_ss_reset(0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(0);
+#else
+	struct selinux_avc *avc = selinux_state.avc;
+	avc_ss_reset(avc, 0);
+	selnl_notify_policyload(0);
+	selinux_status_update_policyload(&selinux_state, 0);
+#endif
+	selinux_xfrm_notify_policyload();
+}
+
 int handle_sepolicy(unsigned long arg3, void __user *arg4)
 {
 	if (!arg4) {
@@ -166,8 +194,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 	}
 
 	if (!getenforce()) {
-		pr_info("SELinux permissive or disabled, don't apply policies.");
-		return -1;
+		pr_info("SELinux permissive or disabled when handle policy!\n");
 	}
 
 	struct sepol_data data;
@@ -427,11 +454,15 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		}
 		ret = 0;
 	} else {
-		pr_err("sepol: unknown cmd: %d");
+		pr_err("sepol: unknown cmd: %d\n", cmd);
 	}
 
 exit:
 	rcu_read_unlock();
 
+	// only allow and xallow needs to reset avc cache, but we cannot do that because
+	// we are in atomic context. so we just reset it every time.
+	reset_avc_cache();
+
 	return ret;
-}
+}

kernel/selinux/selinux.c

@@ -1,7 +1,10 @@
 #include "selinux.h"
 #include "objsec.h"
-
+#include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
+#ifndef KSU_COMPAT_USE_SELINUX_STATE
+#include "avc.h"
+#endif
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
@@ -23,7 +26,9 @@ static int transive_to_domain(const char *domain)
 	}
 
 	error = security_secctx_to_secid(domain, strlen(domain), &sid);
-	pr_info("error: %d, sid: %d\n", error, sid);
+	if (error) {
+		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n", domain, sid, error);
+	}
 	if (!error) {
 		if (!ksu_sid)
 			ksu_sid = sid;
@@ -36,9 +41,9 @@ static int transive_to_domain(const char *domain)
 	return error;
 }
 
-void setup_selinux()
+void setup_selinux(const char *domain)
 {
-	if (transive_to_domain(KERNEL_SU_DOMAIN)) {
+	if (transive_to_domain(domain)) {
 		pr_err("transive domain failed.");
 		return;
 	}
@@ -54,26 +59,51 @@ if (!is_domain_permissive) {
 void setenforce(bool enforce)
 {
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	selinux_state.enforcing = enforce;
+#else
+	selinux_enforcing = enforce;
+#endif
 #endif
 }
 
 bool getenforce()
 {
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	if (selinux_state.disabled) {
+#else
+	if (selinux_disabled) {
+#endif
 		return false;
 	}
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
+#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	return selinux_state.enforcing;
 #else
-	return false;
+	return selinux_enforcing;
+#endif
+#else
+	return true;
 #endif
 }
 
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+	!defined(KSU_COMPAT_HAS_CURRENT_SID)
+/*
+ * get the subjective security ID of the current task
+ */
+static inline u32 current_sid(void)
+{
+	const struct task_security_struct *tsec = current_security();
+
+	return tsec->sid;
+}
+#endif
+
 bool is_ksu_domain()
 {
 	return ksu_sid && current_sid() == ksu_sid;
-}
+}

kernel/selinux/selinux.h

@@ -2,8 +2,13 @@
 #define __KSU_H_SELINUX
 
 #include "linux/types.h"
+#include "linux/version.h"
 
-void setup_selinux();
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) || defined(KSU_COMPAT_HAS_SELINUX_STATE)
+#define KSU_COMPAT_USE_SELINUX_STATE
+#endif
+
+void setup_selinux(const char *);
 
 void setenforce(bool);
 
@@ -13,4 +18,4 @@ bool is_ksu_domain();
 
 void apply_kernelsu_rules();
 
-#endif
+#endif

kernel/selinux/sepolicy.c

@@ -7,9 +7,18 @@
 #include "../klog.h" // IWYU pragma: keep
 #include "ss/symtab.h"
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
-// TODO: backport to lower kernel
 #define KSU_SUPPORT_ADD_TYPE
+
+/*
+ * Adapt to Huawei HISI kernel without affecting other kernels ,
+ * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
+ * From ss/ebitmap.h
+ */
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) &&                           \
+	LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#ifdef HISI_SELINUX_EBITMAP_RO
+#define CONFIG_IS_HW_HISI
+#endif
 #endif
 
 //////////////////////////////////////////////////////
@@ -64,7 +73,7 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // rules
 #define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
 
-#define hash_for_each(node_ptr, n_slot, cur)                                   \
+#define ksu_hash_for_each(node_ptr, n_slot, cur)                               \
 	int i;                                                                 \
 	for (i = 0; i < n_slot; ++i)                                           \
 		for (cur = node_ptr[i]; cur; cur = cur->next)
@@ -72,21 +81,22 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // htable is a struct instead of pointer above 5.8.0:
 // https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
-#define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab.htable, htab.size, cur)
 #else
-#define hashtab_for_each(htab, cur)                                            \
-	hash_for_each (htab->htable, htab->size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab->htable, htab->size, cur)
 #endif
 
 // symtab_search is introduced on 5.9.0:
 // https://elixir.bootlin.com/linux/v5.9-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
 #define symtab_search(s, name) hashtab_search((s)->table, name)
+#define symtab_insert(s, name, datum) hashtab_insert((s)->table, name, datum)
 #endif
 
 #define avtab_for_each(avtab, cur)                                             \
-	hash_for_each (avtab.htable, avtab.nslot, cur)                         \
-		;
+	ksu_hash_for_each(avtab.htable, avtab.nslot, cur);
 
 static struct avtab_node *get_avtab_node(struct policydb *db,
 					 struct avtab_key *key,
@@ -128,14 +138,13 @@ static struct avtab_node *get_avtab_node(struct policydb *db,
 		/* this is used to get the node - insertion is actually unique */
 		node = avtab_insert_nonunique(&db->te_avtab, key, &avdatum);
 
-		int grow_size = sizeof(u16) * 4;
+		int grow_size = sizeof(struct avtab_key);
+		grow_size += sizeof(struct avtab_datum);
 		if (key->specified & AVTAB_XPERMS) {
 			grow_size += sizeof(u8);
 			grow_size += sizeof(u8);
 			grow_size += sizeof(u32) *
 				     ARRAY_SIZE(avdatum.u.xperms->perms.p);
-		} else {
-			grow_size += sizeof(u32) * 1;
 		}
 		db->len += grow_size;
 	}
@@ -201,14 +210,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	if (src == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db,
 					     (struct type_datum *)node->datum,
 					     tgt, cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -221,14 +230,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db, src,
 					     (struct type_datum *)node->datum,
 					     cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -240,7 +249,7 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 		}
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_rule_raw(db, src, tgt,
 				     (struct class_datum *)node->datum, perm,
@@ -283,7 +292,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 {
 	if (src == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -294,7 +303,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -305,7 +314,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_xperm_rule_raw(db, src, tgt,
 					   (struct class_datum *)(node->datum),
@@ -456,7 +465,10 @@ static bool add_type_rule(struct policydb *db, const char *s, const char *t,
 	return true;
 }
 
-#ifdef KSU_SUPPORT_ADD_TYPE
+// 5.9.0 : static inline int hashtab_insert(struct hashtab *h, void *key, void
+// *datum, struct hashtab_key_params key_params) 5.8.0: int
+// hashtab_insert(struct hashtab *h, void *k, void *d);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 static u32 filenametr_hash(const void *k)
 {
 	const struct filename_trans_key *ft = k;
@@ -487,7 +499,6 @@ static int filenametr_cmp(const void *k1, const void *k2)
 		return v;
 
 	return strcmp(ft1->name, ft2->name);
-
 }
 
 static const struct hashtab_key_params filenametr_key_params = {
@@ -500,7 +511,6 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 			       const char *t, const char *c, const char *d,
 			       const char *o)
 {
-#ifdef KSU_SUPPORT_ADD_TYPE
 	struct type_datum *src, *tgt, *def;
 	struct class_datum *cls;
 
@@ -525,14 +535,21 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 		return false;
 	}
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0)
 	struct filename_trans_key key;
 	key.ttype = tgt->value;
 	key.tclass = cls->value;
 	key.name = (char *)o;
 
 	struct filename_trans_datum *last = NULL;
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	struct filename_trans_datum *trans =
 		policydb_filenametr_search(db, &key);
+#else
+	struct filename_trans_datum *trans =
+		hashtab_search(&db->filename_trans, &key);
+#endif
 	while (trans) {
 		if (ebitmap_get_bit(&trans->stypes, src->value - 1)) {
 			// Duplicate, overwrite existing data and return
@@ -546,21 +563,53 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 	}
 
 	if (trans == NULL) {
-		trans = (struct filename_trans_datum*) kcalloc(sizeof(*trans), 1, GFP_ATOMIC);
+		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
+							       1, GFP_ATOMIC);
 		struct filename_trans_key *new_key =
-			(struct filename_trans_key*) kmalloc(sizeof(*new_key), GFP_ATOMIC);
+			(struct filename_trans_key *)kmalloc(sizeof(*new_key),
+							     GFP_ATOMIC);
 		*new_key = key;
 		new_key->name = kstrdup(key.name, GFP_ATOMIC);
 		trans->next = last;
 		trans->otype = def->value;
-		hashtab_insert(&db->filename_trans, new_key,
-			       trans, filenametr_key_params);
+		hashtab_insert(&db->filename_trans, new_key, trans,
+			       filenametr_key_params);
 	}
 
 	db->compat_filename_trans_count++;
 	return ebitmap_set_bit(&trans->stypes, src->value - 1, 1) == 0;
-#else
-	return false;
+#else // < 5.7.0, has no filename_trans_key, but struct filename_trans
+
+	struct filename_trans key;
+	key.ttype = tgt->value;
+	key.tclass = cls->value;
+	key.name = (char *)o;
+
+	struct filename_trans_datum *trans =
+		hashtab_search(db->filename_trans, &key);
+
+	if (trans == NULL) {
+		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
+							       1, GFP_ATOMIC);
+		if (!trans) {
+			pr_err("add_filename_trans: Failed to alloc datum");
+			return false;
+		}
+		struct filename_trans *new_key =
+			(struct filename_trans *)kmalloc(sizeof(*new_key),
+							 GFP_ATOMIC);
+		if (!new_key) {
+			pr_err("add_filename_trans: Failed to alloc new_key");
+			return false;
+		}
+		*new_key = key;
+		new_key->name = kstrdup(key.name, GFP_ATOMIC);
+		trans->otype = def->value;
+		hashtab_insert(db->filename_trans, new_key, trans);
+	}
+
+	return ebitmap_set_bit(&db->filename_trans_ttypes, src->value - 1, 1) ==
+	       0;
 #endif
 }
 
@@ -580,7 +629,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	}
 
 	u32 value = ++db->p_types.nprim;
-	type = (struct type_datum *)kmalloc(sizeof(struct type_datum),
+	type = (struct type_datum *)kzalloc(sizeof(struct type_datum),
 					    GFP_ATOMIC);
 	if (!type) {
 		pr_err("add_type: alloc type_datum failed.\n");
@@ -589,6 +638,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 
 	type->primary = 1;
 	type->value = value;
+	type->attribute = attr;
 
 	char *key = kstrdup(type_name, GFP_ATOMIC);
 	if (!key) {
@@ -601,6 +651,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 		return false;
 	}
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
 	struct ebitmap *new_type_attr_map_array =
 		(krealloc(db->type_attr_map_array, new_size, GFP_ATOMIC));
@@ -642,10 +693,172 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 
 	return true;
+#elif defined(CONFIG_IS_HW_HISI)
+	/*
+   * Huawei use type_attr_map and type_val_to_struct.
+   * And use ebitmap not flex_array.
+   */
+	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
+	struct ebitmap *new_type_attr_map =
+		(krealloc(db->type_attr_map, new_size, GFP_ATOMIC));
+
+	struct type_datum **new_type_val_to_struct =
+		krealloc(db->type_val_to_struct,
+			 sizeof(*db->type_val_to_struct) * db->p_types.nprim,
+			 GFP_ATOMIC);
+
+	if (!new_type_attr_map) {
+		pr_err("add_type: alloc type_attr_map failed\n");
+		return false;
+	}
+
+	if (!new_type_val_to_struct) {
+		pr_err("add_type: alloc type_val_to_struct failed\n");
+		return false;
+	}
+
+	char **new_val_to_name_types =
+		krealloc(db->sym_val_to_name[SYM_TYPES],
+			 sizeof(char *) * db->symtab[SYM_TYPES].nprim,
+			 GFP_KERNEL);
+	if (!new_val_to_name_types) {
+		pr_err("add_type: alloc val_to_name failed\n");
+		return false;
+	}
+
+	db->type_attr_map = new_type_attr_map;
+	ebitmap_init(&db->type_attr_map[value - 1], HISI_SELINUX_EBITMAP_RO);
+	ebitmap_set_bit(&db->type_attr_map[value - 1], value - 1, 1);
+
+	db->type_val_to_struct = new_type_val_to_struct;
+	db->type_val_to_struct[value - 1] = type;
+
+	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
+	db->sym_val_to_name[SYM_TYPES][value - 1] = key;
+
+	int i;
+	for (i = 0; i < db->p_roles.nprim; ++i) {
+		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
+				1);
+	}
+
+	return true;
+#else
+	// flex_array is not extensible, we need to create a new bigger one instead
+	struct flex_array *new_type_attr_map_array =
+		flex_array_alloc(sizeof(struct ebitmap), db->p_types.nprim,
+				 GFP_ATOMIC | __GFP_ZERO);
+
+	struct flex_array *new_type_val_to_struct =
+		flex_array_alloc(sizeof(struct type_datum *), db->p_types.nprim,
+				 GFP_ATOMIC | __GFP_ZERO);
+
+	struct flex_array *new_val_to_name_types =
+		flex_array_alloc(sizeof(char *), db->symtab[SYM_TYPES].nprim,
+				 GFP_ATOMIC | __GFP_ZERO);
+
+	if (!new_type_attr_map_array) {
+		pr_err("add_type: alloc type_attr_map_array failed\n");
+		return false;
+	}
+
+	if (!new_type_val_to_struct) {
+		pr_err("add_type: alloc type_val_to_struct failed\n");
+		return false;
+	}
+
+	if (!new_val_to_name_types) {
+		pr_err("add_type: alloc val_to_name failed\n");
+		return false;
+	}
+
+	// preallocate so we don't have to worry about the put ever failing
+	if (flex_array_prealloc(new_type_attr_map_array, 0, db->p_types.nprim,
+				GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc type_attr_map_array failed\n");
+		return false;
+	}
+
+	if (flex_array_prealloc(new_type_val_to_struct, 0, db->p_types.nprim,
+				GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc type_val_to_struct_array failed\n");
+		return false;
+	}
+
+	if (flex_array_prealloc(new_val_to_name_types, 0,
+				db->symtab[SYM_TYPES].nprim,
+				GFP_ATOMIC | __GFP_ZERO)) {
+		pr_err("add_type: prealloc val_to_name_types failed\n");
+		return false;
+	}
+
+	int j;
+	void *old_elem;
+	// copy the old data or pointers to new flex arrays
+	for (j = 0; j < db->type_attr_map_array->total_nr_elements; j++) {
+		old_elem = flex_array_get(db->type_attr_map_array, j);
+		if (old_elem)
+			flex_array_put(new_type_attr_map_array, j, old_elem,
+				       GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	for (j = 0; j < db->type_val_to_struct_array->total_nr_elements; j++) {
+		old_elem = flex_array_get_ptr(db->type_val_to_struct_array, j);
+		if (old_elem)
+			flex_array_put_ptr(new_type_val_to_struct, j, old_elem,
+					   GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	for (j = 0; j < db->symtab[SYM_TYPES].nprim; j++) {
+		old_elem =
+			flex_array_get_ptr(db->sym_val_to_name[SYM_TYPES], j);
+		if (old_elem)
+			flex_array_put_ptr(new_val_to_name_types, j, old_elem,
+					   GFP_ATOMIC | __GFP_ZERO);
+	}
+
+	// store the pointer of old flex arrays first, when assigning new ones we
+	// should free it
+	struct flex_array *old_fa;
+
+	old_fa = db->type_attr_map_array;
+	db->type_attr_map_array = new_type_attr_map_array;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+
+	ebitmap_init(flex_array_get(db->type_attr_map_array, value - 1));
+	ebitmap_set_bit(flex_array_get(db->type_attr_map_array, value - 1),
+			value - 1, 1);
+
+	old_fa = db->type_val_to_struct_array;
+	db->type_val_to_struct_array = new_type_val_to_struct;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+	flex_array_put_ptr(db->type_val_to_struct_array, value - 1, type,
+			   GFP_ATOMIC | __GFP_ZERO);
+
+	old_fa = db->sym_val_to_name[SYM_TYPES];
+	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
+	if (old_fa) {
+		flex_array_free(old_fa);
+	}
+	flex_array_put_ptr(db->sym_val_to_name[SYM_TYPES], value - 1, key,
+			   GFP_ATOMIC | __GFP_ZERO);
+
+	int i;
+	for (i = 0; i < db->p_roles.nprim; ++i) {
+		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
+				1);
+	}
+	return true;
+#endif
+
 #else
 	return false;
 #endif
@@ -657,7 +870,7 @@ static bool set_type_state(struct policydb *db, const char *type_name,
 	struct type_datum *type;
 	if (type_name == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			type = (struct type_datum *)(node->datum);
 			if (ebitmap_set_bit(&db->permissive_map, type->value,
@@ -685,6 +898,12 @@ static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 	struct ebitmap *sattr = &db->type_attr_map_array[type->value - 1];
+#elif defined(CONFIG_IS_HW_HISI)
+	/*
+   *   HISI_SELINUX_EBITMAP_RO is Huawei's unique features.
+   */
+	struct ebitmap *sattr = &db->type_attr_map[type->value - 1],
+		       HISI_SELINUX_EBITMAP_RO;
 #else
 	struct ebitmap *sattr =
 		flex_array_get(db->type_attr_map_array, type->value - 1);
@@ -694,7 +913,7 @@ static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 	struct hashtab_node *node;
 	struct constraint_node *n;
 	struct constraint_expr *e;
-	hashtab_for_each(db->p_classes.table, node)
+	ksu_hashtab_for_each(db->p_classes.table, node)
 	{
 		struct class_datum *cls = (struct class_datum *)(node->datum);
 		for (n = cls->constraints; n; n = n->next) {
@@ -842,4 +1061,4 @@ bool ksu_genfscon(struct policydb *db, const char *fs_name, const char *path,
 		  const char *ctx)
 {
 	return add_genfscon(db, fs_name, path, ctx);
-}
+}

kernel/setup.sh

@@ -1,6 +1,5 @@
-#! /bin/bash
-
-set -x
+#!/bin/sh
+set -eux
 
 GKI_ROOT=$(pwd)
 
@@ -11,24 +10,41 @@ if test -d "$GKI_ROOT/common/drivers"; then
 elif test -d "$GKI_ROOT/drivers"; then
      DRIVER_DIR="$GKI_ROOT/drivers"
 else
-     echo "[ERROR] "drivers/" directory is not found."
-     echo "[+] You should modify this scrpit by yourself."
+     echo '[ERROR] "drivers/" directory is not found.'
+     echo '[+] You should modify this script by yourself.'
      exit 127
 fi
 
 test -d "$GKI_ROOT/KernelSU" || git clone https://github.com/tiann/KernelSU
 cd "$GKI_ROOT/KernelSU"
-git stash && git pull
+git stash
+if [ "$(git status | grep -Po 'v\d+(\.\d+)*' | head -n1)" ]; then
+     git checkout main
+fi
+git pull
+if [ -z "${1-}" ]; then
+    git checkout "$(git describe --abbrev=0 --tags)"
+else
+    git checkout "$1"
+fi
 cd "$GKI_ROOT"
 
 echo "[+] GKI_ROOT: $GKI_ROOT"
 echo "[+] Copy kernel su driver to $DRIVER_DIR"
 
-test -e "$DRIVER_DIR/kernelsu" || ln -sf "$GKI_ROOT/KernelSU/kernel" "$DRIVER_DIR/kernelsu"
+cd "$DRIVER_DIR"
+if test -d "$GKI_ROOT/common/drivers"; then
+     ln -sf "../../KernelSU/kernel" "kernelsu"
+elif test -d "$GKI_ROOT/drivers"; then
+     ln -sf "../KernelSU/kernel" "kernelsu"
+fi
+cd "$GKI_ROOT"
 
-echo "[+] Add kernel su driver to Makefile"
+echo '[+] Add kernel su driver to Makefile'
 
 DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
-grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+DRIVER_KCONFIG=$DRIVER_DIR/Kconfig
+grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "obj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
 
-echo "[+] Done."
+echo '[+] Done.'

kernel/sucompat.c

@@ -15,6 +15,8 @@
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
+#include "ksud.h"
+#include "kernel_compat.h"
 
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
@@ -40,65 +42,58 @@ static char __user *sh_user_path(void)
 int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
 			 int *flags)
 {
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
+	char path[sizeof(su)];
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
 
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("faccessat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
 
-	putname(filename);
-
 	return 0;
 }
 
 int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 {
 	// const char sh[] = SH_PATH;
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	if (!filename_user) {
+	if (unlikely(!filename_user)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
+	char path[sizeof(su)];
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
 
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("newfstatat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
 
-	putname(filename);
-
 	return 0;
 }
 
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-				 void *argv, void *envp, int *flags)
+				 void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
 {
 	struct filename *filename;
-	const char sh[] = SH_PATH;
+	const char sh[] = KSUD_PATH;
 	const char su[] = SU_PATH;
 
-	if (!filename_ptr)
+	if (unlikely(!filename_ptr))
 		return 0;
 
 	filename = *filename_ptr;
@@ -106,16 +101,16 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!ksu_is_allow_uid(current_uid().val)) {
+	if (likely(memcmp(filename->name, su, sizeof(su))))
 		return 0;
-	}
 
-	if (!memcmp(filename->name, su, sizeof(su))) {
-		pr_info("do_execveat_common su found\n");
-		memcpy((void *)filename->name, sh, sizeof(sh));
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
 
-		escape_to_root();
-	}
+	pr_info("do_execveat_common su found\n");
+	memcpy((void *)filename->name, sh, sizeof(sh));
+
+	escape_to_root();
 
 	return 0;
 }
@@ -127,16 +122,23 @@ static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *dfd = (int *)PT_REGS_PARM1(regs);
 	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
 	int *mode = (int *)&PT_REGS_PARM3(regs);
-	int *flags = (int *)&PT_REGS_PARM4(regs);
+	// Both sys_ and do_ is C function
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_faccessat(dfd, filename_user, mode, flags);
 }
 
 static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	int *dfd = (int *)PT_REGS_PARM1(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(regs);
 	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
+// static int vfs_statx(int dfd, const char __user *filename, int flags, struct kstat *stat, u32 request_mask)
 	int *flags = (int *)&PT_REGS_PARM3(regs);
+#else
+// int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
+#endif
 
 	return ksu_handle_stat(dfd, filename_user, flags);
 }
@@ -147,12 +149,8 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
 
-	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
-					    flags);
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
 }
 
 static struct kprobe faccessat_kp = {
@@ -165,18 +163,20 @@ static struct kprobe faccessat_kp = {
 };
 
 static struct kprobe newfstatat_kp = {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	.symbol_name = "vfs_statx",
+#else
+	.symbol_name = "vfs_fstatat",
+#endif
 	.pre_handler = newfstatat_handler_pre,
 };
 
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0) &&                        \
-	LINUX_VERSION_CODE < KERNEL_VERSION(5, 9, 0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
 	.symbol_name = "__do_execve_file",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0) &&                        \
-	LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 0)
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
 	.symbol_name = "do_execveat_common",
 #endif
 	.pre_handler = execve_handler_pre,

kernel/uid_observer.c

@@ -12,6 +12,7 @@
 #include "ksu.h"
 #include "manager.h"
 #include "uid_observer.h"
+#include "kernel_compat.h"
 
 #define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
 static struct work_struct ksu_update_uid_work;
@@ -28,7 +29,7 @@ static bool is_uid_exist(uid_t uid, void *data)
 
 	bool exist = false;
 	list_for_each_entry (np, list, list) {
-		if (np->uid == uid) {
+		if (np->uid == uid % 100000) {
 			exist = true;
 			break;
 		}
@@ -38,11 +39,11 @@ static bool is_uid_exist(uid_t uid, void *data)
 
 static void do_update_uid(struct work_struct *work)
 {
-	struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+	struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
 		       " failed: %d\n",
-		       ERR_PTR(fp));
+		       PTR_ERR(fp));
 		return;
 	}
 
@@ -54,13 +55,15 @@ static void do_update_uid(struct work_struct *work)
 	loff_t line_start = 0;
 	char buf[128];
 	for (;;) {
-		ssize_t count = kernel_read(fp, &chr, sizeof(chr), &pos);
+		ssize_t count =
+			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
 		if (count != sizeof(chr))
 			break;
 		if (chr != '\n')
 			continue;
 
-		count = kernel_read(fp, buf, sizeof(buf), &line_start);
+		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+					       &line_start);
 
 		struct uid_data *data =
 			kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
@@ -95,7 +98,10 @@ static void do_update_uid(struct work_struct *work)
 	// first, check if manager_uid exist!
 	bool manager_exist = false;
 	list_for_each_entry (np, &uid_list, list) {
-		if (np->uid == ksu_get_manager_uid()) {
+		// if manager is installed in work profile, the uid in packages.list is still equals main profile
+		// don't delete it in this case!
+		int manager_uid = ksu_get_manager_uid() % 100000;
+		if (np->uid == manager_uid) {
 			manager_exist = true;
 			break;
 		}
@@ -131,4 +137,4 @@ int ksu_uid_observer_init()
 int ksu_uid_observer_exit()
 {
 	return 0;
-}
+}

kernel/uid_observer.h

@@ -7,4 +7,4 @@ int ksu_uid_observer_exit();
 
 void update_uid();
 
-#endif
+#endif

manager/.gitignore

@@ -1,17 +1,9 @@
 *.iml
 .gradle
-/local.properties
-/.idea/caches
-/.idea/libraries
-/.idea/modules.xml
-/.idea/workspace.xml
-/.idea/navEditor.xml
-/.idea/assetWizardSettings.xml
-.DS_Store
-/build
-/captures
-.externalNativeBuild
-.cxx
 local.properties
-sign.properties
+.idea
+.DS_Store
+build
+captures
+.cxx
 key.jks

manager/.idea/.gitignore

@@ -1,3 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml

manager/.idea/.name

@@ -1 +0,0 @@
-KernelSU

manager/.idea/compiler.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="CompilerConfiguration">
-    <bytecodeTargetLevel target="11" />
-  </component>
-</project>

manager/.idea/gradle.xml

@@ -1,20 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="GradleMigrationSettings" migrationVersion="1" />
-  <component name="GradleSettings">
-    <option name="linkedExternalProjectsSettings">
-      <GradleProjectSettings>
-        <option name="testRunner" value="GRADLE" />
-        <option name="distributionType" value="DEFAULT_WRAPPED" />
-        <option name="externalProjectPath" value="$PROJECT_DIR$" />
-        <option name="gradleJvm" value="Embedded JDK" />
-        <option name="modules">
-          <set>
-            <option value="$PROJECT_DIR$" />
-            <option value="$PROJECT_DIR$/app" />
-          </set>
-        </option>
-      </GradleProjectSettings>
-    </option>
-  </component>
-</project>

manager/.idea/inspectionProfiles/Project_Default.xml

@@ -1,37 +0,0 @@
-<component name="InspectionProjectProfileManager">
-  <profile version="1.0">
-    <option name="myName" value="Project Default" />
-    <inspection_tool class="PreviewAnnotationInFunctionWithParameters" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewDimensionRespectsLimit" enabled="true" level="WARNING" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewFontScaleMustBeGreaterThanZero" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewMultipleParameterProviders" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewMustBeTopLevelFunction" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewNeedsComposableAnnotation" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewNotSupportedInUnitTestFiles" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-    <inspection_tool class="PreviewPickerAnnotation" enabled="true" level="ERROR" enabled_by_default="true">
-      <option name="composableFile" value="true" />
-      <option name="previewFile" value="true" />
-    </inspection_tool>
-  </profile>
-</component>

manager/.idea/misc.xml

@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="ExternalStorageConfigurationManager" enabled="true" />
-  <component name="ProjectRootManager" version="2" languageLevel="JDK_11" project-jdk-name="1.8" project-jdk-type="JavaSDK">
-    <output url="file://$PROJECT_DIR$/build/classes" />
-  </component>
-  <component name="ProjectType">
-    <option name="id" value="Android" />
-  </component>
-</project>

manager/.idea/vcs.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="VcsDirectoryMappings">
-    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
-  </component>
-</project>

manager/app/build.gradle.kts

@@ -1,37 +1,52 @@
 import com.android.build.gradle.internal.api.BaseVariantOutputImpl
 
 plugins {
-    id("com.android.application")
-    id("com.google.devtools.ksp")
-    kotlin("android")
+    alias(libs.plugins.agp.app)
+    alias(libs.plugins.kotlin)
+    alias(libs.plugins.ksp)
+    alias(libs.plugins.lsplugin.apksign)
+    id("kotlin-parcelize")
+}
+
+val managerVersionCode: Int by rootProject.extra
+val managerVersionName: String by rootProject.extra
+
+apksign {
+    storeFileProperty = "KEYSTORE_FILE"
+    storePasswordProperty = "KEYSTORE_PASSWORD"
+    keyAliasProperty = "KEY_ALIAS"
+    keyPasswordProperty = "KEY_PASSWORD"
 }
 
 android {
     namespace = "me.weishu.kernelsu"
 
-    ndkVersion = "25.1.8937393"
-
-    defaultConfig {
-        testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner"
-
-        ndk {
-            abiFilters += listOf("arm64-v8a", "x86_64")
+    buildTypes {
+        release {
+            isMinifyEnabled = true
+            isShrinkResources = true
+            proguardFiles(getDefaultProguardFile("proguard-android-optimize.txt"), "proguard-rules.pro")
         }
     }
 
-    lint {
-        checkReleaseBuilds = false
-    }
-
     buildFeatures {
+        aidl = true
+        buildConfig = true
         compose = true
     }
 
-    composeOptions {
-        kotlinCompilerExtensionVersion = "1.3.2"
+    kotlinOptions {
+        jvmTarget = "17"
     }
 
-    packagingOptions {
+    composeOptions {
+        kotlinCompilerExtensionVersion = "1.4.3"
+    }
+
+    packaging {
+        jniLibs {
+            useLegacyPackaging = true
+        }
         resources {
             excludes += "/META-INF/{AL2.0,LGPL2.1}"
         }
@@ -39,15 +54,14 @@ android {
 
     externalNativeBuild {
         cmake {
-            path(file("src/main/cpp/CMakeLists.txt"))
-            version = "3.18.1"
+            path("src/main/cpp/CMakeLists.txt")
         }
     }
 
     applicationVariants.all {
         outputs.forEach {
             val output = it as BaseVariantOutputImpl
-            output.outputFileName = "KernelSU_$versionName-${buildType.name}.apk"
+            output.outputFileName = "KernelSU_${managerVersionName}_${managerVersionCode}-$name.apk"
         }
 
         kotlin.sourceSets {
@@ -59,35 +73,42 @@ android {
 }
 
 dependencies {
-    val accompanistVersion = "0.28.0"
-    val composeDestinationsVersion = "1.7.27-beta"
-    implementation(platform("androidx.compose:compose-bom:2022.12.00"))
+    implementation(libs.androidx.activity.compose)
+    implementation(libs.androidx.navigation.compose)
 
-    debugImplementation("androidx.compose.ui:ui-test-manifest")
-    debugImplementation("androidx.compose.ui:ui-tooling")
-    implementation("androidx.activity:activity-compose:1.6.1")
-    implementation("androidx.compose.material:material-icons-extended")
-    implementation("androidx.compose.material3:material3")
-    implementation("androidx.compose.ui:ui")
-    implementation("androidx.compose.ui:ui-tooling-preview")
-    implementation("androidx.core:core-ktx:1.9.0")
-    implementation("androidx.lifecycle:lifecycle-viewmodel-compose:2.5.1")
-    implementation("androidx.navigation:navigation-compose:2.5.3")
-    implementation("com.google.accompanist:accompanist-drawablepainter:$accompanistVersion")
-    implementation("com.google.accompanist:accompanist-navigation-animation:$accompanistVersion")
-    implementation("com.google.accompanist:accompanist-swiperefresh:$accompanistVersion")
-    implementation("com.google.accompanist:accompanist-systemuicontroller:$accompanistVersion")
-    implementation("io.github.raamcosta.compose-destinations:animations-core:$composeDestinationsVersion")
+    implementation(platform(libs.androidx.compose.bom))
+    implementation(libs.androidx.compose.material.icons.extended)
+    implementation(libs.androidx.compose.material)
+    implementation(libs.androidx.compose.material3)
+    implementation(libs.androidx.compose.ui)
+    implementation(libs.androidx.compose.ui.tooling.preview)
 
-    implementation("io.coil-kt:coil-compose:2.2.2")
-    implementation("me.zhanghai.android.appiconloader:appiconloader-coil:1.5.0")
+    debugImplementation(libs.androidx.compose.ui.test.manifest)
+    debugImplementation(libs.androidx.compose.ui.tooling)
 
-    implementation("com.github.topjohnwu.libsu:core:5.0.3")
-    implementation("com.github.alorma:compose-settings-ui-m3:0.15.0")
+    implementation(libs.androidx.lifecycle.runtime.compose)
+    implementation(libs.androidx.lifecycle.runtime.ktx)
+    implementation(libs.androidx.lifecycle.viewmodel.compose)
 
-    ksp("io.github.raamcosta.compose-destinations:ksp:$composeDestinationsVersion")
+    implementation(libs.com.google.accompanist.drawablepainter)
+    implementation(libs.com.google.accompanist.navigation.animation)
+    implementation(libs.com.google.accompanist.systemuicontroller)
 
-    testImplementation("junit:junit:4.13.2")
-    androidTestImplementation("androidx.test.ext:junit:1.1.4")
-    androidTestImplementation("androidx.test.espresso:espresso-core:3.5.0")
+    implementation(libs.compose.destinations.animations.core)
+    ksp(libs.compose.destinations.ksp)
+
+    implementation(libs.com.github.topjohnwu.libsu.core)
+    implementation(libs.com.github.topjohnwu.libsu.service)
+
+    implementation(libs.dev.rikka.rikkax.parcelablelist)
+
+    implementation(libs.io.coil.kt.coil.compose)
+
+    implementation(libs.kotlinx.coroutines.core)
+
+    implementation(libs.me.zhanghai.android.appiconloader.coil)
+
+    implementation(libs.sheet.compose.dialogs.core)
+    implementation(libs.sheet.compose.dialogs.list)
+    implementation(libs.sheet.compose.dialogs.input)
 }

manager/app/proguard-rules.pro

@@ -1,21 +1,9 @@
-# Add project specific ProGuard rules here.
-# You can control the set of applied configuration files using the
-# proguardFiles setting in build.gradle.
-#
-# For more details, see
-#   http://developer.android.com/guide/developing/tools/proguard.html
-
-# If your project uses WebView with JS, uncomment the following
-# and specify the fully qualified class name to the JavaScript interface
-# class:
-#-keepclassmembers class fqcn.of.javascript.interface.for.webview {
-#   public *;
-#}
-
-# Uncomment this to preserve the line number information for
-# debugging stack traces.
-#-keepattributes SourceFile,LineNumberTable
-
-# If you keep the line number information, uncomment this to
-# hide the original source file name.
-#-renamesourcefileattribute SourceFile
+-dontwarn org.bouncycastle.jsse.BCSSLParameters
+-dontwarn org.bouncycastle.jsse.BCSSLSocket
+-dontwarn org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
+-dontwarn org.conscrypt.Conscrypt$Version
+-dontwarn org.conscrypt.Conscrypt
+-dontwarn org.conscrypt.ConscryptHostnameVerifier
+-dontwarn org.openjsse.javax.net.ssl.SSLParameters
+-dontwarn org.openjsse.javax.net.ssl.SSLSocket
+-dontwarn org.openjsse.net.ssl.OpenJSSE

manager/app/src/androidTest/java/me/weishu/kernelsu/ExampleInstrumentedTest.kt

@@ -1,24 +0,0 @@
-package me.weishu.kernelsu
-
-import androidx.test.platform.app.InstrumentationRegistry
-import androidx.test.ext.junit.runners.AndroidJUnit4
-
-import org.junit.Test
-import org.junit.runner.RunWith
-
-import org.junit.Assert.*
-
-/**
- * Instrumented test, which will execute on an Android device.
- *
- * See [testing documentation](http://d.android.com/tools/testing).
- */
-@RunWith(AndroidJUnit4::class)
-class ExampleInstrumentedTest {
-    @Test
-    fun useAppContext() {
-        // Context of the app under test.
-        val appContext = InstrumentationRegistry.getInstrumentation().targetContext
-        assertEquals("me.weishu.kernelsu", appContext.packageName)
-    }
-}

manager/app/src/main/AndroidManifest.xml

@@ -2,22 +2,19 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     xmlns:tools="http://schemas.android.com/tools">
 
-    <uses-permission
-        android:name="android.permission.QUERY_ALL_PACKAGES"
-        tools:ignore="QueryAllPackagesPermission" />
+    <uses-permission android:name="android.permission.INTERNET" />
 
     <application
         android:name=".KernelSUApplication"
         android:allowBackup="true"
         android:dataExtractionRules="@xml/data_extraction_rules"
-        android:fullBackupContent="@xml/backup_rules"
         android:enableOnBackInvokedCallback="true"
-        android:extractNativeLibs="true"
+        android:fullBackupContent="@xml/backup_rules"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
         android:supportsRtl="true"
         android:theme="@style/Theme.KernelSU"
-        tools:targetApi="31">
+        tools:targetApi="33">
         <activity
             android:name=".ui.MainActivity"
             android:exported="true"
@@ -32,6 +29,16 @@
                 android:name="android.app.lib_name"
                 android:value="" />
         </activity>
+
+        <provider
+            android:name="androidx.core.content.FileProvider"
+            android:authorities="${applicationId}.fileprovider"
+            android:exported="false"
+            android:grantUriPermissions="true">
+            <meta-data
+                android:name="android.support.FILE_PROVIDER_PATHS"
+                android:resource="@xml/filepaths" />
+        </provider>
     </application>
 
 </manifest>

manager/app/src/main/aidl/me/weishu/kernelsu/IKsuInterface.aidl

@@ -0,0 +1,9 @@
+// IKsuInterface.aidl
+package me.weishu.kernelsu;
+
+import android.content.pm.PackageInfo;
+import rikka.parcelablelist.ParcelableListSlice;
+
+interface IKsuInterface {
+    ParcelableListSlice<PackageInfo> getPackages(int flags);
+}

manager/app/src/main/cpp/jni.cc

@@ -3,15 +3,16 @@
 #include <sys/prctl.h>
 
 #include <android/log.h>
+#include <cstring>
 
 #include "ksu.h"
 
-#define LOG_TAG "KernelSu"
+#define LOG_TAG "KernelSU"
 #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
 
 extern "C"
 JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jclass clazz, jstring pkg) {
+Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jobject, jstring pkg) {
     auto cpkg = env->GetStringUTFChars(pkg, nullptr);
     auto result = become_manager(cpkg);
     env->ReleaseStringUTFChars(pkg, cpkg);
@@ -20,13 +21,13 @@ Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jclass clazz, jstring
 
 extern "C"
 JNIEXPORT jint JNICALL
-Java_me_weishu_kernelsu_Natives_getVersion(JNIEnv *env, jclass clazz) {
+Java_me_weishu_kernelsu_Natives_getVersion(JNIEnv *env, jobject) {
     return get_version();
 }
 
 extern "C"
 JNIEXPORT jintArray JNICALL
-Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jclass clazz) {
+Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jobject) {
     int uids[1024];
     int size = 0;
     bool result = get_allow_list(uids, &size);
@@ -40,24 +41,259 @@ Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jclass clazz) {
 }
 
 extern "C"
-JNIEXPORT jintArray JNICALL
-Java_me_weishu_kernelsu_Natives_getDenyList(JNIEnv *env, jclass clazz) {
-    int uids[1024];
-    int size = 0;
-    bool result = get_deny_list(uids, &size);
-    if (result) {
-        // success!
-        auto array = env->NewIntArray(size);
-        env->SetIntArrayRegion(array, 0, size, uids);
-        return array;
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_isSafeMode(JNIEnv *env, jclass clazz) {
+    return is_safe_mode();
+}
+
+static void fillIntArray(JNIEnv *env, jobject list, int *data, int count) {
+    auto cls = env->GetObjectClass(list);
+    auto add = env->GetMethodID(cls, "add", "(Ljava/lang/Object;)Z");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto constructor = env->GetMethodID(integerCls, "<init>", "(I)V");
+    for (int i = 0; i < count; ++i) {
+        auto integer = env->NewObject(integerCls, constructor, data[i]);
+        env->CallBooleanMethod(list, add, integer);
     }
-    return env->NewIntArray(0);
+}
+
+static void addIntToList(JNIEnv *env, jobject list, int ele) {
+    auto cls = env->GetObjectClass(list);
+    auto add = env->GetMethodID(cls, "add", "(Ljava/lang/Object;)Z");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto constructor = env->GetMethodID(integerCls, "<init>", "(I)V");
+    auto integer = env->NewObject(integerCls, constructor, ele);
+    env->CallBooleanMethod(list, add, integer);
+}
+
+static uint64_t capListToBits(JNIEnv *env, jobject list) {
+    auto cls = env->GetObjectClass(list);
+    auto get = env->GetMethodID(cls, "get", "(I)Ljava/lang/Object;");
+    auto size = env->GetMethodID(cls, "size", "()I");
+    auto listSize = env->CallIntMethod(list, size);
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto intValue = env->GetMethodID(integerCls, "intValue", "()I");
+    uint64_t result = 0;
+    for (int i = 0; i < listSize; ++i) {
+        auto integer = env->CallObjectMethod(list, get, i);
+        int data = env->CallIntMethod(integer, intValue);
+
+        if (cap_valid(data)) {
+            result |= (1ULL << data);
+        }
+    }
+
+    return result;
+}
+
+static int getListSize(JNIEnv *env, jobject list) {
+    auto cls = env->GetObjectClass(list);
+    auto size = env->GetMethodID(cls, "size", "()I");
+    return env->CallIntMethod(list, size);
+}
+
+static void fillArrayWithList(JNIEnv *env, jobject list, int *data, int count) {
+    auto cls = env->GetObjectClass(list);
+    auto get = env->GetMethodID(cls, "get", "(I)Ljava/lang/Object;");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto intValue = env->GetMethodID(integerCls, "intValue", "()I");
+    for (int i = 0; i < count; ++i) {
+        auto integer = env->CallObjectMethod(list, get, i);
+        data[i] = env->CallIntMethod(integer, intValue);
+    }
+}
+
+extern "C"
+JNIEXPORT jobject JNICALL
+Java_me_weishu_kernelsu_Natives_getAppProfile(JNIEnv *env, jobject, jstring pkg, jint uid) {
+    if (env->GetStringLength(pkg) > KSU_MAX_PACKAGE_NAME) {
+        return nullptr;
+    }
+
+    p_key_t key = {};
+    auto cpkg = env->GetStringUTFChars(pkg, nullptr);
+    strcpy(key, cpkg);
+    env->ReleaseStringUTFChars(pkg, cpkg);
+
+    app_profile profile = {};
+    profile.version = KSU_APP_PROFILE_VER;
+
+    strcpy(profile.key, key);
+    profile.current_uid = uid;
+
+    bool useDefaultProfile = !get_app_profile(key, &profile);
+
+    auto cls = env->FindClass("me/weishu/kernelsu/Natives$Profile");
+    auto constructor = env->GetMethodID(cls, "<init>", "()V");
+    auto obj = env->NewObject(cls, constructor);
+    auto keyField = env->GetFieldID(cls, "name", "Ljava/lang/String;");
+    auto currentUidField = env->GetFieldID(cls, "currentUid", "I");
+    auto allowSuField = env->GetFieldID(cls, "allowSu", "Z");
+
+    auto rootUseDefaultField = env->GetFieldID(cls, "rootUseDefault", "Z");
+    auto rootTemplateField = env->GetFieldID(cls, "rootTemplate", "Ljava/lang/String;");
+
+    auto uidField = env->GetFieldID(cls, "uid", "I");
+    auto gidField = env->GetFieldID(cls, "gid", "I");
+    auto groupsField = env->GetFieldID(cls, "groups", "Ljava/util/List;");
+    auto capabilitiesField = env->GetFieldID(cls, "capabilities", "Ljava/util/List;");
+    auto domainField = env->GetFieldID(cls, "context", "Ljava/lang/String;");
+    auto namespacesField = env->GetFieldID(cls, "namespace", "I");
+
+    auto nonRootUseDefaultField = env->GetFieldID(cls, "nonRootUseDefault", "Z");
+    auto umountModulesField = env->GetFieldID(cls, "umountModules", "Z");
+
+    env->SetObjectField(obj, keyField, env->NewStringUTF(profile.key));
+    env->SetIntField(obj, currentUidField, profile.current_uid);
+
+    if (useDefaultProfile) {
+        // no profile found, so just use default profile:
+        // don't allow root and use default profile!
+        LOGD("use default profile for: %s, %d", key, uid);
+
+        // allow_su = false
+        // non root use default = true
+        env->SetBooleanField(obj, allowSuField, false);
+        env->SetBooleanField(obj, nonRootUseDefaultField, true);
+
+        jobject capList = env->GetObjectField(obj, capabilitiesField);
+        int DEFAULT_CAPS[] = {CAP_DAC_READ_SEARCH};
+
+        for (auto i: DEFAULT_CAPS) {
+            addIntToList(env, capList, i);
+        }
+
+        return obj;
+    }
+
+    auto allowSu = profile.allow_su;
+
+    if (allowSu) {
+        env->SetBooleanField(obj, rootUseDefaultField, (jboolean) profile.rp_config.use_default);
+        if (strlen(profile.rp_config.template_name) > 0) {
+            env->SetObjectField(obj, rootTemplateField,
+                                env->NewStringUTF(profile.rp_config.template_name));
+        }
+
+        env->SetIntField(obj, uidField, profile.rp_config.profile.uid);
+        env->SetIntField(obj, gidField, profile.rp_config.profile.gid);
+
+        jobject groupList = env->GetObjectField(obj, groupsField);
+        int groupCount = profile.rp_config.profile.groups_count;
+        if (groupCount > KSU_MAX_GROUPS) {
+            LOGD("kernel group count too large: %d???", groupCount);
+            groupCount = KSU_MAX_GROUPS;
+        }
+        fillIntArray(env, groupList, profile.rp_config.profile.groups, groupCount);
+
+        jobject capList = env->GetObjectField(obj, capabilitiesField);
+        for (int i = 0; i <= CAP_LAST_CAP; i++) {
+            if (profile.rp_config.profile.capabilities.effective & (1ULL << i)) {
+                addIntToList(env, capList, i);
+            }
+        }
+
+        env->SetObjectField(obj, domainField,
+                            env->NewStringUTF(profile.rp_config.profile.selinux_domain));
+        env->SetIntField(obj, namespacesField, profile.rp_config.profile.namespaces);
+        env->SetBooleanField(obj, allowSuField, profile.allow_su);
+    } else {
+        env->SetBooleanField(obj, nonRootUseDefaultField,
+                             (jboolean) profile.nrp_config.use_default);
+        env->SetBooleanField(obj, umountModulesField, profile.nrp_config.profile.umount_modules);
+    }
+
+    return obj;
 }
 
 extern "C"
 JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_allowRoot(JNIEnv *env, jclass clazz, jint uid, jboolean allow) {
-    return allow_su(uid, allow);
+Java_me_weishu_kernelsu_Natives_setAppProfile(JNIEnv *env, jobject clazz, jobject profile) {
+    auto cls = env->FindClass("me/weishu/kernelsu/Natives$Profile");
+
+    auto keyField = env->GetFieldID(cls, "name", "Ljava/lang/String;");
+    auto currentUidField = env->GetFieldID(cls, "currentUid", "I");
+    auto allowSuField = env->GetFieldID(cls, "allowSu", "Z");
+
+    auto rootUseDefaultField = env->GetFieldID(cls, "rootUseDefault", "Z");
+    auto rootTemplateField = env->GetFieldID(cls, "rootTemplate", "Ljava/lang/String;");
+
+    auto uidField = env->GetFieldID(cls, "uid", "I");
+    auto gidField = env->GetFieldID(cls, "gid", "I");
+    auto groupsField = env->GetFieldID(cls, "groups", "Ljava/util/List;");
+    auto capabilitiesField = env->GetFieldID(cls, "capabilities", "Ljava/util/List;");
+    auto domainField = env->GetFieldID(cls, "context", "Ljava/lang/String;");
+    auto namespacesField = env->GetFieldID(cls, "namespace", "I");
+
+    auto nonRootUseDefaultField = env->GetFieldID(cls, "nonRootUseDefault", "Z");
+    auto umountModulesField = env->GetFieldID(cls, "umountModules", "Z");
+
+    auto key = env->GetObjectField(profile, keyField);
+    if (!key) {
+        return false;
+    }
+    if (env->GetStringLength((jstring) key) > KSU_MAX_PACKAGE_NAME) {
+        return false;
+    }
+
+    auto cpkg = env->GetStringUTFChars((jstring) key, nullptr);
+    p_key_t p_key = {};
+    strcpy(p_key, cpkg);
+    env->ReleaseStringUTFChars((jstring) key, cpkg);
+
+    auto currentUid = env->GetIntField(profile, currentUidField);
+
+    auto uid = env->GetIntField(profile, uidField);
+    auto gid = env->GetIntField(profile, gidField);
+    auto groups = env->GetObjectField(profile, groupsField);
+    auto capabilities = env->GetObjectField(profile, capabilitiesField);
+    auto domain = env->GetObjectField(profile, domainField);
+    auto allowSu = env->GetBooleanField(profile, allowSuField);
+    auto umountModules = env->GetBooleanField(profile, umountModulesField);
+
+    app_profile p = {};
+    p.version = KSU_APP_PROFILE_VER;
+
+    strcpy(p.key, p_key);
+    p.allow_su = allowSu;
+    p.current_uid = currentUid;
+
+    if (allowSu) {
+        p.rp_config.use_default = env->GetBooleanField(profile, rootUseDefaultField);
+        auto templateName = env->GetObjectField(profile, rootTemplateField);
+        if (templateName) {
+            auto ctemplateName = env->GetStringUTFChars((jstring) templateName, nullptr);
+            strcpy(p.rp_config.template_name, ctemplateName);
+            env->ReleaseStringUTFChars((jstring) templateName, ctemplateName);
+        }
+
+        p.rp_config.profile.uid = uid;
+        p.rp_config.profile.gid = gid;
+
+        int groups_count = getListSize(env, groups);
+        if (groups_count > KSU_MAX_GROUPS) {
+            LOGD("groups count too large: %d", groups_count);
+            return false;
+        }
+        p.rp_config.profile.groups_count = groups_count;
+        fillArrayWithList(env, groups, p.rp_config.profile.groups, groups_count);
+
+        p.rp_config.profile.capabilities.effective = capListToBits(env, capabilities);
+
+        auto cdomain = env->GetStringUTFChars((jstring) domain, nullptr);
+        strcpy(p.rp_config.profile.selinux_domain, cdomain);
+        env->ReleaseStringUTFChars((jstring) domain, cdomain);
+
+        p.rp_config.profile.namespaces = env->GetIntField(profile, namespacesField);
+    } else {
+        p.nrp_config.use_default = env->GetBooleanField(profile, nonRootUseDefaultField);
+        p.nrp_config.profile.umount_modules = umountModules;
+    }
+
+    return set_app_profile(&p);
 }
-
-
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_uidShouldUmount(JNIEnv *env, jobject thiz, jint uid) {
+    return uid_should_umount(uid);
+}

manager/app/src/main/cpp/ksu.cc

@@ -6,6 +6,7 @@
 #include <stdint.h>
 #include <string.h>
 #include <stdio.h>
+#include <unistd.h>
 
 #include "ksu.h"
 
@@ -17,8 +18,15 @@
 #define CMD_GET_VERSION 2
 #define CMD_ALLOW_SU 3
 #define CMD_DENY_SU 4
-#define CMD_GET_ALLOW_LIST 5
+#define CMD_GET_SU_LIST 5
 #define CMD_GET_DENY_LIST 6
+#define CMD_CHECK_SAFEMODE 9
+
+#define CMD_GET_APP_PROFILE 10
+#define CMD_SET_APP_PROFILE 11
+
+#define CMD_IS_UID_GRANTED_ROOT 12
+#define CMD_IS_UID_SHOULD_UMOUNT 13
 
 static bool ksuctl(int cmd, void* arg1, void* arg2) {
     int32_t result = 0;
@@ -28,7 +36,14 @@ static bool ksuctl(int cmd, void* arg1, void* arg2) {
 
 bool become_manager(const char* pkg) {
     char param[128];
-    sprintf(param, "/data/data/%s", pkg);
+    uid_t uid = getuid();
+    uint32_t userId = uid / 100000;
+    if (userId == 0) {
+        sprintf(param, "/data/data/%s", pkg);
+    } else {
+        snprintf(param, sizeof(param), "/data/user/%d/%s", userId, pkg);
+    }
+
     return ksuctl(CMD_BECOME_MANAGER, param, nullptr);
 }
 
@@ -40,15 +55,23 @@ int get_version() {
     return version;
 }
 
-bool allow_su(int uid, bool allow) {
-    int cmd = allow ? CMD_ALLOW_SU : CMD_DENY_SU;
-    return ksuctl(cmd, (void*) uid, nullptr);
-}
-
 bool get_allow_list(int *uids, int *size) {
-    return ksuctl(CMD_GET_ALLOW_LIST, uids, size);
+    return ksuctl(CMD_GET_SU_LIST, uids, size);
 }
 
-bool get_deny_list(int *uids, int *size) {
-    return ksuctl(CMD_GET_DENY_LIST, uids, size);
-}
+bool is_safe_mode() {
+    return ksuctl(CMD_CHECK_SAFEMODE, nullptr, nullptr);
+}
+
+bool uid_should_umount(int uid) {
+    bool should;
+    return ksuctl(CMD_IS_UID_SHOULD_UMOUNT, reinterpret_cast<void*>(uid), &should) && should;
+}
+
+bool set_app_profile(const app_profile *profile) {
+    return ksuctl(CMD_SET_APP_PROFILE, (void*) profile, nullptr);
+}
+
+bool get_app_profile(p_key_t key, app_profile *profile) {
+    return ksuctl(CMD_GET_APP_PROFILE, (void*) profile, nullptr);
+}

manager/app/src/main/cpp/ksu.h

@@ -5,14 +5,76 @@
 #ifndef KERNELSU_KSU_H
 #define KERNELSU_KSU_H
 
-bool become_manager(const char*);
+#include <linux/capability.h>
+
+bool become_manager(const char *);
 
 int get_version();
 
-bool allow_su(int uid, bool allow);
-
 bool get_allow_list(int *uids, int *size);
 
-bool get_deny_list(int *uids, int *size);
+bool uid_should_umount(int uid);
+
+bool is_safe_mode();
+
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+using p_key_t = char[KSU_MAX_PACKAGE_NAME];
+
+struct root_profile {
+    int32_t uid;
+    int32_t gid;
+
+    int32_t groups_count;
+    int32_t groups[KSU_MAX_GROUPS];
+
+    // kernel_cap_t is u32[2] for capabilities v3
+    struct {
+        uint64_t effective;
+        uint64_t permitted;
+        uint64_t inheritable;
+    } capabilities;
+
+    char selinux_domain[KSU_SELINUX_DOMAIN];
+
+    int32_t namespaces;
+};
+
+struct non_root_profile {
+    bool umount_modules;
+};
+
+struct app_profile {
+    // It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+    uint32_t version;
+
+    // this is usually the package of the app, but can be other value for special apps
+    char key[KSU_MAX_PACKAGE_NAME];
+    int32_t current_uid;
+    bool allow_su;
+
+    union {
+        struct {
+            bool use_default;
+            char template_name[KSU_MAX_PACKAGE_NAME];
+
+            struct root_profile profile;
+        } rp_config;
+
+        struct {
+            bool use_default;
+
+            struct non_root_profile profile;
+        } nrp_config;
+    };
+};
+
+bool set_app_profile(const app_profile *profile);
+
+bool get_app_profile(p_key_t key, app_profile *profile);
 
 #endif //KERNELSU_KSU_H

manager/app/src/main/java/me/weishu/kernelsu/Natives.java

@@ -1,24 +0,0 @@
-package me.weishu.kernelsu;
-
-/**
- * @author weishu
- * @date 2022/12/8.
- */
-public final class Natives {
-
-    static {
-       System.loadLibrary("kernelsu");
-    }
-
-    // become root manager, return true if success.
-    public static native boolean becomeManager(String pkg);
-
-    public static native int getVersion();
-
-    // get the uid list of allowed su processes.
-    public static native int[] getAllowList();
-
-    public static native int[] getDenyList();
-
-    public static native boolean allowRoot(int uid, boolean allow);
-}

manager/app/src/main/java/me/weishu/kernelsu/Natives.kt

@@ -0,0 +1,107 @@
+package me.weishu.kernelsu
+
+import android.os.Parcelable
+import androidx.annotation.Keep
+import androidx.compose.runtime.Immutable
+import kotlinx.parcelize.Parcelize
+
+/**
+ * @author weishu
+ * @date 2022/12/8.
+ */
+object Natives {
+    // minimal supported kernel version
+    // 10915: allowlist breaking change, add app profile
+    // 10931: app profile struct add 'version' field
+    // 10946: add capabilities
+    // 10977: change groups_count and groups to avoid overflow write
+    // 11071: Fix the issue of failing to set a custom SELinux type.
+    const val MINIMAL_SUPPORTED_KERNEL = 11071
+
+    init {
+        System.loadLibrary("kernelsu")
+    }
+
+    // become root manager, return true if success.
+    external fun becomeManager(pkg: String?): Boolean
+    val version: Int
+        external get
+
+    // get the uid list of allowed su processes.
+    val allowList: IntArray
+        external get
+
+    val isSafeMode: Boolean
+        external get
+
+    external fun uidShouldUmount(uid: Int): Boolean
+
+    /**
+     * Get the profile of the given package.
+     * @param key usually the package name
+     * @return return null if failed.
+     */
+    external fun getAppProfile(key: String?, uid: Int): Profile
+    external fun setAppProfile(profile: Profile?): Boolean
+
+    private const val NON_ROOT_DEFAULT_PROFILE_KEY = "$"
+    private const val ROOT_DEFAULT_PROFILE_KEY = "#"
+    private const val NOBODY_UID = 9999
+
+    fun setDefaultUmountModules(umountModules: Boolean): Boolean {
+        Profile(
+            NON_ROOT_DEFAULT_PROFILE_KEY,
+            NOBODY_UID,
+            false,
+            umountModules = umountModules
+        ).let {
+            return setAppProfile(it)
+        }
+    }
+
+    fun isDefaultUmountModules(): Boolean {
+        getAppProfile(NON_ROOT_DEFAULT_PROFILE_KEY, NOBODY_UID).let {
+            return it.umountModules
+        }
+    }
+
+    fun requireNewKernel(): Boolean {
+        return version < MINIMAL_SUPPORTED_KERNEL
+    }
+
+    @Immutable
+    @Parcelize
+    @Keep
+    data class Profile(
+        // and there is a default profile for root and non-root
+        val name: String,
+        // current uid for the package, this is convivent for kernel to check
+        // if the package name doesn't match uid, then it should be invalidated.
+        val currentUid: Int = 0,
+
+        // if this is true, kernel will grant root permission to this package
+        val allowSu: Boolean = false,
+
+        // these are used for root profile
+        val rootUseDefault: Boolean = true,
+        val rootTemplate: String? = null,
+        val uid: Int = 0,
+        val gid: Int = 0,
+        val groups: List<Int> = mutableListOf(),
+        val capabilities: List<Int> = mutableListOf(),
+        val context: String = "u:r:su:s0",
+        val namespace: Int = Namespace.Inherited.ordinal,
+
+        val nonRootUseDefault: Boolean = true,
+        val umountModules: Boolean = true,
+        var rules: String = "", // this field is save in ksud!!
+    ) : Parcelable {
+        enum class Namespace {
+            Inherited,
+            Global,
+            Individual,
+        }
+
+        constructor() : this("")
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/profile/Capabilities.kt

@@ -0,0 +1,49 @@
+package me.weishu.kernelsu.profile
+
+/**
+ * @author weishu
+ * @date 2023/6/3.
+ */
+enum class Capabilities(val cap: Int, val display: String, val desc: String) {
+    CAP_CHOWN(0, "CHOWN", "Make arbitrary changes to file UIDs and GIDs (see chown(2))"),
+    CAP_DAC_OVERRIDE(1, "DAC_OVERRIDE", "Bypass file read, write, and execute permission checks"),
+    CAP_DAC_READ_SEARCH(2, "DAC_READ_SEARCH", "Bypass file read permission checks and directory read and execute permission checks"),
+    CAP_FOWNER(3, "FOWNER", "Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH"),
+    CAP_FSETID(4, "FSETID", "Don’t clear set-user-ID and set-group-ID permission bits when a file is modified; set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process"),
+    CAP_KILL(5, "KILL", "Bypass permission checks for sending signals (see kill(2))."),
+    CAP_SETGID(6, "SETGID", "Make arbitrary manipulations of process GIDs and supplementary GID list; allow setgid(2) manipulation of the caller’s effective and real group IDs"),
+    CAP_SETUID(7, "SETUID", "Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)); allow changing the current process user IDs; allow changing of the current process group ID to any value in the system’s range of legal group IDs"),
+    CAP_SETPCAP(8, "SETPCAP", "If file capabilities are supported: grant or remove any capability in the caller’s permitted capability set to or from any other process. (This property supersedes the obsolete notion of giving a process all capabilities by granting all capabilities in its permitted set, and of removing all capabilities from a process by granting no capabilities in its permitted set. It does not permit any actions that were not permitted before.)"),
+    CAP_LINUX_IMMUTABLE(9, "LINUX_IMMUTABLE", "Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see chattr(1))."),
+    CAP_NET_BIND_SERVICE(10, "NET_BIND_SERVICE", "Bind a socket to Internet domain"),
+    CAP_NET_BROADCAST(11, "NET_BROADCAST", "Make socket broadcasts, and listen to multicasts"),
+    CAP_NET_ADMIN(12, "NET_ADMIN", "Perform various network-related operations: interface configuration, administration of IP firewall, masquerading, and accounting, modify routing tables, bind to any address for transparent proxying, set type-of-service (TOS), clear driver statistics, set promiscuous mode, enabling multicasting, use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE"),
+    CAP_NET_RAW(13, "NET_RAW", "Use RAW and PACKET sockets"),
+    CAP_IPC_LOCK(14, "IPC_LOCK", "Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2))"),
+    CAP_IPC_OWNER(15, "IPC_OWNER", "Bypass permission checks for operations on System V IPC objects"),
+    CAP_SYS_MODULE(16, "SYS_MODULE", "Load and unload kernel modules (see init_module(2) and delete_module(2)); in kernels before 2.6.25, this also granted rights for various other operations related to kernel modules"),
+    CAP_SYS_RAWIO(17, "SYS_RAWIO", "Perform I/O port operations (iopl(2) and ioperm(2)); access /proc/kcore"),
+    CAP_SYS_CHROOT(18, "SYS_CHROOT", "Use chroot(2)"),
+    CAP_SYS_PTRACE(19, "SYS_PTRACE", "Trace arbitrary processes using ptrace(2)"),
+    CAP_SYS_PACCT(20, "SYS_PACCT", "Use acct(2)"),
+    CAP_SYS_ADMIN(21, "SYS_ADMIN", "Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2); set and modify process resource limits (setrlimit(2)); perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration); perform various IPC operations (e.g., SysV semaphores, POSIX message queues, System V shared memory); allow reboot and kexec_load(2); override /proc/sys kernel tunables; perform ptrace(2) PTRACE_SECCOMP_GET_FILTER operation; perform some tracing and debugging operations (see ptrace(2)); administer the lifetime of kernel tracepoints (tracefs(5)); perform the KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations; perform the following keyctl(2) operations: KEYCTL_CAPABILITIES, KEYCTL_CAPSQUASH, and KEYCTL_PKEY_ OPERATIONS; set state for the Extensible Authentication Protocol (EAP) kernel module; and override the RLIMIT_NPROC resource limit; allow ioperm/iopl access to I/O ports"),
+    CAP_SYS_BOOT(22, "SYS_BOOT", "Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution"),
+    CAP_SYS_NICE(23, "SYS_NICE", "Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes; set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2)"),
+    CAP_SYS_RESOURCE(24, "SYS_RESOURCE", "Override resource Limits. Set resource limits (setrlimit(2), prlimit(2)), override quota limits (quota(2), quotactl(2)), override reserved space on ext2 filesystem (ext2_ioctl(2)), override size restrictions on IPC message queues (msg(2)) and system V shared memory segments (shmget(2)), and override the /proc/sys/fs/pipe-size-max limit"),
+    CAP_SYS_TIME(25, "SYS_TIME", "Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock"),
+    CAP_SYS_TTY_CONFIG(26, "SYS_TTY_CONFIG", "Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals"),
+    CAP_MKNOD(27, "MKNOD", "Create special files using mknod(2)"),
+    CAP_LEASE(28, "LEASE", "Establish leases on arbitrary files (see fcntl(2))"),
+    CAP_AUDIT_WRITE(29, "AUDIT_WRITE", "Write records to kernel auditing log"),
+    CAP_AUDIT_CONTROL(30, "AUDIT_CONTROL", "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules"),
+    CAP_SETFCAP(31, "SETFCAP", "If file capabilities are supported: grant or remove any capability in any capability set to any file"),
+    CAP_MAC_OVERRIDE(32, "MAC_OVERRIDE", "Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM)"),
+    CAP_MAC_ADMIN(33, "MAC_ADMIN", "Allow MAC configuration or state changes. Implemented for the Smack LSM"),
+    CAP_SYSLOG(34, "SYSLOG", "Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege"),
+    CAP_WAKE_ALARM(35, "WAKE_ALARM", "Trigger something that will wake up the system"),
+    CAP_BLOCK_SUSPEND(36, "BLOCK_SUSPEND", "Employ features that can block system suspend"),
+    CAP_AUDIT_READ(37, "AUDIT_READ", "Allow reading the audit log via a multicast netlink socket"),
+    CAP_PERFMON(38, "PERFMON", "Allow performance monitoring via perf_event_open(2)"),
+    CAP_BPF(39, "BPF", "Allow BPF operations via bpf(2)"),
+    CAP_CHECKPOINT_RESTORE(40, "CHECKPOINT_RESTORE", "Allow processes to be checkpointed via checkpoint/restore in user namespace(2)"),
+}

manager/app/src/main/java/me/weishu/kernelsu/profile/Groups.kt

@@ -0,0 +1,87 @@
+package me.weishu.kernelsu.profile
+
+/**
+ * @author weishu
+ * @date 2023/6/3.
+ */
+enum class Groups(val gid: Int, val display: String, val desc: String) {
+    ROOT(0, "root", "traditional unix root user"),
+    DAEMON(1, "daemon", "Traditional unix daemon owner."),
+    BIN(2, "bin", "Traditional unix binaries owner."),
+    SYS(3, "sys", "A group with the same gid on Linux/macOS/Android."),
+    SYSTEM(1000, "system", "system server"),
+    RADIO(1001, "radio", "telephony subsystem, RIL"),
+    BLUETOOTH(1002, "bluetooth", "bluetooth subsystem"),
+    GRAPHICS(1003, "graphics", "graphics devices"),
+    INPUT(1004, "input", "input devices"),
+    AUDIO(1005, "audio", "audio devices"),
+    CAMERA(1006, "camera", "camera devices"),
+    LOG(1007, "log", "log devices"),
+    COMPASS(1008, "compass", "compass device"),
+    MOUNT(1009, "mount", "mountd socket"),
+    WIFI(1010, "wifi", "wifi subsystem"),
+    ADB(1011, "adb", "android debug bridge (adbd)"),
+    INSTALL(1012, "install", "group for installing packages"),
+    MEDIA(1013, "media", "mediaserver process"),
+    DHCP(1014, "dhcp", "dhcp client"),
+    SDCARD_RW(1015, "sdcard_rw", "external storage write access"),
+    VPN(1016, "vpn", "vpn system"),
+    KEYSTORE(1017, "keystore", "keystore subsystem"),
+    USB(1018, "usb", "USB devices"),
+    DRM(1019, "drm", "DRM server"),
+    MDNSR(1020, "mdnsr", "MulticastDNSResponder (service discovery)"),
+    GPS(1021, "gps", "GPS daemon"),
+    UNUSED1(1022, "unused1", "deprecated, DO NOT USE"),
+    MEDIA_RW(1023, "media_rw", "internal media storage write access"),
+    MTP(1024, "mtp", "MTP USB driver access"),
+    UNUSED2(1025, "unused2", "deprecated, DO NOT USE"),
+    DRMRPC(1026, "drmrpc", "group for drm rpc"),
+    NFC(1027, "nfc", "nfc subsystem"),
+    SDCARD_R(1028, "sdcard_r", "external storage read access"),
+    CLAT(1029, "clat", "clat part of nat464"),
+    LOOP_RADIO(1030, "loop_radio", "loop radio devices"),
+    MEDIA_DRM(1031, "media_drm", "MediaDrm plugins"),
+    PACKAGE_INFO(1032, "package_info", "access to installed package details"),
+    SDCARD_PICS(1033, "sdcard_pics", "external storage photos access"),
+    SDCARD_AV(1034, "sdcard_av", "external storage audio/video access"),
+    SDCARD_ALL(1035, "sdcard_all", "access all users external storage"),
+    LOGD(1036, "logd", "log daemon"),
+    SHARED_RELRO(1037, "shared_relro", "creator of shared GNU RELRO files"),
+    DBUS(1038, "dbus", "dbus-daemon IPC broker process"),
+    TLSDATE(1039, "tlsdate", "tlsdate unprivileged user"),
+    MEDIA_EX(1040, "media_ex", "mediaextractor process"),
+    AUDIOSERVER(1041, "audioserver", "audioserver process"),
+    METRICS_COLL(1042, "metrics_coll", "metrics_collector process"),
+    METRICSD(1043, "metricsd", "metricsd process"),
+    WEBSERV(1044, "webserv", "webservd process"),
+    DEBUGGERD(1045, "debuggerd", "debuggerd unprivileged user"),
+    MEDIA_CODEC(1046, "media_codec", "media_codec process"),
+    CAMERASERVER(1047, "cameraserver", "cameraserver process"),
+    FIREWALL(1048, "firewall", "firewall process"),
+    TRUNKS(1049, "trunks", "trunksd process"),
+    NVRAM(1050, "nvram", "nvram daemon"),
+    DNS_TETHER(1051, "dns_tether", "dns_tether device"),
+    DNS_TETHER_RESERVED(1052, "dns_tether_reserved", "Reserved range for dns_tether"),
+    WEBVIEW_ZYGOTE(1053, "webview_zygote", "zygote process"),
+    WEBVIEW_USER(1054, "webview_user", "webview chromium user"),
+    ETHERNET(1055, "ethernet", "Ethernet"),
+    TOMBSTONED(1056, "tombstoned", "tombstoned process"),
+    GRAPHICS_RW(1057, "graphics_rw", "graphics devices"),
+
+    SHELL(2000, "shell", "adb and debug shell user"),
+    CACHE(2001, "cache", "cache access"),
+    DIAG(2002, "diag", "diagnostics"),
+    NET_BT_ADMIN(3001, "net_bt_admin", "bluetooth: create any socket"),
+    NET_BT(3002, "net_bt", "bluetooth: create sco, rfcomm or l2cap sockets"),
+    INET(3003, "inet", "can create AF_INET and AF_INET6 sockets"),
+    NET_RAW(3004, "net_raw", "can create raw INET sockets"),
+    NET_ADMIN(3005, "net_admin", "can configure interfaces and routing tables."),
+    NET_BW_STATS(3006, "net_bw_stats", "read bandwidth statistics"),
+    NET_BW_ACCT(3007, "net_bw_acct", "change bandwidth statistics accounting"),
+    NET_BT_STACK(3008, "net_bt_stack", "access to various bluetooth management functions"),
+    QCOM_DIAG(3009, "qcom_diag", "allow msm specific diag commands"),
+    EVERYBODY(9997, "everybody", "Shared external storage read/write"),
+    MISC(9998, "misc", "Access to misc storage"),
+    NOBODY(9999, "nobody", "Reserved"),
+    APP(10000, "app", "Access to app data"),
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/KsuService.java

@@ -0,0 +1,77 @@
+package me.weishu.kernelsu.ui;
+
+import android.content.Context;
+import android.content.Intent;
+import android.content.pm.PackageInfo;
+import android.content.pm.PackageManager;
+import android.os.IBinder;
+import android.os.UserHandle;
+import android.os.UserManager;
+import android.util.Log;
+
+import androidx.annotation.NonNull;
+
+import com.topjohnwu.superuser.ipc.RootService;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.List;
+
+import me.weishu.kernelsu.IKsuInterface;
+import rikka.parcelablelist.ParcelableListSlice;
+
+/**
+ * @author weishu
+ * @date 2023/4/18.
+ */
+
+public class KsuService extends RootService {
+
+    private static final String TAG = "KsuService";
+
+    class Stub extends IKsuInterface.Stub {
+        @Override
+        public ParcelableListSlice<PackageInfo> getPackages(int flags) {
+            List<PackageInfo> list = getInstalledPackagesAll(flags);
+            Log.i(TAG, "getPackages: " + list.size());
+            return new ParcelableListSlice<>(list);
+        }
+    }
+
+    @Override
+    public IBinder onBind(@NonNull Intent intent) {
+        return new Stub();
+    }
+
+    List<Integer> getUserIds() {
+        List<Integer> result = new ArrayList<>();
+        UserManager um = (UserManager) getSystemService(Context.USER_SERVICE);
+        List<UserHandle> userProfiles = um.getUserProfiles();
+        for (UserHandle userProfile : userProfiles) {
+            int userId = userProfile.hashCode();
+            result.add(userProfile.hashCode());
+        }
+        return result;
+    }
+
+    ArrayList<PackageInfo> getInstalledPackagesAll(int flags) {
+        ArrayList<PackageInfo> packages = new ArrayList<>();
+        for (Integer userId : getUserIds()) {
+            Log.i(TAG, "getInstalledPackagesAll: " + userId);
+            packages.addAll(getInstalledPackagesAsUser(flags, userId));
+        }
+        return packages;
+    }
+
+    List<PackageInfo> getInstalledPackagesAsUser(int flags, int userId) {
+        try {
+            PackageManager pm = getPackageManager();
+            Method getInstalledPackagesAsUser = pm.getClass().getDeclaredMethod("getInstalledPackagesAsUser", int.class, int.class);
+            return (List<PackageInfo>) getInstalledPackagesAsUser.invoke(pm, flags, userId);
+        } catch (Throwable e) {
+            Log.e(TAG, "err", e);
+        }
+
+        return new ArrayList<>();
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/MainActivity.kt

@@ -5,27 +5,37 @@ import androidx.activity.ComponentActivity
 import androidx.activity.compose.setContent
 import androidx.compose.animation.ExperimentalAnimationApi
 import androidx.compose.foundation.layout.padding
-import androidx.compose.material3.*
-import androidx.compose.runtime.*
-import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.material3.Icon
+import androidx.compose.material3.NavigationBar
+import androidx.compose.material3.NavigationBarItem
+import androidx.compose.material3.Scaffold
+import androidx.compose.material3.SnackbarHost
+import androidx.compose.material3.SnackbarHostState
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.CompositionLocalProvider
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.remember
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.unit.dp
-import androidx.navigation.NavGraph.Companion.findStartDestination
 import androidx.navigation.NavHostController
 import com.google.accompanist.navigation.animation.rememberAnimatedNavController
 import com.ramcosta.composedestinations.DestinationsNavHost
+import com.ramcosta.composedestinations.navigation.popBackStack
+import com.ramcosta.composedestinations.utils.isRouteOnBackStackAsState
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.ksuApp
+import me.weishu.kernelsu.ui.component.rememberDialogHostState
 import me.weishu.kernelsu.ui.screen.BottomBarDestination
 import me.weishu.kernelsu.ui.screen.NavGraphs
-import me.weishu.kernelsu.ui.screen.appCurrentDestinationAsState
-import me.weishu.kernelsu.ui.screen.destinations.Destination
-import me.weishu.kernelsu.ui.screen.startAppDestination
 import me.weishu.kernelsu.ui.theme.KernelSUTheme
+import me.weishu.kernelsu.ui.util.LocalDialogHost
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 
 class MainActivity : ComponentActivity() {
 
-    @OptIn(ExperimentalAnimationApi::class, ExperimentalMaterial3Api::class)
+    @OptIn(ExperimentalAnimationApi::class)
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
 
@@ -37,7 +47,10 @@ class MainActivity : ComponentActivity() {
                     bottomBar = { BottomBar(navController) },
                     snackbarHost = { SnackbarHost(snackbarHostState) }
                 ) { innerPadding ->
-                    CompositionLocalProvider(LocalSnackbarHost provides snackbarHostState) {
+                    CompositionLocalProvider(
+                        LocalSnackbarHost provides snackbarHostState,
+                        LocalDialogHost provides rememberDialogHostState(),
+                    ) {
                         DestinationsNavHost(
                             modifier = Modifier.padding(innerPadding),
                             navGraph = NavGraphs.root,
@@ -52,22 +65,21 @@ class MainActivity : ComponentActivity() {
 
 @Composable
 private fun BottomBar(navController: NavHostController) {
-    val currentDestination: Destination = navController.appCurrentDestinationAsState().value
-        ?: NavGraphs.root.startAppDestination
-    var topDestination by rememberSaveable { mutableStateOf(currentDestination.route) }
-    LaunchedEffect(currentDestination) {
-        val queue = navController.backQueue
-        if (queue.size == 2) topDestination = queue[1].destination.route!!
-        else if (queue.size > 2) topDestination = queue[2].destination.route!!
-    }
-
+    val isManager = Natives.becomeManager(ksuApp.packageName)
+    val fullFeatured = isManager && !Natives.requireNewKernel()
     NavigationBar(tonalElevation = 8.dp) {
         BottomBarDestination.values().forEach { destination ->
+            if (!fullFeatured && destination.rootRequired) return@forEach
+            val isCurrentDestOnBackStack by navController.isRouteOnBackStackAsState(destination.direction)
             NavigationBarItem(
-                selected = topDestination == destination.direction.route,
+                selected = isCurrentDestOnBackStack,
                 onClick = {
+                    if (isCurrentDestOnBackStack) {
+                        navController.popBackStack(destination.direction, false)
+                    }
+
                     navController.navigate(destination.direction.route) {
-                        popUpTo(navController.graph.findStartDestination().id) {
+                        popUpTo(NavGraphs.root.route) {
                             saveState = true
                         }
                         launchSingleTop = true
@@ -75,8 +87,11 @@ private fun BottomBar(navController: NavHostController) {
                     }
                 },
                 icon = {
-                    if (topDestination == destination.direction.route) Icon(destination.iconSelected, stringResource(destination.label))
-                    else Icon(destination.iconNotSelected, stringResource(destination.label))
+                    if (isCurrentDestOnBackStack) {
+                        Icon(destination.iconSelected, stringResource(destination.label))
+                    } else {
+                        Icon(destination.iconNotSelected, stringResource(destination.label))
+                    }
                 },
                 label = { Text(stringResource(destination.label)) },
                 alwaysShowLabel = false

manager/app/src/main/java/me/weishu/kernelsu/ui/component/AboutCard.kt

@@ -0,0 +1,126 @@
+package me.weishu.kernelsu.ui.component
+
+import android.text.method.LinkMovementMethod
+import android.widget.TextView
+import androidx.compose.foundation.Image
+import androidx.compose.foundation.layout.Column
+import androidx.compose.foundation.layout.Row
+import androidx.compose.foundation.layout.Spacer
+import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.height
+import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.size
+import androidx.compose.foundation.layout.width
+import androidx.compose.foundation.shape.RoundedCornerShape
+import androidx.compose.material3.ElevatedCard
+import androidx.compose.material3.LocalContentColor
+import androidx.compose.material3.MaterialTheme
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.MutableState
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.toArgb
+import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.tooling.preview.Preview
+import androidx.compose.ui.unit.dp
+import androidx.compose.ui.unit.sp
+import androidx.compose.ui.viewinterop.AndroidView
+import androidx.compose.ui.window.Dialog
+import androidx.core.content.res.ResourcesCompat
+import androidx.core.text.HtmlCompat
+import com.google.accompanist.drawablepainter.rememberDrawablePainter
+import me.weishu.kernelsu.BuildConfig
+import me.weishu.kernelsu.R
+
+@Preview
+@Composable
+fun AboutCard() {
+    ElevatedCard(
+        modifier = Modifier
+            .fillMaxWidth(),
+        shape = RoundedCornerShape(8.dp),
+    ) {
+        Row(
+            modifier = Modifier
+                .fillMaxWidth()
+                .padding(24.dp)
+        ) {
+            AboutCardContent()
+        }
+    }
+}
+
+@Composable
+fun AboutDialog(showAboutDialog: MutableState<Boolean>) {
+    if (showAboutDialog.value) {
+        Dialog(onDismissRequest = { showAboutDialog.value = false }) {
+            AboutCard()
+        }
+    }
+}
+
+@Composable
+private fun AboutCardContent() {
+    Column(
+        modifier = Modifier
+            .fillMaxWidth()
+    ) {
+        val drawable = ResourcesCompat.getDrawable(
+            LocalContext.current.resources,
+            R.mipmap.ic_launcher,
+            LocalContext.current.theme
+        )
+
+        Row {
+            Image(
+                painter = rememberDrawablePainter(drawable),
+                contentDescription = "icon",
+                modifier = Modifier.size(40.dp)
+            )
+
+            Spacer(modifier = Modifier.width(12.dp))
+
+            Column {
+
+                Text(
+                    stringResource(id = R.string.app_name),
+                    style = MaterialTheme.typography.titleSmall,
+                    fontSize = 18.sp
+                )
+                Text(
+                    BuildConfig.VERSION_NAME,
+                    style = MaterialTheme.typography.bodySmall,
+                    fontSize = 14.sp
+                )
+
+                Spacer(modifier = Modifier.height(8.dp))
+
+                HtmlText(
+                    html = stringResource(
+                        id = R.string.about_source_code,
+                        "<b><a href=\"https://github.com/tiann/KernelSU\">GitHub</a></b>",
+                        "<b><a href=\"https://t.me/KernelSU\">Telegram</a></b>"
+                    )
+                )
+            }
+        }
+    }
+}
+
+@Composable
+fun HtmlText(html: String, modifier: Modifier = Modifier) {
+    val contentColor = LocalContentColor.current
+    AndroidView(
+        modifier = modifier,
+        factory = { context ->
+            TextView(context).also {
+                it.movementMethod = LinkMovementMethod.getInstance()
+            }
+        },
+        update = {
+            it.text = HtmlCompat.fromHtml(html, HtmlCompat.FROM_HTML_MODE_COMPACT)
+            it.setTextColor(contentColor.toArgb())
+        }
+    )
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/Dialog.kt

@@ -0,0 +1,269 @@
+package me.weishu.kernelsu.ui.component
+
+import androidx.compose.foundation.layout.Box
+import androidx.compose.foundation.layout.size
+import androidx.compose.foundation.shape.RoundedCornerShape
+import androidx.compose.material3.AlertDialog
+import androidx.compose.material3.CircularProgressIndicator
+import androidx.compose.material3.Surface
+import androidx.compose.material3.Text
+import androidx.compose.material3.TextButton
+import androidx.compose.runtime.*
+import androidx.compose.ui.Alignment
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.unit.dp
+import androidx.compose.ui.window.Dialog
+import androidx.compose.ui.window.DialogProperties
+import kotlinx.coroutines.CancellableContinuation
+import kotlinx.coroutines.coroutineScope
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.suspendCancellableCoroutine
+import kotlinx.coroutines.sync.Mutex
+import kotlinx.coroutines.sync.withLock
+import me.weishu.kernelsu.ui.util.LocalDialogHost
+import kotlin.coroutines.resume
+
+interface DialogVisuals
+
+interface LoadingDialogVisuals : DialogVisuals
+
+interface PromptDialogVisuals : DialogVisuals {
+    val title: String
+    val content: String
+}
+
+interface ConfirmDialogVisuals : PromptDialogVisuals {
+    val confirm: String?
+    val dismiss: String?
+}
+
+
+sealed interface DialogData {
+    val visuals: DialogVisuals
+}
+
+interface LoadingDialogData : DialogData {
+    override val visuals: LoadingDialogVisuals
+    fun dismiss()
+}
+
+interface PromptDialogData : DialogData {
+    override val visuals: PromptDialogVisuals
+    fun dismiss()
+}
+
+interface ConfirmDialogData : PromptDialogData {
+    override val visuals: ConfirmDialogVisuals
+    fun confirm()
+}
+
+sealed interface ConfirmResult {
+    object Confirmed : ConfirmResult
+    object Canceled : ConfirmResult
+}
+
+class DialogHostState {
+
+    private object LoadingDialogVisualsImpl : LoadingDialogVisuals
+
+    private data class PromptDialogVisualsImpl(
+        override val title: String,
+        override val content: String
+    ) : PromptDialogVisuals
+
+    private data class ConfirmDialogVisualsImpl(
+        override val title: String,
+        override val content: String,
+        override val confirm: String?,
+        override val dismiss: String?
+    ) : ConfirmDialogVisuals
+
+    private data class LoadingDialogDataImpl(
+        override val visuals: LoadingDialogVisuals,
+        private val continuation: CancellableContinuation<Unit>,
+    ) : LoadingDialogData {
+        override fun dismiss() {
+            if (continuation.isActive) continuation.resume(Unit)
+        }
+    }
+
+    private data class PromptDialogDataImpl(
+        override val visuals: PromptDialogVisuals,
+        private val continuation: CancellableContinuation<Unit>,
+    ) : PromptDialogData {
+        override fun dismiss() {
+            if (continuation.isActive) continuation.resume(Unit)
+        }
+    }
+
+    private data class ConfirmDialogDataImpl(
+        override val visuals: ConfirmDialogVisuals,
+        private val continuation: CancellableContinuation<ConfirmResult>
+    ) : ConfirmDialogData {
+
+        override fun confirm() {
+            if (continuation.isActive) continuation.resume(ConfirmResult.Confirmed)
+        }
+
+        override fun dismiss() {
+            if (continuation.isActive) continuation.resume(ConfirmResult.Canceled)
+        }
+    }
+
+    private val mutex = Mutex()
+
+    var currentDialogData by mutableStateOf<DialogData?>(null)
+        private set
+
+    suspend fun showLoading() {
+        try {
+            mutex.withLock {
+                suspendCancellableCoroutine { continuation ->
+                    currentDialogData = LoadingDialogDataImpl(
+                        visuals = LoadingDialogVisualsImpl,
+                        continuation = continuation
+                    )
+                }
+            }
+        } finally {
+            currentDialogData = null
+        }
+    }
+
+    suspend fun <R> withLoading(block: suspend () -> R) = coroutineScope {
+        val showLoading = launch {
+            showLoading()
+        }
+
+        val result = block()
+
+        showLoading.cancel()
+
+        result
+    }
+
+    suspend fun showPrompt(title: String, content: String) {
+        try {
+            mutex.withLock {
+                suspendCancellableCoroutine { continuation ->
+                    currentDialogData = PromptDialogDataImpl(
+                        visuals = PromptDialogVisualsImpl(title, content),
+                        continuation = continuation
+                    )
+                }
+            }
+        } finally {
+            currentDialogData = null
+        }
+    }
+
+    suspend fun showConfirm(
+        title: String,
+        content: String,
+        confirm: String? = null,
+        dismiss: String? = null
+    ): ConfirmResult = mutex.withLock {
+        try {
+            return@withLock suspendCancellableCoroutine { continuation ->
+                currentDialogData = ConfirmDialogDataImpl(
+                    visuals = ConfirmDialogVisualsImpl(title, content, confirm, dismiss),
+                    continuation = continuation
+                )
+            }
+        } finally {
+            currentDialogData = null
+        }
+    }
+}
+
+@Composable
+fun rememberDialogHostState(): DialogHostState {
+    return remember {
+        DialogHostState()
+    }
+}
+
+private inline fun <reified T : DialogData> DialogData?.tryInto(): T? {
+    return when (this) {
+        is T -> this
+        else -> null
+    }
+}
+
+@Composable
+fun LoadingDialog(
+    state: DialogHostState = LocalDialogHost.current,
+) {
+    state.currentDialogData.tryInto<LoadingDialogData>() ?: return
+    val dialogProperties = remember {
+        DialogProperties(dismissOnClickOutside = false, dismissOnBackPress = false)
+    }
+    Dialog(onDismissRequest = {}, properties = dialogProperties) {
+        Surface(
+            modifier = Modifier
+                .size(100.dp),
+            shape = RoundedCornerShape(8.dp)
+        ) {
+            Box(
+                contentAlignment = Alignment.Center,
+            ) {
+                CircularProgressIndicator()
+            }
+        }
+    }
+}
+
+@Composable
+fun PromptDialog(
+    state: DialogHostState = LocalDialogHost.current,
+) {
+    val promptDialogData = state.currentDialogData.tryInto<PromptDialogData>() ?: return
+
+    val visuals = promptDialogData.visuals
+    AlertDialog(
+        onDismissRequest = {
+            promptDialogData.dismiss()
+        },
+        title = {
+            Text(text = visuals.title)
+        },
+        text = {
+            Text(text = visuals.content)
+        },
+        confirmButton = {
+            TextButton(onClick = { promptDialogData.dismiss() }) {
+                Text(text = stringResource(id = android.R.string.ok))
+            }
+        },
+        dismissButton = null,
+    )
+}
+
+@Composable
+fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
+    val confirmDialogData = state.currentDialogData.tryInto<ConfirmDialogData>() ?: return
+
+    val visuals = confirmDialogData.visuals
+    AlertDialog(
+        onDismissRequest = {
+            confirmDialogData.dismiss()
+        },
+        title = {
+            Text(text = visuals.title)
+        },
+        text = {
+            Text(text = visuals.content)
+        },
+        confirmButton = {
+            TextButton(onClick = { confirmDialogData.confirm() }) {
+                Text(text = visuals.confirm ?: stringResource(id = android.R.string.ok))
+            }
+        },
+        dismissButton = {
+            TextButton(onClick = { confirmDialogData.dismiss() }) {
+                Text(text = visuals.dismiss ?: stringResource(id = android.R.string.cancel))
+            }
+        },
+    )
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SearchBar.kt

@@ -13,8 +13,19 @@ import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.Close
 import androidx.compose.material.icons.filled.Search
 import androidx.compose.material.icons.outlined.ArrowBack
-import androidx.compose.material3.*
-import androidx.compose.runtime.*
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.Icon
+import androidx.compose.material3.IconButton
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.material3.TopAppBar
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.DisposableEffect
+import androidx.compose.runtime.LaunchedEffect
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.ExperimentalComposeUiApi
 import androidx.compose.ui.Modifier
@@ -36,7 +47,8 @@ fun SearchAppBar(
     onSearchTextChange: (String) -> Unit,
     onClearClick: () -> Unit,
     onBackClick: (() -> Unit)? = null,
-    onConfirm: (() -> Unit)? = null
+    onConfirm: (() -> Unit)? = null,
+    dropdownContent: @Composable (() -> Unit)? = null,
 ) {
     val keyboardController = LocalSoftwareKeyboardController.current
     val focusRequester = remember { FocusRequester() }
@@ -116,6 +128,11 @@ fun SearchAppBar(
                     content = { Icon(Icons.Filled.Search, null) }
                 )
             }
+
+            if (dropdownContent != null) {
+                dropdownContent()
+            }
+
         }
     )
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SettingsItem.kt

@@ -0,0 +1,52 @@
+package me.weishu.kernelsu.ui.component
+
+import androidx.compose.material3.Icon
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.RadioButton
+import androidx.compose.material3.Switch
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.ui.graphics.vector.ImageVector
+
+@Composable
+fun SwitchItem(
+    icon: ImageVector? = null,
+    title: String,
+    summary: String? = null,
+    checked: Boolean,
+    enabled: Boolean = true,
+    onCheckedChange: (Boolean) -> Unit
+) {
+    ListItem(
+        headlineContent = {
+            Text(title)
+        },
+        leadingContent = icon?.let {
+            { Icon(icon, title) }
+        },
+        trailingContent = {
+            Switch(checked = checked, enabled = enabled, onCheckedChange = onCheckedChange)
+        },
+        supportingContent = {
+            if (summary != null) {
+                Text(summary)
+            }
+        }
+    )
+}
+
+@Composable
+fun RadioItem(
+    title: String,
+    selected: Boolean,
+    onClick: () -> Unit,
+) {
+    ListItem(
+        headlineContent = {
+            Text(title)
+        },
+        leadingContent = {
+            RadioButton(selected = selected, onClick = onClick)
+        },
+    )
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/AppProfileConfig.kt

@@ -0,0 +1,63 @@
+package me.weishu.kernelsu.ui.component.profile
+
+import androidx.compose.foundation.layout.Column
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.tooling.preview.Preview
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.SwitchItem
+
+@Composable
+fun AppProfileConfig(
+    modifier: Modifier = Modifier,
+    fixedName: Boolean,
+    enabled: Boolean,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    Column(modifier = modifier) {
+        if (!fixedName) {
+            OutlinedTextField(
+                label = { Text(stringResource(R.string.profile_name)) },
+                value = profile.name,
+                onValueChange = { onProfileChange(profile.copy(name = it)) }
+            )
+        }
+
+        SwitchItem(
+            title = stringResource(R.string.profile_umount_modules),
+            summary = stringResource(R.string.profile_umount_modules_summary),
+            checked = if (enabled) {
+                profile.umountModules
+            } else {
+                Natives.isDefaultUmountModules()
+            },
+            enabled = enabled,
+            onCheckedChange = {
+                onProfileChange(
+                    profile.copy(
+                        umountModules = it,
+                        nonRootUseDefault = false
+                    )
+                )
+            }
+        )
+    }
+}
+
+@Preview
+@Composable
+private fun AppProfileConfigPreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    AppProfileConfig(fixedName = true, enabled = false, profile = profile) {
+        profile = it
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/RootProfileConfig.kt

@@ -0,0 +1,464 @@
+@file:OptIn(ExperimentalMaterial3Api::class)
+
+package me.weishu.kernelsu.ui.component.profile
+
+import androidx.compose.foundation.clickable
+import androidx.compose.foundation.layout.Column
+import androidx.compose.foundation.layout.ExperimentalLayoutApi
+import androidx.compose.foundation.layout.FlowRow
+import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.text.KeyboardActions
+import androidx.compose.foundation.text.KeyboardOptions
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.ArrowDropDown
+import androidx.compose.material.icons.filled.ArrowDropUp
+import androidx.compose.material3.AssistChip
+import androidx.compose.material3.DropdownMenuItem
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.ExposedDropdownMenuBox
+import androidx.compose.material3.Icon
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.MaterialTheme
+import androidx.compose.material3.OutlinedCard
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.material3.TextFieldDefaults
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.ExperimentalComposeUiApi
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalSoftwareKeyboardController
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.input.ImeAction
+import androidx.compose.ui.text.input.KeyboardType
+import androidx.compose.ui.tooling.preview.Preview
+import androidx.compose.ui.unit.dp
+import androidx.core.text.isDigitsOnly
+import com.maxkeppeker.sheets.core.models.base.Header
+import com.maxkeppeker.sheets.core.models.base.rememberUseCaseState
+import com.maxkeppeler.sheets.input.InputDialog
+import com.maxkeppeler.sheets.input.models.InputHeader
+import com.maxkeppeler.sheets.input.models.InputSelection
+import com.maxkeppeler.sheets.input.models.InputTextField
+import com.maxkeppeler.sheets.input.models.InputTextFieldType
+import com.maxkeppeler.sheets.input.models.ValidationResult
+import com.maxkeppeler.sheets.list.ListDialog
+import com.maxkeppeler.sheets.list.models.ListOption
+import com.maxkeppeler.sheets.list.models.ListSelection
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.profile.Capabilities
+import me.weishu.kernelsu.profile.Groups
+import me.weishu.kernelsu.ui.util.isSepolicyValid
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+fun RootProfileConfig(
+    modifier: Modifier = Modifier,
+    fixedName: Boolean,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    Column(modifier = modifier) {
+        if (!fixedName) {
+            OutlinedTextField(
+                label = { Text(stringResource(R.string.profile_name)) },
+                value = profile.name,
+                onValueChange = { onProfileChange(profile.copy(name = it)) }
+            )
+        }
+
+        var expanded by remember { mutableStateOf(false) }
+        val currentNamespace = when (profile.namespace) {
+            Natives.Profile.Namespace.Inherited.ordinal -> stringResource(R.string.profile_namespace_inherited)
+            Natives.Profile.Namespace.Global.ordinal -> stringResource(R.string.profile_namespace_global)
+            Natives.Profile.Namespace.Individual.ordinal -> stringResource(R.string.profile_namespace_individual)
+            else -> stringResource(R.string.profile_namespace_inherited)
+        }
+        ListItem(headlineContent = {
+            ExposedDropdownMenuBox(
+                expanded = expanded,
+                onExpandedChange = { expanded = !expanded }
+            ) {
+                OutlinedTextField(
+                    modifier = Modifier
+                        .menuAnchor()
+                        .fillMaxWidth(),
+                    readOnly = true,
+                    label = { Text(stringResource(R.string.profile_namespace)) },
+                    value = currentNamespace,
+                    onValueChange = {},
+                    trailingIcon = {
+                        if (expanded) Icon(Icons.Filled.ArrowDropUp, null)
+                        else Icon(Icons.Filled.ArrowDropDown, null)
+                    },
+                )
+                ExposedDropdownMenu(
+                    expanded = expanded,
+                    onDismissRequest = { expanded = false }
+                ) {
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_inherited)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Inherited.ordinal))
+                            expanded = false
+                        },
+                    )
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_global)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Global.ordinal))
+                            expanded = false
+                        },
+                    )
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_individual)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Individual.ordinal))
+                            expanded = false
+                        },
+                    )
+                }
+            }
+        })
+
+        UidPanel(uid = profile.uid, label = "uid", onUidChange = {
+            onProfileChange(
+                profile.copy(
+                    uid = it,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+        UidPanel(uid = profile.gid, label = "gid", onUidChange = {
+            onProfileChange(
+                profile.copy(
+                    gid = it,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+        val selectedGroups = profile.groups.ifEmpty { listOf(0) }.let { e ->
+            e.mapNotNull { g ->
+                Groups.values().find { it.gid == g }
+            }
+        }
+        GroupsPanel(selectedGroups) {
+            onProfileChange(
+                profile.copy(
+                    groups = it.map { group -> group.gid }.ifEmpty { listOf(0) },
+                    rootUseDefault = false
+                )
+            )
+        }
+
+        val selectedCaps = profile.capabilities.mapNotNull { e ->
+            Capabilities.values().find { it.cap == e }
+        }
+
+        CapsPanel(selectedCaps) {
+            onProfileChange(
+                profile.copy(
+                    capabilities = it.map { cap -> cap.cap },
+                    rootUseDefault = false
+                )
+            )
+        }
+
+        SELinuxPanel(profile = profile, onSELinuxChange = { domain, rules ->
+            onProfileChange(
+                profile.copy(
+                    context = domain,
+                    rules = rules,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+    }
+}
+
+@OptIn(ExperimentalLayoutApi::class)
+@Composable
+fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>) -> Unit) {
+
+    var showDialog by remember { mutableStateOf(false) }
+
+    if (showDialog) {
+        val groups = Groups.values()
+        val options = groups.map { value ->
+            ListOption(
+                titleText = value.display,
+                subtitleText = value.desc,
+                selected = selected.contains(value),
+            )
+        }
+
+        val selection = HashSet(selected)
+        ListDialog(
+            state = rememberUseCaseState(visible = true, onFinishedRequest = {
+                closeSelection(selection)
+            }, onCloseRequest = {
+                showDialog = false
+            }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_groups),
+            ),
+            selection = ListSelection.Multiple(
+                showCheckBoxes = true,
+                options = options,
+                maxChoices = 32, // Kernel only supports 32 groups at most
+            ) { indecies, _ ->
+                // Handle selection
+                selection.clear()
+                indecies.forEach { index ->
+                    val group = groups[index]
+                    selection.add(group)
+                }
+            }
+        )
+    }
+
+    OutlinedCard(modifier = Modifier
+        .fillMaxWidth()
+        .padding(16.dp)
+        .clickable {
+            showDialog = true
+        }) {
+
+        Column(modifier = Modifier.padding(16.dp)) {
+            Text(stringResource(R.string.profile_groups))
+            FlowRow {
+                selected.forEach { group ->
+                    AssistChip(
+                        modifier = Modifier.padding(3.dp),
+                        onClick = { /*TODO*/ },
+                        label = { Text(group.display) })
+                }
+            }
+        }
+
+    }
+}
+
+@OptIn(ExperimentalLayoutApi::class)
+@Composable
+fun CapsPanel(
+    selected: Collection<Capabilities>,
+    closeSelection: (selection: Set<Capabilities>) -> Unit
+) {
+
+    var showDialog by remember { mutableStateOf(false) }
+
+    if (showDialog) {
+        val caps = Capabilities.values()
+        val options = caps.map { value ->
+            ListOption(
+                titleText = value.display,
+                subtitleText = value.desc,
+                selected = selected.contains(value),
+            )
+        }
+
+        val selection = HashSet(selected)
+        ListDialog(
+            state = rememberUseCaseState(visible = true, onFinishedRequest = {
+                closeSelection(selection)
+            }, onCloseRequest = {
+                showDialog = false
+            }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_capabilities),
+            ),
+            selection = ListSelection.Multiple(
+                showCheckBoxes = true,
+                options = options
+            ) { indecies, _ ->
+                // Handle selection
+                selection.clear()
+                indecies.forEach { index ->
+                    val group = caps[index]
+                    selection.add(group)
+                }
+            }
+        )
+    }
+
+    OutlinedCard(modifier = Modifier
+        .fillMaxWidth()
+        .padding(16.dp)
+        .clickable {
+            showDialog = true
+        }) {
+
+        Column(modifier = Modifier.padding(16.dp)) {
+            Text(stringResource(R.string.profile_capabilities))
+            FlowRow {
+                selected.forEach { group ->
+                    AssistChip(
+                        modifier = Modifier.padding(3.dp),
+                        onClick = { /*TODO*/ },
+                        label = { Text(group.display) })
+                }
+            }
+        }
+
+    }
+}
+
+@OptIn(ExperimentalComposeUiApi::class)
+@Composable
+private fun UidPanel(uid: Int, label: String, onUidChange: (Int) -> Unit) {
+
+    ListItem(headlineContent = {
+        var isError by remember {
+            mutableStateOf(false)
+        }
+        var lastValidUid by remember {
+            mutableStateOf(uid)
+        }
+
+        val keyboardController = LocalSoftwareKeyboardController.current
+        OutlinedTextField(
+            modifier = Modifier.fillMaxWidth(),
+            label = { Text(label) },
+            value = uid.toString(),
+            isError = isError,
+            keyboardOptions = KeyboardOptions(
+                keyboardType = KeyboardType.Number,
+                imeAction = ImeAction.Done
+            ),
+            keyboardActions = KeyboardActions(onDone = {
+                keyboardController?.hide()
+            }),
+            onValueChange = {
+                if (it.isEmpty()) {
+                    onUidChange(0)
+                    return@OutlinedTextField
+                }
+                val valid = isTextValidUid(it)
+
+                val targetUid = if (valid) it.toInt() else lastValidUid
+                if (valid) {
+                    lastValidUid = it.toInt()
+                }
+
+                onUidChange(targetUid)
+
+                isError = !valid
+            }
+        )
+    })
+}
+
+@Composable
+private fun SELinuxPanel(
+    profile: Natives.Profile,
+    onSELinuxChange: (domain: String, rules: String) -> Unit
+) {
+    var showDialog by remember { mutableStateOf(false) }
+    if (showDialog) {
+        var domain by remember { mutableStateOf(profile.context) }
+        var rules by remember { mutableStateOf(profile.rules) }
+
+        val inputOptions = listOf(
+            InputTextField(
+                text = domain,
+                header = InputHeader(
+                    title = stringResource(id = R.string.profile_selinux_domain),
+                ),
+                type = InputTextFieldType.OUTLINED,
+                required = true,
+                keyboardOptions = KeyboardOptions(
+                    keyboardType = KeyboardType.Ascii,
+                    imeAction = ImeAction.Next
+                ),
+                resultListener = {
+                    domain = it ?: ""
+                },
+                validationListener = { value ->
+                    // value can be a-zA-Z0-9_
+                    val regex = Regex("^[a-z_]+:[a-z0-9_]+:[a-z0-9_]+(:[a-z0-9_]+)?$")
+                    if (value?.matches(regex) == true) ValidationResult.Valid
+                    else ValidationResult.Invalid("Domain must be in the format of \"user:role:type:level\"")
+                }
+            ),
+            InputTextField(
+                text = rules,
+                header = InputHeader(
+                    title = stringResource(id = R.string.profile_selinux_rules),
+                ),
+                type = InputTextFieldType.OUTLINED,
+                keyboardOptions = KeyboardOptions(
+                    keyboardType = KeyboardType.Ascii,
+                ),
+                singleLine = false,
+                resultListener = {
+                    rules = it ?: ""
+                },
+                validationListener = { value ->
+                    if (isSepolicyValid(value)) ValidationResult.Valid
+                    else ValidationResult.Invalid("SELinux rules is invalid!")
+                }
+            )
+        )
+
+        InputDialog(
+            state = rememberUseCaseState(visible = true,
+                onFinishedRequest = {
+                    onSELinuxChange(domain, rules)
+                },
+                onCloseRequest = {
+                    showDialog = false
+                }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_selinux_context),
+            ),
+            selection = InputSelection(
+                input = inputOptions,
+                onPositiveClick = { result ->
+                    // Handle selection
+                },
+            )
+        )
+    }
+
+    ListItem(headlineContent = {
+        OutlinedTextField(
+            modifier = Modifier
+                .fillMaxWidth()
+                .clickable {
+                    showDialog = true
+                },
+            enabled = false,
+            colors = TextFieldDefaults.outlinedTextFieldColors(
+                disabledTextColor = MaterialTheme.colorScheme.onSurface,
+                disabledBorderColor = MaterialTheme.colorScheme.outline,
+                disabledPlaceholderColor = MaterialTheme.colorScheme.onSurfaceVariant,
+                disabledLabelColor = MaterialTheme.colorScheme.onSurfaceVariant
+            ),
+            label = { Text(text = stringResource(R.string.profile_selinux_context)) },
+            value = profile.context,
+            onValueChange = { },
+        )
+    })
+}
+
+@Preview
+@Composable
+private fun RootProfileConfigPreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    RootProfileConfig(fixedName = true, profile = profile) {
+        profile = it
+    }
+}
+
+private fun isTextValidUid(text: String): Boolean {
+    return text.isNotEmpty() && text.isDigitsOnly() && text.toInt() >= 0 && text.toInt() <= Int.MAX_VALUE
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/AppProfile.kt

@@ -0,0 +1,391 @@
+package me.weishu.kernelsu.ui.screen
+
+import androidx.annotation.StringRes
+import androidx.compose.animation.Crossfade
+import androidx.compose.foundation.gestures.detectTapGestures
+import androidx.compose.foundation.layout.Arrangement
+import androidx.compose.foundation.layout.BoxWithConstraints
+import androidx.compose.foundation.layout.Column
+import androidx.compose.foundation.layout.Row
+import androidx.compose.foundation.layout.fillMaxSize
+import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.height
+import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.width
+import androidx.compose.foundation.rememberScrollState
+import androidx.compose.foundation.verticalScroll
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.AccountCircle
+import androidx.compose.material.icons.filled.Android
+import androidx.compose.material.icons.filled.ArrowBack
+import androidx.compose.material.icons.filled.ArrowDropDown
+import androidx.compose.material.icons.filled.ArrowDropUp
+import androidx.compose.material.icons.filled.Security
+import androidx.compose.material3.Divider
+import androidx.compose.material3.DropdownMenu
+import androidx.compose.material3.DropdownMenuItem
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.ExposedDropdownMenuBox
+import androidx.compose.material3.FilterChip
+import androidx.compose.material3.Icon
+import androidx.compose.material3.IconButton
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Scaffold
+import androidx.compose.material3.Text
+import androidx.compose.material3.TopAppBar
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.rememberCoroutineScope
+import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.geometry.Offset
+import androidx.compose.ui.input.pointer.pointerInput
+import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalDensity
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.tooling.preview.Preview
+import androidx.compose.ui.unit.Dp
+import androidx.compose.ui.unit.DpOffset
+import androidx.compose.ui.unit.dp
+import coil.compose.AsyncImage
+import coil.request.ImageRequest
+import com.ramcosta.composedestinations.annotation.Destination
+import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.launch
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.SwitchItem
+import me.weishu.kernelsu.ui.component.profile.AppProfileConfig
+import me.weishu.kernelsu.ui.component.profile.RootProfileConfig
+import me.weishu.kernelsu.ui.util.LocalSnackbarHost
+import me.weishu.kernelsu.ui.util.forceStopApp
+import me.weishu.kernelsu.ui.util.getSepolicy
+import me.weishu.kernelsu.ui.util.launchApp
+import me.weishu.kernelsu.ui.util.restartApp
+import me.weishu.kernelsu.ui.util.setSepolicy
+import me.weishu.kernelsu.ui.viewmodel.SuperUserViewModel
+
+/**
+ * @author weishu
+ * @date 2023/5/16.
+ */
+@Destination
+@Composable
+fun AppProfileScreen(
+    navigator: DestinationsNavigator,
+    appInfo: SuperUserViewModel.AppInfo,
+) {
+    val context = LocalContext.current
+    val snackbarHost = LocalSnackbarHost.current
+    val scope = rememberCoroutineScope()
+    val failToUpdateAppProfile =
+        stringResource(R.string.failed_to_update_app_profile).format(appInfo.label)
+    val failToUpdateSepolicy =
+        stringResource(R.string.failed_to_update_sepolicy).format(appInfo.label)
+
+    val packageName = appInfo.packageName
+    val initialProfile = Natives.getAppProfile(packageName, appInfo.uid)
+    if (initialProfile.allowSu) {
+        initialProfile.rules = getSepolicy(packageName)
+    }
+    var profile by rememberSaveable {
+        mutableStateOf(initialProfile)
+    }
+
+    Scaffold(
+        topBar = { TopBar { navigator.popBackStack() } },
+    ) { paddingValues ->
+        AppProfileInner(
+            modifier = Modifier
+                .padding(paddingValues)
+                .verticalScroll(rememberScrollState()),
+            packageName = appInfo.packageName,
+            appLabel = appInfo.label,
+            appIcon = {
+                AsyncImage(
+                    model = ImageRequest.Builder(context)
+                        .data(appInfo.packageInfo)
+                        .crossfade(true)
+                        .build(),
+                    contentDescription = appInfo.label,
+                    modifier = Modifier
+                        .padding(4.dp)
+                        .width(48.dp)
+                        .height(48.dp)
+                )
+            },
+            profile = profile,
+            onProfileChange = {
+                scope.launch {
+                    if (it.allowSu && !it.rootUseDefault && it.rules.isNotEmpty()) {
+                        if (!setSepolicy(profile.name, it.rules)) {
+                            snackbarHost.showSnackbar(failToUpdateSepolicy)
+                            return@launch
+                        }
+                    }
+                    if (!Natives.setAppProfile(it)) {
+                        snackbarHost.showSnackbar(failToUpdateAppProfile.format(appInfo.uid))
+                    } else {
+                        profile = it
+                    }
+                }
+            },
+        )
+    }
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun AppProfileInner(
+    modifier: Modifier = Modifier,
+    packageName: String,
+    appLabel: String,
+    appIcon: @Composable () -> Unit,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    val isRootGranted = profile.allowSu
+
+    Column(modifier = modifier) {
+        AppMenuBox(packageName) {
+            ListItem(
+                headlineContent = { Text(appLabel) },
+                supportingContent = { Text(packageName) },
+                leadingContent = appIcon,
+            )
+        }
+
+        SwitchItem(
+            icon = Icons.Filled.Security,
+            title = stringResource(id = R.string.superuser),
+            checked = isRootGranted,
+            onCheckedChange = { onProfileChange(profile.copy(allowSu = it)) },
+        )
+
+        Crossfade(targetState = isRootGranted, label = "") { current ->
+            Column {
+                if (current) {
+                    val initialMode = if (profile.rootUseDefault) {
+                        Mode.Default
+                    } else if (profile.rootTemplate != null) {
+                        Mode.Template
+                    } else {
+                        Mode.Custom
+                    }
+                    var mode by remember {
+                        mutableStateOf(initialMode)
+                    }
+                    ProfileBox(mode, false) {
+                        // template mode shouldn't change profile here!
+                        if (it == Mode.Default || it == Mode.Custom) {
+                            onProfileChange(profile.copy(rootUseDefault = it == Mode.Default))
+                        }
+                        mode = it
+                    }
+                    Crossfade(targetState = mode, label = "") { currentMode ->
+                        if (currentMode == Mode.Template) {
+                            var expanded by remember { mutableStateOf(false) }
+                            val templateNone = "None"
+                            var template by rememberSaveable {
+                                mutableStateOf(
+                                    profile.rootTemplate
+                                        ?: templateNone
+                                )
+                            }
+                            ListItem(headlineContent = {
+                                ExposedDropdownMenuBox(
+                                    expanded = expanded,
+                                    onExpandedChange = { expanded = it },
+                                ) {
+                                    OutlinedTextField(
+                                        modifier = Modifier.menuAnchor(),
+                                        readOnly = true,
+                                        label = { Text(stringResource(R.string.profile_template)) },
+                                        value = template,
+                                        onValueChange = {
+                                            if (template != templateNone) {
+                                                onProfileChange(
+                                                    profile.copy(
+                                                        rootTemplate = it,
+                                                        rootUseDefault = false
+                                                    )
+                                                )
+                                                template = it
+                                            }
+                                        },
+                                        trailingIcon = {
+                                            if (expanded) Icon(Icons.Filled.ArrowDropUp, null)
+                                            else Icon(Icons.Filled.ArrowDropDown, null)
+                                        },
+                                    )
+                                    // TODO: Template
+                                }
+                            })
+                        } else if (mode == Mode.Custom) {
+                            RootProfileConfig(
+                                fixedName = true,
+                                profile = profile,
+                                onProfileChange = onProfileChange
+                            )
+                        }
+                    }
+                } else {
+                    val mode = if (profile.nonRootUseDefault) Mode.Default else Mode.Custom
+                    ProfileBox(mode, false) {
+                        onProfileChange(profile.copy(nonRootUseDefault = (it == Mode.Default)))
+                    }
+                    Crossfade(targetState = mode, label = "") { currentMode ->
+                        val modifyEnabled = currentMode == Mode.Custom
+                        AppProfileConfig(
+                            fixedName = true,
+                            profile = profile,
+                            enabled = modifyEnabled,
+                            onProfileChange = onProfileChange
+                        )
+                    }
+                }
+            }
+        }
+    }
+}
+
+private enum class Mode(@StringRes private val res: Int) {
+    Default(R.string.profile_default),
+    Template(R.string.profile_template),
+    Custom(R.string.profile_custom);
+
+    val text: String
+        @Composable get() = stringResource(res)
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun TopBar(onBack: () -> Unit) {
+    TopAppBar(
+        title = {
+            Text(stringResource(R.string.profile))
+        },
+        navigationIcon = {
+            IconButton(
+                onClick = onBack
+            ) { Icon(Icons.Filled.ArrowBack, contentDescription = null) }
+        },
+    )
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun ProfileBox(
+    mode: Mode,
+    hasTemplate: Boolean,
+    onModeChange: (Mode) -> Unit,
+) {
+    ListItem(
+        headlineContent = { Text(stringResource(R.string.profile)) },
+        supportingContent = { Text(mode.text) },
+        leadingContent = { Icon(Icons.Filled.AccountCircle, null) },
+    )
+    Divider(thickness = Dp.Hairline)
+    ListItem(headlineContent = {
+        Row(
+            modifier = Modifier.fillMaxWidth(),
+            horizontalArrangement = Arrangement.SpaceEvenly
+        ) {
+            FilterChip(
+                selected = mode == Mode.Default,
+                label = { Text(stringResource(R.string.profile_default)) },
+                onClick = { onModeChange(Mode.Default) },
+            )
+            if (hasTemplate) {
+                FilterChip(
+                    selected = mode == Mode.Template,
+                    label = { Text(stringResource(R.string.profile_template)) },
+                    onClick = { onModeChange(Mode.Template) },
+                )
+            }
+            FilterChip(
+                selected = mode == Mode.Custom,
+                label = { Text(stringResource(R.string.profile_custom)) },
+                onClick = { onModeChange(Mode.Custom) },
+            )
+        }
+    })
+}
+
+@Composable
+private fun AppMenuBox(packageName: String, content: @Composable () -> Unit) {
+
+    var expanded by remember { mutableStateOf(false) }
+    var touchPoint: Offset by remember { mutableStateOf(Offset.Zero) }
+    val density = LocalDensity.current
+
+    BoxWithConstraints(
+        Modifier
+            .fillMaxSize()
+            .pointerInput(Unit) {
+                detectTapGestures {
+                    touchPoint = it
+                    expanded = true
+                }
+            }
+    ) {
+
+        content()
+
+        val (offsetX, offsetY) = with(density) {
+            (touchPoint.x.toDp()) to (touchPoint.y.toDp())
+        }
+
+        DropdownMenu(
+            expanded = expanded,
+            offset = DpOffset(offsetX, -offsetY),
+            onDismissRequest = {
+                expanded = false
+            },
+        ) {
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.launch_app)) },
+                onClick = {
+                    expanded = false
+                    launchApp(packageName)
+                },
+            )
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.force_stop_app)) },
+                onClick = {
+                    expanded = false
+                    forceStopApp(packageName)
+                },
+            )
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.restart_app)) },
+                onClick = {
+                    expanded = false
+                    restartApp(packageName)
+                },
+            )
+        }
+    }
+
+
+}
+
+@Preview
+@Composable
+private fun AppProfilePreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    AppProfileInner(
+        packageName = "icu.nullptr.test",
+        appLabel = "Test",
+        appIcon = { Icon(Icons.Filled.Android, null) },
+        profile = profile,
+        onProfileChange = {
+            profile = it
+        },
+    )
+}
+

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/BottomBarDestination.kt

@@ -15,9 +15,10 @@ enum class BottomBarDestination(
     val direction: DirectionDestinationSpec,
     @StringRes val label: Int,
     val iconSelected: ImageVector,
-    val iconNotSelected: ImageVector
+    val iconNotSelected: ImageVector,
+    val rootRequired: Boolean,
 ) {
-    Home(HomeScreenDestination, R.string.home, Icons.Filled.Home, Icons.Outlined.Home),
-    SuperUser(SuperUserScreenDestination, R.string.superuser, Icons.Filled.Security, Icons.Outlined.Security),
-    Module(ModuleScreenDestination, R.string.module, Icons.Filled.Apps, Icons.Outlined.Apps)
+    Home(HomeScreenDestination, R.string.home, Icons.Filled.Home, Icons.Outlined.Home, false),
+    SuperUser(SuperUserScreenDestination, R.string.superuser, Icons.Filled.Security, Icons.Outlined.Security, true),
+    Module(ModuleScreenDestination, R.string.module, Icons.Filled.Apps, Icons.Outlined.Apps, true)
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Home.kt

@@ -1,7 +1,5 @@
 package me.weishu.kernelsu.ui.screen
 
-import android.content.ClipData
-import android.content.ClipboardManager
 import android.content.Context
 import android.os.Build
 import android.os.PowerManager
@@ -21,7 +19,9 @@ import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalUriHandler
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.tooling.preview.Preview
@@ -29,27 +29,22 @@ import androidx.compose.ui.unit.dp
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.annotation.RootNavGraph
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
-import kotlinx.coroutines.launch
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.*
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.screen.destinations.SettingScreenDestination
-import me.weishu.kernelsu.ui.util.LocalSnackbarHost
-import me.weishu.kernelsu.ui.util.reboot
-import me.weishu.kernelsu.ui.util.getSELinuxStatus
-import me.weishu.kernelsu.ui.util.install
+import me.weishu.kernelsu.ui.util.*
 
-@OptIn(ExperimentalMaterial3Api::class)
 @RootNavGraph(start = true)
 @Destination
 @Composable
 fun HomeScreen(navigator: DestinationsNavigator) {
-    Scaffold(
-        topBar = {
-            TopBar(onSettingsClick = {
-                navigator.navigate(SettingScreenDestination)
-            })
-        }
-    ) { innerPadding ->
+    Scaffold(topBar = {
+        TopBar(onSettingsClick = {
+            navigator.navigate(SettingScreenDestination)
+        })
+    }) { innerPadding ->
         Column(
             modifier = Modifier
                 .padding(innerPadding)
@@ -62,15 +57,47 @@ fun HomeScreen(navigator: DestinationsNavigator) {
             SideEffect {
                 if (isManager) install()
             }
-            val ksuVersion = if (isManager) Natives.getVersion() else null
+            val ksuVersion = if (isManager) Natives.version else null
 
             StatusCard(kernelVersion, ksuVersion)
+            if (isManager && Natives.requireNewKernel()) {
+                WarningCard(
+                    stringResource(id = R.string.require_kernel_version).format(
+                        ksuVersion, Natives.MINIMAL_SUPPORTED_KERNEL
+                    )
+                )
+            }
+            UpdateCard()
             InfoCard()
+            DonateCard()
+            LearnMoreCard()
             Spacer(Modifier)
         }
     }
 }
 
+@Composable
+fun UpdateCard() {
+    val context = LocalContext.current
+    val newVersion by produceState(initialValue = 0 to "") {
+        value = withContext(Dispatchers.IO) { checkNewVersion() }
+    }
+    val currentVersionCode = getManagerVersion(context).second
+    val newVersionCode = newVersion.first
+    val newVersionUrl = newVersion.second
+    if (newVersionCode <= currentVersionCode) {
+        return
+    }
+
+    val uriHandler = LocalUriHandler.current
+    WarningCard(
+        message = stringResource(id = R.string.new_version_available).format(newVersionCode),
+        MaterialTheme.colorScheme.outlineVariant
+    ) {
+        uriHandler.openUri(newVersionUrl)
+    }
+}
+
 @Composable
 fun RebootDropdownItem(@StringRes id: Int, reason: String = "") {
     DropdownMenuItem(text = {
@@ -83,43 +110,41 @@ fun RebootDropdownItem(@StringRes id: Int, reason: String = "") {
 @OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun TopBar(onSettingsClick: () -> Unit) {
-    TopAppBar(
-        title = { Text(stringResource(R.string.app_name)) },
-        actions = {
-            var showDropdown by remember { mutableStateOf(false) }
-            IconButton(onClick = {
-                showDropdown = true
+    TopAppBar(title = { Text(stringResource(R.string.app_name)) }, actions = {
+        var showDropdown by remember { mutableStateOf(false) }
+        IconButton(onClick = {
+            showDropdown = true
+        }) {
+            Icon(
+                imageVector = Icons.Filled.Refresh,
+                contentDescription = stringResource(id = R.string.reboot)
+            )
+
+            DropdownMenu(expanded = showDropdown, onDismissRequest = {
+                showDropdown = false
             }) {
-                Icon(
-                    imageVector = Icons.Filled.Refresh,
-                    contentDescription = stringResource(id = R.string.reboot)
-                )
 
-                DropdownMenu(expanded = showDropdown, onDismissRequest = {
-                    showDropdown = false
-                }) {
+                RebootDropdownItem(id = R.string.reboot)
 
-                    RebootDropdownItem(id = R.string.reboot)
-
-                    val pm = LocalContext.current.getSystemService(Context.POWER_SERVICE) as PowerManager?
-                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R && pm?.isRebootingUserspaceSupported == true) {
-                        RebootDropdownItem(id = R.string.reboot_userspace, reason = "userspace")
-                    }
-                    RebootDropdownItem(id = R.string.reboot_recovery, reason = "recovery")
-                    RebootDropdownItem(id = R.string.reboot_bootloader, reason = "bootloader")
-                    RebootDropdownItem(id = R.string.reboot_download, reason = "download")
-                    RebootDropdownItem(id = R.string.reboot_edl, reason = "edl")
+                val pm =
+                    LocalContext.current.getSystemService(Context.POWER_SERVICE) as PowerManager?
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R && pm?.isRebootingUserspaceSupported == true) {
+                    RebootDropdownItem(id = R.string.reboot_userspace, reason = "userspace")
                 }
-            }
-
-            IconButton(onClick = onSettingsClick) {
-                Icon(
-                    imageVector = Icons.Filled.Settings,
-                    contentDescription = stringResource(id = R.string.settings)
-                )
+                RebootDropdownItem(id = R.string.reboot_recovery, reason = "recovery")
+                RebootDropdownItem(id = R.string.reboot_bootloader, reason = "bootloader")
+                RebootDropdownItem(id = R.string.reboot_download, reason = "download")
+                RebootDropdownItem(id = R.string.reboot_edl, reason = "edl")
             }
         }
-    )
+
+        IconButton(onClick = onSettingsClick) {
+            Icon(
+                imageVector = Icons.Filled.Settings,
+                contentDescription = stringResource(id = R.string.settings)
+            )
+        }
+    })
 }
 
 @Composable
@@ -130,21 +155,26 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
             else MaterialTheme.colorScheme.errorContainer
         })
     ) {
-        Row(
-            modifier = Modifier
-                .fillMaxWidth()
-                .clickable {
-                    // TODO: Install kernel
+        val uriHandler = LocalUriHandler.current
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                if (kernelVersion.isGKI() && ksuVersion == null) {
+                    uriHandler.openUri("https://kernelsu.org/guide/installation.html")
                 }
-                .padding(24.dp),
-            verticalAlignment = Alignment.CenterVertically
-        ) {
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
             when {
                 ksuVersion != null -> {
+                    val appendText = if (Natives.isSafeMode) {
+                        " [${stringResource(id = R.string.safe_mode)}]"
+                    } else {
+                        ""
+                    }
                     Icon(Icons.Outlined.CheckCircle, stringResource(R.string.home_working))
                     Column(Modifier.padding(start = 20.dp)) {
                         Text(
-                            text = stringResource(R.string.home_working),
+                            text = stringResource(R.string.home_working) + appendText,
                             style = MaterialTheme.typography.titleMedium
                         )
                         Spacer(Modifier.height(4.dp))
@@ -152,8 +182,20 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
                             text = stringResource(R.string.home_working_version, ksuVersion),
                             style = MaterialTheme.typography.bodyMedium
                         )
+                        Spacer(Modifier.height(4.dp))
+                        Text(
+                            text = stringResource(
+                                R.string.home_superuser_count, getSuperuserCount()
+                            ), style = MaterialTheme.typography.bodyMedium
+                        )
+                        Spacer(Modifier.height(4.dp))
+                        Text(
+                            text = stringResource(R.string.home_module_count, getModuleCount()),
+                            style = MaterialTheme.typography.bodyMedium
+                        )
                     }
                 }
+
                 kernelVersion.isGKI() -> {
                     Icon(Icons.Outlined.Warning, stringResource(R.string.home_not_installed))
                     Column(Modifier.padding(start = 20.dp)) {
@@ -168,12 +210,12 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
                         )
                     }
                 }
+
                 else -> {
                     Icon(Icons.Outlined.Block, stringResource(R.string.home_unsupported))
                     Column(Modifier.padding(start = 20.dp)) {
                         Text(
                             text = stringResource(R.string.home_unsupported),
-                            fontFamily = FontFamily.Serif,
                             style = MaterialTheme.typography.titleMedium
                         )
                         Spacer(Modifier.height(4.dp))
@@ -188,11 +230,90 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
     }
 }
 
+@Composable
+fun WarningCard(
+    message: String, color: Color = MaterialTheme.colorScheme.error, onClick: () -> Unit = {}
+) {
+    ElevatedCard(
+        colors = CardDefaults.elevatedCardColors(
+            containerColor = color
+        )
+    ) {
+        Row(
+            modifier = Modifier
+                .fillMaxWidth()
+                .padding(24.dp)
+                .clickable {
+                    onClick()
+                }, verticalAlignment = Alignment.CenterVertically
+        ) {
+            Column() {
+                Text(
+                    text = message, style = MaterialTheme.typography.bodyMedium
+                )
+            }
+        }
+    }
+}
+
+@Composable
+fun LearnMoreCard() {
+    val uriHandler = LocalUriHandler.current
+    val url = stringResource(R.string.home_learn_kernelsu_url)
+
+    ElevatedCard {
+
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                uriHandler.openUri(url)
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
+            Column() {
+                Text(
+                    text = stringResource(R.string.home_learn_kernelsu),
+                    style = MaterialTheme.typography.titleSmall
+                )
+                Spacer(Modifier.height(4.dp))
+                Text(
+                    text = stringResource(R.string.home_click_to_learn_kernelsu),
+                    style = MaterialTheme.typography.bodyMedium
+                )
+            }
+        }
+    }
+}
+
+@Composable
+fun DonateCard() {
+    val uriHandler = LocalUriHandler.current
+
+    ElevatedCard {
+
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                uriHandler.openUri("https://patreon.com/weishu")
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
+            Column() {
+                Text(
+                    text = stringResource(R.string.home_support_title),
+                    style = MaterialTheme.typography.titleSmall
+                )
+                Spacer(Modifier.height(4.dp))
+                Text(
+                    text = stringResource(R.string.home_support_content),
+                    style = MaterialTheme.typography.bodyMedium
+                )
+            }
+        }
+    }
+}
+
 @Composable
 private fun InfoCard() {
     val context = LocalContext.current
-    val snackbarHost = LocalSnackbarHost.current
-    val scope = rememberCoroutineScope()
 
     ElevatedCard {
         Column(
@@ -212,41 +333,27 @@ private fun InfoCard() {
 
             InfoCardItem(stringResource(R.string.home_kernel), uname.release)
 
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_arch), uname.machine)
+            Spacer(Modifier.height(16.dp))
+            val managerVersion = getManagerVersion(context)
+            InfoCardItem(
+                stringResource(R.string.home_manager_version),
+                "${managerVersion.first} (${managerVersion.second})"
+            )
 
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_version), uname.version)
-
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_api), Build.VERSION.SDK_INT.toString())
-
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_abi), Build.SUPPORTED_ABIS.joinToString(", "))
-
-            Spacer(Modifier.height(24.dp))
+            Spacer(Modifier.height(16.dp))
             InfoCardItem(stringResource(R.string.home_fingerprint), Build.FINGERPRINT)
 
-            Spacer(Modifier.height(24.dp))
-            InfoCardItem(stringResource(R.string.home_securitypatch), Build.VERSION.SECURITY_PATCH)
-
-            Spacer(Modifier.height(24.dp))
+            Spacer(Modifier.height(16.dp))
             InfoCardItem(stringResource(R.string.home_selinux_status), getSELinuxStatus())
-
-            val copiedMessage = stringResource(R.string.home_copied_to_clipboard)
-            TextButton(
-                modifier = Modifier.align(Alignment.End),
-                onClick = {
-                    val cm = context.getSystemService(Context.CLIPBOARD_SERVICE) as ClipboardManager
-                    cm.setPrimaryClip(ClipData.newPlainText("KernelSU", contents.toString()))
-                    scope.launch { snackbarHost.showSnackbar(copiedMessage) }
-                },
-                content = { Text(stringResource(android.R.string.copy)) }
-            )
         }
     }
 }
 
+fun getManagerVersion(context: Context): Pair<String, Int> {
+    val packageInfo = context.packageManager.getPackageInfo(context.packageName, 0)
+    return Pair(packageInfo.versionName, packageInfo.versionCode)
+}
+
 @Preview
 @Composable
 private fun StatusCardPreview() {

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Install.kt

@@ -24,7 +24,6 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.R
-import me.weishu.kernelsu.ksuApp
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.util.installModule
 import me.weishu.kernelsu.ui.util.reboot
@@ -36,7 +35,6 @@ import java.util.*
  * @author weishu
  * @date 2023/1/1.
  */
-@OptIn(ExperimentalMaterial3Api::class)
 @Composable
 @Destination
 fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
@@ -73,7 +71,7 @@ fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
                         val format = SimpleDateFormat("yyyy-MM-dd-HH-mm-ss", Locale.getDefault())
                         val date = format.format(Date())
                         val file = File(
-                            ksuApp.getExternalFilesDir(Environment.DIRECTORY_DOWNLOADS),
+                            Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS),
                             "KernelSU_install_log_${date}.log"
                         )
                         file.writeText(text)

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Module.kt

@@ -2,49 +2,51 @@ package me.weishu.kernelsu.ui.screen
 
 import android.app.Activity.RESULT_OK
 import android.content.Intent
+import android.net.Uri
 import android.util.Log
+import android.widget.Toast
 import androidx.activity.compose.rememberLauncherForActivityResult
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.foundation.shape.RoundedCornerShape
+import androidx.compose.material.ExperimentalMaterialApi
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.Add
+import androidx.compose.material.pullrefresh.PullRefreshIndicator
+import androidx.compose.material.pullrefresh.pullRefresh
+import androidx.compose.material.pullrefresh.rememberPullRefreshState
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontWeight
+import androidx.compose.ui.text.style.TextAlign
 import androidx.compose.ui.text.style.TextDecoration
 import androidx.compose.ui.text.style.TextOverflow
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.Dp
 import androidx.compose.ui.unit.dp
 import androidx.lifecycle.viewmodel.compose.viewModel
-import com.google.accompanist.swiperefresh.SwipeRefresh
-import com.google.accompanist.swiperefresh.rememberSwipeRefreshState
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.ConfirmDialog
+import me.weishu.kernelsu.ui.component.ConfirmResult
 import me.weishu.kernelsu.ui.screen.destinations.InstallScreenDestination
-import me.weishu.kernelsu.ui.util.LocalSnackbarHost
-import me.weishu.kernelsu.ui.util.overlayFsAvailable
-import me.weishu.kernelsu.ui.util.toggleModule
-import me.weishu.kernelsu.ui.util.uninstallModule
+import me.weishu.kernelsu.ui.util.*
 import me.weishu.kernelsu.ui.viewmodel.ModuleViewModel
 
-@OptIn(ExperimentalMaterial3Api::class)
 @Destination
 @Composable
 fun ModuleScreen(navigator: DestinationsNavigator) {
     val viewModel = viewModel<ModuleViewModel>()
-    val snackBarHost = LocalSnackbarHost.current
-
-    val scope = rememberCoroutineScope()
 
     LaunchedEffect(Unit) {
         if (viewModel.moduleList.isEmpty()) {
@@ -52,11 +54,17 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
         }
     }
 
-    Scaffold(
-        topBar = {
-            TopBar()
-        },
-        floatingActionButton = {
+    val isSafeMode = Natives.isSafeMode
+    val hasMagisk = hasMagisk()
+
+    val hideInstallButton = isSafeMode || hasMagisk
+
+    Scaffold(topBar = {
+        TopBar()
+    }, floatingActionButton = if (hideInstallButton) {
+        { /* Empty */ }
+    } else {
+        {
             val moduleInstall = stringResource(id = R.string.module_install)
             val selectZipLauncher = rememberLauncherForActivityResult(
                 contract = ActivityResultContracts.StartActivityForResult()
@@ -83,103 +91,205 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
                 text = { Text(text = moduleInstall) },
             )
         }
-    ) { innerPadding ->
-        val failedEnable = stringResource(R.string.module_failed_to_enable)
-        val failedDisable = stringResource(R.string.module_failed_to_disable)
-        val failedUninstall = stringResource(R.string.module_uninstall_failed)
-        val successUninstall = stringResource(R.string.module_uninstall_success)
-        val swipeState = rememberSwipeRefreshState(viewModel.isRefreshing)
-        // TODO: Replace SwipeRefresh with RefreshIndicator when it's ready
-        if (Natives.getVersion() < 8) {
-            Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                Text(stringResource(R.string.require_kernel_version_8))
-            }
-            return@Scaffold
-        }
-        SwipeRefresh(
-            state = swipeState,
-            onRefresh = {
-                scope.launch { viewModel.fetchModuleList() }
-            },
-            modifier = Modifier
-                .padding(innerPadding)
-                .padding(16.dp)
-                .fillMaxSize()
-        ) {
-            val isOverlayAvailable = overlayFsAvailable()
-            if (!isOverlayAvailable) {
-                swipeState.isRefreshing = false
-                Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                    Text(stringResource(R.string.module_overlay_fs_not_available))
-                }
-                return@SwipeRefresh
-            }
-            val isEmpty = viewModel.moduleList.isEmpty()
-            if (isEmpty) {
-                swipeState.isRefreshing = false
-                Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                    Text(stringResource(R.string.module_empty))
-                }
-            } else {
-                LazyColumn(
-                    verticalArrangement = Arrangement.spacedBy(15.dp),
-                    contentPadding = remember { PaddingValues(bottom = 16.dp + 56.dp /* Scaffold Fab Spacing + Fab container height */ ) }
+    }) { innerPadding ->
+
+        ConfirmDialog()
+
+        when {
+            hasMagisk -> {
+                Box(
+                    modifier = Modifier
+                        .fillMaxSize()
+                        .padding(24.dp),
+                    contentAlignment = Alignment.Center
                 ) {
-                    items(viewModel.moduleList) { module ->
-                        var isChecked by rememberSaveable(module) { mutableStateOf(module.enabled) }
-                        ModuleItem(module,
-                            isChecked,
-                            onUninstall = {
-                                scope.launch {
-                                    val result = uninstallModule(module.id)
-                                    if (result) {
-                                        viewModel.fetchModuleList()
-                                    }
-                                    snackBarHost.showSnackbar(
-                                        if (result) {
-                                            successUninstall.format(module.name)
-                                        } else {
-                                            failedUninstall.format(module.name)
-                                        }
-                                    )
-                                }
-                            },
-                            onCheckChanged = {
-                                val success = toggleModule(module.id, !isChecked)
-                                if (success) {
-                                    isChecked = it
-                                    scope.launch {
-                                        viewModel.fetchModuleList()
-                                    }
-                                } else scope.launch {
-                                    val message = if (isChecked) failedDisable else failedEnable
-                                    snackBarHost.showSnackbar(message.format(module.name))
-                                }
-                            }
-                        )
-                        // fix last item shadow incomplete in LazyColumn
-                        Spacer(Modifier.height(1.dp))
-                    }
+                    Text(
+                        stringResource(R.string.module_magisk_conflict),
+                        textAlign = TextAlign.Center,
+                    )
+                }
+            }
+
+            else -> {
+                ModuleList(
+                    viewModel = viewModel, modifier = Modifier
+                        .padding(innerPadding)
+                        .fillMaxSize()
+                ) {
+                    navigator.navigate(InstallScreenDestination(it))
                 }
             }
         }
     }
 }
 
+@OptIn(ExperimentalMaterialApi::class)
+@Composable
+private fun ModuleList(
+    viewModel: ModuleViewModel, modifier: Modifier = Modifier, onInstallModule: (Uri) -> Unit
+) {
+    val failedEnable = stringResource(R.string.module_failed_to_enable)
+    val failedDisable = stringResource(R.string.module_failed_to_disable)
+    val failedUninstall = stringResource(R.string.module_uninstall_failed)
+    val successUninstall = stringResource(R.string.module_uninstall_success)
+    val reboot = stringResource(id = R.string.reboot)
+    val rebootToApply = stringResource(id = R.string.reboot_to_apply)
+    val moduleStr = stringResource(id = R.string.module)
+    val uninstall = stringResource(id = R.string.uninstall)
+    val cancel = stringResource(id = android.R.string.cancel)
+    val moduleUninstallConfirm = stringResource(id = R.string.module_uninstall_confirm)
+
+    val dialogHost = LocalDialogHost.current
+    val snackBarHost = LocalSnackbarHost.current
+
+    suspend fun onModuleUninstall(module: ModuleViewModel.ModuleInfo) {
+        val confirmResult = dialogHost.showConfirm(
+            moduleStr,
+            content = moduleUninstallConfirm.format(module.name),
+            confirm = uninstall,
+            dismiss = cancel
+        )
+        if (confirmResult != ConfirmResult.Confirmed) {
+            return
+        }
+
+        val success = uninstallModule(module.id)
+        if (success) {
+            viewModel.fetchModuleList()
+        }
+        val message = if (success) {
+            successUninstall.format(module.name)
+        } else {
+            failedUninstall.format(module.name)
+        }
+        val actionLabel = if (success) {
+            reboot
+        } else {
+            null
+        }
+        val result = snackBarHost.showSnackbar(message, actionLabel = actionLabel)
+        if (result == SnackbarResult.ActionPerformed) {
+            reboot()
+        }
+    }
+
+    val refreshState = rememberPullRefreshState(refreshing = viewModel.isRefreshing,
+        onRefresh = { viewModel.fetchModuleList() })
+    Box(modifier.pullRefresh(refreshState)) {
+        if (viewModel.isOverlayAvailable) {
+            val context = LocalContext.current
+
+            LazyColumn(
+                modifier = Modifier.fillMaxSize(),
+                verticalArrangement = Arrangement.spacedBy(16.dp),
+                contentPadding = remember {
+                    PaddingValues(
+                        start = 16.dp,
+                        top = 16.dp,
+                        end = 16.dp,
+                        bottom = 16.dp + 16.dp + 56.dp /*  Scaffold Fab Spacing + Fab container height */
+                    )
+                },
+            ) {
+                val isEmpty = viewModel.moduleList.isEmpty()
+                if (isEmpty) {
+                    item {
+                        Box(
+                            modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center
+                        ) {
+                            Text(stringResource(R.string.module_empty))
+                        }
+                    }
+                } else {
+                    items(viewModel.moduleList) { module ->
+                        var isChecked by rememberSaveable(module) { mutableStateOf(module.enabled) }
+                        val scope = rememberCoroutineScope()
+                        val updateUrl by produceState(initialValue = "") {
+                            viewModel.checkUpdate(module) { value = it.orEmpty() }
+                        }
+
+                        val downloadingText = stringResource(R.string.module_downloading)
+                        val startDownloadingText = stringResource(R.string.module_start_downloading)
+
+                        ModuleItem(module, isChecked, updateUrl, onUninstall = {
+                            scope.launch { onModuleUninstall(module) }
+                        }, onCheckChanged = {
+                            val success = toggleModule(module.id, !isChecked)
+                            if (success) {
+                                isChecked = it
+                                scope.launch {
+                                    viewModel.fetchModuleList()
+
+                                    val result = snackBarHost.showSnackbar(
+                                        rebootToApply, actionLabel = reboot
+                                    )
+                                    if (result == SnackbarResult.ActionPerformed) {
+                                        reboot()
+                                    }
+                                }
+                            } else scope.launch {
+                                val message = if (isChecked) failedDisable else failedEnable
+                                snackBarHost.showSnackbar(message.format(module.name))
+                            }
+                        }, onUpdate = {
+
+                            scope.launch {
+                                Toast.makeText(
+                                    context,
+                                    startDownloadingText.format(module.name),
+                                    Toast.LENGTH_SHORT
+                                ).show()
+                            }
+
+                            val downloading = downloadingText.format(module.name)
+                            download(
+                                context,
+                                updateUrl,
+                                "${module.name}-${module.version}.zip",
+                                downloading,
+                                onDownloaded = onInstallModule,
+                                onDownloading = {
+                                    Toast.makeText(context, downloading, Toast.LENGTH_SHORT).show()
+                                }
+                            )
+                        })
+
+                        // fix last item shadow incomplete in LazyColumn
+                        Spacer(Modifier.height(1.dp))
+                    }
+                }
+            }
+
+            DownloadListener(context, onInstallModule)
+
+        } else {
+            Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
+                Text(stringResource(R.string.module_overlay_fs_not_available))
+            }
+        }
+
+        PullRefreshIndicator(
+            refreshing = viewModel.isRefreshing, state = refreshState, modifier = Modifier.align(
+                Alignment.TopCenter
+            )
+        )
+    }
+}
+
 @OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun TopBar() {
-    TopAppBar(
-        title = { Text(stringResource(R.string.module)) }
-    )
+    TopAppBar(title = { Text(stringResource(R.string.module)) })
 }
 
 @Composable
 private fun ModuleItem(
     module: ModuleViewModel.ModuleInfo,
     isChecked: Boolean,
+    updateUrl: String,
     onUninstall: (ModuleViewModel.ModuleInfo) -> Unit,
-    onCheckChanged: (Boolean) -> Unit
+    onCheckChanged: (Boolean) -> Unit,
+    onUpdate: (ModuleViewModel.ModuleInfo) -> Unit,
 ) {
     ElevatedCard(
         modifier = Modifier.fillMaxWidth(),
@@ -261,6 +371,23 @@ private fun ModuleItem(
             ) {
                 Spacer(modifier = Modifier.weight(1f, true))
 
+                if (updateUrl.isNotEmpty()) {
+                    Button(
+                        modifier = Modifier
+                            .padding(0.dp)
+                            .defaultMinSize(52.dp, 32.dp),
+                        onClick = { onUpdate(module) },
+                        shape = RoundedCornerShape(6.dp),
+                        contentPadding = PaddingValues(0.dp)
+                    ) {
+                        Text(
+                            fontFamily = MaterialTheme.typography.labelMedium.fontFamily,
+                            fontSize = MaterialTheme.typography.labelMedium.fontSize,
+                            text = stringResource(R.string.module_update),
+                        )
+                    }
+                }
+
                 TextButton(
                     enabled = !module.remove,
                     onClick = { onUninstall(module) },
@@ -289,6 +416,7 @@ fun ModuleItemPreview() {
         enabled = true,
         update = true,
         remove = true,
+        updateJson = ""
     )
-    ModuleItem(module, true, {}, {})
+    ModuleItem(module, true, "", {}, {}, {})
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Settings.kt

@@ -1,27 +1,39 @@
 package me.weishu.kernelsu.ui.screen
 
+import android.content.Intent
+import android.net.Uri
+import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.*
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.ArrowBack
-import androidx.compose.material.icons.filled.Info
+import androidx.compose.material.icons.filled.BugReport
+import androidx.compose.material.icons.filled.ContactPage
+import androidx.compose.material.icons.filled.RemoveModerator
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
+import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
-import androidx.compose.ui.text.font.FontWeight
-import androidx.compose.ui.tooling.preview.Preview
-import androidx.compose.ui.unit.dp
-import com.alorma.compose.settings.ui.*
+import androidx.core.content.FileProvider
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
+import me.weishu.kernelsu.BuildConfig
+import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
-import me.weishu.kernelsu.ui.util.LinkifyText
+import me.weishu.kernelsu.ui.component.AboutDialog
+import me.weishu.kernelsu.ui.component.LoadingDialog
+import me.weishu.kernelsu.ui.component.SwitchItem
+import me.weishu.kernelsu.ui.util.LocalDialogHost
+import me.weishu.kernelsu.ui.util.getBugreportFile
 
 /**
  * @author weishu
  * @date 2023/1/1.
  */
-@OptIn(ExperimentalMaterial3Api::class)
 @Destination
 @Composable
 fun SettingScreen(navigator: DestinationsNavigator) {
@@ -33,47 +45,70 @@ fun SettingScreen(navigator: DestinationsNavigator) {
             })
         }
     ) { paddingValues ->
+        LoadingDialog()
 
-        var openDialog by remember { mutableStateOf(false) }
-
-        if (openDialog) {
-            AlertDialog(
-                onDismissRequest = {
-                    openDialog = false
-                },
-                title = {
-                    Text(text = stringResource(id = R.string.about))
-                },
-                text = {
-                    SupportCard()
-                },
-                confirmButton = {
-                    TextButton(
-                        onClick = {
-                            openDialog = false
-                        }
-                    ) {
-                        Text(stringResource(id = android.R.string.ok))
-                    }
-                },
-            )
-        }
+        val showAboutDialog = remember { mutableStateOf(false) }
+        AboutDialog(showAboutDialog)
 
         Column(modifier = Modifier.padding(paddingValues)) {
 
-            SettingsSwitch(
-                title = {
-                    Text(stringResource(id = R.string.settings_system_rw))
-                },
-                subtitle = {
-                    Text(stringResource(id = R.string.settings_system_rw_summary))
+            val context = LocalContext.current
+            val scope = rememberCoroutineScope()
+            val dialogHost = LocalDialogHost.current
+
+            var umountChecked by rememberSaveable {
+                mutableStateOf(Natives.isDefaultUmountModules())
+            }
+            SwitchItem(
+                icon = Icons.Filled.RemoveModerator,
+                title = stringResource(id = R.string.settings_umount_modules_default),
+                summary = stringResource(id = R.string.settings_umount_modules_default_summary),
+                checked = umountChecked
+            ) {
+                if (Natives.setDefaultUmountModules(it)) {
+                    umountChecked = it
+                }
+            }
+
+            ListItem(
+                leadingContent = { Icon(Icons.Filled.BugReport, stringResource(id = R.string.send_log)) },
+                headlineContent = { Text(stringResource(id = R.string.send_log)) },
+                modifier = Modifier.clickable {
+                    scope.launch {
+                        val bugreport = dialogHost.withLoading {
+                            withContext(Dispatchers.IO) {
+                                getBugreportFile(context)
+                            }
+                        }
+
+                        val uri: Uri =
+                            FileProvider.getUriForFile(
+                                context,
+                                "${BuildConfig.APPLICATION_ID}.fileprovider",
+                                bugreport
+                            )
+
+                        val shareIntent = Intent(Intent.ACTION_SEND)
+                        shareIntent.putExtra(Intent.EXTRA_STREAM, uri)
+                        shareIntent.setDataAndType(uri, "application/zip")
+                        shareIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
+
+                        context.startActivity(
+                            Intent.createChooser(
+                                shareIntent,
+                                context.getString(R.string.send_log)
+                            )
+                        )
+                    }
                 }
             )
-            SettingsMenuLink(title = {
-                Text(stringResource(id = R.string.about))
-            },
-                onClick = {
-                    openDialog = true
+
+            val about = stringResource(id = R.string.about)
+            ListItem(
+                leadingContent = { Icon(Icons.Filled.ContactPage, stringResource(id = R.string.about)) },
+                headlineContent = { Text(about) },
+                modifier = Modifier.clickable {
+                    showAboutDialog.value = true
                 }
             )
         }
@@ -92,19 +127,3 @@ private fun TopBar(onBack: () -> Unit = {}) {
         },
     )
 }
-
-@Preview
-@Composable
-private fun SupportCard() {
-    Column(
-        modifier = Modifier
-            .fillMaxWidth()
-    ) {
-        CompositionLocalProvider(LocalTextStyle provides MaterialTheme.typography.bodyMedium) {
-            LinkifyText("Author: weishu")
-            LinkifyText("Github: https://github.com/tiann/KernelSU")
-            LinkifyText("Telegram: https://t.me/KernelSU")
-            LinkifyText("QQ: https://pd.qq.com/s/8lipl1brp")
-        }
-    }
-}

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/SuperUser.kt

@@ -1,51 +1,45 @@
 package me.weishu.kernelsu.ui.screen
 
-import android.content.pm.ApplicationInfo
-import android.content.pm.PackageManager
-import android.graphics.Bitmap
-import android.graphics.drawable.Drawable
-import android.util.Log
-import androidx.compose.foundation.Image
+import androidx.compose.foundation.background
+import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.foundation.shape.RoundedCornerShape
+import androidx.compose.material.ExperimentalMaterialApi
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.MoreVert
+import androidx.compose.material.pullrefresh.PullRefreshIndicator
+import androidx.compose.material.pullrefresh.pullRefresh
+import androidx.compose.material.pullrefresh.rememberPullRefreshState
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
-import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.TextStyle
 import androidx.compose.ui.unit.dp
+import androidx.compose.ui.unit.sp
 import androidx.lifecycle.viewmodel.compose.viewModel
-import coil.ImageLoader
 import coil.compose.AsyncImage
-import coil.compose.rememberAsyncImagePainter
-import coil.compose.rememberImagePainter
-import coil.decode.DataSource
-import coil.fetch.DrawableResult
-import coil.fetch.FetchResult
-import coil.fetch.Fetcher
-import coil.request.CachePolicy
 import coil.request.ImageRequest
-import coil.request.Options
-import com.google.accompanist.swiperefresh.SwipeRefresh
-import com.google.accompanist.swiperefresh.rememberSwipeRefreshState
 import com.ramcosta.composedestinations.annotation.Destination
+import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.ConfirmDialog
 import me.weishu.kernelsu.ui.component.SearchAppBar
-import me.weishu.kernelsu.ui.util.LocalSnackbarHost
+import me.weishu.kernelsu.ui.screen.destinations.AppProfileScreenDestination
 import me.weishu.kernelsu.ui.viewmodel.SuperUserViewModel
-import me.zhanghai.android.appiconloader.coil.AppIconKeyer
-import java.util.*
 
-@OptIn(ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalMaterialApi::class)
 @Destination
 @Composable
-fun SuperUserScreen() {
+fun SuperUserScreen(navigator: DestinationsNavigator) {
     val viewModel = viewModel<SuperUserViewModel>()
-    val snackbarHost = LocalSnackbarHost.current
     val scope = rememberCoroutineScope()
 
     LaunchedEffect(Unit) {
@@ -60,53 +54,107 @@ fun SuperUserScreen() {
                 title = { Text(stringResource(R.string.superuser)) },
                 searchText = viewModel.search,
                 onSearchTextChange = { viewModel.search = it },
-                onClearClick = { viewModel.search = "" }
+                onClearClick = { viewModel.search = "" },
+                dropdownContent = {
+                    var showDropdown by remember { mutableStateOf(false) }
+
+                    IconButton(
+                        onClick = { showDropdown = true },
+                    ) {
+                        Icon(
+                            imageVector = Icons.Filled.MoreVert,
+                            contentDescription = stringResource(id = R.string.settings)
+                        )
+
+                        DropdownMenu(expanded = showDropdown, onDismissRequest = {
+                            showDropdown = false
+                        }) {
+                            DropdownMenuItem(text = {
+                                Text(stringResource(R.string.refresh))
+                            }, onClick = {
+                                scope.launch {
+                                    viewModel.fetchAppList()
+                                }
+                                showDropdown = false
+                            })
+                            DropdownMenuItem(text = {
+                                Text(
+                                    if (viewModel.showSystemApps) {
+                                        stringResource(R.string.hide_system_apps)
+                                    } else {
+                                        stringResource(R.string.show_system_apps)
+                                    }
+                                )
+                            }, onClick = {
+                                viewModel.showSystemApps = !viewModel.showSystemApps
+                                showDropdown = false
+                            })
+                        }
+                    }
+                },
             )
         }
     ) { innerPadding ->
-        val failMessage = stringResource(R.string.superuser_failed_to_grant_root)
 
-        // TODO: Replace SwipeRefresh with RefreshIndicator when it's ready
-        SwipeRefresh(
-            state = rememberSwipeRefreshState(viewModel.isRefreshing),
-            onRefresh = {
-                scope.launch { viewModel.fetchAppList() }
-            },
+        ConfirmDialog()
+
+        val refreshState = rememberPullRefreshState(
+            refreshing = viewModel.isRefreshing,
+            onRefresh = { scope.launch { viewModel.fetchAppList() } },
+        )
+        Box(
             modifier = Modifier
                 .padding(innerPadding)
-                .fillMaxSize()
+                .pullRefresh(refreshState)
         ) {
-            LazyColumn {
-                items(viewModel.appList) { app ->
-                    var isChecked by rememberSaveable(app) { mutableStateOf(app.onAllowList) }
-                    AppItem(app, isChecked) { checked ->
-                        val success = Natives.allowRoot(app.uid, checked)
-                        if (success) {
-                            isChecked = checked
-                        } else scope.launch {
-                            snackbarHost.showSnackbar(failMessage.format(app.uid))
-                        }
+            LazyColumn(Modifier.fillMaxSize()) {
+                items(viewModel.appList, key = { it.packageName + it.uid }) { app ->
+                    AppItem(app) {
+                        navigator.navigate(AppProfileScreenDestination(app))
                     }
+
                 }
             }
+
+            PullRefreshIndicator(
+                refreshing = viewModel.isRefreshing,
+                state = refreshState,
+                modifier = Modifier.align(Alignment.TopCenter)
+            )
         }
     }
 }
 
-@OptIn(ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalLayoutApi::class)
 @Composable
 private fun AppItem(
     app: SuperUserViewModel.AppInfo,
-    isChecked: Boolean,
-    onCheckedChange: (Boolean) -> Unit
+    onClickListener: () -> Unit,
 ) {
     ListItem(
-        headlineText = { Text(app.label) },
-        supportingText = { Text(app.packageName) },
+        modifier = Modifier.clickable(onClick = onClickListener),
+        headlineContent = { Text(app.label) },
+        supportingContent = {
+            Column {
+                Text(app.packageName)
+                FlowRow {
+                    if (app.allowSu) {
+                        LabelText(label = "ROOT")
+                    } else {
+                        if (Natives.uidShouldUmount(app.uid)) {
+                            LabelText(label = "UMOUNT")
+                        }
+                    }
+                    if (app.hasCustomProfile) {
+                        LabelText(label = "CUSTOM")
+                    }
+                }
+            }
+        },
         leadingContent = {
             AsyncImage(
                 model = ImageRequest.Builder(LocalContext.current)
-                    .data(app.icon)
+                    .data(app.packageInfo)
                     .crossfade(true)
                     .build(),
                 contentDescription = app.label,
@@ -116,12 +164,26 @@ private fun AppItem(
                     .height(48.dp)
             )
         },
-        trailingContent = {
-            Switch(
-                checked = isChecked,
-                onCheckedChange = onCheckedChange,
-                modifier = Modifier.padding(4.dp)
-            )
-        }
     )
 }
+
+@Composable
+fun LabelText(label: String) {
+    Box(
+        modifier = Modifier
+            .padding(top = 4.dp, end = 4.dp)
+            .background(
+                Color.Black,
+                shape = RoundedCornerShape(4.dp)
+            )
+    ) {
+        Text(
+            text = label,
+            modifier = Modifier.padding(vertical = 2.dp, horizontal = 5.dp),
+            style = TextStyle(
+                fontSize = 8.sp,
+                color = Color.White,
+            )
+        )
+    }
+}