kernel: reject v3 and v3.1 signature scheme for manager verification

https://github.com/Vincent4440/noxious_kernel_xiaomi_sm8250  404

https://github.com/SakuraNotStupid  301 > https://github.com/SakuraKyuo

https://github.com/Sanju0910  301 > https://github.com/sreeshankark

https://github.com/zharzinhoo/Kernel-Oriente-Cebu  404

.github/FUNDING.yml

@@ -0,0 +1,5 @@
+# These are supported funding model platforms
+
+github: tiann
+patreon: weishu
+custom: https://vxposed.com/donate.html

.github/ISSUE_TEMPLATE/add_device.yml

@@ -6,7 +6,7 @@ body:
   - type: markdown
     attributes:
       value: |
-        Thanks for supporting KernelSU !
+        Thanks for supporting KernelSU!
   - type: input
     id: repo-url
     attributes:

.github/ISSUE_TEMPLATE/bug_report.md

@@ -11,13 +11,13 @@ assignees: ''
 A clear and concise description of what the bug is.
 
 **To Reproduce**
-Steps to reproduce the behavior:
+Steps to reproduce the behaviour:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
-4. See error
+4. See the error
 
-**Expected behavior**
+**Expected behaviour**
 A clear and concise description of what you expected to happen.
 
 **Screenshots**

.github/ISSUE_TEMPLATE/custom.md

@@ -1,10 +0,0 @@
----
-name: Custom issue template
-about: Describe this issue template's purpose here.
-title: ''
-labels: ''
-assignees: ''
-
----
-
-

.github/ISSUE_TEMPLATE/custom.yml

@@ -0,0 +1,11 @@
+name: Custom issue template
+description: WARNING! If you are reporting a bug but use this template, the issue will be closed directly.
+title: '[Custom]'
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: "Describe your problem."
+    validations:
+      required: true
+

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,20 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,40 @@
+name: Feature Request
+description: "Suggest an idea for this project"
+title: "[Feature]"
+labels: "feature"
+assignees: tiann
+body:
+  - type: markdown
+    id: feature-info
+    attributes:
+      value: "## Feature Infomation"
+  - type: textarea
+    id: feature-main
+    validations:
+      required: true
+    attributes:
+      label: "Is your feature request related to a problem? Please describe."
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+  - type: textarea
+    id: feature-solution
+    validations:
+      required: true
+    attributes:
+      label: "Describe the solution you'd like."
+      description: "A clear and concise description of what you want to happen."
+  - type: textarea
+    id: feature-describe
+    validations:
+      required: true
+    attributes:
+      label: "Describe alternatives you've considered."
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+  - type: textarea
+    id: feature-extra
+    validations:
+      required: false
+    attributes:
+      label: "Additional context"
+      description: "Add any other context or screenshots about the feature request here."
+

.github/scripts/build_a12.sh

@@ -11,7 +11,15 @@ build_from_image() {
 	echo "[+] patch level: $PATCH_LEVEL"
 
 	echo '[+] Download prebuilt ramdisk'
-	curl -Lo gki-kernel.zip https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+    GKI_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-"${PATCH_LEVEL}"_r1.zip
+    FALLBACK_URL=https://dl.google.com/android/gki/gki-certified-boot-android12-5.10-2023-01_r1.zip
+    status=$(curl -sL -w "%{http_code}" "$GKI_URL" -o /dev/null)
+    if [ "$status" = "200" ]; then
+        curl -Lo gki-kernel.zip "$GKI_URL"
+    else
+        echo "[+] $GKI_URL not found, using $FALLBACK_URL"
+        curl -Lo gki-kernel.zip "$FALLBACK_URL"
+    fi
 	unzip gki-kernel.zip && rm gki-kernel.zip
 
 	echo '[+] Unpack prebuilt boot.img'

.github/workflows/add-device.yml

@@ -11,7 +11,7 @@ jobs:
     env:
       ISSUE_CONTENT: ${{ github.event.issue.body }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Parse issue body
         id: handle-add-device
         run: |
@@ -42,12 +42,12 @@ jobs:
         run: |
           echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
           echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: ${{ steps.cpr.outputs.pull-request-number }}
         with:
           message: "Automatically created pull request: ${{ steps.cpr.outputs.pull-request-url }}"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ben-z/actions-comment-on-issue@1.0.2
+      - uses: Kernel-SU/actions-comment-on-issue@master
         if: steps.handle-add-device.outputs.success != 'true'
         with:
           message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
@@ -56,4 +56,4 @@ jobs:
         uses: peter-evans/close-issue@v1
         with:
           issue-number: ${{ github.event.issue.number }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-debug-kernel.yml

@@ -0,0 +1,31 @@
+name: Build debug kernel
+on:
+  workflow_dispatch:
+
+jobs:
+  build-debug-kernel-a12:
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android12-5.10
+      version_name: android12-5.10.185
+      tag: android12-5.10-2023-09
+      os_patch_level: 2023-09
+      patch_path: "5.10"
+      debug: true
+  build-debug-kernel-a13:
+    strategy:
+      matrix:
+        include:
+          - version: "5.10"
+            sub_level: 187
+            os_patch_level: 2023-08
+          - version: "5.15"
+            sub_level: 119
+            os_patch_level: 2023-09
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android13-${{ matrix.version }}
+      version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: true

.github/workflows/build-kernel-a12.yml

@@ -21,6 +21,16 @@ jobs:
     strategy:
       matrix:
         include:
+          - sub_level: 66
+            os_patch_level: 2022-01
+          - sub_level: 81
+            os_patch_level: 2022-03
+          - sub_level: 101
+            os_patch_level: 2022-05
+          - sub_level: 110
+            os_patch_level: 2022-07
+          - sub_level: 117
+            os_patch_level: 2022-09
           - sub_level: 136
             os_patch_level: 2022-11
           - sub_level: 149
@@ -28,7 +38,11 @@ jobs:
           - sub_level: 160
             os_patch_level: 2023-03
           - sub_level: 168
-            os_patch_level: 2023-04
+            os_patch_level: 2023-05
+          - sub_level: 177
+            os_patch_level: 2023-07
+          - sub_level: 185
+            os_patch_level: 2023-09
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -53,7 +67,7 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@v3
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -65,7 +79,7 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=master-kernel-build-2022
+          BRANCH=main-kernel-build-2023
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
@@ -109,7 +123,7 @@ jobs:
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android12-5.10
-      version_name: android12-5.10.160
-      tag: android12-5.10-2023-02
-      os_patch_level: 2023-02
+      version_name: android12-5.10.177
+      tag: android12-5.10-2023-06
+      os_patch_level: 2023-06
       patch_path: "5.10"

.github/workflows/build-kernel-a13.yml

@@ -29,7 +29,19 @@ jobs:
             os_patch_level: 2023-01
           - version: "5.10"
             sub_level: 157
-            os_patch_level: 2023-02
+            os_patch_level: 2023-03
+          - version: "5.10"
+            sub_level: 168
+            os_patch_level: 2023-05
+          - version: "5.10"
+            sub_level: 177
+            os_patch_level: 2023-06
+          - version: "5.10"
+            sub_level: 186
+            os_patch_level: 2023-08
+          - version: "5.10"
+            sub_level: 186
+            os_patch_level: 2023-09
           - version: "5.15"
             sub_level: 41
             os_patch_level: 2022-11
@@ -38,13 +50,23 @@ jobs:
             os_patch_level: 2023-01
           - version: "5.15"
             sub_level: 78
-            os_patch_level: 2023-02
+            os_patch_level: 2023-03
+          - version: "5.15"
+            sub_level: 94
+            os_patch_level: 2023-05
+          - version: "5.15"
+            sub_level: 104
+            os_patch_level: 2023-07
+          - version: "5.15"
+            sub_level: 119
+            os_patch_level: 2023-09
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
       patch_path: ${{ matrix.version }}
   upload-artifacts:
     needs: build-kernel
@@ -62,7 +84,7 @@ jobs:
       - name: Download artifacts
         uses: actions/download-artifact@v3
 
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -74,7 +96,7 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=master-kernel-build-2022
+          BRANCH=main-kernel-build-2023
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
@@ -119,14 +141,14 @@ jobs:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 149
-            os_patch_level: 2022-11
+            sub_level: 187
+            os_patch_level: 2023-08
           - version: "5.15"
-            sub_level: 74
-            os_patch_level: 2023-01
+            sub_level: 119
+            os_patch_level: 2023-09
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-arcvm.yml

@@ -0,0 +1,140 @@
+name: Build Kernel - ChromeOS ARCVM
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-arcvm.yml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        arch: [x86_64]
+        version: ["5.10.178"]
+        include:
+          - arch: x86_64
+            git_tag: chromeos-5.10-arcvm
+            file_name: "bzImage"
+
+    name: Build ChromeOS ARCVM kernel
+    runs-on: ubuntu-20.04
+    env:
+      LTO: thin
+      ROOT_DIR: /
+      KERNEL_DIR: ${{ github.workspace }}/kernel
+
+    steps:
+      - name: Install Build Tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends bc \
+              bison build-essential ca-certificates flex git gnupg \
+              libelf-dev libssl-dev lsb-release software-properties-common wget \
+              libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip \
+              rsync python3 device-tree-compiler
+
+          sudo ln -s --force python3 /usr/bin/python
+
+          export LLVM_VERSION=12
+          wget https://apt.llvm.org/llvm.sh
+          chmod +x llvm.sh
+          sudo ./llvm.sh $LLVM_VERSION
+          rm ./llvm.sh
+          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
+          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
+          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
+          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
+          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
+          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
+          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
+          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
+          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+
+      - name: Checkout KernelSU
+        uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup kernel source
+        run: git clone https://chromium.googlesource.com/chromiumos/third_party/kernel.git -b ${{ matrix.git_tag }} --depth=1
+
+      - name: Setup KernelSU
+        working-directory: kernel
+        run: |
+          echo "[+] KernelSU setup"
+          KERNEL_ROOT=$GITHUB_WORKSPACE/kernel
+          echo "[+] KERNEL_ROOT: $KERNEL_ROOT"
+          echo "[+] Copy KernelSU driver to $KERNEL_ROOT/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
+
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
+          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+
+          echo "[+] Apply KernelSU patches"
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch
+
+          echo "[+] Patch script/setlocalversion"
+          sed -i 's/-dirty//g' $KERNEL_ROOT/scripts/setlocalversion
+
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Build Kernel
+        working-directory: kernel
+        run: |
+          set -a && . build.config.gki.x86_64; set +a
+          export DEFCONFIG=x86_64_arcvm_defconfig
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} mrproper
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} ${DEFCONFIG} < /dev/null
+          scripts/config --file .config -e LTO_CLANG -d LTO_NONE -e LTO_CLANG_THIN -d LTO_CLANG_FULL -e THINLTO
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} -j$(nproc) bzImage modules prepare-objtool
+
+          echo "file_path=${PWD}/arch/x86/boot/bzImage" >> $GITHUB_ENV
+
+      - name: Upload kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+          path: "${{ env.file_path }}"
+
+      - name: Post to Telegram
+        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        env:
+          CHAT_ID: ${{ secrets.CHAT_ID }}
+          CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}
+          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+          COMMIT_URL: ${{ github.event.head_commit.url }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        run: |
+          TITLE=kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+          echo "[+] title: $TITLE"
+          export TITLE
+          export VERSION="${{ env.kernelsu_version }}"
+          echo "[+] Compress images"
+          gzip -n -f -9 "${{ env.file_path }}"
+          echo "[+] Image to upload"
+          ls -l "${{ env.file_path }}.gz"
+          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
+            pip3 install python-telegram-bot
+            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
+          fi

.github/workflows/build-kernel-wsa.yml

@@ -18,41 +18,7 @@ jobs:
     strategy:
       matrix:
         arch: [x86_64, arm64]
-        version: ["5.10.117.2", "5.15.78.1", "5.15.94.1"]
-        include:
-          - arch: x86_64
-            file_name: "bzImage"
-          - arch: arm64
-            file_name: "Image"
-            cross_compile: "aarch64-linux-gnu"
-          - version: "5.10.117.2"
-            arch: x86_64
-            make_config: config-wsa-5.10
-          - version: "5.10.117.2"
-            arch: arm64
-            make_config: config-wsa-arm64-5.10
-          - version: "5.15.78.1"
-            arch: x86_64
-            make_config: config-wsa-x64
-          - version: "5.15.78.1"
-            arch: arm64
-            make_config: config-wsa-arm64
-          - version: "5.15.94.1"
-            arch: x86_64
-            make_config: config-wsa-x64
-          - version: "5.15.94.1"
-            arch: arm64
-            make_config: config-wsa-arm64
-          - version: "5.10.117.2"
-            device_code: latte
-            kernel_version: "5.10"
-          - version: "5.15.78.1"
-            device_code: latte-2
-            kernel_version: "5.15"
-          - version: "5.15.94.1"
-            device_code: latte-2
-            kernel_version: "5.15"
-
+        version: ["5.15.94.2", "5.15.104.1", "5.15.104.2", "5.15.104.3"]
 
     name: Build WSA-Kernel-${{ matrix.version }}-${{ matrix.arch }}
     runs-on: ubuntu-20.04
@@ -67,32 +33,30 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y --no-install-recommends bc bison build-essential ca-certificates flex git gnupg libelf-dev libssl-dev lsb-release software-properties-common wget libncurses-dev binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu nuget gzip
           export LLVM_VERSION=12
-          wget https://apt.llvm.org/llvm.sh
-          chmod +x llvm.sh
-          sudo ./llvm.sh $LLVM_VERSION
-          rm ./llvm.sh
-          sudo ln -s --force /usr/bin/clang-$LLVM_VERSION /usr/bin/clang
-          sudo ln -s --force /usr/bin/ld.lld-$LLVM_VERSION /usr/bin/ld.lld
-          sudo ln -s --force /usr/bin/llvm-objdump-$LLVM_VERSION /usr/bin/llvm-objdump
-          sudo ln -s --force /usr/bin/llvm-ar-$LLVM_VERSION /usr/bin/llvm-ar
-          sudo ln -s --force /usr/bin/llvm-nm-$LLVM_VERSION /usr/bin/llvm-nm
-          sudo ln -s --force /usr/bin/llvm-strip-$LLVM_VERSION /usr/bin/llvm-strip
-          sudo ln -s --force /usr/bin/llvm-objcopy-$LLVM_VERSION /usr/bin/llvm-objcopy
-          sudo ln -s --force /usr/bin/llvm-readelf-$LLVM_VERSION /usr/bin/llvm-readelf
-          sudo ln -s --force /usr/bin/clang++-$LLVM_VERSION /usr/bin/clang++
+          wget -q https://apt.llvm.org/llvm.sh
+          sudo bash ./llvm.sh $LLVM_VERSION
+          cd /usr/bin
+          sudo ln -sf clang-$LLVM_VERSION clang
+          sudo ln -sf ld.lld-$LLVM_VERSION ld.lld
+          sudo ln -sf llvm-objdump-$LLVM_VERSION llvm-objdump
+          sudo ln -sf llvm-ar-$LLVM_VERSION llvm-ar
+          sudo ln -sf llvm-nm-$LLVM_VERSION llvm-nm
+          sudo ln -sf llvm-strip-$LLVM_VERSION llvm-strip
+          sudo ln -sf llvm-objcopy-$LLVM_VERSION llvm-objcopy
+          sudo ln -sf llvm-readelf-$LLVM_VERSION llvm-readelf
+          sudo ln -sf clang++-$LLVM_VERSION clang++
 
       - name: Checkout KernelSU
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: KernelSU
-          ref: main
           fetch-depth: 0
 
       - name: Setup kernel source
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: microsoft/WSA-Linux-Kernel
-          ref: android-lts/${{ matrix.device_code }}/${{ matrix.version }}
+          ref: android-lts/latte-2/${{ matrix.version }}
           path: WSA-Linux-Kernel
 
       - name: Setup Ccache
@@ -114,7 +78,7 @@ jobs:
           DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
           grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
           echo "[+] Apply KernelSU patches"
-          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/${{ matrix.kernel_version }}/*.patch
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.15/*.patch
           echo "[+] KernelSU setup done."
           cd $GITHUB_WORKSPACE/KernelSU
           VERSION=$(($(git rev-list --count HEAD) + 10200))
@@ -124,10 +88,17 @@ jobs:
       - name: Build Kernel
         working-directory: WSA-Linux-Kernel
         run: |
-          cp configs/wsa/${{ matrix.make_config }} .config
+          declare -A ARCH_MAP=(["x86_64"]="x64" ["arm64"]="arm64")
+          cp configs/wsa/config-wsa-${ARCH_MAP[${{ matrix.arch }}]} .config
           make olddefconfig
-          make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} CROSS_COMPILE=${{ matrix.cross_compile }} ${{ matrix.file_name }} CCACHE="/usr/bin/ccache"
-          echo "file_path=WSA-Linux-Kernel/arch/${{ matrix.arch }}/boot/${{ matrix.file_name }}" >> $GITHUB_ENV
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          declare -A FILE_NAME=(["x86_64"]="bzImage" ["arm64"]="Image")
+          make -j`nproc` LLVM=1 ARCH=${{ matrix.arch }} $(if [ "${{ matrix.arch }}" == "arm64" ]; then echo CROSS_COMPILE=aarch64-linux-gnu; fi) ${FILE_NAME[${{ matrix.arch }}]} CCACHE="/usr/bin/ccache"
+          declare -A ARCH_MAP_FILE=(["x86_64"]="x86" ["arm64"]="arm64")
+          echo "file_path=WSA-Linux-Kernel/arch/${ARCH_MAP_FILE[${{ matrix.arch }}]}/boot/${FILE_NAME[${{ matrix.arch }}]}" >> $GITHUB_ENV
 
       - name: Upload kernel-${{ matrix.arch }}-${{ matrix.version }}
         uses: actions/upload-artifact@v3
@@ -136,7 +107,7 @@ jobs:
           path: "${{ env.file_path }}"
 
       - name: Post to Telegram
-        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.ref_type == 'tag'
         env:
           CHAT_ID: ${{ secrets.CHAT_ID }}
           CACHE_CHAT_ID: ${{ secrets.CACHE_CHAT_ID }}

.github/workflows/build-ksud.yml

@@ -2,13 +2,13 @@ name: Build KSUD
 on:
   push:
     branches: [ "main", "ci" ]
-    paths: 
+    paths:
       - '.github/workflows/build-ksud.yml'
       - '.github/workflows/ksud.yml'
       - 'userspace/ksud/**'
   pull_request:
     branches: [ "main" ]
-    paths: 
+    paths:
       - '.github/workflows/build-ksud.yml'
       - '.github/workflows/ksud.yml'
       - 'userspace/ksud/**'

.github/workflows/build-manager.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 

.github/workflows/build-su.yml

@@ -2,20 +2,20 @@ name: Build SU
 on:
   push:
     branches: [ "main" ]
-    paths: 
+    paths:
       - '.github/workflows/build-su.yml'
       - 'userspace/su/**'
       - 'scripts/ksubot.py'
   pull_request:
     branches: [ "main" ]
-    paths: 
+    paths:
       - 'userspace/su/**'
 jobs:
   build-su:
     name: Build userspace su
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Setup need_upload

.github/workflows/clippy.yml

@@ -21,8 +21,9 @@ jobs:
   clippy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-
+      - uses: actions/checkout@v4
+      # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
+      - run: rustup default 1.67.0
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: userspace/ksud

.github/workflows/deploy-website.yml

@@ -16,7 +16,7 @@ jobs:
       run:
         working-directory: ./website
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-node@v3

.github/workflows/gki-kernel.yml

@@ -45,6 +45,10 @@ on:
         description: >
           Artifact name of prebuilt ksud to be embedded
           for example: ksud-aarch64-linux-android
+      debug:
+        required: false
+        type: boolean
+        default: false
     secrets:
       BOOT_SIGN_KEY:
         required: false
@@ -66,7 +70,17 @@ jobs:
       CCACHE_NOHASHDIR: "true"
       CCACHE_HARDLINK: "true"
     steps:
-      - uses: actions/checkout@v3
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 8192
+          temp-reserve-mb: 2048
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+          remove-codeql: 'true'
+
+      - uses: actions/checkout@v4
         with:
           path: KernelSU
           fetch-depth: 0
@@ -82,15 +96,27 @@ jobs:
 
       - name: Setup kernel source
         run: |
+          echo "Free space:"
+          df -h
           cd $GITHUB_WORKSPACE
-          git clone https://gerrit.googlesource.com/git-repo
+          sudo apt-get install repo -y
           mkdir android-kernel && cd android-kernel
-          ../git-repo/repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }}
-          ../git-repo/repo sync -j$(nproc --all)
+          repo init --depth=1 --u https://android.googlesource.com/kernel/manifest -b common-${{ inputs.tag }} --repo-rev=v2.16
+          REMOTE_BRANCH=$(git ls-remote https://android.googlesource.com/kernel/common ${{ inputs.tag }})
+          DEFAULT_MANIFEST_PATH=.repo/manifests/default.xml
+          if grep -q deprecated <<< $REMOTE_BRANCH; then
+            echo "Found deprecated branch: ${{ inputs.tag }}"
+            sed -i 's/"${{ inputs.tag }}"/"deprecated\/${{ inputs.tag }}"/g' $DEFAULT_MANIFEST_PATH
+            cat $DEFAULT_MANIFEST_PATH
+          fi
+          repo --version
+          repo --trace sync -c -j$(nproc --all) --no-tags
+          df -h
 
       - name: Setup KernelSU
         env:
           PATCH_PATH: ${{ inputs.patch_path }}
+          IS_DEBUG_KERNEL: ${{ inputs.debug }}
         run: |
           cd $GITHUB_WORKSPACE/android-kernel
           echo "[+] KernelSU setup"
@@ -103,8 +129,13 @@ jobs:
           grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
           echo "[+] Apply KernelSU patches"
           cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch
-          echo "Patch script/setlocalversion"
+          echo "[+] Patch script/setlocalversion"
           sed -i 's/-dirty//g' $GKI_ROOT/common/scripts/setlocalversion
+
+          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
+            echo "[+] Enable debug features for kernel"
+            echo "ccflags-y += -DCONFIG_KSU_DEBUG" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+          fi
           echo "[+] KernelSU setup done."
 
       - name: Symbol magic
@@ -128,7 +159,12 @@ jobs:
 
       - name: Build boot.img
         working-directory: android-kernel
-        run: CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
+        run: |
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
 
       - name: Prepare artifacts
         id: prepareArtifacts

.github/workflows/ksud.yml

@@ -13,7 +13,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222

.github/workflows/release.yml

@@ -15,12 +15,15 @@ jobs:
     uses: ./.github/workflows/build-kernel-a13.yml
   build-wsa-kernel:
     uses: ./.github/workflows/build-kernel-wsa.yml
+  build-arcvm-kernel:
+    uses: ./.github/workflows/build-kernel-arcvm.yml
   release:
-    needs: 
+    needs:
       - build-manager
       - build-a12-kernel
       - build-a13-kernel
       - build-wsa-kernel
+      - build-arcvm-kernel
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
@@ -43,6 +46,15 @@ jobs:
             fi
           done
 
+      - name: Zip ChromeOS ARCVM kernel
+        run: |
+          for dir in kernel-ARCVM-*; do
+            if [ -d "$dir" ]; then
+              echo "------ Zip $dir ----------"
+              (cd $dir && zip -r9 "$dir".zip ./* -x .git .gitignore ./*.zip && mv *.zip ..)
+            fi
+          done
+
       - name: Display structure of downloaded files
         run: ls -R
 
@@ -54,3 +66,4 @@ jobs:
             AnyKernel3-*.zip
             boot-images-*/Image-*/*.img.gz
             kernel-WSA*.zip
+            kernel-ARCVM*.zip

.github/workflows/rustfmt.yml

@@ -21,13 +21,13 @@ jobs:
   format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: dtolnay/rust-toolchain@nightly
         with:
           components: rustfmt
 
-      - uses: LoliGothick/rustfmt-check@v0.3.1
+      - uses: LoliGothick/rustfmt-check@master
         with:
           token: ${{ github.token }}
-          options: --manifest-path userspace/ksud/Cargo.toml
+          working-directory: userspace/ksud

.github/workflows/shellcheck.yml

@@ -18,7 +18,7 @@ jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@2.0.0

README.md

@@ -1,42 +0,0 @@
-**English** | [简体中文](README_CN.md) | [繁體中文](README_TW.md)
-
-# KernelSU
-
-A Kernel based root solution for Android devices.
-
-## Features
-
-1. Kernel-based `su` and root access management.
-2. Module system based on overlayfs.
-
-## Compatibility State
-
-KernelSU officially supports Android GKI 2.0 devices(with kernel 5.10+), old kernels(4.14+) is also compatiable, but you need to build kernel yourself.
-
-WSA and containter-based Android should also work with KernelSU integrated.
-
-And the current supported ABIs are : `arm64-v8a` and `x86_64`
-
-## Usage
-
-[Installation](https://kernelsu.org/guide/installation.html)
-
-## Build
-
-[How to build?](https://kernelsu.org/guide/how-to-build.html)
-
-### Discussion
-
-- Telegram: [@KernelSU](https://t.me/KernelSU)
-
-## License
-
-- Files under `kernel` directory are [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- All other parts except `kernel` directory are [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
-
-## Credits
-
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): the KernelSU idea.
-- [genuine](https://github.com/brevent/genuine/): apk v2 signature validation.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): some rootkit skills.
-- [Magisk](https://github.com/topjohnwu/Magisk): the sepolicy implementation.

README_CN.md

@@ -1,42 +0,0 @@
-[English](README.md) | **简体中文** | [繁體中文](README_TW.md) 
-
-# KernelSU
-
-一个 Android 上基于内核的 root 方案。
-
-## 特性
-
-- 基于内核的 su 和权限管理。
-- 基于 overlayfs 的模块系统。
-
-## 兼容状态
-
-KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核也是兼容的（最低4.14+），不过需要自己编译内核。
-
-WSA 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
-
-目前支持架构 : `arm64-v8a` 和 `x86_64`
-
-## 使用方法
-
-[安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
-
-## 构建
-
-[如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
-
-### 讨论
-
-- Telegram: [@KernelSU](https://t.me/KernelSU)
-
-## 许可证
-
-- 目录 `kernel` 下所有文件为 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- 除 `kernel` 目录的其他部分均为 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
-
-## 鸣谢
-
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
-- [genuine](https://github.com/brevent/genuine/)：apk v2 签名验证。
-- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
-- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 的实现。

SECURITY.md

@@ -0,0 +1,7 @@
+# Reporting Security Issues
+
+The KernelSU team and community take security bugs in KernelSU seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/tiann/KernelSU/security/advisories/new) tab, or you can mailto [weishu](mailto:twsxtd@gmail.com) directly.
+
+The KernelSU team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

docs/README.md

@@ -0,0 +1,46 @@
+
+**English** | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+A Kernel-based root solution for Android devices.
+
+## Features
+
+1. Kernel-based `su` and root access management.
+2. Module system based on overlayfs.
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Lock up the root power in a cage.
+
+## Compatibility State
+
+KernelSU officially supports Android GKI 2.0 devices (kernel 5.10+). Older kernels (4.14+) are also compatible, but the kernel will have to be built manually.
+
+With this, WSA, ChromeOS, and container-based Android are all supported.
+
+Currently, only `arm64-v8a` and `x86_64` are supported.
+
+## Usage
+
+- [Installation Instruction](https://kernelsu.org/guide/installation.html)
+- [How to build?](https://kernelsu.org/guide/how-to-build.html)
+- [Official Website](https://kernelsu.org/)
+
+## Translation
+
+To help translate KernelSU or improve existing translations, please use [Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## Discussion
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## License
+
+- Files under the `kernel` directory are [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- All other parts except the `kernel` directory are [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Credits
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): the KernelSU idea.
+- [Magisk](https://github.com/topjohnwu/Magisk): the powerful root tool.
+- [genuine](https://github.com/brevent/genuine/): apk v2 signature validation.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): some rootkit skills.

docs/README_CN.md

@@ -0,0 +1,44 @@
+[English](README.md) | [Español](README_ES.md) | **简体中文** | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+一个 Android 上基于内核的 root 方案。
+
+## 特性
+
+- 基于内核的 su 和权限管理。
+- 基于 overlayfs 的模块系统。
+- [App Profile](https://kernelsu.org/guide/app-profile.html): 把 Root 权限关进笼子里。
+
+## 兼容状态
+
+KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核也是兼容的（最低4.14+），不过需要自己编译内核。
+
+WSA, ChromeOS 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
+
+目前支持架构 : `arm64-v8a` 和 `x86_64`
+
+## 使用方法
+
+- [安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
+- [如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
+
+## 参与翻译
+
+要将 KernelSU 翻译成您的语言，或完善现有的翻译，请使用 [Weblate](https://hosted.weblate.org/engage/kernelsu/)。
+
+## 讨论
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## 许可证
+
+- 目录 `kernel` 下所有文件为 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- 除 `kernel` 目录的其他部分均为 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## 鸣谢
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的灵感。
+- [Magisk](https://github.com/topjohnwu/Magisk)：强大的 root 工具箱。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 签名验证。
+- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。

docs/README_ES.md

@@ -0,0 +1,47 @@
+[ 🇬🇧 English](README.md) | 🇪🇸 **Español** | [🇨🇳 简体中文](README_CN.md) | [🇹🇼 繁體中文](README_TW.md) | [ 🇯🇵 日本語](README_JP.md) | [🇵🇱 Polski](README_PL.md) | [🇧🇷 Portuguese-Brazil](README_PT-BR.md) | [🇹🇷 Türkçe](README_TR.md) | [🇷🇺Русский](README_RU.md) | [🇻🇳Tiếng Việt](README_VI.md) | [ɪᴅ indonesia](README_ID.md) | [עברית](README_iw.md) | [🇮🇳हिंदी](README_IN.md)
+
+<div style="display: flex; align-items: center;">
+    <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="">
+    <div style="margin-left: 20px;">
+        <span style="font-size: large; "><b>KernelSU</b></span>
+        <br>
+        <span style="font-size: medium; "><i>Una solución root basada en el kernel para dispositivos Android.</i></span>   
+    </div>
+</div>
+
+## 🚀 Características
+
+**1.** Binario `su` basado en el kernel y gestión de acceso root.<br/>
+**2.** Sistema de módulos basado en **OverlayFS**.
+
+## ✅ Estado de compatibilidad
+
+**KernelSU** soporta de forma oficial dispositivos Android con **GKI 2.0** (a partir de la versión **5.10** del kernel). Los kernels antiguos (a partir de la versión **4.14**) también son compatibles, pero necesitas compilarlos por tu cuenta.
+
+El **Subsistema de Windows para Android (WSA)** e implementaciones de Android basadas en contenedores, como **Waydroid**, también deberían funcionar con **KernelSU** integrado.
+
+Actualmente se soportan las siguientes **ABIs**: `arm64-v8a`; `x86_64`.
+
+## 📖 Uso
+
+[¿Cómo instalarlo?](https://kernelsu.org/guide/installation.html)
+
+## 🔨 Compilación
+
+[¿Cómo compilarlo?](https://kernelsu.org/guide/how-to-build.html)
+
+## 💬 Discusión
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## ⚖️ Licencia
+
+- Los archivos bajo el directorio `kernel` están licenciados bajo [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas las demás partes, a excepción del directorio `kernel`, están licenciados bajo [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## 👥 Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): la idea de **KernelSU**.
+- [genuine](https://github.com/brevent/genuine/): la validación del **esquema de firmas APK v2**.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algunas habilidades de rootkit.
+- [Magisk](https://github.com/topjohnwu/Magisk): la implementación de la **política de SELinux (SEPolicy)**.

docs/README_ID.md

@@ -0,0 +1,45 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portugis-Brasil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | **Indonesia** | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Solusi root berbasis Kernel untuk perangkat Android.
+
+## Fitur
+
+1. Manajemen akses root dan `su` berbasis kernel.
+2. Sistem modul berdasarkan overlayfs.
+3. [Profil Aplikasi](https://kernelsu.org/guide/app-profile.html): Kunci daya root di dalam sangkar.
+
+## Status Kompatibilitas
+
+KernelSU secara resmi mendukung perangkat Android GKI 2.0 (dengan kernel 5.10+), kernel lama (4.14+) juga kompatibel, tetapi Anda perlu membuat kernel sendiri.
+
+WSA, ChromeOS, dan Android berbasis wadah juga dapat bekerja dengan KernelSU terintegrasi.
+
+Dan ABI yang didukung saat ini adalah: `arm64-v8a` dan `x86_64`
+
+## Penggunaan
+
+- [Petunjuk Instalasi](https://kernelsu.org/guide/installation.html)
+- [Bagaimana cara membuat?](https://kernelsu.org/guide/how-to-build.html)
+- [Situs Web Resmi](https://kernelsu.org/)
+
+## Terjemahan
+
+Untuk menerjemahkan KernelSU ke dalam bahasa Anda atau menyempurnakan terjemahan yang sudah ada, harap gunakan [Weblat](https://hosted.weblate.org/engage/kernelsu/).
+
+## Diskusi
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Lisensi
+
+- File di bawah direktori `kernel` adalah [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- Semua bagian lain kecuali direktori `kernel` adalah [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Kredit
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): ide KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): alat root yang ampuh.
+- [genuine](https://github.com/brevent/genuine/): validasi tanda tangan apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): beberapa keterampilan rootkit.

docs/README_IN.md

@@ -0,0 +1,51 @@
+
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) |  **हिंदी**
+
+<div style="display: flex; align-items: center;">
+    <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="">
+    <div style="margin-left: 20px;">
+        <span style="font-size: large; "><b>KernelSU</b></span>
+        <br>
+        <span style="font-size: medium; "><i>Android उपकरणों के लिए कर्नेल-आधारित रूट समाधान।</i></span>   
+    </div>
+</div>
+
+## विशेषताएँ
+
+1. कर्नेल-आधारित `su` और रूट एक्सेस प्रबंधन।
+2. Overlayfs पर आधारित मॉड्यूल प्रणाली।
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Root शक्ति को पिंजरे में बंद कर दो।
+
+## अनुकूलता अवस्था
+
+KernelSU आधिकारिक तौर पर Android GKI 2.0 डिवाइस (कर्नेल 5.10+) का समर्थन करता है। पुराने कर्नेल (4.14+) भी संगत हैं, लेकिन कर्नेल को मैन्युअल रूप से बनाना होगा।
+
+इसके साथ, WSA, ChromeOS और कंटेनर-आधारित Android सभी समर्थित हैं।
+
+वर्तमान में, केवल `arm64-v8a` और `x86_64` समर्थित हैं।
+
+## प्रयोग
+
+- [स्थापना निर्देश](https://kernelsu.org/guide/installation.html)
+- [कैसे बनाना है ?](https://kernelsu.org/guide/how-to-build.html)
+- [आधिकारिक वेबसाइट](https://kernelsu.org/)
+
+## अनुवाद करना
+
+KernelSU का अनुवाद करने या मौजूदा अनुवादों को बेहतर बनाने में सहायता के लिए, कृपया इसका उपयोग करें [Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## बहस
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## लाइसेंस
+
+- `Kernel` निर्देशिका के अंतर्गत फ़ाइलें हैं [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- `Kernel` निर्देशिका को छोड़कर अन्य सभी भाग हैं [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## आभार सूची
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU विचार।
+- [Magisk](https://github.com/topjohnwu/Magisk): शक्तिशाली root उपकरण।
+- [genuine](https://github.com/brevent/genuine/): apk v2 हस्ताक्षर सत्यापन।
+- [Diamorphine](https://github.com/m0nad/Diamorphine): कुछ रूटकिट कौशल।

docs/README_JP.md

@@ -0,0 +1,47 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | **日本語** | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Android におけるカーネルベースの root ソリューションです。
+
+## 特徴
+
+1. カーネルベースの `su` と権限管理
+2. OverlayFS に基づくモジュールシステム
+3. [アプリのプロファイル](https://kernelsu.org/guide/app-profile.html): root の権限をケージ内に閉じ込めます。
+
+
+## 対応状況
+
+KernelSU は GKI 2.0 デバイス（カーネルバージョン 5.10 以上）を公式にサポートしています。古いカーネル（4.14以上）とも互換性がありますが、自分でカーネルをビルドする必要があります。
+
+WSA 、ChromeOS とコンテナ上で動作する Android でも KernelSU を統合して動かせます。
+
+現在サポートしているアーキテクチャは `arm64-v8a` および `x86_64` です。
+
+## 使用方法
+
+- [インストール方法はこちら](https://kernelsu.org/ja_JP/guide/installation.html)
+- [ビルド方法はこちら](https://kernelsu.org/guide/how-to-build.html)
+- [公式サイト](https://kernelsu.org)
+
+## 翻訳
+
+KernelSU をあなたの言語に翻訳するか、既存の翻訳を改善するには、[Weblate](https://hosted.weblate.org/engage/kernelsu/) を使用してください。
+
+## ディスカッション
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## ライセンス
+
+- `kernel` ディレクトリの下にあるすべてのファイル： [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- `kernel` ディレクトリ以外のすべてのファイル： [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## クレジット
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU のアイデア元
+- [Magisk](https://github.com/topjohnwu/Magisk)：強力な root ツール
+- [genuine](https://github.com/brevent/genuine/)：apk v2 の署名検証
+- [Diamorphine](https://github.com/m0nad/Diamorphine): rootkit のスキル
+

docs/README_PL.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | **Polski** | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Rozwiązanie root oparte na jądrze dla urządzeń z systemem Android.
+
+## Cechy
+
+1. Oparte na jądrze `su` i zarządzanie dostępem roota.
+2. System modułów oparty na overlayfs.
+
+## Kompatybilność
+
+KernelSU oficjalnie obsługuje urządzenia z Androidem GKI 2.0 (z jądrem 5.10+), starsze jądra (4.14+) są również kompatybilne, ale musisz sam skompilować jądro.
+
+WSA i Android oparty na kontenerach również powinny działać ze zintegrowanym KernelSU.
+
+Aktualnie obsługiwane ABI to : `arm64-v8a` i `x86_64`.
+
+## Użycie
+
+[Instalacja](https://kernelsu.org/guide/installation.html)
+
+## Kompilacja
+
+[Jak skompilować?](https://kernelsu.org/guide/how-to-build.html)
+
+## Dyskusja
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Licencja
+
+- Pliki w katalogu `kernel` są na licencji [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- Wszystkie inne części poza katalogiem `kernel` są na licencji [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Podziękowania
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): pomysłodawca KernelSU.
+- [genuine](https://github.com/brevent/genuine/): walidacja podpisu apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): cenna znajomość rootkitów.
+- [Magisk](https://github.com/topjohnwu/Magisk): implementacja sepolicy.

docs/README_PT-BR.md

@@ -0,0 +1,46 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | **Português (Brasil)** | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Uma solução root baseada em kernel para dispositivos Android.
+
+## Características
+
+1. `su` e gerenciamento de acesso root baseado em kernel.
+
+2. Sistema modular baseado em overlayfs.
+
+3. [Perfil do Aplicativo](https://kernelsu.org/pt_BR/guide/app-profile.html): Tranque o poder root em uma gaiola.
+
+## Estado de Compatibilidade
+
+O KernelSU oferece suporte oficial a dispositivos Android GKI 2.0 (kernel 5.10+). Kernels mais antigos (4.14+) também são compatíveis, mas o kernel terá que ser construído manualmente.
+
+Com isso, WSA, ChromeOS e Android baseado em contêiner são todos suportados.
+
+Atualmente, apenas `arm64-v8a` e `x86_64` são suportados.
+
+## Uso
+ - [Instalação](https://kernelsu.org/pt_BR/guide/installation.html)
+ - [Como construir o KernelSU?](https://kernelsu.org/pt_BR/guide/how-to-build.html)
+ - [Site oficial](https://kernelsu.org/pt_BR/)
+
+## Tradução
+Para ajudar a traduzir o KernelSU ou melhorar as traduções existentes, use o [Weblate](https://hosted.weblate.org/engage/kernelsu/), por favor.
+
+## Discussão
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Licença
+
+- Os arquivos no diretório `kernel` são [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+
+- Todas as outras partes, exceto o diretório `kernel` são [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): a ideia do KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): a poderosa ferramenta root.
+- [genuine](https://github.com/brevent/genuine/): validação de assinatura apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): algumas habilidades de rootkit.

docs/README_RU.md

@@ -0,0 +1,42 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | **Русский** | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Решение на основе ядра root для Android-устройств.
+
+## Особенности
+
+1. Управление `su` и root-доступом на основе ядра.
+2. Система модулей на основе overlayfs.
+
+## Совместимость
+
+KernelSU официально поддерживает устройства на базе Android GKI 2.0 (с ядром 5.10+), старые ядра (4.14+) также совместимы, но для этого необходимо собрать ядро самостоятельно.
+
+WSA и Android на основе контейнеров также должны работать с интегрированным KernelSU.
+
+В настоящее время поддерживаются следующие ABI: `arm64-v8a` и `x86_64`.
+
+## Использование
+
+[Установка](https://kernelsu.org/ru_RU/guide/installation.html)
+
+## Сборка
+
+[Как собрать?](https://kernelsu.org/ru_RU/guide/how-to-build.html)
+
+## Обсуждение
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Лицензия
+
+- Файлы в директории `kernel` - [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- Все остальные части, кроме директории `kernel` - [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Благодарности
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): идея KernelSU.
+- [genuine](https://github.com/brevent/genuine/): проверка подписи apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): некоторые навыки руткита.
+- [Magisk](https://github.com/topjohnwu/Magisk): реализация sepolicy.

docs/README_TR.md

@@ -0,0 +1,45 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | **Türkçe** | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Android cihazlar için kernel tabanlı bir root çözümü.
+
+## Özellikler
+
+1. Kernel-tabanlı `su` ve root erişimi yönetimi.
+2. Overlayfs'ye dayalı modül sistemi.
+3. [Uygulama profili](https://kernelsu.org/guide/app-profile.html): Root gücünü bir kafese kapatın.
+
+## Uyumluluk Durumu
+
+KernelSU resmi olarak Android GKI 2.0 cihazlarını ( 5.10+ kernelli) destekler, eski kernellerle de (4.14+) uyumludur, ancak kerneli kendinizin inşaa etmesi gerekir.
+
+WSA ve konteyner tabanlı Android'in de, KernelSU ile entegre olarak da çalışması gerekmektedir.
+
+Ve desteklenen mevcut ABI'ler : `arm64-v8a` ve `x86_64`
+
+## Kullanım
+
+- [Yükleme](https://kernelsu.org/guide/installation.html)
+- [Nasıl inşa edilir?](https://kernelsu.org/guide/how-to-build.html)
+- [Resmi WEB sitesi](https://kernelsu.org/)
+
+## Çeviri
+
+KernelSU'yu kendi dilinize çevirmek veya varolan bir çeviriyi geliştirmek istiyorsanız, lütfen [Weblate](https://hosted.weblate.org/engage/kernelsu/)'i kullanın.
+
+## Tartışma
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Lisans
+
+- `kernel` klasöründeki dosyalar [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
+- `kernel` klasörü dışındaki bütün diğer bölümler [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html) lisansı altındadır.
+
+## Krediler
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU fikri.
+- [Magisk](https://github.com/topjohnwu/Magisk): güçlü root aracı.
+- [genuine](https://github.com/brevent/genuine/): apk v2 imza doğrulama.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): bazı rootkit becerileri.

docs/README_TW.md

@@ -1,4 +1,4 @@
-[English](README.md) | [简体中文](README_CN.md) | **繁體中文**
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | **繁體中文** | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
 
 # KernelSU
 

docs/README_VI.md

@@ -0,0 +1,45 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | **Tiếng Việt** | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+
+# KernelSU
+
+Giải pháp root thông qua thay đổi trên Kernel hệ điều hành cho các thiết bị Android.
+
+## Tính năng
+
+1. Hỗ trợ gói thực thi `su` và quản lý quyền root.
+2. Hệ thống mô-đun thông qua overlayfs.
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): Hạn chế quyền root của ứng dụng.
+
+## Tình trạng tương thích
+
+KernelSU chính thức hỗ trợ các thiết bị Android với kernel GKI 2.0 (phiên bản kernel 5.10+), các phiên bản kernel cũ hơn (4.14+) cũng tương thích, nhưng bạn cần phải tự biên dịch.
+
+WSA, ChromeOS và Android dựa trên container(container-based) cũng được hỗ trợ bởi KernelSU.
+
+Hiên tại Giao diện nhị phân của ứng dụng (ABI) được hỗ trợ bao gồm `arm64-v8a` và `x86_64`
+
+## Sử dụng
+
+- [Hướng dẫn cài đặt](https://kernelsu.org/vi_VN/guide/installation.html)
+- [Cách để build?](https://kernelsu.org/vi_VN/guide/how-to-build.html)
+- [Website Chính Thức](https://kernelsu.org/vi_VN/)
+
+## Hỗ trợ dịch
+
+Nếu bạn muốn hỗ trợ dịch KernelSU sang một ngôn ngữ khác hoặc cải thiện các bản dịch trước, vui lòng sử dụng [Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## Thảo luận
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Giấy phép
+
+- Tất cả các file trong thư mục `kernel` dùng giấy phép [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- Tất cả các thành phần khác ngoại trừ thư mục `kernel` dùng giấy phép [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## Lời cảm ơn
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): ý tưởng cho KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): công cụ root mạnh mẽ.
+- [genuine](https://github.com/brevent/genuine/): phương pháp xác thực apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): các phương pháp ẩn của rootkit .

docs/README_iw.md

@@ -0,0 +1,45 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | **עברית** | [हिंदी](README_IN.md)
+
+# KernelSU
+
+פתרון לניהול root מבוסס על Kernel עבור מכשירי Android.
+
+## תכונות
+
+1. ניהול root ו־`su` מבוססים על Kernel.
+2. מערכת מודולים מבוססת overlayfs.
+3. [פרופיל אפליקציה](https://kernelsu.org/guide/app-profile.html): נעילת גישת root בכלוב.
+
+## מצב תאימות
+
+KernelSU תומך במכשירי Android GKI 2.0 (kernel 5.10+) באופן רשמי. לליבות ישנות (4.14+) יש גם תאימות, אך יידרש לבנות את הליבה באופן ידני.
+
+באמצעות זה, תמיכה זמינה גם ל-WSA, ChromeOS ומכשירי Android המבוססים על מיכלים.
+
+כרגע, רק `arm64-v8a` ו־`x86_64` נתמכים.
+
+## שימוש
+
+- [הוראות התקנה](https://kernelsu.org/guide/installation.html)
+- [איך לבנות?](https://kernelsu.org/guide/how-to-build.html)
+- [האתר רשמי](https://kernelsu.org/)
+
+## תרגום
+
+כדי לעזור בתרגום של KernelSU או לשפר תרגומים קיימים, יש להשתמש ב-[Weblate](https://hosted.weblate.org/engage/kernelsu/).
+
+## דיון
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## רשיון
+
+- קבצים תחת הספרייה `kernel` מוגנים על פי [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- כל החלקים האחרים, למעט הספרייה `kernel`, מוגנים על פי [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+
+## קרדיטים
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): הרעיון של KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): הכלי הסופר חזק לניהול root.
+- [genuine](https://github.com/brevent/genuine/): אימות חתימת apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): כמה יכולות רוט.

kernel/.clangd

@@ -1,4 +1,4 @@
 Diagnostics:
   UnusedIncludes: Strict
   ClangTidy:
-    Remove: bugprone-sizeof-expression
+    Remove: bugprone-sizeof-expression

kernel/Kconfig

@@ -1,13 +1,17 @@
+menu "KernelSU"
+
 config KSU
-	tristate "KernelSU module"
-	default y
+	tristate "KernelSU function support"
 	depends on OVERLAY_FS
+	default y
 	help
-	This is the KSU privilege driver for android system.
+	Enable kernel-level root privileges on Android System.
 
 config KSU_DEBUG
-	tristate "KernelSU module debug mode"
-	default n
+	bool "KernelSU debug mode"
 	depends on KSU
+	default n
 	help
-	This enables debug mode for KSU
+	Enable KernelSU debug mode
+
+endmenu

kernel/Makefile

@@ -15,18 +15,27 @@ obj-y += selinux/
 # .git is a text file while the module is imported by 'git submodule add'.
 ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
 KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
-ccflags-y += -DKSU_GIT_VERSION=$(KSU_GIT_VERSION)
+# ksu_version: major * 10000 + git version + 200 for historical reasons
+$(eval KSU_VERSION=$(shell expr 10000 + $(KSU_GIT_VERSION) + 200))
+$(info -- KernelSU version: $(KSU_VERSION))
+ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
+else # If there is no .git file, the default version will be passed.
+$(warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!")
+ccflags-y += -DKSU_VERSION=16
 endif
 
-ifndef EXPECTED_SIZE
-EXPECTED_SIZE := 0x033b
+ifndef KSU_EXPECTED_SIZE
+KSU_EXPECTED_SIZE := 0x033b
 endif
 
-ifndef EXPECTED_HASH
-EXPECTED_HASH := 0xb0b91415
+ifndef KSU_EXPECTED_HASH
+KSU_EXPECTED_HASH := c371061b19d8c7d7d6133c6a9bafe198fa944e50c1b31c9d8daa8d7f1fc2d2d6
 endif
 
-ccflags-y += -DEXPECTED_SIZE=$(EXPECTED_SIZE)
-ccflags-y += -DEXPECTED_HASH=$(EXPECTED_HASH)
+$(info -- KernelSU Manager signature size: $(KSU_EXPECTED_SIZE))
+$(info -- KernelSU Manager signature hash: $(KSU_EXPECTED_HASH))
+
+ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
+ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement
+ccflags-y += -Wno-declaration-after-statement

kernel/allowlist.c

@@ -1,27 +1,91 @@
-#include "linux/delay.h"
+#include "ksu.h"
+#include "linux/compiler.h"
 #include "linux/fs.h"
+#include "linux/gfp.h"
 #include "linux/kernel.h"
 #include "linux/list.h"
 #include "linux/printk.h"
 #include "linux/slab.h"
+#include "linux/types.h"
 #include "linux/version.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
+#include "linux/compiler_types.h"
+#endif
+
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
 #include "kernel_compat.h"
+#include "allowlist.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
-#define FILE_FORMAT_VERSION 1 // u32
+#define FILE_FORMAT_VERSION 3 // u32
+
+#define KSU_APP_PROFILE_PRESERVE_UID 9999 // NOBODY_UID
+#define KSU_DEFAULT_SELINUX_DOMAIN "u:r:su:s0"
 
 static DEFINE_MUTEX(allowlist_mutex);
 
+// default profiles, these may be used frequently, so we cache it
+static struct root_profile default_root_profile;
+static struct non_root_profile default_non_root_profile;
+
+static int allow_list_arr[PAGE_SIZE / sizeof(int)] __read_mostly __aligned(PAGE_SIZE);
+static int allow_list_pointer __read_mostly = 0;
+
+static void remove_uid_from_arr(uid_t uid)
+{
+	int *temp_arr;
+	int i, j;
+
+	if (allow_list_pointer == 0)
+		return;
+
+	temp_arr = kmalloc(sizeof(allow_list_arr), GFP_KERNEL);
+	if (temp_arr == NULL) {
+		pr_err("%s: unable to allocate memory\n", __func__);
+		return;
+	}
+
+	for (i = j = 0; i < allow_list_pointer; i++) {
+		if (allow_list_arr[i] == uid)
+			continue;
+		temp_arr[j++] = allow_list_arr[i];
+	}
+
+	allow_list_pointer = j;
+
+	for (; j < ARRAY_SIZE(allow_list_arr); j++)
+		temp_arr[j] = -1;
+
+	memcpy(&allow_list_arr, temp_arr, PAGE_SIZE);
+	kfree(temp_arr);
+}
+
+static void init_default_profiles()
+{
+	default_root_profile.uid = 0;
+	default_root_profile.gid = 0;
+	default_root_profile.groups_count = 1;
+	default_root_profile.groups[0] = 0;
+	memset(&default_root_profile.capabilities, 0xff,
+	       sizeof(default_root_profile.capabilities));
+	default_root_profile.namespaces = 0;
+	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+
+	// This means that we will umount modules by default!
+	default_non_root_profile.umount_modules = true;
+}
+
 struct perm_data {
 	struct list_head list;
-	uid_t uid;
-	bool allow;
+	struct app_profile profile;
 };
 
 static struct list_head allow_list;
 
+static uint8_t allow_list_bitmap[PAGE_SIZE] __read_mostly __aligned(PAGE_SIZE);
+#define BITMAP_UID_MAX ((sizeof(allow_list_bitmap) * BITS_PER_BYTE) - 1)
+
 #define KERNEL_SU_ALLOWLIST "/data/adb/ksu/.allowlist"
 
 static struct work_struct ksu_save_work;
@@ -33,70 +97,234 @@ void ksu_show_allow_list(void)
 {
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
-	pr_info("ksu_show_allow_list");
+	pr_info("ksu_show_allow_list\n");
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("uid :%d, allow: %d\n", p->uid, p->allow);
+		pr_info("uid :%d, allow: %d\n", p->profile.current_uid,
+			p->profile.allow_su);
 	}
 }
 
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist)
+#ifdef CONFIG_KSU_DEBUG
+static void ksu_grant_root_to_shell()
+{
+	struct app_profile profile = {
+		.allow_su = true,
+		.current_uid = 2000,
+	};
+	strcpy(profile.key, "com.android.shell");
+	strcpy(profile.rp_config.profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
+	ksu_set_app_profile(&profile, false);
+}
+#endif
+
+bool ksu_get_app_profile(struct app_profile *profile)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+	bool found = false;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		bool uid_match = profile->current_uid == p->profile.current_uid;
+		if (uid_match) {
+			// found it, override it with ours
+			memcpy(profile, &p->profile, sizeof(*profile));
+			found = true;
+			goto exit;
+		}
+	}
+
+exit:
+	return found;
+}
+
+static inline bool forbid_system_uid(uid_t uid) {
+	#define SHELL_UID 2000
+	#define SYSTEM_UID 1000
+	return uid < SHELL_UID && uid != SYSTEM_UID;
+}
+
+static bool profile_valid(struct app_profile *profile)
+{
+	if (!profile) {
+		return false;
+	}
+
+	if (forbid_system_uid(profile->current_uid)) {
+		pr_err("uid lower than 2000 is unsupported: %d\n", profile->current_uid);
+		return false;
+	}
+
+	if (profile->version < KSU_APP_PROFILE_VER) {
+		pr_info("Unsupported profile version: %d\n", profile->version);
+		return false;
+	}
+
+	if (profile->allow_su) {
+		if (profile->rp_config.profile.groups_count > KSU_MAX_GROUPS) {
+			return false;
+		}
+
+		if (strlen(profile->rp_config.profile.selinux_domain) == 0) {
+			return false;
+		}
+	}
+
+	return true;
+}
+
+bool ksu_set_app_profile(struct app_profile *profile, bool persist)
 {
-	// find the node first!
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	bool result = false;
+
+	if (!profile_valid(profile)) {
+		pr_err("Failed to set app profile: invalid profile!\n");
+		return false;
+	}
+
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		if (uid == p->uid) {
-			p->allow = allow;
+		// both uid and package must match, otherwise it will break multiple package with different user id
+		if (profile->current_uid == p->profile.current_uid &&
+		    !strcmp(profile->key, p->profile.key)) {
+			// found it, just override it all!
+			memcpy(&p->profile, profile, sizeof(*profile));
 			result = true;
-			goto exit;
+			goto out;
 		}
 	}
 
 	// not found, alloc a new node!
 	p = (struct perm_data *)kmalloc(sizeof(struct perm_data), GFP_KERNEL);
 	if (!p) {
-		pr_err("alloc allow node failed.\n");
+		pr_err("ksu_set_app_profile alloc failed\n");
 		return false;
 	}
-	p->uid = uid;
-	p->allow = allow;
-
-	pr_info("allow_uid: %d, allow: %d", uid, allow);
 
+	memcpy(&p->profile, profile, sizeof(*profile));
+	if (profile->allow_su) {
+		pr_info("set root profile, key: %s, uid: %d, gid: %d, context: %s\n",
+			profile->key, profile->current_uid,
+			profile->rp_config.profile.gid,
+			profile->rp_config.profile.selinux_domain);
+	} else {
+		pr_info("set app profile, key: %s, uid: %d, umount modules: %d\n",
+			profile->key, profile->current_uid,
+			profile->nrp_config.profile.umount_modules);
+	}
 	list_add_tail(&p->list, &allow_list);
+
+out:
+	if (profile->current_uid <= BITMAP_UID_MAX) {
+		if (profile->allow_su)
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] |= 1 << (profile->current_uid % BITS_PER_BYTE);
+		else
+			allow_list_bitmap[profile->current_uid / BITS_PER_BYTE] &= ~(1 << (profile->current_uid % BITS_PER_BYTE));
+	} else {
+		if (profile->allow_su) {
+			/*
+			 * 1024 apps with uid higher than BITMAP_UID_MAX
+			 * registered to request superuser?
+			 */
+			if (allow_list_pointer >= ARRAY_SIZE(allow_list_arr)) {
+				pr_err("too many apps registered\n");
+				WARN_ON(1);
+				return false;
+			}
+			allow_list_arr[allow_list_pointer++] = profile->current_uid;
+		} else {
+			remove_uid_from_arr(profile->current_uid);
+		}
+	}
 	result = true;
 
-exit:
+	// check if the default profiles is changed, cache it to a single struct to accelerate access.
+	if (unlikely(!strcmp(profile->key, "$"))) {
+		// set default non root profile
+		memcpy(&default_non_root_profile, &profile->nrp_config.profile,
+		       sizeof(default_non_root_profile));
+	}
+
+	if (unlikely(!strcmp(profile->key, "#"))) {
+		// set default root profile
+		memcpy(&default_root_profile, &profile->rp_config.profile,
+		       sizeof(default_root_profile));
+	}
+
 	if (persist)
 		persistent_allow_list();
 
 	return result;
 }
 
-bool ksu_is_allow_uid(uid_t uid)
+bool __ksu_is_allow_uid(uid_t uid)
 {
-	struct perm_data *p = NULL;
-	struct list_head *pos = NULL;
+	int i;
 
-	if (uid == 0) {
+	if (unlikely(uid == 0)) {
 		// already root, but only allow our domain.
 		return is_ksu_domain();
 	}
 
-	list_for_each (pos, &allow_list) {
-		p = list_entry(pos, struct perm_data, list);
-		// pr_info("is_allow_uid uid :%d, allow: %d\n", p->uid, p->allow);
-		if (uid == p->uid) {
-			return p->allow;
+	if (forbid_system_uid(uid)) {
+		// do not bother going through the list if it's system
+		return false;
+	}
+
+	if (likely(uid <= BITMAP_UID_MAX)) {
+		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] & (1 << (uid % BITS_PER_BYTE)));
+	} else {
+		for (i = 0; i < allow_list_pointer; i++) {
+			if (allow_list_arr[i] == uid)
+				return true;
 		}
 	}
 
 	return false;
 }
 
+bool ksu_uid_should_umount(uid_t uid)
+{
+	struct app_profile profile = { .current_uid = uid };
+	bool found = ksu_get_app_profile(&profile);
+	if (!found) {
+		// no app profile found, it must be non root app
+		return default_non_root_profile.umount_modules;
+	}
+	if (profile.allow_su) {
+		// if found and it is granted to su, we shouldn't umount for it
+		return false;
+	} else {
+		// found an app profile
+		if (profile.nrp_config.use_default) {
+			return default_non_root_profile.umount_modules;
+		} else {
+			return profile.nrp_config.profile.umount_modules;
+		}
+	}
+}
+
+struct root_profile *ksu_get_root_profile(uid_t uid)
+{
+	struct perm_data *p = NULL;
+	struct list_head *pos = NULL;
+
+	list_for_each (pos, &allow_list) {
+		p = list_entry(pos, struct perm_data, list);
+		if (uid == p->profile.current_uid && p->profile.allow_su) {
+			if (!p->profile.rp_config.use_default) {
+				return &p->profile.rp_config.profile;
+			}
+		}
+	}
+
+	// use default profile
+	return &default_root_profile;
+}
+
 bool ksu_get_allow_list(int *array, int *length, bool allow)
 {
 	struct perm_data *p = NULL;
@@ -105,8 +333,8 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
 		// pr_info("get_allow_list uid: %d allow: %d\n", p->uid, p->allow);
-		if (p->allow == allow) {
-			array[i++] = p->uid;
+		if (p->profile.allow_su == allow) {
+			array[i++] = p->profile.current_uid;
 		}
 	}
 	*length = i;
@@ -114,24 +342,24 @@ bool ksu_get_allow_list(int *array, int *length, bool allow)
 	return true;
 }
 
-void do_persistent_allow_list(struct work_struct *work)
+void do_save_allow_list(struct work_struct *work)
 {
 	u32 magic = FILE_MAGIC;
 	u32 version = FILE_FORMAT_VERSION;
 	struct perm_data *p = NULL;
 	struct list_head *pos = NULL;
 	loff_t off = 0;
-	KWORKER_INSTALL_KEYRING();
-	struct file *fp =
-		filp_open(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 
+	struct file *fp =
+		ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_WRONLY | O_CREAT, 0644);
 	if (IS_ERR(fp)) {
-		pr_err("save_allow_list creat file failed: %d\n", PTR_ERR(fp));
+		pr_err("save_allow_list create file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// store magic and version
-	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic)) {
+	if (ksu_kernel_write_compat(fp, &magic, sizeof(magic), &off) !=
+	    sizeof(magic)) {
 		pr_err("save_allow_list write magic failed.\n");
 		goto exit;
 	}
@@ -144,10 +372,12 @@ void do_persistent_allow_list(struct work_struct *work)
 
 	list_for_each (pos, &allow_list) {
 		p = list_entry(pos, struct perm_data, list);
-		pr_info("save allow list uid :%d, allow: %d\n", p->uid,
-			p->allow);
-		ksu_kernel_write_compat(fp, &p->uid, sizeof(p->uid), &off);
-		ksu_kernel_write_compat(fp, &p->allow, sizeof(p->allow), &off);
+		pr_info("save allow list, name: %s uid :%d, allow: %d\n",
+			p->profile.key, p->profile.current_uid,
+			p->profile.allow_su);
+
+		ksu_kernel_write_compat(fp, &p->profile, sizeof(p->profile),
+					&off);
 	}
 
 exit:
@@ -161,29 +391,22 @@ void do_load_allow_list(struct work_struct *work)
 	struct file *fp = NULL;
 	u32 magic;
 	u32 version;
-	KWORKER_INSTALL_KEYRING();
+
+#ifdef CONFIG_KSU_DEBUG
+	// always allow adb shell by default
+	ksu_grant_root_to_shell();
+#endif
 
 	// load allowlist now!
-	fp = filp_open(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
-
+	fp = ksu_filp_open_compat(KERNEL_SU_ALLOWLIST, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
-#ifdef CONFIG_KSU_DEBUG
-		int errno = PTR_ERR(fp);
-		if (errno == -ENOENT) {
-			ksu_allow_uid(2000, true,
-				      true); // allow adb shell by default
-		} else {
-			pr_err("load_allow_list open file failed: %d\n",
-			       PTR_ERR(fp));
-		}
-#else
-		pr_err("load_allow_list open file failed: %d\n", PTR_ERR(fp));
-#endif
+		pr_err("load_allow_list open file failed: %ld\n", PTR_ERR(fp));
 		return;
 	}
 
 	// verify magic
-	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) != sizeof(magic) ||
+	if (ksu_kernel_read_compat(fp, &magic, sizeof(magic), &off) !=
+		    sizeof(magic) ||
 	    magic != FILE_MAGIC) {
 		pr_err("allowlist file invalid: %d!\n", magic);
 		goto exit;
@@ -198,18 +421,19 @@ void do_load_allow_list(struct work_struct *work)
 	pr_info("allowlist version: %d\n", version);
 
 	while (true) {
-		u32 uid;
-		bool allow = false;
-		ret = ksu_kernel_read_compat(fp, &uid, sizeof(uid), &off);
+		struct app_profile profile;
+
+		ret = ksu_kernel_read_compat(fp, &profile, sizeof(profile),
+					     &off);
+
 		if (ret <= 0) {
-			pr_info("load_allow_list read err: %d\n", ret);
+			pr_info("load_allow_list read err: %zd\n", ret);
 			break;
 		}
-		ret = ksu_kernel_read_compat(fp, &allow, sizeof(allow), &off);
 
-		pr_info("load_allow_uid: %d, allow: %d\n", uid, allow);
-
-		ksu_allow_uid(uid, allow, false);
+		pr_info("load_allow_uid, name: %s, uid: %d, allow: %d\n",
+			profile.key, profile.current_uid, profile.allow_su);
+		ksu_set_app_profile(&profile, false);
 	}
 
 exit:
@@ -226,11 +450,16 @@ void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data)
 	// TODO: use RCU!
 	mutex_lock(&allowlist_mutex);
 	list_for_each_entry_safe (np, n, &allow_list, list) {
-		uid_t uid = np->uid;
-		if (!is_uid_exist(uid, data)) {
+		uid_t uid = np->profile.current_uid;
+		// we use this uid for special cases, don't prune it!
+		bool is_preserved_uid = uid == KSU_APP_PROFILE_PRESERVE_UID;
+		if (!is_preserved_uid && !is_uid_exist(uid, data)) {
 			modified = true;
 			pr_info("prune uid: %d\n", uid);
 			list_del(&np->list);
+			allow_list_bitmap[uid / BITS_PER_BYTE] &= ~(1 << (uid % BITS_PER_BYTE));
+			remove_uid_from_arr(uid);
+			smp_mb();
 			kfree(np);
 		}
 	}
@@ -254,10 +483,20 @@ bool ksu_load_allow_list(void)
 
 void ksu_allowlist_init(void)
 {
+	int i;
+
+	BUILD_BUG_ON(sizeof(allow_list_bitmap) != PAGE_SIZE);
+	BUILD_BUG_ON(sizeof(allow_list_arr) != PAGE_SIZE);
+
+	for (i = 0; i < ARRAY_SIZE(allow_list_arr); i++)
+		allow_list_arr[i] = -1;
+
 	INIT_LIST_HEAD(&allow_list);
 
-	INIT_WORK(&ksu_save_work, do_persistent_allow_list);
+	INIT_WORK(&ksu_save_work, do_save_allow_list);
 	INIT_WORK(&ksu_load_work, do_load_allow_list);
+
+	init_default_profiles();
 }
 
 void ksu_allowlist_exit(void)
@@ -265,7 +504,7 @@ void ksu_allowlist_exit(void)
 	struct perm_data *np = NULL;
 	struct perm_data *n = NULL;
 
-	do_persistent_allow_list(NULL);
+	do_save_allow_list(NULL);
 
 	// free allowlist
 	mutex_lock(&allowlist_mutex);
@@ -274,4 +513,4 @@ void ksu_allowlist_exit(void)
 		kfree(np);
 	}
 	mutex_unlock(&allowlist_mutex);
-}
+}

kernel/allowlist.h

@@ -2,6 +2,7 @@
 #define __KSU_H_ALLOWLIST
 
 #include "linux/types.h"
+#include "ksu.h"
 
 void ksu_allowlist_init(void);
 
@@ -11,12 +12,16 @@ bool ksu_load_allow_list(void);
 
 void ksu_show_allow_list(void);
 
-bool ksu_is_allow_uid(uid_t uid);
-
-bool ksu_allow_uid(uid_t uid, bool allow, bool persist);
+bool __ksu_is_allow_uid(uid_t uid);
+#define ksu_is_allow_uid(uid) unlikely(__ksu_is_allow_uid(uid))
 
 bool ksu_get_allow_list(int *array, int *length, bool allow);
 
 void ksu_prune_allowlist(bool (*is_uid_exist)(uid_t, void *), void *data);
 
-#endif
+bool ksu_get_app_profile(struct app_profile *);
+bool ksu_set_app_profile(struct app_profile *, bool persist);
+
+bool ksu_uid_should_umount(uid_t uid);
+struct root_profile *ksu_get_root_profile(uid_t uid);
+#endif

kernel/apk_sign.c

@@ -1,12 +1,122 @@
+#include "linux/err.h"
 #include "linux/fs.h"
+#include "linux/gfp.h"
+#include "linux/kernel.h"
 #include "linux/moduleparam.h"
 
 #include "apk_sign.h"
 #include "klog.h" // IWYU pragma: keep
 #include "kernel_compat.h"
+#include "crypto/hash.h"
+#include "linux/slab.h"
+#include "linux/version.h"
 
-static __always_inline int
-check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+#include "crypto/sha2.h"
+#else
+#include "crypto/sha.h"
+#endif
+
+struct sdesc {
+	struct shash_desc shash;
+	char ctx[];
+};
+
+static struct sdesc *init_sdesc(struct crypto_shash *alg)
+{
+	struct sdesc *sdesc;
+	int size;
+
+	size = sizeof(struct shash_desc) + crypto_shash_descsize(alg);
+	sdesc = kmalloc(size, GFP_KERNEL);
+	if (!sdesc)
+		return ERR_PTR(-ENOMEM);
+	sdesc->shash.tfm = alg;
+	return sdesc;
+}
+
+static int calc_hash(struct crypto_shash *alg, const unsigned char *data,
+		     unsigned int datalen, unsigned char *digest)
+{
+	struct sdesc *sdesc;
+	int ret;
+
+	sdesc = init_sdesc(alg);
+	if (IS_ERR(sdesc)) {
+		pr_info("can't alloc sdesc\n");
+		return PTR_ERR(sdesc);
+	}
+
+	ret = crypto_shash_digest(&sdesc->shash, data, datalen, digest);
+	kfree(sdesc);
+	return ret;
+}
+
+static int ksu_sha256(const unsigned char *data, unsigned int datalen,
+		unsigned char *digest)
+{
+	struct crypto_shash *alg;
+	char *hash_alg_name = "sha256";
+	int ret;
+
+	alg = crypto_alloc_shash(hash_alg_name, 0, 0);
+	if (IS_ERR(alg)) {
+		pr_info("can't alloc alg %s\n", hash_alg_name);
+		return PTR_ERR(alg);
+	}
+	ret = calc_hash(alg, data, datalen, digest);
+	crypto_free_shash(alg);
+	return ret;
+}
+
+static bool check_block(struct file *fp, u32 *size4, loff_t *pos, u32 *offset,
+			unsigned expected_size, const char* expected_sha256)
+{
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer-sequence length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signer length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // signed data length
+
+	*offset += 0x4 * 3;
+
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // digests-sequence length
+
+	*pos += *size4;
+	*offset += 0x4 + *size4;
+
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificates length
+	ksu_kernel_read_compat(fp, size4, 0x4, pos); // certificate length
+	*offset += 0x4 * 2;
+
+	if (*size4 == expected_size) {
+		*offset += *size4;
+
+		#define CERT_MAX_LENGTH 1024
+		char cert[CERT_MAX_LENGTH];
+		if (*size4 > CERT_MAX_LENGTH) {
+			pr_info("cert length overlimit\n");
+			return false;
+		}
+		ksu_kernel_read_compat(fp, cert, *size4, pos);
+		unsigned char digest[SHA256_DIGEST_SIZE];
+		if (IS_ERR(ksu_sha256(cert, *size4, digest))) {
+			pr_info("sha256 error\n");
+			return false;
+		}
+
+		char hash_str[SHA256_DIGEST_SIZE * 2 + 1];
+		hash_str[SHA256_DIGEST_SIZE * 2] = '\0';
+
+		bin2hex(hash_str, digest, SHA256_DIGEST_SIZE);
+		pr_info("sha256: %s, expected: %s\n", hash_str, expected_sha256);
+		if (strcmp(expected_sha256, hash_str) == 0) {
+			return true;
+		}
+	}
+	return false;
+}
+
+static __always_inline bool
+check_v2_signature(char *path, unsigned expected_size, const char *expected_sha256)
 {
 	unsigned char buffer[0x11] = { 0 };
 	u32 size4;
@@ -14,18 +124,20 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 
 	loff_t pos;
 
-	int sign = -1;
+	bool v2_signing_valid = false;
+	bool v3_signing_exist = false;
+	bool v3_1_signing_exist = false;
+
 	int i;
-	struct file *fp = filp_open(path, O_RDONLY, 0);
+	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
-		pr_err("open %s error.", path);
+		pr_err("open %s error.\n", path);
 		return PTR_ERR(fp);
 	}
 
 	// disable inotify for this file
 	fp->f_mode |= FMODE_NONOTIFY;
 
-	sign = 1;
 	// https://en.wikipedia.org/wiki/Zip_(file_format)#End_of_central_directory_record_(EOCD)
 	for (i = 0;; ++i) {
 		unsigned short n;
@@ -64,59 +176,23 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 	for (;;) {
 		uint32_t id;
 		uint32_t offset;
-		ksu_kernel_read_compat(fp, &size8, 0x8, &pos); // sequence length
+		ksu_kernel_read_compat(fp, &size8, 0x8,
+				       &pos); // sequence length
 		if (size8 == size_of_block) {
 			break;
 		}
 		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
 		offset = 4;
 		pr_info("id: 0x%08x\n", id);
-		if ((id ^ 0xdeadbeefu) == 0xafa439f5u ||
-		    (id ^ 0xdeadbeefu) == 0x2efed62f) {
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // signer-sequence length
-			ksu_kernel_read_compat(fp, &size4, 0x4, &pos); // signer length
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // signed data length
-			offset += 0x4 * 3;
-
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // digests-sequence length
-			pos += size4;
-			offset += 0x4 + size4;
-
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // certificates length
-			ksu_kernel_read_compat(fp, &size4, 0x4,
-				    &pos); // certificate length
-			offset += 0x4 * 2;
-#if 0
-			int hash = 1;
-			signed char c;
-			for (i = 0; i < size4; ++i) {
-				ksu_kernel_read_compat(fp, &c, 0x1, &pos);
-				hash = 31 * hash + c;
-			}
-			offset += size4;
-			pr_info("    size: 0x%04x, hash: 0x%08x\n", size4, ((unsigned) hash) ^ 0x14131211u);
-#else
-			if (size4 == expected_size) {
-				int hash = 1;
-				signed char c;
-				for (i = 0; i < size4; ++i) {
-					ksu_kernel_read_compat(fp, &c, 0x1, &pos);
-					hash = 31 * hash + c;
-				}
-				offset += size4;
-				if ((((unsigned)hash) ^ 0x14131211u) ==
-				    expected_hash) {
-					sign = 0;
-					break;
-				}
-			}
-			// don't try again.
-			break;
-#endif
+		if (id == 0x7109871au) {
+			v2_signing_valid = check_block(fp, &size4, &pos, &offset,
+						  expected_size, expected_sha256);
+		} else if (id == 0xf05368c0u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#73
+			v3_signing_exist = true;
+		} else if (id == 0x1b93ad61u) {
+			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#74
+			v3_1_signing_exist = true;
 		}
 		pos += (size8 - offset);
 	}
@@ -124,13 +200,18 @@ check_v2_signature(char *path, unsigned expected_size, unsigned expected_hash)
 clean:
 	filp_close(fp, 0);
 
-	return sign;
+	if (v3_signing_exist || v3_1_signing_exist) {
+		pr_err("Unexpected v3 signature scheme found!\n");
+		return false;
+	}
+
+	return v2_signing_valid;
 }
 
 #ifdef CONFIG_KSU_DEBUG
 
 unsigned ksu_expected_size = EXPECTED_SIZE;
-unsigned ksu_expected_hash = EXPECTED_HASH;
+const char *ksu_expected_hash = EXPECTED_HASH;
 
 #include "manager.h"
 
@@ -138,15 +219,16 @@ static int set_expected_size(const char *val, const struct kernel_param *kp)
 {
 	int rv = param_set_uint(val, kp);
 	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_size set to %x", ksu_expected_size);
+	pr_info("ksu_expected_size set to %x\n", ksu_expected_size);
 	return rv;
 }
 
 static int set_expected_hash(const char *val, const struct kernel_param *kp)
 {
-	int rv = param_set_uint(val, kp);
+	pr_info("set_expected_hash: %s\n", val);
+	int rv = param_set_charp(val, kp);
 	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_hash set to %x", ksu_expected_hash);
+	pr_info("ksu_expected_hash set to %s\n", ksu_expected_hash);
 	return rv;
 }
 
@@ -157,7 +239,8 @@ static struct kernel_param_ops expected_size_ops = {
 
 static struct kernel_param_ops expected_hash_ops = {
 	.set = set_expected_hash,
-	.get = param_get_uint,
+	.get = param_get_charp,
+	.free = param_free_charp,
 };
 
 module_param_cb(ksu_expected_size, &expected_size_ops, &ksu_expected_size,
@@ -165,14 +248,14 @@ module_param_cb(ksu_expected_size, &expected_size_ops, &ksu_expected_size,
 module_param_cb(ksu_expected_hash, &expected_hash_ops, &ksu_expected_hash,
 		S_IRUSR | S_IWUSR);
 
-int is_manager_apk(char *path)
+bool is_manager_apk(char *path)
 {
 	return check_v2_signature(path, ksu_expected_size, ksu_expected_hash);
 }
 
 #else
 
-int is_manager_apk(char *path)
+bool is_manager_apk(char *path)
 {
 	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
 }

kernel/apk_sign.h

@@ -1,7 +1,8 @@
 #ifndef __KSU_H_APK_V2_SIGN
 #define __KSU_H_APK_V2_SIGN
 
-// return 0 if signature match
-int is_manager_apk(char *path);
+#include "linux/types.h"
 
-#endif
+bool is_manager_apk(char *path);
+
+#endif

kernel/arch.h

@@ -8,7 +8,8 @@
 #define __PT_PARM1_REG regs[0]
 #define __PT_PARM2_REG regs[1]
 #define __PT_PARM3_REG regs[2]
-#define __PT_PARM4_REG regs[3]
+#define __PT_SYSCALL_PARM4_REG regs[3]
+#define __PT_CCALL_PARM4_REG regs[3]
 #define __PT_PARM5_REG regs[4]
 #define __PT_PARM6_REG regs[5]
 #define __PT_RET_REG regs[30]
@@ -29,8 +30,8 @@
 #define __PT_PARM2_REG si
 #define __PT_PARM3_REG dx
 /* syscall uses r10 for PARM4 */
-#define __PT_PARM4_REG r10
-// #define __PT_PARM4_REG cx
+#define __PT_SYSCALL_PARM4_REG r10
+#define __PT_CCALL_PARM4_REG cx
 #define __PT_PARM5_REG r8
 #define __PT_PARM6_REG r9
 #define __PT_RET_REG sp
@@ -56,7 +57,8 @@
 #define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
 #define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
 #define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
-#define PT_REGS_PARM4(x) (__PT_REGS_CAST(x)->__PT_PARM4_REG)
+#define PT_REGS_SYSCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_SYSCALL_PARM4_REG)
+#define PT_REGS_CCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_CCALL_PARM4_REG)
 #define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
 #define PT_REGS_PARM6(x) (__PT_REGS_CAST(x)->__PT_PARM6_REG)
 #define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)

kernel/core_hook.c

@@ -1,7 +1,9 @@
+#include "linux/capability.h"
 #include "linux/cred.h"
 #include "linux/dcache.h"
 #include "linux/err.h"
 #include "linux/init.h"
+#include "linux/init_task.h"
 #include "linux/kernel.h"
 #include "linux/kprobes.h"
 #include "linux/lsm_hooks.h"
@@ -53,24 +55,85 @@ static inline bool is_isolated_uid(uid_t uid)
 
 static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
 
+static void setup_groups(struct root_profile *profile, struct cred *cred)
+{
+	if (profile->groups_count > KSU_MAX_GROUPS) {
+		pr_warn("Failed to setgroups, too large group: %d!\n",
+			profile->uid);
+		return;
+	}
+
+	if (profile->groups_count == 1 && profile->groups[0] == 0) {
+		// setgroup to root and return early.
+		if (cred->group_info)
+			put_group_info(cred->group_info);
+		cred->group_info = get_group_info(&root_groups);
+		return;
+	}
+
+	u32 ngroups = profile->groups_count;
+	struct group_info *group_info = groups_alloc(ngroups);
+	if (!group_info) {
+		pr_warn("Failed to setgroups, ENOMEM for: %d\n", profile->uid);
+		return;
+	}
+
+	int i;
+	for (i = 0; i < ngroups; i++) {
+		gid_t gid = profile->groups[i];
+		kgid_t kgid = make_kgid(current_user_ns(), gid);
+		if (!gid_valid(kgid)) {
+			pr_warn("Failed to setgroups, invalid gid: %d\n", gid);
+			put_group_info(group_info);
+			return;
+		}
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
+		group_info->gid[i] = kgid;
+#else
+		GROUP_AT(group_info, i) = kgid;
+#endif
+	}
+
+	groups_sort(group_info);
+	set_groups(cred, group_info);
+}
+
 void escape_to_root(void)
 {
 	struct cred *cred;
 
 	cred = (struct cred *)__task_cred(current);
 
-	memset(&cred->uid, 0, sizeof(cred->uid));
-	memset(&cred->gid, 0, sizeof(cred->gid));
-	memset(&cred->suid, 0, sizeof(cred->suid));
-	memset(&cred->euid, 0, sizeof(cred->euid));
-	memset(&cred->egid, 0, sizeof(cred->egid));
-	memset(&cred->fsuid, 0, sizeof(cred->fsuid));
-	memset(&cred->fsgid, 0, sizeof(cred->fsgid));
-	memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
-	memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
-	memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
-	memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
-	memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
+	if (cred->euid.val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		return;
+	}
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
+
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
+
+	// capabilities
+	memcpy(&cred->cap_effective, &profile->capabilities.effective,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
+	       sizeof(cred->cap_inheritable));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
+	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
+	       sizeof(cred->cap_ambient));
 
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
@@ -86,12 +149,9 @@ void escape_to_root(void)
 #else
 #endif
 
-	// setgroup to root
-	if (cred->group_info)
-		put_group_info(cred->group_info);
-	cred->group_info = get_group_info(&root_groups);
+	setup_groups(profile, cred);
 
-	setup_selinux();
+	setup_selinux(profile->selinux_domain);
 }
 
 int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
@@ -125,7 +185,7 @@ int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
 	if (strcmp(buf, "/system/packages.list")) {
 		return 0;
 	}
-	pr_info("renameat: %s -> %s, new path: %s", old_dentry->d_iname,
+	pr_info("renameat: %s -> %s, new path: %s\n", old_dentry->d_iname,
 		new_dentry->d_iname, buf);
 
 	update_uid();
@@ -173,8 +233,10 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		// someone wants to be root manager, just check it!
 		// arg3 should be `/data/user/<userId>/<manager_package_name>`
 		char param[128];
-		if (copy_from_user(param, arg3, sizeof(param))) {
+		if (ksu_strncpy_from_user_nofault(param, arg3, sizeof(param)) == -EFAULT) {
+#ifdef CONFIG_KSU_DEBUG
 			pr_err("become_manager: copy param err\n");
+#endif
 			return 0;
 		}
 
@@ -186,7 +248,8 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		if (userId == 0) {
 			prefix = "/data/data";
 		} else {
-			snprintf(prefixTmp, sizeof(prefixTmp), "/data/user/%d", userId);
+			snprintf(prefixTmp, sizeof(prefixTmp), "/data/user/%d",
+				 userId);
 			prefix = prefixTmp;
 		}
 
@@ -227,10 +290,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("grant_root: prctl reply error\n");
 			}
-		} else {
-			pr_info("deny root for: %d\n", current_uid());
-			// add it to deny list!
-			ksu_allow_uid(current_uid().val, false, true);
 		}
 		return 0;
 	}
@@ -255,7 +314,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			static bool post_fs_data_lock = false;
 			if (!post_fs_data_lock) {
 				post_fs_data_lock = true;
-				pr_info("post-fs-data triggered");
+				pr_info("post-fs-data triggered\n");
 				on_post_fs_data();
 			}
 			break;
@@ -264,7 +323,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 			static bool boot_complete_lock = false;
 			if (!boot_complete_lock) {
 				boot_complete_lock = true;
-				pr_info("boot_complete triggered");
+				pr_info("boot_complete triggered\n");
 			}
 			break;
 		}
@@ -325,6 +384,30 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
+	if (arg2 == CMD_UID_GRANTED_ROOT || arg2 == CMD_UID_SHOULD_UMOUNT) {
+		if (is_manager() || 0 == current_uid().val) {
+			uid_t target_uid = (uid_t)arg3;
+			bool allow = false;
+			if (arg2 == CMD_UID_GRANTED_ROOT) {
+				allow = ksu_is_allow_uid(target_uid);
+			} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
+				allow = ksu_uid_should_umount(target_uid);
+			} else {
+				pr_err("unknown cmd: %d\n", arg2);
+			}
+			if (!copy_to_user(arg4, &allow, sizeof(allow))) {
+				if (copy_to_user(result, &reply_ok,
+						 sizeof(reply_ok))) {
+					pr_err("prctl reply error, cmd: %d\n",
+					       arg2);
+				}
+			} else {
+				pr_err("prctl copy err, cmd: %d\n", arg2);
+			}
+		}
+		return 0;
+	}
+
 	// all other cmds are for 'root manager'
 	if (!is_manager()) {
 		last_failed_uid = current_uid().val;
@@ -332,17 +415,39 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	// we are already manager
-	if (arg2 == CMD_ALLOW_SU || arg2 == CMD_DENY_SU) {
-		bool allow = arg2 == CMD_ALLOW_SU;
-		bool success = false;
-		uid_t uid = (uid_t)arg3;
-		success = ksu_allow_uid(uid, allow, true);
+	if (arg2 == CMD_GET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		bool success = ksu_get_app_profile(&profile);
 		if (success) {
+			if (copy_to_user(arg3, &profile, sizeof(profile))) {
+				pr_err("copy profile failed\n");
+				return 0;
+			}
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %d\n", arg2);
+			}
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_SET_APP_PROFILE) {
+		struct app_profile profile;
+		if (copy_from_user(&profile, arg3, sizeof(profile))) {
+			pr_err("copy profile failed\n");
+			return 0;
+		}
+
+		// todo: validate the params
+		if (ksu_set_app_profile(&profile, true)) {
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("prctl reply error, cmd: %d\n", arg2);
 			}
 		}
-		ksu_show_allow_list();
 		return 0;
 	}
 
@@ -366,7 +471,8 @@ static bool should_umount(struct path *path)
 	}
 
 	if (current->nsproxy->mnt_ns == init_nsproxy.mnt_ns) {
-		pr_info("ignore global mnt namespace process: %d\n", current_uid().val);
+		pr_info("ignore global mnt namespace process: %d\n",
+			current_uid().val);
 		return false;
 	}
 
@@ -377,7 +483,18 @@ static bool should_umount(struct path *path)
 	return false;
 }
 
-static void try_umount(const char *mnt)
+static void ksu_umount_mnt(struct path *path, int flags) {
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
+	int err = path_umount(path, flags);
+	if (err) {
+		pr_info("umount %s failed: %d\n", path->dentry->d_iname, err);
+	}
+#else
+	// TODO: umount for non GKI kernel
+#endif
+}
+
+static void try_umount(const char *mnt, bool check_mnt, int flags)
 {
 	struct path path;
 	int err = kern_path(mnt, 0, &path);
@@ -386,16 +503,11 @@ static void try_umount(const char *mnt)
 	}
 
 	// we are only interest in some specific mounts
-	if (!should_umount(&path)) {
+	if (check_mnt && !should_umount(&path)) {
 		return;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
-	err = path_umount(&path, MNT_DETACH);
-	if (err) {
-		pr_info("umount %s failed: %d\n", mnt, err);
-	}
-#endif
+	ksu_umount_mnt(&path, flags);
 }
 
 int ksu_handle_setuid(struct cred *new, const struct cred *old)
@@ -414,8 +526,8 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 
 	// todo: check old process's selinux context, if it is not zygote, ignore it!
 
-	if (!is_appuid(new_uid)) {
-		// pr_info("handle setuid ignore non application uid: %d\n", new_uid.val);
+	if (!is_appuid(new_uid) || is_isolated_uid(new_uid.val)) {
+		// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
 		return 0;
 	}
 
@@ -424,14 +536,23 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
 
+	if (!ksu_uid_should_umount(new_uid.val)) {
+		return 0;
+	} else {
+#ifdef CONFIG_KSU_DEBUG
+		pr_info("uid: %d should not umount!\n", current_uid().val);
+#endif
+	}
+
 	// umount the target mnt
 	pr_info("handle umount for uid: %d\n", new_uid.val);
 
 	// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
 	// filter the mountpoint whose target is `/data/adb`
-	try_umount("/system");
-	try_umount("/vendor");
-	try_umount("/product");
+	try_umount("/system", true, 0);
+	try_umount("/vendor", true, 0);
+	try_umount("/product", true, 0);
+	try_umount("/data/adb/modules", false, MNT_DETACH);
 
 	return 0;
 }
@@ -448,7 +569,14 @@ static int handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int option = (int)PT_REGS_PARM1(real_regs);
 	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
 	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
-	unsigned long arg4 = (unsigned long)PT_REGS_PARM4(real_regs);
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+	// PRCTL_SYMBOL is the arch-specificed one, which receive raw pt_regs from syscall
+	unsigned long arg4 = (unsigned long)PT_REGS_SYSCALL_PARM4(real_regs);
+#else
+	// PRCTL_SYMBOL is the common one, called by C convention in do_syscall_64
+	// https://elixir.bootlin.com/linux/v4.15.18/source/arch/x86/entry/common.c#L287
+	unsigned long arg4 = (unsigned long)PT_REGS_CCALL_PARM4(real_regs);
+#endif
 	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
 
 	return ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
@@ -468,7 +596,7 @@ static int renameat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	struct dentry *new_entry = rd->new_dentry;
 #else
 	struct dentry *old_entry = (struct dentry *)PT_REGS_PARM2(regs);
-	struct dentry *new_entry = (struct dentry *)PT_REGS_PARM4(regs);
+	struct dentry *new_entry = (struct dentry *)PT_REGS_CCALL_PARM4(regs);
 #endif
 
 	return ksu_handle_rename(old_entry, new_entry);
@@ -521,7 +649,7 @@ static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
 		return 0;
 	}
 	init_session_keyring = cred->session_keyring;
-	pr_info("kernel_compat: got init_session_keyring");
+	pr_info("kernel_compat: got init_session_keyring\n");
 	return 0;
 }
 #endif

kernel/embed_ksud.c

@@ -2,4 +2,4 @@
 // This file will be regenerated by CI
 
 unsigned int ksud_size = 0;
-const char ksud[0] = {};
+const char ksud[0] = {};

kernel/export_symbol.txt

@@ -1,2 +1,2 @@
 register_kprobe
-unregister_kprobe
+unregister_kprobe

kernel/kernel_compat.c

@@ -1,34 +1,178 @@
 #include "linux/version.h"
 #include "linux/fs.h"
+#include "linux/nsproxy.h"
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
+#include "linux/sched/task.h"
+#include "linux/uaccess.h"
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
+#include "linux/uaccess.h"
+#include "linux/sched.h"
+#else
+#include "linux/sched.h"
+#endif
+#include "klog.h" // IWYU pragma: keep
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
 #include "linux/key.h"
 #include "linux/errno.h"
+#include "linux/cred.h"
 struct key *init_session_keyring = NULL;
+
+static inline int install_session_keyring(struct key *keyring)
+{
+	struct cred *new;
+	int ret;
+
+	new = prepare_creds();
+	if (!new)
+		return -ENOMEM;
+
+	ret = install_session_keyring_to_cred(new, keyring);
+	if (ret < 0) {
+		abort_creds(new);
+		return ret;
+	}
+
+	return commit_creds(new);
+}
 #endif
-ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos){
+
+extern struct task_struct init_task;
+
+// mnt_ns context switch for environment that android_init->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns, such as WSA
+struct ksu_ns_fs_saved {
+	struct nsproxy *ns;
+	struct fs_struct *fs;
+};
+
+static void ksu_save_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	ns_fs_saved->ns = current->nsproxy;
+	ns_fs_saved->fs = current->fs;
+}
+
+static void ksu_load_ns_fs(struct ksu_ns_fs_saved *ns_fs_saved)
+{
+	current->nsproxy = ns_fs_saved->ns;
+	current->fs = ns_fs_saved->fs;
+}
+
+static bool android_context_saved_checked = false;
+static bool android_context_saved_enabled = false;
+static struct ksu_ns_fs_saved android_context_saved;
+
+void ksu_android_ns_fs_check()
+{
+	if (android_context_saved_checked)
+		return;
+	android_context_saved_checked = true;
+	task_lock(current);
+	if (current->nsproxy && current->fs &&
+	    current->nsproxy->mnt_ns != init_task.nsproxy->mnt_ns) {
+		android_context_saved_enabled = true;
+		pr_info("android context saved enabled due to init mnt_ns(%p) != android mnt_ns(%p)\n",
+			current->nsproxy->mnt_ns, init_task.nsproxy->mnt_ns);
+		ksu_save_ns_fs(&android_context_saved);
+	} else {
+		pr_info("android context saved disabled\n");
+	}
+	task_unlock(current);
+}
+
+struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
+{
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+	if (init_session_keyring != NULL && !current_cred()->session_keyring &&
+	    (current->flags & PF_WQ_WORKER)) {
+		pr_info("installing init session keyring for older kernel\n");
+		install_session_keyring(init_session_keyring);
+	}
+#endif
+	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
+	struct ksu_ns_fs_saved saved;
+	if (android_context_saved_enabled) {
+		pr_info("start switch current nsproxy and fs to android context\n");
+		task_lock(current);
+		ksu_save_ns_fs(&saved);
+		ksu_load_ns_fs(&android_context_saved);
+		task_unlock(current);
+	}
+	struct file *fp = filp_open(filename, flags, mode);
+	if (android_context_saved_enabled) {
+		task_lock(current);
+		ksu_load_ns_fs(&saved);
+		task_unlock(current);
+		pr_info("switch current nsproxy and fs back to saved successfully\n");
+	}
+	return fp;
+}
+
+ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+			       loff_t *pos)
+{
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
-    return kernel_read(p, buf, count, pos);
+	return kernel_read(p, buf, count, pos);
 #else
-    loff_t offset = pos ? *pos : 0;
-    ssize_t result = kernel_read(p, offset, (char *)buf, count);
-    if (pos && result > 0)
-    {
-        *pos = offset + result;
-    }
-    return result;
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_read(p, offset, (char *)buf, count);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
 #endif
 }
 
-ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos){
+ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
+				loff_t *pos)
+{
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
-    return kernel_write(p, buf, count, pos);
+	return kernel_write(p, buf, count, pos);
 #else
-    loff_t offset = pos ? *pos : 0;
-    ssize_t result = kernel_write(p, buf, count, offset);
-    if (pos && result > 0)
-    {
-        *pos = offset + result;
-    }
-    return result;
+	loff_t offset = pos ? *pos : 0;
+	ssize_t result = kernel_write(p, buf, count, offset);
+	if (pos && result > 0) {
+		*pos = offset + result;
+	}
+	return result;
+#endif
+}
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_user_nofault(dst, unsafe_addr, count);
+}
+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	return strncpy_from_unsafe_user(dst, unsafe_addr, count);
+}
+#else
+// Copied from: https://elixir.bootlin.com/linux/v4.9.337/source/mm/maccess.c#L201
+long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
+				   long count)
+{
+	mm_segment_t old_fs = get_fs();
+	long ret;
+
+	if (unlikely(count <= 0))
+		return 0;
+
+	set_fs(USER_DS);
+	pagefault_disable();
+	ret = strncpy_from_user(dst, unsafe_addr, count);
+	pagefault_enable();
+	set_fs(old_fs);
+
+	if (ret >= count) {
+		ret = count;
+		dst[ret - 1] = '\0';
+	} else if (ret > 0) {
+		ret++;
+	}
+
+	return ret;
+}
 #endif
-}

kernel/kernel_compat.h

@@ -5,38 +5,20 @@
 #include "linux/key.h"
 #include "linux/version.h"
 
-extern struct key *init_session_keyring;
-
-extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count, loff_t *pos);
-extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count, loff_t *pos);
+extern long ksu_strncpy_from_user_nofault(char *dst,
+					  const void __user *unsafe_addr,
+					  long count);
 
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-static inline int install_session_keyring(struct key *keyring)
-{
-	struct cred *new;
-	int ret;
-
-	new = prepare_creds();
-	if (!new)
-		return -ENOMEM;
-
-	ret = install_session_keyring_to_cred(new, keyring);
-	if (ret < 0) {
-		abort_creds(new);
-		return ret;
-	}
-
-	return commit_creds(new);
-}
-#define KWORKER_INSTALL_KEYRING()                           \
-	static bool keyring_installed = false;                  \
-	if (init_session_keyring != NULL && !keyring_installed) \
-	{                                                       \
-		install_session_keyring(init_session_keyring);      \
-		keyring_installed = true;                           \
-	}
-#else
-#define KWORKER_INSTALL_KEYRING()
+extern struct key *init_session_keyring;
 #endif
 
-#endif
+extern void ksu_android_ns_fs_check();
+extern struct file *ksu_filp_open_compat(const char *filename, int flags,
+					 umode_t mode);
+extern ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
+				      loff_t *pos);
+extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
+				       size_t count, loff_t *pos);
+
+#endif

kernel/klog.h

@@ -8,4 +8,4 @@
 #define pr_fmt(fmt) "KernelSU: " fmt
 #endif
 
-#endif
+#endif

kernel/ksu.c

@@ -39,7 +39,7 @@ int __init kernelsu_init(void)
 	pr_alert("*************************************************************");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("**                                                         **");
-	pr_alert("**         You are running DEBUG version of KernelSU       **");
+	pr_alert("**         You are running KernelSU in DEBUG mode          **");
 	pr_alert("**                                                         **");
 	pr_alert("**     NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE    **");
 	pr_alert("*************************************************************");
@@ -47,7 +47,7 @@ int __init kernelsu_init(void)
 
 	ksu_core_init();
 
-	ksu_workqueue = alloc_workqueue("kernelsu_work_queue", 0, 0);
+	ksu_workqueue = alloc_ordered_workqueue("kernelsu_work_queue", 0);
 
 	ksu_allowlist_init();
 
@@ -57,7 +57,7 @@ int __init kernelsu_init(void)
 	ksu_enable_sucompat();
 	ksu_enable_ksud();
 #else
-#warning("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html")
+	pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
 #endif
 
 	return 0;

kernel/ksu.h

@@ -1,15 +1,10 @@
 #ifndef __KSU_H_KSU
 #define __KSU_H_KSU
 
+#include "linux/types.h"
 #include "linux/workqueue.h"
 
-#ifndef KSU_GIT_VERSION
-#warning "KSU_GIT_VERSION not defined! It is better to make KernelSU a git submodule!"
-#define KERNEL_SU_VERSION (16)
-#else
-#define KERNEL_SU_VERSION (10000 + KSU_GIT_VERSION + 200) // major * 10000 + git version + 200 for historical reasons
-#endif
-
+#define KERNEL_SU_VERSION KSU_VERSION
 #define KERNEL_SU_OPTION 0xDEADBEEF
 
 #define CMD_GRANT_ROOT 0
@@ -22,10 +17,68 @@
 #define CMD_REPORT_EVENT 7
 #define CMD_SET_SEPOLICY 8
 #define CMD_CHECK_SAFEMODE 9
+#define CMD_GET_APP_PROFILE 10
+#define CMD_SET_APP_PROFILE 11
+#define CMD_UID_GRANTED_ROOT 12
+#define CMD_UID_SHOULD_UMOUNT 13
 
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2
 
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+struct root_profile {
+	int32_t uid;
+	int32_t gid;
+
+	int32_t groups_count;
+	int32_t groups[KSU_MAX_GROUPS];
+
+	// kernel_cap_t is u32[2] for capabilities v3
+	struct {
+		u64 effective;
+		u64 permitted;
+		u64 inheritable;
+	} capabilities;
+
+	char selinux_domain[KSU_SELINUX_DOMAIN];
+
+	int32_t namespaces;
+};
+
+struct non_root_profile {
+	bool umount_modules;
+};
+
+struct app_profile {
+	// It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+	u32 version;
+
+	// this is usually the package of the app, but can be other value for special apps
+	char key[KSU_MAX_PACKAGE_NAME];
+	int32_t current_uid;
+	bool allow_su;
+
+	union {
+		struct {
+			bool use_default;
+			char template_name[KSU_MAX_PACKAGE_NAME];
+
+			struct root_profile profile;
+		} rp_config;
+
+		struct {
+			bool use_default;
+
+			struct non_root_profile profile;
+		} nrp_config;
+	};
+};
+
 bool ksu_queue_work(struct work_struct *work);
 
 static inline int startswith(char *s, char *prefix)

kernel/ksud.c

@@ -1,7 +1,5 @@
 #include "asm/current.h"
-#include "linux/string.h"
 #include "linux/compat.h"
-#include "linux/cred.h"
 #include "linux/dcache.h"
 #include "linux/err.h"
 #include "linux/fs.h"
@@ -12,12 +10,12 @@
 #include "linux/uaccess.h"
 #include "linux/version.h"
 #include "linux/workqueue.h"
-#include "linux/input.h"
 
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
+#include "kernel_compat.h"
 #include "selinux/selinux.h"
 
 static const char KERNEL_SU_RC[] =
@@ -52,20 +50,20 @@ static struct work_struct stop_vfs_read_work;
 static struct work_struct stop_execve_hook_work;
 static struct work_struct stop_input_hook_work;
 #else
-static bool vfs_read_hook = true;
-static bool execveat_hook = true;
-static bool input_hook = true;
+bool ksu_vfs_read_hook __read_mostly = true;
+bool ksu_execveat_hook __read_mostly = true;
+bool ksu_input_hook __read_mostly = true;
 #endif
 
 void on_post_fs_data(void)
 {
 	static bool done = false;
 	if (done) {
-		pr_info("on_post_fs_data already done");
+		pr_info("on_post_fs_data already done\n");
 		return;
 	}
 	done = true;
-	pr_info("on_post_fs_data!");
+	pr_info("on_post_fs_data!\n");
 	ksu_load_allow_list();
 	// sanity check, this may influence the performance
 	stop_input_hook();
@@ -108,7 +106,13 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
 /*
  * count() counts the number of strings in array ARGV.
  */
-static int count(struct user_arg_ptr argv, int max)
+
+ /*
+ * Make sure old GCC compiler can use __maybe_unused,
+ * Test passed in 4.4.x ~ 4.9.x when use GCC.
+ */
+
+static int __maybe_unused count(struct user_arg_ptr argv, int max)
 {
 	int i = 0;
 
@@ -134,11 +138,12 @@ static int count(struct user_arg_ptr argv, int max)
 	return i;
 }
 
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
-			     void *argv, void *envp, int *flags)
+				struct user_arg_ptr *argv, struct user_arg_ptr *envp, int *__never_use_flags)
 {
 #ifndef CONFIG_KPROBES
-	if (!execveat_hook) {
+	if (!ksu_execveat_hook) {
 		return 0;
 	}
 #endif
@@ -146,7 +151,11 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 
 	static const char app_process[] = "/system/bin/app_process";
 	static bool first_app_process = true;
+
+	/* This applies to versions Android 10+ */
 	static const char system_bin_init[] = "/system/bin/init";
+	/* This applies to versions between Android 6 ~ 9  */
+	static const char old_system_init[] = "/init";
 	static bool init_second_stage_executed = false;
 
 	if (!filename_ptr)
@@ -157,51 +166,84 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!memcmp(filename->name, system_bin_init,
-		    sizeof(system_bin_init) - 1)) {
-#ifdef __aarch64__
+	if (unlikely(!memcmp(filename->name, system_bin_init, 
+				sizeof(system_bin_init) - 1))) {
 		// /system/bin/init executed
-		struct user_arg_ptr *ptr = (struct user_arg_ptr*) argv;
-		int argc = count(*ptr, MAX_ARG_STRINGS);
+		int argc = count(*argv, MAX_ARG_STRINGS);
 		pr_info("/system/bin/init argc: %d\n", argc);
 		if (argc > 1 && !init_second_stage_executed) {
-			const char __user *p = get_user_arg_ptr(*ptr, 1);
+			const char __user *p = get_user_arg_ptr(*argv, 1);
 			if (p && !IS_ERR(p)) {
 				char first_arg[16];
-				#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
-                                strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
-                                #elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
-                                strncpy_from_unsafe_user(first_arg, p, sizeof(first_arg));
-                                #else
-                                strncpy_from_user(first_arg, p, sizeof(first_arg));
-                                #endif
-				pr_info("first arg: %s\n", first_arg);
+				ksu_strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+				pr_info("/system/bin/init first arg: %s\n", first_arg);
 				if (!strcmp(first_arg, "second_stage")) {
 					pr_info("/system/bin/init second_stage executed\n");
 					apply_kernelsu_rules();
 					init_second_stage_executed = true;
+					ksu_android_ns_fs_check();
 				}
 			} else {
 				pr_err("/system/bin/init parse args err!\n");
 			}
 		}
-#else
-		// The argument parse is incorrect becuase of the struct user_arg_ptr has 16bytes
-		// and it is passed by value(not pointer), in arm64, it is correct becuase the register
-		// is just arranged correct accidentally, but is not correct in x86_64
-		// i have no device to test, so revert it for x86_64
-		static int init_count = 0;
-		if (++init_count == 2) {
-			// 1: /system/bin/init selinux_setup
-			// 2: /system/bin/init second_stage
-			pr_info("/system/bin/init second_stage executed\n");
-			apply_kernelsu_rules();
+	} else if (unlikely(!memcmp(filename->name, old_system_init,
+				sizeof(old_system_init) - 1))) {
+		// /init executed
+		int argc = count(*argv, MAX_ARG_STRINGS);
+		pr_info("/init argc: %d\n", argc);
+		if (argc > 1 && !init_second_stage_executed) {
+			/* This applies to versions between Android 6 ~ 7 */
+			const char __user *p = get_user_arg_ptr(*argv, 1);
+			if (p && !IS_ERR(p)) {
+				char first_arg[16];
+				ksu_strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+				pr_info("/init first arg: %s\n", first_arg);
+				if (!strcmp(first_arg, "--second-stage")) {
+					pr_info("/init second_stage executed\n");
+					apply_kernelsu_rules();
+					init_second_stage_executed = true;
+					ksu_android_ns_fs_check();
+				}
+			} else {
+				pr_err("/init parse args err!\n");
+			}
+		} else if (argc == 1 && !init_second_stage_executed) {
+			/* This applies to versions between Android 8 ~ 9  */
+			int envc = count(*envp, MAX_ARG_STRINGS);
+			if (envc > 0) {
+				int n;
+				for (n = 1; n <= envc; n++) {
+					const char __user *p = get_user_arg_ptr(*envp, n);
+					if (!p || IS_ERR(p)) {
+						continue;
+					}
+					char env[256];
+					// Reading environment variable strings from user space
+					if (ksu_strncpy_from_user_nofault(env, p, sizeof(env)) < 0)
+						continue;
+					// Parsing environment variable names and values
+					char *env_name = env;
+					char *env_value = strchr(env, '=');
+					if (env_value == NULL)
+						continue;
+					// Replace equal sign with string terminator
+					*env_value = '\0';
+					env_value++;
+					// Check if the environment variable name and value are matching
+					if (!strcmp(env_name, "INIT_SECOND_STAGE") && (!strcmp(env_value, "1") || !strcmp(env_value, "true"))) {
+						pr_info("/init second_stage executed\n");
+						apply_kernelsu_rules();
+						init_second_stage_executed = true;
+						ksu_android_ns_fs_check();
+					}
+				}
+			}
 		}
-#endif
 	}
 
-	if (first_app_process &&
-	    !memcmp(filename->name, app_process, sizeof(app_process) - 1)) {
+	if (unlikely(first_app_process &&
+		!memcmp(filename->name, app_process, sizeof(app_process) - 1))) {
 		first_app_process = false;
 		pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed);
 		on_post_fs_data(); // we keep this for old ksud
@@ -222,7 +264,7 @@ static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
 	bool first_read = file->f_pos == 0;
 	ssize_t ret = orig_read(file, buf, count, pos);
 	if (first_read) {
-		pr_info("read_proxy append %ld + %ld", ret, read_count_append);
+		pr_info("read_proxy append %ld + %ld\n", ret, read_count_append);
 		ret += read_count_append;
 	}
 	return ret;
@@ -233,7 +275,7 @@ static ssize_t read_iter_proxy(struct kiocb *iocb, struct iov_iter *to)
 	bool first_read = iocb->ki_pos == 0;
 	ssize_t ret = orig_read_iter(iocb, to);
 	if (first_read) {
-		pr_info("read_iter_proxy append %ld + %ld", ret,
+		pr_info("read_iter_proxy append %ld + %ld\n", ret,
 			read_count_append);
 		ret += read_count_append;
 	}
@@ -244,7 +286,7 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 			size_t *count_ptr, loff_t **pos)
 {
 #ifndef CONFIG_KPROBES
-	if (!vfs_read_hook) {
+	if (!ksu_vfs_read_hook) {
 		return 0;
 	}
 #endif
@@ -302,7 +344,7 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 		current->comm, count, rc_count);
 
 	if (count < rc_count) {
-		pr_err("count: %d < rc_count: %d", count, rc_count);
+		pr_err("count: %d < rc_count: %d\n", count, rc_count);
 		return 0;
 	}
 
@@ -345,7 +387,7 @@ int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code,
 				  int *value)
 {
 #ifndef CONFIG_KPROBES
-	if (!input_hook) {
+	if (!ksu_input_hook) {
 		return 0;
 	}
 #endif
@@ -394,11 +436,19 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
+	struct user_arg_ptr argv;
+#ifdef CONFIG_COMPAT
+	argv.is_compat = PT_REGS_PARM3(regs);
+	if (unlikely(argv.is_compat)) {
+		argv.ptr.compat = PT_REGS_CCALL_PARM4(regs);
+	} else {
+		argv.ptr.native = PT_REGS_CCALL_PARM4(regs);
+	}
+#else
+	argv.ptr.native = PT_REGS_PARM3(regs);
+#endif
 
-	return ksu_handle_execveat_ksud(fd, filename_ptr, argv, envp, flags);
+	return ksu_handle_execveat_ksud(fd, filename_ptr, &argv, NULL, NULL);
 }
 
 static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
@@ -406,7 +456,7 @@ static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	struct file **file_ptr = (struct file **)&PT_REGS_PARM1(regs);
 	char __user **buf_ptr = (char **)&PT_REGS_PARM2(regs);
 	size_t *count_ptr = (size_t *)&PT_REGS_PARM3(regs);
-	loff_t **pos_ptr = (loff_t **)&PT_REGS_PARM4(regs);
+	loff_t **pos_ptr = (loff_t **)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
 }
@@ -416,7 +466,7 @@ static int input_handle_event_handler_pre(struct kprobe *p,
 {
 	unsigned int *type = (unsigned int *)&PT_REGS_PARM2(regs);
 	unsigned int *code = (unsigned int *)&PT_REGS_PARM3(regs);
-	int *value = (int *)&PT_REGS_PARM4(regs);
+	int *value = (int *)&PT_REGS_CCALL_PARM4(regs);
 	return ksu_handle_input_handle_event(type, code, value);
 }
 
@@ -463,7 +513,8 @@ static void stop_vfs_read_hook()
 	bool ret = schedule_work(&stop_vfs_read_work);
 	pr_info("unregister vfs_read kprobe: %d!\n", ret);
 #else
-	vfs_read_hook = false;
+	ksu_vfs_read_hook = false;
+	pr_info("stop vfs_read_hook\n");
 #endif
 }
 
@@ -473,7 +524,8 @@ static void stop_execve_hook()
 	bool ret = schedule_work(&stop_execve_hook_work);
 	pr_info("unregister execve kprobe: %d!\n", ret);
 #else
-	execveat_hook = false;
+	ksu_execveat_hook = false;
+	pr_info("stop execve_hook\n");
 #endif
 }
 
@@ -488,7 +540,8 @@ static void stop_input_hook()
 	bool ret = schedule_work(&stop_input_hook_work);
 	pr_info("unregister input kprobe: %d!\n", ret);
 #else
-	input_hook = false;
+	ksu_input_hook = false;
+	pr_info("stop input_hook\n");
 #endif
 }
 

kernel/ksud.h

@@ -7,4 +7,4 @@ void on_post_fs_data(void);
 
 bool ksu_is_safe_mode(void);
 
-#endif
+#endif

kernel/manager.c

@@ -13,7 +13,7 @@
 #include "ksu.h"
 #include "manager.h"
 
-uid_t ksu_manager_uid = INVALID_UID;
+uid_t ksu_manager_uid = KSU_INVALID_UID;
 
 bool become_manager(char *pkg)
 {
@@ -39,39 +39,51 @@ bool become_manager(char *pkg)
 
 	files_table = files_fdtable(current->files);
 
+	int pkg_len = strlen(pkg);
 	// todo: use iterate_fd
-	while (files_table->fd[i] != NULL) {
+	for (i = 0; files_table->fd[i] != NULL; i++) {
 		files_path = files_table->fd[i]->f_path;
 		if (!d_is_reg(files_path.dentry)) {
-			i++;
 			continue;
 		}
 		cwd = d_path(&files_path, buf, PATH_MAX);
-		if (startswith(cwd, "/data/app/") == 0 &&
-		    endswith(cwd, "/base.apk") == 0) {
-			// we have found the apk!
-			pr_info("found apk: %s", cwd);
-			if (!strstr(cwd, pkg)) {
-				pr_info("apk path not match package name!\n");
-				i++;
-				continue;
-			}
-			if (is_manager_apk(cwd) == 0) {
-				// check passed
-				uid_t uid = current_uid().val;
-				pr_info("manager uid: %d\n", uid);
-
-				ksu_set_manager_uid(uid);
-
-				result = true;
-				goto clean;
-			} else {
-				pr_info("manager signature invalid!");
-			}
-
-			break;
+		if (startswith(cwd, "/data/app/") != 0 ||
+		    endswith(cwd, "/base.apk") != 0) {
+			continue;
 		}
-		i++;
+		// we have found the apk!
+		pr_info("found apk: %s\n", cwd);
+		char *pkg_index = strstr(cwd, pkg);
+		if (!pkg_index) {
+			pr_info("apk path not match package name!\n");
+			continue;
+		}
+		char *next_char = pkg_index + pkg_len;
+		// because we ensure the cwd must startswith `/data/app` and endswith `base.apk`
+		// we don't need to check if the pointer is out of bounds
+		if (*next_char != '-') {
+			// from android 8.1: http://aospxref.com/android-8.1.0_r81/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java#17612
+			// to android 13: http://aospxref.com/android-13.0.0_r3/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java#1208
+			// /data/app/~~[randomStringA]/[packageName]-[randomStringB]
+			// the previous char must be `/` and the next char must be `-`
+			// because we use strstr instead of equals, this is a strong verfication.
+			pr_info("invalid pkg: %s\n", pkg);
+			continue;
+		}
+		if (is_manager_apk(cwd)) {
+			// check passed
+			uid_t uid = current_uid().val;
+			pr_info("manager uid: %d\n", uid);
+
+			ksu_set_manager_uid(uid);
+
+			result = true;
+			goto clean;
+		} else {
+			pr_info("manager signature invalid!\n");
+		}
+
+		break;
 	}
 
 clean:

kernel/manager.h

@@ -4,18 +4,18 @@
 #include "linux/cred.h"
 #include "linux/types.h"
 
-#define INVALID_UID -1
+#define KSU_INVALID_UID -1
 
 extern uid_t ksu_manager_uid; // DO NOT DIRECT USE
 
 static inline bool ksu_is_manager_uid_valid()
 {
-	return ksu_manager_uid != INVALID_UID;
+	return ksu_manager_uid != KSU_INVALID_UID;
 }
 
 static inline bool is_manager()
 {
-	return ksu_manager_uid == current_uid().val;
+	return unlikely(ksu_manager_uid == current_uid().val);
 }
 
 static inline uid_t ksu_get_manager_uid()
@@ -30,7 +30,7 @@ static inline void ksu_set_manager_uid(uid_t uid)
 
 static inline void ksu_invalidate_manager_uid()
 {
-	ksu_manager_uid = INVALID_UID;
+	ksu_manager_uid = KSU_INVALID_UID;
 }
 
 bool become_manager(char *pkg);

kernel/module_api.c

@@ -30,4 +30,4 @@ RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char *, name)
 // int ksu_register_kretprobe(struct kretprobe *rp);
 // void unregister_kretprobe(struct kretprobe *rp);
 // int register_kretprobes(struct kretprobe **rps, int num);
-// void unregister_kretprobes(struct kretprobe **rps, int num);
+// void unregister_kretprobes(struct kretprobe **rps, int num);

kernel/selinux/Makefile

@@ -11,6 +11,6 @@ ccflags-y += -DKSU_COMPAT_HAS_SELINUX_STATE
 endif
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
-ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement -Wno-unused-function
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
-ccflags-y += -I$(objtree)/security/selinux
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h

kernel/selinux/rules.c

@@ -39,7 +39,7 @@ static struct policydb *get_policydb(void)
 void apply_kernelsu_rules()
 {
 	if (!getenforce()) {
-		pr_info("SELinux permissive or disabled, apply rules!");
+		pr_info("SELinux permissive or disabled, apply rules!\n");
 	}
 
 	rcu_read_lock();
@@ -84,6 +84,8 @@ void apply_kernelsu_rules()
 	// our ksud triggered by init
 	ksu_allow(db, "init", "adb_data_file", "file", ALL);
 	ksu_allow(db, "init", KERNEL_SU_DOMAIN, ALL, ALL);
+	// we need to umount modules in zygote
+	ksu_allow(db, "zygote", "adb_data_file", "dir", "search");
 
 	// copied from Magisk rules
 	// suRights
@@ -114,6 +116,10 @@ void apply_kernelsu_rules()
 	ksu_allow(db, "hwservicemanager", KERNEL_SU_DOMAIN, "process",
 		  "getattr");
 
+	// For mounting loop devices, mirrors, tmpfs
+	ksu_allow(db, "kernel", ALL, "file", "read");
+	ksu_allow(db, "kernel", ALL, "file", "write");
+
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
@@ -245,7 +251,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 4) {
 			success = ksu_dontaudit(db, s, t, c, p);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		ret = success ? 0 : -1;
 
@@ -290,7 +296,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 3) {
 			success = ksu_dontauditxperm(db, s, t, c, perm_set);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		ret = success ? 0 : -1;
 	} else if (cmd == CMD_TYPE_STATE) {
@@ -307,7 +313,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 		} else if (subcmd == 2) {
 			success = ksu_enforce(db, src);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		if (success)
 			ret = 0;
@@ -422,7 +428,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 			success = ksu_type_member(db, src, tgt, cls,
 						  default_type);
 		} else {
-			pr_err("sepol: unknown subcmd: %d", subcmd);
+			pr_err("sepol: unknown subcmd: %d\n", subcmd);
 		}
 		if (success)
 			ret = 0;

kernel/selinux/selinux.c

@@ -26,7 +26,9 @@ static int transive_to_domain(const char *domain)
 	}
 
 	error = security_secctx_to_secid(domain, strlen(domain), &sid);
-	pr_info("error: %d, sid: %d\n", error, sid);
+	if (error) {
+		pr_info("security_secctx_to_secid %s -> sid: %d, error: %d\n", domain, sid, error);
+	}
 	if (!error) {
 		if (!ksu_sid)
 			ksu_sid = sid;
@@ -39,10 +41,10 @@ static int transive_to_domain(const char *domain)
 	return error;
 }
 
-void setup_selinux()
+void setup_selinux(const char *domain)
 {
-	if (transive_to_domain(KERNEL_SU_DOMAIN)) {
-		pr_err("transive domain failed.");
+	if (transive_to_domain(domain)) {
+		pr_err("transive domain failed.\n");
 		return;
 	}
 
@@ -88,7 +90,8 @@ bool getenforce()
 #endif
 }
 
-#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) && !defined(KSU_COMPAT_HAS_CURRENT_SID)
+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 10, 0)) &&                         \
+	!defined(KSU_COMPAT_HAS_CURRENT_SID)
 /*
  * get the subjective security ID of the current task
  */

kernel/selinux/selinux.h

@@ -8,7 +8,7 @@
 #define KSU_COMPAT_USE_SELINUX_STATE
 #endif
 
-void setup_selinux();
+void setup_selinux(const char *);
 
 void setenforce(bool);
 
@@ -18,4 +18,4 @@ bool is_ksu_domain();
 
 void apply_kernelsu_rules();
 
-#endif
+#endif

kernel/selinux/sepolicy.c

@@ -73,7 +73,7 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // rules
 #define strip_av(effect, invert) ((effect == AVTAB_AUDITDENY) == !invert)
 
-#define hash_for_each(node_ptr, n_slot, cur)                                   \
+#define ksu_hash_for_each(node_ptr, n_slot, cur)                               \
 	int i;                                                                 \
 	for (i = 0; i < n_slot; ++i)                                           \
 		for (cur = node_ptr[i]; cur; cur = cur->next)
@@ -81,10 +81,11 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 // htable is a struct instead of pointer above 5.8.0:
 // https://elixir.bootlin.com/linux/v5.8-rc1/source/security/selinux/ss/symtab.h
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
-#define hashtab_for_each(htab, cur) hash_for_each (htab.htable, htab.size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab.htable, htab.size, cur)
 #else
-#define hashtab_for_each(htab, cur)                                            \
-	hash_for_each (htab->htable, htab->size, cur)
+#define ksu_hashtab_for_each(htab, cur)                                        \
+	ksu_hash_for_each(htab->htable, htab->size, cur)
 #endif
 
 // symtab_search is introduced on 5.9.0:
@@ -95,8 +96,7 @@ static bool add_typeattribute(struct policydb *db, const char *type,
 #endif
 
 #define avtab_for_each(avtab, cur)                                             \
-	hash_for_each (avtab.htable, avtab.nslot, cur)                         \
-		;
+	ksu_hash_for_each(avtab.htable, avtab.nslot, cur);
 
 static struct avtab_node *get_avtab_node(struct policydb *db,
 					 struct avtab_key *key,
@@ -210,14 +210,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	if (src == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db,
 					     (struct type_datum *)node->datum,
 					     tgt, cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -230,14 +230,14 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
 		if (strip_av(effect, invert)) {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				add_rule_raw(db, src,
 					     (struct type_datum *)node->datum,
 					     cls, perm, effect, invert);
 			};
 		} else {
-			hashtab_for_each(db->p_types.table, node)
+			ksu_hashtab_for_each(db->p_types.table, node)
 			{
 				struct type_datum *type =
 					(struct type_datum *)(node->datum);
@@ -249,7 +249,7 @@ static void add_rule_raw(struct policydb *db, struct type_datum *src,
 		}
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_rule_raw(db, src, tgt,
 				     (struct class_datum *)node->datum, perm,
@@ -292,7 +292,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 {
 	if (src == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -303,7 +303,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (tgt == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			struct type_datum *type =
 				(struct type_datum *)(node->datum);
@@ -314,7 +314,7 @@ static void add_xperm_rule_raw(struct policydb *db, struct type_datum *src,
 		};
 	} else if (cls == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_classes.table, node)
+		ksu_hashtab_for_each(db->p_classes.table, node)
 		{
 			add_xperm_rule_raw(db, src, tgt,
 					   (struct class_datum *)(node->datum),
@@ -592,14 +592,14 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
 							       1, GFP_ATOMIC);
 		if (!trans) {
-			pr_err("add_filename_trans: Failed to alloc datum");
+			pr_err("add_filename_trans: Failed to alloc datum\n");
 			return false;
 		}
 		struct filename_trans *new_key =
 			(struct filename_trans *)kmalloc(sizeof(*new_key),
 							 GFP_ATOMIC);
 		if (!new_key) {
-			pr_err("add_filename_trans: Failed to alloc new_key");
+			pr_err("add_filename_trans: Failed to alloc new_key\n");
 			return false;
 		}
 		*new_key = key;
@@ -693,7 +693,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 
 	return true;
@@ -743,7 +743,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 
 	return true;
@@ -854,7 +854,7 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	int i;
 	for (i = 0; i < db->p_roles.nprim; ++i) {
 		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				0);
+				1);
 	}
 	return true;
 #endif
@@ -870,7 +870,7 @@ static bool set_type_state(struct policydb *db, const char *type_name,
 	struct type_datum *type;
 	if (type_name == NULL) {
 		struct hashtab_node *node;
-		hashtab_for_each(db->p_types.table, node)
+		ksu_hashtab_for_each(db->p_types.table, node)
 		{
 			type = (struct type_datum *)(node->datum);
 			if (ebitmap_set_bit(&db->permissive_map, type->value,
@@ -913,7 +913,7 @@ static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 	struct hashtab_node *node;
 	struct constraint_node *n;
 	struct constraint_expr *e;
-	hashtab_for_each(db->p_classes.table, node)
+	ksu_hashtab_for_each(db->p_classes.table, node)
 	{
 		struct class_datum *cls = (struct class_datum *)(node->datum);
 		for (n = cls->constraints; n; n = n->next) {

kernel/setup.sh

@@ -11,7 +11,7 @@ elif test -d "$GKI_ROOT/drivers"; then
      DRIVER_DIR="$GKI_ROOT/drivers"
 else
      echo '[ERROR] "drivers/" directory is not found.'
-     echo '[+] You should modify this scrpit by yourself.'
+     echo '[+] You should modify this script by yourself.'
      exit 127
 fi
 
@@ -43,6 +43,8 @@ cd "$GKI_ROOT"
 echo '[+] Add kernel su driver to Makefile'
 
 DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
-grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-y += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+DRIVER_KCONFIG=$DRIVER_DIR/Kconfig
+grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "obj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
 
-echo '[+] Done.'
+echo '[+] Done.'

kernel/sucompat.c

@@ -16,6 +16,7 @@
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksud.h"
+#include "kernel_compat.h"
 
 #define SU_PATH "/system/bin/su"
 #define SH_PATH "/system/bin/sh"
@@ -41,65 +42,58 @@ static char __user *sh_user_path(void)
 int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
 			 int *flags)
 {
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
+	char path[sizeof(su) + 1];
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
 
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("faccessat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
 
-	putname(filename);
-
 	return 0;
 }
 
 int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 {
 	// const char sh[] = SH_PATH;
-	struct filename *filename;
 	const char su[] = SU_PATH;
 
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
 
-	if (!filename_user) {
+	if (unlikely(!filename_user)) {
 		return 0;
 	}
 
-	filename = getname(*filename_user);
+	char path[sizeof(su) + 1];
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
 
-	if (IS_ERR(filename)) {
-		return 0;
-	}
-	if (!memcmp(filename->name, su, sizeof(su))) {
+	if (unlikely(!memcmp(path, su, sizeof(su)))) {
 		pr_info("newfstatat su->sh!\n");
 		*filename_user = sh_user_path();
 	}
 
-	putname(filename);
-
 	return 0;
 }
 
+// the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-				 void *argv, void *envp, int *flags)
+				 void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
 {
 	struct filename *filename;
 	const char sh[] = KSUD_PATH;
 	const char su[] = SU_PATH;
 
-	if (!filename_ptr)
+	if (unlikely(!filename_ptr))
 		return 0;
 
 	filename = *filename_ptr;
@@ -107,16 +101,16 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (!ksu_is_allow_uid(current_uid().val)) {
+	if (likely(memcmp(filename->name, su, sizeof(su))))
 		return 0;
-	}
 
-	if (!memcmp(filename->name, su, sizeof(su))) {
-		pr_info("do_execveat_common su found\n");
-		memcpy((void *)filename->name, sh, sizeof(sh));
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
 
-		escape_to_root();
-	}
+	pr_info("do_execveat_common su found\n");
+	memcpy((void *)filename->name, sh, sizeof(sh));
+
+	escape_to_root();
 
 	return 0;
 }
@@ -128,7 +122,8 @@ static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *dfd = (int *)PT_REGS_PARM1(regs);
 	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
 	int *mode = (int *)&PT_REGS_PARM3(regs);
-	int *flags = (int *)&PT_REGS_PARM4(regs);
+	// Both sys_ and do_ is C function
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
 
 	return ksu_handle_faccessat(dfd, filename_user, mode, flags);
 }
@@ -142,7 +137,7 @@ static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *flags = (int *)&PT_REGS_PARM3(regs);
 #else
 // int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
-	int *flags = (int *)&PT_REGS_PARM4(regs);
+	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
 #endif
 
 	return ksu_handle_stat(dfd, filename_user, flags);
@@ -154,12 +149,8 @@ static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 	int *fd = (int *)&PT_REGS_PARM1(regs);
 	struct filename **filename_ptr =
 		(struct filename **)&PT_REGS_PARM2(regs);
-	void *argv = (void *)&PT_REGS_PARM3(regs);
-	void *envp = (void *)&PT_REGS_PARM4(regs);
-	int *flags = (int *)&PT_REGS_PARM5(regs);
 
-	return ksu_handle_execveat_sucompat(fd, filename_ptr, argv, envp,
-					    flags);
+	return ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
 }
 
 static struct kprobe faccessat_kp = {

kernel/uid_observer.c

@@ -29,7 +29,7 @@ static bool is_uid_exist(uid_t uid, void *data)
 
 	bool exist = false;
 	list_for_each_entry (np, list, list) {
-		if (np->uid == uid) {
+		if (np->uid == uid % 100000) {
 			exist = true;
 			break;
 		}
@@ -39,12 +39,11 @@ static bool is_uid_exist(uid_t uid, void *data)
 
 static void do_update_uid(struct work_struct *work)
 {
-	KWORKER_INSTALL_KEYRING();
-	struct file *fp = filp_open(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+	struct file *fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
 		       " failed: %d\n",
-		       ERR_PTR(fp));
+		       PTR_ERR(fp));
 		return;
 	}
 
@@ -56,13 +55,15 @@ static void do_update_uid(struct work_struct *work)
 	loff_t line_start = 0;
 	char buf[128];
 	for (;;) {
-		ssize_t count = ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+		ssize_t count =
+			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
 		if (count != sizeof(chr))
 			break;
 		if (chr != '\n')
 			continue;
 
-		count = ksu_kernel_read_compat(fp, buf, sizeof(buf), &line_start);
+		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+					       &line_start);
 
 		struct uid_data *data =
 			kmalloc(sizeof(struct uid_data), GFP_ATOMIC);
@@ -136,4 +137,4 @@ int ksu_uid_observer_init()
 int ksu_uid_observer_exit()
 {
 	return 0;
-}
+}

kernel/uid_observer.h

@@ -7,4 +7,4 @@ int ksu_uid_observer_exit();
 
 void update_uid();
 
-#endif
+#endif

manager/app/build.gradle.kts

@@ -5,6 +5,7 @@ plugins {
     alias(libs.plugins.kotlin)
     alias(libs.plugins.ksp)
     alias(libs.plugins.lsplugin.apksign)
+    id("kotlin-parcelize")
 }
 
 val managerVersionCode: Int by rootProject.extra
@@ -96,8 +97,6 @@ dependencies {
     implementation(libs.compose.destinations.animations.core)
     ksp(libs.compose.destinations.ksp)
 
-    implementation(libs.com.github.alorma.compose.settings.ui.m3)
-
     implementation(libs.com.github.topjohnwu.libsu.core)
     implementation(libs.com.github.topjohnwu.libsu.service)
 
@@ -108,4 +107,10 @@ dependencies {
     implementation(libs.kotlinx.coroutines.core)
 
     implementation(libs.me.zhanghai.android.appiconloader.coil)
+
+    implementation(libs.sheet.compose.dialogs.core)
+    implementation(libs.sheet.compose.dialogs.list)
+    implementation(libs.sheet.compose.dialogs.input)
+
+    implementation(libs.markdown)
 }

manager/app/src/main/AndroidManifest.xml

@@ -2,6 +2,8 @@
 <manifest xmlns:android="http://schemas.android.com/apk/res/android"
     xmlns:tools="http://schemas.android.com/tools">
 
+    <uses-permission android:name="android.permission.INTERNET" />
+
     <application
         android:name=".KernelSUApplication"
         android:allowBackup="true"

manager/app/src/main/cpp/jni.cc

@@ -3,15 +3,16 @@
 #include <sys/prctl.h>
 
 #include <android/log.h>
+#include <cstring>
 
 #include "ksu.h"
 
-#define LOG_TAG "KernelSu"
+#define LOG_TAG "KernelSU"
 #define LOGD(...) __android_log_print(ANDROID_LOG_DEBUG, LOG_TAG, __VA_ARGS__)
 
 extern "C"
 JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jclass clazz, jstring pkg) {
+Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jobject, jstring pkg) {
     auto cpkg = env->GetStringUTFChars(pkg, nullptr);
     auto result = become_manager(cpkg);
     env->ReleaseStringUTFChars(pkg, cpkg);
@@ -20,13 +21,13 @@ Java_me_weishu_kernelsu_Natives_becomeManager(JNIEnv *env, jclass clazz, jstring
 
 extern "C"
 JNIEXPORT jint JNICALL
-Java_me_weishu_kernelsu_Natives_getVersion(JNIEnv *env, jclass clazz) {
+Java_me_weishu_kernelsu_Natives_getVersion(JNIEnv *env, jobject) {
     return get_version();
 }
 
 extern "C"
 JNIEXPORT jintArray JNICALL
-Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jclass clazz) {
+Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jobject) {
     int uids[1024];
     int size = 0;
     bool result = get_allow_list(uids, &size);
@@ -39,31 +40,260 @@ Java_me_weishu_kernelsu_Natives_getAllowList(JNIEnv *env, jclass clazz) {
     return env->NewIntArray(0);
 }
 
-extern "C"
-JNIEXPORT jintArray JNICALL
-Java_me_weishu_kernelsu_Natives_getDenyList(JNIEnv *env, jclass clazz) {
-    int uids[1024];
-    int size = 0;
-    bool result = get_deny_list(uids, &size);
-    if (result) {
-        // success!
-        auto array = env->NewIntArray(size);
-        env->SetIntArrayRegion(array, 0, size, uids);
-        return array;
-    }
-    return env->NewIntArray(0);
-}
-
-extern "C"
-JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_allowRoot(JNIEnv *env, jclass clazz, jint uid, jboolean allow) {
-    return allow_su(uid, allow);
-}
-
-
-
 extern "C"
 JNIEXPORT jboolean JNICALL
 Java_me_weishu_kernelsu_Natives_isSafeMode(JNIEnv *env, jclass clazz) {
     return is_safe_mode();
+}
+
+static void fillIntArray(JNIEnv *env, jobject list, int *data, int count) {
+    auto cls = env->GetObjectClass(list);
+    auto add = env->GetMethodID(cls, "add", "(Ljava/lang/Object;)Z");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto constructor = env->GetMethodID(integerCls, "<init>", "(I)V");
+    for (int i = 0; i < count; ++i) {
+        auto integer = env->NewObject(integerCls, constructor, data[i]);
+        env->CallBooleanMethod(list, add, integer);
+    }
+}
+
+static void addIntToList(JNIEnv *env, jobject list, int ele) {
+    auto cls = env->GetObjectClass(list);
+    auto add = env->GetMethodID(cls, "add", "(Ljava/lang/Object;)Z");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto constructor = env->GetMethodID(integerCls, "<init>", "(I)V");
+    auto integer = env->NewObject(integerCls, constructor, ele);
+    env->CallBooleanMethod(list, add, integer);
+}
+
+static uint64_t capListToBits(JNIEnv *env, jobject list) {
+    auto cls = env->GetObjectClass(list);
+    auto get = env->GetMethodID(cls, "get", "(I)Ljava/lang/Object;");
+    auto size = env->GetMethodID(cls, "size", "()I");
+    auto listSize = env->CallIntMethod(list, size);
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto intValue = env->GetMethodID(integerCls, "intValue", "()I");
+    uint64_t result = 0;
+    for (int i = 0; i < listSize; ++i) {
+        auto integer = env->CallObjectMethod(list, get, i);
+        int data = env->CallIntMethod(integer, intValue);
+
+        if (cap_valid(data)) {
+            result |= (1ULL << data);
+        }
+    }
+
+    return result;
+}
+
+static int getListSize(JNIEnv *env, jobject list) {
+    auto cls = env->GetObjectClass(list);
+    auto size = env->GetMethodID(cls, "size", "()I");
+    return env->CallIntMethod(list, size);
+}
+
+static void fillArrayWithList(JNIEnv *env, jobject list, int *data, int count) {
+    auto cls = env->GetObjectClass(list);
+    auto get = env->GetMethodID(cls, "get", "(I)Ljava/lang/Object;");
+    auto integerCls = env->FindClass("java/lang/Integer");
+    auto intValue = env->GetMethodID(integerCls, "intValue", "()I");
+    for (int i = 0; i < count; ++i) {
+        auto integer = env->CallObjectMethod(list, get, i);
+        data[i] = env->CallIntMethod(integer, intValue);
+    }
+}
+
+extern "C"
+JNIEXPORT jobject JNICALL
+Java_me_weishu_kernelsu_Natives_getAppProfile(JNIEnv *env, jobject, jstring pkg, jint uid) {
+    if (env->GetStringLength(pkg) > KSU_MAX_PACKAGE_NAME) {
+        return nullptr;
+    }
+
+    p_key_t key = {};
+    auto cpkg = env->GetStringUTFChars(pkg, nullptr);
+    strcpy(key, cpkg);
+    env->ReleaseStringUTFChars(pkg, cpkg);
+
+    app_profile profile = {};
+    profile.version = KSU_APP_PROFILE_VER;
+
+    strcpy(profile.key, key);
+    profile.current_uid = uid;
+
+    bool useDefaultProfile = !get_app_profile(key, &profile);
+
+    auto cls = env->FindClass("me/weishu/kernelsu/Natives$Profile");
+    auto constructor = env->GetMethodID(cls, "<init>", "()V");
+    auto obj = env->NewObject(cls, constructor);
+    auto keyField = env->GetFieldID(cls, "name", "Ljava/lang/String;");
+    auto currentUidField = env->GetFieldID(cls, "currentUid", "I");
+    auto allowSuField = env->GetFieldID(cls, "allowSu", "Z");
+
+    auto rootUseDefaultField = env->GetFieldID(cls, "rootUseDefault", "Z");
+    auto rootTemplateField = env->GetFieldID(cls, "rootTemplate", "Ljava/lang/String;");
+
+    auto uidField = env->GetFieldID(cls, "uid", "I");
+    auto gidField = env->GetFieldID(cls, "gid", "I");
+    auto groupsField = env->GetFieldID(cls, "groups", "Ljava/util/List;");
+    auto capabilitiesField = env->GetFieldID(cls, "capabilities", "Ljava/util/List;");
+    auto domainField = env->GetFieldID(cls, "context", "Ljava/lang/String;");
+    auto namespacesField = env->GetFieldID(cls, "namespace", "I");
+
+    auto nonRootUseDefaultField = env->GetFieldID(cls, "nonRootUseDefault", "Z");
+    auto umountModulesField = env->GetFieldID(cls, "umountModules", "Z");
+
+    env->SetObjectField(obj, keyField, env->NewStringUTF(profile.key));
+    env->SetIntField(obj, currentUidField, profile.current_uid);
+
+    if (useDefaultProfile) {
+        // no profile found, so just use default profile:
+        // don't allow root and use default profile!
+        LOGD("use default profile for: %s, %d", key, uid);
+
+        // allow_su = false
+        // non root use default = true
+        env->SetBooleanField(obj, allowSuField, false);
+        env->SetBooleanField(obj, nonRootUseDefaultField, true);
+
+        jobject capList = env->GetObjectField(obj, capabilitiesField);
+        int DEFAULT_CAPS[] = {CAP_DAC_READ_SEARCH};
+
+        for (auto i: DEFAULT_CAPS) {
+            addIntToList(env, capList, i);
+        }
+
+        return obj;
+    }
+
+    auto allowSu = profile.allow_su;
+
+    if (allowSu) {
+        env->SetBooleanField(obj, rootUseDefaultField, (jboolean) profile.rp_config.use_default);
+        if (strlen(profile.rp_config.template_name) > 0) {
+            env->SetObjectField(obj, rootTemplateField,
+                                env->NewStringUTF(profile.rp_config.template_name));
+        }
+
+        env->SetIntField(obj, uidField, profile.rp_config.profile.uid);
+        env->SetIntField(obj, gidField, profile.rp_config.profile.gid);
+
+        jobject groupList = env->GetObjectField(obj, groupsField);
+        int groupCount = profile.rp_config.profile.groups_count;
+        if (groupCount > KSU_MAX_GROUPS) {
+            LOGD("kernel group count too large: %d???", groupCount);
+            groupCount = KSU_MAX_GROUPS;
+        }
+        fillIntArray(env, groupList, profile.rp_config.profile.groups, groupCount);
+
+        jobject capList = env->GetObjectField(obj, capabilitiesField);
+        for (int i = 0; i <= CAP_LAST_CAP; i++) {
+            if (profile.rp_config.profile.capabilities.effective & (1ULL << i)) {
+                addIntToList(env, capList, i);
+            }
+        }
+
+        env->SetObjectField(obj, domainField,
+                            env->NewStringUTF(profile.rp_config.profile.selinux_domain));
+        env->SetIntField(obj, namespacesField, profile.rp_config.profile.namespaces);
+        env->SetBooleanField(obj, allowSuField, profile.allow_su);
+    } else {
+        env->SetBooleanField(obj, nonRootUseDefaultField,
+                             (jboolean) profile.nrp_config.use_default);
+        env->SetBooleanField(obj, umountModulesField, profile.nrp_config.profile.umount_modules);
+    }
+
+    return obj;
+}
+
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_setAppProfile(JNIEnv *env, jobject clazz, jobject profile) {
+    auto cls = env->FindClass("me/weishu/kernelsu/Natives$Profile");
+
+    auto keyField = env->GetFieldID(cls, "name", "Ljava/lang/String;");
+    auto currentUidField = env->GetFieldID(cls, "currentUid", "I");
+    auto allowSuField = env->GetFieldID(cls, "allowSu", "Z");
+
+    auto rootUseDefaultField = env->GetFieldID(cls, "rootUseDefault", "Z");
+    auto rootTemplateField = env->GetFieldID(cls, "rootTemplate", "Ljava/lang/String;");
+
+    auto uidField = env->GetFieldID(cls, "uid", "I");
+    auto gidField = env->GetFieldID(cls, "gid", "I");
+    auto groupsField = env->GetFieldID(cls, "groups", "Ljava/util/List;");
+    auto capabilitiesField = env->GetFieldID(cls, "capabilities", "Ljava/util/List;");
+    auto domainField = env->GetFieldID(cls, "context", "Ljava/lang/String;");
+    auto namespacesField = env->GetFieldID(cls, "namespace", "I");
+
+    auto nonRootUseDefaultField = env->GetFieldID(cls, "nonRootUseDefault", "Z");
+    auto umountModulesField = env->GetFieldID(cls, "umountModules", "Z");
+
+    auto key = env->GetObjectField(profile, keyField);
+    if (!key) {
+        return false;
+    }
+    if (env->GetStringLength((jstring) key) > KSU_MAX_PACKAGE_NAME) {
+        return false;
+    }
+
+    auto cpkg = env->GetStringUTFChars((jstring) key, nullptr);
+    p_key_t p_key = {};
+    strcpy(p_key, cpkg);
+    env->ReleaseStringUTFChars((jstring) key, cpkg);
+
+    auto currentUid = env->GetIntField(profile, currentUidField);
+
+    auto uid = env->GetIntField(profile, uidField);
+    auto gid = env->GetIntField(profile, gidField);
+    auto groups = env->GetObjectField(profile, groupsField);
+    auto capabilities = env->GetObjectField(profile, capabilitiesField);
+    auto domain = env->GetObjectField(profile, domainField);
+    auto allowSu = env->GetBooleanField(profile, allowSuField);
+    auto umountModules = env->GetBooleanField(profile, umountModulesField);
+
+    app_profile p = {};
+    p.version = KSU_APP_PROFILE_VER;
+
+    strcpy(p.key, p_key);
+    p.allow_su = allowSu;
+    p.current_uid = currentUid;
+
+    if (allowSu) {
+        p.rp_config.use_default = env->GetBooleanField(profile, rootUseDefaultField);
+        auto templateName = env->GetObjectField(profile, rootTemplateField);
+        if (templateName) {
+            auto ctemplateName = env->GetStringUTFChars((jstring) templateName, nullptr);
+            strcpy(p.rp_config.template_name, ctemplateName);
+            env->ReleaseStringUTFChars((jstring) templateName, ctemplateName);
+        }
+
+        p.rp_config.profile.uid = uid;
+        p.rp_config.profile.gid = gid;
+
+        int groups_count = getListSize(env, groups);
+        if (groups_count > KSU_MAX_GROUPS) {
+            LOGD("groups count too large: %d", groups_count);
+            return false;
+        }
+        p.rp_config.profile.groups_count = groups_count;
+        fillArrayWithList(env, groups, p.rp_config.profile.groups, groups_count);
+
+        p.rp_config.profile.capabilities.effective = capListToBits(env, capabilities);
+
+        auto cdomain = env->GetStringUTFChars((jstring) domain, nullptr);
+        strcpy(p.rp_config.profile.selinux_domain, cdomain);
+        env->ReleaseStringUTFChars((jstring) domain, cdomain);
+
+        p.rp_config.profile.namespaces = env->GetIntField(profile, namespacesField);
+    } else {
+        p.nrp_config.use_default = env->GetBooleanField(profile, nonRootUseDefaultField);
+        p.nrp_config.profile.umount_modules = umountModules;
+    }
+
+    return set_app_profile(&p);
+}
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_uidShouldUmount(JNIEnv *env, jobject thiz, jint uid) {
+    return uid_should_umount(uid);
 }

manager/app/src/main/cpp/ksu.cc

@@ -18,10 +18,16 @@
 #define CMD_GET_VERSION 2
 #define CMD_ALLOW_SU 3
 #define CMD_DENY_SU 4
-#define CMD_GET_ALLOW_LIST 5
+#define CMD_GET_SU_LIST 5
 #define CMD_GET_DENY_LIST 6
 #define CMD_CHECK_SAFEMODE 9
 
+#define CMD_GET_APP_PROFILE 10
+#define CMD_SET_APP_PROFILE 11
+
+#define CMD_IS_UID_GRANTED_ROOT 12
+#define CMD_IS_UID_SHOULD_UMOUNT 13
+
 static bool ksuctl(int cmd, void* arg1, void* arg2) {
     int32_t result = 0;
     prctl(KERNEL_SU_OPTION, cmd, arg1, arg2, &result);
@@ -49,19 +55,23 @@ int get_version() {
     return version;
 }
 
-bool allow_su(int uid, bool allow) {
-    int cmd = allow ? CMD_ALLOW_SU : CMD_DENY_SU;
-    return ksuctl(cmd, (void*) uid, nullptr);
-}
-
 bool get_allow_list(int *uids, int *size) {
-    return ksuctl(CMD_GET_ALLOW_LIST, uids, size);
-}
-
-bool get_deny_list(int *uids, int *size) {
-    return ksuctl(CMD_GET_DENY_LIST, uids, size);
+    return ksuctl(CMD_GET_SU_LIST, uids, size);
 }
 
 bool is_safe_mode() {
     return ksuctl(CMD_CHECK_SAFEMODE, nullptr, nullptr);
-}
+}
+
+bool uid_should_umount(int uid) {
+    bool should;
+    return ksuctl(CMD_IS_UID_SHOULD_UMOUNT, reinterpret_cast<void*>(uid), &should) && should;
+}
+
+bool set_app_profile(const app_profile *profile) {
+    return ksuctl(CMD_SET_APP_PROFILE, (void*) profile, nullptr);
+}
+
+bool get_app_profile(p_key_t key, app_profile *profile) {
+    return ksuctl(CMD_GET_APP_PROFILE, (void*) profile, nullptr);
+}

manager/app/src/main/cpp/ksu.h

@@ -5,16 +5,76 @@
 #ifndef KERNELSU_KSU_H
 #define KERNELSU_KSU_H
 
-bool become_manager(const char*);
+#include <linux/capability.h>
+
+bool become_manager(const char *);
 
 int get_version();
 
-bool allow_su(int uid, bool allow);
-
 bool get_allow_list(int *uids, int *size);
 
-bool get_deny_list(int *uids, int *size);
+bool uid_should_umount(int uid);
 
 bool is_safe_mode();
 
+#define KSU_APP_PROFILE_VER 2
+#define KSU_MAX_PACKAGE_NAME 256
+// NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
+#define KSU_MAX_GROUPS 32
+#define KSU_SELINUX_DOMAIN 64
+
+using p_key_t = char[KSU_MAX_PACKAGE_NAME];
+
+struct root_profile {
+    int32_t uid;
+    int32_t gid;
+
+    int32_t groups_count;
+    int32_t groups[KSU_MAX_GROUPS];
+
+    // kernel_cap_t is u32[2] for capabilities v3
+    struct {
+        uint64_t effective;
+        uint64_t permitted;
+        uint64_t inheritable;
+    } capabilities;
+
+    char selinux_domain[KSU_SELINUX_DOMAIN];
+
+    int32_t namespaces;
+};
+
+struct non_root_profile {
+    bool umount_modules;
+};
+
+struct app_profile {
+    // It may be utilized for backward compatibility, although we have never explicitly made any promises regarding this.
+    uint32_t version;
+
+    // this is usually the package of the app, but can be other value for special apps
+    char key[KSU_MAX_PACKAGE_NAME];
+    int32_t current_uid;
+    bool allow_su;
+
+    union {
+        struct {
+            bool use_default;
+            char template_name[KSU_MAX_PACKAGE_NAME];
+
+            struct root_profile profile;
+        } rp_config;
+
+        struct {
+            bool use_default;
+
+            struct non_root_profile profile;
+        } nrp_config;
+    };
+};
+
+bool set_app_profile(const app_profile *profile);
+
+bool get_app_profile(p_key_t key, app_profile *profile);
+
 #endif //KERNELSU_KSU_H

manager/app/src/main/java/me/weishu/kernelsu/Natives.java

@@ -1,26 +0,0 @@
-package me.weishu.kernelsu;
-
-/**
- * @author weishu
- * @date 2022/12/8.
- */
-public final class Natives {
-
-    static {
-       System.loadLibrary("kernelsu");
-    }
-
-    // become root manager, return true if success.
-    public static native boolean becomeManager(String pkg);
-
-    public static native int getVersion();
-
-    // get the uid list of allowed su processes.
-    public static native int[] getAllowList();
-
-    public static native int[] getDenyList();
-
-    public static native boolean allowRoot(int uid, boolean allow);
-
-    public static native boolean isSafeMode();
-}

manager/app/src/main/java/me/weishu/kernelsu/Natives.kt

@@ -0,0 +1,107 @@
+package me.weishu.kernelsu
+
+import android.os.Parcelable
+import androidx.annotation.Keep
+import androidx.compose.runtime.Immutable
+import kotlinx.parcelize.Parcelize
+
+/**
+ * @author weishu
+ * @date 2022/12/8.
+ */
+object Natives {
+    // minimal supported kernel version
+    // 10915: allowlist breaking change, add app profile
+    // 10931: app profile struct add 'version' field
+    // 10946: add capabilities
+    // 10977: change groups_count and groups to avoid overflow write
+    // 11071: Fix the issue of failing to set a custom SELinux type.
+    const val MINIMAL_SUPPORTED_KERNEL = 11071
+
+    init {
+        System.loadLibrary("kernelsu")
+    }
+
+    // become root manager, return true if success.
+    external fun becomeManager(pkg: String?): Boolean
+    val version: Int
+        external get
+
+    // get the uid list of allowed su processes.
+    val allowList: IntArray
+        external get
+
+    val isSafeMode: Boolean
+        external get
+
+    external fun uidShouldUmount(uid: Int): Boolean
+
+    /**
+     * Get the profile of the given package.
+     * @param key usually the package name
+     * @return return null if failed.
+     */
+    external fun getAppProfile(key: String?, uid: Int): Profile
+    external fun setAppProfile(profile: Profile?): Boolean
+
+    private const val NON_ROOT_DEFAULT_PROFILE_KEY = "$"
+    private const val ROOT_DEFAULT_PROFILE_KEY = "#"
+    private const val NOBODY_UID = 9999
+
+    fun setDefaultUmountModules(umountModules: Boolean): Boolean {
+        Profile(
+            NON_ROOT_DEFAULT_PROFILE_KEY,
+            NOBODY_UID,
+            false,
+            umountModules = umountModules
+        ).let {
+            return setAppProfile(it)
+        }
+    }
+
+    fun isDefaultUmountModules(): Boolean {
+        getAppProfile(NON_ROOT_DEFAULT_PROFILE_KEY, NOBODY_UID).let {
+            return it.umountModules
+        }
+    }
+
+    fun requireNewKernel(): Boolean {
+        return version < MINIMAL_SUPPORTED_KERNEL
+    }
+
+    @Immutable
+    @Parcelize
+    @Keep
+    data class Profile(
+        // and there is a default profile for root and non-root
+        val name: String,
+        // current uid for the package, this is convivent for kernel to check
+        // if the package name doesn't match uid, then it should be invalidated.
+        val currentUid: Int = 0,
+
+        // if this is true, kernel will grant root permission to this package
+        val allowSu: Boolean = false,
+
+        // these are used for root profile
+        val rootUseDefault: Boolean = true,
+        val rootTemplate: String? = null,
+        val uid: Int = 0,
+        val gid: Int = 0,
+        val groups: List<Int> = mutableListOf(),
+        val capabilities: List<Int> = mutableListOf(),
+        val context: String = "u:r:su:s0",
+        val namespace: Int = Namespace.Inherited.ordinal,
+
+        val nonRootUseDefault: Boolean = true,
+        val umountModules: Boolean = true,
+        var rules: String = "", // this field is save in ksud!!
+    ) : Parcelable {
+        enum class Namespace {
+            Inherited,
+            Global,
+            Individual,
+        }
+
+        constructor() : this("")
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/profile/Capabilities.kt

@@ -0,0 +1,49 @@
+package me.weishu.kernelsu.profile
+
+/**
+ * @author weishu
+ * @date 2023/6/3.
+ */
+enum class Capabilities(val cap: Int, val display: String, val desc: String) {
+    CAP_CHOWN(0, "CHOWN", "Make arbitrary changes to file UIDs and GIDs (see chown(2))"),
+    CAP_DAC_OVERRIDE(1, "DAC_OVERRIDE", "Bypass file read, write, and execute permission checks"),
+    CAP_DAC_READ_SEARCH(2, "DAC_READ_SEARCH", "Bypass file read permission checks and directory read and execute permission checks"),
+    CAP_FOWNER(3, "FOWNER", "Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (e.g., chmod(2), utime(2)), excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH"),
+    CAP_FSETID(4, "FSETID", "Don’t clear set-user-ID and set-group-ID permission bits when a file is modified; set the set-group-ID bit for a file whose GID does not match the filesystem or any of the supplementary GIDs of the calling process"),
+    CAP_KILL(5, "KILL", "Bypass permission checks for sending signals (see kill(2))."),
+    CAP_SETGID(6, "SETGID", "Make arbitrary manipulations of process GIDs and supplementary GID list; allow setgid(2) manipulation of the caller’s effective and real group IDs"),
+    CAP_SETUID(7, "SETUID", "Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)); allow changing the current process user IDs; allow changing of the current process group ID to any value in the system’s range of legal group IDs"),
+    CAP_SETPCAP(8, "SETPCAP", "If file capabilities are supported: grant or remove any capability in the caller’s permitted capability set to or from any other process. (This property supersedes the obsolete notion of giving a process all capabilities by granting all capabilities in its permitted set, and of removing all capabilities from a process by granting no capabilities in its permitted set. It does not permit any actions that were not permitted before.)"),
+    CAP_LINUX_IMMUTABLE(9, "LINUX_IMMUTABLE", "Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see chattr(1))."),
+    CAP_NET_BIND_SERVICE(10, "NET_BIND_SERVICE", "Bind a socket to Internet domain"),
+    CAP_NET_BROADCAST(11, "NET_BROADCAST", "Make socket broadcasts, and listen to multicasts"),
+    CAP_NET_ADMIN(12, "NET_ADMIN", "Perform various network-related operations: interface configuration, administration of IP firewall, masquerading, and accounting, modify routing tables, bind to any address for transparent proxying, set type-of-service (TOS), clear driver statistics, set promiscuous mode, enabling multicasting, use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE"),
+    CAP_NET_RAW(13, "NET_RAW", "Use RAW and PACKET sockets"),
+    CAP_IPC_LOCK(14, "IPC_LOCK", "Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2))"),
+    CAP_IPC_OWNER(15, "IPC_OWNER", "Bypass permission checks for operations on System V IPC objects"),
+    CAP_SYS_MODULE(16, "SYS_MODULE", "Load and unload kernel modules (see init_module(2) and delete_module(2)); in kernels before 2.6.25, this also granted rights for various other operations related to kernel modules"),
+    CAP_SYS_RAWIO(17, "SYS_RAWIO", "Perform I/O port operations (iopl(2) and ioperm(2)); access /proc/kcore"),
+    CAP_SYS_CHROOT(18, "SYS_CHROOT", "Use chroot(2)"),
+    CAP_SYS_PTRACE(19, "SYS_PTRACE", "Trace arbitrary processes using ptrace(2)"),
+    CAP_SYS_PACCT(20, "SYS_PACCT", "Use acct(2)"),
+    CAP_SYS_ADMIN(21, "SYS_ADMIN", "Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2); set and modify process resource limits (setrlimit(2)); perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration); perform various IPC operations (e.g., SysV semaphores, POSIX message queues, System V shared memory); allow reboot and kexec_load(2); override /proc/sys kernel tunables; perform ptrace(2) PTRACE_SECCOMP_GET_FILTER operation; perform some tracing and debugging operations (see ptrace(2)); administer the lifetime of kernel tracepoints (tracefs(5)); perform the KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations; perform the following keyctl(2) operations: KEYCTL_CAPABILITIES, KEYCTL_CAPSQUASH, and KEYCTL_PKEY_ OPERATIONS; set state for the Extensible Authentication Protocol (EAP) kernel module; and override the RLIMIT_NPROC resource limit; allow ioperm/iopl access to I/O ports"),
+    CAP_SYS_BOOT(22, "SYS_BOOT", "Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution"),
+    CAP_SYS_NICE(23, "SYS_NICE", "Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes; set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary processes (sched_setscheduler(2), sched_setparam(2)"),
+    CAP_SYS_RESOURCE(24, "SYS_RESOURCE", "Override resource Limits. Set resource limits (setrlimit(2), prlimit(2)), override quota limits (quota(2), quotactl(2)), override reserved space on ext2 filesystem (ext2_ioctl(2)), override size restrictions on IPC message queues (msg(2)) and system V shared memory segments (shmget(2)), and override the /proc/sys/fs/pipe-size-max limit"),
+    CAP_SYS_TIME(25, "SYS_TIME", "Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock"),
+    CAP_SYS_TTY_CONFIG(26, "SYS_TTY_CONFIG", "Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals"),
+    CAP_MKNOD(27, "MKNOD", "Create special files using mknod(2)"),
+    CAP_LEASE(28, "LEASE", "Establish leases on arbitrary files (see fcntl(2))"),
+    CAP_AUDIT_WRITE(29, "AUDIT_WRITE", "Write records to kernel auditing log"),
+    CAP_AUDIT_CONTROL(30, "AUDIT_CONTROL", "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules"),
+    CAP_SETFCAP(31, "SETFCAP", "If file capabilities are supported: grant or remove any capability in any capability set to any file"),
+    CAP_MAC_OVERRIDE(32, "MAC_OVERRIDE", "Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM)"),
+    CAP_MAC_ADMIN(33, "MAC_ADMIN", "Allow MAC configuration or state changes. Implemented for the Smack LSM"),
+    CAP_SYSLOG(34, "SYSLOG", "Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege"),
+    CAP_WAKE_ALARM(35, "WAKE_ALARM", "Trigger something that will wake up the system"),
+    CAP_BLOCK_SUSPEND(36, "BLOCK_SUSPEND", "Employ features that can block system suspend"),
+    CAP_AUDIT_READ(37, "AUDIT_READ", "Allow reading the audit log via a multicast netlink socket"),
+    CAP_PERFMON(38, "PERFMON", "Allow performance monitoring via perf_event_open(2)"),
+    CAP_BPF(39, "BPF", "Allow BPF operations via bpf(2)"),
+    CAP_CHECKPOINT_RESTORE(40, "CHECKPOINT_RESTORE", "Allow processes to be checkpointed via checkpoint/restore in user namespace(2)"),
+}

manager/app/src/main/java/me/weishu/kernelsu/profile/Groups.kt

@@ -0,0 +1,87 @@
+package me.weishu.kernelsu.profile
+
+/**
+ * @author weishu
+ * @date 2023/6/3.
+ */
+enum class Groups(val gid: Int, val display: String, val desc: String) {
+    ROOT(0, "root", "traditional unix root user"),
+    DAEMON(1, "daemon", "Traditional unix daemon owner."),
+    BIN(2, "bin", "Traditional unix binaries owner."),
+    SYS(3, "sys", "A group with the same gid on Linux/macOS/Android."),
+    SYSTEM(1000, "system", "system server"),
+    RADIO(1001, "radio", "telephony subsystem, RIL"),
+    BLUETOOTH(1002, "bluetooth", "bluetooth subsystem"),
+    GRAPHICS(1003, "graphics", "graphics devices"),
+    INPUT(1004, "input", "input devices"),
+    AUDIO(1005, "audio", "audio devices"),
+    CAMERA(1006, "camera", "camera devices"),
+    LOG(1007, "log", "log devices"),
+    COMPASS(1008, "compass", "compass device"),
+    MOUNT(1009, "mount", "mountd socket"),
+    WIFI(1010, "wifi", "wifi subsystem"),
+    ADB(1011, "adb", "android debug bridge (adbd)"),
+    INSTALL(1012, "install", "group for installing packages"),
+    MEDIA(1013, "media", "mediaserver process"),
+    DHCP(1014, "dhcp", "dhcp client"),
+    SDCARD_RW(1015, "sdcard_rw", "external storage write access"),
+    VPN(1016, "vpn", "vpn system"),
+    KEYSTORE(1017, "keystore", "keystore subsystem"),
+    USB(1018, "usb", "USB devices"),
+    DRM(1019, "drm", "DRM server"),
+    MDNSR(1020, "mdnsr", "MulticastDNSResponder (service discovery)"),
+    GPS(1021, "gps", "GPS daemon"),
+    UNUSED1(1022, "unused1", "deprecated, DO NOT USE"),
+    MEDIA_RW(1023, "media_rw", "internal media storage write access"),
+    MTP(1024, "mtp", "MTP USB driver access"),
+    UNUSED2(1025, "unused2", "deprecated, DO NOT USE"),
+    DRMRPC(1026, "drmrpc", "group for drm rpc"),
+    NFC(1027, "nfc", "nfc subsystem"),
+    SDCARD_R(1028, "sdcard_r", "external storage read access"),
+    CLAT(1029, "clat", "clat part of nat464"),
+    LOOP_RADIO(1030, "loop_radio", "loop radio devices"),
+    MEDIA_DRM(1031, "media_drm", "MediaDrm plugins"),
+    PACKAGE_INFO(1032, "package_info", "access to installed package details"),
+    SDCARD_PICS(1033, "sdcard_pics", "external storage photos access"),
+    SDCARD_AV(1034, "sdcard_av", "external storage audio/video access"),
+    SDCARD_ALL(1035, "sdcard_all", "access all users external storage"),
+    LOGD(1036, "logd", "log daemon"),
+    SHARED_RELRO(1037, "shared_relro", "creator of shared GNU RELRO files"),
+    DBUS(1038, "dbus", "dbus-daemon IPC broker process"),
+    TLSDATE(1039, "tlsdate", "tlsdate unprivileged user"),
+    MEDIA_EX(1040, "media_ex", "mediaextractor process"),
+    AUDIOSERVER(1041, "audioserver", "audioserver process"),
+    METRICS_COLL(1042, "metrics_coll", "metrics_collector process"),
+    METRICSD(1043, "metricsd", "metricsd process"),
+    WEBSERV(1044, "webserv", "webservd process"),
+    DEBUGGERD(1045, "debuggerd", "debuggerd unprivileged user"),
+    MEDIA_CODEC(1046, "media_codec", "media_codec process"),
+    CAMERASERVER(1047, "cameraserver", "cameraserver process"),
+    FIREWALL(1048, "firewall", "firewall process"),
+    TRUNKS(1049, "trunks", "trunksd process"),
+    NVRAM(1050, "nvram", "nvram daemon"),
+    DNS_TETHER(1051, "dns_tether", "dns_tether device"),
+    DNS_TETHER_RESERVED(1052, "dns_tether_reserved", "Reserved range for dns_tether"),
+    WEBVIEW_ZYGOTE(1053, "webview_zygote", "zygote process"),
+    WEBVIEW_USER(1054, "webview_user", "webview chromium user"),
+    ETHERNET(1055, "ethernet", "Ethernet"),
+    TOMBSTONED(1056, "tombstoned", "tombstoned process"),
+    GRAPHICS_RW(1057, "graphics_rw", "graphics devices"),
+
+    SHELL(2000, "shell", "adb and debug shell user"),
+    CACHE(2001, "cache", "cache access"),
+    DIAG(2002, "diag", "diagnostics"),
+    NET_BT_ADMIN(3001, "net_bt_admin", "bluetooth: create any socket"),
+    NET_BT(3002, "net_bt", "bluetooth: create sco, rfcomm or l2cap sockets"),
+    INET(3003, "inet", "can create AF_INET and AF_INET6 sockets"),
+    NET_RAW(3004, "net_raw", "can create raw INET sockets"),
+    NET_ADMIN(3005, "net_admin", "can configure interfaces and routing tables."),
+    NET_BW_STATS(3006, "net_bw_stats", "read bandwidth statistics"),
+    NET_BW_ACCT(3007, "net_bw_acct", "change bandwidth statistics accounting"),
+    NET_BT_STACK(3008, "net_bt_stack", "access to various bluetooth management functions"),
+    QCOM_DIAG(3009, "qcom_diag", "allow msm specific diag commands"),
+    EVERYBODY(9997, "everybody", "Shared external storage read/write"),
+    MISC(9998, "misc", "Access to misc storage"),
+    NOBODY(9999, "nobody", "Reserved"),
+    APP(10000, "app", "Access to app data"),
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/MainActivity.kt

@@ -5,7 +5,6 @@ import androidx.activity.ComponentActivity
 import androidx.activity.compose.setContent
 import androidx.compose.animation.ExperimentalAnimationApi
 import androidx.compose.foundation.layout.padding
-import androidx.compose.material3.ExperimentalMaterial3Api
 import androidx.compose.material3.Icon
 import androidx.compose.material3.NavigationBar
 import androidx.compose.material3.NavigationBarItem
@@ -25,6 +24,8 @@ import com.google.accompanist.navigation.animation.rememberAnimatedNavController
 import com.ramcosta.composedestinations.DestinationsNavHost
 import com.ramcosta.composedestinations.navigation.popBackStack
 import com.ramcosta.composedestinations.utils.isRouteOnBackStackAsState
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.ksuApp
 import me.weishu.kernelsu.ui.component.rememberDialogHostState
 import me.weishu.kernelsu.ui.screen.BottomBarDestination
 import me.weishu.kernelsu.ui.screen.NavGraphs
@@ -34,7 +35,7 @@ import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 
 class MainActivity : ComponentActivity() {
 
-    @OptIn(ExperimentalAnimationApi::class, ExperimentalMaterial3Api::class)
+    @OptIn(ExperimentalAnimationApi::class)
     override fun onCreate(savedInstanceState: Bundle?) {
         super.onCreate(savedInstanceState)
 
@@ -64,8 +65,11 @@ class MainActivity : ComponentActivity() {
 
 @Composable
 private fun BottomBar(navController: NavHostController) {
+    val isManager = Natives.becomeManager(ksuApp.packageName)
+    val fullFeatured = isManager && !Natives.requireNewKernel()
     NavigationBar(tonalElevation = 8.dp) {
         BottomBarDestination.values().forEach { destination ->
+            if (!fullFeatured && destination.rootRequired) return@forEach
             val isCurrentDestOnBackStack by navController.isRouteOnBackStackAsState(destination.direction)
             NavigationBarItem(
                 selected = isCurrentDestOnBackStack,

manager/app/src/main/java/me/weishu/kernelsu/ui/component/Dialog.kt

@@ -1,20 +1,33 @@
 package me.weishu.kernelsu.ui.component
 
+import android.graphics.text.LineBreaker
+import android.text.Layout
+import android.text.method.LinkMovementMethod
+import android.view.ViewGroup
+import android.widget.TextView
 import androidx.compose.foundation.layout.Box
+import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.size
+import androidx.compose.foundation.layout.wrapContentHeight
 import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material3.AlertDialog
 import androidx.compose.material3.CircularProgressIndicator
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.LocalContentColor
 import androidx.compose.material3.Surface
 import androidx.compose.material3.Text
 import androidx.compose.material3.TextButton
 import androidx.compose.runtime.*
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.toArgb
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.unit.dp
+import androidx.compose.ui.viewinterop.AndroidView
 import androidx.compose.ui.window.Dialog
 import androidx.compose.ui.window.DialogProperties
+import io.noties.markwon.Markwon
+import io.noties.markwon.utils.NoCopySpannableFactory
 import kotlinx.coroutines.CancellableContinuation
 import kotlinx.coroutines.coroutineScope
 import kotlinx.coroutines.launch
@@ -36,6 +49,7 @@ interface PromptDialogVisuals : DialogVisuals {
 interface ConfirmDialogVisuals : PromptDialogVisuals {
     val confirm: String?
     val dismiss: String?
+    val isMarkdown: Boolean
 }
 
 
@@ -68,15 +82,15 @@ class DialogHostState {
     private object LoadingDialogVisualsImpl : LoadingDialogVisuals
 
     private data class PromptDialogVisualsImpl(
-        override val title: String,
-        override val content: String
+        override val title: String, override val content: String
     ) : PromptDialogVisuals
 
     private data class ConfirmDialogVisualsImpl(
         override val title: String,
         override val content: String,
         override val confirm: String?,
-        override val dismiss: String?
+        override val dismiss: String?,
+        override val isMarkdown: Boolean,
     ) : ConfirmDialogVisuals
 
     private data class LoadingDialogDataImpl(
@@ -121,8 +135,7 @@ class DialogHostState {
             mutex.withLock {
                 suspendCancellableCoroutine { continuation ->
                     currentDialogData = LoadingDialogDataImpl(
-                        visuals = LoadingDialogVisualsImpl,
-                        continuation = continuation
+                        visuals = LoadingDialogVisualsImpl, continuation = continuation
                     )
                 }
             }
@@ -161,13 +174,14 @@ class DialogHostState {
     suspend fun showConfirm(
         title: String,
         content: String,
+        markdown: Boolean = false,
         confirm: String? = null,
         dismiss: String? = null
     ): ConfirmResult = mutex.withLock {
         try {
             return@withLock suspendCancellableCoroutine { continuation ->
                 currentDialogData = ConfirmDialogDataImpl(
-                    visuals = ConfirmDialogVisualsImpl(title, content, confirm, dismiss),
+                    visuals = ConfirmDialogVisualsImpl(title, content, confirm, dismiss, markdown),
                     continuation = continuation
                 )
             }
@@ -201,9 +215,7 @@ fun LoadingDialog(
     }
     Dialog(onDismissRequest = {}, properties = dialogProperties) {
         Surface(
-            modifier = Modifier
-                .size(100.dp),
-            shape = RoundedCornerShape(8.dp)
+            modifier = Modifier.size(100.dp), shape = RoundedCornerShape(8.dp)
         ) {
             Box(
                 contentAlignment = Alignment.Center,
@@ -240,11 +252,13 @@ fun PromptDialog(
     )
 }
 
+@OptIn(ExperimentalMaterial3Api::class)
 @Composable
 fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
     val confirmDialogData = state.currentDialogData.tryInto<ConfirmDialogData>() ?: return
 
     val visuals = confirmDialogData.visuals
+
     AlertDialog(
         onDismissRequest = {
             confirmDialogData.dismiss()
@@ -253,7 +267,11 @@ fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
             Text(text = visuals.title)
         },
         text = {
-            Text(text = visuals.content)
+            if (visuals.isMarkdown) {
+                MarkdownContent(content = visuals.content)
+            } else {
+                Text(text = visuals.content)
+            }
         },
         confirmButton = {
             TextButton(onClick = { confirmDialogData.confirm() }) {
@@ -266,4 +284,28 @@ fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
             }
         },
     )
+}
+@Composable
+private fun MarkdownContent(content: String) {
+    val contentColor = LocalContentColor.current
+
+    AndroidView(
+        factory = { context ->
+            TextView(context).apply {
+                movementMethod = LinkMovementMethod.getInstance()
+                setSpannableFactory(NoCopySpannableFactory.getInstance())
+                breakStrategy = LineBreaker.BREAK_STRATEGY_SIMPLE
+                hyphenationFrequency = Layout.HYPHENATION_FREQUENCY_NONE
+                layoutParams = ViewGroup.LayoutParams(
+                    ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.WRAP_CONTENT
+                )
+            }
+        },
+        modifier = Modifier
+            .fillMaxWidth()
+            .wrapContentHeight(),
+        update = {
+            Markwon.create(it.context).setMarkdown(it, content)
+            it.setTextColor(contentColor.toArgb())
+        })
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/KeyEventBlocker.kt

@@ -0,0 +1,28 @@
+package me.weishu.kernelsu.ui.component
+
+import androidx.compose.foundation.focusable
+import androidx.compose.foundation.layout.Box
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.LaunchedEffect
+import androidx.compose.runtime.remember
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.focus.FocusRequester
+import androidx.compose.ui.focus.focusRequester
+import androidx.compose.ui.input.key.KeyEvent
+import androidx.compose.ui.input.key.onKeyEvent
+
+@Composable
+fun KeyEventBlocker(predicate: (KeyEvent) -> Boolean) {
+    val requester = remember { FocusRequester() }
+    Box(
+        Modifier
+            .onKeyEvent {
+                predicate(it)
+            }
+            .focusRequester(requester)
+            .focusable()
+    )
+    LaunchedEffect(Unit) {
+        requester.requestFocus()
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SearchBar.kt

@@ -10,10 +10,22 @@ import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.text.KeyboardActions
 import androidx.compose.foundation.text.KeyboardOptions
 import androidx.compose.material.icons.Icons
-import androidx.compose.material.icons.filled.*
+import androidx.compose.material.icons.filled.Close
+import androidx.compose.material.icons.filled.Search
 import androidx.compose.material.icons.outlined.ArrowBack
-import androidx.compose.material3.*
-import androidx.compose.runtime.*
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.Icon
+import androidx.compose.material3.IconButton
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.material3.TopAppBar
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.DisposableEffect
+import androidx.compose.runtime.LaunchedEffect
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.ExperimentalComposeUiApi
 import androidx.compose.ui.Modifier
@@ -21,11 +33,9 @@ import androidx.compose.ui.focus.FocusRequester
 import androidx.compose.ui.focus.focusRequester
 import androidx.compose.ui.focus.onFocusChanged
 import androidx.compose.ui.platform.LocalSoftwareKeyboardController
-import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.input.ImeAction
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
-import me.weishu.kernelsu.R
 
 private const val TAG = "SearchBar"
 

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SettingsItem.kt

@@ -0,0 +1,52 @@
+package me.weishu.kernelsu.ui.component
+
+import androidx.compose.material3.Icon
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.RadioButton
+import androidx.compose.material3.Switch
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.ui.graphics.vector.ImageVector
+
+@Composable
+fun SwitchItem(
+    icon: ImageVector? = null,
+    title: String,
+    summary: String? = null,
+    checked: Boolean,
+    enabled: Boolean = true,
+    onCheckedChange: (Boolean) -> Unit
+) {
+    ListItem(
+        headlineContent = {
+            Text(title)
+        },
+        leadingContent = icon?.let {
+            { Icon(icon, title) }
+        },
+        trailingContent = {
+            Switch(checked = checked, enabled = enabled, onCheckedChange = onCheckedChange)
+        },
+        supportingContent = {
+            if (summary != null) {
+                Text(summary)
+            }
+        }
+    )
+}
+
+@Composable
+fun RadioItem(
+    title: String,
+    selected: Boolean,
+    onClick: () -> Unit,
+) {
+    ListItem(
+        headlineContent = {
+            Text(title)
+        },
+        leadingContent = {
+            RadioButton(selected = selected, onClick = onClick)
+        },
+    )
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/AppProfileConfig.kt

@@ -0,0 +1,63 @@
+package me.weishu.kernelsu.ui.component.profile
+
+import androidx.compose.foundation.layout.Column
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.tooling.preview.Preview
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.SwitchItem
+
+@Composable
+fun AppProfileConfig(
+    modifier: Modifier = Modifier,
+    fixedName: Boolean,
+    enabled: Boolean,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    Column(modifier = modifier) {
+        if (!fixedName) {
+            OutlinedTextField(
+                label = { Text(stringResource(R.string.profile_name)) },
+                value = profile.name,
+                onValueChange = { onProfileChange(profile.copy(name = it)) }
+            )
+        }
+
+        SwitchItem(
+            title = stringResource(R.string.profile_umount_modules),
+            summary = stringResource(R.string.profile_umount_modules_summary),
+            checked = if (enabled) {
+                profile.umountModules
+            } else {
+                Natives.isDefaultUmountModules()
+            },
+            enabled = enabled,
+            onCheckedChange = {
+                onProfileChange(
+                    profile.copy(
+                        umountModules = it,
+                        nonRootUseDefault = false
+                    )
+                )
+            }
+        )
+    }
+}
+
+@Preview
+@Composable
+private fun AppProfileConfigPreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    AppProfileConfig(fixedName = true, enabled = false, profile = profile) {
+        profile = it
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/RootProfileConfig.kt

@@ -0,0 +1,464 @@
+@file:OptIn(ExperimentalMaterial3Api::class)
+
+package me.weishu.kernelsu.ui.component.profile
+
+import androidx.compose.foundation.clickable
+import androidx.compose.foundation.layout.Column
+import androidx.compose.foundation.layout.ExperimentalLayoutApi
+import androidx.compose.foundation.layout.FlowRow
+import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.text.KeyboardActions
+import androidx.compose.foundation.text.KeyboardOptions
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.ArrowDropDown
+import androidx.compose.material.icons.filled.ArrowDropUp
+import androidx.compose.material3.AssistChip
+import androidx.compose.material3.DropdownMenuItem
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.ExposedDropdownMenuBox
+import androidx.compose.material3.Icon
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.MaterialTheme
+import androidx.compose.material3.OutlinedCard
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Text
+import androidx.compose.material3.TextFieldDefaults
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.ExperimentalComposeUiApi
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalSoftwareKeyboardController
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.input.ImeAction
+import androidx.compose.ui.text.input.KeyboardType
+import androidx.compose.ui.tooling.preview.Preview
+import androidx.compose.ui.unit.dp
+import androidx.core.text.isDigitsOnly
+import com.maxkeppeker.sheets.core.models.base.Header
+import com.maxkeppeker.sheets.core.models.base.rememberUseCaseState
+import com.maxkeppeler.sheets.input.InputDialog
+import com.maxkeppeler.sheets.input.models.InputHeader
+import com.maxkeppeler.sheets.input.models.InputSelection
+import com.maxkeppeler.sheets.input.models.InputTextField
+import com.maxkeppeler.sheets.input.models.InputTextFieldType
+import com.maxkeppeler.sheets.input.models.ValidationResult
+import com.maxkeppeler.sheets.list.ListDialog
+import com.maxkeppeler.sheets.list.models.ListOption
+import com.maxkeppeler.sheets.list.models.ListSelection
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.profile.Capabilities
+import me.weishu.kernelsu.profile.Groups
+import me.weishu.kernelsu.ui.util.isSepolicyValid
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+fun RootProfileConfig(
+    modifier: Modifier = Modifier,
+    fixedName: Boolean,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    Column(modifier = modifier) {
+        if (!fixedName) {
+            OutlinedTextField(
+                label = { Text(stringResource(R.string.profile_name)) },
+                value = profile.name,
+                onValueChange = { onProfileChange(profile.copy(name = it)) }
+            )
+        }
+
+        var expanded by remember { mutableStateOf(false) }
+        val currentNamespace = when (profile.namespace) {
+            Natives.Profile.Namespace.Inherited.ordinal -> stringResource(R.string.profile_namespace_inherited)
+            Natives.Profile.Namespace.Global.ordinal -> stringResource(R.string.profile_namespace_global)
+            Natives.Profile.Namespace.Individual.ordinal -> stringResource(R.string.profile_namespace_individual)
+            else -> stringResource(R.string.profile_namespace_inherited)
+        }
+        ListItem(headlineContent = {
+            ExposedDropdownMenuBox(
+                expanded = expanded,
+                onExpandedChange = { expanded = !expanded }
+            ) {
+                OutlinedTextField(
+                    modifier = Modifier
+                        .menuAnchor()
+                        .fillMaxWidth(),
+                    readOnly = true,
+                    label = { Text(stringResource(R.string.profile_namespace)) },
+                    value = currentNamespace,
+                    onValueChange = {},
+                    trailingIcon = {
+                        if (expanded) Icon(Icons.Filled.ArrowDropUp, null)
+                        else Icon(Icons.Filled.ArrowDropDown, null)
+                    },
+                )
+                ExposedDropdownMenu(
+                    expanded = expanded,
+                    onDismissRequest = { expanded = false }
+                ) {
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_inherited)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Inherited.ordinal))
+                            expanded = false
+                        },
+                    )
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_global)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Global.ordinal))
+                            expanded = false
+                        },
+                    )
+                    DropdownMenuItem(
+                        text = { Text(stringResource(R.string.profile_namespace_individual)) },
+                        onClick = {
+                            onProfileChange(profile.copy(namespace = Natives.Profile.Namespace.Individual.ordinal))
+                            expanded = false
+                        },
+                    )
+                }
+            }
+        })
+
+        UidPanel(uid = profile.uid, label = "uid", onUidChange = {
+            onProfileChange(
+                profile.copy(
+                    uid = it,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+        UidPanel(uid = profile.gid, label = "gid", onUidChange = {
+            onProfileChange(
+                profile.copy(
+                    gid = it,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+        val selectedGroups = profile.groups.ifEmpty { listOf(0) }.let { e ->
+            e.mapNotNull { g ->
+                Groups.values().find { it.gid == g }
+            }
+        }
+        GroupsPanel(selectedGroups) {
+            onProfileChange(
+                profile.copy(
+                    groups = it.map { group -> group.gid }.ifEmpty { listOf(0) },
+                    rootUseDefault = false
+                )
+            )
+        }
+
+        val selectedCaps = profile.capabilities.mapNotNull { e ->
+            Capabilities.values().find { it.cap == e }
+        }
+
+        CapsPanel(selectedCaps) {
+            onProfileChange(
+                profile.copy(
+                    capabilities = it.map { cap -> cap.cap },
+                    rootUseDefault = false
+                )
+            )
+        }
+
+        SELinuxPanel(profile = profile, onSELinuxChange = { domain, rules ->
+            onProfileChange(
+                profile.copy(
+                    context = domain,
+                    rules = rules,
+                    rootUseDefault = false
+                )
+            )
+        })
+
+    }
+}
+
+@OptIn(ExperimentalLayoutApi::class)
+@Composable
+fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>) -> Unit) {
+
+    var showDialog by remember { mutableStateOf(false) }
+
+    if (showDialog) {
+        val groups = Groups.values()
+        val options = groups.map { value ->
+            ListOption(
+                titleText = value.display,
+                subtitleText = value.desc,
+                selected = selected.contains(value),
+            )
+        }
+
+        val selection = HashSet(selected)
+        ListDialog(
+            state = rememberUseCaseState(visible = true, onFinishedRequest = {
+                closeSelection(selection)
+            }, onCloseRequest = {
+                showDialog = false
+            }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_groups),
+            ),
+            selection = ListSelection.Multiple(
+                showCheckBoxes = true,
+                options = options,
+                maxChoices = 32, // Kernel only supports 32 groups at most
+            ) { indecies, _ ->
+                // Handle selection
+                selection.clear()
+                indecies.forEach { index ->
+                    val group = groups[index]
+                    selection.add(group)
+                }
+            }
+        )
+    }
+
+    OutlinedCard(modifier = Modifier
+        .fillMaxWidth()
+        .padding(16.dp)
+        .clickable {
+            showDialog = true
+        }) {
+
+        Column(modifier = Modifier.padding(16.dp)) {
+            Text(stringResource(R.string.profile_groups))
+            FlowRow {
+                selected.forEach { group ->
+                    AssistChip(
+                        modifier = Modifier.padding(3.dp),
+                        onClick = { /*TODO*/ },
+                        label = { Text(group.display) })
+                }
+            }
+        }
+
+    }
+}
+
+@OptIn(ExperimentalLayoutApi::class)
+@Composable
+fun CapsPanel(
+    selected: Collection<Capabilities>,
+    closeSelection: (selection: Set<Capabilities>) -> Unit
+) {
+
+    var showDialog by remember { mutableStateOf(false) }
+
+    if (showDialog) {
+        val caps = Capabilities.values()
+        val options = caps.map { value ->
+            ListOption(
+                titleText = value.display,
+                subtitleText = value.desc,
+                selected = selected.contains(value),
+            )
+        }
+
+        val selection = HashSet(selected)
+        ListDialog(
+            state = rememberUseCaseState(visible = true, onFinishedRequest = {
+                closeSelection(selection)
+            }, onCloseRequest = {
+                showDialog = false
+            }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_capabilities),
+            ),
+            selection = ListSelection.Multiple(
+                showCheckBoxes = true,
+                options = options
+            ) { indecies, _ ->
+                // Handle selection
+                selection.clear()
+                indecies.forEach { index ->
+                    val group = caps[index]
+                    selection.add(group)
+                }
+            }
+        )
+    }
+
+    OutlinedCard(modifier = Modifier
+        .fillMaxWidth()
+        .padding(16.dp)
+        .clickable {
+            showDialog = true
+        }) {
+
+        Column(modifier = Modifier.padding(16.dp)) {
+            Text(stringResource(R.string.profile_capabilities))
+            FlowRow {
+                selected.forEach { group ->
+                    AssistChip(
+                        modifier = Modifier.padding(3.dp),
+                        onClick = { /*TODO*/ },
+                        label = { Text(group.display) })
+                }
+            }
+        }
+
+    }
+}
+
+@OptIn(ExperimentalComposeUiApi::class)
+@Composable
+private fun UidPanel(uid: Int, label: String, onUidChange: (Int) -> Unit) {
+
+    ListItem(headlineContent = {
+        var isError by remember {
+            mutableStateOf(false)
+        }
+        var lastValidUid by remember {
+            mutableStateOf(uid)
+        }
+
+        val keyboardController = LocalSoftwareKeyboardController.current
+        OutlinedTextField(
+            modifier = Modifier.fillMaxWidth(),
+            label = { Text(label) },
+            value = uid.toString(),
+            isError = isError,
+            keyboardOptions = KeyboardOptions(
+                keyboardType = KeyboardType.Number,
+                imeAction = ImeAction.Done
+            ),
+            keyboardActions = KeyboardActions(onDone = {
+                keyboardController?.hide()
+            }),
+            onValueChange = {
+                if (it.isEmpty()) {
+                    onUidChange(0)
+                    return@OutlinedTextField
+                }
+                val valid = isTextValidUid(it)
+
+                val targetUid = if (valid) it.toInt() else lastValidUid
+                if (valid) {
+                    lastValidUid = it.toInt()
+                }
+
+                onUidChange(targetUid)
+
+                isError = !valid
+            }
+        )
+    })
+}
+
+@Composable
+private fun SELinuxPanel(
+    profile: Natives.Profile,
+    onSELinuxChange: (domain: String, rules: String) -> Unit
+) {
+    var showDialog by remember { mutableStateOf(false) }
+    if (showDialog) {
+        var domain by remember { mutableStateOf(profile.context) }
+        var rules by remember { mutableStateOf(profile.rules) }
+
+        val inputOptions = listOf(
+            InputTextField(
+                text = domain,
+                header = InputHeader(
+                    title = stringResource(id = R.string.profile_selinux_domain),
+                ),
+                type = InputTextFieldType.OUTLINED,
+                required = true,
+                keyboardOptions = KeyboardOptions(
+                    keyboardType = KeyboardType.Ascii,
+                    imeAction = ImeAction.Next
+                ),
+                resultListener = {
+                    domain = it ?: ""
+                },
+                validationListener = { value ->
+                    // value can be a-zA-Z0-9_
+                    val regex = Regex("^[a-z_]+:[a-z0-9_]+:[a-z0-9_]+(:[a-z0-9_]+)?$")
+                    if (value?.matches(regex) == true) ValidationResult.Valid
+                    else ValidationResult.Invalid("Domain must be in the format of \"user:role:type:level\"")
+                }
+            ),
+            InputTextField(
+                text = rules,
+                header = InputHeader(
+                    title = stringResource(id = R.string.profile_selinux_rules),
+                ),
+                type = InputTextFieldType.OUTLINED,
+                keyboardOptions = KeyboardOptions(
+                    keyboardType = KeyboardType.Ascii,
+                ),
+                singleLine = false,
+                resultListener = {
+                    rules = it ?: ""
+                },
+                validationListener = { value ->
+                    if (isSepolicyValid(value)) ValidationResult.Valid
+                    else ValidationResult.Invalid("SELinux rules is invalid!")
+                }
+            )
+        )
+
+        InputDialog(
+            state = rememberUseCaseState(visible = true,
+                onFinishedRequest = {
+                    onSELinuxChange(domain, rules)
+                },
+                onCloseRequest = {
+                    showDialog = false
+                }),
+            header = Header.Default(
+                title = stringResource(R.string.profile_selinux_context),
+            ),
+            selection = InputSelection(
+                input = inputOptions,
+                onPositiveClick = { result ->
+                    // Handle selection
+                },
+            )
+        )
+    }
+
+    ListItem(headlineContent = {
+        OutlinedTextField(
+            modifier = Modifier
+                .fillMaxWidth()
+                .clickable {
+                    showDialog = true
+                },
+            enabled = false,
+            colors = TextFieldDefaults.outlinedTextFieldColors(
+                disabledTextColor = MaterialTheme.colorScheme.onSurface,
+                disabledBorderColor = MaterialTheme.colorScheme.outline,
+                disabledPlaceholderColor = MaterialTheme.colorScheme.onSurfaceVariant,
+                disabledLabelColor = MaterialTheme.colorScheme.onSurfaceVariant
+            ),
+            label = { Text(text = stringResource(R.string.profile_selinux_context)) },
+            value = profile.context,
+            onValueChange = { },
+        )
+    })
+}
+
+@Preview
+@Composable
+private fun RootProfileConfigPreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    RootProfileConfig(fixedName = true, profile = profile) {
+        profile = it
+    }
+}
+
+private fun isTextValidUid(text: String): Boolean {
+    return text.isNotEmpty() && text.isDigitsOnly() && text.toInt() >= 0 && text.toInt() <= Int.MAX_VALUE
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/AppProfile.kt

@@ -0,0 +1,391 @@
+package me.weishu.kernelsu.ui.screen
+
+import androidx.annotation.StringRes
+import androidx.compose.animation.Crossfade
+import androidx.compose.foundation.gestures.detectTapGestures
+import androidx.compose.foundation.layout.Arrangement
+import androidx.compose.foundation.layout.BoxWithConstraints
+import androidx.compose.foundation.layout.Column
+import androidx.compose.foundation.layout.Row
+import androidx.compose.foundation.layout.fillMaxSize
+import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.height
+import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.width
+import androidx.compose.foundation.rememberScrollState
+import androidx.compose.foundation.verticalScroll
+import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.filled.AccountCircle
+import androidx.compose.material.icons.filled.Android
+import androidx.compose.material.icons.filled.ArrowBack
+import androidx.compose.material.icons.filled.ArrowDropDown
+import androidx.compose.material.icons.filled.ArrowDropUp
+import androidx.compose.material.icons.filled.Security
+import androidx.compose.material3.Divider
+import androidx.compose.material3.DropdownMenu
+import androidx.compose.material3.DropdownMenuItem
+import androidx.compose.material3.ExperimentalMaterial3Api
+import androidx.compose.material3.ExposedDropdownMenuBox
+import androidx.compose.material3.FilterChip
+import androidx.compose.material3.Icon
+import androidx.compose.material3.IconButton
+import androidx.compose.material3.ListItem
+import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.Scaffold
+import androidx.compose.material3.Text
+import androidx.compose.material3.TopAppBar
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableStateOf
+import androidx.compose.runtime.remember
+import androidx.compose.runtime.rememberCoroutineScope
+import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.runtime.setValue
+import androidx.compose.ui.Modifier
+import androidx.compose.ui.geometry.Offset
+import androidx.compose.ui.input.pointer.pointerInput
+import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.platform.LocalDensity
+import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.tooling.preview.Preview
+import androidx.compose.ui.unit.Dp
+import androidx.compose.ui.unit.DpOffset
+import androidx.compose.ui.unit.dp
+import coil.compose.AsyncImage
+import coil.request.ImageRequest
+import com.ramcosta.composedestinations.annotation.Destination
+import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.launch
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.SwitchItem
+import me.weishu.kernelsu.ui.component.profile.AppProfileConfig
+import me.weishu.kernelsu.ui.component.profile.RootProfileConfig
+import me.weishu.kernelsu.ui.util.LocalSnackbarHost
+import me.weishu.kernelsu.ui.util.forceStopApp
+import me.weishu.kernelsu.ui.util.getSepolicy
+import me.weishu.kernelsu.ui.util.launchApp
+import me.weishu.kernelsu.ui.util.restartApp
+import me.weishu.kernelsu.ui.util.setSepolicy
+import me.weishu.kernelsu.ui.viewmodel.SuperUserViewModel
+
+/**
+ * @author weishu
+ * @date 2023/5/16.
+ */
+@Destination
+@Composable
+fun AppProfileScreen(
+    navigator: DestinationsNavigator,
+    appInfo: SuperUserViewModel.AppInfo,
+) {
+    val context = LocalContext.current
+    val snackbarHost = LocalSnackbarHost.current
+    val scope = rememberCoroutineScope()
+    val failToUpdateAppProfile =
+        stringResource(R.string.failed_to_update_app_profile).format(appInfo.label)
+    val failToUpdateSepolicy =
+        stringResource(R.string.failed_to_update_sepolicy).format(appInfo.label)
+
+    val packageName = appInfo.packageName
+    val initialProfile = Natives.getAppProfile(packageName, appInfo.uid)
+    if (initialProfile.allowSu) {
+        initialProfile.rules = getSepolicy(packageName)
+    }
+    var profile by rememberSaveable {
+        mutableStateOf(initialProfile)
+    }
+
+    Scaffold(
+        topBar = { TopBar { navigator.popBackStack() } },
+    ) { paddingValues ->
+        AppProfileInner(
+            modifier = Modifier
+                .padding(paddingValues)
+                .verticalScroll(rememberScrollState()),
+            packageName = appInfo.packageName,
+            appLabel = appInfo.label,
+            appIcon = {
+                AsyncImage(
+                    model = ImageRequest.Builder(context)
+                        .data(appInfo.packageInfo)
+                        .crossfade(true)
+                        .build(),
+                    contentDescription = appInfo.label,
+                    modifier = Modifier
+                        .padding(4.dp)
+                        .width(48.dp)
+                        .height(48.dp)
+                )
+            },
+            profile = profile,
+            onProfileChange = {
+                scope.launch {
+                    if (it.allowSu && !it.rootUseDefault && it.rules.isNotEmpty()) {
+                        if (!setSepolicy(profile.name, it.rules)) {
+                            snackbarHost.showSnackbar(failToUpdateSepolicy)
+                            return@launch
+                        }
+                    }
+                    if (!Natives.setAppProfile(it)) {
+                        snackbarHost.showSnackbar(failToUpdateAppProfile.format(appInfo.uid))
+                    } else {
+                        profile = it
+                    }
+                }
+            },
+        )
+    }
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun AppProfileInner(
+    modifier: Modifier = Modifier,
+    packageName: String,
+    appLabel: String,
+    appIcon: @Composable () -> Unit,
+    profile: Natives.Profile,
+    onProfileChange: (Natives.Profile) -> Unit,
+) {
+    val isRootGranted = profile.allowSu
+
+    Column(modifier = modifier) {
+        AppMenuBox(packageName) {
+            ListItem(
+                headlineContent = { Text(appLabel) },
+                supportingContent = { Text(packageName) },
+                leadingContent = appIcon,
+            )
+        }
+
+        SwitchItem(
+            icon = Icons.Filled.Security,
+            title = stringResource(id = R.string.superuser),
+            checked = isRootGranted,
+            onCheckedChange = { onProfileChange(profile.copy(allowSu = it)) },
+        )
+
+        Crossfade(targetState = isRootGranted, label = "") { current ->
+            Column {
+                if (current) {
+                    val initialMode = if (profile.rootUseDefault) {
+                        Mode.Default
+                    } else if (profile.rootTemplate != null) {
+                        Mode.Template
+                    } else {
+                        Mode.Custom
+                    }
+                    var mode by remember {
+                        mutableStateOf(initialMode)
+                    }
+                    ProfileBox(mode, false) {
+                        // template mode shouldn't change profile here!
+                        if (it == Mode.Default || it == Mode.Custom) {
+                            onProfileChange(profile.copy(rootUseDefault = it == Mode.Default))
+                        }
+                        mode = it
+                    }
+                    Crossfade(targetState = mode, label = "") { currentMode ->
+                        if (currentMode == Mode.Template) {
+                            var expanded by remember { mutableStateOf(false) }
+                            val templateNone = "None"
+                            var template by rememberSaveable {
+                                mutableStateOf(
+                                    profile.rootTemplate
+                                        ?: templateNone
+                                )
+                            }
+                            ListItem(headlineContent = {
+                                ExposedDropdownMenuBox(
+                                    expanded = expanded,
+                                    onExpandedChange = { expanded = it },
+                                ) {
+                                    OutlinedTextField(
+                                        modifier = Modifier.menuAnchor(),
+                                        readOnly = true,
+                                        label = { Text(stringResource(R.string.profile_template)) },
+                                        value = template,
+                                        onValueChange = {
+                                            if (template != templateNone) {
+                                                onProfileChange(
+                                                    profile.copy(
+                                                        rootTemplate = it,
+                                                        rootUseDefault = false
+                                                    )
+                                                )
+                                                template = it
+                                            }
+                                        },
+                                        trailingIcon = {
+                                            if (expanded) Icon(Icons.Filled.ArrowDropUp, null)
+                                            else Icon(Icons.Filled.ArrowDropDown, null)
+                                        },
+                                    )
+                                    // TODO: Template
+                                }
+                            })
+                        } else if (mode == Mode.Custom) {
+                            RootProfileConfig(
+                                fixedName = true,
+                                profile = profile,
+                                onProfileChange = onProfileChange
+                            )
+                        }
+                    }
+                } else {
+                    val mode = if (profile.nonRootUseDefault) Mode.Default else Mode.Custom
+                    ProfileBox(mode, false) {
+                        onProfileChange(profile.copy(nonRootUseDefault = (it == Mode.Default)))
+                    }
+                    Crossfade(targetState = mode, label = "") { currentMode ->
+                        val modifyEnabled = currentMode == Mode.Custom
+                        AppProfileConfig(
+                            fixedName = true,
+                            profile = profile,
+                            enabled = modifyEnabled,
+                            onProfileChange = onProfileChange
+                        )
+                    }
+                }
+            }
+        }
+    }
+}
+
+private enum class Mode(@StringRes private val res: Int) {
+    Default(R.string.profile_default),
+    Template(R.string.profile_template),
+    Custom(R.string.profile_custom);
+
+    val text: String
+        @Composable get() = stringResource(res)
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun TopBar(onBack: () -> Unit) {
+    TopAppBar(
+        title = {
+            Text(stringResource(R.string.profile))
+        },
+        navigationIcon = {
+            IconButton(
+                onClick = onBack
+            ) { Icon(Icons.Filled.ArrowBack, contentDescription = null) }
+        },
+    )
+}
+
+@OptIn(ExperimentalMaterial3Api::class)
+@Composable
+private fun ProfileBox(
+    mode: Mode,
+    hasTemplate: Boolean,
+    onModeChange: (Mode) -> Unit,
+) {
+    ListItem(
+        headlineContent = { Text(stringResource(R.string.profile)) },
+        supportingContent = { Text(mode.text) },
+        leadingContent = { Icon(Icons.Filled.AccountCircle, null) },
+    )
+    Divider(thickness = Dp.Hairline)
+    ListItem(headlineContent = {
+        Row(
+            modifier = Modifier.fillMaxWidth(),
+            horizontalArrangement = Arrangement.SpaceEvenly
+        ) {
+            FilterChip(
+                selected = mode == Mode.Default,
+                label = { Text(stringResource(R.string.profile_default)) },
+                onClick = { onModeChange(Mode.Default) },
+            )
+            if (hasTemplate) {
+                FilterChip(
+                    selected = mode == Mode.Template,
+                    label = { Text(stringResource(R.string.profile_template)) },
+                    onClick = { onModeChange(Mode.Template) },
+                )
+            }
+            FilterChip(
+                selected = mode == Mode.Custom,
+                label = { Text(stringResource(R.string.profile_custom)) },
+                onClick = { onModeChange(Mode.Custom) },
+            )
+        }
+    })
+}
+
+@Composable
+private fun AppMenuBox(packageName: String, content: @Composable () -> Unit) {
+
+    var expanded by remember { mutableStateOf(false) }
+    var touchPoint: Offset by remember { mutableStateOf(Offset.Zero) }
+    val density = LocalDensity.current
+
+    BoxWithConstraints(
+        Modifier
+            .fillMaxSize()
+            .pointerInput(Unit) {
+                detectTapGestures {
+                    touchPoint = it
+                    expanded = true
+                }
+            }
+    ) {
+
+        content()
+
+        val (offsetX, offsetY) = with(density) {
+            (touchPoint.x.toDp()) to (touchPoint.y.toDp())
+        }
+
+        DropdownMenu(
+            expanded = expanded,
+            offset = DpOffset(offsetX, -offsetY),
+            onDismissRequest = {
+                expanded = false
+            },
+        ) {
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.launch_app)) },
+                onClick = {
+                    expanded = false
+                    launchApp(packageName)
+                },
+            )
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.force_stop_app)) },
+                onClick = {
+                    expanded = false
+                    forceStopApp(packageName)
+                },
+            )
+            DropdownMenuItem(
+                text = { Text(stringResource(id = R.string.restart_app)) },
+                onClick = {
+                    expanded = false
+                    restartApp(packageName)
+                },
+            )
+        }
+    }
+
+
+}
+
+@Preview
+@Composable
+private fun AppProfilePreview() {
+    var profile by remember { mutableStateOf(Natives.Profile("")) }
+    AppProfileInner(
+        packageName = "icu.nullptr.test",
+        appLabel = "Test",
+        appIcon = { Icon(Icons.Filled.Android, null) },
+        profile = profile,
+        onProfileChange = {
+            profile = it
+        },
+    )
+}
+

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/BottomBarDestination.kt

@@ -15,9 +15,10 @@ enum class BottomBarDestination(
     val direction: DirectionDestinationSpec,
     @StringRes val label: Int,
     val iconSelected: ImageVector,
-    val iconNotSelected: ImageVector
+    val iconNotSelected: ImageVector,
+    val rootRequired: Boolean,
 ) {
-    Home(HomeScreenDestination, R.string.home, Icons.Filled.Home, Icons.Outlined.Home),
-    SuperUser(SuperUserScreenDestination, R.string.superuser, Icons.Filled.Security, Icons.Outlined.Security),
-    Module(ModuleScreenDestination, R.string.module, Icons.Filled.Apps, Icons.Outlined.Apps)
+    Home(HomeScreenDestination, R.string.home, Icons.Filled.Home, Icons.Outlined.Home, false),
+    SuperUser(SuperUserScreenDestination, R.string.superuser, Icons.Filled.Security, Icons.Outlined.Security, true),
+    Module(ModuleScreenDestination, R.string.module, Icons.Filled.Apps, Icons.Outlined.Apps, true)
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Home.kt

@@ -19,32 +19,34 @@ import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.platform.LocalUriHandler
 import androidx.compose.ui.res.stringResource
-import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.annotation.RootNavGraph
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.*
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.ConfirmDialog
+import me.weishu.kernelsu.ui.component.ConfirmResult
 import me.weishu.kernelsu.ui.screen.destinations.SettingScreenDestination
 import me.weishu.kernelsu.ui.util.*
 
-@OptIn(ExperimentalMaterial3Api::class)
 @RootNavGraph(start = true)
 @Destination
 @Composable
 fun HomeScreen(navigator: DestinationsNavigator) {
-    Scaffold(
-        topBar = {
-            TopBar(onSettingsClick = {
-                navigator.navigate(SettingScreenDestination)
-            })
-        }
-    ) { innerPadding ->
+    Scaffold(topBar = {
+        TopBar(onSettingsClick = {
+            navigator.navigate(SettingScreenDestination)
+        })
+    }) { innerPadding ->
         Column(
             modifier = Modifier
                 .padding(innerPadding)
@@ -57,13 +59,59 @@ fun HomeScreen(navigator: DestinationsNavigator) {
             SideEffect {
                 if (isManager) install()
             }
-            val ksuVersion = if (isManager) Natives.getVersion() else null
+            val ksuVersion = if (isManager) Natives.version else null
 
             StatusCard(kernelVersion, ksuVersion)
+            if (isManager && Natives.requireNewKernel()) {
+                WarningCard(
+                    stringResource(id = R.string.require_kernel_version).format(
+                        ksuVersion, Natives.MINIMAL_SUPPORTED_KERNEL
+                    )
+                )
+            }
+            UpdateCard()
             InfoCard()
             DonateCard()
             LearnMoreCard()
             Spacer(Modifier)
+            ConfirmDialog()
+        }
+    }
+}
+
+@Composable
+fun UpdateCard() {
+    val context = LocalContext.current
+    val newVersion by produceState(initialValue = Triple(0, "", "")) {
+        value = withContext(Dispatchers.IO) { checkNewVersion() }
+    }
+    val currentVersionCode = getManagerVersion(context).second
+    val newVersionCode = newVersion.first
+    val newVersionUrl = newVersion.second
+    val changelog = newVersion.third
+    if (newVersionCode <= currentVersionCode) {
+        return
+    }
+
+    val uriHandler = LocalUriHandler.current
+    val dialogHost = LocalDialogHost.current
+    val title = stringResource(id = R.string.module_changelog)
+    val updateText = stringResource(id = R.string.module_update)
+    val scope = rememberCoroutineScope()
+    WarningCard(
+        message = stringResource(id = R.string.new_version_available).format(newVersionCode),
+        MaterialTheme.colorScheme.outlineVariant
+    ) {
+        scope.launch {
+            if (changelog.isEmpty() || dialogHost.showConfirm(
+                    title = title,
+                    content = changelog,
+                    markdown = true,
+                    confirm = updateText,
+                ) == ConfirmResult.Confirmed
+            ) {
+                uriHandler.openUri(newVersionUrl)
+            }
         }
     }
 }
@@ -80,44 +128,41 @@ fun RebootDropdownItem(@StringRes id: Int, reason: String = "") {
 @OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun TopBar(onSettingsClick: () -> Unit) {
-    TopAppBar(
-        title = { Text(stringResource(R.string.app_name)) },
-        actions = {
-            var showDropdown by remember { mutableStateOf(false) }
-            IconButton(onClick = {
-                showDropdown = true
+    TopAppBar(title = { Text(stringResource(R.string.app_name)) }, actions = {
+        var showDropdown by remember { mutableStateOf(false) }
+        IconButton(onClick = {
+            showDropdown = true
+        }) {
+            Icon(
+                imageVector = Icons.Filled.Refresh,
+                contentDescription = stringResource(id = R.string.reboot)
+            )
+
+            DropdownMenu(expanded = showDropdown, onDismissRequest = {
+                showDropdown = false
             }) {
-                Icon(
-                    imageVector = Icons.Filled.Refresh,
-                    contentDescription = stringResource(id = R.string.reboot)
-                )
 
-                DropdownMenu(expanded = showDropdown, onDismissRequest = {
-                    showDropdown = false
-                }) {
+                RebootDropdownItem(id = R.string.reboot)
 
-                    RebootDropdownItem(id = R.string.reboot)
-
-                    val pm =
-                        LocalContext.current.getSystemService(Context.POWER_SERVICE) as PowerManager?
-                    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R && pm?.isRebootingUserspaceSupported == true) {
-                        RebootDropdownItem(id = R.string.reboot_userspace, reason = "userspace")
-                    }
-                    RebootDropdownItem(id = R.string.reboot_recovery, reason = "recovery")
-                    RebootDropdownItem(id = R.string.reboot_bootloader, reason = "bootloader")
-                    RebootDropdownItem(id = R.string.reboot_download, reason = "download")
-                    RebootDropdownItem(id = R.string.reboot_edl, reason = "edl")
+                val pm =
+                    LocalContext.current.getSystemService(Context.POWER_SERVICE) as PowerManager?
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R && pm?.isRebootingUserspaceSupported == true) {
+                    RebootDropdownItem(id = R.string.reboot_userspace, reason = "userspace")
                 }
-            }
-
-            IconButton(onClick = onSettingsClick) {
-                Icon(
-                    imageVector = Icons.Filled.Settings,
-                    contentDescription = stringResource(id = R.string.settings)
-                )
+                RebootDropdownItem(id = R.string.reboot_recovery, reason = "recovery")
+                RebootDropdownItem(id = R.string.reboot_bootloader, reason = "bootloader")
+                RebootDropdownItem(id = R.string.reboot_download, reason = "download")
+                RebootDropdownItem(id = R.string.reboot_edl, reason = "edl")
             }
         }
-    )
+
+        IconButton(onClick = onSettingsClick) {
+            Icon(
+                imageVector = Icons.Filled.Settings,
+                contentDescription = stringResource(id = R.string.settings)
+            )
+        }
+    })
 }
 
 @Composable
@@ -129,20 +174,17 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
         })
     ) {
         val uriHandler = LocalUriHandler.current
-        Row(
-            modifier = Modifier
-                .fillMaxWidth()
-                .clickable {
-                    if (kernelVersion.isGKI() && ksuVersion == null) {
-                        uriHandler.openUri("https://kernelsu.org/guide/installation.html")
-                    }
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                if (kernelVersion.isGKI() && ksuVersion == null) {
+                    uriHandler.openUri("https://kernelsu.org/guide/installation.html")
                 }
-                .padding(24.dp),
-            verticalAlignment = Alignment.CenterVertically
-        ) {
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
             when {
                 ksuVersion != null -> {
-                    val appendText = if (Natives.isSafeMode()) {
+                    val appendText = if (Natives.isSafeMode) {
                         " [${stringResource(id = R.string.safe_mode)}]"
                     } else {
                         ""
@@ -160,8 +202,9 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
                         )
                         Spacer(Modifier.height(4.dp))
                         Text(
-                            text = stringResource(R.string.home_superuser_count, getSuperuserCount()),
-                            style = MaterialTheme.typography.bodyMedium
+                            text = stringResource(
+                                R.string.home_superuser_count, getSuperuserCount()
+                            ), style = MaterialTheme.typography.bodyMedium
                         )
                         Spacer(Modifier.height(4.dp))
                         Text(
@@ -170,6 +213,7 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
                         )
                     }
                 }
+
                 kernelVersion.isGKI() -> {
                     Icon(Icons.Outlined.Warning, stringResource(R.string.home_not_installed))
                     Column(Modifier.padding(start = 20.dp)) {
@@ -184,12 +228,12 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
                         )
                     }
                 }
+
                 else -> {
                     Icon(Icons.Outlined.Block, stringResource(R.string.home_unsupported))
                     Column(Modifier.padding(start = 20.dp)) {
                         Text(
                             text = stringResource(R.string.home_unsupported),
-                            fontFamily = FontFamily.Serif,
                             style = MaterialTheme.typography.titleMedium
                         )
                         Spacer(Modifier.height(4.dp))
@@ -204,6 +248,28 @@ private fun StatusCard(kernelVersion: KernelVersion, ksuVersion: Int?) {
     }
 }
 
+@Composable
+fun WarningCard(
+    message: String, color: Color = MaterialTheme.colorScheme.error, onClick: (() -> Unit)? = null
+) {
+    ElevatedCard(
+        colors = CardDefaults.elevatedCardColors(
+            containerColor = color
+        )
+    ) {
+        Row(
+            modifier = Modifier
+                .fillMaxWidth()
+                .then(onClick?.let { Modifier.clickable { it() } } ?: Modifier)
+                .padding(24.dp)
+        ) {
+            Text(
+                text = message, style = MaterialTheme.typography.bodyMedium
+            )
+        }
+    }
+}
+
 @Composable
 fun LearnMoreCard() {
     val uriHandler = LocalUriHandler.current
@@ -211,15 +277,12 @@ fun LearnMoreCard() {
 
     ElevatedCard {
 
-        Row(
-            modifier = Modifier
-                .fillMaxWidth()
-                .clickable {
-                    uriHandler.openUri(url)
-                }
-                .padding(24.dp),
-            verticalAlignment = Alignment.CenterVertically
-        ) {
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                uriHandler.openUri(url)
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
             Column() {
                 Text(
                     text = stringResource(R.string.home_learn_kernelsu),
@@ -241,15 +304,12 @@ fun DonateCard() {
 
     ElevatedCard {
 
-        Row(
-            modifier = Modifier
-                .fillMaxWidth()
-                .clickable {
-                    uriHandler.openUri("https://patreon.com/weishu")
-                }
-                .padding(24.dp),
-            verticalAlignment = Alignment.CenterVertically
-        ) {
+        Row(modifier = Modifier
+            .fillMaxWidth()
+            .clickable {
+                uriHandler.openUri("https://patreon.com/weishu")
+            }
+            .padding(24.dp), verticalAlignment = Alignment.CenterVertically) {
             Column() {
                 Text(
                     text = stringResource(R.string.home_support_title),
@@ -288,7 +348,11 @@ private fun InfoCard() {
             InfoCardItem(stringResource(R.string.home_kernel), uname.release)
 
             Spacer(Modifier.height(16.dp))
-            InfoCardItem(stringResource(R.string.home_manager_version), getManagerVersion(context))
+            val managerVersion = getManagerVersion(context)
+            InfoCardItem(
+                stringResource(R.string.home_manager_version),
+                "${managerVersion.first} (${managerVersion.second})"
+            )
 
             Spacer(Modifier.height(16.dp))
             InfoCardItem(stringResource(R.string.home_fingerprint), Build.FINGERPRINT)
@@ -299,9 +363,9 @@ private fun InfoCard() {
     }
 }
 
-fun getManagerVersion(context: Context): String {
+fun getManagerVersion(context: Context): Pair<String, Int> {
     val packageInfo = context.packageManager.getPackageInfo(context.packageName, 0)
-    return "${packageInfo.versionName} (${packageInfo.versionCode})"
+    return Pair(packageInfo.versionName, packageInfo.versionCode)
 }
 
 @Preview
@@ -313,3 +377,15 @@ private fun StatusCardPreview() {
         StatusCard(KernelVersion(4, 10, 101), null)
     }
 }
+
+@Preview
+@Composable
+private fun WarningCardPreview() {
+    Column {
+        WarningCard(message = "Warning message")
+        WarningCard(
+            message = "Warning message ",
+            MaterialTheme.colorScheme.outlineVariant,
+            onClick = {})
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Install.kt

@@ -14,8 +14,12 @@ import androidx.compose.material.icons.filled.Save
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
 import androidx.compose.runtime.saveable.rememberSaveable
+import androidx.compose.ui.ExperimentalComposeUiApi
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.input.key.Key
+import androidx.compose.ui.input.key.key
 import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.font.FontFamily
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
 import com.ramcosta.composedestinations.annotation.Destination
@@ -24,6 +28,7 @@ import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.R
+import me.weishu.kernelsu.ui.component.KeyEventBlocker
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.util.installModule
 import me.weishu.kernelsu.ui.util.reboot
@@ -35,16 +40,18 @@ import java.util.*
  * @author weishu
  * @date 2023/1/1.
  */
-@OptIn(ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalComposeUiApi::class)
 @Composable
 @Destination
 fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
 
     var text by rememberSaveable { mutableStateOf("") }
+    val logContent = StringBuilder()
     var showFloatAction by rememberSaveable { mutableStateOf(false) }
 
     val snackBarHost = LocalSnackbarHost.current
     val scope = rememberCoroutineScope()
+    val scrollState = rememberScrollState()
 
     LaunchedEffect(Unit) {
         if (text.isNotEmpty()) {
@@ -55,9 +62,15 @@ fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
                 if (success) {
                     showFloatAction = true
                 }
-            }) {
+            }, onStdout = {
                 text += "$it\n"
-            }
+                scope.launch {
+                    scrollState.animateScrollTo(scrollState.maxValue)
+                }
+                logContent.append(it).append("\n")
+            }, onStderr = {
+                logContent.append(it).append("\n")
+            });
         }
     }
 
@@ -75,7 +88,7 @@ fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
                             Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS),
                             "KernelSU_install_log_${date}.log"
                         )
-                        file.writeText(text)
+                        file.writeText(logContent.toString())
                         snackBarHost.showSnackbar("Log saved to ${file.absolutePath}")
                     }
                 }
@@ -99,17 +112,20 @@ fun InstallScreen(navigator: DestinationsNavigator, uri: Uri) {
 
         }
     ) { innerPadding ->
+        KeyEventBlocker {
+            it.key == Key.VolumeDown || it.key == Key.VolumeUp
+        }
         Column(
             modifier = Modifier
                 .fillMaxSize(1f)
                 .padding(innerPadding)
-                .verticalScroll(rememberScrollState()),
+                .verticalScroll(scrollState),
         ) {
             Text(
                 modifier = Modifier.padding(8.dp),
                 text = text,
                 fontSize = MaterialTheme.typography.bodySmall.fontSize,
-                fontFamily = MaterialTheme.typography.bodySmall.fontFamily,
+                fontFamily = FontFamily.Monospace,
                 lineHeight = MaterialTheme.typography.bodySmall.lineHeight,
             )
         }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Module.kt

@@ -2,12 +2,15 @@ package me.weishu.kernelsu.ui.screen
 
 import android.app.Activity.RESULT_OK
 import android.content.Intent
+import android.net.Uri
 import android.util.Log
+import android.widget.Toast
 import androidx.activity.compose.rememberLauncherForActivityResult
 import androidx.activity.result.contract.ActivityResultContracts
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material.ExperimentalMaterialApi
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.Add
@@ -19,6 +22,7 @@ import androidx.compose.runtime.*
 import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.text.font.FontWeight
 import androidx.compose.ui.text.style.TextAlign
@@ -30,32 +34,34 @@ import androidx.compose.ui.unit.dp
 import androidx.lifecycle.viewmodel.compose.viewModel
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
+import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
+import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.component.ConfirmDialog
 import me.weishu.kernelsu.ui.component.ConfirmResult
+import me.weishu.kernelsu.ui.component.LoadingDialog
 import me.weishu.kernelsu.ui.screen.destinations.InstallScreenDestination
 import me.weishu.kernelsu.ui.util.*
 import me.weishu.kernelsu.ui.viewmodel.ModuleViewModel
+import okhttp3.OkHttpClient
 
-@OptIn(ExperimentalMaterial3Api::class)
 @Destination
 @Composable
 fun ModuleScreen(navigator: DestinationsNavigator) {
     val viewModel = viewModel<ModuleViewModel>()
 
     LaunchedEffect(Unit) {
-        if (viewModel.moduleList.isEmpty()) {
+        if (viewModel.moduleList.isEmpty() || viewModel.isNeedRefresh) {
             viewModel.fetchModuleList()
         }
     }
 
-    val isSafeMode = Natives.isSafeMode()
-    val isKSUVersionInvalid = Natives.getVersion() < 0
+    val isSafeMode = Natives.isSafeMode
     val hasMagisk = hasMagisk()
 
-    val hideInstallButton = isSafeMode || isKSUVersionInvalid || hasMagisk
+    val hideInstallButton = isSafeMode || hasMagisk
 
     Scaffold(topBar = {
         TopBar()
@@ -75,6 +81,8 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
 
                 navigator.navigate(InstallScreenDestination(uri))
 
+                viewModel.markNeedRefresh()
+
                 Log.i("ModuleScreen", "select zip result: ${it.data}")
             }
 
@@ -93,12 +101,9 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
 
         ConfirmDialog()
 
+        LoadingDialog()
+
         when {
-            isKSUVersionInvalid -> {
-                Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                    Text(stringResource(R.string.require_kernel_version_8))
-                }
-            }
             hasMagisk -> {
                 Box(
                     modifier = Modifier
@@ -112,13 +117,15 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
                     )
                 }
             }
+
             else -> {
                 ModuleList(
-                    viewModel = viewModel,
-                    modifier = Modifier
+                    viewModel = viewModel, modifier = Modifier
                         .padding(innerPadding)
                         .fillMaxSize()
-                )
+                ) {
+                    navigator.navigate(InstallScreenDestination(it))
+                }
             }
         }
     }
@@ -126,7 +133,9 @@ fun ModuleScreen(navigator: DestinationsNavigator) {
 
 @OptIn(ExperimentalMaterialApi::class)
 @Composable
-private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier) {
+private fun ModuleList(
+    viewModel: ModuleViewModel, modifier: Modifier = Modifier, onInstallModule: (Uri) -> Unit
+) {
     val failedEnable = stringResource(R.string.module_failed_to_enable)
     val failedDisable = stringResource(R.string.module_failed_to_disable)
     val failedUninstall = stringResource(R.string.module_uninstall_failed)
@@ -136,11 +145,68 @@ private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier
     val moduleStr = stringResource(id = R.string.module)
     val uninstall = stringResource(id = R.string.uninstall)
     val cancel = stringResource(id = android.R.string.cancel)
-    val moduleUninstallConfirm =
-        stringResource(id = R.string.module_uninstall_confirm)
+    val moduleUninstallConfirm = stringResource(id = R.string.module_uninstall_confirm)
+    val updateText = stringResource(R.string.module_update)
+    val changelogText = stringResource(R.string.module_changelog)
+    val downloadingText = stringResource(R.string.module_downloading)
+    val startDownloadingText = stringResource(R.string.module_start_downloading)
 
     val dialogHost = LocalDialogHost.current
     val snackBarHost = LocalSnackbarHost.current
+    val context = LocalContext.current
+
+    suspend fun onModuleUpdate(
+        module: ModuleViewModel.ModuleInfo,
+        changelogUrl: String,
+        downloadUrl: String,
+        fileName: String
+    ) {
+        val changelog = dialogHost.withLoading {
+            withContext(Dispatchers.IO) {
+                OkHttpClient().newCall(
+                    okhttp3.Request.Builder().url(changelogUrl).build()
+                ).execute().body!!.string()
+            }
+        }
+
+        if (changelog.isNotEmpty()) {
+            // changelog is not empty, show it and wait for confirm
+            val confirmResult = dialogHost.showConfirm(
+                changelogText,
+                content = changelog,
+                markdown = true,
+                confirm = updateText,
+            )
+
+            if (confirmResult != ConfirmResult.Confirmed) {
+                return
+            }
+        }
+
+        withContext(Dispatchers.Main) {
+            Toast.makeText(
+                context,
+                startDownloadingText.format(module.name),
+                Toast.LENGTH_SHORT
+            ).show()
+        }
+
+        val downloading = downloadingText.format(module.name)
+        withContext(Dispatchers.IO) {
+            download(
+                context,
+                downloadUrl,
+                fileName,
+                downloading,
+                onDownloaded = onInstallModule,
+                onDownloading = {
+                    launch(Dispatchers.Main) {
+                        Toast.makeText(context, downloading, Toast.LENGTH_SHORT).show()
+                    }
+                }
+            )
+        }
+    }
 
     suspend fun onModuleUninstall(module: ModuleViewModel.ModuleInfo) {
         val confirmResult = dialogHost.showConfirm(
@@ -153,7 +219,12 @@ private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier
             return
         }
 
-        val success = uninstallModule(module.id)
+        val success = dialogHost.withLoading {
+            withContext(Dispatchers.IO) {
+                uninstallModule(module.id)
+            }
+        }
+
         if (success) {
             viewModel.fetchModuleList()
         }
@@ -173,46 +244,73 @@ private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier
         }
     }
 
-    val refreshState = rememberPullRefreshState(
-        refreshing = viewModel.isRefreshing,
-        onRefresh = { viewModel.fetchModuleList() }
-    )
+    val refreshState = rememberPullRefreshState(refreshing = viewModel.isRefreshing,
+        onRefresh = { viewModel.fetchModuleList() })
     Box(modifier.pullRefresh(refreshState)) {
-        if (viewModel.isOverlayAvailable) {
-            LazyColumn(
-                modifier = Modifier.fillMaxSize(),
-                verticalArrangement = Arrangement.spacedBy(16.dp),
-                contentPadding = remember {
-                    PaddingValues(
-                        start = 16.dp,
-                        top = 16.dp,
-                        end = 16.dp,
-                        bottom = 16.dp
-                                + 16.dp + 56.dp /*  Scaffold Fab Spacing + Fab container height */
-                    )
-                },
-            ) {
-                val isEmpty = viewModel.moduleList.isEmpty()
-                if (isEmpty) {
+        val context = LocalContext.current
+
+        LazyColumn(
+            modifier = Modifier.fillMaxSize(),
+            verticalArrangement = Arrangement.spacedBy(16.dp),
+            contentPadding = remember {
+                PaddingValues(
+                    start = 16.dp,
+                    top = 16.dp,
+                    end = 16.dp,
+                    bottom = 16.dp + 16.dp + 56.dp /*  Scaffold Fab Spacing + Fab container height */
+                )
+            },
+        ) {
+            when {
+                !viewModel.isOverlayAvailable -> {
                     item {
                         Box(
-                            modifier = Modifier.fillMaxSize(),
+                            modifier = Modifier.fillParentMaxSize(),
                             contentAlignment = Alignment.Center
                         ) {
-                            Text(stringResource(R.string.module_empty))
+                            Text(
+                                stringResource(R.string.module_overlay_fs_not_available),
+                                textAlign = TextAlign.Center
+                            )
                         }
                     }
-                } else {
+                }
+
+                viewModel.moduleList.isEmpty() -> {
+                    item {
+                        Box(
+                            modifier = Modifier.fillParentMaxSize(),
+                            contentAlignment = Alignment.Center
+                        ) {
+                            Text(
+                                stringResource(R.string.module_empty),
+                                textAlign = TextAlign.Center
+                            )
+                        }
+                    }
+                }
+
+                else -> {
                     items(viewModel.moduleList) { module ->
                         var isChecked by rememberSaveable(module) { mutableStateOf(module.enabled) }
                         val scope = rememberCoroutineScope()
-                        ModuleItem(module, isChecked, onUninstall = {
+                        val updatedModule by produceState(initialValue = Triple("", "", "")) {
+                            scope.launch(Dispatchers.IO) {
+                                value = viewModel.checkUpdate(module)
+                            }
+                        }
+
+                        ModuleItem(module, isChecked, updatedModule.first, onUninstall = {
                             scope.launch { onModuleUninstall(module) }
                         }, onCheckChanged = {
-                            val success = toggleModule(module.id, !isChecked)
-                            if (success) {
-                                isChecked = it
-                                scope.launch {
+                            scope.launch {
+                                val success = dialogHost.withLoading {
+                                    withContext(Dispatchers.IO) {
+                                        toggleModule(module.id, !isChecked)
+                                    }
+                                }
+                                if (success) {
+                                    isChecked = it
                                     viewModel.fetchModuleList()
 
                                     val result = snackBarHost.showSnackbar(
@@ -221,27 +319,33 @@ private fun ModuleList(viewModel: ModuleViewModel, modifier: Modifier = Modifier
                                     if (result == SnackbarResult.ActionPerformed) {
                                         reboot()
                                     }
+                                } else {
+                                    val message = if (isChecked) failedDisable else failedEnable
+                                    snackBarHost.showSnackbar(message.format(module.name))
                                 }
-                            } else scope.launch {
-                                val message = if (isChecked) failedDisable else failedEnable
-                                snackBarHost.showSnackbar(message.format(module.name))
+                            }
+                        }, onUpdate = {
+                            scope.launch {
+                                onModuleUpdate(
+                                    module,
+                                    updatedModule.third,
+                                    updatedModule.first,
+                                    "${module.name}-${updatedModule.second}.zip"
+                                )
                             }
                         })
+
                         // fix last item shadow incomplete in LazyColumn
                         Spacer(Modifier.height(1.dp))
                     }
                 }
             }
-        } else {
-            Box(modifier = Modifier.fillMaxSize(), contentAlignment = Alignment.Center) {
-                Text(stringResource(R.string.module_overlay_fs_not_available))
-            }
         }
 
+        DownloadListener(context, onInstallModule)
+
         PullRefreshIndicator(
-            refreshing = viewModel.isRefreshing,
-            state = refreshState,
-            modifier = Modifier.align(
+            refreshing = viewModel.isRefreshing, state = refreshState, modifier = Modifier.align(
                 Alignment.TopCenter
             )
         )
@@ -258,8 +362,10 @@ private fun TopBar() {
 private fun ModuleItem(
     module: ModuleViewModel.ModuleInfo,
     isChecked: Boolean,
+    updateUrl: String,
     onUninstall: (ModuleViewModel.ModuleInfo) -> Unit,
-    onCheckChanged: (Boolean) -> Unit
+    onCheckChanged: (Boolean) -> Unit,
+    onUpdate: (ModuleViewModel.ModuleInfo) -> Unit,
 ) {
     ElevatedCard(
         modifier = Modifier.fillMaxWidth(),
@@ -341,6 +447,23 @@ private fun ModuleItem(
             ) {
                 Spacer(modifier = Modifier.weight(1f, true))
 
+                if (updateUrl.isNotEmpty()) {
+                    Button(
+                        modifier = Modifier
+                            .padding(0.dp)
+                            .defaultMinSize(52.dp, 32.dp),
+                        onClick = { onUpdate(module) },
+                        shape = RoundedCornerShape(6.dp),
+                        contentPadding = PaddingValues(0.dp)
+                    ) {
+                        Text(
+                            fontFamily = MaterialTheme.typography.labelMedium.fontFamily,
+                            fontSize = MaterialTheme.typography.labelMedium.fontSize,
+                            text = stringResource(R.string.module_update),
+                        )
+                    }
+                }
+
                 TextButton(
                     enabled = !module.remove,
                     onClick = { onUninstall(module) },
@@ -369,6 +492,7 @@ fun ModuleItemPreview() {
         enabled = true,
         update = true,
         remove = true,
+        updateJson = ""
     )
-    ModuleItem(module, true, {}, {})
+    ModuleItem(module, true, "", {}, {}, {})
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Settings.kt

@@ -2,25 +2,31 @@ package me.weishu.kernelsu.ui.screen
 
 import android.content.Intent
 import android.net.Uri
+import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.*
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.ArrowBack
+import androidx.compose.material.icons.filled.BugReport
+import androidx.compose.material.icons.filled.ContactPage
+import androidx.compose.material.icons.filled.RemoveModerator
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
+import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
 import androidx.core.content.FileProvider
-import com.alorma.compose.settings.ui.*
 import com.ramcosta.composedestinations.annotation.Destination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
 import me.weishu.kernelsu.BuildConfig
+import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.component.AboutDialog
 import me.weishu.kernelsu.ui.component.LoadingDialog
+import me.weishu.kernelsu.ui.component.SwitchItem
 import me.weishu.kernelsu.ui.util.LocalDialogHost
 import me.weishu.kernelsu.ui.util.getBugreportFile
 
@@ -28,7 +34,6 @@ import me.weishu.kernelsu.ui.util.getBugreportFile
  * @author weishu
  * @date 2023/1/1.
  */
-@OptIn(ExperimentalMaterial3Api::class)
 @Destination
 @Composable
 fun SettingScreen(navigator: DestinationsNavigator) {
@@ -50,11 +55,25 @@ fun SettingScreen(navigator: DestinationsNavigator) {
             val context = LocalContext.current
             val scope = rememberCoroutineScope()
             val dialogHost = LocalDialogHost.current
-            SettingsMenuLink(
-                title = {
-                    Text(stringResource(id = R.string.send_log))
-                },
-                onClick = {
+
+            var umountChecked by rememberSaveable {
+                mutableStateOf(Natives.isDefaultUmountModules())
+            }
+            SwitchItem(
+                icon = Icons.Filled.RemoveModerator,
+                title = stringResource(id = R.string.settings_umount_modules_default),
+                summary = stringResource(id = R.string.settings_umount_modules_default_summary),
+                checked = umountChecked
+            ) {
+                if (Natives.setDefaultUmountModules(it)) {
+                    umountChecked = it
+                }
+            }
+
+            ListItem(
+                leadingContent = { Icon(Icons.Filled.BugReport, stringResource(id = R.string.send_log)) },
+                headlineContent = { Text(stringResource(id = R.string.send_log)) },
+                modifier = Modifier.clickable {
                     scope.launch {
                         val bugreport = dialogHost.withLoading {
                             withContext(Dispatchers.IO) {
@@ -85,11 +104,10 @@ fun SettingScreen(navigator: DestinationsNavigator) {
             )
 
             val about = stringResource(id = R.string.about)
-            SettingsMenuLink(
-                title = {
-                    Text(about)
-                },
-                onClick = {
+            ListItem(
+                leadingContent = { Icon(Icons.Filled.ContactPage, stringResource(id = R.string.about)) },
+                headlineContent = { Text(about) },
+                modifier = Modifier.clickable {
                     showAboutDialog.value = true
                 }
             )
@@ -108,4 +126,4 @@ private fun TopBar(onBack: () -> Unit = {}) {
             ) { Icon(Icons.Filled.ArrowBack, contentDescription = null) }
         },
     )
-}
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/SuperUser.kt

@@ -1,8 +1,11 @@
 package me.weishu.kernelsu.ui.screen
 
+import androidx.compose.foundation.background
+import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.*
 import androidx.compose.foundation.lazy.LazyColumn
 import androidx.compose.foundation.lazy.items
+import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material.ExperimentalMaterialApi
 import androidx.compose.material.icons.Icons
 import androidx.compose.material.icons.filled.MoreVert
@@ -11,33 +14,32 @@ import androidx.compose.material.pullrefresh.pullRefresh
 import androidx.compose.material.pullrefresh.rememberPullRefreshState
 import androidx.compose.material3.*
 import androidx.compose.runtime.*
-import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
+import androidx.compose.ui.graphics.Color
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.TextStyle
 import androidx.compose.ui.unit.dp
+import androidx.compose.ui.unit.sp
 import androidx.lifecycle.viewmodel.compose.viewModel
 import coil.compose.AsyncImage
 import coil.request.ImageRequest
 import com.ramcosta.composedestinations.annotation.Destination
+import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.ui.component.ConfirmDialog
-import me.weishu.kernelsu.ui.component.ConfirmResult
 import me.weishu.kernelsu.ui.component.SearchAppBar
-import me.weishu.kernelsu.ui.util.LocalDialogHost
-import me.weishu.kernelsu.ui.util.LocalSnackbarHost
+import me.weishu.kernelsu.ui.screen.destinations.AppProfileScreenDestination
 import me.weishu.kernelsu.ui.viewmodel.SuperUserViewModel
-import java.util.*
 
-@OptIn(ExperimentalMaterial3Api::class, ExperimentalMaterialApi::class)
+@OptIn(ExperimentalMaterialApi::class)
 @Destination
 @Composable
-fun SuperUserScreen() {
+fun SuperUserScreen(navigator: DestinationsNavigator) {
     val viewModel = viewModel<SuperUserViewModel>()
-    val snackbarHost = LocalSnackbarHost.current
     val scope = rememberCoroutineScope()
 
     LaunchedEffect(Unit) {
@@ -105,39 +107,12 @@ fun SuperUserScreen() {
                 .padding(innerPadding)
                 .pullRefresh(refreshState)
         ) {
-            val failMessage = stringResource(R.string.superuser_failed_to_grant_root)
-
             LazyColumn(Modifier.fillMaxSize()) {
                 items(viewModel.appList, key = { it.packageName + it.uid }) { app ->
-                    var isChecked by rememberSaveable(app) { mutableStateOf(app.onAllowList) }
-                    val dialogHost = LocalDialogHost.current
-                    val content =
-                        stringResource(id = R.string.superuser_allow_root_confirm, app.label)
-                    val confirm = stringResource(id = android.R.string.ok)
-                    val cancel = stringResource(id = android.R.string.cancel)
-
-                    AppItem(app, isChecked) { checked ->
-                        scope.launch {
-                            if (checked) {
-                                val confirmResult = dialogHost.showConfirm(
-                                    app.label,
-                                    content = content,
-                                    confirm = confirm,
-                                    dismiss = cancel
-                                )
-                                if (confirmResult != ConfirmResult.Confirmed) {
-                                    return@launch
-                                }
-                            }
-
-                            val success = Natives.allowRoot(app.uid, checked)
-                            if (success) {
-                                isChecked = checked
-                            } else {
-                                snackbarHost.showSnackbar(failMessage.format(app.uid))
-                            }
-                        }
+                    AppItem(app) {
+                        navigator.navigate(AppProfileScreenDestination(app))
                     }
+
                 }
             }
 
@@ -150,20 +125,36 @@ fun SuperUserScreen() {
     }
 }
 
-@OptIn(ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalLayoutApi::class)
 @Composable
 private fun AppItem(
     app: SuperUserViewModel.AppInfo,
-    isChecked: Boolean,
-    onCheckedChange: (Boolean) -> Unit
+    onClickListener: () -> Unit,
 ) {
     ListItem(
-        headlineText = { Text(app.label) },
-        supportingText = { Text(app.packageName) },
+        modifier = Modifier.clickable(onClick = onClickListener),
+        headlineContent = { Text(app.label) },
+        supportingContent = {
+            Column {
+                Text(app.packageName)
+                FlowRow {
+                    if (app.allowSu) {
+                        LabelText(label = "ROOT")
+                    } else {
+                        if (Natives.uidShouldUmount(app.uid)) {
+                            LabelText(label = "UMOUNT")
+                        }
+                    }
+                    if (app.hasCustomProfile) {
+                        LabelText(label = "CUSTOM")
+                    }
+                }
+            }
+        },
         leadingContent = {
             AsyncImage(
                 model = ImageRequest.Builder(LocalContext.current)
-                    .data(app.icon)
+                    .data(app.packageInfo)
                     .crossfade(true)
                     .build(),
                 contentDescription = app.label,
@@ -173,12 +164,26 @@ private fun AppItem(
                     .height(48.dp)
             )
         },
-        trailingContent = {
-            Switch(
-                checked = isChecked,
-                onCheckedChange = onCheckedChange,
-                modifier = Modifier.padding(4.dp)
-            )
-        }
     )
 }
+
+@Composable
+fun LabelText(label: String) {
+    Box(
+        modifier = Modifier
+            .padding(top = 4.dp, end = 4.dp)
+            .background(
+                Color.Black,
+                shape = RoundedCornerShape(4.dp)
+            )
+    ) {
+        Text(
+            text = label,
+            modifier = Modifier.padding(vertical = 2.dp, horizontal = 5.dp),
+            style = TextStyle(
+                fontSize = 8.sp,
+                color = Color.White,
+            )
+        )
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/util/Downloader.kt

@@ -0,0 +1,134 @@
+package me.weishu.kernelsu.ui.util
+
+import android.annotation.SuppressLint
+import android.app.DownloadManager
+import android.content.BroadcastReceiver
+import android.content.Context
+import android.content.Intent
+import android.content.IntentFilter
+import android.net.Uri
+import android.os.Environment
+import androidx.compose.runtime.Composable
+import androidx.compose.runtime.DisposableEffect
+
+/**
+ * @author weishu
+ * @date 2023/6/22.
+ */
+@SuppressLint("Range")
+fun download(
+    context: Context,
+    url: String,
+    fileName: String,
+    description: String,
+    onDownloaded: (Uri) -> Unit = {},
+    onDownloading: () -> Unit = {}
+) {
+    val downloadManager =
+        context.getSystemService(Context.DOWNLOAD_SERVICE) as DownloadManager
+
+    val query = DownloadManager.Query()
+    query.setFilterByStatus(DownloadManager.STATUS_RUNNING or DownloadManager.STATUS_PAUSED or DownloadManager.STATUS_PENDING)
+    downloadManager.query(query).use { cursor ->
+        while (cursor.moveToNext()) {
+            val uri = cursor.getString(cursor.getColumnIndex(DownloadManager.COLUMN_URI))
+            val localUri = cursor.getString(cursor.getColumnIndex(DownloadManager.COLUMN_LOCAL_URI))
+            val status = cursor.getInt(cursor.getColumnIndex(DownloadManager.COLUMN_STATUS))
+            val columnTitle = cursor.getString(cursor.getColumnIndex(DownloadManager.COLUMN_TITLE))
+            if (url == uri || fileName == columnTitle) {
+                if (status == DownloadManager.STATUS_RUNNING || status == DownloadManager.STATUS_PENDING) {
+                    onDownloading()
+                    return
+                } else if (status == DownloadManager.STATUS_SUCCESSFUL) {
+                    onDownloaded(Uri.parse(localUri))
+                    return
+                }
+            }
+        }
+    }
+
+    val request = DownloadManager.Request(Uri.parse(url))
+        .setDestinationInExternalPublicDir(
+            Environment.DIRECTORY_DOWNLOADS,
+            fileName
+        )
+        .setNotificationVisibility(DownloadManager.Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED)
+        .setMimeType("application/zip")
+        .setTitle(fileName)
+        .setDescription(description)
+
+    downloadManager.enqueue(request)
+}
+
+fun checkNewVersion(): Triple<Int, String, String> {
+    val url = "https://api.github.com/repos/tiann/KernelSU/releases/latest"
+    val defaultValue = Triple(0, "", "")
+    runCatching {
+        okhttp3.OkHttpClient().newCall(okhttp3.Request.Builder().url(url).build()).execute()
+            .use { response ->
+                if (!response.isSuccessful) {
+                    return defaultValue
+                }
+                val body = response.body?.string() ?: return defaultValue
+                val json = org.json.JSONObject(body)
+                val changelog = json.optString("body")
+
+                val assets = json.getJSONArray("assets")
+                for (i in 0 until assets.length()) {
+                    val asset = assets.getJSONObject(i)
+                    val name = asset.getString("name")
+                    if (!name.endsWith(".apk")) {
+                        continue
+                    }
+
+                    val regex = Regex("v(.+?)_(\\d+)-")
+                    val matchResult = regex.find(name) ?: continue
+                    val versionName = matchResult.groupValues[1]
+                    val versionCode = matchResult.groupValues[2].toInt()
+                    val downloadUrl = asset.getString("browser_download_url")
+
+                    return Triple(versionCode, downloadUrl, changelog)
+                }
+
+            }
+    }
+    return defaultValue
+}
+
+@Composable
+fun DownloadListener(context: Context, onDownloaded: (Uri) -> Unit) {
+    DisposableEffect(context) {
+        val receiver = object : BroadcastReceiver() {
+            @SuppressLint("Range")
+            override fun onReceive(context: Context?, intent: Intent?) {
+                if (intent?.action == DownloadManager.ACTION_DOWNLOAD_COMPLETE) {
+                    val id = intent.getLongExtra(
+                        DownloadManager.EXTRA_DOWNLOAD_ID, -1
+                    )
+                    val query = DownloadManager.Query().setFilterById(id)
+                    val downloadManager =
+                        context?.getSystemService(Context.DOWNLOAD_SERVICE) as DownloadManager
+                    val cursor = downloadManager.query(query)
+                    if (cursor.moveToFirst()) {
+                        val status = cursor.getInt(
+                            cursor.getColumnIndex(DownloadManager.COLUMN_STATUS)
+                        )
+                        if (status == DownloadManager.STATUS_SUCCESSFUL) {
+                            val uri = cursor.getString(
+                                cursor.getColumnIndex(DownloadManager.COLUMN_LOCAL_URI)
+                            )
+                            onDownloaded(Uri.parse(uri))
+                        }
+                    }
+                }
+            }
+        }
+        context.registerReceiver(
+            receiver,
+            IntentFilter(DownloadManager.ACTION_DOWNLOAD_COMPLETE)
+        )
+        onDispose {
+            context.unregisterReceiver(receiver)
+        }
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/util/KsuCli.kt

@@ -9,7 +9,6 @@ import com.topjohnwu.superuser.ShellUtils
 import me.weishu.kernelsu.BuildConfig
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.ksuApp
-import me.weishu.kernelsu.ui.viewmodel.ModuleViewModel
 import org.json.JSONArray
 import java.io.File
 
@@ -71,7 +70,7 @@ fun getModuleCount(): Int {
 }
 
 fun getSuperuserCount(): Int {
-    return Natives.getAllowList().size
+    return Natives.allowList.size
 }
 
 fun toggleModule(id: String, enable: Boolean): Boolean {
@@ -92,7 +91,7 @@ fun uninstallModule(id: String): Boolean {
     return result
 }
 
-fun installModule(uri: Uri, onFinish: (Boolean) -> Unit, onOutput: (String) -> Unit): Boolean {
+fun installModule(uri: Uri, onFinish: (Boolean) -> Unit, onStdout: (String) -> Unit, onStderr: (String) -> Unit): Boolean {
     val resolver = ksuApp.contentResolver
     with(resolver.openInputStream(uri)) {
         val file = File(ksuApp.cacheDir, "module.zip")
@@ -103,14 +102,20 @@ fun installModule(uri: Uri, onFinish: (Boolean) -> Unit, onOutput: (String) -> U
 
         val shell = getRootShell()
 
-        val callbackList: CallbackList<String?> = object : CallbackList<String?>() {
+        val stdoutCallback: CallbackList<String?> = object : CallbackList<String?>() {
             override fun onAddElement(s: String?) {
-                onOutput(s ?: "")
+                onStdout(s ?: "")
+            }
+        }
+
+        val stderrCallback: CallbackList<String?> = object : CallbackList<String?>() {
+            override fun onAddElement(s: String?) {
+                onStderr(s ?: "")
             }
         }
 
         val result =
-            shell.newJob().add("${getKsuDaemonPath()} $cmd").to(callbackList, callbackList).exec()
+            shell.newJob().add("${getKsuDaemonPath()} $cmd").to(stdoutCallback, stderrCallback).exec()
         Log.i("KernelSU", "install module $uri result: $result")
 
         file.delete()
@@ -140,4 +145,48 @@ fun hasMagisk(): Boolean {
     val result = shell.newJob().add("nsenter --mount=/proc/1/ns/mnt which magisk").exec()
     Log.i(TAG, "has magisk: ${result.isSuccess}")
     return result.isSuccess
+}
+
+fun isSepolicyValid(rules: String?): Boolean {
+    if (rules == null) {
+        return true
+    }
+    val shell = getRootShell()
+    val result =
+        shell.newJob().add("${getKsuDaemonPath()} sepolicy check '$rules'").to(ArrayList(), null).exec()
+    return result.isSuccess
+}
+
+fun getSepolicy(pkg: String): String {
+    val shell = getRootShell()
+    val result =
+        shell.newJob().add("${getKsuDaemonPath()} profile get-sepolicy $pkg").to(ArrayList(), null).exec()
+    Log.i(TAG, "code: ${result.code}, out: ${result.out}, err: ${result.err}")
+    return result.out.joinToString("\n")
+}
+
+fun setSepolicy(pkg: String, rules: String): Boolean {
+    val shell = getRootShell()
+    val result =
+        shell.newJob().add("${getKsuDaemonPath()} profile set-sepolicy $pkg '$rules'").to(ArrayList(), null).exec()
+    Log.i(TAG, "set sepolicy result: ${result.code}")
+    return result.isSuccess
+}
+
+fun forceStopApp(packageName: String) {
+    val shell = getRootShell()
+    val result = shell.newJob().add("am force-stop $packageName").exec()
+    Log.i(TAG, "force stop $packageName result: $result")
+}
+
+fun launchApp(packageName: String) {
+
+    val shell = getRootShell()
+    val result = shell.newJob().add("monkey -p $packageName -c android.intent.category.LAUNCHER 1").exec()
+    Log.i(TAG, "launch $packageName result: $result")
+}
+
+fun restartApp(packageName: String) {
+    forceStopApp(packageName)
+    launchApp(packageName)
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/util/LogEvent.kt

@@ -72,9 +72,9 @@ fun getBugreportFile(context: Context): File {
         pw.println("Nodename: ${uname.nodename}")
         pw.println("Sysname: ${uname.sysname}")
 
-        val ksuKernel = Natives.getVersion()
+        val ksuKernel = Natives.version
         pw.println("KernelSU: $ksuKernel")
-        val safeMode = Natives.isSafeMode()
+        val safeMode = Natives.isSafeMode
         pw.println("SafeMode: $safeMode")
     }
 

manager/app/src/main/java/me/weishu/kernelsu/ui/viewmodel/ModuleViewModel.kt

@@ -1,5 +1,6 @@
 package me.weishu.kernelsu.ui.viewmodel
 
+import android.net.Uri
 import android.os.SystemClock
 import android.util.Log
 import androidx.compose.runtime.derivedStateOf
@@ -13,6 +14,7 @@ import kotlinx.coroutines.launch
 import me.weishu.kernelsu.ui.util.listModules
 import me.weishu.kernelsu.ui.util.overlayFsAvailable
 import org.json.JSONArray
+import org.json.JSONObject
 import java.text.Collator
 import java.util.*
 
@@ -33,6 +35,14 @@ class ModuleViewModel : ViewModel() {
         val enabled: Boolean,
         val update: Boolean,
         val remove: Boolean,
+        val updateJson: String,
+    )
+
+    data class ModuleUpdateInfo(
+        val version: String,
+        val versionCode: Int,
+        val zipUrl: String,
+        val changelog: String,
     )
 
     var isRefreshing by mutableStateOf(false)
@@ -48,6 +58,13 @@ class ModuleViewModel : ViewModel() {
         }
     }
 
+    var isNeedRefresh by mutableStateOf(false)
+        private set
+
+    fun markNeedRefresh() {
+        isNeedRefresh = true
+    }
+
     fun fetchModuleList() {
         viewModelScope.launch(Dispatchers.IO) {
             isRefreshing = true
@@ -70,16 +87,19 @@ class ModuleViewModel : ViewModel() {
                     .map { obj ->
                         ModuleInfo(
                             obj.getString("id"),
-                            obj.getString("name"),
+
+                            obj.optString("name"),
                             obj.optString("author", "Unknown"),
                             obj.optString("version", "Unknown"),
                             obj.optInt("versionCode", 0),
-                            obj.getString("description"),
+                            obj.optString("description"),
                             obj.getBoolean("enabled"),
                             obj.getBoolean("update"),
                             obj.getBoolean("remove"),
+                            obj.optString("updateJson")
                         )
                     }.toList()
+                isNeedRefresh = false
             }.onFailure { e ->
                 Log.e(TAG, "fetchModuleList: ", e)
                 isRefreshing = false
@@ -94,4 +114,47 @@ class ModuleViewModel : ViewModel() {
             Log.i(TAG, "load cost: ${SystemClock.elapsedRealtime() - start}, modules: $modules")
         }
     }
+
+    fun checkUpdate(m: ModuleInfo): Triple<String, String, String> {
+        val empty = Triple("", "", "")
+        if (m.updateJson.isEmpty() || m.remove || m.update || !m.enabled) {
+            return empty
+        }
+        // download updateJson
+        val result = kotlin.runCatching {
+            val url = m.updateJson
+            Log.i(TAG, "checkUpdate url: $url")
+            val response = okhttp3.OkHttpClient()
+                .newCall(
+                    okhttp3.Request.Builder()
+                        .url(url)
+                        .build()
+                ).execute()
+            Log.d(TAG, "checkUpdate code: ${response.code}")
+            if (response.isSuccessful) {
+                response.body?.string() ?: ""
+            } else {
+                ""
+            }
+        }.getOrDefault("")
+        Log.i(TAG, "checkUpdate result: $result")
+
+        if (result.isEmpty()) {
+            return empty
+        }
+
+        val updateJson = kotlin.runCatching {
+            JSONObject(result)
+        }.getOrNull() ?: return empty
+
+        val version = updateJson.optString("version", "")
+        val versionCode = updateJson.optInt("versionCode", 0)
+        val zipUrl = updateJson.optString("zipUrl", "")
+        val changelog = updateJson.optString("changelog", "")
+        if (versionCode <= m.versionCode || zipUrl.isEmpty()) {
+            return empty
+        }
+
+        return Triple(zipUrl, version, changelog)
+    }
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/viewmodel/SuperUserViewModel.kt

@@ -6,6 +6,7 @@ import android.content.ServiceConnection
 import android.content.pm.ApplicationInfo
 import android.content.pm.PackageInfo
 import android.os.IBinder
+import android.os.Parcelable
 import android.os.SystemClock
 import android.util.Log
 import androidx.compose.runtime.derivedStateOf
@@ -16,6 +17,7 @@ import androidx.lifecycle.ViewModel
 import com.topjohnwu.superuser.Shell
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
+import kotlinx.parcelize.Parcelize
 import me.weishu.kernelsu.IKsuInterface
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.ksuApp
@@ -34,14 +36,32 @@ class SuperUserViewModel : ViewModel() {
         private var apps by mutableStateOf<List<AppInfo>>(emptyList())
     }
 
-    class AppInfo(
+    @Parcelize
+    data class AppInfo(
         val label: String,
-        val packageName: String,
-        val icon: PackageInfo,
-        val uid: Int,
-        val onAllowList: Boolean,
-        val onDenyList: Boolean
-    )
+        val packageInfo: PackageInfo,
+        val profile: Natives.Profile?,
+    ) : Parcelable {
+        val packageName: String
+            get() = packageInfo.packageName
+        val uid: Int
+            get() = packageInfo.applicationInfo.uid
+
+        val allowSu: Boolean
+            get() = profile != null && profile.allowSu
+        val hasCustomProfile: Boolean
+            get() {
+                if (profile == null) {
+                    return false
+                }
+
+                return if (profile.allowSu) {
+                    !profile.rootUseDefault
+                } else {
+                    !profile.nonRootUseDefault
+                }
+            }
+    }
 
     var search by mutableStateOf("")
     var showSystemApps by mutableStateOf(false)
@@ -51,8 +71,8 @@ class SuperUserViewModel : ViewModel() {
     private val sortedList by derivedStateOf {
         val comparator = compareBy<AppInfo> {
             when {
-                it.onAllowList -> 0
-                it.onDenyList -> 1
+                it.allowSu -> 0
+                it.hasCustomProfile -> 1
                 else -> 2
             }
         }.then(compareBy(Collator.getInstance(Locale.getDefault()), AppInfo::label))
@@ -67,7 +87,7 @@ class SuperUserViewModel : ViewModel() {
                 .toPinyinString(it.label).contains(search)
         }.filter {
             it.uid == 2000 // Always show shell
-                    || showSystemApps || it.icon.applicationInfo.flags.and(ApplicationInfo.FLAG_SYSTEM) == 0
+                    || showSystemApps || it.packageInfo.applicationInfo.flags.and(ApplicationInfo.FLAG_SYSTEM) == 0
         }
     }
 
@@ -107,13 +127,9 @@ class SuperUserViewModel : ViewModel() {
         val result = connectKsuService {
             Log.w(TAG, "KsuService disconnected")
         }
-        
+
         withContext(Dispatchers.IO) {
             val pm = ksuApp.packageManager
-            val allowList = Natives.getAllowList().toSet()
-            val denyList = Natives.getDenyList().toSet()
-            Log.i(TAG, "allowList: $allowList")
-            Log.i(TAG, "denyList: $denyList")
             val start = SystemClock.elapsedRealtime()
 
             val binder = result.first
@@ -128,13 +144,11 @@ class SuperUserViewModel : ViewModel() {
             apps = packages.map {
                 val appInfo = it.applicationInfo
                 val uid = appInfo.uid
+                val profile = Natives.getAppProfile(it.packageName, uid)
                 AppInfo(
                     label = appInfo.loadLabel(pm).toString(),
-                    packageName = it.packageName,
-                    icon = it,
-                    uid = uid,
-                    onAllowList = uid in allowList,
-                    onDenyList = uid in denyList
+                    packageInfo = it,
+                    profile = profile,
                 )
             }.filter { it.packageName != ksuApp.packageName }
             Log.i(TAG, "load cost: ${SystemClock.elapsedRealtime() - start}")

manager/app/src/main/res/values-ar/strings.xml

@@ -1,68 +1,83 @@
+<?xml version="1.0" encoding="utf-8"?>
 <resources>
-    <string name="app_name" translatable="false">KernelSU</string>
-
     <string name="home">الرئيسية</string>
     <string name="home_not_installed">غير مثبت</string>
-    <string name="home_click_to_install">اضغط لتثبيت</string>
+    <string name="home_click_to_install">إضغط للتثبيت</string>
     <string name="home_working">يعمل</string>
-    <string name="home_working_version">الاصدار: %d</string>
-    <string name="home_superuser_count">مستخدمين الجذر: %d</string>
+    <string name="home_working_version">الإصدار: %d</string>
+    <string name="home_superuser_count">المستخدمين الخارقين: %d</string>
     <string name="home_module_count">الوحدات: %d</string>
     <string name="home_unsupported">غير مدعوم</string>
-    <string name="home_unsupported_reason">KernelSU يدعم GKI kernels الان</string>
-    <string name="home_copied_to_clipboard">نسخ الي حافظة</string>
-    <string name="home_support">مدعوم</string>
-
-    <string name="home_kernel">نواه</string>
-    <string name="home_arch">معمارية</string>
-    <string name="home_manager_version">اصدار المدير</string>
-    <string name="home_api">API Level</string>
-    <string name="home_abi">ABI</string>
-    <string name="home_fingerprint">بصمة</string>
-    <string name="home_securitypatch">تصحيح الأمان</string>
-
+    <string name="home_unsupported_reason">KernelSU يدعم GKI kernels فقط</string>
+    <string name="home_kernel">إصدار النواة</string>
+    <string name="home_manager_version">إصدار المدير</string>
+    <string name="home_fingerprint">البصمة</string>
     <string name="home_selinux_status">وضع SELinux</string>
-    <string name="selinux_status_disabled">غير مفعل</string>
-    <string name="selinux_status_enforcing">فرض</string>
+    <string name="selinux_status_disabled">معطل</string>
+    <string name="selinux_status_enforcing">مفروض</string>
     <string name="selinux_status_permissive">متساهل</string>
     <string name="selinux_status_unknown">مجهول</string>
-    <string name="superuser">مستخدم الجذر</string>
-    <string name="superuser_failed_to_grant_root">فشل منح الجذر لـ %d</string>
-    <string name="superuser_allow_root_confirm">هل أنت متأكد من منح حق الوصول إلى الجذر إلى %s?</string>
-    <string name="module_failed_to_enable">فشل في تمكين الوحدة النمطية: %s</string>
-    <string name="module_failed_to_disable">فشل تعطيل الوحدة النمطية: %s</string>
+    <string name="superuser">مستخدم خارق</string>
+    <string name="module_failed_to_enable">فشل في تمكين الوحدة: %s</string>
+    <string name="module_failed_to_disable">فشل تعطيل الوحدة : %s</string>
     <string name="module_empty">لا توجد وحدة مثبتة</string>
-
-    <string name="module">وحدة</string>
-    <string name="uninstall">الغاء التثبيت</string>
-    <string name="module_install">تثبيت</string>
+    <string name="module">الوحدات</string>
+    <string name="uninstall">إلغاء التثبيت</string>
+    <string name="module_install">تثبيت الوحدة</string>
     <string name="install">تثبيت</string>
-    <string name="reboot">اعادة تشغيل</string>
-    <string name="settings">الاعدادات</string>
-    <string name="reboot_userspace">اعادة تشغيل سريع</string>
-    <string name="reboot_recovery">اعادة تشغيل الي ريكفيري</string>
-    <string name="reboot_bootloader">اعادة تشغيل الي بوت لودر</string>
-    <string name="reboot_download">اعادة تشغيل الي وضع داونلود</string>
-    <string name="reboot_edl">اعادة تشغيل الي وضع EDL</string>
+    <string name="reboot">إعادة تشغيل</string>
+    <string name="settings">الإعدادات</string>
+    <string name="reboot_userspace">إعادة تشغيل سريعة</string>
+    <string name="reboot_recovery">إعادة تشغيل إلى وضع Recovery</string>
+    <string name="reboot_bootloader">إعادة تشغيل إلى وضع Bootloader</string>
+    <string name="reboot_download">إعادة تشغيل إلى وضع Download</string>
+    <string name="reboot_edl">إعادة تشغيل إلى وضع EDL</string>
     <string name="about">من نحن</string>
-    <string name="require_kernel_version_8">يتطلب KernelSU اصدار 8+</string>
-    <string name="module_uninstall_confirm">Are you sure you want to uninstall module %s?</string>
-    <string name="module_uninstall_success">%s uninstalled</string>
-    <string name="module_uninstall_failed">Failed to uninstall: %s</string>
-    <string name="module_version">الاصدار</string>
-    <string name="module_author">مؤلف</string>
+    <string name="module_uninstall_confirm">هل أنت متأكد أنك تريد إلغاء تثبيت الوحدة  %s ?</string>
+    <string name="module_uninstall_success">تم إلغاء التثبيت %s</string>
+    <string name="module_uninstall_failed">فشل إلغاء التثبيت: %s</string>
+    <string name="module_version">الإصدار</string>
+    <string name="module_author">المطور</string>
     <string name="module_overlay_fs_not_available">التراكبات غير متوفرة ، لا يمكن للوحدة أن تعمل!</string>
-    <string name="refresh">رفريش</string>
-    <string name="show_system_apps">عرض تطبيقات النظام</string>
-    <string name="hide_system_apps">اخفاء تطبيقات النظام</string>
-    <string name="send_log">ارسال اللوج</string>
-    <string name="safe_mode">وضع الامن</string>
-    <string name="reboot_to_apply">اعادة تشغيل لتطبيق التغيرات</string>
-    <string name="module_magisk_conflict">تم تعطيل الوحدات النمطية لأنها تتعارض مع Magisk\'s!</string>
+    <string name="refresh">إنعاش</string>
+    <string name="show_system_apps">إظهار تطبيقات النظام</string>
+    <string name="hide_system_apps">إخفاء تطبيقات النظام</string>
+    <string name="send_log">إرسال السجلات</string>
+    <string name="safe_mode">الوضع الآمن</string>
+    <string name="reboot_to_apply">إعادة التشغيل لتطبيق التغييرات</string>
+    <string name="module_magisk_conflict">تم تعطيل الوحدات النمطية لأنها تتعارض مع Magisk!</string>
     <string name="home_learn_kernelsu">تعلم KernelSU</string>
     <string name="home_learn_kernelsu_url">https://kernelsu.org/guide/what-is-kernelsu.html</string>
-    <string name="home_click_to_learn_kernelsu">تعرف على كيفية تثبيت KernelSU واستخدام الوحدات النمطية</string>
-    <string name="home_support_title">ادعمنا</string>
-    <string name="home_support_content">KernelSU هو وسيظل دائمًا مجانيًا ومفتوح المصدر. ومع ذلك ، يمكنك أن تظهر لنا أنك تهتم بالتبرع.</string>
-    <string name="about_source_code"><![CDATA[View source code at %1$s<br/>Join our %2$s channel]]></string>
-</resources>
+    <string name="home_click_to_learn_kernelsu">تعرف على كيفية تثبيت KernelSU واستخدام الوحدات</string>
+    <string name="home_support_title">إدعمنا</string>
+    <string name="home_support_content">KernelSU سيظل دائماً مجانياً ومفتوح المصدر. مع ذلك، يمكنك أن تظهر لنا أنك تهتم بالتبرع.</string>
+    <string name="about_source_code"><![CDATA[أنظر إلى مصدر البرمجة في %1$s<br/>إنضم إلى قناتنا في %2$s ]]></string>
+    <string name="profile_capabilities">القدرات</string>
+    <string name="module_update">تحديث</string>
+    <string name="module_downloading">تحمبل الوحدة : %s</string>
+    <string name="module_start_downloading">ابدأ التنزيل: %s</string>
+    <string name="new_version_available">الإصدار الجديد: %s متاح ، انقر للتحديث</string>
+    <string name="launch_app">تشغيل</string>
+    <string name="profile_default">الإفتراضي</string>
+    <string name="profile_template">نموذج</string>
+    <string name="profile_namespace_inherited">موروث</string>
+    <string name="profile_namespace_global">عالمي</string>
+    <string name="profile_namespace_individual">فردي</string>
+    <string name="profile_groups">مجموعات</string>
+    <string name="profile_custom">مُخصّص</string>
+    <string name="profile_namespace">تركيب مساحة الاسم</string>
+    <string name="profile_umount_modules">الغاء تحميل الوحدات</string>
+    <string name="failed_to_update_app_profile">فشل تحديث ملف تعريف التطبيق لـ %s</string>
+    <string name="profile_selinux_context">سياق SELinux</string>
+    <string name="force_stop_app">ايقاف إجباري</string>
+    <string name="settings_umount_modules_default">الغاء تحميل الوحدات بشكل افتراضي</string>
+    <string name="settings_umount_modules_default_summary">القيمة الافتراضية العامة ل \"إلغاء تحميل الوحدات \" في ملفات تعريف التطبيقات. إذا تم تمكينه ، إزالة جميع تعديلات الوحدة النمطية على النظام للتطبيقات التي لا تحتوي على مجموعة ملف تعريف.</string>
+    <string name="profile_umount_modules_summary">سيسمح تمكين هذا الخيار ل KernelSU باستعادة أي ملفات معدلة بواسطة الوحدات النمطية لهذا التطبيق.</string>
+    <string name="profile_selinux_domain">المجال</string>
+    <string name="profile_selinux_rules">القواعد</string>
+    <string name="restart_app">إعادة تشغيل التطبيق</string>
+    <string name="failed_to_update_sepolicy">فشل تحديث قواعد SELinux لما يلي: %s</string>
+    <string name="profile_name">اسم الملف الشخصي</string>
+    <string name="require_kernel_version">إصدار KernelSU الحالي %d منخفض جدًا بحيث لا يعمل المدير بشكل صحيح. الرجاء الترقية إلى الإصدار %d أو أعلى!</string>
+    <string name="module_changelog">سجل التغييرات</string>
+</resources>

manager/app/src/main/res/values-az/strings.xml

@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <string name="home">Ana səhifə</string>
+    <string name="home_superuser_count">Super istifadəçilər: %d</string>
+    <string name="home_kernel">Nüvə</string>
+    <string name="home_not_installed">Yüklənmədi</string>
+    <string name="home_click_to_install">Yükləmək üçün toxunun</string>
+    <string name="home_working">İşləyir</string>
+    <string name="home_working_version">Versiya: %d</string>
+    <string name="home_module_count">Modullar: %d</string>
+    <string name="home_unsupported_reason">Hal-hazırda KernelSU yalnız GKI nüvələrini dəstəkləyir</string>
+    <string name="home_unsupported">Dəstəklənmir</string>
+    <string name="module_install">Yüklə</string>
+    <string name="install">Yüklə</string>
+    <string name="selinux_status_unknown">Naməlum</string>
+    <string name="home_fingerprint">Barmaq izi</string>
+    <string name="home_manager_version">Menecer versiyası</string>
+    <string name="selinux_status_disabled">Qeyri-aktiv</string>
+    <string name="home_selinux_status">SELinux vəziyyəti</string>
+    <string name="selinux_status_permissive">Sərbəst</string>
+    <string name="selinux_status_enforcing">Məcburi</string>
+    <string name="superuser">Super istifadəçi</string>
+    <string name="uninstall">Sil</string>
+    <string name="module_failed_to_enable">Modulu aktiv etmək mümkün olmadı: %s</string>
+    <string name="module_failed_to_disable">Modulu deaktiv etmək mümkün olmadı: %s</string>
+    <string name="module_empty">Heç bir modul quraşdırılmayıb</string>
+    <string name="module">Modul</string>
+    <string name="reboot">Yenidən başlat</string>
+    <string name="settings">Parametrlər</string>
+    <string name="reboot_recovery">Bərpa rejimində yenidən başlat</string>
+    <string name="reboot_userspace">Yüngül vəziyyətdə yenodən başlat</string>
+    <string name="reboot_bootloader">Bootloader rejimində yenidən başlat</string>
+    <string name="reboot_download">Yükləmə rejimində yenidən başlat</string>
+    <string name="module_version">Versiya</string>
+    <string name="module_author">Sahib</string>
+    <string name="module_uninstall_confirm">Modulu silmək istədiyinizdən əminsiniz %s\?</string>
+    <string name="show_system_apps">Sistem proqramlarını göstər</string>
+    <string name="about">Haqqında</string>
+    <string name="reboot_edl">EDL rejimində yenidən başlat</string>
+    <string name="module_uninstall_failed">Silmək mümkün olmadı: %s</string>
+    <string name="module_uninstall_success">%s silindi</string>
+    <string name="hide_system_apps">Sistem proqramlarını gizlət</string>
+    <string name="module_overlay_fs_not_available">overlayfs mövcud deyil,modul işləyə bilməyəcək!</string>
+    <string name="send_log">Log-u göndər</string>
+    <string name="refresh">Yenilə</string>
+    <string name="safe_mode">Təhlükəsiz rejimi</string>
+    <string name="reboot_to_apply">Qüvvəyə minməsi üçün yenidən başlat</string>
+    <string name="module_magisk_conflict">Modular deaktiv edilir,çünki o Magisk-in modulları ilə toqquşur!</string>
+    <string name="home_learn_kernelsu">KernelSU-yu öyrən</string>
+    <string name="home_learn_kernelsu_url">https://kernelsu.org/guide/what-is-kernelsu.html</string>
+    <string name="home_support_title">Bizi dəstəkləyin</string>
+    <string name="home_click_to_learn_kernelsu">KernelSU-yu necə quraşdırılacağını və modulların necə istifadə ediləcəyini öyrən</string>
+    <string name="profile_template">Şablon</string>
+    <string name="profile_default">Defolt</string>
+    <string name="profile_custom">Özəl</string>
+    <string name="home_support_content">KernelSU pulsuz və açıq mənbəlidir,həmişə belə olacaqdır. Bununla belə, ianə etməklə bizə qayğı göstərdiyinizi göstərə bilərsiniz.</string>
+    <string name="about_source_code">Mənbə kodlarımıza baxın %1$s<br/>Kanalımıza %2$s qoşulun</string>
+    <string name="profile_name">Profil adı</string>
+    <string name="profile_capabilities">Bacarıqlar</string>
+    <string name="profile_umount_modules">Modulları umount et</string>
+    <string name="profile_namespace_inherited">Miras qalmış</string>
+    <string name="profile_namespace_global">Qlobal</string>
+    <string name="profile_namespace">Bölmənin ad sahəsi</string>
+    <string name="profile_namespace_individual">Fərdi</string>
+    <string name="profile_groups">Qruplar</string>
+    <string name="settings_umount_modules_default">Defolt olaraq modulları umount et</string>
+    <string name="profile_selinux_context">SELinux konteksi</string>
+    <string name="failed_to_update_app_profile">%s görə tətbiq profillərini güncəlləmək mümkün olmadı</string>
+    <string name="settings_umount_modules_default_summary">Tətbiq Profillərində \"Umount modulları\" üçün qlobal standart dəyər. Aktivləşdirilərsə, o, Profil dəsti olmayan proqramlar üçün sistemdəki bütün modul dəyişikliklərini siləcək.</string>
+    <string name="profile_selinux_domain">Domen</string>
+    <string name="profile_selinux_rules">Qaydalar</string>
+    <string name="module_update">Güncəllə</string>
+    <string name="module_start_downloading">Endirməni başlat: %s</string>
+    <string name="new_version_available">Yeni versiya: %s əlçatandır, endirmək üçün toxunun</string>
+    <string name="module_downloading">Modul yüklənir: %s</string>
+    <string name="profile_umount_modules_summary">Bu seçimi aktivləşdirmək KernelSU-ya bu proqram üçün modullar tərəfindən hər hansı dəyişdirilmiş faylları bərpa etməyə imkan verəcək.</string>
+    <string name="launch_app">Aç</string>
+    <string name="force_stop_app">Məcburi dayandır</string>
+    <string name="restart_app">Yenidən başlat</string>
+    <string name="failed_to_update_sepolicy">%s görə SELinux qaydalarını güncəlləmək mümkün olmadı</string>
+</resources>