docs: Add devpts description for non gki

Bumps `agp` from 8.3.2 to 8.4.0.
Updates `com.android.application` from 8.3.2 to 8.4.0

Updates `com.android.library` from 8.3.2 to 8.4.0


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.gitattributes

@@ -0,0 +1 @@
+*.bat eol=crlf

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: tiann
+patreon: weishu
+custom: https://vxposed.com/donate.html

.github/ISSUE_TEMPLATE/add_device.yml

@@ -6,7 +6,7 @@ body:
   - type: markdown
     attributes:
       value: |
-        Thanks for supporting KernelSU !
+        Thanks for supporting KernelSU!
   - type: input
     id: repo-url
     attributes:

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,32 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Smartphone (please complete the following information):**
- - Device: [e.g. iPhone6]
- - OS: [e.g. iOS8.1]
- - Version [e.g. 22]
-
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,72 @@
+name: Bug report
+description: Create a report to help us improve KernelSU
+labels: [Bug]
+
+body:
+  - type: checkboxes
+    attributes:
+       label: Please check before submitting an issue
+       options:
+          - label: I have searched the issues and haven't found anything relevant
+            required: true
+            
+          - label: I will upload bugreport file in KernelSU Manager - Settings - Report log
+            required: true
+            
+          - label: I know how to reproduce the issue which may not be specific to my device
+            required: false
+
+
+  - type: textarea
+    attributes:
+        label: Describe the bug
+        description: A clear and concise description of what the bug is
+    validations:
+        required: true
+      
+
+  - type: textarea
+    attributes:
+        label: To Reproduce
+        description: Steps to reproduce the behaviour
+        placeholder: |
+          - 1. Go to '...'
+          - 2. Click on '....'
+          - 3. Scroll down to '....'
+          - 4. See error
+          
+
+  - type: textarea
+    attributes:
+        label: Expected behavior
+        description: A clear and concise description of what you expected to happen.
+    
+    
+  - type: textarea
+    attributes:
+        label: Screenshots
+        description: If applicable, add screenshots to help explain your problem.
+        
+        
+  - type: textarea
+    attributes:
+        label: Logs
+        description: If applicable, add crash or any other logs to help us figure out the problem.
+        
+        
+  - type: textarea
+    attributes:
+        label: Device info
+        value: |
+          - Device:
+          - OS Version:
+          - KernelSU Version:
+          - Kernel Version:
+    validations:
+        required: true
+
+
+  - type: textarea
+    attributes:
+        label: Additional context
+        description: Add any other context about the problem here.

.github/ISSUE_TEMPLATE/custom.md

@@ -1,10 +0,0 @@
----
-name: Custom issue template
-about: Describe this issue template's purpose here.
-title: ''
-labels: ''
-assignees: ''
-
----
-
-

.github/ISSUE_TEMPLATE/custom.yml

@@ -0,0 +1,11 @@
+name: Custom issue template
+description: WARNING! If you are reporting a bug but use this template, the issue will be closed directly.
+title: '[Custom]'
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: "Describe your problem."
+    validations:
+      required: true
+

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,20 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,39 @@
+name: Feature Request
+description: "Suggest an idea for this project"
+title: "[Feature]"
+labels: "feature"
+body:
+  - type: markdown
+    id: feature-info
+    attributes:
+      value: "## Feature Infomation"
+  - type: textarea
+    id: feature-main
+    validations:
+      required: true
+    attributes:
+      label: "Is your feature request related to a problem? Please describe."
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+  - type: textarea
+    id: feature-solution
+    validations:
+      required: true
+    attributes:
+      label: "Describe the solution you'd like."
+      description: "A clear and concise description of what you want to happen."
+  - type: textarea
+    id: feature-describe
+    validations:
+      required: true
+    attributes:
+      label: "Describe alternatives you've considered."
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+  - type: textarea
+    id: feature-extra
+    validations:
+      required: false
+    attributes:
+      label: "Additional context"
+      description: "Add any other context or screenshots about the feature request here."
+

.github/dependabot.yml

@@ -0,0 +1,21 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: cargo
+    directory: userspace/ksud
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gradle
+    directory: manager
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: website
+    schedule:
+      interval: daily

.github/manifests/android-14-avd_x86_64.xml

@@ -0,0 +1,71 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--https://ci.android.com/builds/submitted/9964412/kernel_virt_x86_64/latest/manifest_9964412.xml-->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="master" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android14-6.1" />
+
+  <project path="build/kernel" name="kernel/build" revision="b0377a072bb3f78cdacfd6d809914a9d1b0c0148">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="build/build.sh" src="build.sh" />
+
+    <linkfile dest="build/build_abi.sh" src="build_abi.sh" />
+
+    <linkfile dest="build/build_test.sh" src="build_test.sh" />
+
+    <linkfile dest="build/build_utils.sh" src="build_utils.sh" />
+
+    <linkfile dest="build/config.sh" src="config.sh" />
+
+    <linkfile dest="build/envsetup.sh" src="envsetup.sh" />
+
+    <linkfile dest="build/_setup_env.sh" src="_setup_env.sh" />
+
+    <linkfile dest="build/multi-switcher.sh" src="multi-switcher.sh" />
+
+    <linkfile dest="build/abi" src="abi" />
+
+    <linkfile dest="build/static_analysis" src="static_analysis" />
+</project>
+
+  <project path="common" name="kernel/common" revision="7e35917775b8b3e3346a87f294e334e258bf15e6">
+    <linkfile dest=".source_date_epoch_dir" src="." />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="c90a1c1b226b975cc31e709fa96fc1c6ecdbe272" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="52a7267d6a9f9efabf3cb43839bb5e7f7ff05be3" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="0d03de3246301028775f05ea388c2c444344a268" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" clone-depth="1" revision="4f7e5adc160ab726ac5bafb260de98e612904c50" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" revision="f7b0d5b0ee369864d5ac3e96ae24ec9e2b6a52da" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" revision="dc92e06585a7647bf739a2309a721b82fcfa01d4" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="5611871963f54c688d3ac49e527aecdef21e8567" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" revision="2597cb1b5525e419b7fa806373be673054a68d29" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="2680066d0844544b3e78d6022cd21321d31837c3" />
+
+  <project path="prebuilts/bazel/linux-x86_64" name="platform/prebuilts/bazel/linux-x86_64" clone-depth="1" revision="4fdb9395071ff22118311d434d697c2b6fd887b4" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" clone-depth="1" revision="491e6aa056676f29c4541f71bd738e4e876e4ba2" />
+
+  <project path="prebuilts/ndk-r23" name="toolchain/prebuilts/ndk/r23" clone-depth="1" revision="19ac7e4eded12adb99d4f613490dde6dd0e72664" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" revision="f998e5dc13c03f0eae9e373263d3afff0932c738" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" revision="707b2c5fe3d0d7d934a93e00a8a4062e83557831" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" revision="e83f522ee95419e55d2c5654aa6e0143beeef595" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" revision="393d0b1e3f0fea3e95944a2fd3282cc9f76d4f14" />
+</manifest>

.github/manifests/android-15-avd_aarch64.xml

@@ -0,0 +1,89 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- https://ci.android.com/builds/submitted/11577653/kernel_virt_aarch64/latest/manifest_11577653.xml -->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="main" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android15-6.6" />
+
+  <project path="build/kernel" name="kernel/build" groups="ddk" revision="9a2196a1ec1048c2869750c9d3969c88ac18adcd">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="MODULE.bazel" src="kleaf/bzlmod/bazel.MODULE.bazel" />
+
+    <linkfile dest="WORKSPACE.bzlmod" src="kleaf/bzlmod/bazel.WORKSPACE.bzlmod" />
+</project>
+
+  <project path="common" name="kernel/common" revision="ac1a7c65ff1bc7ece5569d62f02b121b4f2364f8" />
+
+  <project path="kernel/common-patches" name="kernel/common-patches" revision="3807ce65081de12ef4baa2a04487306672685160">
+    <linkfile dest="common/patches" src="android-mainline" />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="ca9fd66f5b48abc92990c9c770f73380b428362b" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="be625f2ccf377a75d0ea86c082c716c322b8d4c6" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="60a24583ac921279e40a44f818040e40abb3ef46" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" revision="93a1369ba33743a87bdf0183373f590a36ff7cb1" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" groups="ddk" revision="cef8f53bb61fbdb02dbf4d433004f6cb637c3bc6" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="5aca9957ab19d2668c7f1da1954bbe89652d5fed" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="69f9fb9b8e75c6f1ff01f380d5251757785bb823" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="b09295493adc8d804b6d24286660f6e451e387fd" />
+
+  <project path="prebuilts/rust" name="platform/prebuilts/rust" revision="adc0e5499c3ddac831ca596d12cbef8d9747f737" clone-depth="1" />
+
+  <project path="prebuilts/tradefed" name="platform/tools/tradefederation/prebuilts" clone-depth="1" revision="a76ca09c5593e22e65b0d823d508882c6c64c13e" />
+
+  <project path="prebuilts/asuite" name="platform/prebuilts/asuite" clone-depth="1" revision="24510f175cb313a92241500efee917c2930d5d30" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="28b7934249c2885db8b561f1439d74663fcdce93" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" revision="c6c90521b7c317f13d41bbd9336a8d45ee202cec" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/ndk-r26" name="toolchain/prebuilts/ndk/r26" clone-depth="1" groups="ddk" revision="e535051ebc04204cec44bde38f62385d63180388" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" groups="ddk" revision="6b103c40d8113f001475d5e13672922ef2aa0e5a" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" groups="ddk" revision="2a10807a06153b5862da0369f4b6b368afc2dd08" />
+
+  <project path="external/libcap-ng" name="platform/external/libcap-ng" revision="2bcc92ae19481dd2b8d3ce3abdfbbee49261abe6" />
+
+  <project path="external/libcap" name="platform/external/libcap" revision="d7d1a0a38c5be06a7e7d6391d140b54878836f48" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" groups="ddk" revision="f31250f9f5b03834d9964aaee7a3794c1d73d4a2" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" groups="ddk" revision="9ae5a78fc57c3cd539398373ae39601a8b923e62" />
+
+  <project path="external/bazelbuild-bazel-central-registry" name="platform/external/bazelbuild-bazel-central-registry" revision="3422f064566c274ea66633442521704d4a22486d" groups="ddk" />
+
+  <project path="external/bazelbuild-platforms" name="platform/external/bazelbuild-platforms" groups="ddk" revision="e352aabd0131f3ac3f340282a43ba85ffc3fe8fa" />
+
+  <project path="external/bazelbuild-apple_support" name="platform/external/bazelbuild-apple_support" groups="ddk" revision="f6003e1e3763f8aad9fb9acae79cfa5fff9ae988" />
+
+  <project path="external/bazelbuild-rules_cc" name="platform/external/bazelbuild-rules_cc" groups="ddk" revision="f0df148dbeb9b9ed3816aad328ebe7c65efaaa24" />
+
+  <project path="external/bazelbuild-rules_java" name="platform/external/bazelbuild-rules_java" groups="ddk" revision="8e548c7053dffd1717d565f0409a88992f401da1" />
+
+  <project path="external/bazelbuild-rules_license" name="platform/external/bazelbuild-rules_license" groups="ddk" revision="f578df4fd057ffe2023728444759535685631548" />
+
+  <project path="external/bazelbuild-rules_pkg" name="platform/external/bazelbuild-rules_pkg" groups="ddk" revision="429887dfd8db834498ad95e99043f771a3882af0" />
+
+  <project path="external/bazelbuild-rules_python" name="platform/external/bazelbuild-rules_python" groups="ddk" revision="f71847ac898655b67634bb14e77a7408c4fb5e00" />
+
+  <project path="external/bazelbuild-rules_rust" name="platform/external/bazelbuild-rules_rust" groups="ddk" revision="1520b49835be9122c2424231357d4db80069cc38" />
+
+  <project path="external/pigz" name="platform/external/pigz" groups="ddk" revision="9bc9fa17d499ddde88b77820f6d063e16c0cdd42" />
+
+  <project path="external/zlib" name="platform/external/zlib" groups="ddk" revision="eff168fd731068a3faddd9aae056875e10014a51" />
+
+  <project path="external/zopfli" name="platform/external/zopfli" groups="ddk" revision="36c79f00e5229800d2aaa13fc42c301ec8ef1153" />
+</manifest>

.github/manifests/android-15-avd_x86_64.xml

@@ -0,0 +1,89 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- https://ci.android.com/builds/submitted/11577653/kernel_virt_x86_64/latest/manifest_11577653.xml -->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="main" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android15-6.6" />
+
+  <project path="build/kernel" name="kernel/build" groups="ddk" revision="9a2196a1ec1048c2869750c9d3969c88ac18adcd">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="MODULE.bazel" src="kleaf/bzlmod/bazel.MODULE.bazel" />
+
+    <linkfile dest="WORKSPACE.bzlmod" src="kleaf/bzlmod/bazel.WORKSPACE.bzlmod" />
+</project>
+
+  <project path="common" name="kernel/common" revision="ac1a7c65ff1bc7ece5569d62f02b121b4f2364f8" />
+
+  <project path="kernel/common-patches" name="kernel/common-patches" revision="3807ce65081de12ef4baa2a04487306672685160">
+    <linkfile dest="common/patches" src="android-mainline" />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="ca9fd66f5b48abc92990c9c770f73380b428362b" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="be625f2ccf377a75d0ea86c082c716c322b8d4c6" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="60a24583ac921279e40a44f818040e40abb3ef46" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" revision="93a1369ba33743a87bdf0183373f590a36ff7cb1" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" groups="ddk" revision="cef8f53bb61fbdb02dbf4d433004f6cb637c3bc6" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="5aca9957ab19d2668c7f1da1954bbe89652d5fed" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="69f9fb9b8e75c6f1ff01f380d5251757785bb823" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="b09295493adc8d804b6d24286660f6e451e387fd" />
+
+  <project path="prebuilts/rust" name="platform/prebuilts/rust" revision="adc0e5499c3ddac831ca596d12cbef8d9747f737" clone-depth="1" />
+
+  <project path="prebuilts/tradefed" name="platform/tools/tradefederation/prebuilts" clone-depth="1" revision="a76ca09c5593e22e65b0d823d508882c6c64c13e" />
+
+  <project path="prebuilts/asuite" name="platform/prebuilts/asuite" clone-depth="1" revision="24510f175cb313a92241500efee917c2930d5d30" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="28b7934249c2885db8b561f1439d74663fcdce93" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" revision="c6c90521b7c317f13d41bbd9336a8d45ee202cec" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/ndk-r26" name="toolchain/prebuilts/ndk/r26" clone-depth="1" groups="ddk" revision="e535051ebc04204cec44bde38f62385d63180388" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" groups="ddk" revision="6b103c40d8113f001475d5e13672922ef2aa0e5a" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" groups="ddk" revision="2a10807a06153b5862da0369f4b6b368afc2dd08" />
+
+  <project path="external/libcap-ng" name="platform/external/libcap-ng" revision="2bcc92ae19481dd2b8d3ce3abdfbbee49261abe6" />
+
+  <project path="external/libcap" name="platform/external/libcap" revision="d7d1a0a38c5be06a7e7d6391d140b54878836f48" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" groups="ddk" revision="f31250f9f5b03834d9964aaee7a3794c1d73d4a2" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" groups="ddk" revision="9ae5a78fc57c3cd539398373ae39601a8b923e62" />
+
+  <project path="external/bazelbuild-bazel-central-registry" name="platform/external/bazelbuild-bazel-central-registry" revision="3422f064566c274ea66633442521704d4a22486d" groups="ddk" />
+
+  <project path="external/bazelbuild-platforms" name="platform/external/bazelbuild-platforms" groups="ddk" revision="e352aabd0131f3ac3f340282a43ba85ffc3fe8fa" />
+
+  <project path="external/bazelbuild-apple_support" name="platform/external/bazelbuild-apple_support" groups="ddk" revision="f6003e1e3763f8aad9fb9acae79cfa5fff9ae988" />
+
+  <project path="external/bazelbuild-rules_cc" name="platform/external/bazelbuild-rules_cc" groups="ddk" revision="f0df148dbeb9b9ed3816aad328ebe7c65efaaa24" />
+
+  <project path="external/bazelbuild-rules_java" name="platform/external/bazelbuild-rules_java" groups="ddk" revision="8e548c7053dffd1717d565f0409a88992f401da1" />
+
+  <project path="external/bazelbuild-rules_license" name="platform/external/bazelbuild-rules_license" groups="ddk" revision="f578df4fd057ffe2023728444759535685631548" />
+
+  <project path="external/bazelbuild-rules_pkg" name="platform/external/bazelbuild-rules_pkg" groups="ddk" revision="429887dfd8db834498ad95e99043f771a3882af0" />
+
+  <project path="external/bazelbuild-rules_python" name="platform/external/bazelbuild-rules_python" groups="ddk" revision="f71847ac898655b67634bb14e77a7408c4fb5e00" />
+
+  <project path="external/bazelbuild-rules_rust" name="platform/external/bazelbuild-rules_rust" groups="ddk" revision="1520b49835be9122c2424231357d4db80069cc38" />
+
+  <project path="external/pigz" name="platform/external/pigz" groups="ddk" revision="9bc9fa17d499ddde88b77820f6d063e16c0cdd42" />
+
+  <project path="external/zlib" name="platform/external/zlib" groups="ddk" revision="eff168fd731068a3faddd9aae056875e10014a51" />
+
+  <project path="external/zopfli" name="platform/external/zopfli" groups="ddk" revision="36c79f00e5229800d2aaa13fc42c301ec8ef1153" />
+</manifest>

.github/patches/5.10/0001-Makefile-Use-CCACHE-for-faster-compilation.patch

@@ -1,48 +0,0 @@
-From f1e398602b989ac197cdd0fda4a7c4c323b03eb9 Mon Sep 17 00:00:00 2001
-From: DozNaka <dozdguide@gmail.com>
-Date: Mon, 11 Apr 2022 20:43:45 -0400
-Subject: [PATCH] Makefile: Use CCACHE for faster compilation
-
----
- Makefile | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index e8b8d5894..51e8aac6e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -442,21 +442,21 @@ KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
- # Make variables (CC, etc...)
- CPP		= $(CC) -E
- ifneq ($(LLVM),)
--CC		= clang
--LD		= ld.lld
--AR		= llvm-ar
-+CC		= $(CCACHE) clang
-+LD		= $(CCACHE) ld.lld
-+AR		= $(CCACHE) llvm-ar
- NM		= llvm-nm
--OBJCOPY		= llvm-objcopy
--OBJDUMP		= llvm-objdump
-+OBJCOPY		= $(CCACHE) llvm-objcopy
-+OBJDUMP		= $(CCACHE) llvm-objdump
- READELF		= llvm-readelf
- STRIP		= llvm-strip
- else
--CC		= $(CROSS_COMPILE)gcc
--LD		= $(CROSS_COMPILE)ld
--AR		= $(CROSS_COMPILE)ar
-+CC		= $(CCACHE) $(CROSS_COMPILE)gcc
-+LD		= $(CCACHE) $(CROSS_COMPILE)ld
-+AR		= $(CCACHE) $(CROSS_COMPILE)ar
- NM		= $(CROSS_COMPILE)nm
--OBJCOPY		= $(CROSS_COMPILE)objcopy
--OBJDUMP		= $(CROSS_COMPILE)objdump
-+OBJCOPY		= $(CCACHE) $(CROSS_COMPILE)objcopy
-+OBJDUMP		= $(CCACHE) $(CROSS_COMPILE)objdump
- READELF		= $(CROSS_COMPILE)readelf
- STRIP		= $(CROSS_COMPILE)strip
- endif
--- 
-2.37.2
-

.github/patches/5.10/0001-setlocalversion-don-t-check-for-uncommitted-changes.patch

@@ -1,43 +0,0 @@
-From dbdd2906c0b3a967ca28c6b870b46f905c170661 Mon Sep 17 00:00:00 2001
-From: Park Ju Hyung <qkrwngud825@gmail.com>
-Date: Wed, 13 Mar 2019 13:36:37 +0900
-Subject: [PATCH] setlocalversion: don't check for uncommitted changes
-
-I ofter push after the build is done and I hate seeing "-dirty"
-
-Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
-Signed-off-by: Danny Lin <danny@kdrag0n.dev>
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
-Change-Id: I240c516520879da680794fd144b1f273f9e21e13
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
----
- scripts/setlocalversion | 13 -------------
- 1 file changed, 13 deletions(-)
-
-diff --git a/scripts/setlocalversion b/scripts/setlocalversion
-index 842936656b84..ef27a273ebf5 100755
---- a/scripts/setlocalversion
-+++ b/scripts/setlocalversion
-@@ -107,19 +107,6 @@ scm_version()
- 			printf -- '-svn%s' "$(git svn find-rev $head)"
- 		fi
- 
--		# Check for uncommitted changes.
--		# First, with git-status, but --no-optional-locks is only
--		# supported in git >= 2.14, so fall back to git-diff-index if
--		# it fails. Note that git-diff-index does not refresh the
--		# index, so it may give misleading results. See
--		# git-update-index(1), git-diff-index(1), and git-status(1).
--		if {
--			git --no-optional-locks status -uno --porcelain 2>/dev/null ||
--			git diff-index --name-only HEAD
--		} | grep -qvE '^(.. )?scripts/package'; then
--			printf '%s' -dirty
--		fi
--
- 		# All done with git
- 		return
- 	fi
--- 
-2.37.2
-

.github/patches/5.15/0001-Makefile-Use-CCACHE-for-faster-compilation.patch

@@ -1,48 +0,0 @@
-From f1e398602b989ac197cdd0fda4a7c4c323b03eb9 Mon Sep 17 00:00:00 2001
-From: DozNaka <dozdguide@gmail.com>
-Date: Mon, 11 Apr 2022 20:43:45 -0400
-Subject: [PATCH] Makefile: Use CCACHE for faster compilation
-
----
- Makefile | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index e8b8d5894..51e8aac6e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -442,21 +442,21 @@ KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
- # Make variables (CC, etc...)
- CPP		= $(CC) -E
- ifneq ($(LLVM),)
--CC		= clang
--LD		= ld.lld
--AR		= llvm-ar
-+CC		= $(CCACHE) clang
-+LD		= $(CCACHE) ld.lld
-+AR		= $(CCACHE) llvm-ar
- NM		= llvm-nm
--OBJCOPY		= llvm-objcopy
--OBJDUMP		= llvm-objdump
-+OBJCOPY		= $(CCACHE) llvm-objcopy
-+OBJDUMP		= $(CCACHE) llvm-objdump
- READELF		= llvm-readelf
- STRIP		= llvm-strip
- else
--CC		= $(CROSS_COMPILE)gcc
--LD		= $(CROSS_COMPILE)ld
--AR		= $(CROSS_COMPILE)ar
-+CC		= $(CCACHE) $(CROSS_COMPILE)gcc
-+LD		= $(CCACHE) $(CROSS_COMPILE)ld
-+AR		= $(CCACHE) $(CROSS_COMPILE)ar
- NM		= $(CROSS_COMPILE)nm
--OBJCOPY		= $(CROSS_COMPILE)objcopy
--OBJDUMP		= $(CROSS_COMPILE)objdump
-+OBJCOPY		= $(CCACHE) $(CROSS_COMPILE)objcopy
-+OBJDUMP		= $(CCACHE) $(CROSS_COMPILE)objdump
- READELF		= $(CROSS_COMPILE)readelf
- STRIP		= $(CROSS_COMPILE)strip
- endif
--- 
-2.37.2
-

.github/patches/5.15/0001-setlocalversion-don-t-check-for-uncommitted-changes-5.15.patch

@@ -1,46 +0,0 @@
-From bbb9e7fb1ccadac47b58ba615e6874ddeaa9e628 Mon Sep 17 00:00:00 2001
-From: Park Ju Hyung <qkrwngud825@gmail.com>
-Date: Wed, 13 Mar 2019 13:36:37 +0900
-Subject: [PATCH] setlocalversion: don't check for uncommitted changes
-
-I ofter push after the build is done and I hate seeing "-dirty"
-
-Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
-Signed-off-by: Danny Lin <danny@kdrag0n.dev>
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
-Change-Id: I240c516520879da680794fd144b1f273f9e21e13
-Signed-off-by: Divyanshu-Modi <divyan.m05@gmail.com>
----
- scripts/setlocalversion | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/scripts/setlocalversion b/scripts/setlocalversion
-index 1b733ae4c..2a3ea7684 100755
---- a/scripts/setlocalversion
-+++ b/scripts/setlocalversion
-@@ -90,22 +90,6 @@ scm_version()
- 			printf '%s%s' -g "$(echo $head | cut -c1-12)"
- 		fi
- 
--		# Check for uncommitted changes.
--		# This script must avoid any write attempt to the source tree,
--		# which might be read-only.
--		# You cannot use 'git describe --dirty' because it tries to
--		# create .git/index.lock .
--		# First, with git-status, but --no-optional-locks is only
--		# supported in git >= 2.14, so fall back to git-diff-index if
--		# it fails. Note that git-diff-index does not refresh the
--		# index, so it may give misleading results. See
--		# git-update-index(1), git-diff-index(1), and git-status(1).
--		if {
--			git --no-optional-locks status -uno --porcelain 2>/dev/null ||
--			git diff-index --name-only HEAD
--		} | read dummy; then
--			printf '%s' -dirty
--		fi
- 	fi
- }
- 
--- 
-2.37.2
-

.github/scripts/build_a12.sh

@@ -11,7 +11,15 @@ build_from_image() {
 	echo "[+] patch level: $PATCH_LEVEL"
 
 	echo '[+] Download prebuilt ramdisk'
-	curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+    GKI_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+    FALLBACK_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-2023-01_r1.zip
+    status=$(curl -sL -w "%{http_code}" "$GKI_URL" -o /dev/null)
+    if [ "$status" = "200" ]; then
+        curl -Lo gki-kernel.zip "$GKI_URL"
+    else
+        echo "[+] $GKI_URL not found, using $FALLBACK_URL"
+        curl -Lo gki-kernel.zip "$FALLBACK_URL"
+    fi
 	unzip gki-kernel.zip && rm gki-kernel.zip
 
 	echo '[+] Unpack prebuilt boot.img'
@@ -43,7 +51,7 @@ build_from_image() {
 	echo "[+] Images to upload"
 	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do

.github/scripts/build_a13.sh

@@ -30,7 +30,7 @@ build_from_image() {
 	echo '[+] Images to upload'
 	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do

.github/workflows/add-device.yml

@@ -11,7 +11,7 @@ jobs:
     env:
       ISSUE_CONTENT: ${{ github.event.issue.body }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Parse issue body
         id: handle-add-device
         run: |
@@ -26,7 +26,7 @@ jobs:
       - name: Make pull request
         if: steps.handle-add-device.outputs.success == 'true'
         id: cpr
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
@@ -42,18 +42,18 @@ jobs:
         run: |
           echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
           echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: ${{ steps.cpr.outputs.pull-request-number }}
         with:
           message: "Automatically created pull request: ${{ steps.cpr.outputs.pull-request-url }}"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: steps.handle-add-device.outputs.success != 'true'
         with:
           message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: close issue
-        uses: peter-evans/close-issue@v1
+        uses: peter-evans/close-issue@v3
         with:
           issue-number: ${{ github.event.issue.number }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/avd-kernel.yml

@@ -0,0 +1,137 @@
+name: GKI Kernel Build
+
+on:
+  workflow_call:
+    inputs:
+      version_name:
+        required: true
+        type: string
+        description: >
+          With SUBLEVEL of kernel,
+          for example: android12-5.10.66
+      arch:
+        required: true
+        type: string
+        description: >
+          Build arch: aarch64/x86_64
+      debug:
+        required: false
+        type: boolean
+        default: true
+      manifest_name:
+        required: false
+        type: string
+        description: >
+          Local repo manifest xml path,
+          typically for AVD kernel build.
+    secrets:
+      BOOT_SIGN_KEY:
+        required: false
+      CHAT_ID:
+        required: false
+      BOT_TOKEN:
+        required: false
+      MESSAGE_THREAD_ID:
+        required: false
+
+jobs:
+  build:
+    name: Build ${{ inputs.version_name }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 8192
+          temp-reserve-mb: 2048
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+          remove-codeql: 'true'
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup need_upload
+        id: need_upload
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            echo "UPLOAD=true" >> $GITHUB_OUTPUT
+          else
+            echo "UPLOAD=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kernel source
+        run: |
+          echo "Free space:"
+          df -h
+          cd $GITHUB_WORKSPACE
+          sudo apt-get install repo -y
+          mkdir android-kernel && cd android-kernel
+          repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -m "$GITHUB_WORKSPACE/KernelSU/.github/manifests/${{ inputs.manifest_name }}" --repo-rev=v2.16
+          repo --version
+          repo --trace sync -c -j$(nproc --all) --no-tags
+          df -h
+
+      - name: Setup KernelSU
+        env:
+          PATCH_PATH: ${{ inputs.patch_path }}
+          IS_DEBUG_KERNEL: ${{ inputs.debug }}
+        run: |
+          cd $GITHUB_WORKSPACE/android-kernel
+          echo "[+] KernelSU setup"
+          GKI_ROOT=$(pwd)
+          echo "[+] GKI_ROOT: $GKI_ROOT"
+          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
+          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
+          echo "[+] Apply KernelSU patches"
+          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch || echo "[-] No patch found"
+
+          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
+            echo "[+] Enable debug features for kernel"
+            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+          fi
+          repo status
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Make working directory clean to avoid dirty
+        working-directory: android-kernel
+        run: |
+          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
+          git config --global user.email "bot@kernelsu.org"
+          git config --global user.name "KernelSUBot"
+          cd common/ && git add -A && git commit -a -m "Add KernelSU"
+          repo status
+
+      - name: Build kernel
+        working-directory: android-kernel
+        run: |
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          tools/bazel run --config=fast --config=stamp --lto=thin //common-modules/virtual-device:virtual_device_${{ inputs.arch }}_dist -- --dist_dir=dist
+          NAME=kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
+          TARGET_IMAGE=dist/bzImage
+          if [ ! -e $TARGET_IMAGE ]; then
+            TARGET_IMAGE=dist/Image
+          fi
+          mv $TARGET_IMAGE $NAME
+          echo "file_path=android-kernel/$NAME" >> $GITHUB_ENV
+
+      - name: Upload Kernel
+        uses: actions/upload-artifact@v4
+        with:
+          name: kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
+          path: "${{ env.file_path }}"

.github/workflows/build-debug-kernel.yml

@@ -0,0 +1,31 @@
+name: Build debug kernel
+on:
+  workflow_dispatch:
+
+jobs:
+  build-debug-kernel-a12:
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.185
+      tag: android12-5.10-2023-09
+      os_patch_level: 2023-09
+      patch_path: "5.10"
+      debug: true
+  build-debug-kernel-a13:
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 187
+            os_patch_level: 2023-08
+          - version: "5.15"
+            sub_level: 119
+            os_patch_level: 2023-09
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: true

.github/workflows/build-kernel-a12.yml

@@ -1,7 +1,7 @@
 name: Build Kernel - Android 12
 on:
   push:
-    branches: ["main", "ci"]
+    branches: ["main", "ci", "checkci"]
     paths:
       - ".github/workflows/build-kernel-a12.yml"
       - ".github/workflows/gki-kernel.yml"
@@ -17,24 +17,20 @@ on:
   workflow_call:
 jobs:
   build-kernel:
-    if: github.event_name != 'pull_request'
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
     strategy:
       matrix:
         include:
-          - sub_level: 66
-            os_patch_level: 2021-11
-          - sub_level: 81
-            os_patch_level: 2022-03
-          - sub_level: 101
-            os_patch_level: 2022-05
-          - sub_level: 110
-            os_patch_level: 2022-07
-          - sub_level: 136
-            os_patch_level: 2022-11
-          - sub_level: 149
-            os_patch_level: 2023-01
-          - sub_level: 160
-            os_patch_level: 2023-02
+          - sub_level: 168
+            os_patch_level: 2023-05
+          - sub_level: 177
+            os_patch_level: 2023-07
+          - sub_level: 185
+            os_patch_level: 2023-09
+          - sub_level: 198
+            os_patch_level: 2024-01
+          - sub_level: 205
+            os_patch_level: 2024-03
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -43,13 +39,13 @@ jobs:
       tag: android12-5.10-${{ matrix.os_patch_level }}
       os_patch_level: ${{ matrix.os_patch_level }}
       patch_path: "5.10"
+  
   upload-artifacts:
     needs: build-kernel
     runs-on: ubuntu-latest
     if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
     env:
       CHAT_ID: ${{ secrets.CHAT_ID }}
-      CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
       BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
       MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
       COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
@@ -57,9 +53,9 @@ jobs:
       RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -71,11 +67,11 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=master-kernel-build-2022
+          BRANCH=main-kernel-build-2023
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install python-telegram-bot
+          pip3 install telethon==1.34.0
 
       - name: Set boot sign key
         env:
@@ -85,8 +81,13 @@ jobs:
             echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
           fi
 
-      - name: Setup mutex for uploading
-        uses: ben-z/gh-action-mutex@v1.0-alpha-7
+      - name: Bot session cache
+        id: bot_session_cache
+        uses: actions/cache@v4
+        if: false
+        with:
+          path: scripts/ksubot.session
+          key: ${{ runner.os }}-bot-session
 
       - name: Build boot images
         run: |
@@ -105,17 +106,17 @@ jobs:
         run: ls -R
 
       - name: Upload images artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: boot-images-android12
           path: Image-android12*/*.img.gz
 
   check-build-kernel:
-    if: github.event_name == 'pull_request'
+    if: (github.event_name == 'pull_request' && !github.event.pull_request.draft) || github.ref == 'refs/heads/checkci'
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android12-5.10
-      version_name: android12-5.10.160
-      tag: android12-5.10-2023-02
-      os_patch_level: 2023-02
-      patch_path: "5.10"
+      version_name: android12-5.10.205
+      tag: android12-5.10-2024-03
+      os_patch_level: 2024-03
+      patch_path: "5.10"

.github/workflows/build-kernel-a13.yml

@@ -1,7 +1,7 @@
 name: Build Kernel - Android 13
 on:
   push:
-    branches: ["main", "ci"]
+    branches: ["main", "ci", "checkci"]
     paths:
       - ".github/workflows/build-kernel-a13.yml"
       - ".github/workflows/gki-kernel.yml"
@@ -17,42 +17,76 @@ on:
   workflow_call:
 jobs:
   build-kernel:
-    if: github.event_name != 'pull_request'
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
     strategy:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 107
-            os_patch_level: 2022-11
+            sub_level: 168
+            os_patch_level: 2023-05
           - version: "5.10"
-            sub_level: 149
-            os_patch_level: 2023-01
+            sub_level: 177
+            os_patch_level: 2023-07
           - version: "5.10"
-            sub_level: 157
-            os_patch_level: 2023-02
+            sub_level: 177
+            os_patch_level: 2024-02
+          - version: "5.10"
+            sub_level: 186
+            os_patch_level: 2023-08
+          - version: "5.10"
+            sub_level: 186
+            os_patch_level: 2023-09
+          - version: "5.10"
+            sub_level: 189
+            os_patch_level: 2023-11
+          - version: "5.10"
+            sub_level: 198
+            os_patch_level: 2023-12
+          - version: "5.10"
+            sub_level: 205
+            os_patch_level: 2024-02
+          - version: "5.10"
+            sub_level: 205
+            os_patch_level: 2024-03
+          - version: "5.10"
+            sub_level: 209
+            os_patch_level: 2024-04
           - version: "5.15"
-            sub_level: 41
-            os_patch_level: 2022-11
+            sub_level: 94
+            os_patch_level: 2023-05
           - version: "5.15"
-            sub_level: 74
-            os_patch_level: 2023-01
+            sub_level: 104
+            os_patch_level: 2023-07
           - version: "5.15"
-            sub_level: 78
-            os_patch_level: 2023-02
+            sub_level: 119
+            os_patch_level: 2023-09
+          - version: "5.15"
+            sub_level: 123
+            os_patch_level: 2023-11
+          - version: "5.15"
+            sub_level: 137
+            os_patch_level: 2023-12
+          - version: "5.15"
+            sub_level: 144
+            os_patch_level: 2024-03
+          - version: "5.15"
+            sub_level: 148
+            os_patch_level: 2024-04
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
       patch_path: ${{ matrix.version }}
+  
   upload-artifacts:
     needs: build-kernel
     runs-on: ubuntu-latest
     if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
     env:
       CHAT_ID: ${{ secrets.CHAT_ID }}
-      CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
       BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
       MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
       COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
@@ -60,9 +94,9 @@ jobs:
       RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -74,11 +108,11 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=master-kernel-build-2022
+          BRANCH=main-kernel-build-2023
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install python-telegram-bot
+          pip3 install telethon==1.34.0
 
       - name: Set boot sign key
         env:
@@ -88,8 +122,13 @@ jobs:
             echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
           fi
 
-      - name: Setup mutex for uploading
-        uses: ben-z/gh-action-mutex@v1.0-alpha-7
+      - name: Bot session cache
+        id: bot_session_cache
+        uses: actions/cache@v4
+        if: false
+        with:
+          path: scripts/ksubot.session
+          key: ${{ runner.os }}-bot-session
 
       - name: Build boot images
         run: |
@@ -103,30 +142,31 @@ jobs:
           echo "VERSION: $VERSION"
           cd -
           bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
-      
+
       - name: Display structure of boot files
         run: ls -R
 
       - name: Upload images artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: boot-images-android13
           path: Image-android13*/*.img.gz
 
   check-build-kernel:
-    if: github.event_name == 'pull_request'
+    if: (github.event_name == 'pull_request' && !github.event.pull_request.draft) || github.ref == 'refs/heads/checkci'
     strategy:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 149
-            os_patch_level: 2022-11
+            sub_level: 189
+            os_patch_level: 2023-10
           - version: "5.15"
-            sub_level: 74
-            os_patch_level: 2023-01
+            sub_level: 123
+            os_patch_level: 2023-10
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-a14.yml

@@ -0,0 +1,151 @@
+name: Build Kernel - Android 14
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-kernel-a14.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build_a13.sh"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-a14.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build-a13.sh"
+      - "kernel/**"
+  workflow_call:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "5.15"
+            sub_level: 110
+            os_patch_level: 2023-09
+          - version: "5.15"
+            sub_level: 131
+            os_patch_level: 2023-11
+          - version: "5.15"
+            sub_level: 137
+            os_patch_level: 2024-01
+          - version: "5.15"
+            sub_level: 144
+            os_patch_level: 2024-03
+          - version: "5.15"
+            sub_level: 148
+            os_patch_level: 2024-04
+          - version: "6.1"
+            sub_level: 25
+            os_patch_level: 2023-10
+          - version: "6.1"
+            sub_level: 43
+            os_patch_level: 2023-11
+          - version: "6.1"
+            sub_level: 57
+            os_patch_level: 2024-01
+          - version: "6.1"
+            sub_level: 68
+            os_patch_level: 2024-03
+          - version: "6.1"
+            sub_level: 75
+            os_patch_level: 2024-04
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android14-${{ matrix.version }}
+      version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2023
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon==1.34.0
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Bot session cache
+        id: bot_session_cache
+        uses: actions/cache@v4
+        if: false
+        with:
+          path: scripts/ksubot.session
+          key: ${{ runner.os }}-bot-session
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android14
+          path: Image-android14*/*.img.gz
+
+  check-build-kernel:
+    if: (github.event_name == 'pull_request' && !github.event.pull_request.draft) || github.ref == 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "5.15"
+            sub_level: 110
+            os_patch_level: 2023-09
+          - version: "6.1"
+            sub_level: 75
+            os_patch_level: 2024-04
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android14-${{ matrix.version }}
+      version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-arcvm.yml

@@ -0,0 +1,135 @@
+name: Build Kernel - ChromeOS ARCVM
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+
+env:
+  git_tag: chromeos-5.10-arcvm
+
+jobs:
+  build:
+    if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && !github.event.pull_request.draft)
+    strategy:
+      matrix:
+        include:
+          - arch: x86_64
+            kernel_image_name: bzImage
+            build_config: build.config.gki.x86_64
+            defconfig: x86_64_arcvm_defconfig
+          - arch: arm64
+            kernel_image_name: Image
+            build_config: build.config.gki.aarch64
+            defconfig: arm64_arcvm_defconfig
+
+    name: Build ChromeOS ARCVM kernel
+    runs-on: ubuntu-20.04
+    env:
+      LTO: thin
+      ROOT_DIR: /
+      KERNEL_DIR: ${{ github.workspace }}/kernel
+
+    steps:
+      - name: Install Build Tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends bc \
+              bison build-essential ca-certificates flex git gnupg \
+              libelf-dev libssl-dev lsb-release software-properties-common wget \
+              libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip \
+              rsync python3 device-tree-compiler
+
+          sudo ln -s --force python3 /usr/bin/python
+
+          export LLVM_VERSION=12
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh $LLVM_VERSION
+          rm ./llvm.sh
+          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
+          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
+          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
+          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
+          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
+          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
+          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
+          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
+          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        run: git clone https://chromium.googlesource.com/chromiumos/third_party/kernel.git -b ${{ env.git_tag }} --depth=1
+
+      - name: Extract version from Makefile
+        working-directory: kernel
+        run: |
+          VERSION=$(grep -E '^VERSION = ' Makefile | awk '{print $3}')
+          PATCHLEVEL=$(grep -E '^PATCHLEVEL = ' Makefile | awk '{print $3}')
+          SUBLEVEL=$(grep -E '^SUBLEVEL = ' Makefile | awk '{print $3}')
+          echo "ChromeOS ARCVM Linux kernel version: $VERSION.$PATCHLEVEL.$SUBLEVEL"
+          echo "version=$VERSION.$PATCHLEVEL.$SUBLEVEL" >> $GITHUB_ENV
+          
+      - name: Setup KernelSU
+        working-directory: kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch || echo "[-] No patch found"
+
+          echo "[+] Patch script/setlocalversion"
+          sed -i 's/-dirty//g' $KERNEL_ROOT/scripts/setlocalversion
+
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          KSU_VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "KernelSU version: $KSU_VERSION"
+          echo "kernelsu_version=$KSU_VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: kernel
+        env:
+          KERNEL_IMAGE_NAME: ${{ matrix.kernel_image_name }}
+          ARCH: ${{ matrix.arch }}
+        run: |
+          set -a && . ${{ matrix.build_config }}; set +a
+          export DEFCONFIG=${{ matrix.defconfig }}
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} mrproper
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} ${DEFCONFIG} < /dev/null
+          scripts/config --file .config -e LTO_CLANG -d LTO_NONE -e LTO_CLANG_THIN -d LTO_CLANG_FULL -e THINLTO
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} -j$(nproc) ${KERNEL_IMAGE_NAME} modules prepare-objtool
+          ls -l -h ${PWD}/arch/${ARCH}/boot
+          echo "file_path=${PWD}/arch/${ARCH}/boot/${KERNEL_IMAGE_NAME}" >> $GITHUB_ENV
+
+      - name: Upload kernel-ARCVM-${{ matrix.arch }}-${{ env.version }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: kernel-ARCVM-${{ matrix.arch }}-${{ env.version }}
+          path: "${{ env.file_path }}"

.github/workflows/build-kernel-avd.yml

@@ -0,0 +1,40 @@
+name: Build Kernel - AVD
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-kernel-avd.yml"
+      - ".github/workflows/avd-kernel.yml"
+      - ".github/workflows/manifests/*xml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-avd.yml"
+      - ".github/workflows/avd-kernel.yml"
+      - ".github/workflows/manifests/*.xml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    uses: ./.github/workflows/avd-kernel.yml
+    secrets: inherit
+    strategy:
+      matrix:
+        include:
+          - version: "android-14-avd_x86_64"
+            manifest: "android-14-avd_x86_64.xml"
+            arch: "x86_64"
+          - version: "android-15-avd_aarch64"
+            manifest: "android-15-avd_aarch64.xml"
+            arch: "aarch64"
+          - version: "android-15-avd_x86_64"
+            manifest: "android-15-avd_x86_64.xml"
+            arch: "x86_64"
+    with:
+      version_name: ${{ matrix.version }}
+      manifest_name: ${{ matrix.manifest }}
+      arch: ${{ matrix.arch }}
+      debug: true

.github/workflows/build-kernel-wsa.yml

@@ -1,150 +1,38 @@
 name: Build Kernel - WSA
 on:
   push:
-    branches: ["main"]
+    branches: ["main", "ci", "checkci"]
     paths:
       - ".github/workflows/build-kernel-wsa.yml"
+      - ".github/workflows/wsa-kernel.yml"
       - "kernel/**"
   pull_request:
     branches: ["main"]
     paths:
       - ".github/workflows/build-kernel-wsa.yml"
+      - ".github/workflows/wsa-kernel.yml"
       - "kernel/**"
   workflow_call:
   workflow_dispatch:
 
 jobs:
   build:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
     strategy:
       matrix:
         arch: [x86_64, arm64]
-        version: ["5.10.117.2", "5.15.78.1"]
-        include:
-          - arch: x86_64
-            file_name: "bzImage"
-          - arch: arm64
-            file_name: "Image"
-            cross_compile: "aarch64-linux-gnu"
-          - version: "5.10.117.2"
-            arch: x86_64
-            make_config: config-wsa-5.10
-          - version: "5.10.117.2"
-            arch: arm64
-            make_config: config-wsa-arm64-5.10
-          - version: "5.15.78.1"
-            arch: x86_64
-            make_config: config-wsa-x64
-          - version: "5.15.78.1"
-            arch: arm64
-            make_config: config-wsa-arm64
-          - version: "5.10.117.2"
-            device_code: latte
-            kernel_version: "5.10"
-          - version: "5.15.78.1"
-            device_code: latte-2
-            kernel_version: "5.15"
+        version: ["5.15.94.2", "5.15.104.1", "5.15.104.2", "5.15.104.3", "5.15.104.4"]
+    uses: ./.github/workflows/wsa-kernel.yml
+    with:
+      arch: ${{ matrix.arch }}
+      version: ${{ matrix.version }}
 
-    name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
-    runs-on: ubuntu-20.04
-    env:
-      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
-      CCACHE_NOHASHDIR: "true"
-      CCACHE_HARDLINK: "true"
-
-    steps:
-      - name: Install Build Tools
-        run: |
-          sudo apt update
-          sudo apt install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip
-          export LLVM_VERSION=12
-          wget https://apt.llvm.org/llvm.sh
-          chmod +x llvm.sh
-          sudo ./llvm.sh $LLVM_VERSION
-          rm ./llvm.sh
-          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
-          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
-          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
-          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
-          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
-          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
-          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
-          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
-          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
-
-      - name: Checkout KernelSU
-        uses: actions/checkout@v3
-        with:
-          path: KernelSU
-          ref: main
-          fetch-depth: 0
-
-      - name: Setup kernel source
-        uses: actions/checkout@v3
-        with:
-          repository: microsoft/WSA-Linux-Kernel
-          ref: android-lts/${{ matrix.device_code }}/${{ matrix.version }}
-          path: WSA-Linux-Kernel
-
-      - name: Setup Ccache
-        uses: hendrikmuhs/ccache-action@v1.2
-        with:
-          key: WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
-          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
-          max-size: 2G
-
-      - name: Setup KernelSU
-        working-directory: WSA-Linux-Kernel
-        run: |
-          echo "[+] KernelSU setup"
-          KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
-          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
-          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
-          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
-          echo "[+] Add KernelSU driver to Makefile"
-          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
-          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-          echo "[+] Apply KernelSU patches"
-          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/${{ matrix.kernel_version }}/*.patch
-          echo "[+] KernelSU setup done."
-          cd $GITHUB_WORKSPACE/KernelSU
-          VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
-
-      - name: Build Kernel
-        working-directory: WSA-Linux-Kernel
-        run: |
-          cp configs/wsa/${{ matrix.make_config }} .config
-          make olddefconfig
-          make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} CROSS_COMPILE=${{ matrix.cross_compile }} ${{ matrix.file_name }} CCACHE="/usr/bin/ccache"
-          echo "file_path=WSA-Linux-Kernel/arch/${{ matrix.arch }}/boot/${{ matrix.file_name }}" >> $GITHUB_ENV
-
-      - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
-        uses: actions/upload-artifact@v3
-        with:
-          name: kernel-WSA-${{ matrix.arch }}-${{ matrix.version }}
-          path: "${{ env.file_path }}"
-
-      - name: Post to Telegram
-        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-        env:
-          CHAT_ID: ${{ secrets.CHAT_ID }}
-          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}    
-        run: |
-          TITLE=kernel-${{ matrix.arch }}-WSA-${{ matrix.version }}
-          echo "[+] title: $TITLE"
-          export TITLE
-          export VERSION="${{ env.kernelsu_version }}"
-          echo "[+] Compress images"
-          gzip -n -f -9 "${{ env.file_path }}"
-          echo "[+] Image to upload"
-          ls -l "${{ env.file_path }}.gz"
-          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
-            pip3 install python-telegram-bot
-            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
-          fi
+  check_build:
+    if: (github.event_name == 'pull_request' && !github.event.pull_request.draft) || github.ref == 'refs/heads/checkci'
+    uses: ./.github/workflows/wsa-kernel.yml
+    strategy:
+      matrix:
+        arch: [x86_64, arm64]
+    with:
+      arch: ${{ matrix.arch }}
+      version: "5.15.104.4"

.github/workflows/build-ksud.yml

@@ -1,25 +0,0 @@
-name: Build KSUD
-on:
-  push:
-    branches: [ "main", "ci" ]
-    paths: 
-      - '.github/workflows/build-ksud.yml'
-      - '.github/workflows/ksud.yml'
-      - 'userspace/ksud/**'
-  pull_request:
-    branches: [ "main" ]
-    paths: 
-      - '.github/workflows/build-ksud.yml'
-      - '.github/workflows/ksud.yml'
-      - 'userspace/ksud/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-          - target: x86_64-linux-android
-          - target: x86_64-pc-windows-gnu # only for build
-    uses: ./.github/workflows/ksud.yml
-    with:
-      target: ${{ matrix.target }}

.github/workflows/build-lkm.yml

@@ -0,0 +1,38 @@
+name: Build LKM for KernelSU
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-lkm.yml"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-lkm.yml"
+  workflow_call:
+jobs:
+  build-lkm:
+    strategy:
+      matrix:
+        include:
+          - version: "android12-5.10"
+            sub_level: 198
+            os_patch_level: "2024-01"
+          - version: "android13-5.10"
+            sub_level: 198
+            os_patch_level: 2023-12
+          - version: "android13-5.15"
+            sub_level: 137
+            os_patch_level: 2023-12
+          - version: "android14-5.15"
+            sub_level: 110
+            os_patch_level: 2023-09
+          - version: "android14-6.1"
+            sub_level: 43
+            os_patch_level: 2023-11
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: ${{ matrix.version }}
+      version_name: ${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: ${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      build_lkm: true

.github/workflows/build-manager.yml

@@ -1,107 +1,160 @@
 name: Build Manager
+
 on:
   push:
-    branches: [ "main" ]
-    paths: 
+    branches: [ "main", "ci" ]
+    paths:
       - '.github/workflows/build-manager.yml'
       - 'manager/**'
+      - 'kernel/**'
       - 'userspace/ksud/**'
   pull_request:
     branches: [ "main" ]
-    paths: 
+    paths:
       - 'manager/**'
   workflow_call:
+
 jobs:
+  build-lkm:
+    uses: ./.github/workflows/build-lkm.yml
+    secrets: inherit
+
   build-ksud:
+    needs: build-lkm
     strategy:
       matrix:
         include:
           - target: aarch64-linux-android
+            os: ubuntu-latest
           - target: x86_64-linux-android
+            os: ubuntu-latest
+          - target: x86_64-pc-windows-gnu # windows pc
+            os: ubuntu-latest
+          - target: x86_64-apple-darwin # Intel mac
+            os: macos-latest
+          - target: aarch64-apple-darwin # M chip mac
+            os: macos-latest
+          - target: aarch64-unknown-linux-musl # arm64 Linux
+            os: ubuntu-latest
+          - target: x86_64-unknown-linux-musl # x86 Linux
+            os: ubuntu-latest
     uses: ./.github/workflows/ksud.yml
     with:
       target: ${{ matrix.target }}
+      os: ${{ matrix.os }}
+
   build-manager:
     needs: build-ksud
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./manager
+
     steps:
-    - uses: actions/checkout@v3
-      with:
-        fetch-depth: 0
-    - name: Setup need_upload
-      id: need_upload
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          echo "UPLOAD=true" >> $GITHUB_OUTPUT
-        else
-          echo "UPLOAD=false" >> $GITHUB_OUTPUT
-        fi
-    - name: set up JDK 11
-      uses: actions/setup-java@v3
-      with:
-        java-version: '11'
-        distribution: 'temurin'
-        cache: gradle
-    - uses: nttld/setup-ndk@v1
-      with:
-        ndk-version: r25b
-        local-cache: true
-    - name: Extract keystore
-      if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-      run: |
-        if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
-          echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}' >> sign.properties
-          echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}' >> sign.properties
-          echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}' >> sign.properties
-          echo KEYSTORE_FILE='../key.jks' >> sign.properties
-          echo ${{ secrets.KEYSTORE }} | base64 --decode > key.jks
-        fi
-    - name: Download arm64 ksud
-      uses: actions/download-artifact@v3
-      with:
-        name: ksud-aarch64-linux-android
-        path: .
-    - name: Download x86_64 ksud
-      uses: actions/download-artifact@v3
-      with:
-        name: ksud-x86_64-linux-android
-        path: .
-    - name: Copy ksud to app jniLibs
-      run: |
-        mkdir -p app/src/main/jniLibs/arm64-v8a
-        mkdir -p app/src/main/jniLibs/x86_64
-        cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
-        cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
-    - name: Grant execute permission for gradlew
-      run: chmod +x gradlew
-    - name: Build with Gradle
-      run: ./gradlew clean assembleRelease
-    - name: Upload build artifact
-      uses: actions/upload-artifact@v3
-      with:
-        name: manager
-        path: manager/app/build/outputs/apk/release/*.apk
-    - name: Setup mutex for uploading
-      uses: ben-z/gh-action-mutex@v1.0-alpha-7
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: Manager
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          export VERSION=$(git rev-list --count HEAD)
-          APK=$(find ./app/build/outputs/apk/release -name "*.apk")
-          pip3 install python-telegram-bot
-          python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
-        fi
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup need_upload
+        id: need_upload
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            echo "UPLOAD=true" >> $GITHUB_OUTPUT
+          else
+            echo "UPLOAD=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Write key
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        run: |
+          if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
+            {
+              echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}'
+              echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}'
+              echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}'
+              echo KEYSTORE_FILE='key.jks'
+            } >> gradle.properties
+            echo ${{ secrets.KEYSTORE }} | base64 -d > key.jks
+          fi
+
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          java-version: 21
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+        with:
+          gradle-home-cache-cleanup: true
+
+      - name: Download arm64 ksud
+        uses: actions/download-artifact@v4
+        with:
+          name: ksud-aarch64-linux-android
+          path: .
+
+      - name: Download x86_64 ksud
+        uses: actions/download-artifact@v4
+        with:
+          name: ksud-x86_64-linux-android
+          path: .
+
+      - name: Copy ksud to app jniLibs
+        run: |
+          mkdir -p app/src/main/jniLibs/arm64-v8a
+          mkdir -p app/src/main/jniLibs/x86_64
+          cp -f ../aarch64-linux-android/release/ksud ../manager/app/src/main/jniLibs/arm64-v8a/libksud.so
+          cp -f ../x86_64-linux-android/release/ksud ../manager/app/src/main/jniLibs/x86_64/libksud.so
+
+      - name: Build with Gradle
+        run: |
+          {
+            echo 'org.gradle.parallel=true'
+            echo 'org.gradle.vfs.watch=true'
+            echo 'org.gradle.jvmargs=-Xmx2048m'
+            echo 'android.native.buildOutput=verbose'
+          } >> gradle.properties
+          sed -i 's/org.gradle.configuration-cache=true//g' gradle.properties
+          ./gradlew clean assembleRelease
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        with:
+          name: manager
+          path: manager/app/build/outputs/apk/release/*.apk
+
+      - name: Upload mappings
+        uses: actions/upload-artifact@v4
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        with:
+          name: "mappings"
+          path: "manager/app/build/outputs/mapping/release/"
+
+      - name: Bot session cache
+        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
+        id: bot_session_cache
+        uses: actions/cache@v4
+        with:
+          path: scripts/ksubot.session
+          key: ${{ runner.os }}-bot-session
+
+      - name: Upload to telegram
+        if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          TITLE: Manager
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            export VERSION=$(git rev-list --count HEAD)
+            APK=$(find ./app/build/outputs/apk/release -name "*.apk")
+            pip3 install telethon==1.34.0
+            python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
+          fi

.github/workflows/build-su.yml

@@ -1,21 +1,21 @@
 name: Build SU
 on:
   push:
-    branches: [ "main" ]
-    paths: 
+    branches: [ "main", "ci" ]
+    paths:
       - '.github/workflows/build-su.yml'
       - 'userspace/su/**'
       - 'scripts/ksubot.py'
   pull_request:
     branches: [ "main" ]
-    paths: 
+    paths:
       - 'userspace/su/**'
 jobs:
   build-su:
     name: Build userspace su
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Setup need_upload
@@ -28,35 +28,12 @@ jobs:
         fi
     - uses: nttld/setup-ndk@v1
       with:
-        ndk-version: r25b
-        local-cache: true
+        ndk-version: r26d
     - name: Build su
       working-directory: ./userspace/su
       run: ndk-build
     - name: Upload a Build Artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: su
-        path: ./userspace/su/libs
-    - name: Setup mutex for uploading
-      uses: ben-z/gh-action-mutex@v1.0-alpha-7
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: SU
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          export VERSION=$(git rev-list --count HEAD)
-          pip3 install python-telegram-bot
-          mv ./userspace/su/libs/arm64-v8a/su su-arm64
-          mv ./userspace/su/libs/x86_64/su su-x86_64
-          python3 scripts/ksubot.py su-arm64 su-x86_64
-        fi
+        path: ./userspace/su/libs

.github/workflows/clippy.yml

@@ -21,14 +21,15 @@ jobs:
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
+      - uses: actions/checkout@v4
+      - run: rustup update --force-non-host stable-x86_64-unknown-linux-gnu
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: userspace/ksud
 
       - name: Install cross
-        run: cargo install cross
+        run: |
+          cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
 
       - name: Run clippy
         run: |

.github/workflows/deploy-website.yml

@@ -8,30 +8,60 @@ on:
     paths:
       - '.github/workflows/deploy-website.yml'
       - 'website/**'
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: pages
+  cancel-in-progress: false
 
 jobs:
-  deploy:
+  # Build job
+  build:
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: ./website
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
-          fetch-depth: 0
-      - uses: actions/setup-node@v3
+          fetch-depth: 0 # Not needed if lastUpdated is not enabled
+      - name: Setup Node
+        uses: actions/setup-node@v4
         with:
-          node-version: 16
-          cache: yarn
+          node-version: 20
+          cache: yarn # or pnpm / yarn
           cache-dependency-path: website/yarn.lock
-      - run: yarn install --frozen-lockfile
-
-      - name: Build
-        run: yarn docs:build
-
-      - name: Deploy
-        uses: peaceiris/actions-gh-pages@v3
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Build with VitePress
+        run: |
+          yarn docs:build
+          touch docs/.vitepress/dist/.nojekyll
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: website/docs/.vitepress/dist
-          cname: kernelsu.org # if wanna deploy to custom domain
+          path: website/docs/.vitepress/dist
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    needs: build
+    runs-on: ubuntu-latest
+    name: Deploy
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/gki-kernel.yml

@@ -29,7 +29,7 @@ on:
           for example: 2021-11
         default: 2022-05
       patch_path:
-        required: true
+        required: false
         type: string
         description: >
           Directory name of .github/patches/<patch_path>
@@ -45,13 +45,19 @@ on:
         description: >
           Artifact name of prebuilt ksud to be embedded
           for example: ksud-aarch64-linux-android
+      debug:
+        required: false
+        type: boolean
+        default: false
+      build_lkm:
+        required: false
+        type: boolean
+        default: false
     secrets:
       BOOT_SIGN_KEY:
         required: false
       CHAT_ID:
         required: false
-      CACHE_CHAT_ID:
-        required: false
       BOT_TOKEN:
         required: false
       MESSAGE_THREAD_ID:
@@ -66,7 +72,17 @@ jobs:
       CCACHE_NOHASHDIR: "true"
       CCACHE_HARDLINK: "true"
     steps:
-      - uses: actions/checkout@v3
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 8192
+          temp-reserve-mb: 2048
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+          remove-codeql: 'true'
+
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -82,15 +98,27 @@ jobs:
 
       - name: Setup kernel source
         run: |
+          echo "Free space:"
+          df -h
           cd $GITHUB_WORKSPACE
-          git clone https://gerrit.googlesource.com/git-repo
+          sudo apt-get install repo -y
           mkdir android-kernel && cd android-kernel
-          ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }}
-          ../git-repo/repo sync -j$(nproc --all)
+          repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.16
+          REMOTE_BRANCH=$(git ls-remote https://android.googlesource.com/kernel/common ${{ inputs.tag }})
+          DEFAULT_MANIFEST_PATH=.repo/manifests/default.xml
+          if grep -q deprecated <<< $REMOTE_BRANCH; then
+            echo "Found deprecated branch: ${{ inputs.tag }}"
+            sed -i 's/"${{ inputs.tag }}"/"deprecated\/${{ inputs.tag }}"/g' $DEFAULT_MANIFEST_PATH
+            cat $DEFAULT_MANIFEST_PATH
+          fi
+          repo --version
+          repo --trace sync -c -j$(nproc --all) --no-tags
+          df -h
 
       - name: Setup KernelSU
         env:
           PATCH_PATH: ${{ inputs.patch_path }}
+          IS_DEBUG_KERNEL: ${{ inputs.debug }}
         run: |
           cd $GITHUB_WORKSPACE/android-kernel
           echo "[+] KernelSU setup"
@@ -100,9 +128,17 @@ jobs:
           ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
           echo "[+] Add KernelSU driver to Makefile"
           DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
           echo "[+] Apply KernelSU patches"
-          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
+          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch || echo "[-] No patch found"
+
+          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
+            echo "[+] Enable debug features for kernel"
+            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+          fi
+          repo status
           echo "[+] KernelSU setup done."
 
       - name: Symbol magic
@@ -118,35 +154,98 @@ jobs:
 
       - name: Setup ccache
         if: inputs.use_cache == true
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@v1
         with:
           key: gki-kernel-aarch64-${{ inputs.version_name }}
           max-size: 2G
           save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 
-      - name: Build boot.img
+      - name: Setup for LKM
+        if: ${{ inputs.build_lkm == true }}
         working-directory: android-kernel
-        run: CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
+        run: |
+          pip install ast-grep-cli
+          sudo apt-get install llvm-15 -y
+          ast-grep -U -p '$$$ check_exports($$$) {$$$}' -r '' common/scripts/mod/modpost.c
+          ast-grep -U -p 'check_exports($$$);' -r '' common/scripts/mod/modpost.c
+          sed -i '/config KSU/,/help/{s/default y/default m/}' common/drivers/kernelsu/Kconfig
+          echo "drivers/kernelsu/kernelsu.ko" >> common/android/gki_aarch64_modules
+
+          # bazel build, android14-5.15, android14-6.1 use bazel
+          if [ ! -e build/build.sh ]; then
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
+            if [ -e common/modules.bzl ]; then
+              sed -i 's/_COMMON_GKI_MODULES_LIST = \[/_COMMON_GKI_MODULES_LIST = \[ "drivers\/kernelsu\/kernelsu.ko",/g' common/modules.bzl
+            fi
+          else
+            TARGET_FILE="build/kernel/build.sh"
+            if [ ! -e "$TARGET_FILE" ]; then
+              TARGET_FILE="build/build.sh"
+            fi
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' $TARGET_FILE || echo "No unknown symbol in $TARGET_FILE"
+            sed -i 's/if ! diff -u "\${KERNEL_DIR}\/\${MODULES_ORDER}" "\${OUT_DIR}\/modules\.order"; then/if false; then/g' $TARGET_FILE
+            sed -i 's@${ROOT_DIR}/build/abi/compare_to_symbol_list@echo@g' $TARGET_FILE
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
+          fi
+
+      - name: Make working directory clean to avoid dirty
+        working-directory: android-kernel
+        run: |
+          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
+          git config --global user.email "bot@kernelsu.org"
+          git config --global user.name "KernelSUBot"
+          cd common/ && git add -A && git commit -a -m "Add KernelSU"
+          repo status
+
+      - name: Build Kernel/LKM
+        working-directory: android-kernel
+        run: |
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          if [ -e build/build.sh ]; then
+            LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh CC="/usr/bin/ccache clang"
+          else
+            tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --dist_dir=dist
+          fi
 
       - name: Prepare artifacts
         id: prepareArtifacts
         run: |
           OUTDIR=android-kernel/out/${{ inputs.version }}/dist
+          if [ ! -e $OUTDIR ]; then
+            OUTDIR=android-kernel/dist
+          fi
           mkdir output
-          cp $OUTDIR/Image ./output/
-          cp $OUTDIR/Image.lz4 ./output/
-          git clone https://github.com/Kernel-SU/AnyKernel3
-          rm -rf ./AnyKernel3/.git
-          cp $OUTDIR/Image ./AnyKernel3/
+          if [ "${{ inputs.build_lkm}}" = "true" ]; then 
+            llvm-strip-15 -d $OUTDIR/kernelsu.ko
+            mv $OUTDIR/kernelsu.ko ./output/${{ inputs.version }}_kernelsu.ko
+          else
+            cp $OUTDIR/Image ./output/
+            cp $OUTDIR/Image.lz4 ./output/
+            git clone https://github.com/Kernel-SU/AnyKernel3
+            rm -rf ./AnyKernel3/.git
+            cp $OUTDIR/Image ./AnyKernel3/
+          fi
 
       - name: Upload Image and Image.gz
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
+        if: ${{ inputs.build_lkm == false }}
         with:
           name: Image-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
           path: ./output/*
 
       - name: Upload AnyKernel3
-        uses: actions/upload-artifact@v3
+        if: ${{ inputs.build_lkm == false }}
+        uses: actions/upload-artifact@v4
         with:
           name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
           path: ./AnyKernel3/*
+
+      - name: Upload LKM
+        uses: actions/upload-artifact@v4
+        if: ${{ inputs.build_lkm == true }}
+        with:
+          name: ${{ inputs.version }}-lkm
+          path: ./output/*_kernelsu.ko

.github/workflows/ksud.yml

@@ -5,32 +5,53 @@ on:
       target:
         required: true
         type: string
+      os:
+        required: false
+        type: string
+        default: ubuntu-latest
+      pack_lkm:
+        required: false
+        type: boolean
+        default: true
       use_cache:
         required: false
         type: boolean
         default: true
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
-    - run: rustup default 1.67.0
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
+    
+    - name: Prepare LKM fies
+      if: ${{ inputs.pack_lkm }}
+      run: |
+        cp android*-lkm/*_kernelsu.ko ./userspace/ksud/bin/aarch64/
+        
+    - name: Setup rustup
+      run: |
+        rustup update stable
+        rustup target add x86_64-apple-darwin
+        rustup target add aarch64-apple-darwin
     - uses: Swatinem/rust-cache@v2
       with:
         workspaces: userspace/ksud
         cache-targets: false
 
     - name: Install cross
-      run: cargo install cross
+      run: |
+        cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
 
     - name: Build ksud
-      run: cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
+      run: CROSS_NO_WARNINGS=0 cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
 
     - name: Upload ksud artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: ksud-${{ inputs.target }}
-        path: userspace/ksud/target/**/release/ksud
+        path: userspace/ksud/target/**/release/ksud*

.github/workflows/release.yml

@@ -11,20 +11,31 @@ jobs:
     secrets: inherit
   build-a12-kernel:
     uses: ./.github/workflows/build-kernel-a12.yml
+    secrets: inherit
   build-a13-kernel:
     uses: ./.github/workflows/build-kernel-a13.yml
+    secrets: inherit
+  build-a14-kernel:
+    uses: ./.github/workflows/build-kernel-a14.yml
+    secrets: inherit
   build-wsa-kernel:
     uses: ./.github/workflows/build-kernel-wsa.yml
+    secrets: inherit
+  build-arcvm-kernel:
+    uses: ./.github/workflows/build-kernel-arcvm.yml
+    secrets: inherit
   release:
-    needs: 
+    needs:
       - build-manager
       - build-a12-kernel
       - build-a13-kernel
+      - build-a14-kernel
       - build-wsa-kernel
+      - build-arcvm-kernel
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: Zip AnyKernel3
         run: |
           for dir in AnyKernel3-*; do
@@ -43,14 +54,26 @@ jobs:
             fi
           done
 
+      - name: Zip ChromeOS ARCVM kernel
+        run: |
+          for dir in kernel-ARCVM-*; do
+            if [ -d "$dir" ]; then
+              echo "------ Zip $dir ----------"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
       - name: Display structure of downloaded files
         run: ls -R
 
       - name: release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: |
             manager/*.apk
+            android*-lkm/*_kernelsu.ko
             AnyKernel3-*.zip
             boot-images-*/Image-*/*.img.gz
             kernel-WSA*.zip
+            kernel-ARCVM*.zip
+            ksud-*

.github/workflows/rustfmt.yml

@@ -21,13 +21,13 @@ jobs:
   format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: dtolnay/rust-toolchain@nightly
         with:
           components: rustfmt
 
-      - uses: LoliGothick/rustfmt-check@v0.3.1
+      - uses: LoliGothick/rustfmt-check@master
         with:
           token: ${{ github.token }}
-          options: --manifest-path userspace/ksud/Cargo.toml
+          working-directory: userspace/ksud

.github/workflows/shellcheck.yml

@@ -18,7 +18,7 @@ jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@2.0.0

.github/workflows/wsa-kernel.yml

@@ -0,0 +1,106 @@
+name: Build Kernel - WSA
+on:
+  workflow_call:
+    inputs:
+      arch:
+        required: true
+        type: string
+        description: >
+          Build arch: x86_64 / arm64
+      version:
+        required: true
+        type: string
+        description: >
+          Build version
+jobs:
+  build:
+    name: Build WSA-Kernel-${{ inputs.version }}-${{ inputs.arch }}
+    runs-on: ubuntu-22.04
+    env:
+      CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
+      CCACHE_NOHASHDIR: "true"
+      CCACHE_HARDLINK: "true"
+
+    steps:
+      - name: Install Build Tools
+        uses: awalsh128/cache-apt-pkgs-action@v1
+        with:
+          packages: bc bison build-essential flex libelf-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu gzip ccache
+          version: 1.0
+
+      - name: Cache LLVM
+        id: cache-llvm
+        uses: actions/cache@v4
+        with:
+          path: ./llvm
+          key: llvm-12.0.1
+
+      - name: Setup LLVM
+        uses: KyleMayes/install-llvm-action@v1
+        with:
+          version: "12.0.1"
+          force-version: true
+          ubuntu-version: "16.04"
+          cached: ${{ steps.cache-llvm.outputs.cache-hit }}
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        uses: actions/checkout@v4
+        with:
+          repository: microsoft/WSA-Linux-Kernel
+          ref: android-lts/latte-2/${{ inputs.version }}
+          path: WSA-Linux-Kernel
+
+      - name: Setup Ccache
+        uses: hendrikmuhs/ccache-action@v1
+        with:
+          key: WSA-Kernel-${{ inputs.version }}-${{ inputs.arch }}
+          save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+          max-size: 2G
+
+      - name: Setup KernelSU
+        working-directory: WSA-Linux-Kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/WSA-Linux-Kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          DRIVER_KCONFIG=$KERNEL_ROOT/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.15/*.patch || echo "[-] No patch found"
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: WSA-Linux-Kernel
+        run: |
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          declare -A ARCH_MAP=(["x86_64"]="x64" ["arm64"]="arm64")
+          cp configs/wsa/config-wsa-${ARCH_MAP[${{ inputs.arch }}]} .config
+          make olddefconfig
+          declare -A FILE_NAME=(["x86_64"]="bzImage" ["arm64"]="Image")
+          make -j`nproc` LLVM=1 ARCH=${{ inputs.arch }} $(if [ "${{ inputs.arch }}" == "arm64" ]; then echo CROSS_COMPILE=aarch64-linux-gnu; fi) ${FILE_NAME[${{ inputs.arch }}]} CCACHE="/usr/bin/ccache"
+          declare -A ARCH_MAP_FILE=(["x86_64"]="x86" ["arm64"]="arm64")
+          echo "file_path=WSA-Linux-Kernel/arch/${ARCH_MAP_FILE[${{ inputs.arch }}]}/boot/${FILE_NAME[${{ inputs.arch }}]}" >> $GITHUB_ENV
+
+      - name: Upload kernel-${{ inputs.arch }}-${{ inputs.version }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: kernel-WSA-${{ inputs.arch }}-${{ inputs.version }}
+          path: "${{ env.file_path }}"

.gitignore

@@ -1 +1,2 @@
-.vscode/
+.idea
+.vscode

README.md

@@ -1,42 +0,0 @@
-**English** | [中文](README_CN.md)
-
-# KernelSU
-
-A Kernel based root solution for Android devices.
-
-## Features
-
-1. Kernel-based `su` and root access management.
-2. Module system based on overlayfs.
-
-## Compatibility State
-
-KernelSU officially supports Android GKI 2.0 devices(with kernel 5.10+), old kernels(4.14+) is also compatiable, but you need to build kernel yourself.
-
-WSA and containter-based Android should also work with KernelSU integrated.
-
-And the current supported ABIs are : `arm64-v8a` and `x86_64`
-
-## Usage
-
-[Installation](https://kernelsu.org/guide/installation.html)
-
-## Build
-
-[How to build?](https://kernelsu.org/guide/how-to-build.html)
-
-### Discussion
-
-- Telegram: [@KernelSU](https://t.me/KernelSU)
-
-## License
-
-- Files under `kernel` directory are [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- All other parts except `kernel` directory are [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
-
-## Credits
-
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): the KernelSU idea.
-- [genuine](https://github.com/brevent/genuine/): apk v2 signature validation.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): some rootkit skills.
-- [Magisk](https://github.com/topjohnwu/Magisk): the sepolicy implementation.

README_CN.md

@@ -1,42 +0,0 @@
-[English](README.md) | **中文**
-
-# KernelSU
-
-一个 Android 上基于内核的 root 方案。
-
-## 特性
-
-- 基于内核的 su 和权限管理。
-- 基于 overlayfs 的模块系统。
-
-## 兼容状态
-
-KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核也是兼容的（最低4.14+），不过需要自己编译内核。
-
-WSA 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
-
-目前支持架构 : `arm64-v8a` 和 `x86_64`
-
-## 使用方法
-
-[安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
-
-## 构建
-
-[如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
-
-### 讨论
-
-- Telegram: [@KernelSU](https://t.me/KernelSU)
-
-## 许可证
-
-- 目录 `kernel` 下所有文件为 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- 除 `kernel` 目录的其他部分均为 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
-
-## 鸣谢
-
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
-- [true](https://github.com/brevent/genuine/)：apk v2 签名验证。
-- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
-- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 的实现。

SECURITY.md

@@ -0,0 +1,7 @@
+# Reporting Security Issues
+
+The KernelSU team and community take security bugs in KernelSU seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/tiann/KernelSU/security/advisories/new) tab, or you can mailto [weishu](mailto:twsxtd@gmail.com) directly.
+
+The KernelSU team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

docs/README.md

@@ -0,0 +1,57 @@
+**English** | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+A Kernel-based root solution for Android devices.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Features
+
+1. Kernel-based `su` and root access management.
+2. Module system based on [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Lock up the root power in a cage.
+
+## Compatibility State
+
+KernelSU officially supports Android GKI 2.0 devices (kernel 5.10+). Older kernels (4.14+) are also compatible, but the kernel will have to be built manually.
+
+With this, WSA, ChromeOS, and container-based Android are all supported.
+
+Currently, only `arm64-v8a` and `x86_64` are supported.
+
+## Usage
+
+- [Installation Instruction](https://kernelsu.org/guide/installation.html)
+- [How to build?](https://kernelsu.org/guide/how-to-build.html)
+- [Official Website](https://kernelsu.org/)
+
+## Translation
+
+To help translate KernelSU or improve existing translations, please use [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR of Manager's translation is no longer accepted, because it will conflict with Weblate.
+
+## Discussion
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Security
+
+For information on reporting security vulnerabilities in KernelSU, see [SECURITY.md](/SECURITY.md).
+
+## License
+
+- Files under the `kernel` directory are [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- All other parts except the `kernel` directory are [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Credits
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): the KernelSU idea.
+- [Magisk](https://github.com/topjohnwu/Magisk): the powerful root tool.
+- [genuine](https://github.com/brevent/genuine/): apk v2 signature validation.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): some rootkit skills.

docs/README_CN.md

@@ -0,0 +1,57 @@
+[English](README.md) | [Español](README_ES.md) | **简体中文** | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+一个 Android 上基于内核的 root 方案。
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## 特性
+
+- 基于内核的 `su` 和权限管理。
+- 基于 [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) 的模块系统。
+- [App Profile](https://kernelsu.org/zh_CN/guide/app-profile.html): 把 Root 权限关进笼子里。
+
+## 兼容状态
+
+KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核也是兼容的（最低4.14+），不过需要自己编译内核。
+
+WSA, ChromeOS 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
+
+目前支持架构 : `arm64-v8a` 和 `x86_64`。
+
+## 使用方法
+
+- [安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
+- [如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
+- [官方网站](https://kernelsu.org/zh_CN/)
+
+## 参与翻译
+
+要将 KernelSU 翻译成您的语言，或完善现有的翻译，请使用 [Weblate](https://hosted.weblate.org/engage/kernelsu/)。现已不再接受有关管理器翻译的PR，因为这会与Weblate冲突。
+
+## 讨论
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## 安全性
+
+有关报告 KernelSU 安全漏洞的信息，请参阅 [SECURITY.md](/SECURITY.md)。
+
+## 许可证
+
+- 目录 `kernel` 下所有文件为 [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
+- 除 `kernel` 目录的其他部分均为 [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
+
+## 鸣谢
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
+- [Magisk](https://github.com/topjohnwu/Magisk)：强大的 root 工具箱。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 签名验证。
+- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。

docs/README_ES.md

@@ -0,0 +1,56 @@
+[English](README.md) | **Español** | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Una solución root basada en el kernel para dispositivos Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localización-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Seguir-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/Licencia-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Características
+
+1. Binario `su` basado en el kernel y gestión de acceso root.
+2. Sistema de módulos basado en [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+
+## Estado de compatibilidad
+
+**KernelSU** soporta de forma oficial dispositivos Android con **GKI 2.0** (a partir de la versión **5.10** del kernel). Los kernels antiguos (a partir de la versión **4.14**) también son compatibles, pero necesitas compilarlos por tu cuenta.
+
+Con esto, WSA, ChromeOS y Android basado en contenedores están todos compatibles.
+
+Actualmente, solo se admiten las arquitecturas `arm64-v8a` y `x86_64`.
+
+## Uso
+
+- [¿Cómo instalarlo?](https://kernelsu.org/guide/installation.html)
+- [¿Cómo compilarlo?](https://kernelsu.org/guide/how-to-build.html)
+- [Site oficial](https://kernelsu.org/)
+
+## Traducción
+
+Para ayudar a traducir KernelSU o mejorar las traducciones existentes, utilice [Weblate](https://hosted.weblate.org/engage/kernelsu/). Ya no se aceptan PR de la traducción de Manager porque entrará en conflicto con Weblate.
+
+## Discusión
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Seguridad
+
+Para obtener información sobre cómo informar vulnerabilidades de seguridad en KernelSU, consulte [SECURITY.md](/SECURITY.md).
+
+##  Licencia
+
+- Los archivos bajo el directorio `kernel` están licenciados bajo [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas las demás partes, a excepción del directorio `kernel`, están licenciados bajo [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): la idea de KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): la poderosa herramienta root.
+- [genuine](https://github.com/brevent/genuine/): validación de firma apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algunas habilidades de rootkit.

docs/README_ID.md

@@ -0,0 +1,53 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | **Indonesia** | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Solusi root berbasis Kernel untuk perangkat Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Fitur
+
+1. Manajemen akses root dan `su` berbasis kernel.
+2. Sistem modul berdasarkan [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [Profil Aplikasi](https://kernelsu.org/guide/app-profile.html): Kunci daya root di dalam sangkar.
+
+## Status Kompatibilitas
+
+KernelSU secara resmi mendukung perangkat Android GKI 2.0 (dengan kernel 5.10+), kernel lama (4.14+) juga kompatibel, tetapi Anda perlu membuat kernel sendiri.
+
+WSA, ChromeOS, dan Android berbasis wadah juga dapat bekerja dengan KernelSU terintegrasi.
+
+Dan ABI yang didukung saat ini adalah: `arm64-v8a` dan `x86_64`
+
+## Penggunaan
+
+- [Petunjuk Instalasi](https://kernelsu.org/id_ID/guide/installation.html)
+- [Bagaimana cara membuat?](https://kernelsu.org/id_ID/guide/how-to-build.html)
+- [Situs Web Resmi](https://kernelsu.org/id_ID/)
+
+## Terjemahan
+
+Untuk menerjemahkan KernelSU ke dalam bahasa Anda atau menyempurnakan terjemahan yang sudah ada, harap gunakan [Weblat](https://hosted.weblate.org/engage/kernelsu/).
+
+## Diskusi
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Lisensi
+
+- File di bawah direktori `kernel` adalah [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Semua bagian lain kecuali direktori `kernel` adalah [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Kredit
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): ide KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): alat root yang ampuh.
+- [genuine](https://github.com/brevent/genuine/): validasi tanda tangan apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): beberapa keterampilan rootkit.

docs/README_IN.md

@@ -0,0 +1,53 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) |  **हिंदी**
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Android उपकरणों के लिए कर्नेल-आधारित रूट समाधान।
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## विशेषताएँ
+
+1. कर्नेल-आधारित `su` और रूट एक्सेस प्रबंधन।
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) पर आधारित मॉड्यूल प्रणाली।
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Root शक्ति को पिंजरे में बंद कर दो।
+
+## अनुकूलता अवस्था
+
+KernelSU आधिकारिक तौर पर Android GKI 2.0 डिवाइस (कर्नेल 5.10+) का समर्थन करता है। पुराने कर्नेल (4.14+) भी संगत हैं, लेकिन कर्नेल को मैन्युअल रूप से बनाना होगा।
+
+इसके साथ, WSA, ChromeOS और कंटेनर-आधारित Android सभी समर्थित हैं।
+
+वर्तमान में, केवल `arm64-v8a` और `x86_64` समर्थित हैं।
+
+## प्रयोग
+
+- [स्थापना निर्देश](https://kernelsu.org/guide/installation.html)
+- [कैसे बनाना है ?](https://kernelsu.org/guide/how-to-build.html)
+- [आधिकारिक वेबसाइट](https://kernelsu.org/)
+
+## अनुवाद करना
+
+KernelSU का अनुवाद करने या मौजूदा अनुवादों को बेहतर बनाने में सहायता के लिए, कृपया इसका उपयोग करें [Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## बहस
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## लाइसेंस
+
+- `Kernel` निर्देशिका के अंतर्गत फ़ाइलें हैं [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- `Kernel` निर्देशिका को छोड़कर अन्य सभी भाग हैं [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## आभार सूची
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU विचार।
+- [Magisk](https://github.com/topjohnwu/Magisk): शक्तिशाली root उपकरण।
+- [genuine](https://github.com/brevent/genuine/): apk v2 हस्ताक्षर सत्यापन।
+- [Diamorphine](https://github.com/m0nad/Diamorphine): कुछ रूटकिट कौशल।

docs/README_IW.md

@@ -0,0 +1,53 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | **עברית** | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+פתרון לניהול root מבוסס על Kernel עבור מכשירי Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## תכונות
+
+1. ניהול root ו־`su` מבוססים על Kernel.
+2. מערכת מודולים מבוססת [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [פרופיל אפליקציה](https://kernelsu.org/guide/app-profile.html): נעילת גישת root בכלוב.
+
+## מצב תאימות
+
+KernelSU תומך במכשירי Android GKI 2.0 (kernel 5.10+) באופן רשמי. לליבות ישנות (4.14+) יש גם תאימות, אך יידרש לבנות את הליבה באופן ידני.
+
+באמצעות זה, תמיכה זמינה גם ל-WSA, ChromeOS ומכשירי Android המבוססים על מיכלים.
+
+כרגע, רק `arm64-v8a` ו־`x86_64` נתמכים.
+
+## שימוש
+
+- [הוראות התקנה](https://kernelsu.org/guide/installation.html)
+- [איך לבנות?](https://kernelsu.org/guide/how-to-build.html)
+- [האתר רשמי](https://kernelsu.org/)
+
+## תרגום
+
+כדי לעזור בתרגום של KernelSU או לשפר תרגומים קיימים, יש להשתמש ב-[Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## דיון
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## רשיון
+
+- קבצים תחת הספרייה `kernel` מוגנים על פי [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- כל החלקים האחרים, למעט הספרייה `kernel`, מוגנים על פי [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## קרדיטים
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): הרעיון של KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): הכלי הסופר חזק לניהול root.
+- [genuine](https://github.com/brevent/genuine/): אימות חתימת apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): כמה יכולות רוט.

docs/README_JP.md

@@ -0,0 +1,53 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | **日本語** | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Android におけるカーネルベースの root ソリューションです。
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## 特徴
+
+1. カーネルベースの `su` と権限管理。
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) に基づくモジュールシステム。
+3. [アプリのプロファイル](https://kernelsu.org/guide/app-profile.html): root の権限をケージ内に閉じ込めます。
+
+## 対応状況
+
+KernelSU は GKI 2.0 デバイス（カーネルバージョン 5.10 以上）を公式にサポートしています。古いカーネル（4.14以上）とも互換性がありますが、自分でカーネルをビルドする必要があります。
+
+WSA 、ChromeOS とコンテナ上で動作する Android でも KernelSU を統合して動かせます。
+
+現在サポートしているアーキテクチャは `arm64-v8a` および `x86_64` です。
+
+## 使用方法
+
+- [インストール方法はこちら](https://kernelsu.org/ja_JP/guide/installation.html)
+- [ビルド方法はこちら](https://kernelsu.org/guide/how-to-build.html)
+- [公式サイト](https://kernelsu.org/ja_JP/)
+
+## 翻訳
+
+KernelSU をあなたの言語に翻訳するか、既存の翻訳を改善するには、[Weblate](https://hosted.weblate.org/engage/kernelsu/) を使用してください。Manager翻訳した PR は、Weblate と競合するため受け入れられなくなりました。
+
+## ディスカッション
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## ライセンス
+
+- `kernel` ディレクトリの下にあるすべてのファイル： [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
+- `kernel` ディレクトリ以外のすべてのファイル： [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
+
+## クレジット
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU のアイデア元。
+- [Magisk](https://github.com/topjohnwu/Magisk)：強力な root ツール。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 の署名検証。
+- [Diamorphine](https://github.com/m0nad/Diamorphine): rootkit のスキル。

docs/README_KR.md

@@ -0,0 +1,57 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | **한국어** | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+안드로이드 기기에서 사용되는 커널 기반 루팅 솔루션입니다.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## 기능들
+
+1. 커널 기반 `su` 및 루트 액세스 관리.
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) 기반 모듈 시스템.
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): 루트 권한을 케이지에 가둡니다.
+
+## 호환 상태
+
+KernelSU는 공식적으로 안드로이드 GKI 2.0 디바이스(커널 5.10 이상)를 지원합니다. 오래된 커널(4.14 이상)도 사용할 수 있지만, 커널을 수동으로 빌드해야 합니다.
+
+KernelSU는 WSA, ChromeOS, 컨테이너 기반 안드로이드 모두를 지원합니다.
+
+현재는 `arm64-v8a`와 `x86_64`만 지원됩니다.
+
+## 사용 방법
+
+- [설치 방법](https://kernelsu.org/guide/installation.html)
+- [어떻게 빌드하나요?](https://kernelsu.org/guide/how-to-build.html)
+- [공식 웹사이트](https://kernelsu.org/)
+
+## 번역
+
+KernelSU 번역을 돕거나 기존 번역을 개선하려면 [Weblate](https://hosted.weblate.org/engage/kernelsu/)를 이용해 주세요. 매니저의 번역은 Weblate와 충돌할 수 있으므로 더 이상 허용되지 않습니다.
+
+## 토론
+
+- 텔레그램: [@KernelSU](https://t.me/KernelSU)
+
+## 보안
+
+KernelSU의 보안 취약점 보고에 대한 자세한 내용은 [SECURITY.md](/SECURITY.md)를 참조하세요.
+
+## 저작권
+
+- `kernel` 디렉터리 아래의 파일은 [GPL-2.0 전용](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)입니다.
+- `kernel` 디렉토리를 제외한 다른 모든 부분은 [GPL-3.0-이상](https://www.gnu.org/licenses/gpl-3.0.html)입니다.
+
+## 크래딧
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU의 아이디어.
+- [Magisk](https://github.com/topjohnwu/Magisk): 강력한 루팅 도구.
+- [genuine](https://github.com/brevent/genuine/): apk v2 서명 유효성 검사.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): 일부 rootkit 스킬.

docs/README_PL.md

@@ -0,0 +1,55 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | **Polski** | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Rozwiązanie root oparte na jądrze dla urządzeń z systemem Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Cechy
+
+1. Oparte na jądrze `su` i zarządzanie dostępem roota.
+2. System modułów oparty na [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+
+## Kompatybilność
+
+KernelSU oficjalnie obsługuje urządzenia z Androidem GKI 2.0 (z jądrem 5.10+), starsze jądra (4.14+) są również kompatybilne, ale musisz sam skompilować jądro.
+
+WSA i Android oparty na kontenerach również powinny działać ze zintegrowanym KernelSU.
+
+Aktualnie obsługiwane ABI to : `arm64-v8a` i `x86_64`.
+
+## Użycie
+
+- [Instalacja](https://kernelsu.org/guide/installation.html)
+- [Jak skompilować?](https://kernelsu.org/guide/how-to-build.html)
+
+## Tłumaczenie
+
+Aby pomóc w tłumaczeniu KernelSU lub ulepszyć istniejące tłumaczenia, użyj [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR tłumaczenia Managera nie jest już akceptowany, ponieważ będzie kolidował z Weblate.
+
+## Dyskusja
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Bezpieczeństwo
+
+Informacje na temat zgłaszania luk w zabezpieczeniach w KernelSU można znaleźć w pliku [SECURITY.md](/SECURITY.md).
+
+## Licencja
+
+- Pliki w katalogu `kernel` są na licencji [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Wszystkie inne części poza katalogiem `kernel` są na licencji [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Podziękowania
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): pomysłodawca KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): implementacja sepolicy.
+- [genuine](https://github.com/brevent/genuine/): walidacja podpisu apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): cenna znajomość rootkitów.

docs/README_PT-BR.md

@@ -0,0 +1,57 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | **Português (Brasil)** | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Uma solução root baseada em kernel para dispositivos Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localização-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Seguir-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/Licença-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Características
+
+1. `su` e gerenciamento de acesso root baseado em kernel.
+2. Sistema modular baseado em [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [Perfil do Aplicativo](https://kernelsu.org/pt_BR/guide/app-profile.html): Tranque o poder root em uma gaiola.
+
+## Estado de compatibilidade
+
+O KernelSU oferece suporte oficial a dispositivos Android GKI 2.0 (kernel 5.10+). Kernels mais antigos (4.14+) também são compatíveis, mas o kernel terá que ser construído manualmente.
+
+Com isso, WSA, ChromeOS e Android baseado em contêiner são todos suportados.
+
+Atualmente, apenas `arm64-v8a` e `x86_64` são suportados.
+
+## Uso
+
+ - [Instalação](https://kernelsu.org/pt_BR/guide/installation.html)
+ - [Como compilar o KernelSU?](https://kernelsu.org/pt_BR/guide/how-to-build.html)
+ - [Site oficial](https://kernelsu.org/pt_BR/)
+
+## Tradução
+
+Para contribuir com a tradução do KernelSU ou aprimorar traduções existentes, por favor, utilize o [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR para a tradução do Gerenciador não são mais aceitas, pois podem entrar em conflito com o Weblate.
+
+## Discussão
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Segurança
+
+Para obter informações sobre como relatar vulnerabilidades de segurança do KernelSU, consulte [SECURITY.md](/SECURITY.md).
+
+## Licença
+
+- Os arquivos no diretório `kernel` são [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas as outras partes, exceto o diretório `kernel` são [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): a ideia do KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): a poderosa ferramenta root.
+- [genuine](https://github.com/brevent/genuine/): validação de assinatura apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algumas habilidades de rootkit.

docs/README_RU.md

@@ -0,0 +1,49 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | **Русский** | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Решение на основе ядра root для Android-устройств.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Особенности
+
+1. Управление `su` и root-доступом на основе ядра.
+2. Система модулей на основе [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [Профиль приложений](https://kernelsu.org/ru_RU/guide/app-profile.html): Запри корневую силу в клетке.
+
+## Совместимость
+
+KernelSU официально поддерживает устройства на базе Android GKI 2.0 (с ядром 5.10+), старые ядра (4.14+) также совместимы, но для этого необходимо собрать ядро самостоятельно.
+
+WSA и Android на основе контейнеров также должны работать с интегрированным KernelSU.
+
+В настоящее время поддерживаются следующие ABI: `arm64-v8a` и `x86_64`.
+
+## Использование
+
+- [Установка](https://kernelsu.org/ru_RU/guide/installation.html)
+- [Как собрать?](https://kernelsu.org/ru_RU/guide/how-to-build.html)
+- [официальный сайт](https://kernelsu.org/ru_RU/)
+
+## Обсуждение
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Лицензия
+
+- Файлы в директории `kernel` [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Все остальные части, кроме директории `kernel` [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Благодарности
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): идея KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): реализация sepolicy.
+- [genuine](https://github.com/brevent/genuine/): проверка подписи apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): некоторые навыки руткита.

docs/README_TR.md

@@ -0,0 +1,57 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | **Türkçe** | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Android cihazlar için kernel tabanlı root çözümü.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Özellikler
+
+1. Kernel-tabanlı `su` ve root erişimi yönetimi.
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS)'ye dayalı modül sistemi.
+3. [Uygulama profili](https://kernelsu.org/guide/app-profile.html): Root gücünü bir kafese kapatın.
+
+## Uyumluluk Durumu
+
+KernelSU resmi olarak Android GKI 2.0 cihazlarını (5.10+ kernelli) destekler, eski kernellerle de (4.14+) uyumludur, ancak kerneli kendinizin derlemeniz gerekir.
+
+Bununla birlikte; WSA, ChromeOS ve konteyner tabanlı Android'in tamamı desteklenmektedir.
+
+Şimdilik sadece `arm64-v8a` ve `x86_64` desteklenmektedir.
+
+## Kullanım
+
+- [Yükleme yönergeleri](https://kernelsu.org/guide/installation.html)
+- [Nasıl derlenir?](https://kernelsu.org/guide/how-to-build.html)
+- [Resmi WEB sitesi](https://kernelsu.org/)
+
+## Çeviri
+
+KernelSU'nun başka dillere çevrilmesine veya mevcut çevirilerin iyileştirilmesine yardımcı olmak için lütfen [Weblate](https://hosted.weblate.org/engage/kernelsu/) kullanın. Yönetici uygulamasının PR ile çevirisi, Weblate ile çakışacağından artık kabul edilmeyecektir.
+
+## Tartışma
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Güvenlik
+
+KernelSU'daki güvenlik açıklarını bildirme hakkında bilgi için, bkz [SECURITY.md](/SECURITY.md).
+
+## Lisans
+
+- `kernel` klasöründeki dosyalar [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
+- `kernel` klasörü dışındaki bütün diğer bölümler [GPL-3-veya-sonraki](https://www.gnu.org/licenses/gpl-3.0.html) lisansı altındadır.
+
+## Krediler
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU fikri.
+- [Magisk](https://github.com/topjohnwu/Magisk): güçlü root aracı.
+- [genuine](https://github.com/brevent/genuine/): apk v2 imza doğrulaması.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): bazı rootkit becerileri.

docs/README_TW.md

@@ -0,0 +1,56 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | **繁體中文** | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+一個基於核心的 Android 裝置 Root 解決方案
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## 功能
+
+- 基於核心的 `su` 和 Root 存取權管理。
+- 基於 [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) 的模組系統。
+- [App Profile](https://kernelsu.org/zh_TW/guide/app-profile.html): 將 Root 的權限鎖在牢籠中.
+
+## 相容性狀態
+
+KernelSU 官方支援 Android GKI 2.0 的裝置 (核心版本 5.10+ )；舊版核心同樣相容 (最低 4.14+ )，但需要自行編譯核心。
+
+WSA和ChromeOS和執行在容器中的 Android 也可以與 KernelSU 一同運作。
+
+目前支援架構：`arm64-v8a` 和 `x86_64`。
+
+## 使用方法
+
+- [安裝教學](https://kernelsu.org/zh_TW/guide/installation.html)
+- [如何建置？](https://kernelsu.org/zh_TW/guide/how-to-build.html)
+- [官方網站](https://kernelsu.org/zh_TW/)
+
+## 翻譯
+
+若要協助翻譯 KernelSU 或改進現有翻譯，請使用 [Weblate](https://hosted.weblate.org/engage/kernelsu/)。 翻譯管理器的PR不再被接受，因為它會與Weblate衝突。
+
+### 討論
+
+- Telegram：[@KernelSU](https://t.me/KernelSU)
+
+## 安全
+有關報告 KernelSU 中的安全漏洞的資訊，請參閱 [SECURITY.md](/SECURITY.md)。
+
+## 授權
+
+- 目錄 `kernel` 下所有檔案為 [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
+- 除 `kernel` 目錄的其他部分均為 [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
+
+## 致謝
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的靈感。
+- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 實作。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 簽章驗證。
+- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。

docs/README_VI.md

@@ -0,0 +1,53 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | **Tiếng Việt** | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Giải pháp root thông qua thay đổi trên Kernel hệ điều hành cho các thiết bị Android.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Tính năng
+
+1. Hỗ trợ gói thực thi `su` và quản lý quyền root.
+2. Hệ thống mô-đun thông qua [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Hạn chế quyền root của ứng dụng.
+
+## Tình trạng tương thích
+
+KernelSU chính thức hỗ trợ các thiết bị Android với kernel GKI 2.0 (phiên bản kernel 5.10+), các phiên bản kernel cũ hơn (4.14+) cũng tương thích, nhưng bạn cần phải tự biên dịch.
+
+WSA, ChromeOS và Android dựa trên container(container-based) cũng được hỗ trợ bởi KernelSU.
+
+Hiên tại Giao diện nhị phân của ứng dụng (ABI) được hỗ trợ bao gồm `arm64-v8a` và `x86_64`.
+
+## Sử dụng
+
+- [Hướng dẫn cài đặt](https://kernelsu.org/vi_VN/guide/installation.html)
+- [Cách để build?](https://kernelsu.org/vi_VN/guide/how-to-build.html)
+- [Website Chính Thức](https://kernelsu.org/vi_VN/)
+
+## Hỗ trợ dịch
+
+Nếu bạn muốn hỗ trợ dịch KernelSU sang một ngôn ngữ khác hoặc cải thiện các bản dịch trước, vui lòng sử dụng [Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## Thảo luận
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Giấy phép
+
+- Tất cả các file trong thư mục `kernel` dùng giấy phép [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Tất cả các thành phần khác ngoại trừ thư mục `kernel` dùng giấy phép [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Lời cảm ơn
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): ý tưởng cho KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): công cụ root mạnh mẽ.
+- [genuine](https://github.com/brevent/genuine/): phương pháp xác thực apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): các phương pháp ẩn của rootkit.

js/README.md

@@ -0,0 +1,111 @@
+# Library for KernelSU's module WebUI
+
+## Install
+
+```sh
+yarn add kernelsu
+```
+
+## API
+
+### exec
+
+Spawns a **root** shell and runs a command within that shell, passing the `stdout` and `stderr` to a Promise when complete.
+
+- `command` `<string>` The command to run, with space-separated arguments.
+- `options` `<Object>`
+  - `cwd` - Current working directory of the child process
+  - `env` - Environment key-value pairs
+
+```javascript
+import { exec } from 'kernelsu';
+
+const { errno, stdout, stderr } = await exec('ls -l', { cwd: '/tmp' });
+if (errno === 0) {
+    // success
+    console.log(stdout);
+}
+```
+
+### spawn
+
+Spawns a new process using the given `command` in **root** shell, with command-line arguments in `args`. If omitted, `args` defaults to an empty array.
+
+Returns a `ChildProcess`, Instances of the ChildProcess represent spawned child processes.
+
+- `command` `<string>` The command to run.
+- `args` `<string[]>` List of string arguments.
+- `options` `<Object>`:
+  - `cwd` `<string>` - Current working directory of the child process
+  - `env` `<Object>` - Environment key-value pairs
+
+Example of running `ls -lh /data`, capturing `stdout`, `stderr`, and the exit code:
+
+```javascript
+import { spawn } from 'kernelsu';
+
+const ls = spawn('ls', ['-lh', '/data']);
+
+ls.stdout.on('data', (data) => {
+  console.log(`stdout: ${data}`);
+});
+
+ls.stderr.on('data', (data) => {
+  console.log(`stderr: ${data}`);
+});
+
+ls.on('exit', (code) => {
+  console.log(`child process exited with code ${code}`);
+});
+```
+
+#### ChildProcess
+
+##### Event 'exit'
+
+- `code` `<number>` The exit code if the child exited on its own.
+
+The `'exit'` event is emitted after the child process ends. If the process exited, `code` is the final exit code of the process, otherwise null
+
+##### Event 'error'
+
+- `err` `<Error>` The error.
+
+The `'error'` event is emitted whenever:
+
+- The process could not be spawned.
+- The process could not be killed.
+
+##### `stdout`
+
+A `Readable Stream` that represents the child process's `stdout`.
+
+```javascript
+const subprocess = spawn('ls');
+
+subprocess.stdout.on('data', (data) => {
+  console.log(`Received chunk ${data}`);
+});
+```
+
+#### `stderr`
+
+A `Readable Stream` that represents the child process's `stderr`.
+
+### fullScreen
+
+Request the WebView enter/exit full screen.
+
+```javascript
+import { fullScreen } from 'kernelsu';
+fullScreen(true);
+```
+
+### toast
+
+Show a toast message.
+
+```javascript
+import { toast } from 'kernelsu';
+toast('Hello, world!');
+```

js/index.d.ts

@@ -0,0 +1,45 @@
+interface ExecOptions {
+    cwd?: string,
+    env?: { [key: string]: string }
+}
+
+interface ExecResults {
+    errno: number,
+    stdout: string,
+    stderr: string
+}
+
+declare function exec(command: string): Promise<ExecResults>;
+declare function exec(command: string, options: ExecOptions): Promise<ExecResults>;
+
+interface SpawnOptions {
+    cwd?: string,
+    env?: { [key: string]: string }
+}
+
+interface Stdio {
+    on(event: 'data', callback: (data: string) => void)
+}
+
+interface ChildProcess {
+    stdout: Stdio,
+    stderr: Stdio,
+    on(event: 'exit', callback: (code: number) => void)
+    on(event: 'error', callback: (err: any) => void)
+}
+
+declare function spawn(command: string): ChildProcess;
+declare function spawn(command: string, args: string[]): ChildProcess;
+declare function spawn(command: string, options: SpawnOptions): ChildProcess;
+declare function spawn(command: string, args: string[], options: SpawnOptions): ChildProcess;
+
+declare function fullScreen(isFullScreen: boolean);
+
+declare function toast(message: string);
+
+export {
+    exec,
+    spawn,
+    fullScreen,
+    toast
+}

js/index.js

@@ -0,0 +1,115 @@
+let callbackCounter = 0;
+function getUniqueCallbackName(prefix) {
+  return `${prefix}_callback_${Date.now()}_${callbackCounter++}`;
+}
+
+export function exec(command, options) {
+  if (typeof options === "undefined") {
+    options = {};
+  }
+
+  return new Promise((resolve, reject) => {
+    // Generate a unique callback function name
+    const callbackFuncName = getUniqueCallbackName("exec");
+
+    // Define the success callback function
+    window[callbackFuncName] = (errno, stdout, stderr) => {
+      resolve({ errno, stdout, stderr });
+      cleanup(callbackFuncName);
+    };
+
+    function cleanup(successName) {
+      delete window[successName];
+    }
+
+    try {
+      ksu.exec(command, JSON.stringify(options), callbackFuncName);
+    } catch (error) {
+      reject(error);
+      cleanup(callbackFuncName);
+    }
+  });
+}
+
+function Stdio() {
+    this.listeners = {};
+  }
+  
+  Stdio.prototype.on = function (event, listener) {
+    if (!this.listeners[event]) {
+      this.listeners[event] = [];
+    }
+    this.listeners[event].push(listener);
+  };
+  
+  Stdio.prototype.emit = function (event, ...args) {
+    if (this.listeners[event]) {
+      this.listeners[event].forEach((listener) => listener(...args));
+    }
+  };
+  
+  function ChildProcess() {
+    this.listeners = {};
+    this.stdin = new Stdio();
+    this.stdout = new Stdio();
+    this.stderr = new Stdio();
+  }
+  
+  ChildProcess.prototype.on = function (event, listener) {
+    if (!this.listeners[event]) {
+      this.listeners[event] = [];
+    }
+    this.listeners[event].push(listener);
+  };
+  
+  ChildProcess.prototype.emit = function (event, ...args) {
+    if (this.listeners[event]) {
+      this.listeners[event].forEach((listener) => listener(...args));
+    }
+  };
+  
+  export function spawn(command, args, options) {
+    if (typeof args === "undefined") {
+      args = [];
+    } else if (!(args instanceof Array)) {
+        // allow for (command, options) signature
+        options = args;
+    }
+    
+    if (typeof options === "undefined") {
+      options = {};
+    }
+  
+    const child = new ChildProcess();
+    const childCallbackName = getUniqueCallbackName("spawn");
+    window[childCallbackName] = child;
+  
+    function cleanup(name) {
+      delete window[name];
+    }
+
+    child.on("exit", code => {
+        cleanup(childCallbackName);
+    });
+
+    try {
+      ksu.spawn(
+        command,
+        JSON.stringify(args),
+        JSON.stringify(options),
+        childCallbackName
+      );
+    } catch (error) {
+      child.emit("error", error);
+      cleanup(childCallbackName);
+    }
+    return child;
+  }
+
+export function fullScreen(isFullScreen) {
+  ksu.fullScreen(isFullScreen);
+}
+
+export function toast(message) {
+  ksu.toast(message);
+}

js/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "kernelsu",
+  "version": "1.0.6",
+  "description": "Library for KernelSU's module WebUI",
+  "main": "index.js",
+  "types": "index.d.ts",
+  "scripts": {
+    "test": "npm run test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tiann/KernelSU.git"
+  },
+  "keywords": [
+    "su",
+    "kernelsu",
+    "module",
+    "webui"
+  ],
+  "author": "weishu",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/tiann/KernelSU/issues"
+  },
+  "homepage": "https://github.com/tiann/KernelSU#readme"
+}

justfile

@@ -0,0 +1,14 @@
+alias bk := build_ksud
+alias bm := build_manager
+
+build_ksud:
+    cross build --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml
+
+build_manager: build_ksud
+    cp userspace/ksud/target/aarch64-linux-android/release/ksud manager/app/src/main/jniLibs/arm64-v8a/libksud.so
+    cd manager && ./gradlew aDebug
+
+clippy:
+    cargo fmt --manifest-path ./userspace/ksud/Cargo.toml
+    cross clippy --target x86_64-pc-windows-gnu --release --manifest-path ./userspace/ksud/Cargo.toml
+    cross clippy --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml

kernel/.clangd

@@ -1,4 +1,4 @@
 Diagnostics:
   UnusedIncludes: Strict
   ClangTidy:
-    Remove: bugprone-sizeof-expression
+    Remove: bugprone-sizeof-expression

kernel/Kconfig

@@ -1,14 +1,19 @@
+menu "KernelSU"
+
 config KSU
-	tristate "KernelSU module"
-	default y
-	depends on KPROBES
+	tristate "KernelSU function support"
 	depends on OVERLAY_FS
+	default y
 	help
-	This is the KSU privilege driver for android system.
+	  Enable kernel-level root privileges on Android System.
+	  To compile as a module, choose M here: the
+	  module will be called kernelsu.
 
 config KSU_DEBUG
-	tristate "KernelSU module debug mode"
-	default n
+	bool "KernelSU debug mode"
 	depends on KSU
+	default n
 	help
-	This enables debug mode for KSU
+	  Enable KernelSU debug mode.
+
+endmenu

kernel/Makefile

@@ -1,32 +1,69 @@
-obj-y += ksu.o
-obj-y += allowlist.o
-kernelsu-objs := apk_sign.o
-obj-y += kernelsu.o
-obj-y += module_api.o
-obj-y += sucompat.o
-obj-y += uid_observer.o
-obj-y += manager.o
-obj-y += core_hook.o
-obj-y += ksud.o
-obj-y += embed_ksud.o
-obj-y += kernel_compat.o
+kernelsu-objs := ksu.o
+kernelsu-objs += allowlist.o
+kernelsu-objs += apk_sign.o
+kernelsu-objs += sucompat.o
+kernelsu-objs += throne_tracker.o
+kernelsu-objs += core_hook.o
+kernelsu-objs += ksud.o
+kernelsu-objs += embed_ksud.o
+kernelsu-objs += kernel_compat.o
+
+kernelsu-objs += selinux/selinux.o
+kernelsu-objs += selinux/sepolicy.o
+kernelsu-objs += selinux/rules.o
+ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h
+
+obj-$(CONFIG_KSU) += kernelsu.o
 
-obj-y += selinux/
 # .git is a text file while the module is imported by 'git submodule add'.
 ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+$(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin [ -f ../.git/shallow ] && git fetch --unshallow)
 KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
-ccflags-y += -DKSU_GIT_VERSION=$(KSU_GIT_VERSION)
+# ksu_version: major * 10000 + git version + 200 for historical reasons
+$(eval KSU_VERSION=$(shell expr 10000 + $(KSU_GIT_VERSION) + 200))
+$(info -- KernelSU version: $(KSU_VERSION))
+ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
+else # If there is no .git file, the default version will be passed.
+$(warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!")
+ccflags-y += -DKSU_VERSION=16
 endif
 
-ifndef EXPECTED_SIZE
-EXPECTED_SIZE := 0x033b
+ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
 endif
 
-ifndef EXPECTED_HASH
-EXPECTED_HASH := 0xb0b91415
+ifeq ($(shell grep -q "struct selinux_state " $(srctree)/security/selinux/include/security.h; echo $$?),0)
+ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
+endif
+
+ifndef KSU_EXPECTED_SIZE
+KSU_EXPECTED_SIZE := 0x033b
+endif
+
+ifndef KSU_EXPECTED_HASH
+KSU_EXPECTED_HASH := c371061b19d8c7d7d6133c6a9bafe198fa944e50c1b31c9d8daa8d7f1fc2d2d6
+endif
+
+ifdef KSU_MANAGER_PACKAGE
+ccflags-y += -DKSU_MANAGER_PACKAGE=\"$(KSU_MANAGER_PACKAGE)\"
+$(info -- KernelSU Manager package name: $(KSU_MANAGER_PACKAGE))
+endif
+
+$(info -- KernelSU Manager signature size: $(KSU_EXPECTED_SIZE))
+$(info -- KernelSU Manager signature hash: $(KSU_EXPECTED_HASH))
+
+ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
+ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
+
+ifeq ($(shell grep -q "int path_umount" $(srctree)/fs/namespace.c; echo $$?),0)
+ccflags-y += -DKSU_UMOUNT
+else
+$(info -- Did you know you can backport path_umount to fs/namespace.c from 5.9?)
+$(info -- Read: https://kernelsu.org/guide/how-to-integrate-for-non-gki.html#how-to-backport-path-umount)
 endif
 
-ccflags-y += -DEXPECTED_SIZE=$(EXPECTED_SIZE)
-ccflags-y += -DEXPECTED_HASH=$(EXPECTED_HASH)
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
+
+# Keep a new line here!! Because someone may append config

kernel/allowlist.c

@@ -1,27 +1,92 @@
-#include "linux/delay.h"
-#include "linux/fs.h"
-#include "linux/kernel.h"
-#include "linux/list.h"
-#include "linux/printk.h"
-#include "linux/slab.h"
-#include "linux/version.h"
+#include <linux/compiler.h>
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+#include <linux/compiler_types.h>
+#endif
+
+#include "ksu.h"
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
 #include "kernel_compat.h"
+#include "allowlist.h"
+#include "manager.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
-#define FILE_FORMAT_VERSION 1 // u32
+#define FILE_FORMAT_VERSION 3 // u32
+
+#define KSU_APP_PROFILE_PRESERVE_UID 9999 // NOBODY_UID
+#define KSU_DEFAULT_SELINUX_DOMAIN "u:r:su:s0"
 
 static DEFINE_MUTEX(allowlist_mutex);
 
+// default profiles, these may be used frequently, so we cache it
+static struct root_profile default_root_profile;
+static struct non_root_profile default_non_root_profile;
+
+static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly __aligned(PAGE_SIZE);
+static int allow_list_pointer __read_mostly = 0;
+
+static void remove_uid_from_arr(uid_t uid)
+{
+	int *temp_arr;
+	int i, j;
+
+	if (allow_list_pointer == 0)
+		return;
+
+	temp_arr = kmalloc(sizeof(allow_list_arr), GFP_KERNEL);
+	if (temp_arr == NULL) {
+		pr_err("%s: unable to allocate memory\n", __func__);
+		return;
+	}
+
+	for (i = j = 0; i < allow_list_pointer; i++) {
+		if (allow_list_arr[i] == uid)
+			continue;
+		temp_arr[j++] = allow_list_arr[i];
+	}
+
+	allow_list_pointer = j;
+
+	for (; j < ARRAY_SIZE(allow_list_arr); j++)
+		temp_arr[j] = -1;
+
+	memcpy(&allow_list_arr, temp_arr, PAGE_SIZE);
+	kfree(temp_arr);
+}
+
+static void init_default_profiles()
+{
+	default_root_profile.uid = 0;
+	default_root_profile.gid = 0;
+	default_root_profile.groups_count = 1;
+	default_root_profile.groups[0] = 0;
+	memset(&default_root_profile.capabilities, 0xff,
+	       sizeof(default_root_profile.capabilities));
+	default_root_profile.namespaces = 0;
+	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+
+	// This means that we will umount modules by default!
+	default_non_root_profile.umount_modules = true;
+}
+
 struct perm_data {
 	struct list_head list;
-	uid_t uid;
-	bool allow;
+	struct app_profile profile;
 };
 
 static struct list_head allow_list;
 
+static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE);
+#define BITMAP_UID_MAX ((sizeof(allow_list_bitmap) * BITS_PER_BYTE) - 1)
+
 #define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"
 
 static struct work_struct ksu_save_work;
@@ -33,70 +98,243 @@ void ksu_show_allow_list(void)
 {
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
-	pr_info("ksu_show_allow_list");
+	pr_info("ksu_show_allow_list\n");
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("uid :%d, allow: %d\n", p->uid, p->allow);
+		pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
+			p->profile.allow_su);
 	}
 }
 
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
+#ifdef CONFIG_KSU_DEBUG
+static void ksu_grant_root_to_shell()
+{
+	struct app_profile profile = {
+		.allow_su = true,
+		.current_uid = 2000,
+	};
+	strcpy(profile.key, "com.android.shell");
+	strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+	ksu_set_app_profile(&profile, false);
+}
+#endif
+
+bool ksu_get_app_profile(struct app_profile *profile)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	bool found = false;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		bool uid_match = profile->current_uid == p->profile.current_uid;
+		if (uid_match) {
+			// found it, override it with ours
+			memcpy(profile, &p->profile, sizeof(*profile));
+			found = true;
+			goto exit;
+		}
+	}
+
+exit:
+	return found;
+}
+
+static inline bool forbid_system_uid(uid_t uid) {
+	#define SHELL_UID 2000
+	#define SYSTEM_UID 1000
+	return uid < SHELL_UID && uid != SYSTEM_UID;
+}
+
+static bool profile_valid(struct app_profile *profile)
+{
+	if (!profile) {
+		return false;
+	}
+
+	if (forbid_system_uid(profile->current_uid)) {
+		pr_err("uid lower than 2000 is unsupported: %d\n", profile->current_uid);
+		return false;
+	}
+
+	if (profile->version < KSU_APP_PROFILE_VER) {
+		pr_info("Unsupported profile version: %d\n", profile->version);
+		return false;
+	}
+
+	if (profile->allow_su) {
+		if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
+			return false;
+		}
+
+		if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+bool ksu_set_app_profile(struct app_profile *profile, bool persist)
 {
-	// find the node first!
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	bool result = false;
+
+	if (!profile_valid(profile)) {
+		pr_err("Failed to set app profile: invalid profile!\n");
+		return false;
+	}
+
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		if (uid == p->uid) {
-			p->allow = allow;
+		// both uid and package must match, otherwise it will break multiple package with different user id
+		if (profile->current_uid == p->profile.current_uid &&
+		    !strcmp(profile->key, p->profile.key)) {
+			// found it, just override it all!
+			memcpy(&p->profile, profile, sizeof(*profile));
 			result = true;
-			goto exit;
+			goto out;
 		}
 	}
 
 	// not found, alloc a new node!
 	p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
 	if (!p) {
-		pr_err("alloc allow node failed.\n");
+		pr_err("ksu_set_app_profile alloc failed\n");
 		return false;
 	}
-	p->uid = uid;
-	p->allow = allow;
-
-	pr_info("allow_uid: %d, allow: %d", uid, allow);
 
+	memcpy(&p->profile, profile, sizeof(*profile));
+	if (profile->allow_su) {
+		pr_info("set root profile, key: %s, uid: %d, gid: %d, context: %s\n",
+			profile->key, profile->current_uid,
+			profile->rp_config.profile.gid,
+			profile->rp_config.profile.selinux_domain);
+	} else {
+		pr_info("set app profile, key: %s, uid: %d, umount modules: %d\n",
+			profile->key, profile->current_uid,
+			profile->nrp_config.profile.umount_modules);
+	}
 	list_add_tail(&p->list, &allow_list);
+
+out:
+	if (profile->current_uid <= BITMAP_UID_MAX) {
+		if (profile->allow_su)
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |= 1 << (profile->current_uid % BITS_PER_BYTE);
+		else
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &= ~(1 << (profile->current_uid % BITS_PER_BYTE));
+	} else {
+		if (profile->allow_su) {
+			/*
+			 * 1024 apps with uid higher than BITMAP_UID_MAX
+			 * registered to request superuser?
+			 */
+			if (allow_list_pointer >= ARRAY_SIZE(allow_list_arr)) {
+				pr_err("too many apps registered\n");
+				WARN_ON(1);
+				return false;
+			}
+			allow_list_arr[allow_list_pointer++] = profile->current_uid;
+		} else {
+			remove_uid_from_arr(profile->current_uid);
+		}
+	}
 	result = true;
 
-exit:
+	// check if the default profiles is changed, cache it to a single struct to accelerate access.
+	if (unlikely(!strcmp(profile->key, "$"))) {
+		// set default non root profile
+		memcpy(&default_non_root_profile, &profile->nrp_config.profile,
+		       sizeof(default_non_root_profile));
+	}
+
+	if (unlikely(!strcmp(profile->key, "#"))) {
+		// set default root profile
+		memcpy(&default_root_profile, &profile->rp_config.profile,
+		       sizeof(default_root_profile));
+	}
+
 	if (persist)
 		persistent_allow_list();
 
 	return result;
 }
 
-bool ksu_is_allow_uid(uid_t uid)
+bool __ksu_is_allow_uid(uid_t uid)
 {
-	struct perm_data *p = NULL;
-	struct list_head *pos = NULL;
+	int i;
 
-	if (uid == 0) {
+	if (unlikely(uid == 0)) {
 		// already root, but only allow our domain.
 		return is_ksu_domain();
 	}
 
-	list_for_each (pos, &allow_list) {
-		p = list_entry(pos, struct perm_data, list);
-		// pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
-		if (uid == p->uid) {
-			return p->allow;
+	if (forbid_system_uid(uid)) {
+		// do not bother going through the list if it's system
+		return false;
+	}
+
+	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+		// manager is always allowed!
+		return true;
+	}
+
+	if (likely(uid <= BITMAP_UID_MAX)) {
+		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] & (1 << (uid % BITS_PER_BYTE)));
+	} else {
+		for (i = 0; i < allow_list_pointer; i++) {
+			if (allow_list_arr[i] == uid)
+				return true;
 		}
 	}
 
 	return false;
 }
 
+bool ksu_uid_should_umount(uid_t uid)
+{
+	struct app_profile profile = { .current_uid = uid };
+	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+		// we should not umount on manager!
+		return false;
+	}
+	bool found = ksu_get_app_profile(&profile);
+	if (!found) {
+		// no app profile found, it must be non root app
+		return default_non_root_profile.umount_modules;
+	}
+	if (profile.allow_su) {
+		// if found and it is granted to su, we shouldn't umount for it
+		return false;
+	} else {
+		// found an app profile
+		if (profile.nrp_config.use_default) {
+			return default_non_root_profile.umount_modules;
+		} else {
+			return profile.nrp_config.profile.umount_modules;
+		}
+	}
+}
+
+struct root_profile *ksu_get_root_profile(uid_t uid)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		if (uid == p->profile.current_uid && p->profile.allow_su) {
+			if (!p->profile.rp_config.use_default) {
+				return &p->profile.rp_config.profile;
+			}
+		}
+	}
+
+	// use default profile
+	return &default_root_profile;
+}
+
 bool ksu_get_allow_list(int *array, int *length, bool allow)
 {
 	struct perm_data *p = NULL;
@@ -105,8 +343,8 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
 		// pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
-		if (p->allow == allow) {
-			array[i++] = p->uid;
+		if (p->profile.allow_su == allow) {
+			array[i++] = p->profile.current_uid;
 		}
 	}
 	*length = i;
@@ -114,24 +352,24 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	return true;
 }
 
-void do_persistent_allow_list(struct work_struct *work)
+void do_save_allow_list(struct work_struct *work)
 {
 	u32 magic = FILE_MAGIC;
 	u32 version = FILE_FORMAT_VERSION;
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	loff_t off = 0;
-	KWORKER_INSTALL_KEYRING();
-	struct file *fp =
-		filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 
+	struct file *fp =
+		ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT | O_TRUNC, 0644);
 	if (IS_ERR(fp)) {
-		pr_err("save_allow_list creat file failed: %d\n", PTR_ERR(fp));
+		pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// store magic and version
-	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
+	    sizeof(magic)) {
 		pr_err("save_allow_list write magic failed.\n");
 		goto exit;
 	}
@@ -144,10 +382,12 @@ void do_persistent_allow_list(struct work_struct *work)
 
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("save allow list uid :%d, allow: %d\n", p->uid,
-			p->allow);
-		ksu_kernel_write_compat(fp, &p->uid, sizeof(p->uid), &off);
-		ksu_kernel_write_compat(fp, &p->allow, sizeof(p->allow), &off);
+		pr_info("save allow list, name: %s uid :%d, allow: %d\n",
+			p->profile.key, p->profile.current_uid,
+			p->profile.allow_su);
+
+		ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
+					&off);
 	}
 
 exit:
@@ -161,29 +401,22 @@ void do_load_allow_list(struct work_struct *work)
 	struct file *fp = NULL;
 	u32 magic;
 	u32 version;
-	KWORKER_INSTALL_KEYRING();
+
+#ifdef CONFIG_KSU_DEBUG
+	// always allow adb shell by default
+	ksu_grant_root_to_shell();
+#endif
 
 	// load allowlist now!
-	fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
-
+	fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
-#ifdef CONFIG_KSU_DEBUG
-		int errno = PTR_ERR(fp);
-		if (errno == -ENOENT) {
-			ksu_allow_uid(2000, true,
-				      true); // allow adb shell by default
-		} else {
-			pr_err("load_allow_list open file failed: %d\n",
-			       PTR_ERR(fp));
-		}
-#else
-		pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
-#endif
+		pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// verify magic
-	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
+		    sizeof(magic) ||
 	    magic != FILE_MAGIC) {
 		pr_err("allowlist file invalid: %d!\n", magic);
 		goto exit;
@@ -198,18 +431,19 @@ void do_load_allow_list(struct work_struct *work)
 	pr_info("allowlist version: %d\n", version);
 
 	while (true) {
-		u32 uid;
-		bool allow = false;
-		ret = ksu_kernel_read_compat(fp, &uid, sizeof(uid), &off);
+		struct app_profile profile;
+
+		ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
+					     &off);
+
 		if (ret <= 0) {
-			pr_info("load_allow_list read err: %d\n", ret);
+			pr_info("load_allow_list read err: %zd\n", ret);
 			break;
 		}
-		ret = ksu_kernel_read_compat(fp, &allow, sizeof(allow), &off);
 
-		pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
-
-		ksu_allow_uid(uid, allow, false);
+		pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
+			profile.key, profile.current_uid, profile.allow_su);
+		ksu_set_app_profile(&profile, false);
 	}
 
 exit:
@@ -217,7 +451,7 @@ exit:
 	filp_close(fp, 0);
 }
 
-void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
+void ksu_prune_allowlist(bool (*is_uid_valid)(uid_t, char *, void *), void *data)
 {
 	struct perm_data *np = NULL;
 	struct perm_data *n = NULL;
@@ -226,11 +460,19 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
 	// TODO: use RCU!
 	mutex_lock(&allowlist_mutex);
 	list_for_each_entry_safe (np, n, &allow_list, list) {
-		uid_t uid = np->uid;
-		if (!is_uid_exist(uid, data)) {
+		uid_t uid = np->profile.current_uid;
+		char *package = np->profile.key;
+		// we use this uid for special cases, don't prune it!
+		bool is_preserved_uid = uid == KSU_APP_PROFILE_PRESERVE_UID;
+		if (!is_preserved_uid && !is_uid_valid(uid, package, data)) {
 			modified = true;
-			pr_info("prune uid: %d\n", uid);
+			pr_info("prune uid: %d, package: %s\n", uid, package);
 			list_del(&np->list);
+			if (likely(uid <= BITMAP_UID_MAX)) {
+				allow_list_bitmap[uid / BITS_PER_BYTE] &= ~(1 << (uid % BITS_PER_BYTE));
+			}
+			remove_uid_from_arr(uid);
+			smp_mb();
 			kfree(np);
 		}
 	}
@@ -254,10 +496,20 @@ bool ksu_load_allow_list(void)
 
 void ksu_allowlist_init(void)
 {
+	int i;
+
+	BUILD_BUG_ON(sizeof(allow_list_bitmap) != PAGE_SIZE);
+	BUILD_BUG_ON(sizeof(allow_list_arr) != PAGE_SIZE);
+
+	for (i = 0; i < ARRAY_SIZE(allow_list_arr); i++)
+		allow_list_arr[i] = -1;
+
 	INIT_LIST_HEAD(&allow_list);
 
-	INIT_WORK(&ksu_save_work, do_persistent_allow_list);
+	INIT_WORK(&ksu_save_work, do_save_allow_list);
 	INIT_WORK(&ksu_load_work, do_load_allow_list);
+
+	init_default_profiles();
 }
 
 void ksu_allowlist_exit(void)
@@ -265,7 +517,7 @@ void ksu_allowlist_exit(void)
 	struct perm_data *np = NULL;
 	struct perm_data *n = NULL;
 
-	do_persistent_allow_list(NULL);
+	do_save_allow_list(NULL);
 
 	// free allowlist
 	mutex_lock(&allowlist_mutex);
@@ -274,4 +526,4 @@ void ksu_allowlist_exit(void)
 		kfree(np);
 	}
 	mutex_unlock(&allowlist_mutex);
-}
+}

kernel/allowlist.h

@@ -1,7 +1,8 @@
 #ifndef __KSU_H_ALLOWLIST
 #define __KSU_H_ALLOWLIST
 
-#include "linux/types.h"
+#include <linux/types.h>
+#include "ksu.h"
 
 void ksu_allowlist_init(void);
 
@@ -11,12 +12,16 @@ bool ksu_load_allow_list(void);
 
 void ksu_show_allow_list(void);
 
-bool ksu_is_allow_uid(uid_t uid);
-
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist);
+bool __ksu_is_allow_uid(uid_t uid);
+#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
 
 bool ksu_get_allow_list(int *array, int *length, bool allow);
 
-void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
+void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, char *, void *), void *data);
 
-#endif
+bool ksu_get_app_profile(struct app_profile *);
+bool ksu_set_app_profile(struct app_profile *, bool persist);
+
+bool ksu_uid_should_umount(uid_t uid);
+struct root_profile *ksu_get_root_profile(uid_t uid);
+#endif

kernel/apk_sign.c

@@ -1,12 +1,179 @@
-#include "linux/fs.h"
-#include "linux/moduleparam.h"
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/version.h>
+#ifdef CONFIG_KSU_DEBUG
+#include <linux/moduleparam.h>
+#endif
+#include <crypto/hash.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+#include <crypto/sha2.h>
+#else
+#include <crypto/sha.h>
+#endif
 
 #include "apk_sign.h"
 #include "klog.h" // IWYU pragma: keep
 #include "kernel_compat.h"
 
-static __always_inline int
-check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
+
+struct sdesc {
+	struct shash_desc shash;
+	char ctx[];
+};
+
+static struct sdesc *init_sdesc(struct crypto_shash *alg)
+{
+	struct sdesc *sdesc;
+	int size;
+
+	size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
+	sdesc = kmalloc(size, GFP_KERNEL);
+	if (!sdesc)
+		return ERR_PTR(-ENOMEM);
+	sdesc->shash.tfm = alg;
+	return sdesc;
+}
+
+static int calc_hash(struct crypto_shash *alg, const unsigned char *data,
+		     unsigned int datalen, unsigned char *digest)
+{
+	struct sdesc *sdesc;
+	int ret;
+
+	sdesc = init_sdesc(alg);
+	if (IS_ERR(sdesc)) {
+		pr_info("can't alloc sdesc\n");
+		return PTR_ERR(sdesc);
+	}
+
+	ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
+	kfree(sdesc);
+	return ret;
+}
+
+static int ksu_sha256(const unsigned char *data, unsigned int datalen,
+		      unsigned char *digest)
+{
+	struct crypto_shash *alg;
+	char *hash_alg_name = "sha256";
+	int ret;
+
+	alg = crypto_alloc_shash(hash_alg_name, 0, 0);
+	if (IS_ERR(alg)) {
+		pr_info("can't alloc alg %s\n", hash_alg_name);
+		return PTR_ERR(alg);
+	}
+	ret = calc_hash(alg, data, datalen, digest);
+	crypto_free_shash(alg);
+	return ret;
+}
+
+static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
+			unsigned expected_size, const char *expected_sha256)
+{
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer-sequence length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signed data length
+
+	*offset += 0x4 * 3;
+
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // digests-sequence length
+
+	*pos += *size4;
+	*offset += 0x4 + *size4;
+
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificates length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificate length
+	*offset += 0x4 * 2;
+
+	if (*size4 == expected_size) {
+		*offset += *size4;
+
+#define CERT_MAX_LENGTH 1024
+		char cert[CERT_MAX_LENGTH];
+		if (*size4 > CERT_MAX_LENGTH) {
+			pr_info("cert length overlimit\n");
+			return false;
+		}
+		ksu_kernel_read_compat(fp, cert, *size4, pos);
+		unsigned char digest[SHA256_DIGEST_SIZE];
+		if (IS_ERR(ksu_sha256(cert, *size4, digest))) {
+			pr_info("sha256 error\n");
+			return false;
+		}
+
+		char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+		hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+
+		bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+		pr_info("sha256: %s, expected: %s\n", hash_str,
+			expected_sha256);
+		if (strcmp(expected_sha256, hash_str) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+
+struct zip_entry_header {
+	uint32_t signature;
+	uint16_t version;
+	uint16_t flags;
+	uint16_t compression;
+	uint16_t mod_time;
+	uint16_t mod_date;
+	uint32_t crc32;
+	uint32_t compressed_size;
+	uint32_t uncompressed_size;
+	uint16_t file_name_length;
+	uint16_t extra_field_length;
+} __attribute__((packed));
+
+// This is a necessary but not sufficient condition, but it is enough for us
+static bool has_v1_signature_file(struct file *fp)
+{
+	struct zip_entry_header header;
+	const char MANIFEST[] = "META-INF/MANIFEST.MF";
+
+	loff_t pos = 0;
+
+	while (ksu_kernel_read_compat(fp, &header,
+				      sizeof(struct zip_entry_header), &pos) ==
+	       sizeof(struct zip_entry_header)) {
+		if (header.signature != 0x04034b50) {
+			// ZIP magic: 'PK'
+			return false;
+		}
+		// Read the entry file name
+		if (header.file_name_length == sizeof(MANIFEST) - 1) {
+			char fileName[sizeof(MANIFEST)];
+			ksu_kernel_read_compat(fp, fileName,
+					       header.file_name_length, &pos);
+			fileName[header.file_name_length] = '\0';
+
+			// Check if the entry matches META-INF/MANIFEST.MF
+			if (strncmp(MANIFEST, fileName, sizeof(MANIFEST) - 1) ==
+			    0) {
+				return true;
+			}
+		} else {
+			// Skip the entry file name
+			pos += header.file_name_length;
+		}
+
+		// Skip to the next entry
+		pos += header.extra_field_length + header.compressed_size;
+	}
+
+	return false;
+}
+
+static __always_inline bool check_v2_signature(char *path,
+					       unsigned expected_size,
+					       const char *expected_sha256)
 {
 	unsigned char buffer[0x11] = { 0 };
 	u32 size4;
@@ -14,18 +181,21 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 
 	loff_t pos;
 
-	int sign = -1;
+	bool v2_signing_valid = false;
+	int v2_signing_blocks = 0;
+	bool v3_signing_exist = false;
+	bool v3_1_signing_exist = false;
+
 	int i;
-	struct file *fp = filp_open(path, O_RDONLY, 0);
+	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
-		pr_err("open %s error.", path);
-		return PTR_ERR(fp);
+		pr_err("open %s error.\n", path);
+		return false;
 	}
 
 	// disable inotify for this file
 	fp->f_mode |= FMODE_NONOTIFY;
 
-	sign = 1;
 	// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
 	for (i = 0;; ++i) {
 		unsigned short n;
@@ -61,92 +231,76 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 		goto clean;
 	}
 
-	for (;;) {
+	int loop_count = 0;
+	while (loop_count++ < 10) {
 		uint32_t id;
 		uint32_t offset;
-		ksu_kernel_read_compat(fp, &size8, 0x8, &pos); // sequence length
+		ksu_kernel_read_compat(fp, &size8, 0x8,
+				       &pos); // sequence length
 		if (size8 == size_of_block) {
 			break;
 		}
 		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
 		offset = 4;
-		pr_info("id: 0x%08x\n", id);
-		if ((id ^ 0xdeadbeefu) == 0xafa439f5u ||
-		    (id ^ 0xdeadbeefu) == 0x2efed62f) {
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // signer-sequence length
-			ksu_kernel_read_compat(fp, &size4, 0x4, &pos); // signer length
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // signed data length
-			offset += 0x4 * 3;
-
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // digests-sequence length
-			pos += size4;
-			offset += 0x4 + size4;
-
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // certificates length
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // certificate length
-			offset += 0x4 * 2;
-#if 0
-			int hash = 1;
-			signed char c;
-			for (i = 0; i < size4; ++i) {
-				ksu_kernel_read_compat(fp, &c, 0x1, &pos);
-				hash = 31 * hash + c;
-			}
-			offset += size4;
-			pr_info("    size: 0x%04x, hash: 0x%08x\n", size4, ((unsigned) hash) ^ 0x14131211u);
-#else
-			if (size4 == expected_size) {
-				int hash = 1;
-				signed char c;
-				for (i = 0; i < size4; ++i) {
-					ksu_kernel_read_compat(fp, &c, 0x1, &pos);
-					hash = 31 * hash + c;
-				}
-				offset += size4;
-				if ((((unsigned)hash) ^ 0x14131211u) ==
-				    expected_hash) {
-					sign = 0;
-					break;
-				}
-			}
-			// don't try again.
-			break;
+		if (id == 0x7109871au) {
+			v2_signing_blocks++;
+			v2_signing_valid =
+				check_block(fp, &size4, &pos, &offset,
+					    expected_size, expected_sha256);
+		} else if (id == 0xf05368c0u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#73
+			v3_signing_exist = true;
+		} else if (id == 0x1b93ad61u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#74
+			v3_1_signing_exist = true;
+		} else {
+#ifdef CONFIG_KSU_DEBUG
+			pr_info("Unknown id: 0x%08x\n", id);
 #endif
 		}
 		pos += (size8 - offset);
 	}
 
+	if (v2_signing_blocks != 1) {
+#ifdef CONFIG_KSU_DEBUG
+		pr_err("Unexpected v2 signature count: %d\n",
+		       v2_signing_blocks);
+#endif
+		v2_signing_valid = false;
+	}
+
+	if (v2_signing_valid) {
+		int has_v1_signing = has_v1_signature_file(fp);
+		if (has_v1_signing) {
+			pr_err("Unexpected v1 signature scheme found!\n");
+			filp_close(fp, 0);
+			return false;
+		}
+	}
 clean:
 	filp_close(fp, 0);
 
-	return sign;
+	if (v3_signing_exist || v3_1_signing_exist) {
+#ifdef CONFIG_KSU_DEBUG
+		pr_err("Unexpected v3 signature scheme found!\n");
+#endif
+		return false;
+	}
+
+	return v2_signing_valid;
 }
 
 #ifdef CONFIG_KSU_DEBUG
 
-unsigned ksu_expected_size = EXPECTED_SIZE;
-unsigned ksu_expected_hash = EXPECTED_HASH;
+int ksu_debug_manager_uid = -1;
 
 #include "manager.h"
 
 static int set_expected_size(const char *val, const struct kernel_param *kp)
 {
 	int rv = param_set_uint(val, kp);
-	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_size set to %x", ksu_expected_size);
-	return rv;
-}
-
-static int set_expected_hash(const char *val, const struct kernel_param *kp)
-{
-	int rv = param_set_uint(val, kp);
-	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_hash set to %x", ksu_expected_hash);
+	ksu_set_manager_uid(ksu_debug_manager_uid);
+	pr_info("ksu_manager_uid set to %d\n", ksu_debug_manager_uid);
 	return rv;
 }
 
@@ -155,26 +309,12 @@ static struct kernel_param_ops expected_size_ops = {
 	.get = param_get_uint,
 };
 
-static struct kernel_param_ops expected_hash_ops = {
-	.set = set_expected_hash,
-	.get = param_get_uint,
-};
-
-module_param_cb(ksu_expected_size, &expected_size_ops, &ksu_expected_size,
-		S_IRUSR | S_IWUSR);
-module_param_cb(ksu_expected_hash, &expected_hash_ops, &ksu_expected_hash,
-		S_IRUSR | S_IWUSR);
-
-int is_manager_apk(char *path)
-{
-	return check_v2_signature(path, ksu_expected_size, ksu_expected_hash);
-}
-
-#else
-
-int is_manager_apk(char *path)
-{
-	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
-}
+module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
+		&ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
 
 #endif
+
+bool is_manager_apk(char *path)
+{
+	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
+}

kernel/apk_sign.h

@@ -1,7 +1,8 @@
 #ifndef __KSU_H_APK_V2_SIGN
 #define __KSU_H_APK_V2_SIGN
 
-// return 0 if signature match
-int is_manager_apk(char *path);
+#include <linux/types.h>
 
-#endif
+bool is_manager_apk(char *path);
+
+#endif

kernel/arch.h

@@ -1,14 +1,15 @@
 #ifndef __KSU_H_ARCH
 #define __KSU_H_ARCH
 
-#include "linux/version.h"
+#include <linux/version.h>
 
 #if defined(__aarch64__)
 
 #define __PT_PARM1_REG regs[0]
 #define __PT_PARM2_REG regs[1]
 #define __PT_PARM3_REG regs[2]
-#define __PT_PARM4_REG regs[3]
+#define __PT_SYSCALL_PARM4_REG regs[3]
+#define __PT_CCALL_PARM4_REG regs[3]
 #define __PT_PARM5_REG regs[4]
 #define __PT_PARM6_REG regs[5]
 #define __PT_RET_REG regs[30]
@@ -19,8 +20,16 @@
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define PRCTL_SYMBOL "__arm64_sys_prctl"
+#define SYS_READ_SYMBOL "__arm64_sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "__arm64_sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "__arm64_sys_faccessat"
+#define SYS_EXECVE_SYMBOL "__arm64_sys_execve"
 #else
 #define PRCTL_SYMBOL "sys_prctl"
+#define SYS_READ_SYMBOL "sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "sys_faccessat"
+#define SYS_EXECVE_SYMBOL "sys_execve"
 #endif
 
 #elif defined(__x86_64__)
@@ -29,8 +38,8 @@
 #define __PT_PARM2_REG si
 #define __PT_PARM3_REG dx
 /* syscall uses r10 for PARM4 */
-#define __PT_PARM4_REG r10
-// #define __PT_PARM4_REG cx
+#define __PT_SYSCALL_PARM4_REG r10
+#define __PT_CCALL_PARM4_REG cx
 #define __PT_PARM5_REG r8
 #define __PT_PARM6_REG r9
 #define __PT_RET_REG sp
@@ -40,8 +49,16 @@
 #define __PT_IP_REG ip
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define PRCTL_SYMBOL "__x64_sys_prctl"
+#define SYS_READ_SYMBOL "__x64_sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "__x64_sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "__x64_sys_faccessat"
+#define SYS_EXECVE_SYMBOL "__x64_sys_execve"
 #else
 #define PRCTL_SYMBOL "sys_prctl"
+#define SYS_READ_SYMBOL "sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "sys_faccessat"
+#define SYS_EXECVE_SYMBOL "sys_execve"
 #endif
 
 #else
@@ -56,7 +73,8 @@
 #define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
 #define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
 #define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
-#define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG)
+#define PT_REGS_SYSCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_SYSCALL_PARM4_REG)
+#define PT_REGS_CCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_CCALL_PARM4_REG)
 #define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
 #define PT_REGS_PARM6(x) (__PT_REGS_CAST(x)->__PT_PARM6_REG)
 #define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)
@@ -65,4 +83,10 @@
 #define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
 #define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
 
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+#define PT_REAL_REGS(regs) ((struct pt_regs *)PT_REGS_PARM1(regs))
+#else
+#define PT_REAL_REGS(regs) ((regs))
+#endif
+
 #endif

kernel/core_hook.c

@@ -1,20 +1,36 @@
-#include "linux/cred.h"
-#include "linux/dcache.h"
-#include "linux/err.h"
-#include "linux/init.h"
-#include "linux/kernel.h"
-#include "linux/kprobes.h"
-#include "linux/lsm_hooks.h"
-#include "linux/path.h"
-#include "linux/printk.h"
-#include "linux/uaccess.h"
-#include "linux/uidgid.h"
-#include "linux/version.h"
-#include "linux/mount.h"
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/dcache.h>
+#include <linux/err.h>
+#include <linux/init.h>
+#include <linux/init_task.h>
+#include <linux/kallsyms.h>
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/lsm_hooks.h>
+#include <linux/mm.h>
+#include <linux/nsproxy.h>
+#include <linux/path.h>
+#include <linux/printk.h>
+#include <linux/sched.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/uidgid.h>
+#include <linux/version.h>
+#include <linux/mount.h>
 
-#include "linux/fs.h"
-#include "linux/namei.h"
-#include "linux/rcupdate.h"
+#include <linux/fs.h>
+#include <linux/namei.h>
+
+#ifdef MODULE
+#include <linux/list.h>
+#include <linux/irqflags.h>
+#include <linux/mm_types.h>
+#include <linux/rcupdate.h>
+#include <linux/vmalloc.h>
+#endif
 
 #include "allowlist.h"
 #include "arch.h"
@@ -24,9 +40,12 @@
 #include "ksud.h"
 #include "manager.h"
 #include "selinux/selinux.h"
-#include "uid_observer.h"
+#include "throne_tracker.h"
+#include "throne_tracker.h"
 #include "kernel_compat.h"
 
+static bool ksu_module_mounted = false;
+
 extern int handle_sepolicy(unsigned long arg3, void __user *arg4);
 
 static inline bool is_allow_su()
@@ -38,38 +57,98 @@ static inline bool is_allow_su()
 	return ksu_is_allow_uid(current_uid().val);
 }
 
-static inline bool is_isolated_uid(uid_t uid)
+static inline bool is_unsupported_uid(uid_t uid)
 {
-#define FIRST_ISOLATED_UID 99000
-#define LAST_ISOLATED_UID 99999
-#define FIRST_APP_ZYGOTE_ISOLATED_UID 90000
-#define LAST_APP_ZYGOTE_ISOLATED_UID 98999
+#define LAST_APPLICATION_UID 19999
 	uid_t appid = uid % 100000;
-	return (appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID) ||
-	       (appid >= FIRST_APP_ZYGOTE_ISOLATED_UID &&
-		appid <= LAST_APP_ZYGOTE_ISOLATED_UID);
+	return appid > LAST_APPLICATION_UID;
 }
 
 static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
 
+static void setup_groups(struct root_profile *profile, struct cred *cred)
+{
+	if (profile->groups_count > KSU_MAX_GROUPS) {
+		pr_warn("Failed to setgroups, too large group: %d!\n",
+			profile->uid);
+		return;
+	}
+
+	if (profile->groups_count == 1 && profile->groups[0] == 0) {
+		// setgroup to root and return early.
+		if (cred->group_info)
+			put_group_info(cred->group_info);
+		cred->group_info = get_group_info(&root_groups);
+		return;
+	}
+
+	u32 ngroups = profile->groups_count;
+	struct group_info *group_info = groups_alloc(ngroups);
+	if (!group_info) {
+		pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+		return;
+	}
+
+	int i;
+	for (i = 0; i < ngroups; i++) {
+		gid_t gid = profile->groups[i];
+		kgid_t kgid = make_kgid(current_user_ns(), gid);
+		if (!gid_valid(kgid)) {
+			pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+			put_group_info(group_info);
+			return;
+		}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
+		group_info->gid[i] = kgid;
+#else
+		GROUP_AT(group_info, i) = kgid;
+#endif
+	}
+
+	groups_sort(group_info);
+	set_groups(cred, group_info);
+}
+
 void escape_to_root(void)
 {
 	struct cred *cred;
 
 	cred = (struct cred *)__task_cred(current);
 
-	memset(&cred->uid, 0, sizeof(cred->uid));
-	memset(&cred->gid, 0, sizeof(cred->gid));
-	memset(&cred->suid, 0, sizeof(cred->suid));
-	memset(&cred->euid, 0, sizeof(cred->euid));
-	memset(&cred->egid, 0, sizeof(cred->egid));
-	memset(&cred->fsuid, 0, sizeof(cred->fsuid));
-	memset(&cred->fsgid, 0, sizeof(cred->fsgid));
-	memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
-	memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
-	memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
-	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
-	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
+	if (cred->euid.val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
+
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
+
+	// setup capabilities
+	// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
+	// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
+	u64 cap_for_ksud =
+		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+	memcpy(&cred->cap_effective, &cap_for_ksud,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
+	       sizeof(cred->cap_inheritable));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
+	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
+	       sizeof(cred->cap_ambient));
 
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
@@ -85,12 +164,9 @@ void escape_to_root(void)
 #else
 #endif
 
-	// setgroup to root
-	if (cred->group_info)
-		put_group_info(cred->group_info);
-	cred->group_info = get_group_info(&root_groups);
+	setup_groups(profile, cred);
 
-	setup_selinux();
+	setup_selinux(profile->selinux_domain);
 }
 
 int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
@@ -124,10 +200,10 @@ int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
 	if (strcmp(buf, "/system/packages.list")) {
 		return 0;
 	}
-	pr_info("renameat: %s -> %s, new path: %s", old_dentry->d_iname,
+	pr_info("renameat: %s -> %s, new path: %s\n", old_dentry->d_iname,
 		new_dentry->d_iname, buf);
 
-	update_uid();
+	track_throne();
 
 	return 0;
 }
@@ -143,110 +219,58 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
-	// always ignore isolated app uid
-	if (is_isolated_uid(current_uid().val)) {
+	bool from_root = 0 == current_uid().val;
+	bool from_manager = is_manager();
+
+	if (!from_root && !from_manager) {
+		// only root or manager can access this interface
 		return 0;
 	}
 
-	static uid_t last_failed_uid = -1;
-	if (last_failed_uid == current_uid().val) {
-		return 0;
-	}
-
-	// pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+#ifdef CONFIG_KSU_DEBUG
+	pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+#endif
 
 	if (arg2 == CMD_BECOME_MANAGER) {
-		// quick check
-		if (is_manager()) {
+		if (from_manager) {
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("become_manager: prctl reply error\n");
 			}
 			return 0;
 		}
-		if (ksu_is_manager_uid_valid()) {
-			pr_info("manager already exist: %d\n",
-				ksu_get_manager_uid());
-			return 0;
-		}
-
-		// someone wants to be root manager, just check it!
-		// arg3 should be `/data/user/<userId>/<manager_package_name>`
-		char param[128];
-		if (copy_from_user(param, arg3, sizeof(param))) {
-			pr_err("become_manager: copy param err\n");
-			return 0;
-		}
-
-		// for user 0, it is /data/data
-		// for user 999, it is /data/user/999
-		const char *prefix;
-		char prefixTmp[64];
-		int userId = current_uid().val / 100000;
-		if (userId == 0) {
-			prefix = "/data/data";
-		} else {
-			snprintf(prefixTmp, sizeof(prefixTmp), "/data/user/%d", userId);
-			prefix = prefixTmp;
-		}
-
-		if (startswith(param, (char *)prefix) != 0) {
-			pr_info("become_manager: invalid param: %s\n", param);
-			return 0;
-		}
-
-		// stat the param, app must have permission to do this
-		// otherwise it may fake the path!
-		struct path path;
-		if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
-			pr_err("become_manager: kern_path err\n");
-			return 0;
-		}
-		if (path.dentry->d_inode->i_uid.val != current_uid().val) {
-			pr_err("become_manager: path uid != current uid\n");
-			path_put(&path);
-			return 0;
-		}
-		char *pkg = param + strlen(prefix);
-		pr_info("become_manager: param pkg: %s\n", pkg);
-
-		bool success = become_manager(pkg);
-		if (success) {
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("become_manager: prctl reply error\n");
-			}
-		}
-		path_put(&path);
 		return 0;
 	}
 
 	if (arg2 == CMD_GRANT_ROOT) {
 		if (is_allow_su()) {
-			pr_info("allow root for: %d\n", current_uid());
+			pr_info("allow root for: %d\n", current_uid().val);
 			escape_to_root();
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("grant_root: prctl reply error\n");
 			}
-		} else {
-			pr_info("deny root for: %d\n", current_uid());
-			// add it to deny list!
-			ksu_allow_uid(current_uid().val, false, true);
 		}
 		return 0;
 	}
 
 	// Both root manager and root processes should be allowed to get version
 	if (arg2 == CMD_GET_VERSION) {
-		if (is_manager() || 0 == current_uid().val) {
-			u32 version = KERNEL_SU_VERSION;
-			if (copy_to_user(arg3, &version, sizeof(version))) {
-				pr_err("prctl reply error, cmd: %d\n", arg2);
-			}
+		u32 version = KERNEL_SU_VERSION;
+		if (copy_to_user(arg3, &version, sizeof(version))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+#ifdef MODULE
+		u32 is_lkm = 0x1;
+#else
+		u32 is_lkm = 0x0;
+#endif
+		if (arg4 && copy_to_user(arg4, &is_lkm, sizeof(is_lkm))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
 		}
 		return 0;
 	}
 
 	if (arg2 == CMD_REPORT_EVENT) {
-		if (0 != current_uid().val) {
+		if (!from_root) {
 			return 0;
 		}
 		switch (arg3) {
@@ -254,7 +278,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			static bool post_fs_data_lock = false;
 			if (!post_fs_data_lock) {
 				post_fs_data_lock = true;
-				pr_info("post-fs-data triggered");
+				pr_info("post-fs-data triggered\n");
 				on_post_fs_data();
 			}
 			break;
@@ -263,10 +287,15 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			static bool boot_complete_lock = false;
 			if (!boot_complete_lock) {
 				boot_complete_lock = true;
-				pr_info("boot_complete triggered");
+				pr_info("boot_complete triggered\n");
 			}
 			break;
 		}
+		case EVENT_MODULE_MOUNTED: {
+			ksu_module_mounted = true;
+			pr_info("module mounted!\n");
+			break;
+		}
 		default:
 			break;
 		}
@@ -274,7 +303,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_SET_SEPOLICY) {
-		if (0 != current_uid().val) {
+		if (!from_root) {
 			return 0;
 		}
 		if (!handle_sepolicy(arg3, arg4)) {
@@ -287,9 +316,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_CHECK_SAFEMODE) {
-		if (!is_manager() && 0 != current_uid().val) {
-			return 0;
-		}
 		if (ksu_is_safe_mode()) {
 			pr_warn("safemode enabled!\n");
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
@@ -300,48 +326,86 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
-		if (is_manager() || 0 == current_uid().val) {
-			u32 array[128];
-			u32 array_length;
-			bool success =
-				ksu_get_allow_list(array, &array_length,
-						   arg2 == CMD_GET_ALLOW_LIST);
-			if (success) {
-				if (!copy_to_user(arg4, &array_length,
-						  sizeof(array_length)) &&
-				    !copy_to_user(arg3, array,
-						  sizeof(u32) * array_length)) {
-					if (copy_to_user(result, &reply_ok,
-							 sizeof(reply_ok))) {
-						pr_err("prctl reply error, cmd: %d\n",
-						       arg2);
-					}
-				} else {
-					pr_err("prctl copy allowlist error\n");
+		u32 array[128];
+		u32 array_length;
+		bool success = ksu_get_allow_list(array, &array_length,
+						  arg2 == CMD_GET_ALLOW_LIST);
+		if (success) {
+			if (!copy_to_user(arg4, &array_length,
+					  sizeof(array_length)) &&
+			    !copy_to_user(arg3, array,
+					  sizeof(u32) * array_length)) {
+				if (copy_to_user(result, &reply_ok,
+						 sizeof(reply_ok))) {
+					pr_err("prctl reply error, cmd: %lu\n",
+					       arg2);
 				}
+			} else {
+				pr_err("prctl copy allowlist error\n");
 			}
 		}
 		return 0;
 	}
 
+	if (arg2 == CMD_UID_GRANTED_ROOT || arg2 == CMD_UID_SHOULD_UMOUNT) {
+		uid_t target_uid = (uid_t)arg3;
+		bool allow = false;
+		if (arg2 == CMD_UID_GRANTED_ROOT) {
+			allow = ksu_is_allow_uid(target_uid);
+		} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
+			allow = ksu_uid_should_umount(target_uid);
+		} else {
+			pr_err("unknown cmd: %lu\n", arg2);
+		}
+		if (!copy_to_user(arg4, &allow, sizeof(allow))) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %lu\n", arg2);
+			}
+		} else {
+			pr_err("prctl copy err, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
+
 	// all other cmds are for 'root manager'
-	if (!is_manager()) {
-		last_failed_uid = current_uid().val;
+	if (!from_manager) {
 		return 0;
 	}
 
 	// we are already manager
-	if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
-		bool allow = arg2 == CMD_ALLOW_SU;
-		bool success = false;
-		uid_t uid = (uid_t)arg3;
-		success = ksu_allow_uid(uid, allow, true);
+	if (arg2 == CMD_GET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		bool success = ksu_get_app_profile(&profile);
 		if (success) {
+			if (copy_to_user(arg3, &profile, sizeof(profile))) {
+				pr_err("copy profile failed\n");
+				return 0;
+			}
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("prctl reply error, cmd: %d\n", arg2);
+				pr_err("prctl reply error, cmd: %lu\n", arg2);
+			}
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_SET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		// todo: validate the params
+		if (ksu_set_app_profile(&profile, true)) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %lu\n", arg2);
 			}
 		}
-		ksu_show_allow_list();
 		return 0;
 	}
 
@@ -364,6 +428,12 @@ static bool should_umount(struct path *path)
 		return false;
 	}
 
+	if (current->nsproxy->mnt_ns == init_nsproxy.mnt_ns) {
+		pr_info("ignore global mnt namespace process: %d\n",
+			current_uid().val);
+		return false;
+	}
+
 	if (path->mnt && path->mnt->mnt_sb && path->mnt->mnt_sb->s_type) {
 		const char *fstype = path->mnt->mnt_sb->s_type->name;
 		return strcmp(fstype, "overlay") == 0;
@@ -371,7 +441,17 @@ static bool should_umount(struct path *path)
 	return false;
 }
 
-static void try_umount(const char *mnt)
+static int ksu_umount_mnt(struct path *path, int flags)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0) || defined(KSU_UMOUNT)
+	return path_umount(path, flags);
+#else
+	// TODO: umount for non GKI kernel
+	return -ENOSYS;
+#endif
+}
+
+static void try_umount(const char *mnt, bool check_mnt, int flags)
 {
 	struct path path;
 	int err = kern_path(mnt, 0, &path);
@@ -379,21 +459,29 @@ static void try_umount(const char *mnt)
 		return;
 	}
 
-	// we are only interest in some specific mounts
-	if (!should_umount(&path)) {
+	if (path.dentry != path.mnt->mnt_root) {
+		// it is not root mountpoint, maybe umounted by others already.
 		return;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
-	err = path_umount(&path, 0);
-	if (err) {
-		pr_info("umount %s failed: %d\n", mnt, err);
+	// we are only interest in some specific mounts
+	if (check_mnt && !should_umount(&path)) {
+		return;
+	}
+
+	err = ksu_umount_mnt(&path, flags);
+	if (err) {
+		pr_warn("umount %s failed: %d\n", mnt, err);
 	}
-#endif
 }
 
 int ksu_handle_setuid(struct cred *new, const struct cred *old)
 {
+	// this hook is used for umounting overlayfs for some uid, if there isn't any module mounted, just ignore it!
+	if (!ksu_module_mounted) {
+		return 0;
+	}
+
 	if (!new || !old) {
 		return 0;
 	}
@@ -406,10 +494,8 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
 
-	// todo: check old process's selinux context, if it is not zygote, ignore it!
-
-	if (!is_appuid(new_uid)) {
-		// pr_info("handle setuid ignore non application uid: %d\n", new_uid.val);
+	if (!is_appuid(new_uid) || is_unsupported_uid(new_uid.val)) {
+		// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
 		return 0;
 	}
 
@@ -418,14 +504,39 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
 
+	if (!ksu_uid_should_umount(new_uid.val)) {
+		return 0;
+	} else {
+#ifdef CONFIG_KSU_DEBUG
+		pr_info("uid: %d should not umount!\n", current_uid().val);
+#endif
+	}
+
+	// check old process's selinux context, if it is not zygote, ignore it!
+	// because some su apps may setuid to untrusted_app but they are in global mount namespace
+	// when we umount for such process, that is a disaster!
+	bool is_zygote_child = is_zygote(old->security);
+	if (!is_zygote_child) {
+		pr_info("handle umount ignore non zygote child: %d\n",
+			current->pid);
+		return 0;
+	}
+#ifdef CONFIG_KSU_DEBUG
 	// umount the target mnt
-	pr_info("handle umount for uid: %d\n", new_uid.val);
+	pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val,
+		current->pid);
+#endif
 
 	// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
 	// filter the mountpoint whose target is `/data/adb`
-	try_umount("/system");
-	try_umount("/vendor");
-	try_umount("/product");
+	try_umount("/system", true, 0);
+	try_umount("/vendor", true, 0);
+	try_umount("/product", true, 0);
+	try_umount("/data/adb/modules", false, MNT_DETACH);
+
+	// try umount ksu temp path
+	try_umount("/debug_ramdisk", false, MNT_DETACH);
+	try_umount("/sbin", false, MNT_DETACH);
 
 	return 0;
 }
@@ -434,15 +545,18 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 
 static int handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
-	struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
-#else
-	struct pt_regs *real_regs = regs;
-#endif
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
 	int option = (int)PT_REGS_PARM1(real_regs);
 	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
 	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
-	unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+	// PRCTL_SYMBOL is the arch-specificed one, which receive raw pt_regs from syscall
+	unsigned long arg4 = (unsigned long)PT_REGS_SYSCALL_PARM4(real_regs);
+#else
+	// PRCTL_SYMBOL is the common one, called by C convention in do_syscall_64
+	// https://elixir.bootlin.com/linux/v4.15.18/source/arch/x86/entry/common.c#L287
+	unsigned long arg4 = (unsigned long)PT_REGS_CCALL_PARM4(real_regs);
+#endif
 	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
 
 	return ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
@@ -462,7 +576,7 @@ static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	struct dentry *new_entry = rd->new_dentry;
 #else
 	struct dentry *old_entry = (struct dentry *)PT_REGS_PARM2(regs);
-	struct dentry *new_entry = (struct dentry *)PT_REGS_PARM4(regs);
+	struct dentry *new_entry = (struct dentry *)PT_REGS_CCALL_PARM4(regs);
 #endif
 
 	return ksu_handle_rename(old_entry, new_entry);
@@ -503,7 +617,7 @@ static int ksu_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 	return -ENOSYS;
 }
 // kernel 4.4 and 4.9
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI)
 static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
 			      unsigned perm)
 {
@@ -515,7 +629,7 @@ static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
 		return 0;
 	}
 	init_session_keyring = cred->session_keyring;
-	pr_info("kernel_compat: got init_session_keyring");
+	pr_info("kernel_compat: got init_session_keyring\n");
 	return 0;
 }
 #endif
@@ -531,11 +645,12 @@ static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
 	return ksu_handle_setuid(new, old);
 }
 
+#ifndef MODULE
 static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI)
 	LSM_HOOK_INIT(key_permission, ksu_key_permission)
 #endif
 };
@@ -550,21 +665,184 @@ void __init ksu_lsm_hook_init(void)
 #endif
 }
 
+#else
+static int override_security_head(void *head, const void *new_head, size_t len)
+{
+	unsigned long base = (unsigned long)head & PAGE_MASK;
+	unsigned long offset = offset_in_page(head);
+
+	// this is impossible for our case because the page alignment
+	// but be careful for other cases!
+	BUG_ON(offset + len > PAGE_SIZE);
+	struct page *page = phys_to_page(__pa(base));
+	if (!page) {
+		return -EFAULT;
+	}
+
+	void *addr = vmap(&page, 1, VM_MAP, PAGE_KERNEL);
+	if (!addr) {
+		return -ENOMEM;
+	}
+	local_irq_disable();
+	memcpy(addr + offset, new_head, len);
+	local_irq_enable();
+	vunmap(addr);
+	return 0;
+}
+
+static void free_security_hook_list(struct hlist_head *head)
+{
+	struct hlist_node *temp;
+	struct security_hook_list *entry;
+
+	if (!head)
+		return;
+
+	hlist_for_each_entry_safe (entry, temp, head, list) {
+		hlist_del(&entry->list);
+		kfree(entry);
+	}
+
+	kfree(head);
+}
+
+struct hlist_head *copy_security_hlist(struct hlist_head *orig)
+{
+	struct hlist_head *new_head = kmalloc(sizeof(*new_head), GFP_KERNEL);
+	if (!new_head)
+		return NULL;
+
+	INIT_HLIST_HEAD(new_head);
+
+	struct security_hook_list *entry;
+	struct security_hook_list *new_entry;
+
+	hlist_for_each_entry (entry, orig, list) {
+		new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
+		if (!new_entry) {
+			free_security_hook_list(new_head);
+			return NULL;
+		}
+
+		*new_entry = *entry;
+
+		hlist_add_tail_rcu(&new_entry->list, new_head);
+	}
+
+	return new_head;
+}
+
+#define LSM_SEARCH_MAX 180 // This should be enough to iterate
+static void *find_head_addr(void *security_ptr, int *index)
+{
+	if (!security_ptr) {
+		return NULL;
+	}
+	struct hlist_head *head_start =
+		(struct hlist_head *)&security_hook_heads;
+
+	for (int i = 0; i < LSM_SEARCH_MAX; i++) {
+		struct hlist_head *head = head_start + i;
+		struct security_hook_list *pos;
+		hlist_for_each_entry (pos, head, list) {
+			if (pos->hook.capget == security_ptr) {
+				if (index) {
+					*index = i;
+				}
+				return head;
+			}
+		}
+	}
+
+	return NULL;
+}
+
+#define GET_SYMBOL_ADDR(sym)                                                   \
+	({                                                                     \
+		void *addr = kallsyms_lookup_name(#sym ".cfi_jt");             \
+		if (!addr) {                                                   \
+			addr = kallsyms_lookup_name(#sym);                     \
+		}                                                              \
+		addr;                                                          \
+	})
+
+#define KSU_LSM_HOOK_HACK_INIT(head_ptr, name, func)                           \
+	do {                                                                   \
+		static struct security_hook_list hook = {                      \
+			.hook = { .name = func }                               \
+		};                                                             \
+		hook.head = head_ptr;                                          \
+		hook.lsm = "ksu";                                              \
+		struct hlist_head *new_head = copy_security_hlist(hook.head);  \
+		if (!new_head) {                                               \
+			pr_err("Failed to copy security list: %s\n", #name);   \
+			break;                                                 \
+		}                                                              \
+		hlist_add_tail_rcu(&hook.list, new_head);                      \
+		if (override_security_head(hook.head, new_head,                \
+					   sizeof(*new_head))) {               \
+			free_security_hook_list(new_head);                     \
+			pr_err("Failed to hack lsm for: %s\n", #name);         \
+		}                                                              \
+	} while (0)
+
+void __init ksu_lsm_hook_init(void)
+{
+	void *cap_prctl = GET_SYMBOL_ADDR(cap_task_prctl);
+	void *prctl_head = find_head_addr(cap_prctl, NULL);
+	if (prctl_head) {
+		if (prctl_head != &security_hook_heads.task_prctl) {
+			pr_warn("prctl's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(prctl_head, task_prctl, ksu_task_prctl);
+	} else {
+		pr_warn("Failed to find task_prctl!\n");
+	}
+
+	int inode_killpriv_index = -1;
+	void *cap_killpriv = GET_SYMBOL_ADDR(cap_inode_killpriv);
+	find_head_addr(cap_killpriv, &inode_killpriv_index);
+	if (inode_killpriv_index < 0) {
+		pr_warn("Failed to find inode_rename, use kprobe instead!\n");
+		register_kprobe(&renameat_kp);
+	} else {
+		int inode_rename_index = inode_killpriv_index +
+					 &security_hook_heads.inode_rename -
+					 &security_hook_heads.inode_killpriv;
+		struct hlist_head *head_start =
+			(struct hlist_head *)&security_hook_heads;
+		void *inode_rename_head = head_start + inode_rename_index;
+		if (inode_rename_head != &security_hook_heads.inode_rename) {
+			pr_warn("inode_rename's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(inode_rename_head, inode_rename,
+				       ksu_inode_rename);
+	}
+	void *cap_setuid = GET_SYMBOL_ADDR(cap_task_fix_setuid);
+	void *setuid_head = find_head_addr(cap_setuid, NULL);
+	if (setuid_head) {
+		if (setuid_head != &security_hook_heads.task_fix_setuid) {
+			pr_warn("setuid's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(setuid_head, task_fix_setuid,
+				       ksu_task_fix_setuid);
+	} else {
+		pr_warn("Failed to find task_fix_setuid!\n");
+	}
+	smp_mb();
+}
+#endif
+
 void __init ksu_core_init(void)
 {
-#ifndef MODULE
-	pr_info("ksu_lsm_hook_init\n");
 	ksu_lsm_hook_init();
-#else
-	pr_info("ksu_kprobe_init\n");
-	ksu_kprobe_init();
-#endif
 }
 
 void ksu_core_exit(void)
 {
-#ifndef MODULE
-	pr_info("ksu_kprobe_exit\n");
-	ksu_kprobe_exit();
+#ifdef CONFIG_KPROBES
+	pr_info("ksu_core_kprobe_exit\n");
+	// we dont use this now
+	// ksu_kprobe_exit();
 #endif
 }

kernel/core_hook.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_KSU_CORE
 #define __KSU_H_KSU_CORE
 
-#include "linux/init.h"
+#include <linux/init.h>
 
 void __init ksu_core_init(void);
 void ksu_core_exit(void);

kernel/embed_ksud.c

@@ -2,4 +2,4 @@
 // This file will be regenerated by CI
 
 unsigned int ksud_size = 0;
-const char ksud[0] = {};
+const char ksud[0] = {};

kernel/export_symbol.txt

@@ -1,2 +1,2 @@
 register_kprobe
-unregister_kprobe
+unregister_kprobe

kernel/include/ksu_hook.h

@@ -1,8 +1,8 @@
 #ifndef __KSU_H_KSHOOK
 #define __KSU_H_KSHOOK
 
-#include "linux/fs.h"
-#include "linux/types.h"
+#include <linux/fs.h>
+#include <linux/types.h>
 
 // For sucompat
 

kernel/kernel_compat.c

@@ -1,34 +1,176 @@
-#include "linux/version.h"
-#include "linux/fs.h"
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-#include "linux/key.h"
-#include "linux/errno.h"
-struct key *init_session_keyring = NULL;
-#endif
-ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos){
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
-    return kernel_read(p, buf, count, pos);
+#include <linux/version.h>
+#include <linux/fs.h>
+#include <linux/nsproxy.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include <linux/sched/task.h>
 #else
-    loff_t offset = pos ? *pos : 0;
-    ssize_t result = kernel_read(p, offset, (char *)buf, count);
-    if (pos && result > 0)
-    {
-        *pos = offset + result;
-    }
-    return result;
+#include <linux/sched.h>
+#endif
+#include <linux/uaccess.h>
+#include "klog.h" // IWYU pragma: keep
+#include "kernel_compat.h" // Add check Huawei Device
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI)
+#include <linux/key.h>
+#include <linux/errno.h>
+#include <linux/cred.h>
+struct key *init_session_keyring = NULL;
+
+static inline int install_session_keyring(struct key *keyring)
+{
+	struct cred *new;
+	int ret;
+
+	new = prepare_creds();
+	if (!new)
+		return -ENOMEM;
+
+	ret = install_session_keyring_to_cred(new, keyring);
+	if (ret < 0) {
+		abort_creds(new);
+		return ret;
+	}
+
+	return commit_creds(new);
+}
+#endif
+
+extern struct task_struct init_task;
+
+// mnt_ns context switch for environment that android_init->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns, such as WSA
+struct ksu_ns_fs_saved {
+	struct nsproxy *ns;
+	struct fs_struct *fs;
+};
+
+static void ksu_save_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	ns_fs_saved->ns = current->nsproxy;
+	ns_fs_saved->fs = current->fs;
+}
+
+static void ksu_load_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	current->nsproxy = ns_fs_saved->ns;
+	current->fs = ns_fs_saved->fs;
+}
+
+static bool android_context_saved_checked = false;
+static bool android_context_saved_enabled = false;
+static struct ksu_ns_fs_saved android_context_saved;
+
+void ksu_android_ns_fs_check()
+{
+	if (android_context_saved_checked)
+		return;
+	android_context_saved_checked = true;
+	task_lock(current);
+	if (current->nsproxy && current->fs &&
+	    current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns) {
+		android_context_saved_enabled = true;
+		pr_info("android context saved enabled due to init mnt_ns(%p) != android mnt_ns(%p)\n",
+			current->nsproxy->mnt_ns, init_task.nsproxy->mnt_ns);
+		ksu_save_ns_fs(&android_context_saved);
+	} else {
+		pr_info("android context saved disabled\n");
+	}
+	task_unlock(current);
+}
+
+struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
+{
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI)
+	if (init_session_keyring != NULL && !current_cred()->session_keyring &&
+	    (current->flags & PF_WQ_WORKER)) {
+		pr_info("installing init session keyring for older kernel\n");
+		install_session_keyring(init_session_keyring);
+	}
+#endif
+	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
+	struct ksu_ns_fs_saved saved;
+	if (android_context_saved_enabled) {
+		pr_info("start switch current nsproxy and fs to android context\n");
+		task_lock(current);
+		ksu_save_ns_fs(&saved);
+		ksu_load_ns_fs(&android_context_saved);
+		task_unlock(current);
+	}
+	struct file *fp = filp_open(filename, flags, mode);
+	if (android_context_saved_enabled) {
+		task_lock(current);
+		ksu_load_ns_fs(&saved);
+		task_unlock(current);
+		pr_info("switch current nsproxy and fs back to saved successfully\n");
+	}
+	return fp;
+}
+
+ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+			       loff_t *pos)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+	return kernel_read(p, buf, count, pos);
+#else
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_read(p, offset, (char *)buf, count);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
 #endif
 }
 
-ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos){
+ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
+				loff_t *pos)
+{
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
-    return kernel_write(p, buf, count, pos);
+	return kernel_write(p, buf, count, pos);
 #else
-    loff_t offset = pos ? *pos : 0;
-    ssize_t result = kernel_write(p, buf, count, offset);
-    if (pos && result > 0)
-    {
-        *pos = offset + result;
-    }
-    return result;
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_write(p, buf, count, offset);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_user_nofault(dst, unsafe_addr, count);
+}
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_unsafe_user(dst, unsafe_addr, count);
+}
+#else
+// Copied from: https://elixir.bootlin.com/linux/v4.9.337/source/mm/maccess.c#L201
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	mm_segment_t old_fs = get_fs();
+	long ret;
+
+	if (unlikely(count <= 0))
+		return 0;
+
+	set_fs(USER_DS);
+	pagefault_disable();
+	ret = strncpy_from_user(dst, unsafe_addr, count);
+	pagefault_enable();
+	set_fs(old_fs);
+
+	if (ret >= count) {
+		ret = count;
+		dst[ret - 1] = '\0';
+	} else if (ret > 0) {
+		ret++;
+	}
+
+	return ret;
+}
 #endif
-}

kernel/kernel_compat.h

@@ -1,42 +1,39 @@
 #ifndef __KSU_H_KERNEL_COMPAT
 #define __KSU_H_KERNEL_COMPAT
 
-#include "linux/fs.h"
+#include <linux/fs.h>
+#include <linux/version.h>
+#include "ss/policydb.h"
 #include "linux/key.h"
-#include "linux/version.h"
 
-extern struct key *init_session_keyring;
-
-extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos);
-extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos);
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-static inline int install_session_keyring(struct key *keyring)
-{
-	struct cred *new;
-	int ret;
-
-	new = prepare_creds();
-	if (!new)
-		return -ENOMEM;
-
-	ret = install_session_keyring_to_cred(new, keyring);
-	if (ret < 0) {
-		abort_creds(new);
-		return ret;
-	}
-
-	return commit_creds(new);
-}
-#define KWORKER_INSTALL_KEYRING()                           \
-	static bool keyring_installed = false;                  \
-	if (init_session_keyring != NULL && !keyring_installed) \
-	{                                                       \
-		install_session_keyring(init_session_keyring);      \
-		keyring_installed = true;                           \
-	}
-#else
-#define KWORKER_INSTALL_KEYRING()
+/*
+ * Adapt to Huawei HISI kernel without affecting other kernels ,
+ * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
+ * From ss/ebitmap.h
+ */
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)) &&                           \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) ||               \
+	(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)) &&                      \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
+#ifdef HISI_SELINUX_EBITMAP_RO
+#define CONFIG_IS_HW_HISI
+#endif
 #endif
 
-#endif
+extern long ksu_strncpy_from_user_nofault(char *dst,
+					  const void __user *unsafe_addr,
+					  long count);
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_IS_HW_HISI)
+extern struct key *init_session_keyring;
+#endif
+
+extern void ksu_android_ns_fs_check();
+extern struct file *ksu_filp_open_compat(const char *filename, int flags,
+					 umode_t mode);
+extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+				      loff_t *pos);
+extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
+				       size_t count, loff_t *pos);
+
+#endif

kernel/klog.h

@@ -8,4 +8,4 @@
 #define pr_fmt(fmt) "KernelSU: " fmt
 #endif
 
-#endif
+#endif

kernel/ksu.c

@@ -1,13 +1,15 @@
-#include "linux/fs.h"
-#include "linux/module.h"
-#include "linux/workqueue.h"
+#include <linux/export.h>
+#include <linux/fs.h>
+#include <linux/kobject.h>
+#include <linux/module.h>
+#include <linux/workqueue.h>
 
 #include "allowlist.h"
 #include "arch.h"
 #include "core_hook.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksu.h"
-#include "uid_observer.h"
+#include "throne_tracker.h"
 
 static struct workqueue_struct *ksu_workqueue;
 
@@ -30,8 +32,10 @@ int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
 					    flags);
 }
 
-extern void ksu_enable_sucompat();
-extern void ksu_enable_ksud();
+extern void ksu_sucompat_init();
+extern void ksu_sucompat_exit();
+extern void ksu_ksud_init();
+extern void ksu_ksud_exit();
 
 int __init kernelsu_init(void)
 {
@@ -39,7 +43,7 @@ int __init kernelsu_init(void)
 	pr_alert("*************************************************************");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("**                                                         **");
-	pr_alert("**         You are running DEBUG version of KernelSU       **");
+	pr_alert("**         You are running KernelSU in DEBUG mode          **");
 	pr_alert("**                                                         **");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("*************************************************************");
@@ -47,19 +51,24 @@ int __init kernelsu_init(void)
 
 	ksu_core_init();
 
-	ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);
+	ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0);
 
 	ksu_allowlist_init();
 
-	ksu_uid_observer_init();
+	ksu_throne_tracker_init();
 
 #ifdef CONFIG_KPROBES
-	ksu_enable_sucompat();
-	ksu_enable_ksud();
+	ksu_sucompat_init();
+	ksu_ksud_init();
 #else
-#warning("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html")
+	pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
 #endif
 
+#ifdef MODULE
+#ifndef CONFIG_KSU_DEBUG
+	kobject_del(&THIS_MODULE->mkobj.kobj);
+#endif
+#endif
 	return 0;
 }
 
@@ -67,10 +76,15 @@ void kernelsu_exit(void)
 {
 	ksu_allowlist_exit();
 
-	ksu_uid_observer_exit();
+	ksu_throne_tracker_exit();
 
 	destroy_workqueue(ksu_workqueue);
 
+#ifdef CONFIG_KPROBES
+	ksu_ksud_exit();
+	ksu_sucompat_exit();
+#endif
+
 	ksu_core_exit();
 }
 

kernel/ksu.h

@@ -1,15 +1,10 @@
 #ifndef __KSU_H_KSU
 #define __KSU_H_KSU
 
-#include "linux/workqueue.h"
-
-#ifndef KSU_GIT_VERSION
-#warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!"
-#define KERNEL_SU_VERSION (16)
-#else
-#define KERNEL_SU_VERSION (10000 + KSU_GIT_VERSION + 200) // major * 10000 + git version + 200 for historical reasons
-#endif
+#include <linux/types.h>
+#include <linux/workqueue.h>
 
+#define KERNEL_SU_VERSION KSU_VERSION
 #define KERNEL_SU_OPTION 0xDEADBEEF
 
 #define CMD_GRANT_ROOT 0
@@ -22,9 +17,68 @@
 #define CMD_REPORT_EVENT 7
 #define CMD_SET_SEPOLICY 8
 #define CMD_CHECK_SAFEMODE 9
+#define CMD_GET_APP_PROFILE 10
+#define CMD_SET_APP_PROFILE 11
+#define CMD_UID_GRANTED_ROOT 12
+#define CMD_UID_SHOULD_UMOUNT 13
 
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2
+#define EVENT_MODULE_MOUNTED 3
+
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+struct root_profile {
+	int32_t uid;
+	int32_t gid;
+
+	int32_t groups_count;
+	int32_t groups[KSU_MAX_GROUPS];
+
+	// kernel_cap_t is u32[2] for capabilities v3
+	struct {
+		u64 effective;
+		u64 permitted;
+		u64 inheritable;
+	} capabilities;
+
+	char selinux_domain[KSU_SELINUX_DOMAIN];
+
+	int32_t namespaces;
+};
+
+struct non_root_profile {
+	bool umount_modules;
+};
+
+struct app_profile {
+	// It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+	u32 version;
+
+	// this is usually the package of the app, but can be other value for special apps
+	char key[KSU_MAX_PACKAGE_NAME];
+	int32_t current_uid;
+	bool allow_su;
+
+	union {
+		struct {
+			bool use_default;
+			char template_name[KSU_MAX_PACKAGE_NAME];
+
+			struct root_profile profile;
+		} rp_config;
+
+		struct {
+			bool use_default;
+
+			struct non_root_profile profile;
+		} nrp_config;
+	};
+};
 
 bool ksu_queue_work(struct work_struct *work);
 

kernel/ksud.c

@@ -1,22 +1,30 @@
-#include "asm/current.h"
-#include "linux/string.h"
-#include "linux/cred.h"
-#include "linux/dcache.h"
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/input-event-codes.h"
-#include "linux/kprobes.h"
-#include "linux/printk.h"
-#include "linux/types.h"
-#include "linux/uaccess.h"
-#include "linux/version.h"
-#include "linux/workqueue.h"
-#include "linux/input.h"
+#include <asm/current.h>
+#include <linux/compat.h>
+#include <linux/cred.h>
+#include <linux/dcache.h>
+#include <linux/err.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/version.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+#include <linux/input-event-codes.h>
+#else
+#include <uapi/linux/input.h>
+#endif
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 1, 0)
+#include <linux/aio.h>
+#endif
+#include <linux/kprobes.h>
+#include <linux/printk.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/workqueue.h>
 
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
+#include "kernel_compat.h"
 #include "selinux/selinux.h"
 
 static const char KERNEL_SU_RC[] =
@@ -51,23 +59,28 @@ static struct work_struct stop_vfs_read_work;
 static struct work_struct stop_execve_hook_work;
 static struct work_struct stop_input_hook_work;
 #else
-static bool vfs_read_hook = true;
-static bool execveat_hook = true;
-static bool input_hook = true;
+bool ksu_vfs_read_hook __read_mostly = true;
+bool ksu_execveat_hook __read_mostly = true;
+bool ksu_input_hook __read_mostly = true;
 #endif
 
+u32 ksu_devpts_sid;
+
 void on_post_fs_data(void)
 {
 	static bool done = false;
 	if (done) {
-		pr_info("on_post_fs_data already done");
+		pr_info("on_post_fs_data already done\n");
 		return;
 	}
 	done = true;
-	pr_info("on_post_fs_data!");
+	pr_info("on_post_fs_data!\n");
 	ksu_load_allow_list();
 	// sanity check, this may influence the performance
 	stop_input_hook();
+
+	ksu_devpts_sid = ksu_get_devpts_sid();
+	pr_info("devpts sid: %d\n", ksu_devpts_sid);
 }
 
 #define MAX_ARG_STRINGS 0x7FFFFFFF
@@ -107,7 +120,13 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
 /*
  * count() counts the number of strings in array ARGV.
  */
-static int count(struct user_arg_ptr argv, int max)
+
+/*
+ * Make sure old GCC compiler can use __maybe_unused,
+ * Test passed in 4.4.x ~ 4.9.x when use GCC.
+ */
+
+static int __maybe_unused count(struct user_arg_ptr argv, int max)
 {
 	int i = 0;
 
@@ -133,11 +152,13 @@ static int count(struct user_arg_ptr argv, int max)
 	return i;
 }
 
+// IMPORTANT NOTE: the call from execve_handler_pre WON'T provided correct value for envp and flags in GKI version
 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
-			     void *argv, void *envp, int *flags)
+			     struct user_arg_ptr *argv,
+			     struct user_arg_ptr *envp, int *flags)
 {
 #ifndef CONFIG_KPROBES
-	if (!execveat_hook) {
+	if (!ksu_execveat_hook) {
 		return 0;
 	}
 #endif
@@ -145,7 +166,11 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 
 	static const char app_process[] = "/system/bin/app_process";
 	static bool first_app_process = true;
+
+	/* This applies to versions Android 10+ */
 	static const char system_bin_init[] = "/system/bin/init";
+	/* This applies to versions between Android 6 ~ 9  */
+	static const char old_system_init[] = "/init";
 	static bool init_second_stage_executed = false;
 
 	if (!filename_ptr)
@@ -156,39 +181,98 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!memcmp(filename->name, system_bin_init,
-		    sizeof(system_bin_init) - 1)) {
+	if (unlikely(!memcmp(filename->name, system_bin_init,
+			     sizeof(system_bin_init) - 1) &&
+		     argv)) {
 		// /system/bin/init executed
-		struct user_arg_ptr *ptr = (struct user_arg_ptr*) argv;
-		int argc = count(*ptr, MAX_ARG_STRINGS);
+		int argc = count(*argv, MAX_ARG_STRINGS);
 		pr_info("/system/bin/init argc: %d\n", argc);
 		if (argc > 1 && !init_second_stage_executed) {
-			const char __user *p = get_user_arg_ptr(*ptr, 1);
+			const char __user *p = get_user_arg_ptr(*argv, 1);
 			if (p && !IS_ERR(p)) {
 				char first_arg[16];
-				#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
-                                strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
-                                #elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
-                                strncpy_from_unsafe_user(first_arg, p, sizeof(first_arg));
-                                #else
-                                strncpy_from_user(first_arg, p, sizeof(first_arg));
-                                #endif
-				pr_info("first arg: %s\n", first_arg);
+				ksu_strncpy_from_user_nofault(
+					first_arg, p, sizeof(first_arg));
+				pr_info("/system/bin/init first arg: %s\n",
+					first_arg);
 				if (!strcmp(first_arg, "second_stage")) {
 					pr_info("/system/bin/init second_stage executed\n");
 					apply_kernelsu_rules();
 					init_second_stage_executed = true;
+					ksu_android_ns_fs_check();
 				}
 			} else {
 				pr_err("/system/bin/init parse args err!\n");
 			}
 		}
+	} else if (unlikely(!memcmp(filename->name, old_system_init,
+				    sizeof(old_system_init) - 1) &&
+			    argv)) {
+		// /init executed
+		int argc = count(*argv, MAX_ARG_STRINGS);
+		pr_info("/init argc: %d\n", argc);
+		if (argc > 1 && !init_second_stage_executed) {
+			/* This applies to versions between Android 6 ~ 7 */
+			const char __user *p = get_user_arg_ptr(*argv, 1);
+			if (p && !IS_ERR(p)) {
+				char first_arg[16];
+				ksu_strncpy_from_user_nofault(
+					first_arg, p, sizeof(first_arg));
+				pr_info("/init first arg: %s\n", first_arg);
+				if (!strcmp(first_arg, "--second-stage")) {
+					pr_info("/init second_stage executed\n");
+					apply_kernelsu_rules();
+					init_second_stage_executed = true;
+					ksu_android_ns_fs_check();
+				}
+			} else {
+				pr_err("/init parse args err!\n");
+			}
+		} else if (argc == 1 && !init_second_stage_executed && envp) {
+			/* This applies to versions between Android 8 ~ 9  */
+			int envc = count(*envp, MAX_ARG_STRINGS);
+			if (envc > 0) {
+				int n;
+				for (n = 1; n <= envc; n++) {
+					const char __user *p =
+						get_user_arg_ptr(*envp, n);
+					if (!p || IS_ERR(p)) {
+						continue;
+					}
+					char env[256];
+					// Reading environment variable strings from user space
+					if (ksu_strncpy_from_user_nofault(
+						    env, p, sizeof(env)) < 0)
+						continue;
+					// Parsing environment variable names and values
+					char *env_name = env;
+					char *env_value = strchr(env, '=');
+					if (env_value == NULL)
+						continue;
+					// Replace equal sign with string terminator
+					*env_value = '\0';
+					env_value++;
+					// Check if the environment variable name and value are matching
+					if (!strcmp(env_name,
+						    "INIT_SECOND_STAGE") &&
+					    (!strcmp(env_value, "1") ||
+					     !strcmp(env_value, "true"))) {
+						pr_info("/init second_stage executed\n");
+						apply_kernelsu_rules();
+						init_second_stage_executed =
+							true;
+						ksu_android_ns_fs_check();
+					}
+				}
+			}
+		}
 	}
 
-	if (first_app_process &&
-	    !memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
+	if (unlikely(first_app_process && !memcmp(filename->name, app_process,
+						  sizeof(app_process) - 1))) {
 		first_app_process = false;
-		pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed);
+		pr_info("exec app_process, /data prepared, second_stage: %d\n",
+			init_second_stage_executed);
 		on_post_fs_data(); // we keep this for old ksud
 		stop_execve_hook();
 	}
@@ -207,7 +291,8 @@ static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
 	bool first_read = file->f_pos == 0;
 	ssize_t ret = orig_read(file, buf, count, pos);
 	if (first_read) {
-		pr_info("read_proxy append %ld + %ld", ret, read_count_append);
+		pr_info("read_proxy append %ld + %ld\n", ret,
+			read_count_append);
 		ret += read_count_append;
 	}
 	return ret;
@@ -218,7 +303,7 @@ static ssize_t read_iter_proxy(struct kiocb *iocb, struct iov_iter *to)
 	bool first_read = iocb->ki_pos == 0;
 	ssize_t ret = orig_read_iter(iocb, to);
 	if (first_read) {
-		pr_info("read_iter_proxy append %ld + %ld", ret,
+		pr_info("read_iter_proxy append %ld + %ld\n", ret,
 			read_count_append);
 		ret += read_count_append;
 	}
@@ -229,7 +314,7 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 			size_t *count_ptr, loff_t **pos)
 {
 #ifndef CONFIG_KPROBES
-	if (!vfs_read_hook) {
+	if (!ksu_vfs_read_hook) {
 		return 0;
 	}
 #endif
@@ -283,17 +368,17 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 
 	size_t rc_count = strlen(KERNEL_SU_RC);
 
-	pr_info("vfs_read: %s, comm: %s, count: %d, rc_count: %d\n", dpath,
+	pr_info("vfs_read: %s, comm: %s, count: %zu, rc_count: %zu\n", dpath,
 		current->comm, count, rc_count);
 
 	if (count < rc_count) {
-		pr_err("count: %d < rc_count: %d", count, rc_count);
+		pr_err("count: %zu < rc_count: %zu\n", count, rc_count);
 		return 0;
 	}
 
 	size_t ret = copy_to_user(buf, KERNEL_SU_RC, rc_count);
 	if (ret) {
-		pr_err("copy ksud.rc failed: %d\n", ret);
+		pr_err("copy ksud.rc failed: %zu\n", ret);
 		return 0;
 	}
 
@@ -319,6 +404,18 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 	return 0;
 }
 
+int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr,
+			size_t *count_ptr)
+{
+	struct file *file = fget(fd);
+	if (!file) {
+		return 0;
+	}
+	int result = ksu_handle_vfs_read(&file, buf_ptr, count_ptr, NULL);
+	fput(file);
+	return result;
+}
+
 static unsigned int volumedown_pressed_count = 0;
 
 static bool is_volumedown_enough(unsigned int count)
@@ -330,7 +427,7 @@ int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
 				  int *value)
 {
 #ifndef CONFIG_KPROBES
-	if (!input_hook) {
+	if (!ksu_input_hook) {
 		return 0;
 	}
 #endif
@@ -379,32 +476,81 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
+	struct user_arg_ptr argv;
+#ifdef CONFIG_COMPAT
+	argv.is_compat = PT_REGS_PARM3(regs);
+	if (unlikely(argv.is_compat)) {
+		argv.ptr.compat = PT_REGS_CCALL_PARM4(regs);
+	} else {
+		argv.ptr.native = PT_REGS_CCALL_PARM4(regs);
+	}
+#else
+	argv.ptr.native = PT_REGS_PARM3(regs);
+#endif
 
-	return ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+	return ksu_handle_execveat_ksud(fd, filename_ptr, &argv, NULL, NULL);
 }
 
-static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
+static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM1(real_regs);
+	const char __user *const __user *__argv =
+		(const char __user *const __user *)PT_REGS_PARM2(real_regs);
+	struct user_arg_ptr argv = { .ptr.native = __argv };
+	struct filename filename_in, *filename_p;
+	char path[32];
+
+	if (!filename_user)
+		return 0;
+
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, 32);
+	filename_in.name = path;
+
+	filename_p = &filename_in;
+	return ksu_handle_execveat_ksud(AT_FDCWD, &filename_p, &argv, NULL,
+					NULL);
+}
+
+// remove this later!
+__maybe_unused static int vfs_read_handler_pre(struct kprobe *p,
+					       struct pt_regs *regs)
 {
 	struct file **file_ptr = (struct file **)&PT_REGS_PARM1(regs);
 	char __user **buf_ptr = (char **)&PT_REGS_PARM2(regs);
 	size_t *count_ptr = (size_t *)&PT_REGS_PARM3(regs);
-	loff_t **pos_ptr = (loff_t **)&PT_REGS_PARM4(regs);
+	loff_t **pos_ptr = (loff_t **)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
 }
 
+static int sys_read_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	unsigned int fd = PT_REGS_PARM1(real_regs);
+	char __user **buf_ptr = (char __user **)&PT_REGS_PARM2(real_regs);
+	size_t count_ptr = (size_t *)&PT_REGS_PARM3(real_regs);
+
+	return ksu_handle_sys_read(fd, buf_ptr, count_ptr);
+}
+
 static int input_handle_event_handler_pre(struct kprobe *p,
 					  struct pt_regs *regs)
 {
 	unsigned int *type = (unsigned int *)&PT_REGS_PARM2(regs);
 	unsigned int *code = (unsigned int *)&PT_REGS_PARM3(regs);
-	int *value = (int *)&PT_REGS_PARM4(regs);
+	int *value = (int *)&PT_REGS_CCALL_PARM4(regs);
 	return ksu_handle_input_handle_event(type, code, value);
 }
 
+#if 1
+static struct kprobe execve_kp = {
+	.symbol_name = SYS_EXECVE_SYMBOL,
+	.pre_handler = sys_execve_handler_pre,
+};
+#else
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
@@ -415,14 +561,22 @@ static struct kprobe execve_kp = {
 #endif
 	.pre_handler = execve_handler_pre,
 };
+#endif
 
+#if 1
+static struct kprobe vfs_read_kp = {
+	.symbol_name = SYS_READ_SYMBOL,
+	.pre_handler = sys_read_handler_pre,
+};
+#else
 static struct kprobe vfs_read_kp = {
 	.symbol_name = "vfs_read",
-	.pre_handler = read_handler_pre,
+	.pre_handler = vfs_read_handler_pre,
 };
+#endif
 
-static struct kprobe input_handle_event_kp = {
-	.symbol_name = "input_handle_event",
+static struct kprobe input_event_kp = {
+	.symbol_name = "input_event",
 	.pre_handler = input_handle_event_handler_pre,
 };
 
@@ -438,7 +592,7 @@ static void do_stop_execve_hook(struct work_struct *work)
 
 static void do_stop_input_hook(struct work_struct *work)
 {
-	unregister_kprobe(&input_handle_event_kp);
+	unregister_kprobe(&input_event_kp);
 }
 #endif
 
@@ -448,7 +602,8 @@ static void stop_vfs_read_hook()
 	bool ret = schedule_work(&stop_vfs_read_work);
 	pr_info("unregister vfs_read kprobe: %d!\n", ret);
 #else
-	vfs_read_hook = false;
+	ksu_vfs_read_hook = false;
+	pr_info("stop vfs_read_hook\n");
 #endif
 }
 
@@ -458,7 +613,8 @@ static void stop_execve_hook()
 	bool ret = schedule_work(&stop_execve_hook_work);
 	pr_info("unregister execve kprobe: %d!\n", ret);
 #else
-	execveat_hook = false;
+	ksu_execveat_hook = false;
+	pr_info("stop execve_hook\n");
 #endif
 }
 
@@ -473,12 +629,13 @@ static void stop_input_hook()
 	bool ret = schedule_work(&stop_input_hook_work);
 	pr_info("unregister input kprobe: %d!\n", ret);
 #else
-	input_hook = false;
+	ksu_input_hook = false;
+	pr_info("stop input_hook\n");
 #endif
 }
 
 // ksud: module support
-void ksu_enable_ksud()
+void ksu_ksud_init()
 {
 #ifdef CONFIG_KPROBES
 	int ret;
@@ -489,11 +646,21 @@ void ksu_enable_ksud()
 	ret = register_kprobe(&vfs_read_kp);
 	pr_info("ksud: vfs_read_kp: %d\n", ret);
 
-	ret = register_kprobe(&input_handle_event_kp);
-	pr_info("ksud: input_handle_event_kp: %d\n", ret);
+	ret = register_kprobe(&input_event_kp);
+	pr_info("ksud: input_event_kp: %d\n", ret);
 
 	INIT_WORK(&stop_vfs_read_work, do_stop_vfs_read_hook);
 	INIT_WORK(&stop_execve_hook_work, do_stop_execve_hook);
 	INIT_WORK(&stop_input_hook_work, do_stop_input_hook);
 #endif
 }
+
+void ksu_ksud_exit()
+{
+#ifdef CONFIG_KPROBES
+	unregister_kprobe(&execve_kp);
+	// this should be done before unregister vfs_read_kp
+	// unregister_kprobe(&vfs_read_kp);
+	unregister_kprobe(&input_event_kp);
+#endif
+}

kernel/ksud.h

@@ -1,10 +1,14 @@
 #ifndef __KSU_H_KSUD
 #define __KSU_H_KSUD
 
+#include <linux/types.h>
+
 #define KSUD_PATH "/data/adb/ksud"
 
 void on_post_fs_data(void);
 
 bool ksu_is_safe_mode(void);
 
-#endif
+extern u32 ksu_devpts_sid;
+
+#endif

kernel/manager.c

@@ -1,80 +0,0 @@
-#include "linux/cred.h"
-#include "linux/gfp.h"
-#include "linux/slab.h"
-#include "linux/uidgid.h"
-#include "linux/version.h"
-
-#include "linux/fdtable.h"
-#include "linux/fs.h"
-#include "linux/rcupdate.h"
-
-#include "apk_sign.h"
-#include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
-#include "manager.h"
-
-uid_t ksu_manager_uid = INVALID_UID;
-
-bool become_manager(char *pkg)
-{
-	struct fdtable *files_table;
-	int i = 0;
-	struct path files_path;
-	char *cwd;
-	char *buf;
-	bool result = false;
-
-	// must be zygote's direct child, otherwise any app can fork a new process and
-	// open manager's apk
-	if (task_uid(current->real_parent).val != 0) {
-		pr_info("parent is not zygote!\n");
-		return false;
-	}
-
-	buf = (char *)kmalloc(PATH_MAX, GFP_ATOMIC);
-	if (!buf) {
-		pr_err("kalloc path failed.\n");
-		return false;
-	}
-
-	files_table = files_fdtable(current->files);
-
-	// todo: use iterate_fd
-	while (files_table->fd[i] != NULL) {
-		files_path = files_table->fd[i]->f_path;
-		if (!d_is_reg(files_path.dentry)) {
-			i++;
-			continue;
-		}
-		cwd = d_path(&files_path, buf, PATH_MAX);
-		if (startswith(cwd, "/data/app/") == 0 &&
-		    endswith(cwd, "/base.apk") == 0) {
-			// we have found the apk!
-			pr_info("found apk: %s", cwd);
-			if (!strstr(cwd, pkg)) {
-				pr_info("apk path not match package name!\n");
-				i++;
-				continue;
-			}
-			if (is_manager_apk(cwd) == 0) {
-				// check passed
-				uid_t uid = current_uid().val;
-				pr_info("manager uid: %d\n", uid);
-
-				ksu_set_manager_uid(uid);
-
-				result = true;
-				goto clean;
-			} else {
-				pr_info("manager signature invalid!");
-			}
-
-			break;
-		}
-		i++;
-	}
-
-clean:
-	kfree(buf);
-	return result;
-}

kernel/manager.h

@@ -1,21 +1,21 @@
 #ifndef __KSU_H_KSU_MANAGER
 #define __KSU_H_KSU_MANAGER
 
-#include "linux/cred.h"
-#include "linux/types.h"
+#include <linux/cred.h>
+#include <linux/types.h>
 
-#define INVALID_UID -1
+#define KSU_INVALID_UID -1
 
 extern uid_t ksu_manager_uid; // DO NOT DIRECT USE
 
 static inline bool ksu_is_manager_uid_valid()
 {
-	return ksu_manager_uid != INVALID_UID;
+	return ksu_manager_uid != KSU_INVALID_UID;
 }
 
 static inline bool is_manager()
 {
-	return ksu_manager_uid == current_uid().val;
+	return unlikely(ksu_manager_uid == current_uid().val);
 }
 
 static inline uid_t ksu_get_manager_uid()
@@ -30,9 +30,7 @@ static inline void ksu_set_manager_uid(uid_t uid)
 
 static inline void ksu_invalidate_manager_uid()
 {
-	ksu_manager_uid = INVALID_UID;
+	ksu_manager_uid = KSU_INVALID_UID;
 }
 
-bool become_manager(char *pkg);
-
 #endif

kernel/module_api.c

@@ -1,33 +0,0 @@
-#include "linux/kallsyms.h"
-
-#define RE_EXPORT_SYMBOL1(ret, func, t1, v1)                                   \
-	ret ksu_##func(t1 v1)                                                  \
-	{                                                                      \
-		return func(v1);                                               \
-	}                                                                      \
-	EXPORT_SYMBOL(ksu_##func);
-
-#define RE_EXPORT_SYMBOL2(ret, func, t1, v1, t2, v2)                           \
-	ret ksu_##func(t1 v1, t2 v2)                                           \
-	{                                                                      \
-		return func(v1, v2);                                           \
-	}                                                                      \
-	EXPORT_SYMBOL(ksu_##func);
-
-RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char *, name)
-
-// RE_EXPORT_SYMBOL2(int, register_kprobe, struct kprobe *, p)
-// RE_EXPORT_SYMBOL2(void, unregister_kprobe, struct kprobe *, p)
-
-// RE_EXPORT_SYMBOL2(int, register_kprobe, struct kprobe *, p)
-// RE_EXPORT_SYMBOL2(void, unregister_kprobe, struct kprobe *, p)
-
-// int ksu_register_kprobe(struct kprobe *p);
-// void ksu_unregister_kprobe(struct kprobe *p);
-// int ksu_register_kprobes(struct kprobe **kps, int num);
-// void ksu_unregister_kprobes(struct kprobe **kps, int num);
-
-// int ksu_register_kretprobe(struct kretprobe *rp);
-// void unregister_kretprobe(struct kretprobe *rp);
-// int register_kretprobes(struct kretprobe **rps, int num);
-// void unregister_kretprobes(struct kretprobe **rps, int num);

kernel/selinux/Makefile

@@ -11,6 +11,6 @@ ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
 endif
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement -Wno-unused-function
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
-ccflags-y += -I$(objtree)/security/selinux
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h

kernel/selinux/rules.c

@@ -1,6 +1,6 @@
-#include "linux/uaccess.h"
-#include "linux/types.h"
-#include "linux/version.h"
+#include <linux/uaccess.h>
+#include <linux/types.h>
+#include <linux/version.h>
 
 #include "../klog.h" // IWYU pragma: keep
 #include "selinux.h"
@@ -39,7 +39,7 @@ static struct policydb *get_policydb(void)
 void apply_kernelsu_rules()
 {
 	if (!getenforce()) {
-		pr_info("SELinux permissive or disabled, apply rules!");
+		pr_info("SELinux permissive or disabled, apply rules!\n");
 	}
 
 	rcu_read_lock();
@@ -63,11 +63,17 @@ void apply_kernelsu_rules()
 		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "blk_file", ALL);
 		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "fifo_file", ALL);
 		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "chr_file", ALL);
+		ksu_allowxperm(db, KERNEL_SU_DOMAIN, ALL, "file", ALL);
 	}
 
 	// we need to save allowlist in /data/adb/ksu
 	ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
 	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
+	// we need to search /data/app
+	ksu_allow(db, "kernel", "apk_data_file", "file", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "read");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "search");
 	// we may need to do mount on shell
 	ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
 	// we need to read /data/system/packages.list
@@ -83,7 +89,10 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "kernel", "system_data_file", "dir", ALL);
 	// our ksud triggered by init
 	ksu_allow(db, "init", "adb_data_file", "file", ALL);
+	ksu_allow(db, "init", "adb_data_file", "dir", ALL); // #1289
 	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
+	// we need to umount modules in zygote
+	ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
 
 	// copied from Magisk rules
 	// suRights
@@ -114,14 +123,16 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
 		  "getattr");
 
+	// For mounting loop devices, mirrors, tmpfs
+	ksu_allow(db, "kernel", ALL, "file", "read");
+	ksu_allow(db, "kernel", ALL, "file", "write");
+
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
-	// Allow system server devpts
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
-		  "read");
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
-		  "write");
+    // Allow system server kill su process
+    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
+    ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
 
 	rcu_read_unlock();
 }
@@ -170,7 +181,8 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 // reset avc cache table, otherwise the new rules will not take effect if already denied
 static void reset_avc_cache()
 {
-#ifndef KSU_COMPAT_USE_SELINUX_STATE
+#if ((!defined(KSU_COMPAT_USE_SELINUX_STATE)) || \
+        LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
 	avc_ss_reset(0);
 	selnl_notify_policyload(0);
 	selinux_status_update_policyload(0);
@@ -245,7 +257,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 4) {
 			success = ksu_dontaudit(db, s, t, c, p);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		ret = success ? 0 : -1;
 
@@ -290,7 +302,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 3) {
 			success = ksu_dontauditxperm(db, s, t, c, perm_set);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		ret = success ? 0 : -1;
 	} else if (cmd == CMD_TYPE_STATE) {
@@ -307,7 +319,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 2) {
 			success = ksu_enforce(db, src);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		if (success)
 			ret = 0;
@@ -422,7 +434,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 			success = ksu_type_member(db, src, tgt, cls,
 						  default_type);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		if (success)
 			ret = 0;

kernel/selinux/selinux.c

@@ -8,8 +8,6 @@
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
-static u32 ksu_sid;
-
 static int transive_to_domain(const char *domain)
 {
 	struct cred *cred;
@@ -26,11 +24,11 @@ static int transive_to_domain(const char *domain)
 	}
 
 	error = security_secctx_to_secid(domain, strlen(domain), &sid);
-	pr_info("error: %d, sid: %d\n", error, sid);
+	if (error) {
+		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n",
+			domain, sid, error);
+	}
 	if (!error) {
-		if (!ksu_sid)
-			ksu_sid = sid;
-
 		tsec->sid = sid;
 		tsec->create_sid = 0;
 		tsec->keycreate_sid = 0;
@@ -39,10 +37,10 @@ static int transive_to_domain(const char *domain)
 	return error;
 }
 
-void setup_selinux()
+void setup_selinux(const char *domain)
 {
-	if (transive_to_domain(KERNEL_SU_DOMAIN)) {
-		pr_err("transive domain failed.");
+	if (transive_to_domain(domain)) {
+		pr_err("transive domain failed.\n");
 		return;
 	}
 
@@ -88,7 +86,8 @@ bool getenforce()
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && !defined(KSU_COMPAT_HAS_CURRENT_SID)
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+	!defined(KSU_COMPAT_HAS_CURRENT_SID)
 /*
  * get the subjective security ID of the current task
  */
@@ -102,5 +101,45 @@ static inline u32 current_sid(void)
 
 bool is_ksu_domain()
 {
-	return ksu_sid && current_sid() == ksu_sid;
+	char *domain;
+	u32 seclen;
+	bool result;
+	int err = security_secid_to_secctx(current_sid(), &domain, &seclen);
+	if (err) {
+		return false;
+	}
+	result = strncmp(KERNEL_SU_DOMAIN, domain, seclen) == 0;
+	security_release_secctx(domain, seclen);
+	return result;
 }
+
+bool is_zygote(void *sec)
+{
+	struct task_security_struct *tsec = (struct task_security_struct *)sec;
+	if (!tsec) {
+		return false;
+	}
+	char *domain;
+	u32 seclen;
+	bool result;
+	int err = security_secid_to_secctx(tsec->sid, &domain, &seclen);
+	if (err) {
+		return false;
+	}
+	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
+	security_release_secctx(domain, seclen);
+	return result;
+}
+
+#define DEVPTS_DOMAIN "u:object_r:devpts:s0"
+
+u32 ksu_get_devpts_sid()
+{
+	u32 devpts_sid = 0;
+	int err = security_secctx_to_secid(DEVPTS_DOMAIN, strlen(DEVPTS_DOMAIN),
+					   &devpts_sid);
+	if (err) {
+		pr_info("get devpts sid err %d\n", err);
+	}
+	return devpts_sid;
+}

kernel/selinux/selinux.h

@@ -8,7 +8,7 @@
 #define KSU_COMPAT_USE_SELINUX_STATE
 #endif
 
-void setup_selinux();
+void setup_selinux(const char *);
 
 void setenforce(bool);
 
@@ -16,6 +16,10 @@ bool getenforce();
 
 bool is_ksu_domain();
 
+bool is_zygote(void *cred);
+
 void apply_kernelsu_rules();
 
-#endif
+u32 ksu_get_devpts_sid();
+
+#endif

kernel/selinux/sepolicy.c

@@ -1,26 +1,15 @@
-#include "sepolicy.h"
-#include "linux/gfp.h"
-#include "linux/printk.h"
-#include "linux/slab.h"
-#include "linux/version.h"
+#include <linux/gfp.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/version.h>
 
+#include "sepolicy.h"
 #include "../klog.h" // IWYU pragma: keep
 #include "ss/symtab.h"
+#include "../kernel_compat.h" // Add check Huawei Device
 
 #define KSU_SUPPORT_ADD_TYPE
 
-/*
- * Adapt to Huawei HISI kernel without affecting other kernels ,
- * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
- * From ss/ebitmap.h
- */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) &&                           \
-	LINUX_VERSION_CODE <= KERNEL_VERSION(4, 9, 250)
-#ifdef HISI_SELINUX_EBITMAP_RO
-#define CONFIG_IS_HW_HISI
-#endif
-#endif
-
 //////////////////////////////////////////////////////
 // Declaration
 //////////////////////////////////////////////////////
@@ -73,7 +62,7 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // rules
 #define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
 
-#define hash_for_each(node_ptr, n_slot, cur)                                   \
+#define ksu_hash_for_each(node_ptr, n_slot, cur)                               \
 	int i;                                                                 \
 	for (i = 0; i < n_slot; ++i)                                           \
 		for (cur = node_ptr[i]; cur; cur = cur->next)
@@ -81,10 +70,11 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // htable is a struct instead of pointer above 5.8.0:
 // https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
-#define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab.htable, htab.size, cur)
 #else
-#define hashtab_for_each(htab, cur)                                            \
-	hash_for_each (htab->htable, htab->size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab->htable, htab->size, cur)
 #endif
 
 // symtab_search is introduced on 5.9.0:
@@ -95,8 +85,7 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 #endif
 
 #define avtab_for_each(avtab, cur)                                             \
-	hash_for_each (avtab.htable, avtab.nslot, cur)                         \
-		;
+	ksu_hash_for_each(avtab.htable, avtab.nslot, cur);
 
 static struct avtab_node *get_avtab_node(struct policydb *db,
 					 struct avtab_key *key,
@@ -210,14 +199,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	if (src == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db,
 					     (struct type_datum *)node->datum,
 					     tgt, cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -230,14 +219,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db, src,
 					     (struct type_datum *)node->datum,
 					     cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -249,7 +238,7 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 		}
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_rule_raw(db, src, tgt,
 				     (struct class_datum *)node->datum, perm,
@@ -292,7 +281,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 {
 	if (src == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -303,7 +292,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -314,7 +303,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_xperm_rule_raw(db, src, tgt,
 					   (struct class_datum *)(node->datum),
@@ -592,14 +581,14 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
 							       1, GFP_ATOMIC);
 		if (!trans) {
-			pr_err("add_filename_trans: Failed to alloc datum");
+			pr_err("add_filename_trans: Failed to alloc datum\n");
 			return false;
 		}
 		struct filename_trans *new_key =
 			(struct filename_trans *)kmalloc(sizeof(*new_key),
 							 GFP_ATOMIC);
 		if (!new_key) {
-			pr_err("add_filename_trans: Failed to alloc new_key");
+			pr_err("add_filename_trans: Failed to alloc new_key\n");
 			return false;
 		}
 		*new_key = key;
@@ -619,6 +608,22 @@ static bool add_genfscon(struct policydb *db, const char *fs_name,
 	return false;
 }
 
+static void *ksu_realloc(void *old, size_t new_size, size_t old_size)
+{
+	// we can't use krealloc, because it may be read-only
+	void *new = kzalloc(new_size, GFP_ATOMIC);
+	if (!new) {
+		return NULL;
+	}
+	if (old_size) {
+		memcpy(new, old, old_size);
+	}
+	// we can't use kfree, because it may be read-only
+	// there maybe some leaks, maybe we can check ptr_write, but it's not a big deal
+	// kfree(old);
+	return new;
+}
+
 static bool add_type(struct policydb *db, const char *type_name, bool attr)
 {
 #ifdef KSU_SUPPORT_ADD_TYPE
@@ -652,29 +657,30 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	}
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
-	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
 	struct ebitmap *new_type_attr_map_array =
-		(krealloc(db->type_attr_map_array, new_size, GFP_ATOMIC));
-
-	struct type_datum **new_type_val_to_struct =
-		krealloc(db->type_val_to_struct,
-			 sizeof(*db->type_val_to_struct) * db->p_types.nprim,
-			 GFP_ATOMIC);
+		ksu_realloc(db->type_attr_map_array,
+			    value * sizeof(struct ebitmap),
+			    (value - 1) * sizeof(struct ebitmap));
 
 	if (!new_type_attr_map_array) {
 		pr_err("add_type: alloc type_attr_map_array failed\n");
 		return false;
 	}
 
+	struct type_datum **new_type_val_to_struct =
+		ksu_realloc(db->type_val_to_struct,
+			    sizeof(*db->type_val_to_struct) * value,
+			    sizeof(*db->type_val_to_struct) * (value - 1));
+
 	if (!new_type_val_to_struct) {
 		pr_err("add_type: alloc type_val_to_struct failed\n");
 		return false;
 	}
 
 	char **new_val_to_name_types =
-		krealloc(db->sym_val_to_name[SYM_TYPES],
-			 sizeof(char *) * db->symtab[SYM_TYPES].nprim,
-			 GFP_KERNEL);
+		ksu_realloc(db->sym_val_to_name[SYM_TYPES],
+			    sizeof(char *) * value,
+			    sizeof(char *) * (value - 1));
 	if (!new_val_to_name_types) {
 		pr_err("add_type: alloc val_to_name failed\n");
 		return false;
@@ -693,7 +699,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 
 	return true;
@@ -743,7 +749,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 
 	return true;
@@ -854,7 +860,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 	return true;
 #endif
@@ -870,7 +876,7 @@ static bool set_type_state(struct policydb *db, const char *type_name,
 	struct type_datum *type;
 	if (type_name == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			type = (struct type_datum *)(node->datum);
 			if (ebitmap_set_bit(&db->permissive_map, type->value,
@@ -913,7 +919,7 @@ static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 	struct hashtab_node *node;
 	struct constraint_node *n;
 	struct constraint_expr *e;
-	hashtab_for_each(db->p_classes.table, node)
+	ksu_hashtab_for_each(db->p_classes.table, node)
 	{
 		struct class_datum *cls = (struct class_datum *)(node->datum);
 		for (n = cls->constraints; n; n = n->next) {

kernel/selinux/sepolicy.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_SEPOLICY
 #define __KSU_H_SEPOLICY
 
-#include "linux/types.h"
+#include <linux/types.h>
 
 #include "ss/policydb.h"
 

kernel/setup.sh

@@ -1,42 +1,75 @@
 #!/bin/sh
-set -eux
+set -eu
 
 GKI_ROOT=$(pwd)
 
-echo "[+] GKI_ROOT: $GKI_ROOT"
+display_usage() {
+    echo "Usage: $0 [--cleanup | <commit-or-tag>]"
+    echo "  --cleanup:              Cleans up previous modifications made by the script."
+    echo "  <commit-or-tag>:        Sets up or updates the KernelSU to specified tag or commit."
+    echo "  -h, --help:             Displays this usage information."
+    echo "  (no args):              Sets up or updates the KernelSU environment to the latest tagged version."
+}
 
-if test -d "$GKI_ROOT/common/drivers"; then
-     DRIVER_DIR="$GKI_ROOT/common/drivers"
-elif test -d "$GKI_ROOT/drivers"; then
-     DRIVER_DIR="$GKI_ROOT/drivers"
+initialize_variables() {
+    if test -d "$GKI_ROOT/common/drivers"; then
+         DRIVER_DIR="$GKI_ROOT/common/drivers"
+    elif test -d "$GKI_ROOT/drivers"; then
+         DRIVER_DIR="$GKI_ROOT/drivers"
+    else
+         echo '[ERROR] "drivers/" directory not found.'
+         exit 127
+    fi
+
+    DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
+    DRIVER_KCONFIG=$DRIVER_DIR/Kconfig
+}
+
+# Reverts modifications made by this script
+perform_cleanup() {
+    echo "[+] Cleaning up..."
+    [ -L "$DRIVER_DIR/kernelsu" ] && rm "$DRIVER_DIR/kernelsu" && echo "[-] Symlink removed."
+    grep -q "kernelsu" "$DRIVER_MAKEFILE" && sed -i '/kernelsu/d' "$DRIVER_MAKEFILE" && echo "[-] Makefile reverted."
+    grep -q "drivers/kernelsu/Kconfig" "$DRIVER_KCONFIG" && sed -i '/drivers\/kernelsu\/Kconfig/d' "$DRIVER_KCONFIG" && echo "[-] Kconfig reverted."
+    if [ -d "$GKI_ROOT/KernelSU" ]; then
+        rm -rf "$GKI_ROOT/KernelSU" && echo "[-] KernelSU directory deleted."
+    fi
+}
+
+# Sets up or update KernelSU environment
+setup_kernelsu() {
+    echo "[+] Setting up KernelSU..."
+    test -d "$GKI_ROOT/KernelSU" || git clone https://github.com/tiann/KernelSU && echo "[+] Repository cloned."
+    cd "$GKI_ROOT/KernelSU"
+    git stash && echo "[-] Stashed current changes."
+    if [ "$(git status | grep -Po 'v\d+(\.\d+)*' | head -n1)" ]; then
+        git checkout main && echo "[-] Switched to main branch."
+    fi
+    git pull && echo "[+] Repository updated."
+    if [ -z "${1-}" ]; then
+        git checkout "$(git describe --abbrev=0 --tags)" && echo "[-] Checked out latest tag."
+    else
+        git checkout "$1" && echo "[-] Checked out $1." || echo "[-] Checkout default branch"
+    fi
+    cd "$DRIVER_DIR"
+    ln -sf "$(realpath --relative-to="$DRIVER_DIR" "$GKI_ROOT/KernelSU/kernel")" "kernelsu" && echo "[+] Symlink created."
+
+    # Add entries in Makefile and Kconfig if not already existing
+    grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE" && echo "[+] Modified Makefile."
+    grep -q "source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG" && echo "[+] Modified Kconfig."
+    echo '[+] Done.'
+}
+
+# Process command-line arguments
+if [ "$#" -eq 0 ]; then
+    initialize_variables
+    setup_kernelsu
+elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+    display_usage
+elif [ "$1" = "--cleanup" ]; then
+    initialize_variables
+    perform_cleanup
 else
-     echo '[ERROR] "drivers/" directory is not found.'
-     echo '[+] You should modify this scrpit by yourself.'
-     exit 127
+    initialize_variables
+    setup_kernelsu "$@"
 fi
-
-test -d "$GKI_ROOT/KernelSU" || git clone https://github.com/tiann/KernelSU
-cd "$GKI_ROOT/KernelSU"
-git stash
-if [ "$(git status | grep -Po 'v\d+(\.\d+)*' | head -n1)" ]; then
-     git checkout main
-fi
-git pull
-if [ -z "${1-}" ]; then
-    git checkout "$(git describe --abbrev=0 --tags)"
-else
-    git checkout "$1"
-fi
-cd "$GKI_ROOT"
-
-echo "[+] GKI_ROOT: $GKI_ROOT"
-echo "[+] Copy kernel su driver to $DRIVER_DIR"
-
-test -e "$DRIVER_DIR/kernelsu" || ln -sf "$GKI_ROOT/KernelSU/kernel" "$DRIVER_DIR/kernelsu"
-
-echo '[+] Add kernel su driver to Makefile'
-
-DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
-grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-y += kernelsu/\n" >> "$DRIVER_MAKEFILE"
-
-echo '[+] Done.'

kernel/sucompat.c

@@ -1,21 +1,25 @@
-#include "asm/current.h"
-#include "linux/cred.h"
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/kprobes.h"
-#include "linux/types.h"
-#include "linux/uaccess.h"
-#include "linux/version.h"
+#include <linux/dcache.h>
+#include <linux/security.h>
+#include <asm/current.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/kprobes.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/version.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-#include "linux/sched/task_stack.h"
+#include <linux/sched/task_stack.h>
 #else
-#include "linux/sched.h"
+#include <linux/sched.h>
 #endif
 
+#include "objsec.h"
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
+#include "kernel_compat.h"
 
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
@@ -38,68 +42,84 @@ static char __user *sh_user_path(void)
 	return userspace_stack_buffer(sh_path, sizeof(sh_path));
 }
 
-int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
-			 int *flags)
+static char __user *ksud_user_path(void)
+{
+	static const char ksud_path[] = KSUD_PATH;
+
+	return userspace_stack_buffer(ksud_path, sizeof(ksud_path));
+}
+
+int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
+			 int *__unused_flags)
 {
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
+	char path[sizeof(su) + 1];
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
 
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("faccessat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
 
-	putname(filename);
-
 	return 0;
 }
 
 int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 {
 	// const char sh[] = SH_PATH;
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	if (!filename_user) {
+	if (unlikely(!filename_user)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
-
+	char path[sizeof(su) + 1];
+	memset(path, 0, sizeof(path));
+// Remove this later!! we use syscall hook, so this will never happen!!!!!
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && 0
+	// it becomes a `struct filename *` after 5.18
+	// https://elixir.bootlin.com/linux/v5.18/source/fs/stat.c#L216
+	const char sh[] = SH_PATH;
+	struct filename *filename = *((struct filename **)filename_user);
 	if (IS_ERR(filename)) {
 		return 0;
 	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (likely(memcmp(filename->name, su, sizeof(su))))
+		return 0;
+	pr_info("vfs_statx su->sh!\n");
+	memcpy((void *)filename->name, sh, sizeof(sh));
+#else
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("newfstatat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
-
-	putname(filename);
+#endif
 
 	return 0;
 }
 
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-				 void *argv, void *envp, int *flags)
+				 void *__never_use_argv, void *__never_use_envp,
+				 int *__never_use_flags)
 {
 	struct filename *filename;
 	const char sh[] = KSUD_PATH;
 	const char su[] = SU_PATH;
 
-	if (!filename_ptr)
+	if (unlikely(!filename_ptr))
 		return 0;
 
 	filename = *filename_ptr;
@@ -107,15 +127,73 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!ksu_is_allow_uid(current_uid().val)) {
+	if (likely(memcmp(filename->name, su, sizeof(su))))
+		return 0;
+
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
+
+	pr_info("do_execveat_common su found\n");
+	memcpy((void *)filename->name, sh, sizeof(sh));
+
+	escape_to_root();
+
+	return 0;
+}
+
+int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
+			       void *__never_use_argv, void *__never_use_envp,
+			       int *__never_use_flags)
+{
+	const char su[] = SU_PATH;
+	char path[sizeof(su) + 1];
+
+	if (unlikely(!filename_user))
+		return 0;
+
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+
+	if (likely(memcmp(path, su, sizeof(su))))
+		return 0;
+
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
+
+	pr_info("sys_execve su found\n");
+	*filename_user = ksud_user_path();
+
+	escape_to_root();
+
+	return 0;
+}
+
+int ksu_handle_devpts(struct inode *inode)
+{
+	if (!current->mm) {
 		return 0;
 	}
 
-	if (!memcmp(filename->name, su, sizeof(su))) {
-		pr_info("do_execveat_common su found\n");
-		memcpy((void *)filename->name, sh, sizeof(sh));
+	uid_t uid = current_uid().val;
+	if (uid % 100000 < 10000) {
+		// not untrusted_app, ignore it
+		return 0;
+	}
 
-		escape_to_root();
+	if (!ksu_is_allow_uid(uid))
+		return 0;
+
+	if (ksu_devpts_sid) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
+		struct inode_security_struct *sec = selinux_inode(inode);
+#else
+		struct inode_security_struct *sec = (struct inode_security_struct *) inode->i_security;
+#endif
+		if (sec) {
+			sec->sid = ksu_devpts_sid;
+			inode->i_uid.val = 0;
+			inode->i_gid.val = 0;
+		}
 	}
 
 	return 0;
@@ -123,45 +201,82 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 
 #ifdef CONFIG_KPROBES
 
-static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+__maybe_unused static int faccessat_handler_pre(struct kprobe *p,
+						struct pt_regs *regs)
 {
-	int *dfd = (int *)PT_REGS_PARM1(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(regs);
 	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
 	int *mode = (int *)&PT_REGS_PARM3(regs);
-	int *flags = (int *)&PT_REGS_PARM4(regs);
+	// Both sys_ and do_ is C function
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_faccessat(dfd, filename_user, mode, flags);
 }
 
-static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+static int sys_faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM2(real_regs);
+	int *mode = (int *)&PT_REGS_PARM3(real_regs);
+
+	return ksu_handle_faccessat(dfd, filename_user, mode, NULL);
+}
+
+__maybe_unused static int newfstatat_handler_pre(struct kprobe *p,
+						 struct pt_regs *regs)
 {
 	int *dfd = (int *)&PT_REGS_PARM1(regs);
 	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-// static int vfs_statx(int dfd, const char __user *filename, int flags, struct kstat *stat, u32 request_mask)
+	// static int vfs_statx(int dfd, const char __user *filename, int flags, struct kstat *stat, u32 request_mask)
 	int *flags = (int *)&PT_REGS_PARM3(regs);
 #else
-// int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
-	int *flags = (int *)&PT_REGS_PARM4(regs);
+	// int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
 #endif
 
 	return ksu_handle_stat(dfd, filename_user, flags);
 }
 
+static int sys_newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM2(real_regs);
+	int *flags = (int *)&PT_REGS_SYSCALL_PARM4(real_regs);
+
+	return ksu_handle_stat(dfd, filename_user, flags);
+}
+
 // https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
 static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
 
-	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
-					    flags);
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
 }
 
+static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM1(real_regs);
+
+	return ksu_handle_execve_sucompat(AT_FDCWD, filename_user, NULL, NULL,
+					  NULL);
+}
+
+#if 1
+static struct kprobe faccessat_kp = {
+	.symbol_name = SYS_FACCESSAT_SYMBOL,
+	.pre_handler = sys_faccessat_handler_pre,
+};
+#else
 static struct kprobe faccessat_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
 	.symbol_name = "do_faccessat",
@@ -170,7 +285,14 @@ static struct kprobe faccessat_kp = {
 #endif
 	.pre_handler = faccessat_handler_pre,
 };
+#endif
 
+#if 1
+static struct kprobe newfstatat_kp = {
+	.symbol_name = SYS_NEWFSTATAT_SYMBOL,
+	.pre_handler = sys_newfstatat_handler_pre,
+};
+#else
 static struct kprobe newfstatat_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	.symbol_name = "vfs_statx",
@@ -179,7 +301,14 @@ static struct kprobe newfstatat_kp = {
 #endif
 	.pre_handler = newfstatat_handler_pre,
 };
+#endif
 
+#if 1
+static struct kprobe execve_kp = {
+	.symbol_name = SYS_EXECVE_SYMBOL,
+	.pre_handler = sys_execve_handler_pre,
+};
+#else
 static struct kprobe execve_kp = {
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	.symbol_name = "do_execveat_common",
@@ -190,11 +319,29 @@ static struct kprobe execve_kp = {
 #endif
 	.pre_handler = execve_handler_pre,
 };
+#endif
+
+static int devpts_get_priv_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct inode *inode;
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
+	struct dentry *dentry = (struct dentry *)PT_REGS_PARM1(regs);
+	inode = dentry->d_inode;
+#else
+	inode = (struct inode *)PT_REGS_PARM1(real_regs);
+#endif
+
+	return ksu_handle_devpts(inode);
+}
+
+static struct kprobe devpts_get_priv_kp = { .symbol_name = "devpts_get_priv",
+					    .pre_handler =
+						    devpts_get_priv_pre };
 
 #endif
 
 // sucompat: permited process can execute 'su' to gain root access.
-void ksu_enable_sucompat()
+void ksu_sucompat_init()
 {
 #ifdef CONFIG_KPROBES
 	int ret;
@@ -204,5 +351,17 @@ void ksu_enable_sucompat()
 	pr_info("sucompat: newfstatat_kp: %d\n", ret);
 	ret = register_kprobe(&faccessat_kp);
 	pr_info("sucompat: faccessat_kp: %d\n", ret);
+	ret = register_kprobe(&devpts_get_priv_kp);
+	pr_info("sucompat: devpts_kp: %d\n", ret);
+#endif
+}
+
+void ksu_sucompat_exit()
+{
+#ifdef CONFIG_KPROBES
+	unregister_kprobe(&execve_kp);
+	unregister_kprobe(&newfstatat_kp);
+	unregister_kprobe(&faccessat_kp);
+	unregister_kprobe(&devpts_get_priv_kp);
 #endif
 }

kernel/throne_tracker.c

@@ -0,0 +1,319 @@
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/list.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/version.h>
+#include <linux/workqueue.h>
+
+#include "allowlist.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "manager.h"
+#include "throne_tracker.h"
+#include "kernel_compat.h"
+
+uid_t ksu_manager_uid = KSU_INVALID_UID;
+
+#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
+static struct work_struct ksu_update_uid_work;
+
+struct uid_data {
+	struct list_head list;
+	u32 uid;
+	char package[KSU_MAX_PACKAGE_NAME];
+};
+
+static int get_pkg_from_apk_path(char *pkg, const char *path)
+{
+	int len = strlen(path);
+	if (len >= KSU_MAX_PACKAGE_NAME || len < 1)
+		return -1;
+
+	const char *last_slash = NULL;
+	const char *second_last_slash = NULL;
+
+	int i;
+	for (i = len - 1; i >= 0; i--) {
+		if (path[i] == '/') {
+			if (!last_slash) {
+				last_slash = &path[i];
+			} else {
+				second_last_slash = &path[i];
+				break;
+			}
+		}
+	}
+
+	if (!last_slash || !second_last_slash)
+		return -1;
+
+	const char *last_hyphen = strchr(second_last_slash, '-');
+	if (!last_hyphen || last_hyphen > last_slash)
+		return -1;
+
+	int pkg_len = last_hyphen - second_last_slash - 1;
+	if (pkg_len >= KSU_MAX_PACKAGE_NAME || pkg_len <= 0)
+		return -1;
+
+	// Copying the package name
+	strncpy(pkg, second_last_slash + 1, pkg_len);
+	pkg[pkg_len] = '\0';
+
+	return 0;
+}
+
+static void crown_manager(const char *apk, struct list_head *uid_data)
+{
+	char pkg[KSU_MAX_PACKAGE_NAME];
+	if (get_pkg_from_apk_path(pkg, apk) < 0) {
+		pr_err("Failed to get package name from apk path: %s\n", apk);
+		return;
+	}
+
+	pr_info("manager pkg: %s\n", pkg);
+
+#ifdef KSU_MANAGER_PACKAGE
+	// pkg is `/<real package>`
+	if (strncmp(pkg, KSU_MANAGER_PACKAGE, sizeof(KSU_MANAGER_PACKAGE))) {
+		pr_info("manager package is inconsistent with kernel build: %s\n",
+			KSU_MANAGER_PACKAGE);
+		return;
+	}
+#endif
+	struct list_head *list = (struct list_head *)uid_data;
+	struct uid_data *np;
+
+	list_for_each_entry (np, list, list) {
+		if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) {
+			pr_info("Crowning manager: %s(uid=%d)\n", pkg, np->uid);
+			ksu_set_manager_uid(np->uid);
+			break;
+		}
+	}
+}
+
+struct my_dir_context {
+	struct dir_context ctx;
+	char *parent_dir;
+	void *private_data;
+	int depth;
+	int *stop;
+};
+// https://docs.kernel.org/filesystems/porting.html
+// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted.
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
+#define FILLDIR_RETURN_TYPE bool
+#define FILLDIR_ACTOR_CONTINUE true
+#define FILLDIR_ACTOR_STOP false
+#else
+#define FILLDIR_RETURN_TYPE int
+#define FILLDIR_ACTOR_CONTINUE 0
+#define FILLDIR_ACTOR_STOP -EINVAL
+#endif
+
+FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
+			     int namelen, loff_t off, u64 ino,
+			     unsigned int d_type)
+{
+	struct my_dir_context *my_ctx =
+		container_of(ctx, struct my_dir_context, ctx);
+	struct file *file;
+	char dirpath[384]; // 384 is enough for /data/app/<package>/base.apk
+
+	if (!my_ctx) {
+		pr_err("Invalid context\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+	if (my_ctx->stop && *my_ctx->stop) {
+		pr_info("Stop searching\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+
+	if (!strncmp(name, "..", namelen) || !strncmp(name, ".", namelen))
+		return FILLDIR_ACTOR_CONTINUE; // Skip "." and ".."
+
+	if (snprintf(dirpath, sizeof(dirpath), "%s/%.*s", my_ctx->parent_dir,
+		     namelen, name) >= sizeof(dirpath)) {
+		pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen,
+		       name);
+		return FILLDIR_ACTOR_CONTINUE;
+	}
+
+	if (d_type == DT_DIR && my_ctx->depth > 0 &&
+	    (my_ctx->stop && !*my_ctx->stop)) {
+		struct my_dir_context sub_ctx = { .ctx.actor = my_actor,
+						  .parent_dir = dirpath,
+						  .private_data =
+							  my_ctx->private_data,
+						  .depth = my_ctx->depth - 1,
+						  .stop = my_ctx->stop };
+		file = ksu_filp_open_compat(dirpath, O_RDONLY | O_NOFOLLOW, 0);
+		if (IS_ERR(file)) {
+			pr_err("Failed to open directory: %s, err: %ld\n",
+			       dirpath, PTR_ERR(file));
+			return FILLDIR_ACTOR_CONTINUE;
+		}
+
+		iterate_dir(file, &sub_ctx.ctx);
+		filp_close(file, NULL);
+	} else {
+		if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) {
+			bool is_manager = is_manager_apk(dirpath);
+			pr_info("Found base.apk at path: %s, is_manager: %d\n",
+				dirpath, is_manager);
+			if (is_manager) {
+				crown_manager(dirpath, my_ctx->private_data);
+				*my_ctx->stop = 1;
+			}
+		}
+	}
+
+	return FILLDIR_ACTOR_CONTINUE;
+}
+
+void search_manager(const char *path, int depth, struct list_head *uid_data)
+{
+	struct file *file;
+	int stop = 0;
+	struct my_dir_context ctx = { .ctx.actor = my_actor,
+				      .parent_dir = (char *)path,
+				      .private_data = uid_data,
+				      .depth = depth,
+				      .stop = &stop };
+
+	file = ksu_filp_open_compat(path, O_RDONLY | O_NOFOLLOW, 0);
+	if (IS_ERR(file)) {
+		pr_err("Failed to open directory: %s\n", path);
+		return;
+	}
+
+	iterate_dir(file, &ctx.ctx);
+	filp_close(file, NULL);
+}
+
+static bool is_uid_exist(uid_t uid, char *package, void *data)
+{
+	struct list_head *list = (struct list_head *)data;
+	struct uid_data *np;
+
+	bool exist = false;
+	list_for_each_entry (np, list, list) {
+		if (np->uid == uid % 100000 &&
+		    strncmp(np->package, package, KSU_MAX_PACKAGE_NAME) == 0) {
+			exist = true;
+			break;
+		}
+	}
+	return exist;
+}
+
+static void do_update_uid(struct work_struct *work)
+{
+	struct file *fp =
+		ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
+		       " failed: %ld\n",
+		       PTR_ERR(fp));
+		return;
+	}
+
+	struct list_head uid_list;
+	INIT_LIST_HEAD(&uid_list);
+
+	char chr = 0;
+	loff_t pos = 0;
+	loff_t line_start = 0;
+	char buf[KSU_MAX_PACKAGE_NAME];
+	for (;;) {
+		ssize_t count =
+			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+		if (count != sizeof(chr))
+			break;
+		if (chr != '\n')
+			continue;
+
+		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+					       &line_start);
+
+		struct uid_data *data =
+			kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
+		if (!data) {
+			filp_close(fp, 0);
+			goto out;
+		}
+
+		char *tmp = buf;
+		const char *delim = " ";
+		char *package = strsep(&tmp, delim);
+		char *uid = strsep(&tmp, delim);
+		if (!uid || !package) {
+			pr_err("update_uid: package or uid is NULL!\n");
+			break;
+		}
+
+		u32 res;
+		if (kstrtou32(uid, 10, &res)) {
+			pr_err("update_uid: uid parse err\n");
+			break;
+		}
+		data->uid = res;
+		strncpy(data->package, package, KSU_MAX_PACKAGE_NAME);
+		list_add_tail(&data->list, &uid_list);
+		// reset line start
+		line_start = pos;
+	}
+	filp_close(fp, 0);
+
+	// now update uid list
+	struct uid_data *np;
+	struct uid_data *n;
+
+	// first, check if manager_uid exist!
+	bool manager_exist = false;
+	list_for_each_entry (np, &uid_list, list) {
+		// if manager is installed in work profile, the uid in packages.list is still equals main profile
+		// don't delete it in this case!
+		int manager_uid = ksu_get_manager_uid() % 100000;
+		if (np->uid == manager_uid) {
+			manager_exist = true;
+			break;
+		}
+	}
+
+	if (!manager_exist) {
+		if (ksu_is_manager_uid_valid()) {
+			pr_info("manager is uninstalled, invalidate it!\n");
+			ksu_invalidate_manager_uid();
+		}
+		pr_info("Searching manager...\n");
+		search_manager("/data/app", 2, &uid_list);
+		pr_info("Search manager finished\n");
+	}
+
+	// then prune the allowlist
+	ksu_prune_allowlist(is_uid_exist, &uid_list);
+out:
+	// free uid_list
+	list_for_each_entry_safe (np, n, &uid_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+}
+
+void track_throne()
+{
+	ksu_queue_work(&ksu_update_uid_work);
+}
+
+void ksu_throne_tracker_init()
+{
+	INIT_WORK(&ksu_update_uid_work, do_update_uid);
+}
+
+void ksu_throne_tracker_exit()
+{
+	// nothing to do
+}

kernel/throne_tracker.h

@@ -0,0 +1,10 @@
+#ifndef __KSU_H_UID_OBSERVER
+#define __KSU_H_UID_OBSERVER
+
+void ksu_throne_tracker_init();
+
+void ksu_throne_tracker_exit();
+
+void track_throne();
+
+#endif

kernel/uid_observer.c

@@ -1,139 +0,0 @@
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/list.h"
-#include "linux/slab.h"
-#include "linux/string.h"
-#include "linux/types.h"
-#include "linux/version.h"
-#include "linux/workqueue.h"
-
-#include "allowlist.h"
-#include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
-#include "manager.h"
-#include "uid_observer.h"
-#include "kernel_compat.h"
-
-#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
-static struct work_struct ksu_update_uid_work;
-
-struct uid_data {
-	struct list_head list;
-	u32 uid;
-};
-
-static bool is_uid_exist(uid_t uid, void *data)
-{
-	struct list_head *list = (struct list_head *)data;
-	struct uid_data *np;
-
-	bool exist = false;
-	list_for_each_entry (np, list, list) {
-		if (np->uid == uid) {
-			exist = true;
-			break;
-		}
-	}
-	return exist;
-}
-
-static void do_update_uid(struct work_struct *work)
-{
-	KWORKER_INSTALL_KEYRING();
-	struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
-	if (IS_ERR(fp)) {
-		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
-		       " failed: %d\n",
-		       ERR_PTR(fp));
-		return;
-	}
-
-	struct list_head uid_list;
-	INIT_LIST_HEAD(&uid_list);
-
-	char chr = 0;
-	loff_t pos = 0;
-	loff_t line_start = 0;
-	char buf[128];
-	for (;;) {
-		ssize_t count = ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
-		if (count != sizeof(chr))
-			break;
-		if (chr != '\n')
-			continue;
-
-		count = ksu_kernel_read_compat(fp, buf, sizeof(buf), &line_start);
-
-		struct uid_data *data =
-			kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
-		if (!data) {
-			goto out;
-		}
-
-		char *tmp = buf;
-		const char *delim = " ";
-		strsep(&tmp, delim); // skip package
-		char *uid = strsep(&tmp, delim);
-		if (!uid) {
-			pr_err("update_uid: uid is NULL!\n");
-			continue;
-		}
-
-		u32 res;
-		if (kstrtou32(uid, 10, &res)) {
-			pr_err("update_uid: uid parse err\n");
-			continue;
-		}
-		data->uid = res;
-		list_add_tail(&data->list, &uid_list);
-		// reset line start
-		line_start = pos;
-	}
-
-	// now update uid list
-	struct uid_data *np;
-	struct uid_data *n;
-
-	// first, check if manager_uid exist!
-	bool manager_exist = false;
-	list_for_each_entry (np, &uid_list, list) {
-		// if manager is installed in work profile, the uid in packages.list is still equals main profile
-		// don't delete it in this case!
-		int manager_uid = ksu_get_manager_uid() % 100000;
-		if (np->uid == manager_uid) {
-			manager_exist = true;
-			break;
-		}
-	}
-
-	if (!manager_exist && ksu_is_manager_uid_valid()) {
-		pr_info("manager is uninstalled, invalidate it!\n");
-		ksu_invalidate_manager_uid();
-	}
-
-	// then prune the allowlist
-	ksu_prune_allowlist(is_uid_exist, &uid_list);
-out:
-	// free uid_list
-	list_for_each_entry_safe (np, n, &uid_list, list) {
-		list_del(&np->list);
-		kfree(np);
-	}
-	filp_close(fp, 0);
-}
-
-void update_uid()
-{
-	ksu_queue_work(&ksu_update_uid_work);
-}
-
-int ksu_uid_observer_init()
-{
-	INIT_WORK(&ksu_update_uid_work, do_update_uid);
-	return 0;
-}
-
-int ksu_uid_observer_exit()
-{
-	return 0;
-}

kernel/uid_observer.h

@@ -1,10 +0,0 @@
-#ifndef __KSU_H_UID_OBSERVER
-#define __KSU_H_UID_OBSERVER
-
-int ksu_uid_observer_init();
-
-int ksu_uid_observer_exit();
-
-void update_uid();
-
-#endif

manager/.gitignore

@@ -1,17 +1,9 @@
 *.iml
 .gradle
-/local.properties
-/.idea/caches
-/.idea/libraries
-/.idea/modules.xml
-/.idea/workspace.xml
-/.idea/navEditor.xml
-/.idea/assetWizardSettings.xml
-.DS_Store
-/build
-/captures
-.externalNativeBuild
-.cxx
 local.properties
-sign.properties
+.idea
+.DS_Store
+build
+captures
+.cxx
 key.jks

manager/.idea/.gitignore

@@ -1,3 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml