Translated using Weblate (Ukrainian)

Currently translated at 100.0% (140 of 140 strings)

Translation: KernelSU/Manager
Translate-URL: https://hosted.weblate.org/projects/kernelsu/manager/uk/

.gitattributes

@@ -0,0 +1 @@
+*.bat eol=crlf

.github/FUNDING.yml

@@ -2,4 +2,3 @@
 
 github: tiann
 patreon: weishu
-custom: https://vxposed.com/donate.html

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Feature Request
+    url: https://github.com/tiann/KernelSU/issues/1705
+    about: "We do not accept external Feature Requests, see this link for more details."

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,40 +0,0 @@
-name: Feature Request
-description: "Suggest an idea for this project"
-title: "[Feature]"
-labels: "feature"
-assignees: tiann
-body:
-  - type: markdown
-    id: feature-info
-    attributes:
-      value: "## Feature Infomation"
-  - type: textarea
-    id: feature-main
-    validations:
-      required: true
-    attributes:
-      label: "Is your feature request related to a problem? Please describe."
-      description: "A clear and concise description of what the problem is."
-      placeholder: "I'm always frustrated when [...]"
-  - type: textarea
-    id: feature-solution
-    validations:
-      required: true
-    attributes:
-      label: "Describe the solution you'd like."
-      description: "A clear and concise description of what you want to happen."
-  - type: textarea
-    id: feature-describe
-    validations:
-      required: true
-    attributes:
-      label: "Describe alternatives you've considered."
-      description: "A clear and concise description of any alternative solutions or features you've considered."
-  - type: textarea
-    id: feature-extra
-    validations:
-      required: false
-    attributes:
-      label: "Additional context"
-      description: "Add any other context or screenshots about the feature request here."
-

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+    groups:
+      actions:
+        patterns:
+          - "*"
+  - package-ecosystem: cargo
+    directory: userspace/ksud
+    schedule:
+      interval: daily
+    allow:
+      - dependency-type: "all"
+    groups:
+      crates:
+        patterns:
+          - "*"
+  - package-ecosystem: gradle
+    directory: manager
+    schedule:
+      interval: daily
+    groups:
+      maven:
+        patterns:
+          - "*"
+  - package-ecosystem: npm
+    directory: website
+    schedule:
+      interval: daily
+    allow:
+      - dependency-type: "all"
+    groups:
+      npm:
+        patterns:
+          - "*"

.github/manifests/android-14-avd_x86_64.xml

@@ -0,0 +1,71 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--https://ci.android.com/builds/submitted/9964412/kernel_virt_x86_64/latest/manifest_9964412.xml-->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="master" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android14-6.1" />
+
+  <project path="build/kernel" name="kernel/build" revision="b0377a072bb3f78cdacfd6d809914a9d1b0c0148">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="build/build.sh" src="build.sh" />
+
+    <linkfile dest="build/build_abi.sh" src="build_abi.sh" />
+
+    <linkfile dest="build/build_test.sh" src="build_test.sh" />
+
+    <linkfile dest="build/build_utils.sh" src="build_utils.sh" />
+
+    <linkfile dest="build/config.sh" src="config.sh" />
+
+    <linkfile dest="build/envsetup.sh" src="envsetup.sh" />
+
+    <linkfile dest="build/_setup_env.sh" src="_setup_env.sh" />
+
+    <linkfile dest="build/multi-switcher.sh" src="multi-switcher.sh" />
+
+    <linkfile dest="build/abi" src="abi" />
+
+    <linkfile dest="build/static_analysis" src="static_analysis" />
+</project>
+
+  <project path="common" name="kernel/common" revision="7e35917775b8b3e3346a87f294e334e258bf15e6">
+    <linkfile dest=".source_date_epoch_dir" src="." />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="c90a1c1b226b975cc31e709fa96fc1c6ecdbe272" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="52a7267d6a9f9efabf3cb43839bb5e7f7ff05be3" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="0d03de3246301028775f05ea388c2c444344a268" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" clone-depth="1" revision="4f7e5adc160ab726ac5bafb260de98e612904c50" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" revision="f7b0d5b0ee369864d5ac3e96ae24ec9e2b6a52da" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" revision="dc92e06585a7647bf739a2309a721b82fcfa01d4" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="5611871963f54c688d3ac49e527aecdef21e8567" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" revision="2597cb1b5525e419b7fa806373be673054a68d29" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="2680066d0844544b3e78d6022cd21321d31837c3" />
+
+  <project path="prebuilts/bazel/linux-x86_64" name="platform/prebuilts/bazel/linux-x86_64" clone-depth="1" revision="4fdb9395071ff22118311d434d697c2b6fd887b4" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" clone-depth="1" revision="491e6aa056676f29c4541f71bd738e4e876e4ba2" />
+
+  <project path="prebuilts/ndk-r23" name="toolchain/prebuilts/ndk/r23" clone-depth="1" revision="19ac7e4eded12adb99d4f613490dde6dd0e72664" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" revision="f998e5dc13c03f0eae9e373263d3afff0932c738" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" revision="707b2c5fe3d0d7d934a93e00a8a4062e83557831" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" revision="e83f522ee95419e55d2c5654aa6e0143beeef595" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" revision="393d0b1e3f0fea3e95944a2fd3282cc9f76d4f14" />
+</manifest>

.github/manifests/android-15-avd_aarch64.xml

@@ -0,0 +1,89 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- https://ci.android.com/builds/submitted/11577653/kernel_virt_aarch64/latest/manifest_11577653.xml -->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="main" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android15-6.6" />
+
+  <project path="build/kernel" name="kernel/build" groups="ddk" revision="9a2196a1ec1048c2869750c9d3969c88ac18adcd">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="MODULE.bazel" src="kleaf/bzlmod/bazel.MODULE.bazel" />
+
+    <linkfile dest="WORKSPACE.bzlmod" src="kleaf/bzlmod/bazel.WORKSPACE.bzlmod" />
+</project>
+
+  <project path="common" name="kernel/common" revision="ac1a7c65ff1bc7ece5569d62f02b121b4f2364f8" />
+
+  <project path="kernel/common-patches" name="kernel/common-patches" revision="3807ce65081de12ef4baa2a04487306672685160">
+    <linkfile dest="common/patches" src="android-mainline" />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="ca9fd66f5b48abc92990c9c770f73380b428362b" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="be625f2ccf377a75d0ea86c082c716c322b8d4c6" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="60a24583ac921279e40a44f818040e40abb3ef46" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" revision="93a1369ba33743a87bdf0183373f590a36ff7cb1" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" groups="ddk" revision="cef8f53bb61fbdb02dbf4d433004f6cb637c3bc6" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="5aca9957ab19d2668c7f1da1954bbe89652d5fed" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="69f9fb9b8e75c6f1ff01f380d5251757785bb823" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="b09295493adc8d804b6d24286660f6e451e387fd" />
+
+  <project path="prebuilts/rust" name="platform/prebuilts/rust" revision="adc0e5499c3ddac831ca596d12cbef8d9747f737" clone-depth="1" />
+
+  <project path="prebuilts/tradefed" name="platform/tools/tradefederation/prebuilts" clone-depth="1" revision="a76ca09c5593e22e65b0d823d508882c6c64c13e" />
+
+  <project path="prebuilts/asuite" name="platform/prebuilts/asuite" clone-depth="1" revision="24510f175cb313a92241500efee917c2930d5d30" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="28b7934249c2885db8b561f1439d74663fcdce93" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" revision="c6c90521b7c317f13d41bbd9336a8d45ee202cec" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/ndk-r26" name="toolchain/prebuilts/ndk/r26" clone-depth="1" groups="ddk" revision="e535051ebc04204cec44bde38f62385d63180388" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" groups="ddk" revision="6b103c40d8113f001475d5e13672922ef2aa0e5a" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" groups="ddk" revision="2a10807a06153b5862da0369f4b6b368afc2dd08" />
+
+  <project path="external/libcap-ng" name="platform/external/libcap-ng" revision="2bcc92ae19481dd2b8d3ce3abdfbbee49261abe6" />
+
+  <project path="external/libcap" name="platform/external/libcap" revision="d7d1a0a38c5be06a7e7d6391d140b54878836f48" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" groups="ddk" revision="f31250f9f5b03834d9964aaee7a3794c1d73d4a2" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" groups="ddk" revision="9ae5a78fc57c3cd539398373ae39601a8b923e62" />
+
+  <project path="external/bazelbuild-bazel-central-registry" name="platform/external/bazelbuild-bazel-central-registry" revision="3422f064566c274ea66633442521704d4a22486d" groups="ddk" />
+
+  <project path="external/bazelbuild-platforms" name="platform/external/bazelbuild-platforms" groups="ddk" revision="e352aabd0131f3ac3f340282a43ba85ffc3fe8fa" />
+
+  <project path="external/bazelbuild-apple_support" name="platform/external/bazelbuild-apple_support" groups="ddk" revision="f6003e1e3763f8aad9fb9acae79cfa5fff9ae988" />
+
+  <project path="external/bazelbuild-rules_cc" name="platform/external/bazelbuild-rules_cc" groups="ddk" revision="f0df148dbeb9b9ed3816aad328ebe7c65efaaa24" />
+
+  <project path="external/bazelbuild-rules_java" name="platform/external/bazelbuild-rules_java" groups="ddk" revision="8e548c7053dffd1717d565f0409a88992f401da1" />
+
+  <project path="external/bazelbuild-rules_license" name="platform/external/bazelbuild-rules_license" groups="ddk" revision="f578df4fd057ffe2023728444759535685631548" />
+
+  <project path="external/bazelbuild-rules_pkg" name="platform/external/bazelbuild-rules_pkg" groups="ddk" revision="429887dfd8db834498ad95e99043f771a3882af0" />
+
+  <project path="external/bazelbuild-rules_python" name="platform/external/bazelbuild-rules_python" groups="ddk" revision="f71847ac898655b67634bb14e77a7408c4fb5e00" />
+
+  <project path="external/bazelbuild-rules_rust" name="platform/external/bazelbuild-rules_rust" groups="ddk" revision="1520b49835be9122c2424231357d4db80069cc38" />
+
+  <project path="external/pigz" name="platform/external/pigz" groups="ddk" revision="9bc9fa17d499ddde88b77820f6d063e16c0cdd42" />
+
+  <project path="external/zlib" name="platform/external/zlib" groups="ddk" revision="eff168fd731068a3faddd9aae056875e10014a51" />
+
+  <project path="external/zopfli" name="platform/external/zopfli" groups="ddk" revision="36c79f00e5229800d2aaa13fc42c301ec8ef1153" />
+</manifest>

.github/manifests/android-15-avd_x86_64.xml

@@ -0,0 +1,89 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- https://ci.android.com/builds/submitted/11577653/kernel_virt_x86_64/latest/manifest_11577653.xml -->
+<manifest>
+  <remote name="aosp" fetch="https://android.googlesource.com/" review="https://android.googlesource.com/" />
+
+  <default revision="main" remote="aosp" sync-j="4" />
+
+  <superproject name="kernel/superproject" remote="aosp" revision="common-android15-6.6" />
+
+  <project path="build/kernel" name="kernel/build" groups="ddk" revision="9a2196a1ec1048c2869750c9d3969c88ac18adcd">
+    <linkfile dest="tools/bazel" src="kleaf/bazel.sh" />
+
+    <linkfile dest="WORKSPACE" src="kleaf/bazel.WORKSPACE" />
+
+    <linkfile dest="MODULE.bazel" src="kleaf/bzlmod/bazel.MODULE.bazel" />
+
+    <linkfile dest="WORKSPACE.bzlmod" src="kleaf/bzlmod/bazel.WORKSPACE.bzlmod" />
+</project>
+
+  <project path="common" name="kernel/common" revision="ac1a7c65ff1bc7ece5569d62f02b121b4f2364f8" />
+
+  <project path="kernel/common-patches" name="kernel/common-patches" revision="3807ce65081de12ef4baa2a04487306672685160">
+    <linkfile dest="common/patches" src="android-mainline" />
+</project>
+
+  <project path="kernel/tests" name="kernel/tests" revision="ca9fd66f5b48abc92990c9c770f73380b428362b" />
+
+  <project path="kernel/configs" name="kernel/configs" revision="be625f2ccf377a75d0ea86c082c716c322b8d4c6" />
+
+  <project path="common-modules/virtual-device" name="kernel/common-modules/virtual-device" revision="60a24583ac921279e40a44f818040e40abb3ef46" />
+
+  <project path="prebuilts/clang/host/linux-x86" name="platform/prebuilts/clang/host/linux-x86" revision="93a1369ba33743a87bdf0183373f590a36ff7cb1" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" name="platform/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8" clone-depth="1" groups="ddk" revision="cef8f53bb61fbdb02dbf4d433004f6cb637c3bc6" />
+
+  <project path="prebuilts/build-tools" name="platform/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="5aca9957ab19d2668c7f1da1954bbe89652d5fed" />
+
+  <project path="prebuilts/clang-tools" name="platform/prebuilts/clang-tools" clone-depth="1" revision="69f9fb9b8e75c6f1ff01f380d5251757785bb823" />
+
+  <project path="prebuilts/kernel-build-tools" name="kernel/prebuilts/build-tools" clone-depth="1" groups="ddk" revision="b09295493adc8d804b6d24286660f6e451e387fd" />
+
+  <project path="prebuilts/rust" name="platform/prebuilts/rust" revision="adc0e5499c3ddac831ca596d12cbef8d9747f737" clone-depth="1" />
+
+  <project path="prebuilts/tradefed" name="platform/tools/tradefederation/prebuilts" clone-depth="1" revision="a76ca09c5593e22e65b0d823d508882c6c64c13e" />
+
+  <project path="prebuilts/asuite" name="platform/prebuilts/asuite" clone-depth="1" revision="24510f175cb313a92241500efee917c2930d5d30" />
+
+  <project path="tools/mkbootimg" name="platform/system/tools/mkbootimg" revision="28b7934249c2885db8b561f1439d74663fcdce93" />
+
+  <project path="prebuilts/jdk/jdk11" name="platform/prebuilts/jdk/jdk11" revision="c6c90521b7c317f13d41bbd9336a8d45ee202cec" clone-depth="1" groups="ddk" />
+
+  <project path="prebuilts/ndk-r26" name="toolchain/prebuilts/ndk/r26" clone-depth="1" groups="ddk" revision="e535051ebc04204cec44bde38f62385d63180388" />
+
+  <project path="external/bazel-skylib" name="platform/external/bazel-skylib" groups="ddk" revision="6b103c40d8113f001475d5e13672922ef2aa0e5a" />
+
+  <project path="build/bazel_common_rules" name="platform/build/bazel_common_rules" groups="ddk" revision="2a10807a06153b5862da0369f4b6b368afc2dd08" />
+
+  <project path="external/libcap-ng" name="platform/external/libcap-ng" revision="2bcc92ae19481dd2b8d3ce3abdfbbee49261abe6" />
+
+  <project path="external/libcap" name="platform/external/libcap" revision="d7d1a0a38c5be06a7e7d6391d140b54878836f48" />
+
+  <project path="external/stardoc" name="platform/external/stardoc" groups="ddk" revision="f31250f9f5b03834d9964aaee7a3794c1d73d4a2" />
+
+  <project path="external/python/absl-py" name="platform/external/python/absl-py" groups="ddk" revision="9ae5a78fc57c3cd539398373ae39601a8b923e62" />
+
+  <project path="external/bazelbuild-bazel-central-registry" name="platform/external/bazelbuild-bazel-central-registry" revision="3422f064566c274ea66633442521704d4a22486d" groups="ddk" />
+
+  <project path="external/bazelbuild-platforms" name="platform/external/bazelbuild-platforms" groups="ddk" revision="e352aabd0131f3ac3f340282a43ba85ffc3fe8fa" />
+
+  <project path="external/bazelbuild-apple_support" name="platform/external/bazelbuild-apple_support" groups="ddk" revision="f6003e1e3763f8aad9fb9acae79cfa5fff9ae988" />
+
+  <project path="external/bazelbuild-rules_cc" name="platform/external/bazelbuild-rules_cc" groups="ddk" revision="f0df148dbeb9b9ed3816aad328ebe7c65efaaa24" />
+
+  <project path="external/bazelbuild-rules_java" name="platform/external/bazelbuild-rules_java" groups="ddk" revision="8e548c7053dffd1717d565f0409a88992f401da1" />
+
+  <project path="external/bazelbuild-rules_license" name="platform/external/bazelbuild-rules_license" groups="ddk" revision="f578df4fd057ffe2023728444759535685631548" />
+
+  <project path="external/bazelbuild-rules_pkg" name="platform/external/bazelbuild-rules_pkg" groups="ddk" revision="429887dfd8db834498ad95e99043f771a3882af0" />
+
+  <project path="external/bazelbuild-rules_python" name="platform/external/bazelbuild-rules_python" groups="ddk" revision="f71847ac898655b67634bb14e77a7408c4fb5e00" />
+
+  <project path="external/bazelbuild-rules_rust" name="platform/external/bazelbuild-rules_rust" groups="ddk" revision="1520b49835be9122c2424231357d4db80069cc38" />
+
+  <project path="external/pigz" name="platform/external/pigz" groups="ddk" revision="9bc9fa17d499ddde88b77820f6d063e16c0cdd42" />
+
+  <project path="external/zlib" name="platform/external/zlib" groups="ddk" revision="eff168fd731068a3faddd9aae056875e10014a51" />
+
+  <project path="external/zopfli" name="platform/external/zopfli" groups="ddk" revision="36c79f00e5229800d2aaa13fc42c301ec8ef1153" />
+</manifest>

.github/patches/5.10/0001-Makefile-Use-CCACHE-for-faster-compilation.patch

@@ -1,48 +0,0 @@
-From f1e398602b989ac197cdd0fda4a7c4c323b03eb9 Mon Sep 17 00:00:00 2001
-From: DozNaka <dozdguide@gmail.com>
-Date: Mon, 11 Apr 2022 20:43:45 -0400
-Subject: [PATCH] Makefile: Use CCACHE for faster compilation
-
----
- Makefile | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index e8b8d5894..51e8aac6e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -442,21 +442,21 @@ KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
- # Make variables (CC, etc...)
- CPP		= $(CC) -E
- ifneq ($(LLVM),)
--CC		= clang
--LD		= ld.lld
--AR		= llvm-ar
-+CC		= $(CCACHE) clang
-+LD		= $(CCACHE) ld.lld
-+AR		= $(CCACHE) llvm-ar
- NM		= llvm-nm
--OBJCOPY		= llvm-objcopy
--OBJDUMP		= llvm-objdump
-+OBJCOPY		= $(CCACHE) llvm-objcopy
-+OBJDUMP		= $(CCACHE) llvm-objdump
- READELF		= llvm-readelf
- STRIP		= llvm-strip
- else
--CC		= $(CROSS_COMPILE)gcc
--LD		= $(CROSS_COMPILE)ld
--AR		= $(CROSS_COMPILE)ar
-+CC		= $(CCACHE) $(CROSS_COMPILE)gcc
-+LD		= $(CCACHE) $(CROSS_COMPILE)ld
-+AR		= $(CCACHE) $(CROSS_COMPILE)ar
- NM		= $(CROSS_COMPILE)nm
--OBJCOPY		= $(CROSS_COMPILE)objcopy
--OBJDUMP		= $(CROSS_COMPILE)objdump
-+OBJCOPY		= $(CCACHE) $(CROSS_COMPILE)objcopy
-+OBJDUMP		= $(CCACHE) $(CROSS_COMPILE)objdump
- READELF		= $(CROSS_COMPILE)readelf
- STRIP		= $(CROSS_COMPILE)strip
- endif
--- 
-2.37.2
-

.github/patches/5.15/0001-Makefile-Use-CCACHE-for-faster-compilation.patch

@@ -1,48 +0,0 @@
-From f1e398602b989ac197cdd0fda4a7c4c323b03eb9 Mon Sep 17 00:00:00 2001
-From: DozNaka <dozdguide@gmail.com>
-Date: Mon, 11 Apr 2022 20:43:45 -0400
-Subject: [PATCH] Makefile: Use CCACHE for faster compilation
-
----
- Makefile | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index e8b8d5894..51e8aac6e 100644
---- a/Makefile
-+++ b/Makefile
-@@ -442,21 +442,21 @@ KBUILD_HOSTLDLIBS   := $(HOST_LFS_LIBS) $(HOSTLDLIBS)
- # Make variables (CC, etc...)
- CPP		= $(CC) -E
- ifneq ($(LLVM),)
--CC		= clang
--LD		= ld.lld
--AR		= llvm-ar
-+CC		= $(CCACHE) clang
-+LD		= $(CCACHE) ld.lld
-+AR		= $(CCACHE) llvm-ar
- NM		= llvm-nm
--OBJCOPY		= llvm-objcopy
--OBJDUMP		= llvm-objdump
-+OBJCOPY		= $(CCACHE) llvm-objcopy
-+OBJDUMP		= $(CCACHE) llvm-objdump
- READELF		= llvm-readelf
- STRIP		= llvm-strip
- else
--CC		= $(CROSS_COMPILE)gcc
--LD		= $(CROSS_COMPILE)ld
--AR		= $(CROSS_COMPILE)ar
-+CC		= $(CCACHE) $(CROSS_COMPILE)gcc
-+LD		= $(CCACHE) $(CROSS_COMPILE)ld
-+AR		= $(CCACHE) $(CROSS_COMPILE)ar
- NM		= $(CROSS_COMPILE)nm
--OBJCOPY		= $(CROSS_COMPILE)objcopy
--OBJDUMP		= $(CROSS_COMPILE)objdump
-+OBJCOPY		= $(CCACHE) $(CROSS_COMPILE)objcopy
-+OBJDUMP		= $(CCACHE) $(CROSS_COMPILE)objdump
- READELF		= $(CROSS_COMPILE)readelf
- STRIP		= $(CROSS_COMPILE)strip
- endif
--- 
-2.37.2
-

.github/scripts/build_a12.sh

@@ -51,7 +51,7 @@ build_from_image() {
 	echo "[+] Images to upload"
 	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do

.github/scripts/build_a13.sh

@@ -30,7 +30,7 @@ build_from_image() {
 	echo '[+] Images to upload'
 	find . -type f -name "*.gz"
 
-	find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
+	# find . -type f -name "*.gz" -exec python3 "$GITHUB_WORKSPACE"/KernelSU/scripts/ksubot.py {} +
 }
 
 for dir in Image*; do

.github/workflows/add-device.yml

@@ -26,7 +26,7 @@ jobs:
       - name: Make pull request
         if: steps.handle-add-device.outputs.success == 'true'
         id: cpr
-        uses: peter-evans/create-pull-request@v4
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: "[add device]: ${{ steps.handle-add-device.outputs.device }}"
@@ -37,6 +37,7 @@ jobs:
           branch: "add-device-${{ github.event.issue.number }}"
           labels: add-device
           delete-branch: true
+          sign-commits: true
       - name: Check outputs
         if: ${{ steps.cpr.outputs.pull-request-number }}
         run: |
@@ -53,7 +54,7 @@ jobs:
           message: "Cannot create pull request. Please check the issue content. Or you can create a pull request manually."
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: close issue
-        uses: peter-evans/close-issue@v1
+        uses: peter-evans/close-issue@v3
         with:
           issue-number: ${{ github.event.issue.number }}
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/avd-kernel.yml

@@ -0,0 +1,137 @@
+name: GKI Kernel Build
+
+on:
+  workflow_call:
+    inputs:
+      version_name:
+        required: true
+        type: string
+        description: >
+          With SUBLEVEL of kernel,
+          for example: android12-5.10.66
+      arch:
+        required: true
+        type: string
+        description: >
+          Build arch: aarch64/x86_64
+      debug:
+        required: false
+        type: boolean
+        default: true
+      manifest_name:
+        required: false
+        type: string
+        description: >
+          Local repo manifest xml path,
+          typically for AVD kernel build.
+    secrets:
+      BOOT_SIGN_KEY:
+        required: false
+      CHAT_ID:
+        required: false
+      BOT_TOKEN:
+        required: false
+      MESSAGE_THREAD_ID:
+        required: false
+
+jobs:
+  build:
+    name: Build ${{ inputs.version_name }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Maximize build space
+        uses: easimon/maximize-build-space@master
+        with:
+          root-reserve-mb: 8192
+          temp-reserve-mb: 2048
+          remove-dotnet: 'true'
+          remove-android: 'true'
+          remove-haskell: 'true'
+          remove-codeql: 'true'
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: Setup need_upload
+        id: need_upload
+        run: |
+          if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
+            echo "UPLOAD=true" >> $GITHUB_OUTPUT
+          else
+            echo "UPLOAD=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup kernel source
+        run: |
+          echo "Free space:"
+          df -h
+          cd $GITHUB_WORKSPACE
+          sudo apt-get install repo -y
+          mkdir android-kernel && cd android-kernel
+          repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -m "$GITHUB_WORKSPACE/KernelSU/.github/manifests/${{ inputs.manifest_name }}" --repo-rev=v2.16
+          repo --version
+          repo --trace sync -c -j$(nproc --all) --no-tags
+          df -h
+
+      - name: Setup KernelSU
+        env:
+          PATCH_PATH: ${{ inputs.patch_path }}
+          IS_DEBUG_KERNEL: ${{ inputs.debug }}
+        run: |
+          cd $GITHUB_WORKSPACE/android-kernel
+          echo "[+] KernelSU setup"
+          GKI_ROOT=$(pwd)
+          echo "[+] GKI_ROOT: $GKI_ROOT"
+          echo "[+] Copy KernelSU driver to $GKI_ROOT/common/drivers"
+          ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
+          echo "[+] Add KernelSU driver to Makefile"
+          DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
+          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
+          echo "[+] Apply KernelSU patches"
+          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch || echo "[-] No patch found"
+
+          if [ "$IS_DEBUG_KERNEL" = "true" ]; then
+            echo "[+] Enable debug features for kernel"
+            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+          fi
+          repo status
+          echo "[+] KernelSU setup done."
+          cd $GITHUB_WORKSPACE/KernelSU
+          VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+
+      - name: Make working directory clean to avoid dirty
+        working-directory: android-kernel
+        run: |
+          rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
+          git config --global user.email "bot@kernelsu.org"
+          git config --global user.name "KernelSUBot"
+          cd common/ && git add -A && git commit -a -m "Add KernelSU"
+          repo status
+
+      - name: Build kernel
+        working-directory: android-kernel
+        run: |
+          if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
+            export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
+            export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
+          fi
+          tools/bazel run --config=fast --config=stamp --lto=thin //common-modules/virtual-device:virtual_device_${{ inputs.arch }}_dist -- --dist_dir=dist
+          NAME=kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
+          TARGET_IMAGE=dist/bzImage
+          if [ ! -e $TARGET_IMAGE ]; then
+            TARGET_IMAGE=dist/Image
+          fi
+          mv $TARGET_IMAGE $NAME
+          echo "file_path=android-kernel/$NAME" >> $GITHUB_ENV
+
+      - name: Upload Kernel
+        uses: actions/upload-artifact@v4
+        with:
+          name: kernel-${{ inputs.arch }}-avd-${{ inputs.version_name }}-${{ env.kernelsu_version }}
+          path: "${{ env.file_path }}"

.github/workflows/build-debug-kernel.yml

@@ -7,9 +7,9 @@ jobs:
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android12-5.10
-      version_name: android12-5.10.185
-      tag: android12-5.10-2023-09
-      os_patch_level: 2023-09
+      version_name: android12-5.10.226
+      tag: android12-5.10-2024-11
+      os_patch_level: 2024-11
       patch_path: "5.10"
       debug: true
   build-debug-kernel-a13:
@@ -17,11 +17,11 @@ jobs:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 187
-            os_patch_level: 2023-08
+            sub_level: 223
+            os_patch_level: 2024-11
           - version: "5.15"
-            sub_level: 119
-            os_patch_level: 2023-09
+            sub_level: 167
+            os_patch_level: 2024-11
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android13-${{ matrix.version }}
@@ -29,3 +29,34 @@ jobs:
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
       patch_path: ${{ matrix.version }}
       debug: true
+  build-debug-kernel-a14:
+    strategy:
+      matrix:
+        include:
+          - version: "5.15"
+            sub_level: 167
+            os_patch_level: 2024-11
+          - version: "6.1"
+            sub_level: 115
+            os_patch_level: 2024-12
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android14-${{ matrix.version }}
+      version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: true
+  build-debug-kernel-a15:
+    strategy:
+      matrix:
+        include:
+          - version: "6.6"
+            sub_level: 57
+            os_patch_level: 2024-12
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android15-${{ matrix.version }}
+      version_name: android15-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android15-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+      debug: true

.github/workflows/build-kernel-a12.yml

@@ -21,30 +21,16 @@ jobs:
     strategy:
       matrix:
         include:
-          - sub_level: 66
-            os_patch_level: 2022-01
-          - sub_level: 81
-            os_patch_level: 2022-03
-          - sub_level: 101
-            os_patch_level: 2022-05
-          - sub_level: 110
-            os_patch_level: 2022-07
-          - sub_level: 117
-            os_patch_level: 2022-09
-          - sub_level: 136
-            os_patch_level: 2022-11
-          - sub_level: 149
-            os_patch_level: 2023-01
-          - sub_level: 160
-            os_patch_level: 2023-03
-          - sub_level: 168
-            os_patch_level: 2023-05
-          - sub_level: 177
-            os_patch_level: 2023-07
-          - sub_level: 185
-            os_patch_level: 2023-09
-          - sub_level: 198
-            os_patch_level: 2023-11
+          - sub_level: 209
+            os_patch_level: 2024-05
+          - sub_level: 218
+            os_patch_level: 2024-08
+          - sub_level: 226
+            os_patch_level: 2024-11
+          - sub_level: 233
+            os_patch_level: 2025-02
+          - sub_level: 236
+            os_patch_level: 2025-05
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -81,11 +67,11 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2023
+          BRANCH=main-kernel-build-2024
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon==1.31.1
+          pip3 install telethon
 
       - name: Set boot sign key
         env:
@@ -97,7 +83,8 @@ jobs:
 
       - name: Bot session cache
         id: bot_session_cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
+        if: false
         with:
           path: scripts/ksubot.session
           key: ${{ runner.os }}-bot-session
@@ -129,7 +116,7 @@ jobs:
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android12-5.10
-      version_name: android12-5.10.177
-      tag: android12-5.10-2023-06
-      os_patch_level: 2023-06
-      patch_path: "5.10"
+      version_name: android12-5.10.223
+      tag: android12-5.10-2024-11
+      os_patch_level: 2024-11
+      patch_path: "5.10"

.github/workflows/build-kernel-a13.yml

@@ -22,56 +22,50 @@ jobs:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 107
-            os_patch_level: 2022-11
+            sub_level: 209
+            os_patch_level: 2024-05
           - version: "5.10"
+            sub_level: 210
+            os_patch_level: 2024-06
+          - version: "5.10"
+            sub_level: 214
+            os_patch_level: 2024-07
+          - version: "5.10"
+            sub_level: 218
+            os_patch_level: 2024-08
+          - version: "5.10"
+            sub_level: 223
+            os_patch_level: 2024-11
+          - version: "5.10"
+            sub_level: 228
+            os_patch_level: 2025-01
+          - version: "5.10"
+            sub_level: 234
+            os_patch_level: 2025-03
+          - version: "5.15"
+            sub_level: 148
+            os_patch_level: 2024-05
+          - version: "5.15"
             sub_level: 149
-            os_patch_level: 2023-01
-          - version: "5.10"
-            sub_level: 157
-            os_patch_level: 2023-03
-          - version: "5.10"
-            sub_level: 168
-            os_patch_level: 2023-05
-          - version: "5.10"
-            sub_level: 177
-            os_patch_level: 2023-06
-          - version: "5.10"
-            sub_level: 186
-            os_patch_level: 2023-08
-          - version: "5.10"
-            sub_level: 186
-            os_patch_level: 2023-09
-          - version: "5.10"
-            sub_level: 189
-            os_patch_level: 2023-11
-          - version: "5.10"
-            sub_level: 198
-            os_patch_level: 2023-12
+            os_patch_level: 2024-07
           - version: "5.15"
-            sub_level: 41
-            os_patch_level: 2022-11
+            sub_level: 151
+            os_patch_level: 2024-08
           - version: "5.15"
-            sub_level: 74
-            os_patch_level: 2023-01
+            sub_level: 153
+            os_patch_level: 2024-09
           - version: "5.15"
-            sub_level: 78
-            os_patch_level: 2023-03
+            sub_level: 167
+            os_patch_level: 2024-11
           - version: "5.15"
-            sub_level: 94
-            os_patch_level: 2023-05
+            sub_level: 178
+            os_patch_level: 2024-11
           - version: "5.15"
-            sub_level: 104
-            os_patch_level: 2023-07
+            sub_level: 170
+            os_patch_level: 2025-01
           - version: "5.15"
-            sub_level: 119
-            os_patch_level: 2023-09
-          - version: "5.15"
-            sub_level: 123
-            os_patch_level: 2023-11
-          - version: "5.15"
-            sub_level: 137
-            os_patch_level: 2023-12
+            sub_level: 178
+            os_patch_level: 2025-03
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -108,11 +102,11 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2023
+          BRANCH=main-kernel-build-2024
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon==1.31.1
+          pip3 install telethon
 
       - name: Set boot sign key
         env:
@@ -124,7 +118,8 @@ jobs:
 
       - name: Bot session cache
         id: bot_session_cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
+        if: false
         with:
           path: scripts/ksubot.session
           key: ${{ runner.os }}-bot-session
@@ -157,15 +152,15 @@ jobs:
       matrix:
         include:
           - version: "5.10"
-            sub_level: 189
-            os_patch_level: 2023-10
+            sub_level: 223
+            os_patch_level: 2024-11
           - version: "5.15"
-            sub_level: 123
-            os_patch_level: 2023-10
+            sub_level: 167
+            os_patch_level: 2024-11
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android13-${{ matrix.version }}
       version_name: android13-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android13-${{ matrix.version }}-${{ matrix.os_patch_level }}
       os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-a14.yml

@@ -22,20 +22,62 @@ jobs:
       matrix:
         include:
           - version: "5.15"
-            sub_level: 110
-            os_patch_level: 2023-09
+            sub_level: 148
+            os_patch_level: 2024-05
           - version: "5.15"
-            sub_level: 131
-            os_patch_level: 2023-11
+            sub_level: 149
+            os_patch_level: 2024-06
+          - version: "5.15"
+            sub_level: 153
+            os_patch_level: 2024-07
+          - version: "5.15"
+            sub_level: 158
+            os_patch_level: 2024-08
+          - version: "5.15"
+            sub_level: 164
+            os_patch_level: 2024-09
+          - version: "5.15"
+            sub_level: 167
+            os_patch_level: 2024-11
+          - version: "5.15"
+            sub_level: 170
+            os_patch_level: 2025-01
+          - version: "5.15"
+            sub_level: 178
+            os_patch_level: 2025-03
           - version: "6.1"
-            sub_level: 25
-            os_patch_level: 2023-10
+            sub_level: 75
+            os_patch_level: 2024-05
           - version: "6.1"
-            sub_level: 43
-            os_patch_level: 2023-11
+            sub_level: 78
+            os_patch_level: 2024-06
           - version: "6.1"
-            sub_level: 57
-            os_patch_level: 2023-12
+            sub_level: 84
+            os_patch_level: 2024-07
+          - version: "6.1"
+            sub_level: 90
+            os_patch_level: 2024-08
+          - version: "6.1"
+            sub_level: 93
+            os_patch_level: 2024-09
+          - version: "6.1"
+            sub_level: 99
+            os_patch_level: 2024-10
+          - version: "6.1"
+            sub_level: 112
+            os_patch_level: 2024-11
+          - version: "6.1"
+            sub_level: 115
+            os_patch_level: 2024-12
+          - version: "6.1"
+            sub_level: 118
+            os_patch_level: 2025-01
+          - version: "6.1"
+            sub_level: 128
+            os_patch_level: 2025-03
+          - version: "6.1"
+            sub_level: 134
+            os_patch_level: 2025-05
     uses: ./.github/workflows/gki-kernel.yml
     secrets: inherit
     with:
@@ -72,11 +114,11 @@ jobs:
       - name: Download prebuilt toolchain
         run: |
           AOSP_MIRROR=https://android.googlesource.com
-          BRANCH=main-kernel-build-2023
+          BRANCH=main-kernel-build-2024
           git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
           git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
           git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
-          pip3 install telethon==1.31.1
+          pip3 install telethon
 
       - name: Set boot sign key
         env:
@@ -88,7 +130,8 @@ jobs:
 
       - name: Bot session cache
         id: bot_session_cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
+        if: false
         with:
           path: scripts/ksubot.session
           key: ${{ runner.os }}-bot-session
@@ -121,12 +164,15 @@ jobs:
       matrix:
         include:
           - version: "5.15"
-            sub_level: 110
-            os_patch_level: 2023-09
+            sub_level: 167
+            os_patch_level: 2024-11
+          - version: "6.1"
+            sub_level: 115
+            os_patch_level: 2024-12
     uses: ./.github/workflows/gki-kernel.yml
     with:
       version: android14-${{ matrix.version }}
       version_name: android14-${{ matrix.version }}.${{ matrix.sub_level }}
       tag: android14-${{ matrix.version }}-${{ matrix.os_patch_level }}
       os_patch_level: ${{ matrix.os_patch_level }}
-      patch_path: ${{ matrix.version }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-a15.yml

@@ -0,0 +1,148 @@
+name: Build Kernel - Android 15
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-kernel-a15.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build_a13.sh"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-a15.yml"
+      - ".github/workflows/gki-kernel.yml"
+      - ".github/scripts/build-a13.sh"
+      - "kernel/**"
+  workflow_call:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "6.6"
+            sub_level: 30
+            os_patch_level: 2024-08
+          - version: "6.6"
+            sub_level: 46
+            os_patch_level: 2024-09
+          - version: "6.6"
+            sub_level: 50
+            os_patch_level: 2024-10
+          - version: "6.6"
+            sub_level: 56
+            os_patch_level: 2024-11
+          - version: "6.6"
+            sub_level: 57
+            os_patch_level: 2024-12
+          - version: "6.6"
+            sub_level: 58
+            os_patch_level: 2025-01
+          - version: "6.6"
+            sub_level: 66
+            os_patch_level: 2025-02
+          - version: "6.6"
+            sub_level: 77
+            os_patch_level: 2025-03
+          - version: "6.6"
+            sub_level: 82
+            os_patch_level: 2025-04
+          - version: "6.6"
+            sub_level: 87
+            os_patch_level: 2025-05
+    uses: ./.github/workflows/gki-kernel.yml
+    secrets: inherit
+    with:
+      version: android15-${{ matrix.version }}
+      version_name: android15-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android15-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}
+  
+  upload-artifacts:
+    needs: build-kernel
+    runs-on: ubuntu-latest
+    if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' || github.ref == 'refs/heads/ci' }}
+    env:
+      CHAT_ID: ${{ secrets.CHAT_ID }}
+      BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
+      MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
+      COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
+      COMMIT_URL: ${{ github.event.head_commit.url }}
+      RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+
+      - uses: actions/checkout@v4
+        with:
+          path: KernelSU
+          fetch-depth: 0
+
+      - name: List artifacts
+        run: |
+          tree
+
+      - name: Download prebuilt toolchain
+        run: |
+          AOSP_MIRROR=https://android.googlesource.com
+          BRANCH=main-kernel-build-2024
+          git clone $AOSP_MIRROR/platform/prebuilts/build-tools -b $BRANCH --depth 1 build-tools
+          git clone $AOSP_MIRROR/kernel/prebuilts/build-tools -b $BRANCH --depth 1 kernel-build-tools
+          git clone $AOSP_MIRROR/platform/system/tools/mkbootimg -b $BRANCH --depth 1
+          pip3 install telethon
+
+      - name: Set boot sign key
+        env:
+          BOOT_SIGN_KEY: ${{ secrets.BOOT_SIGN_KEY }}
+        run: |
+          if [ ! -z "$BOOT_SIGN_KEY" ]; then
+            echo "$BOOT_SIGN_KEY" > ./kernel-build-tools/linux-x86/share/avb/testkey_rsa2048.pem
+          fi
+
+      - name: Bot session cache
+        id: bot_session_cache
+        uses: actions/cache@v4
+        if: false
+        with:
+          path: scripts/ksubot.session
+          key: ${{ runner.os }}-bot-session
+
+      - name: Build boot images
+        run: |
+          export AVBTOOL=$GITHUB_WORKSPACE/kernel-build-tools/linux-x86/bin/avbtool
+          export GZIP=$GITHUB_WORKSPACE/build-tools/path/linux-x86/gzip
+          export LZ4=$GITHUB_WORKSPACE/build-tools/path/linux-x86/lz4
+          export MKBOOTIMG=$GITHUB_WORKSPACE/mkbootimg/mkbootimg.py
+          export UNPACK_BOOTIMG=$GITHUB_WORKSPACE/mkbootimg/unpack_bootimg.py
+          cd $GITHUB_WORKSPACE/KernelSU
+          export VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "VERSION: $VERSION"
+          cd -
+          bash $GITHUB_WORKSPACE/KernelSU/.github/scripts/build_a13.sh
+
+      - name: Display structure of boot files
+        run: ls -R
+
+      - name: Upload images artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: boot-images-android15
+          path: Image-android15*/*.img.gz
+
+  check-build-kernel:
+    if: (github.event_name == 'pull_request' && !github.event.pull_request.draft) || github.ref == 'refs/heads/checkci'
+    strategy:
+      matrix:
+        include:
+          - version: "6.6"
+            sub_level: 57
+            os_patch_level: 2024-12
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: android15-${{ matrix.version }}
+      version_name: android15-${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: android15-${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      patch_path: ${{ matrix.version }}

.github/workflows/build-kernel-arcvm.yml

@@ -13,20 +13,26 @@ on:
   workflow_call:
   workflow_dispatch:
 
+env:
+  git_tag: chromeos-5.10-arcvm
+
 jobs:
   build:
     if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && !github.event.pull_request.draft)
     strategy:
       matrix:
-        arch: [x86_64]
-        version: ["5.10.178"]
         include:
           - arch: x86_64
-            git_tag: chromeos-5.10-arcvm
-            file_name: "bzImage"
+            kernel_image_name: bzImage
+            build_config: build.config.gki.x86_64
+            defconfig: x86_64_arcvm_defconfig
+          - arch: arm64
+            kernel_image_name: Image
+            build_config: build.config.gki.aarch64
+            defconfig: arm64_arcvm_defconfig
 
     name: Build ChromeOS ARCVM kernel
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       LTO: thin
       ROOT_DIR: /
@@ -44,7 +50,7 @@ jobs:
 
           sudo ln -s --force python3 /usr/bin/python
 
-          export LLVM_VERSION=12
+          export LLVM_VERSION=14
           wget https://apt.llvm.org/llvm.sh
           chmod +x llvm.sh
           sudo ./llvm.sh $LLVM_VERSION
@@ -66,7 +72,16 @@ jobs:
           fetch-depth: 0
 
       - name: Setup kernel source
-        run: git clone https://chromium.googlesource.com/chromiumos/third_party/kernel.git -b ${{ matrix.git_tag }} --depth=1
+        run: git clone https://chromium.googlesource.com/chromiumos/third_party/kernel.git -b ${{ env.git_tag }} --depth=1
+
+      - name: Extract version from Makefile
+        working-directory: kernel
+        run: |
+          VERSION=$(grep -E '^VERSION = ' Makefile | awk '{print $3}')
+          PATCHLEVEL=$(grep -E '^PATCHLEVEL = ' Makefile | awk '{print $3}')
+          SUBLEVEL=$(grep -E '^SUBLEVEL = ' Makefile | awk '{print $3}')
+          echo "ChromeOS ARCVM Linux kernel version: $VERSION.$PATCHLEVEL.$SUBLEVEL"
+          echo "version=$VERSION.$PATCHLEVEL.$SUBLEVEL" >> $GITHUB_ENV
 
       - name: Setup KernelSU
         working-directory: kernel
@@ -79,25 +94,30 @@ jobs:
 
           echo "[+] Add KernelSU driver to Makefile"
           DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
-          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          DRIVER_KCONFIG=$KERNEL_ROOT/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
 
           echo "[+] Apply KernelSU patches"
-          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.10/*.patch || echo "[-] No patch found"
 
           echo "[+] Patch script/setlocalversion"
           sed -i 's/-dirty//g' $KERNEL_ROOT/scripts/setlocalversion
 
           echo "[+] KernelSU setup done."
           cd $GITHUB_WORKSPACE/KernelSU
-          VERSION=$(($(git rev-list --count HEAD) + 10200))
-          echo "VERSION: $VERSION"
-          echo "kernelsu_version=$VERSION" >> $GITHUB_ENV
+          KSU_VERSION=$(($(git rev-list --count HEAD) + 10200))
+          echo "KernelSU version: $KSU_VERSION"
+          echo "kernelsu_version=$KSU_VERSION" >> $GITHUB_ENV
 
       - name: Build Kernel
         working-directory: kernel
+        env:
+          KERNEL_IMAGE_NAME: ${{ matrix.kernel_image_name }}
+          ARCH: ${{ matrix.arch }}
         run: |
-          set -a && . build.config.gki.x86_64; set +a
-          export DEFCONFIG=x86_64_arcvm_defconfig
+          set -a && . ${{ matrix.build_config }}; set +a
+          export DEFCONFIG=${{ matrix.defconfig }}
           if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
             export KSU_EXPECTED_SIZE=${{ vars.EXPECTED_SIZE }}
             export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
@@ -106,43 +126,12 @@ jobs:
           make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} mrproper
           make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} ${DEFCONFIG} < /dev/null
           scripts/config --file .config -e LTO_CLANG -d LTO_NONE -e LTO_CLANG_THIN -d LTO_CLANG_FULL -e THINLTO
-          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} -j$(nproc) bzImage modules prepare-objtool
+          make LLVM=1 LLVM_IAS=1 DEPMOD=depmod DTC=dtc O=${PWD} -j$(nproc) ${KERNEL_IMAGE_NAME} modules prepare-objtool
+          ls -l -h ${PWD}/arch/${ARCH}/boot
+          echo "file_path=${PWD}/arch/${ARCH}/boot/${KERNEL_IMAGE_NAME}" >> $GITHUB_ENV
 
-          echo "file_path=${PWD}/arch/x86/boot/bzImage" >> $GITHUB_ENV
-
-      - name: Upload kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+      - name: Upload kernel-ARCVM-${{ matrix.arch }}-${{ env.version }}
         uses: actions/upload-artifact@v4
         with:
-          name: kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
+          name: kernel-ARCVM-${{ matrix.arch }}-${{ env.version }}
           path: "${{ env.file_path }}"
-
-      - name: Bot session cache
-        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-        id: bot_session_cache
-        uses: actions/cache@v3
-        with:
-          path: scripts/ksubot.session
-          key: ${{ runner.os }}-bot-session
-
-      - name: Post to Telegram
-        if: ${{ ( github.event_name == 'push' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
-        env:
-          CHAT_ID: ${{ secrets.CHAT_ID }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        run: |
-          TITLE=kernel-ARCVM-${{ matrix.arch }}-${{ matrix.version }}
-          echo "[+] title: $TITLE"
-          export TITLE
-          export VERSION="${{ env.kernelsu_version }}"
-          echo "[+] Compress images"
-          gzip -n -f -9 "${{ env.file_path }}"
-          echo "[+] Image to upload"
-          ls -l "${{ env.file_path }}.gz"
-          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
-            pip3 install telethon==1.31.1
-            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
-          fi

.github/workflows/build-kernel-avd.yml

@@ -0,0 +1,40 @@
+name: Build Kernel - AVD
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-kernel-avd.yml"
+      - ".github/workflows/avd-kernel.yml"
+      - ".github/workflows/manifests/*xml"
+      - "kernel/**"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-kernel-avd.yml"
+      - ".github/workflows/avd-kernel.yml"
+      - ".github/workflows/manifests/*.xml"
+      - "kernel/**"
+  workflow_call:
+  workflow_dispatch:
+jobs:
+  build-kernel:
+    if: github.event_name != 'pull_request' && github.ref != 'refs/heads/checkci'
+    uses: ./.github/workflows/avd-kernel.yml
+    secrets: inherit
+    strategy:
+      matrix:
+        include:
+          - version: "android-14-avd_x86_64"
+            manifest: "android-14-avd_x86_64.xml"
+            arch: "x86_64"
+          - version: "android-15-avd_aarch64"
+            manifest: "android-15-avd_aarch64.xml"
+            arch: "aarch64"
+          - version: "android-15-avd_x86_64"
+            manifest: "android-15-avd_x86_64.xml"
+            arch: "x86_64"
+    with:
+      version_name: ${{ matrix.version }}
+      manifest_name: ${{ matrix.manifest }}
+      arch: ${{ matrix.arch }}
+      debug: true

.github/workflows/build-ksud.yml

@@ -1,25 +0,0 @@
-name: Build KSUD
-on:
-  push:
-    branches: [ "main", "ci" ]
-    paths:
-      - '.github/workflows/build-ksud.yml'
-      - '.github/workflows/ksud.yml'
-      - 'userspace/ksud/**'
-  pull_request:
-    branches: [ "main" ]
-    paths:
-      - '.github/workflows/build-ksud.yml'
-      - '.github/workflows/ksud.yml'
-      - 'userspace/ksud/**'
-jobs:
-  build:
-    strategy:
-      matrix:
-        include:
-          - target: aarch64-linux-android
-          - target: x86_64-linux-android
-          - target: x86_64-pc-windows-gnu # only for build
-    uses: ./.github/workflows/ksud.yml
-    with:
-      target: ${{ matrix.target }}

.github/workflows/build-lkm.yml

@@ -0,0 +1,41 @@
+name: Build LKM for KernelSU
+on:
+  push:
+    branches: ["main", "ci", "checkci"]
+    paths:
+      - ".github/workflows/build-lkm.yml"
+  pull_request:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/build-lkm.yml"
+  workflow_call:
+jobs:
+  build-lkm:
+    strategy:
+      matrix:
+        include:
+          - version: "android12-5.10"
+            sub_level: 236
+            os_patch_level: 2025-05
+          - version: "android13-5.10"
+            sub_level: 234
+            os_patch_level: 2025-03
+          - version: "android13-5.15"
+            sub_level: 178
+            os_patch_level: 2025-03
+          - version: "android14-5.15"
+            sub_level: 178
+            os_patch_level: 2025-03
+          - version: "android14-6.1"
+            sub_level: 134
+            os_patch_level: 2025-05
+          - version: "android15-6.6"
+            sub_level: 87
+            os_patch_level: 2025-05
+    uses: ./.github/workflows/gki-kernel.yml
+    with:
+      version: ${{ matrix.version }}
+      version_name: ${{ matrix.version }}.${{ matrix.sub_level }}
+      tag: ${{ matrix.version }}-${{ matrix.os_patch_level }}
+      os_patch_level: ${{ matrix.os_patch_level }}
+      build_lkm: true

.github/workflows/build-manager.yml

@@ -2,10 +2,11 @@ name: Build Manager
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [ "main", "ci" ]
     paths:
       - '.github/workflows/build-manager.yml'
       - 'manager/**'
+      - 'kernel/**'
       - 'userspace/ksud/**'
   pull_request:
     branches: [ "main" ]
@@ -14,15 +15,33 @@ on:
   workflow_call:
 
 jobs:
+  build-lkm:
+    uses: ./.github/workflows/build-lkm.yml
+    secrets: inherit
+
   build-ksud:
+    needs: build-lkm
     strategy:
       matrix:
         include:
           - target: aarch64-linux-android
+            os: ubuntu-latest
           - target: x86_64-linux-android
+            os: ubuntu-latest
+          - target: x86_64-pc-windows-gnu # windows pc
+            os: ubuntu-latest
+          - target: x86_64-apple-darwin # Intel mac
+            os: macos-latest
+          - target: aarch64-apple-darwin # M chip mac
+            os: macos-latest
+          - target: aarch64-unknown-linux-musl # arm64 Linux
+            os: ubuntu-latest
+          - target: x86_64-unknown-linux-musl # x86 Linux
+            os: ubuntu-latest
     uses: ./.github/workflows/ksud.yml
     with:
       target: ${{ matrix.target }}
+      os: ${{ matrix.os }}
 
   build-manager:
     needs: build-ksud
@@ -50,23 +69,26 @@ jobs:
         if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
         run: |
           if [ ! -z "${{ secrets.KEYSTORE }}" ]; then
-            echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}' >> gradle.properties
-            echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}' >> gradle.properties
-            echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}' >> gradle.properties
-            echo KEYSTORE_FILE='../key.jks' >> gradle.properties
-            echo ${{ secrets.KEYSTORE }} | base64 --decode > key.jks
+            {
+              echo KEYSTORE_PASSWORD='${{ secrets.KEYSTORE_PASSWORD }}'
+              echo KEY_ALIAS='${{ secrets.KEY_ALIAS }}'
+              echo KEY_PASSWORD='${{ secrets.KEY_PASSWORD }}'
+              echo KEYSTORE_FILE='key.jks'
+            } >> gradle.properties
+            echo ${{ secrets.KEYSTORE }} | base64 -d > key.jks
           fi
 
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
-          distribution: "temurin"
-          java-version: "17"
+          distribution: temurin
+          java-version: 21
 
       - name: Setup Gradle
-        uses: gradle/gradle-build-action@v2
-        with:
-          gradle-home-cache-cleanup: true
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
 
       - name: Download arm64 ksud
         uses: actions/download-artifact@v4
@@ -100,14 +122,22 @@ jobs:
 
       - name: Upload build artifact
         uses: actions/upload-artifact@v4
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
         with:
           name: manager
           path: manager/app/build/outputs/apk/release/*.apk
 
+      - name: Upload mappings
+        uses: actions/upload-artifact@v4
+        if: ${{ ( github.event_name != 'pull_request' && github.ref == 'refs/heads/main' ) || github.ref_type == 'tag' }}
+        with:
+          name: "mappings"
+          path: "manager/app/build/outputs/mapping/release/"
+
       - name: Bot session cache
         if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
         id: bot_session_cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: scripts/ksubot.session
           key: ${{ runner.os }}-bot-session
@@ -126,6 +156,6 @@ jobs:
           if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
             export VERSION=$(git rev-list --count HEAD)
             APK=$(find ./app/build/outputs/apk/release -name "*.apk")
-            pip3 install telethon==1.31.1
+            pip3 install telethon
             python3 $GITHUB_WORKSPACE/scripts/ksubot.py $APK
           fi

.github/workflows/build-su.yml

@@ -26,39 +26,11 @@ jobs:
         else
           echo "UPLOAD=false" >> $GITHUB_OUTPUT
         fi
-    - uses: nttld/setup-ndk@v1
-      with:
-        ndk-version: r25c
     - name: Build su
       working-directory: ./userspace/su
-      run: ndk-build
+      run: $ANDROID_NDK/ndk-build
     - name: Upload a Build Artifact
       uses: actions/upload-artifact@v4
       with:
         name: su
         path: ./userspace/su/libs
-    - name: Bot session cache
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      id: bot_session_cache
-      uses: actions/cache@v3
-      with:
-        path: scripts/ksubot.session
-        key: ${{ runner.os }}-bot-session
-    - name: Upload to telegram
-      if: github.event_name != 'pull_request' && steps.need_upload.outputs.UPLOAD == 'true'
-      env:
-        CHAT_ID: ${{ secrets.CHAT_ID }}
-        BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-        MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-        COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        COMMIT_URL: ${{ github.event.head_commit.url }}
-        RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-        TITLE: SU
-      run: |
-        if [ ! -z "${{ secrets.BOT_TOKEN }}" ]; then
-          export VERSION=$(git rev-list --count HEAD)
-          pip3 install telethon==1.31.1
-          mv ./userspace/su/libs/arm64-v8a/su su-arm64
-          mv ./userspace/su/libs/x86_64/su su-x86_64
-          python3 scripts/ksubot.py su-arm64 su-x86_64
-        fi

.github/workflows/clippy.yml

@@ -22,16 +22,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
-      - run: rustup default 1.67.0
+      - run: rustup update stable
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: userspace/ksud
 
       - name: Install cross
-        run: cargo install cross --locked
+        run: |
+          RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
 
       - name: Run clippy
         run: |
           cross clippy --manifest-path userspace/ksud/Cargo.toml --target aarch64-linux-android --release
-          cross clippy --manifest-path userspace/ksud/Cargo.toml --target x86_64-linux-android --release
+          cross clippy --manifest-path userspace/ksud/Cargo.toml --target x86_64-linux-android --release

.github/workflows/deploy-website.yml

@@ -37,11 +37,11 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: latest
           cache: yarn # or pnpm / yarn
           cache-dependency-path: website/yarn.lock
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@v5
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Build with VitePress
@@ -64,4 +64,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@v4

.github/workflows/gki-kernel.yml

@@ -29,7 +29,7 @@ on:
           for example: 2021-11
         default: 2022-05
       patch_path:
-        required: true
+        required: false
         type: string
         description: >
           Directory name of .github/patches/<patch_path>
@@ -49,6 +49,10 @@ on:
         required: false
         type: boolean
         default: false
+      build_lkm:
+        required: false
+        type: boolean
+        default: false
     secrets:
       BOOT_SIGN_KEY:
         required: false
@@ -124,13 +128,22 @@ jobs:
           ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $GKI_ROOT/common/drivers/kernelsu
           echo "[+] Add KernelSU driver to Makefile"
           DRIVER_MAKEFILE=$GKI_ROOT/common/drivers/Makefile
-          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
-          echo "[+] Apply KernelSU patches"
-          cd $GKI_ROOT/common/ && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/$PATCH_PATH/*.patch || echo "[-] No patch found"
+          DRIVER_KCONFIG=$GKI_ROOT/common/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
+          echo "[+] Apply Compilation Patches"
+          if [ ! -e build/build.sh ]; then
+            GLIBC_VERSION=$(ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}')
+            echo "GLIBC_VERSION: $GLIBC_VERSION"
+            if [ "$(printf '%s\n' "2.38" "$GLIBC_VERSION" | sort -V | head -n1)" = "2.38" ]; then
+              echo "Patching resolve_btfids/Makefile"
+              cd $GKI_ROOT/common/ && sed -i '/\$(Q)\$(MAKE) -C \$(SUBCMD_SRC) OUTPUT=\$(abspath \$(dir \$@))\/ \$(abspath \$@)/s//$(Q)$(MAKE) -C $(SUBCMD_SRC) EXTRA_CFLAGS="$(CFLAGS)" OUTPUT=$(abspath $(dir $@))\/ $(abspath $@)/' tools/bpf/resolve_btfids/Makefile || echo "No patch needed."
+            fi
+          fi
 
           if [ "$IS_DEBUG_KERNEL" = "true" ]; then
             echo "[+] Enable debug features for kernel"
-            echo "ccflags-y += -DCONFIG_KSU_DEBUG" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
+            printf "\nccflags-y += -DCONFIG_KSU_DEBUG\n" >> $GITHUB_WORKSPACE/KernelSU/kernel/Makefile
           fi
           repo status
           echo "[+] KernelSU setup done."
@@ -148,22 +161,55 @@ jobs:
 
       - name: Setup ccache
         if: inputs.use_cache == true
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@v1
         with:
           key: gki-kernel-aarch64-${{ inputs.version_name }}
           max-size: 2G
           save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
 
+      - name: Setup for LKM
+        if: ${{ inputs.build_lkm == true }}
+        working-directory: android-kernel
+        run: |
+          pip install ast-grep-cli
+          sudo apt-get install llvm-15 -y
+          ast-grep -U -p '$$$ check_exports($$$) {$$$}' -r '' common/scripts/mod/modpost.c
+          ast-grep -U -p 'check_exports($$$);' -r '' common/scripts/mod/modpost.c
+          sed -i '/config KSU/,/help/{s/default y/default m/}' common/drivers/kernelsu/Kconfig
+          echo "drivers/kernelsu/kernelsu.ko" >> common/android/gki_aarch64_modules
+
+          # bazel build, android14-5.15, android14-6.1 use bazel
+          if [ ! -e build/build.sh ]; then
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
+            if [ -e common/modules.bzl ]; then
+              sed -i 's/_COMMON_GKI_MODULES_LIST = \[/_COMMON_GKI_MODULES_LIST = \[ "drivers\/kernelsu\/kernelsu.ko",/g' common/modules.bzl
+            fi
+          else
+            TARGET_FILE="build/kernel/build.sh"
+            if [ ! -e "$TARGET_FILE" ]; then
+              TARGET_FILE="build/build.sh"
+            fi
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' $TARGET_FILE || echo "No unknown symbol in $TARGET_FILE"
+            sed -i 's/if ! diff -u "\${KERNEL_DIR}\/\${MODULES_ORDER}" "\${OUT_DIR}\/modules\.order"; then/if false; then/g' $TARGET_FILE
+            sed -i 's@${ROOT_DIR}/build/abi/compare_to_symbol_list@echo@g' $TARGET_FILE
+            sed -i 's/needs unknown symbol/Dont abort when unknown symbol/g' build/kernel/*.sh || echo "No unknown symbol scripts found"
+          fi
+
       - name: Make working directory clean to avoid dirty
         working-directory: android-kernel
         run: |
+          # Fix bazel build error
+          if [ -f common/BUILD.bazel ]; then
+            [ -f android/abi_gki_protected_exports_aarch64 ] || sed -i '/^[[:space:]]*"protected_exports_list"[[:space:]]*:[[:space:]]*"android\/abi_gki_protected_exports_aarch64",$/d' common/BUILD.bazel
+          fi
+          
           rm common/android/abi_gki_protected_exports_* || echo "No protected exports!"
           git config --global user.email "bot@kernelsu.org"
           git config --global user.name "KernelSUBot"
           cd common/ && git add -A && git commit -a -m "Add KernelSU"
           repo status
 
-      - name: Build boot.img
+      - name: Build Kernel/LKM
         working-directory: android-kernel
         run: |
           if [ ! -z ${{ vars.EXPECTED_SIZE }} ] && [ ! -z ${{ vars.EXPECTED_HASH }} ]; then
@@ -171,7 +217,7 @@ jobs:
             export KSU_EXPECTED_HASH=${{ vars.EXPECTED_HASH }}
           fi
           if [ -e build/build.sh ]; then
-            CCACHE="/usr/bin/ccache" LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh
+            LTO=thin BUILD_CONFIG=common/build.config.gki.aarch64 build/build.sh CC="/usr/bin/ccache clang"
           else
             tools/bazel run --disk_cache=/home/runner/.cache/bazel --config=fast --config=stamp --lto=thin //common:kernel_aarch64_dist -- --dist_dir=dist
           fi
@@ -184,20 +230,34 @@ jobs:
             OUTDIR=android-kernel/dist
           fi
           mkdir output
-          cp $OUTDIR/Image ./output/
-          cp $OUTDIR/Image.lz4 ./output/
-          git clone https://github.com/Kernel-SU/AnyKernel3
-          rm -rf ./AnyKernel3/.git
-          cp $OUTDIR/Image ./AnyKernel3/
+          if [ "${{ inputs.build_lkm}}" = "true" ]; then 
+            llvm-strip-15 -d $OUTDIR/kernelsu.ko
+            mv $OUTDIR/kernelsu.ko ./output/${{ inputs.version }}_kernelsu.ko
+          else
+            cp $OUTDIR/Image ./output/
+            cp $OUTDIR/Image.lz4 ./output/
+            git clone https://github.com/Kernel-SU/AnyKernel3
+            rm -rf ./AnyKernel3/.git
+            cp $OUTDIR/Image ./AnyKernel3/
+          fi
 
       - name: Upload Image and Image.gz
         uses: actions/upload-artifact@v4
+        if: ${{ inputs.build_lkm == false }}
         with:
           name: Image-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
           path: ./output/*
 
       - name: Upload AnyKernel3
+        if: ${{ inputs.build_lkm == false }}
         uses: actions/upload-artifact@v4
         with:
           name: AnyKernel3-${{ inputs.version_name }}_${{ inputs.os_patch_level }}
           path: ./AnyKernel3/*
+
+      - name: Upload LKM
+        uses: actions/upload-artifact@v4
+        if: ${{ inputs.build_lkm == true }}
+        with:
+          name: ${{ inputs.version }}-lkm
+          path: ./output/*_kernelsu.ko

.github/workflows/ksud.yml

@@ -5,32 +5,53 @@ on:
       target:
         required: true
         type: string
+      os:
+        required: false
+        type: string
+        default: ubuntu-latest
+      pack_lkm:
+        required: false
+        type: boolean
+        default: true
       use_cache:
         required: false
         type: boolean
         default: true
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ inputs.os }}
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    # cross build failed after Rust 1.68, see https://github.com/cross-rs/cross/issues/1222
-    - run: rustup default 1.67.0
+
+    - name: Download artifacts
+      uses: actions/download-artifact@v4
+    
+    - name: Prepare LKM fies
+      if: ${{ inputs.pack_lkm }}
+      run: |
+        cp android*-lkm/*_kernelsu.ko ./userspace/ksud/bin/aarch64/
+        
+    - name: Setup rustup
+      run: |
+        rustup update stable
+        rustup target add x86_64-apple-darwin
+        rustup target add aarch64-apple-darwin
     - uses: Swatinem/rust-cache@v2
       with:
         workspaces: userspace/ksud
         cache-targets: false
 
     - name: Install cross
-      run: cargo install cross --locked
+      run: |
+        RUSTFLAGS="" cargo install cross --git https://github.com/cross-rs/cross --rev 66845c1
 
     - name: Build ksud
-      run: cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
+      run: CROSS_NO_WARNINGS=0 cross build --target ${{ inputs.target }} --release --manifest-path ./userspace/ksud/Cargo.toml
 
     - name: Upload ksud artifact
       uses: actions/upload-artifact@v4
       with:
         name: ksud-${{ inputs.target }}
-        path: userspace/ksud/target/**/release/ksud
+        path: userspace/ksud/target/**/release/ksud*

.github/workflows/release.yml

@@ -18,6 +18,9 @@ jobs:
   build-a14-kernel:
     uses: ./.github/workflows/build-kernel-a14.yml
     secrets: inherit
+  build-a15-kernel:
+    uses: ./.github/workflows/build-kernel-a15.yml
+    secrets: inherit
   build-wsa-kernel:
     uses: ./.github/workflows/build-kernel-wsa.yml
     secrets: inherit
@@ -36,6 +39,20 @@ jobs:
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v4
+      - name: Rename ksud
+        run: |
+          mkdir -p ksud
+          for dir in ./ksud-*; do
+              if [ -d "$dir" ]; then
+                 echo "----- Rename $dir -----"
+                 ksud_platform_name=$(basename "$dir")
+                 find "$dir" -type f -name "ksud" -path "*/release/*" | while read -r ksud_file; do
+                   if [ -f "$ksud_file" ]; then
+                     mv "$ksud_file" "ksud/$ksud_platform_name"
+                   fi
+                 done
+              fi
+          done
       - name: Zip AnyKernel3
         run: |
           for dir in AnyKernel3-*; do
@@ -67,11 +84,13 @@ jobs:
         run: ls -R
 
       - name: release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: |
             manager/*.apk
+            android*-lkm/*_kernelsu.ko
             AnyKernel3-*.zip
             boot-images-*/Image-*/*.img.gz
             kernel-WSA*.zip
             kernel-ARCVM*.zip
+            ksud/ksud-*

.github/workflows/wsa-kernel.yml

@@ -15,7 +15,7 @@ on:
 jobs:
   build:
     name: Build WSA-Kernel-${{ inputs.version }}-${{ inputs.arch }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       CCACHE_COMPILERCHECK: "%compiler% -dumpmachine; %compiler% -dumpversion"
       CCACHE_NOHASHDIR: "true"
@@ -30,7 +30,7 @@ jobs:
 
       - name: Cache LLVM
         id: cache-llvm
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ./llvm
           key: llvm-12.0.1
@@ -57,7 +57,7 @@ jobs:
           path: WSA-Linux-Kernel
 
       - name: Setup Ccache
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@v1
         with:
           key: WSA-Kernel-${{ inputs.version }}-${{ inputs.arch }}
           save: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
@@ -73,9 +73,11 @@ jobs:
           ln -sf $GITHUB_WORKSPACE/KernelSU/kernel $KERNEL_ROOT/drivers/kernelsu
           echo "[+] Add KernelSU driver to Makefile"
           DRIVER_MAKEFILE=$KERNEL_ROOT/drivers/Makefile
-          grep -q "kernelsu" $DRIVER_MAKEFILE || echo "obj-y += kernelsu/" >> $DRIVER_MAKEFILE
+          DRIVER_KCONFIG=$KERNEL_ROOT/drivers/Kconfig
+          grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
+          grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
           echo "[+] Apply KernelSU patches"
-          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.15/*.patch
+          cd $KERNEL_ROOT && git apply $GITHUB_WORKSPACE/KernelSU/.github/patches/5.15/*.patch || echo "[-] No patch found"
           echo "[+] KernelSU setup done."
           cd $GITHUB_WORKSPACE/KernelSU
           VERSION=$(($(git rev-list --count HEAD) + 10200))
@@ -101,35 +103,4 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: kernel-WSA-${{ inputs.arch }}-${{ inputs.version }}
-          path: "${{ env.file_path }}"
-
-      - name: Bot session cache
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.ref_type == 'tag'
-        id: bot_session_cache
-        uses: actions/cache@v3
-        with:
-          path: scripts/ksubot.session
-          key: ${{ runner.os }}-bot-session
-
-      - name: Post to Telegram
-        if: github.event_name == 'push' && github.ref == 'refs/heads/main' || github.ref_type == 'tag'
-        env:
-          CHAT_ID: ${{ secrets.CHAT_ID }}
-          BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
-          MESSAGE_THREAD_ID: ${{ secrets.MESSAGE_THREAD_ID }}
-          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-          COMMIT_URL: ${{ github.event.head_commit.url }}
-          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}    
-        run: |
-          TITLE=kernel-${{ inputs.arch }}-WSA-${{ inputs.version }}
-          echo "[+] title: $TITLE"
-          export TITLE
-          export VERSION="${{ env.kernelsu_version }}"
-          echo "[+] Compress images"
-          gzip -n -f -9 "${{ env.file_path }}"
-          echo "[+] Image to upload"
-          ls -l "${{ env.file_path }}.gz"
-          if [ -n "${{ secrets.BOT_TOKEN }}" ]; then
-            pip3 install telethon==1.31.1
-            python3 "$GITHUB_WORKSPACE/KernelSU/scripts/ksubot.py" "${{ env.file_path }}.gz"
-          fi
+          path: "${{ env.file_path }}"

docs/README.md

@@ -1,38 +1,36 @@
-
-**English** | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+**English** | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
 <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
 
-A Kernel-based root solution for Android devices.
+A kernel-based root solution for Android devices.
 
-[![latest release badge](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
 [![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
 [![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
-
 ## Features
 
 1. Kernel-based `su` and root access management.
 2. Module system based on [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 3. [App Profile](https://kernelsu.org/guide/app-profile.html): Lock up the root power in a cage.
 
-## Compatibility State
+## Compatibility state
 
-KernelSU officially supports Android GKI 2.0 devices (kernel 5.10+). Older kernels (4.14+) are also compatible, but the kernel will have to be built manually.
+KernelSU officially supports Android GKI 2.0 devices (kernel 5.10+). Older kernels (4.14+) are also supported, but the kernel will need to be built manually.
 
 With this, WSA, ChromeOS, and container-based Android are all supported.
 
-Currently, only `arm64-v8a` and `x86_64` are supported.
+Currently, only the `arm64-v8a` and `x86_64` architectures are supported.
 
 ## Usage
 
-- [Installation Instruction](https://kernelsu.org/guide/installation.html)
-- [How to build?](https://kernelsu.org/guide/how-to-build.html)
-- [Official Website](https://kernelsu.org/)
+- [Installation](https://kernelsu.org/guide/installation.html)
+- [How to build](https://kernelsu.org/guide/how-to-build.html)
+- [Official website](https://kernelsu.org/)
 
 ## Translation
 
@@ -43,16 +41,17 @@ To help translate KernelSU or improve existing translations, please use [Weblate
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
 ## Security
+
 For information on reporting security vulnerabilities in KernelSU, see [SECURITY.md](/SECURITY.md).
 
 ## License
 
-- Files under the `kernel` directory are [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- All other parts except the `kernel` directory are [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)
+- Files under the `kernel` directory are [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- All other parts except the `kernel` directory are [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Credits
 
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): the KernelSU idea.
-- [Magisk](https://github.com/topjohnwu/Magisk): the powerful root tool.
-- [genuine](https://github.com/brevent/genuine/): apk v2 signature validation.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): some rootkit skills.
+- [Kernel-Assisted Superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): The KernelSU idea.
+- [Magisk](https://github.com/topjohnwu/Magisk): The powerful root tool.
+- [genuine](https://github.com/brevent/genuine/): APK v2 signature validation.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): Some rootkit skills.

docs/README_CN.md

@@ -1,4 +1,4 @@
-[English](README.md) | [Español](README_ES.md) | **简体中文** | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | **简体中文** | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
@@ -6,18 +6,17 @@
 
 一个 Android 上基于内核的 root 方案。
 
-[![latest release badge](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
 [![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
 [![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
-
 ## 特性
 
 - 基于内核的 `su` 和权限管理。
 - 基于 [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) 的模块系统。
-- [App Profile](https://kernelsu.org/guide/app-profile.html): 把 Root 权限关进笼子里。
+- [App Profile](https://kernelsu.org/zh_CN/guide/app-profile.html): 把 Root 权限关进笼子里。
 
 ## 兼容状态
 
@@ -25,13 +24,13 @@ KernelSU 官方支持 GKI 2.0 的设备（内核版本5.10以上）；旧内核
 
 WSA, ChromeOS 和运行在容器上的 Android 也可以与 KernelSU 一起工作。
 
-目前支持架构 : `arm64-v8a` 和 `x86_64`
+目前支持架构 : `arm64-v8a` 和 `x86_64`。
 
 ## 使用方法
 
 - [安装教程](https://kernelsu.org/zh_CN/guide/installation.html)
 - [如何构建？](https://kernelsu.org/zh_CN/guide/how-to-build.html)
-- [官方网站](https://kernelsu.org/)
+- [官方网站](https://kernelsu.org/zh_CN/)
 
 ## 参与翻译
 
@@ -42,12 +41,13 @@ WSA, ChromeOS 和运行在容器上的 Android 也可以与 KernelSU 一起工
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
 ## 安全性
-有关报告 KernelSU 安全漏洞的信息，请参阅 [SECURITY.md](/SECURITY.md).
+
+有关报告 KernelSU 安全漏洞的信息，请参阅 [SECURITY.md](/SECURITY.md)。
 
 ## 许可证
 
-- 目录 `kernel` 下所有文件为 [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- 除 `kernel` 目录的其他部分均为 [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)
+- 目录 `kernel` 下所有文件为 [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
+- 除 `kernel` 目录的其他部分均为 [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
 
 ## 鸣谢
 

docs/README_ES.md

@@ -1,47 +1,56 @@
-[ 🇬🇧 English](README.md) | 🇪🇸 **Español** | [🇨🇳 简体中文](README_CN.md) | [🇹🇼 繁體中文](README_TW.md) | [ 🇯🇵 日本語](README_JP.md) | [🇵🇱 Polski](README_PL.md) | [🇧🇷 Portuguese-Brazil](README_PT-BR.md) | [🇹🇷 Türkçe](README_TR.md) | [🇷🇺Русский](README_RU.md) | [🇻🇳Tiếng Việt](README_VI.md) | [ɪᴅ indonesia](README_ID.md) | [עברית](README_iw.md) | [🇮🇳हिंदी](README_IN.md)
+[English](README.md) | **Español** | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
-<div style="display: flex; align-items: center;">
-    <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="">
-    <div style="margin-left: 20px;">
-        <span style="font-size: large; "><b>KernelSU</b></span>
-        <br>
-        <span style="font-size: medium; "><i>Una solución root basada en el kernel para dispositivos Android.</i></span>   
-    </div>
-</div>
+# KernelSU
 
-## 🚀 Características
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
 
-**1.** Binario `su` basado en el kernel y gestión de acceso root.<br/>
-**2.** Sistema de módulos basado en **OverlayFS**.
+Una solución root basada en el kernel para dispositivos Android.
 
-## ✅ Estado de compatibilidad
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localización-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Seguir-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/Licencia-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Características
+
+1. Binario `su` basado en el kernel y gestión de acceso root.
+2. Sistema de módulos basado en [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+
+## Estado de compatibilidad
 
 **KernelSU** soporta de forma oficial dispositivos Android con **GKI 2.0** (a partir de la versión **5.10** del kernel). Los kernels antiguos (a partir de la versión **4.14**) también son compatibles, pero necesitas compilarlos por tu cuenta.
 
-El **Subsistema de Windows para Android (WSA)** e implementaciones de Android basadas en contenedores, como **Waydroid**, también deberían funcionar con **KernelSU** integrado.
+Con esto, WSA, ChromeOS y Android basado en contenedores están todos compatibles.
 
-Actualmente se soportan las siguientes **ABIs**: `arm64-v8a`; `x86_64`.
+Actualmente, solo se admiten las arquitecturas `arm64-v8a` y `x86_64`.
 
-## 📖 Uso
+## Uso
 
-[¿Cómo instalarlo?](https://kernelsu.org/guide/installation.html)
+- [¿Cómo instalarlo?](https://kernelsu.org/guide/installation.html)
+- [¿Cómo compilarlo?](https://kernelsu.org/guide/how-to-build.html)
+- [Site oficial](https://kernelsu.org/)
 
-## 🔨 Compilación
+## Traducción
 
-[¿Cómo compilarlo?](https://kernelsu.org/guide/how-to-build.html)
+Para ayudar a traducir KernelSU o mejorar las traducciones existentes, utilice [Weblate](https://hosted.weblate.org/engage/kernelsu/). Ya no se aceptan PR de la traducción de Manager porque entrará en conflicto con Weblate.
 
-## 💬 Discusión
+## Discusión
 
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
-## ⚖️ Licencia
+## Seguridad
 
-- Los archivos bajo el directorio `kernel` están licenciados bajo [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
-- Todas las demás partes, a excepción del directorio `kernel`, están licenciados bajo [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html).
+Para obtener información sobre cómo informar vulnerabilidades de seguridad en KernelSU, consulte [SECURITY.md](/SECURITY.md).
 
-## 👥 Créditos
+##  Licencia
 
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): la idea de **KernelSU**.
-- [genuine](https://github.com/brevent/genuine/): la validación del **esquema de firmas APK v2**.
+- Los archivos bajo el directorio `kernel` están licenciados bajo [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas las demás partes, a excepción del directorio `kernel`, están licenciados bajo [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Créditos
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): la idea de KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): la poderosa herramienta root.
+- [genuine](https://github.com/brevent/genuine/): validación de firma apk v2.
 - [Diamorphine](https://github.com/m0nad/Diamorphine): algunas habilidades de rootkit.
-- [Magisk](https://github.com/topjohnwu/Magisk): la implementación de la **política de SELinux (SEPolicy)**.

docs/README_ID.md

@@ -1,13 +1,21 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portugis-Brasil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | **Indonesia** | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | **Indonesia** | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
 Solusi root berbasis Kernel untuk perangkat Android.
 
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
 ## Fitur
 
 1. Manajemen akses root dan `su` berbasis kernel.
-2. Sistem modul berdasarkan overlayfs.
+2. Sistem modul berdasarkan [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 3. [Profil Aplikasi](https://kernelsu.org/guide/app-profile.html): Kunci daya root di dalam sangkar.
 
 ## Status Kompatibilitas
@@ -20,9 +28,9 @@ Dan ABI yang didukung saat ini adalah: `arm64-v8a` dan `x86_64`
 
 ## Penggunaan
 
-- [Petunjuk Instalasi](https://kernelsu.org/guide/installation.html)
-- [Bagaimana cara membuat?](https://kernelsu.org/guide/how-to-build.html)
-- [Situs Web Resmi](https://kernelsu.org/)
+- [Petunjuk Instalasi](https://kernelsu.org/id_ID/guide/installation.html)
+- [Bagaimana cara membuat?](https://kernelsu.org/id_ID/guide/how-to-build.html)
+- [Situs Web Resmi](https://kernelsu.org/id_ID/)
 
 ## Terjemahan
 
@@ -34,8 +42,8 @@ Untuk menerjemahkan KernelSU ke dalam bahasa Anda atau menyempurnakan terjemahan
 
 ## Lisensi
 
-- File di bawah direktori `kernel` adalah [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- Semua bagian lain kecuali direktori `kernel` adalah [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- File di bawah direktori `kernel` adalah [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Semua bagian lain kecuali direktori `kernel` adalah [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Kredit
 

docs/README_IN.md

@@ -1,19 +1,21 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) |  **हिंदी** | [Italiano](README_IT.md)
 
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) |  **हिंदी**
+# KernelSU
 
-<div style="display: flex; align-items: center;">
-    <img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="">
-    <div style="margin-left: 20px;">
-        <span style="font-size: large; "><b>KernelSU</b></span>
-        <br>
-        <span style="font-size: medium; "><i>Android उपकरणों के लिए कर्नेल-आधारित रूट समाधान।</i></span>   
-    </div>
-</div>
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Android उपकरणों के लिए कर्नेल-आधारित रूट समाधान।
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
 ## विशेषताएँ
 
 1. कर्नेल-आधारित `su` और रूट एक्सेस प्रबंधन।
-2. Overlayfs पर आधारित मॉड्यूल प्रणाली।
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) पर आधारित मॉड्यूल प्रणाली।
 3. [App Profile](https://kernelsu.org/guide/app-profile.html): Root शक्ति को पिंजरे में बंद कर दो।
 
 ## अनुकूलता अवस्था
@@ -40,8 +42,8 @@ KernelSU का अनुवाद करने या मौजूदा अन
 
 ## लाइसेंस
 
-- `Kernel` निर्देशिका के अंतर्गत फ़ाइलें हैं [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- `Kernel` निर्देशिका को छोड़कर अन्य सभी भाग हैं [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- `Kernel` निर्देशिका के अंतर्गत फ़ाइलें हैं [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+- `Kernel` निर्देशिका को छोड़कर अन्य सभी भाग हैं [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)
 
 ## आभार सूची
 

docs/README_IT.md

@@ -0,0 +1,58 @@
+[English](REAME.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | **Italiano**
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+Una soluzione per il root basata sul kernel per i dispositivi Android. 
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Canale Telegraml](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![Licenza componenti kernel: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![Licenza elementi non kern](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## Funzionalità
+
+1. `su` e accesso root basato sul kernel.
+2. Sistema di moduli per la modifica del sistema basato su [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [App profile](https://kernelsu.org/guide/app-profile.html): Limita i poteri dell'accesso root a permessi specifici.
+
+## Compatibilità
+
+KernelSU supporta ufficialmente i dispositivi Android GKI 2.0 (kernel 5.10 o superiore). I kernel precedenti (kernel 4.14+) sono anche compatibili, ma il kernel deve essere compilato manualmente.
+
+Questo implica che WSA, ChromeOS e tutti le varianti di Android basate su container e virtualizzazione sono supportate.
+
+Allo stato attuale solo le architetture a 64-bit ARM (arm64-v8a) e x86 (x86_64) sono supportate.
+
+## Utilizzo
+
+- [Istruzioni per l'installazione](https://kernelsu.org/guide/installation.html)
+- [Come compilare manualmente?](https://kernelsu.org/guide/how-to-build.html)
+- [Sito web ufficiale](https://kernelsu.org/)
+
+## Traduzioni
+
+Per aiutare a tradurre KernelSU o migliorare le traduzioni esistenti, si è pregati di utilizzare 
+To help translate KernelSU or improve existing translations, please use [Weblate](https://hosted.weblate.org/engage/kernelsu/). Le richieste di pull delle traduzioni del manager non saranno più accettate perché sarebbero in conflitto con Weblate.
+
+## Discussione
+
+- Telegram: [@KernelSU](https://t.me/KernelSU)
+
+## Securezza
+
+Per informazioni riguardo la segnalazione di vulnerabilità di sicurezza per KernelSU, leggi [SECURITY.md](/SECURITY.md).
+
+## Licenza
+
+- I file nella cartella `kernel` sono forniti secondo la licenza [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Tutte le altre parti, ad eccezione della certella `kernel`, seguono la licenza [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
+
+## Riconoscimenti e attribuzioni
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): l'idea alla base di KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): la potente utilità per il root.
+- [genuine](https://github.com/brevent/genuine/): verifica della firma apk v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): alcune capacità di rootkit.

docs/README_IW.md

@@ -1,13 +1,21 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | **עברית** | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | **עברית** | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
 פתרון לניהול root מבוסס על Kernel עבור מכשירי Android.
 
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
 ## תכונות
 
 1. ניהול root ו־`su` מבוססים על Kernel.
-2. מערכת מודולים מבוססת overlayfs.
+2. מערכת מודולים מבוססת [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 3. [פרופיל אפליקציה](https://kernelsu.org/guide/app-profile.html): נעילת גישת root בכלוב.
 
 ## מצב תאימות
@@ -34,12 +42,12 @@ KernelSU תומך במכשירי Android GKI 2.0 (kernel 5.10+) באופן רש
 
 ## רשיון
 
-- קבצים תחת הספרייה `kernel` מוגנים על פי [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- כל החלקים האחרים, למעט הספרייה `kernel`, מוגנים על פי [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- קבצים תחת הספרייה `kernel` מוגנים על פי [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- כל החלקים האחרים, למעט הספרייה `kernel`, מוגנים על פי [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## קרדיטים
 
 - [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): הרעיון של KernelSU.
 - [Magisk](https://github.com/topjohnwu/Magisk): הכלי הסופר חזק לניהול root.
 - [genuine](https://github.com/brevent/genuine/): אימות חתימת apk v2.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): כמה יכולות רוט.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): כמה יכולות רוט.

docs/README_JP.md

@@ -1,4 +1,4 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | **日本語** | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | **日本語** | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
@@ -6,19 +6,18 @@
 
 Android におけるカーネルベースの root ソリューションです。
 
-[![latest release badge](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![weblate](https://img.shields.io/badge/Localização-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
-[![Channel](https://img.shields.io/badge/Siga-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
-[![License: GPL v2](https://img.shields.io/badge/Licença-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
 [![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
 ## 特徴
 
-1. カーネルベースの `su` と権限管理
-2. OverlayFS に基づくモジュールシステム
+1. カーネルベースの `su` と権限管理。
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) に基づくモジュールシステム。
 3. [アプリのプロファイル](https://kernelsu.org/guide/app-profile.html): root の権限をケージ内に閉じ込めます。
 
-
 ## 対応状況
 
 KernelSU は GKI 2.0 デバイス（カーネルバージョン 5.10 以上）を公式にサポートしています。古いカーネル（4.14以上）とも互換性がありますが、自分でカーネルをビルドする必要があります。
@@ -31,7 +30,7 @@ WSA 、ChromeOS とコンテナ上で動作する Android でも KernelSU を統
 
 - [インストール方法はこちら](https://kernelsu.org/ja_JP/guide/installation.html)
 - [ビルド方法はこちら](https://kernelsu.org/guide/how-to-build.html)
-- [公式サイト](https://kernelsu.org)
+- [公式サイト](https://kernelsu.org/ja_JP/)
 
 ## 翻訳
 
@@ -43,13 +42,12 @@ KernelSU をあなたの言語に翻訳するか、既存の翻訳を改善す
 
 ## ライセンス
 
-- `kernel` ディレクトリの下にあるすべてのファイル： [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- `kernel` ディレクトリ以外のすべてのファイル： [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- `kernel` ディレクトリの下にあるすべてのファイル： [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)。
+- `kernel` ディレクトリ以外のすべてのファイル： [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html)。
 
 ## クレジット
 
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU のアイデア元
-- [Magisk](https://github.com/topjohnwu/Magisk)：強力な root ツール
-- [genuine](https://github.com/brevent/genuine/)：apk v2 の署名検証
-- [Diamorphine](https://github.com/m0nad/Diamorphine): rootkit のスキル
-
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU のアイデア元。
+- [Magisk](https://github.com/topjohnwu/Magisk)：強力な root ツール。
+- [genuine](https://github.com/brevent/genuine/)：apk v2 の署名検証。
+- [Diamorphine](https://github.com/m0nad/Diamorphine): rootkit のスキル。

docs/README_KR.md

@@ -0,0 +1,57 @@
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | **한국어** | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
+
+# KernelSU
+
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
+안드로이드 기기에서 사용되는 커널 기반 루팅 솔루션입니다.
+
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
+## 기능들
+
+1. 커널 기반 `su` 및 루트 액세스 관리.
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS) 기반 모듈 시스템.
+3. [App Profile](https://kernelsu.org/guide/app-profile.html): 루트 권한을 케이지에 가둡니다.
+
+## 호환 상태
+
+KernelSU는 공식적으로 안드로이드 GKI 2.0 디바이스(커널 5.10 이상)를 지원합니다. 오래된 커널(4.14 이상)도 사용할 수 있지만, 커널을 수동으로 빌드해야 합니다.
+
+KernelSU는 WSA, ChromeOS, 컨테이너 기반 안드로이드 모두를 지원합니다.
+
+현재는 `arm64-v8a`와 `x86_64`만 지원됩니다.
+
+## 사용 방법
+
+- [설치 방법](https://kernelsu.org/guide/installation.html)
+- [어떻게 빌드하나요?](https://kernelsu.org/guide/how-to-build.html)
+- [공식 웹사이트](https://kernelsu.org/)
+
+## 번역
+
+KernelSU 번역을 돕거나 기존 번역을 개선하려면 [Weblate](https://hosted.weblate.org/engage/kernelsu/)를 이용해 주세요. 매니저의 번역은 Weblate와 충돌할 수 있으므로 더 이상 허용되지 않습니다.
+
+## 토론
+
+- 텔레그램: [@KernelSU](https://t.me/KernelSU)
+
+## 보안
+
+KernelSU의 보안 취약점 보고에 대한 자세한 내용은 [SECURITY.md](/SECURITY.md)를 참조하세요.
+
+## 저작권
+
+- `kernel` 디렉터리 아래의 파일은 [GPL-2.0 전용](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)입니다.
+- `kernel` 디렉토리를 제외한 다른 모든 부분은 [GPL-3.0-이상](https://www.gnu.org/licenses/gpl-3.0.html)입니다.
+
+## 크래딧
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): KernelSU의 아이디어.
+- [Magisk](https://github.com/topjohnwu/Magisk): 강력한 루팅 도구.
+- [genuine](https://github.com/brevent/genuine/): apk v2 서명 유효성 검사.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): 일부 rootkit 스킬.

docs/README_PL.md

@@ -1,13 +1,21 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | **Polski** | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | **Polski** | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
 Rozwiązanie root oparte na jądrze dla urządzeń z systemem Android.
 
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
 ## Cechy
 
 1. Oparte na jądrze `su` i zarządzanie dostępem roota.
-2. System modułów oparty na overlayfs.
+2. System modułów oparty na [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 
 ## Kompatybilność
 
@@ -19,24 +27,29 @@ Aktualnie obsługiwane ABI to : `arm64-v8a` i `x86_64`.
 
 ## Użycie
 
-[Instalacja](https://kernelsu.org/guide/installation.html)
+- [Instalacja](https://kernelsu.org/guide/installation.html)
+- [Jak skompilować?](https://kernelsu.org/guide/how-to-build.html)
 
-## Kompilacja
+## Tłumaczenie
 
-[Jak skompilować?](https://kernelsu.org/guide/how-to-build.html)
+Aby pomóc w tłumaczeniu KernelSU lub ulepszyć istniejące tłumaczenia, użyj [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR tłumaczenia Managera nie jest już akceptowany, ponieważ będzie kolidował z Weblate.
 
 ## Dyskusja
 
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
+## Bezpieczeństwo
+
+Informacje na temat zgłaszania luk w zabezpieczeniach w KernelSU można znaleźć w pliku [SECURITY.md](/SECURITY.md).
+
 ## Licencja
 
-- Pliki w katalogu `kernel` są na licencji [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- Wszystkie inne części poza katalogiem `kernel` są na licencji [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- Pliki w katalogu `kernel` są na licencji [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Wszystkie inne części poza katalogiem `kernel` są na licencji [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Podziękowania
 
 - [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): pomysłodawca KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): implementacja sepolicy.
 - [genuine](https://github.com/brevent/genuine/): walidacja podpisu apk v2.
 - [Diamorphine](https://github.com/m0nad/Diamorphine): cenna znajomość rootkitów.
-- [Magisk](https://github.com/topjohnwu/Magisk): implementacja sepolicy.

docs/README_PT-BR.md

@@ -1,4 +1,4 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | **Português (Brasil)** | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | **Português (Brasil)** | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
@@ -6,49 +6,52 @@
 
 Uma solução root baseada em kernel para dispositivos Android.
 
-[![latest release badge](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![weblate](https://img.shields.io/badge/Localização-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
-[![Channel](https://img.shields.io/badge/Siga-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localização-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Seguir-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
 [![License: GPL v2](https://img.shields.io/badge/Licença-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
 [![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
 ## Características
 
 1. `su` e gerenciamento de acesso root baseado em kernel.
-
-2. Sistema modular baseado em overlayfs.
-
+2. Sistema de módulos baseado em [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 3. [Perfil do Aplicativo](https://kernelsu.org/pt_BR/guide/app-profile.html): Tranque o poder root em uma gaiola.
 
-## Estado de Compatibilidade
+## Estado de compatibilidade
 
-O KernelSU oferece suporte oficial a dispositivos Android GKI 2.0 (kernel 5.10+). Kernels mais antigos (4.14+) também são compatíveis, mas o kernel terá que ser construído manualmente.
+O KernelSU oferece suporte oficial a dispositivos Android GKI 2.0 (kernel 5.10+). Kernels mais antigos (4.14+) também são compatíveis, mas será necessário construir o kernel manualmente.
 
 Com isso, WSA, ChromeOS e Android baseado em contêiner são todos suportados.
 
-Atualmente, apenas `arm64-v8a` e `x86_64` são suportados.
+Atualmente, apenas as arquiteturas `arm64-v8a` e `x86_64` são compatíveis.
 
 ## Uso
+
  - [Instalação](https://kernelsu.org/pt_BR/guide/installation.html)
- - [Como construir o KernelSU?](https://kernelsu.org/pt_BR/guide/how-to-build.html)
+ - [Como compilar](https://kernelsu.org/pt_BR/guide/how-to-build.html)
  - [Site oficial](https://kernelsu.org/pt_BR/)
 
 ## Tradução
-Para contribuir com a tradução do KernelSU ou aprimorar traduções existentes, por favor, utilize o [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR para a tradução do Gerenciador não são mais aceitos, pois podem entrar em conflito com o Weblate.
+
+Para contribuir com a tradução do KernelSU ou aprimorar traduções existentes, por favor, use o [Weblate](https://hosted.weblate.org/engage/kernelsu/). PR para a tradução do Manager não são mais aceitas, pois podem entrar em conflito com o Weblate.
 
 ## Discussão
 
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
+## Segurança
+
+Para obter informações sobre como relatar vulnerabilidades de segurança do KernelSU, consulte [SECURITY.md](/SECURITY.md).
+
 ## Licença
 
-- Os arquivos no diretório `kernel` são [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-
-- Todas as outras partes, exceto o diretório `kernel` são [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- Os arquivos no diretório `kernel` são [GPL-2.0-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Todas as outras partes, exceto o diretório `kernel` são [GPL-3.0-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Créditos
 
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): a ideia do KernelSU.
-- [Magisk](https://github.com/topjohnwu/Magisk): a poderosa ferramenta root.
-- [genuine](https://github.com/brevent/genuine/): validação de assinatura apk v2.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): algumas habilidades de rootkit.
+- [Kernel-Assisted Superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): A ideia do KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): A poderosa ferramenta root.
+- [genuine](https://github.com/brevent/genuine/): Validação de assinatura APK v2.
+- [Diamorphine](https://github.com/m0nad/Diamorphine): Algumas habilidades de rootkit.

docs/README_RU.md

@@ -1,13 +1,22 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | **Русский** | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | **Русский** | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
 Решение на основе ядра root для Android-устройств.
 
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
 ## Особенности
 
 1. Управление `su` и root-доступом на основе ядра.
-2. Система модулей на основе overlayfs.
+2. Система модулей на основе [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
+3. [Профиль приложений](https://kernelsu.org/ru_RU/guide/app-profile.html): Запри корневую силу в клетке.
 
 ## Совместимость
 
@@ -19,11 +28,9 @@ WSA и Android на основе контейнеров также должны
 
 ## Использование
 
-[Установка](https://kernelsu.org/ru_RU/guide/installation.html)
-
-## Сборка
-
-[Как собрать?](https://kernelsu.org/ru_RU/guide/how-to-build.html)
+- [Установка](https://kernelsu.org/ru_RU/guide/installation.html)
+- [Как собрать?](https://kernelsu.org/ru_RU/guide/how-to-build.html)
+- [официальный сайт](https://kernelsu.org/ru_RU/)
 
 ## Обсуждение
 
@@ -31,12 +38,12 @@ WSA и Android на основе контейнеров также должны
 
 ## Лицензия
 
-- Файлы в директории `kernel` - [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- Все остальные части, кроме директории `kernel` - [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- Файлы в директории `kernel` [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Все остальные части, кроме директории `kernel` [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Благодарности
 
 - [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): идея KernelSU.
+- [Magisk](https://github.com/topjohnwu/Magisk): реализация sepolicy.
 - [genuine](https://github.com/brevent/genuine/): проверка подписи apk v2.
 - [Diamorphine](https://github.com/m0nad/Diamorphine): некоторые навыки руткита.
-- [Magisk](https://github.com/topjohnwu/Magisk): реализация sepolicy.

docs/README_TR.md

@@ -1,4 +1,4 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | **Türkçe** | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | **Türkçe** | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
@@ -6,17 +6,16 @@
 
 Android cihazlar için kernel tabanlı root çözümü.
 
-[![latest release badge](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
-[![weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
 [![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
 [![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
 [![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
-
 ## Özellikler
 
 1. Kernel-tabanlı `su` ve root erişimi yönetimi.
-2. Overlayfs'ye dayalı modül sistemi.
+2. [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS)'ye dayalı modül sistemi.
 3. [Uygulama profili](https://kernelsu.org/guide/app-profile.html): Root gücünü bir kafese kapatın.
 
 ## Uyumluluk Durumu
@@ -35,19 +34,20 @@ Bununla birlikte; WSA, ChromeOS ve konteyner tabanlı Android'in tamamı destekl
 
 ## Çeviri
 
-KernelSU'nun çevirisine veya mevcut çevirilerin iyileştirilmesine yardımcı olmak için lütfen [Weblate](https://hosted.weblate.org/engage/kernelsu/) kullanın. Yönetici uygulamasının PR ile çevirisi, Weblate ile çakışacağından artık kabul edilmeyecektir.
+KernelSU'nun başka dillere çevrilmesine veya mevcut çevirilerin iyileştirilmesine yardımcı olmak için lütfen [Weblate](https://hosted.weblate.org/engage/kernelsu/) kullanın. Yönetici uygulamasının PR ile çevirisi, Weblate ile çakışacağından artık kabul edilmeyecektir.
 
 ## Tartışma
 
 - Telegram: [@KernelSU](https://t.me/KernelSU)
 
 ## Güvenlik
-KernelSU'daki güvenlik açıklarını bildirme hakkında bilgi için, bkz. [SECURITY.md](/SECURITY.md).
+
+KernelSU'daki güvenlik açıklarını bildirme hakkında bilgi için, bkz [SECURITY.md](/SECURITY.md).
 
 ## Lisans
 
-- `kernel` klasöründeki dosyalar [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
-- `kernel` klasörü dışındaki bütün diğer bölümler [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html) lisansı altındadır.
+- `kernel` klasöründeki dosyalar [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html) lisansı altındadır.
+- `kernel` klasörü dışındaki bütün diğer bölümler [GPL-3-veya-sonraki](https://www.gnu.org/licenses/gpl-3.0.html) lisansı altındadır.
 
 ## Krediler
 

docs/README_TW.md

@@ -1,42 +1,57 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | **繁體中文** | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | **繁體中文** | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | [Tiếng Việt](README_VI.md) | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
-一個基於核心的 Android 裝置 Root 解決方案
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="標誌">
 
-## 功能
+一套基於 Android 裝置核心的 Root 解決方案。
 
-- 基於核心的 Su 和 Root 存取權管理。
-- 基於 Overlayfs 的模組系統。
+[![最新版本](https://img.shields.io/github/v/release/tiann/KernelSU?label=%e7%99%bc%e8%a1%8c%e7%89%88%e6%9c%ac&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/%e6%9c%ac%e5%9c%9f%e5%8c%96%e7%bf%bb%e8%ad%af-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![頻道](https://img.shields.io/badge/%e8%bf%bd%e8%b9%a4-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![授權條款：《GPL v2》](https://img.shields.io/badge/%e6%8e%88%e6%ac%8a%e6%a2%9d%e6%ac%be-%E3%80%8AGPL%20v2%E3%80%8B-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub 授權條款](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
 
-## 相容性狀態
+## 特色功能
 
-KernelSU 官方支援 Android GKI 2.0 的裝置 (核心版本 5.10+)；舊版核心同樣相容 (最低 4.14+)，但需要自行編譯核心。
+1. 以核心內 `su` 管理 Root 存取。
+2. 以 [OverlayFS](https://zh.wikipedia.org/zh-tw/OverlayFS) 運作模組系統。
+3. [App Profile](https://kernelsu.org/zh_TW/guide/app-profile.html)：使 Root 掌握的生殺大權受制於此。
 
-WSA 和執行在容器中的 Android 也可以與 KernelSU 一同運作。
+## 相容事態
 
-目前支援架構：`arm64-v8a` 和 `x86_64`
+理論上採以 Android GKI 2.0 的裝置（核心版本 5.10+），皆受 KernelSU 支援；採以老舊核心版本（4.14+）的裝置在手動建置核心後，亦受支援。
 
-## 使用方法
+另可在 WSA、ChromeOS 一類的容器式 Android 中運作。
 
-[安裝教學](https://kernelsu.org/zh_TW/guide/installation.html)
+目前僅適用 `arm64-v8a` 以及 `x86_64` 架構。
 
-## 建置
+## 使用手冊
 
-[如何建置？](https://kernelsu.org/zh_TW/guide/how-to-build.html)
+- [安裝教學](https://kernelsu.org/zh_TW/guide/installation.html)
+- [如何建置 KernelSU？](https://kernelsu.org/zh_TW/guide/how-to-build.html)
+- [官方網站](https://kernelsu.org/zh_TW/)
 
-### 討論
+## 多語翻譯
+
+欲要協助 KernelSU 邁向多語化，抑或改進翻譯品質，請前往 [Weblate](https://hosted.weblate.org/engage/kernelsu/) 進行翻譯。為避免與 Weblate 上的翻譯發生衝突，現已不再受理翻譯相關的管理工具 PR。
+
+## 綜合討論
 
 - Telegram：[@KernelSU](https://t.me/KernelSU)
 
-## 授權
+## 安全政策
 
-- 目錄 `kernel` 下所有檔案為 [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- 除 `kernel` 目錄的其他部分均為 [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+欲要得知、回報 KernelSU 的安全性漏洞，請參閱 [SECURITY.md](/SECURITY.md)。
 
-## 致謝
+## 授權條款
 
-- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的靈感。
-- [genuine](https://github.com/brevent/genuine/)：apk v2 簽章驗證。
-- [Diamorphine](https://github.com/m0nad/Diamorphine)：一些 rootkit 技巧。
-- [Magisk](https://github.com/topjohnwu/Magisk)：sepolicy 實作。
+- 位於 `kernel` 資料夾的檔案以[《GPL-2.0-only》](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)規範。
+- 非位於 `kernel` 資料夾的其他檔案以[《GPL-3.0-or-later》](https://www.gnu.org/licenses/gpl-3.0.html)規範。
+
+## 致謝名單
+
+- [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/)：KernelSU 的靈感來源。
+- [Magisk](https://github.com/topjohnwu/Magisk)：強而有力的 Root 工具。
+- [genuine](https://github.com/brevent/genuine/)：用於確效 Apk v2 簽章。
+- [Diamorphine](https://github.com/m0nad/Diamorphine): 用於增進 Rootkit 技巧。

docs/README_VI.md

@@ -1,13 +1,21 @@
-[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [Polski](README_PL.md) | [Portuguese-Brazil](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | **Tiếng Việt** | [Indonesia](README_ID.md) | [עברית](README_iw.md) | [हिंदी](README_IN.md)
+[English](README.md) | [Español](README_ES.md) | [简体中文](README_CN.md) | [繁體中文](README_TW.md) | [日本語](README_JP.md) | [한국어](README_KR.md) | [Polski](README_PL.md) | [Português (Brasil)](README_PT-BR.md) | [Türkçe](README_TR.md) | [Русский](README_RU.md) | **Tiếng Việt** | [Indonesia](README_ID.md) | [עברית](README_IW.md) | [हिंदी](README_IN.md) | [Italiano](README_IT.md)
 
 # KernelSU
 
+<img src="https://kernelsu.org/logo.png" style="width: 96px;" alt="logo">
+
 Giải pháp root thông qua thay đổi trên Kernel hệ điều hành cho các thiết bị Android.
 
+[![Latest release](https://img.shields.io/github/v/release/tiann/KernelSU?label=Release&logo=github)](https://github.com/tiann/KernelSU/releases/latest)
+[![Weblate](https://img.shields.io/badge/Localization-Weblate-teal?logo=weblate)](https://hosted.weblate.org/engage/kernelsu)
+[![Channel](https://img.shields.io/badge/Follow-Telegram-blue.svg?logo=telegram)](https://t.me/KernelSU)
+[![License: GPL v2](https://img.shields.io/badge/License-GPL%20v2-orange.svg?logo=gnu)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
+[![GitHub License](https://img.shields.io/github/license/tiann/KernelSU?logo=gnu)](/LICENSE)
+
 ## Tính năng
 
 1. Hỗ trợ gói thực thi `su` và quản lý quyền root.
-2. Hệ thống mô-đun thông qua overlayfs.
+2. Hệ thống mô-đun thông qua [OverlayFS](https://en.wikipedia.org/wiki/OverlayFS).
 3. [App Profile](https://kernelsu.org/guide/app-profile.html): Hạn chế quyền root của ứng dụng.
 
 ## Tình trạng tương thích
@@ -16,7 +24,7 @@ KernelSU chính thức hỗ trợ các thiết bị Android với kernel GKI 2.0
 
 WSA, ChromeOS và Android dựa trên container(container-based) cũng được hỗ trợ bởi KernelSU.
 
-Hiên tại Giao diện nhị phân của ứng dụng (ABI) được hỗ trợ bao gồm `arm64-v8a` và `x86_64`
+Hiên tại Giao diện nhị phân của ứng dụng (ABI) được hỗ trợ bao gồm `arm64-v8a` và `x86_64`.
 
 ## Sử dụng
 
@@ -34,12 +42,12 @@ Nếu bạn muốn hỗ trợ dịch KernelSU sang một ngôn ngữ khác hoặ
 
 ## Giấy phép
 
-- Tất cả các file trong thư mục `kernel` dùng giấy phép [GPL-2](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-- Tất cả các thành phần khác ngoại trừ thư mục `kernel` dùng giấy phép [GPL-3](https://www.gnu.org/licenses/gpl-3.0.html)
+- Tất cả các file trong thư mục `kernel` dùng giấy phép [GPL-2-only](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html).
+- Tất cả các thành phần khác ngoại trừ thư mục `kernel` dùng giấy phép [GPL-3-or-later](https://www.gnu.org/licenses/gpl-3.0.html).
 
 ## Lời cảm ơn
 
 - [kernel-assisted-superuser](https://git.zx2c4.com/kernel-assisted-superuser/about/): ý tưởng cho KernelSU.
 - [Magisk](https://github.com/topjohnwu/Magisk): công cụ root mạnh mẽ.
 - [genuine](https://github.com/brevent/genuine/): phương pháp xác thực apk v2.
-- [Diamorphine](https://github.com/m0nad/Diamorphine): các phương pháp ẩn của rootkit .
+- [Diamorphine](https://github.com/m0nad/Diamorphine): các phương pháp ẩn của rootkit.

js/README.md

@@ -0,0 +1,121 @@
+# Library for KernelSU's module WebUI
+
+## Install
+
+```sh
+yarn add kernelsu
+```
+
+## API
+
+### exec
+
+Spawns a **root** shell and runs a command within that shell, returning a Promise that resolves with the `stdout` and `stderr` outputs upon completion.
+
+- `command` `<string>` The command to run, with space-separated arguments.
+- `options` `<Object>`
+  - `cwd` - Current working directory of the child process.
+  - `env` - Environment key-value pairs.
+
+```javascript
+import { exec } from 'kernelsu';
+
+const { errno, stdout, stderr } = await exec('ls -l', { cwd: '/tmp' });
+if (errno === 0) {
+    // success
+    console.log(stdout);
+}
+```
+
+### spawn
+
+Spawns a new process using the given `command` in **root** shell, with command-line arguments in `args`. If omitted, `args` defaults to an empty array.
+
+Returns a `ChildProcess` instance. Instances of `ChildProcess` represent spawned child processes.
+
+- `command` `<string>` The command to run.
+- `args` `<string[]>` List of string arguments.
+- `options` `<Object>`:
+  - `cwd` `<string>` - Current working directory of the child process.
+  - `env` `<Object>` - Environment key-value pairs.
+
+Example of running `ls -lh /data`, capturing `stdout`, `stderr`, and the exit code:
+
+```javascript
+import { spawn } from 'kernelsu';
+
+const ls = spawn('ls', ['-lh', '/data']);
+
+ls.stdout.on('data', (data) => {
+  console.log(`stdout: ${data}`);
+});
+
+ls.stderr.on('data', (data) => {
+  console.log(`stderr: ${data}`);
+});
+
+ls.on('exit', (code) => {
+  console.log(`child process exited with code ${code}`);
+});
+```
+
+#### ChildProcess
+
+##### Event 'exit'
+
+- `code` `<number>` The exit code if the child process exited on its own.
+
+The `'exit'` event is emitted when the child process ends. If the process exits, `code` contains the final exit code; otherwise, it is null.
+
+##### Event 'error'
+
+- `err` `<Error>` The error.
+
+The `'error'` event is emitted whenever:
+
+- The process could not be spawned.
+- The process could not be killed.
+
+##### `stdout`
+
+A `Readable Stream` that represents the child process's `stdout`.
+
+```javascript
+const subprocess = spawn('ls');
+
+subprocess.stdout.on('data', (data) => {
+  console.log(`Received chunk ${data}`);
+});
+```
+
+#### `stderr`
+
+A `Readable Stream` that represents the child process's `stderr`.
+
+### fullScreen
+
+Request the WebView enter/exit full screen.
+
+```javascript
+import { fullScreen } from 'kernelsu';
+fullScreen(true);
+```
+
+### toast
+
+Show a toast message.
+
+```javascript
+import { toast } from 'kernelsu';
+toast('Hello, world!');
+```
+
+### moduleInfo
+
+Get module info.
+
+```javascript
+import { moduleInfo } from 'kernelsu';
+// print moduleId in console
+console.log(moduleInfo());
+```

js/index.d.ts

@@ -0,0 +1,48 @@
+interface ExecOptions {
+    cwd?: string,
+    env?: { [key: string]: string }
+}
+
+interface ExecResults {
+    errno: number,
+    stdout: string,
+    stderr: string
+}
+
+declare function exec(command: string): Promise<ExecResults>;
+declare function exec(command: string, options: ExecOptions): Promise<ExecResults>;
+
+interface SpawnOptions {
+    cwd?: string,
+    env?: { [key: string]: string }
+}
+
+interface Stdio {
+    on(event: 'data', callback: (data: string) => void)
+}
+
+interface ChildProcess {
+    stdout: Stdio,
+    stderr: Stdio,
+    on(event: 'exit', callback: (code: number) => void)
+    on(event: 'error', callback: (err: any) => void)
+}
+
+declare function spawn(command: string): ChildProcess;
+declare function spawn(command: string, args: string[]): ChildProcess;
+declare function spawn(command: string, options: SpawnOptions): ChildProcess;
+declare function spawn(command: string, args: string[], options: SpawnOptions): ChildProcess;
+
+declare function fullScreen(isFullScreen: boolean);
+
+declare function toast(message: string);
+
+declare function moduleInfo(): string;
+
+export {
+    exec,
+    spawn,
+    fullScreen,
+    toast,
+    moduleInfo
+}

js/index.js

@@ -0,0 +1,119 @@
+let callbackCounter = 0;
+function getUniqueCallbackName(prefix) {
+  return `${prefix}_callback_${Date.now()}_${callbackCounter++}`;
+}
+
+export function exec(command, options) {
+  if (typeof options === "undefined") {
+    options = {};
+  }
+
+  return new Promise((resolve, reject) => {
+    // Generate a unique callback function name
+    const callbackFuncName = getUniqueCallbackName("exec");
+
+    // Define the success callback function
+    window[callbackFuncName] = (errno, stdout, stderr) => {
+      resolve({ errno, stdout, stderr });
+      cleanup(callbackFuncName);
+    };
+
+    function cleanup(successName) {
+      delete window[successName];
+    }
+
+    try {
+      ksu.exec(command, JSON.stringify(options), callbackFuncName);
+    } catch (error) {
+      reject(error);
+      cleanup(callbackFuncName);
+    }
+  });
+}
+
+function Stdio() {
+    this.listeners = {};
+  }
+  
+  Stdio.prototype.on = function (event, listener) {
+    if (!this.listeners[event]) {
+      this.listeners[event] = [];
+    }
+    this.listeners[event].push(listener);
+  };
+  
+  Stdio.prototype.emit = function (event, ...args) {
+    if (this.listeners[event]) {
+      this.listeners[event].forEach((listener) => listener(...args));
+    }
+  };
+  
+  function ChildProcess() {
+    this.listeners = {};
+    this.stdin = new Stdio();
+    this.stdout = new Stdio();
+    this.stderr = new Stdio();
+  }
+  
+  ChildProcess.prototype.on = function (event, listener) {
+    if (!this.listeners[event]) {
+      this.listeners[event] = [];
+    }
+    this.listeners[event].push(listener);
+  };
+  
+  ChildProcess.prototype.emit = function (event, ...args) {
+    if (this.listeners[event]) {
+      this.listeners[event].forEach((listener) => listener(...args));
+    }
+  };
+  
+  export function spawn(command, args, options) {
+    if (typeof args === "undefined") {
+      args = [];
+    } else if (!(args instanceof Array)) {
+        // allow for (command, options) signature
+        options = args;
+    }
+    
+    if (typeof options === "undefined") {
+      options = {};
+    }
+  
+    const child = new ChildProcess();
+    const childCallbackName = getUniqueCallbackName("spawn");
+    window[childCallbackName] = child;
+  
+    function cleanup(name) {
+      delete window[name];
+    }
+
+    child.on("exit", code => {
+        cleanup(childCallbackName);
+    });
+
+    try {
+      ksu.spawn(
+        command,
+        JSON.stringify(args),
+        JSON.stringify(options),
+        childCallbackName
+      );
+    } catch (error) {
+      child.emit("error", error);
+      cleanup(childCallbackName);
+    }
+    return child;
+  }
+
+export function fullScreen(isFullScreen) {
+  ksu.fullScreen(isFullScreen);
+}
+
+export function toast(message) {
+  ksu.toast(message);
+}
+
+export function moduleInfo() {
+  return ksu.moduleInfo();
+}

js/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "kernelsu",
+  "version": "1.0.7",
+  "description": "Library for KernelSU's module WebUI",
+  "main": "index.js",
+  "types": "index.d.ts",
+  "scripts": {
+    "test": "npm run test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tiann/KernelSU.git"
+  },
+  "keywords": [
+    "su",
+    "kernelsu",
+    "module",
+    "webui"
+  ],
+  "author": "weishu",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/tiann/KernelSU/issues"
+  },
+  "homepage": "https://github.com/tiann/KernelSU#readme"
+}

justfile

@@ -0,0 +1,14 @@
+alias bk := build_ksud
+alias bm := build_manager
+
+build_ksud:
+    cross build --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml
+
+build_manager: build_ksud
+    cp userspace/ksud/target/aarch64-linux-android/release/ksud manager/app/src/main/jniLibs/arm64-v8a/libksud.so
+    cd manager && ./gradlew aDebug
+
+clippy:
+    cargo fmt --manifest-path ./userspace/ksud/Cargo.toml
+    cross clippy --target x86_64-pc-windows-gnu --release --manifest-path ./userspace/ksud/Cargo.toml
+    cross clippy --target aarch64-linux-android --release --manifest-path ./userspace/ksud/Cargo.toml

kernel/Kconfig

@@ -5,13 +5,15 @@ config KSU
 	depends on OVERLAY_FS
 	default y
 	help
-	Enable kernel-level root privileges on Android System.
+	  Enable kernel-level root privileges on Android System.
+	  To compile as a module, choose M here: the
+	  module will be called kernelsu.
 
 config KSU_DEBUG
 	bool "KernelSU debug mode"
 	depends on KSU
 	default n
 	help
-	Enable KernelSU debug mode
+	  Enable KernelSU debug mode.
 
 endmenu

kernel/Makefile

@@ -1,19 +1,24 @@
-obj-y += ksu.o
-obj-y += allowlist.o
-kernelsu-objs := apk_sign.o
-obj-y += kernelsu.o
-obj-y += module_api.o
-obj-y += sucompat.o
-obj-y += uid_observer.o
-obj-y += manager.o
-obj-y += core_hook.o
-obj-y += ksud.o
-obj-y += embed_ksud.o
-obj-y += kernel_compat.o
+kernelsu-objs := ksu.o
+kernelsu-objs += allowlist.o
+kernelsu-objs += apk_sign.o
+kernelsu-objs += sucompat.o
+kernelsu-objs += throne_tracker.o
+kernelsu-objs += core_hook.o
+kernelsu-objs += ksud.o
+kernelsu-objs += embed_ksud.o
+kernelsu-objs += kernel_compat.o
+
+kernelsu-objs += selinux/selinux.o
+kernelsu-objs += selinux/sepolicy.o
+kernelsu-objs += selinux/rules.o
+ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
+ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-generic/errno.h
+
+obj-$(CONFIG_KSU) += kernelsu.o
 
-obj-y += selinux/
 # .git is a text file while the module is imported by 'git submodule add'.
 ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+$(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin [ -f ../.git/shallow ] && git fetch --unshallow)
 KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
 # ksu_version: major * 10000 + git version + 200 for historical reasons
 $(eval KSU_VERSION=$(shell expr 10000 + $(KSU_GIT_VERSION) + 200))
@@ -42,5 +47,8 @@ $(info -- KernelSU Manager signature hash: $(KSU_EXPECTED_HASH))
 
 ccflags-y += -DEXPECTED_SIZE=$(KSU_EXPECTED_SIZE)
 ccflags-y += -DEXPECTED_HASH=\"$(KSU_EXPECTED_HASH)\"
+
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
-ccflags-y += -Wno-declaration-after-statement
+ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
+
+# Keep a new line here!! Because someone may append config

kernel/allowlist.c

@@ -1,21 +1,21 @@
-#include "ksu.h"
-#include "linux/compiler.h"
-#include "linux/fs.h"
-#include "linux/gfp.h"
-#include "linux/kernel.h"
-#include "linux/list.h"
-#include "linux/printk.h"
-#include "linux/slab.h"
-#include "linux/types.h"
-#include "linux/version.h"
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
-#include "linux/compiler_types.h"
-#endif
+#include <linux/capability.h>
+#include <linux/compiler.h>
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/kernel.h>
+#include <linux/list.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/version.h>
+#include <linux/compiler_types.h>
 
+#include "ksu.h"
 #include "klog.h" // IWYU pragma: keep
 #include "selinux/selinux.h"
 #include "kernel_compat.h"
 #include "allowlist.h"
+#include "manager.h"
 
 #define FILE_MAGIC 0x7f4b5355 // ' KSU', u32
 #define FILE_FORMAT_VERSION 3 // u32
@@ -63,12 +63,14 @@ static void remove_uid_from_arr(uid_t uid)
 
 static void init_default_profiles()
 {
+	kernel_cap_t full_cap = CAP_FULL_SET;
+
 	default_root_profile.uid = 0;
 	default_root_profile.gid = 0;
 	default_root_profile.groups_count = 1;
 	default_root_profile.groups[0] = 0;
-	memset(&default_root_profile.capabilities, 0xff,
-	       sizeof(default_root_profile.capabilities));
+	memcpy(&default_root_profile.capabilities.effective, &full_cap,
+		sizeof(default_root_profile.capabilities.effective));
 	default_root_profile.namespaces = 0;
 	strcpy(default_root_profile.selinux_domain, KSU_DEFAULT_SELINUX_DOMAIN);
 
@@ -109,6 +111,7 @@ void ksu_show_allow_list(void)
 static void ksu_grant_root_to_shell()
 {
 	struct app_profile profile = {
+		.version = KSU_APP_PROFILE_VER,
 		.allow_su = true,
 		.current_uid = 2000,
 	};
@@ -151,11 +154,6 @@ static bool profile_valid(struct app_profile *profile)
 		return false;
 	}
 
-	if (forbid_system_uid(profile->current_uid)) {
-		pr_err("uid lower than 2000 is unsupported: %d\n", profile->current_uid);
-		return false;
-	}
-
 	if (profile->version < KSU_APP_PROFILE_VER) {
 		pr_info("Unsupported profile version: %d\n", profile->version);
 		return false;
@@ -274,6 +272,11 @@ bool __ksu_is_allow_uid(uid_t uid)
 		return false;
 	}
 
+	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+		// manager is always allowed!
+		return true;
+	}
+
 	if (likely(uid <= BITMAP_UID_MAX)) {
 		return !!(allow_list_bitmap[uid / BITS_PER_BYTE] & (1 << (uid % BITS_PER_BYTE)));
 	} else {
@@ -289,6 +292,10 @@ bool __ksu_is_allow_uid(uid_t uid)
 bool ksu_uid_should_umount(uid_t uid)
 {
 	struct app_profile profile = { .current_uid = uid };
+	if (likely(ksu_is_manager_uid_valid()) && unlikely(ksu_get_manager_uid() == uid)) {
+		// we should not umount on manager!
+		return false;
+	}
 	bool found = ksu_get_app_profile(&profile);
 	if (!found) {
 		// no app profile found, it must be non root app

kernel/allowlist.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_ALLOWLIST
 #define __KSU_H_ALLOWLIST
 
-#include "linux/types.h"
+#include <linux/types.h>
 #include "ksu.h"
 
 void ksu_allowlist_init(void);

kernel/apk_sign.c

@@ -1,21 +1,23 @@
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/gfp.h"
-#include "linux/kernel.h"
-#include "linux/moduleparam.h"
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/gfp.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/version.h>
+#ifdef CONFIG_KSU_DEBUG
+#include <linux/moduleparam.h>
+#endif
+#include <crypto/hash.h>
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
+#include <crypto/sha2.h>
+#else
+#include <crypto/sha.h>
+#endif
 
 #include "apk_sign.h"
 #include "klog.h" // IWYU pragma: keep
 #include "kernel_compat.h"
-#include "crypto/hash.h"
-#include "linux/slab.h"
-#include "linux/version.h"
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
-#include "crypto/sha2.h"
-#else
-#include "crypto/sha.h"
-#endif
 
 struct sdesc {
 	struct shash_desc shash;
@@ -188,7 +190,7 @@ static __always_inline bool check_v2_signature(char *path,
 	struct file *fp = ksu_filp_open_compat(path, O_RDONLY, 0);
 	if (IS_ERR(fp)) {
 		pr_err("open %s error.\n", path);
-		return PTR_ERR(fp);
+		return false;
 	}
 
 	// disable inotify for this file
@@ -229,7 +231,8 @@ static __always_inline bool check_v2_signature(char *path,
 		goto clean;
 	}
 
-	for (;;) {
+	int loop_count = 0;
+	while (loop_count++ < 10) {
 		uint32_t id;
 		uint32_t offset;
 		ksu_kernel_read_compat(fp, &size8, 0x8,
@@ -239,7 +242,6 @@ static __always_inline bool check_v2_signature(char *path,
 		}
 		ksu_kernel_read_compat(fp, &id, 0x4, &pos); // id
 		offset = 4;
-		pr_info("id: 0x%08x\n", id);
 		if (id == 0x7109871au) {
 			v2_signing_blocks++;
 			v2_signing_valid =
@@ -251,13 +253,19 @@ static __always_inline bool check_v2_signature(char *path,
 		} else if (id == 0x1b93ad61u) {
 			// http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java#74
 			v3_1_signing_exist = true;
+		} else {
+#ifdef CONFIG_KSU_DEBUG
+			pr_info("Unknown id: 0x%08x\n", id);
+#endif
 		}
 		pos += (size8 - offset);
 	}
 
 	if (v2_signing_blocks != 1) {
+#ifdef CONFIG_KSU_DEBUG
 		pr_err("Unexpected v2 signature count: %d\n",
 		       v2_signing_blocks);
+#endif
 		v2_signing_valid = false;
 	}
 
@@ -273,7 +281,9 @@ clean:
 	filp_close(fp, 0);
 
 	if (v3_signing_exist || v3_1_signing_exist) {
+#ifdef CONFIG_KSU_DEBUG
 		pr_err("Unexpected v3 signature scheme found!\n");
+#endif
 		return false;
 	}
 
@@ -282,25 +292,15 @@ clean:
 
 #ifdef CONFIG_KSU_DEBUG
 
-unsigned ksu_expected_size = EXPECTED_SIZE;
-const char *ksu_expected_hash = EXPECTED_HASH;
+int ksu_debug_manager_uid = -1;
 
 #include "manager.h"
 
 static int set_expected_size(const char *val, const struct kernel_param *kp)
 {
 	int rv = param_set_uint(val, kp);
-	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_size set to %x\n", ksu_expected_size);
-	return rv;
-}
-
-static int set_expected_hash(const char *val, const struct kernel_param *kp)
-{
-	pr_info("set_expected_hash: %s\n", val);
-	int rv = param_set_charp(val, kp);
-	ksu_invalidate_manager_uid();
-	pr_info("ksu_expected_hash set to %s\n", ksu_expected_hash);
+	ksu_set_manager_uid(ksu_debug_manager_uid);
+	pr_info("ksu_manager_uid set to %d\n", ksu_debug_manager_uid);
 	return rv;
 }
 
@@ -309,27 +309,12 @@ static struct kernel_param_ops expected_size_ops = {
 	.get = param_get_uint,
 };
 
-static struct kernel_param_ops expected_hash_ops = {
-	.set = set_expected_hash,
-	.get = param_get_charp,
-	.free = param_free_charp,
-};
+module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
+		&ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
 
-module_param_cb(ksu_expected_size, &expected_size_ops, &ksu_expected_size,
-		S_IRUSR | S_IWUSR);
-module_param_cb(ksu_expected_hash, &expected_hash_ops, &ksu_expected_hash,
-		S_IRUSR | S_IWUSR);
-
-bool is_manager_apk(char *path)
-{
-	return check_v2_signature(path, ksu_expected_size, ksu_expected_hash);
-}
-
-#else
+#endif
 
 bool is_manager_apk(char *path)
 {
 	return check_v2_signature(path, EXPECTED_SIZE, EXPECTED_HASH);
-}
-
-#endif
+}

kernel/apk_sign.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_APK_V2_SIGN
 #define __KSU_H_APK_V2_SIGN
 
-#include "linux/types.h"
+#include <linux/types.h>
 
 bool is_manager_apk(char *path);
 

kernel/arch.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_ARCH
 #define __KSU_H_ARCH
 
-#include "linux/version.h"
+#include <linux/version.h>
 
 #if defined(__aarch64__)
 
@@ -18,11 +18,11 @@
 #define __PT_SP_REG sp
 #define __PT_IP_REG pc
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define PRCTL_SYMBOL "__arm64_sys_prctl"
-#else
-#define PRCTL_SYMBOL "sys_prctl"
-#endif
+#define SYS_READ_SYMBOL "__arm64_sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "__arm64_sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "__arm64_sys_faccessat"
+#define SYS_EXECVE_SYMBOL "__arm64_sys_execve"
 
 #elif defined(__x86_64__)
 
@@ -39,11 +39,11 @@
 #define __PT_RC_REG ax
 #define __PT_SP_REG sp
 #define __PT_IP_REG ip
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 #define PRCTL_SYMBOL "__x64_sys_prctl"
-#else
-#define PRCTL_SYMBOL "sys_prctl"
-#endif
+#define SYS_READ_SYMBOL "__x64_sys_read"
+#define SYS_NEWFSTATAT_SYMBOL "__x64_sys_newfstatat"
+#define SYS_FACCESSAT_SYMBOL "__x64_sys_faccessat"
+#define SYS_EXECVE_SYMBOL "__x64_sys_execve"
 
 #else
 #error "Unsupported arch"
@@ -67,4 +67,6 @@
 #define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
 #define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
 
+#define PT_REAL_REGS(regs) ((struct pt_regs *)PT_REGS_PARM1(regs))
+
 #endif

kernel/core_hook.c

@@ -1,23 +1,37 @@
-#include "linux/capability.h"
-#include "linux/cred.h"
-#include "linux/dcache.h"
-#include "linux/err.h"
-#include "linux/init.h"
-#include "linux/init_task.h"
-#include "linux/kernel.h"
-#include "linux/kprobes.h"
-#include "linux/lsm_hooks.h"
-#include "linux/nsproxy.h"
-#include "linux/path.h"
-#include "linux/printk.h"
-#include "linux/uaccess.h"
-#include "linux/uidgid.h"
-#include "linux/version.h"
-#include "linux/mount.h"
+#include <linux/capability.h>
+#include <linux/cred.h>
+#include <linux/dcache.h>
+#include <linux/err.h>
+#include <linux/init.h>
+#include <linux/init_task.h>
+#include <linux/kallsyms.h>
+#include <linux/kernel.h>
+#include <linux/kprobes.h>
+#include <linux/lsm_hooks.h>
+#include <linux/mm.h>
+#include <linux/nsproxy.h>
+#include <linux/path.h>
+#include <linux/printk.h>
+#include <linux/sched.h>
+#include <linux/security.h>
+#include <linux/stddef.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/uidgid.h>
+#include <linux/version.h>
+#include <linux/mount.h>
 
-#include "linux/fs.h"
-#include "linux/namei.h"
-#include "linux/rcupdate.h"
+#include <linux/fs.h>
+#include <linux/namei.h>
+
+#ifdef MODULE
+#include <linux/list.h>
+#include <linux/irqflags.h>
+#include <linux/mm_types.h>
+#include <linux/rcupdate.h>
+#include <linux/vmalloc.h>
+#endif
 
 #include "allowlist.h"
 #include "arch.h"
@@ -27,13 +41,18 @@
 #include "ksud.h"
 #include "manager.h"
 #include "selinux/selinux.h"
-#include "uid_observer.h"
+#include "throne_tracker.h"
+#include "throne_tracker.h"
 #include "kernel_compat.h"
 
 static bool ksu_module_mounted = false;
 
 extern int handle_sepolicy(unsigned long arg3, void __user *arg4);
 
+static bool ksu_su_compat_enabled = true;
+extern void ksu_sucompat_init();
+extern void ksu_sucompat_exit();
+
 static inline bool is_allow_su()
 {
 	if (is_manager()) {
@@ -43,16 +62,11 @@ static inline bool is_allow_su()
 	return ksu_is_allow_uid(current_uid().val);
 }
 
-static inline bool is_isolated_uid(uid_t uid)
+static inline bool is_unsupported_uid(uid_t uid)
 {
-#define FIRST_ISOLATED_UID 99000
-#define LAST_ISOLATED_UID 99999
-#define FIRST_APP_ZYGOTE_ISOLATED_UID 90000
-#define LAST_APP_ZYGOTE_ISOLATED_UID 98999
+#define LAST_APPLICATION_UID 19999
 	uid_t appid = uid % 100000;
-	return (appid >= FIRST_ISOLATED_UID && appid <= LAST_ISOLATED_UID) ||
-	       (appid >= FIRST_APP_ZYGOTE_ISOLATED_UID &&
-		appid <= LAST_APP_ZYGOTE_ISOLATED_UID);
+	return appid > LAST_APPLICATION_UID;
 }
 
 static struct group_info root_groups = { .usage = ATOMIC_INIT(2) };
@@ -89,57 +103,17 @@ static void setup_groups(struct root_profile *profile, struct cred *cred)
 			put_group_info(group_info);
 			return;
 		}
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
 		group_info->gid[i] = kgid;
-#else
-		GROUP_AT(group_info, i) = kgid;
-#endif
 	}
 
 	groups_sort(group_info);
 	set_groups(cred, group_info);
+	put_group_info(group_info);
 }
 
-void escape_to_root(void)
+static void disable_seccomp()
 {
-	struct cred *cred;
-
-	cred = (struct cred *)__task_cred(current);
-
-	if (cred->euid.val == 0) {
-		pr_warn("Already root, don't escape!\n");
-		return;
-	}
-	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
-
-	cred->uid.val = profile->uid;
-	cred->suid.val = profile->uid;
-	cred->euid.val = profile->uid;
-	cred->fsuid.val = profile->uid;
-
-	cred->gid.val = profile->gid;
-	cred->fsgid.val = profile->gid;
-	cred->sgid.val = profile->gid;
-	cred->egid.val = profile->gid;
-
-	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
-		     sizeof(kernel_cap_t));
-
-	// setup capabilities
-	// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
-	// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
-	u64 cap_for_ksud = profile->capabilities.effective | CAP_DAC_READ_SEARCH;
-	memcpy(&cred->cap_effective, &cap_for_ksud,
-	       sizeof(cred->cap_effective));
-	memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
-	       sizeof(cred->cap_inheritable));
-	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
-	       sizeof(cred->cap_permitted));
-	memcpy(&cred->cap_bset, &profile->capabilities.effective,
-	       sizeof(cred->cap_bset));
-	memcpy(&cred->cap_ambient, &profile->capabilities.effective,
-	       sizeof(cred->cap_ambient));
-
+	assert_spin_locked(&current->sighand->siglock);
 	// disable seccomp
 #if defined(CONFIG_GENERIC_ENTRY) &&                                           \
 	LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
@@ -153,9 +127,62 @@ void escape_to_root(void)
 	current->seccomp.filter = NULL;
 #else
 #endif
+}
+
+void escape_to_root(void)
+{
+	struct cred *cred;
+
+	cred = prepare_creds();
+	if (!cred) {
+		pr_warn("prepare_creds failed!\n");
+		return;
+	}
+
+	if (cred->euid.val == 0) {
+		pr_warn("Already root, don't escape!\n");
+		abort_creds(cred);
+		return;
+	}
+
+	struct root_profile *profile = ksu_get_root_profile(cred->uid.val);
+
+	cred->uid.val = profile->uid;
+	cred->suid.val = profile->uid;
+	cred->euid.val = profile->uid;
+	cred->fsuid.val = profile->uid;
+
+	cred->gid.val = profile->gid;
+	cred->fsgid.val = profile->gid;
+	cred->sgid.val = profile->gid;
+	cred->egid.val = profile->gid;
+	cred->securebits = 0;
+
+	BUILD_BUG_ON(sizeof(profile->capabilities.effective) !=
+		     sizeof(kernel_cap_t));
+
+	// setup capabilities
+	// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
+	// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
+	u64 cap_for_ksud =
+		profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+	memcpy(&cred->cap_effective, &cap_for_ksud,
+	       sizeof(cred->cap_effective));
+	memcpy(&cred->cap_permitted, &profile->capabilities.effective,
+	       sizeof(cred->cap_permitted));
+	memcpy(&cred->cap_bset, &profile->capabilities.effective,
+	       sizeof(cred->cap_bset));
 
 	setup_groups(profile, cred);
 
+	commit_creds(cred);
+
+	// Refer to kernel/seccomp.c: seccomp_set_mode_strict
+	// When disabling Seccomp, ensure that current->sighand->siglock is held during the operation.
+	spin_lock_irq(&current->sighand->siglock);
+	disable_seccomp();
+	spin_unlock_irq(&current->sighand->siglock);
+
 	setup_selinux(profile->selinux_domain);
 }
 
@@ -187,17 +214,37 @@ int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry)
 		return 0;
 	}
 
-	if (strcmp(buf, "/system/packages.list")) {
+	if (!strstr(buf, "/system/packages.list")) {
 		return 0;
 	}
 	pr_info("renameat: %s -> %s, new path: %s\n", old_dentry->d_iname,
 		new_dentry->d_iname, buf);
 
-	update_uid();
+	track_throne();
 
 	return 0;
 }
 
+static void nuke_ext4_sysfs() {
+	struct path path;
+	int err = kern_path("/data/adb/modules", 0, &path);
+	if (err) {
+		pr_err("nuke path err: %d\n", err);
+		return;
+	}
+
+	struct super_block* sb = path.dentry->d_inode->i_sb;
+	const char* name = sb->s_type->name;
+	if (strcmp(name, "ext4") != 0) {
+		pr_info("nuke but module aren't mounted\n");
+		path_put(&path);
+		return;
+	}
+
+	ext4_unregister_sysfs(sb);
+	path_put(&path);
+}
+
 int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		     unsigned long arg4, unsigned long arg5)
 {
@@ -209,83 +256,33 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
-	// always ignore isolated app uid
-	if (is_isolated_uid(current_uid().val)) {
+	// TODO: find it in throne tracker!
+	uid_t current_uid_val = current_uid().val;
+	uid_t manager_uid = ksu_get_manager_uid();
+	if (current_uid_val != manager_uid &&
+	    current_uid_val % 100000 == manager_uid) {
+		ksu_set_manager_uid(current_uid_val);
+	}
+
+	bool from_root = 0 == current_uid().val;
+	bool from_manager = is_manager();
+
+	if (!from_root && !from_manager) {
+		// only root or manager can access this interface
 		return 0;
 	}
 
-	static uid_t last_failed_uid = -1;
-	if (last_failed_uid == current_uid().val) {
-		return 0;
-	}
-
-	// pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+#ifdef CONFIG_KSU_DEBUG
+	pr_info("option: 0x%x, cmd: %ld\n", option, arg2);
+#endif
 
 	if (arg2 == CMD_BECOME_MANAGER) {
-		// quick check
-		if (is_manager()) {
+		if (from_manager) {
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 				pr_err("become_manager: prctl reply error\n");
 			}
 			return 0;
 		}
-		if (ksu_is_manager_uid_valid()) {
-			pr_info("manager already exist: %d\n",
-				ksu_get_manager_uid());
-			return 0;
-		}
-
-		// someone wants to be root manager, just check it!
-		// arg3 should be `/data/user/<userId>/<manager_package_name>`
-		char param[128];
-		if (ksu_strncpy_from_user_nofault(param, arg3, sizeof(param)) ==
-		    -EFAULT) {
-#ifdef CONFIG_KSU_DEBUG
-			pr_err("become_manager: copy param err\n");
-#endif
-			return 0;
-		}
-
-		// for user 0, it is /data/data
-		// for user 999, it is /data/user/999
-		const char *prefix;
-		char prefixTmp[64];
-		int userId = current_uid().val / 100000;
-		if (userId == 0) {
-			prefix = "/data/data";
-		} else {
-			snprintf(prefixTmp, sizeof(prefixTmp), "/data/user/%d",
-				 userId);
-			prefix = prefixTmp;
-		}
-
-		if (startswith(param, (char *)prefix) != 0) {
-			pr_info("become_manager: invalid param: %s\n", param);
-			return 0;
-		}
-
-		// stat the param, app must have permission to do this
-		// otherwise it may fake the path!
-		struct path path;
-		if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
-			pr_err("become_manager: kern_path err\n");
-			return 0;
-		}
-		if (path.dentry->d_inode->i_uid.val != current_uid().val) {
-			pr_err("become_manager: path uid != current uid\n");
-			path_put(&path);
-			return 0;
-		}
-		char *pkg = param + strlen(prefix);
-		pr_info("become_manager: param pkg: %s\n", pkg);
-
-		bool success = become_manager(pkg);
-		if (success) {
-			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
-				pr_err("become_manager: prctl reply error\n");
-			}
-		}
-		path_put(&path);
 		return 0;
 	}
 
@@ -302,17 +299,23 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 
 	// Both root manager and root processes should be allowed to get version
 	if (arg2 == CMD_GET_VERSION) {
-		if (is_manager() || 0 == current_uid().val) {
-			u32 version = KERNEL_SU_VERSION;
-			if (copy_to_user(arg3, &version, sizeof(version))) {
-				pr_err("prctl reply error, cmd: %lu\n", arg2);
-			}
+		u32 version = KERNEL_SU_VERSION;
+		if (copy_to_user(arg3, &version, sizeof(version))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+		u32 version_flags = 0;
+#ifdef MODULE
+		version_flags |= 0x1;
+#endif
+		if (arg4 &&
+		    copy_to_user(arg4, &version_flags, sizeof(version_flags))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
 		}
 		return 0;
 	}
 
 	if (arg2 == CMD_REPORT_EVENT) {
-		if (0 != current_uid().val) {
+		if (!from_root) {
 			return 0;
 		}
 		switch (arg3) {
@@ -336,6 +339,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		case EVENT_MODULE_MOUNTED: {
 			ksu_module_mounted = true;
 			pr_info("module mounted!\n");
+			nuke_ext4_sysfs();
 			break;
 		}
 		default:
@@ -345,7 +349,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_SET_SEPOLICY) {
-		if (0 != current_uid().val) {
+		if (!from_root) {
 			return 0;
 		}
 		if (!handle_sepolicy(arg3, arg4)) {
@@ -358,9 +362,6 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_CHECK_SAFEMODE) {
-		if (!is_manager() && 0 != current_uid().val) {
-			return 0;
-		}
 		if (ksu_is_safe_mode()) {
 			pr_warn("safemode enabled!\n");
 			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
@@ -371,57 +372,60 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 	}
 
 	if (arg2 == CMD_GET_ALLOW_LIST || arg2 == CMD_GET_DENY_LIST) {
-		if (is_manager() || 0 == current_uid().val) {
-			u32 array[128];
-			u32 array_length;
-			bool success =
-				ksu_get_allow_list(array, &array_length,
-						   arg2 == CMD_GET_ALLOW_LIST);
-			if (success) {
-				if (!copy_to_user(arg4, &array_length,
-						  sizeof(array_length)) &&
-				    !copy_to_user(arg3, array,
-						  sizeof(u32) * array_length)) {
-					if (copy_to_user(result, &reply_ok,
-							 sizeof(reply_ok))) {
-						pr_err("prctl reply error, cmd: %lu\n",
-						       arg2);
-					}
-				} else {
-					pr_err("prctl copy allowlist error\n");
-				}
-			}
-		}
-		return 0;
-	}
-
-	if (arg2 == CMD_UID_GRANTED_ROOT || arg2 == CMD_UID_SHOULD_UMOUNT) {
-		if (is_manager() || 0 == current_uid().val) {
-			uid_t target_uid = (uid_t)arg3;
-			bool allow = false;
-			if (arg2 == CMD_UID_GRANTED_ROOT) {
-				allow = ksu_is_allow_uid(target_uid);
-			} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
-				allow = ksu_uid_should_umount(target_uid);
-			} else {
-				pr_err("unknown cmd: %lu\n", arg2);
-			}
-			if (!copy_to_user(arg4, &allow, sizeof(allow))) {
+		u32 array[128];
+		u32 array_length;
+		bool success = ksu_get_allow_list(array, &array_length,
+						  arg2 == CMD_GET_ALLOW_LIST);
+		if (success) {
+			if (!copy_to_user(arg4, &array_length,
+					  sizeof(array_length)) &&
+			    !copy_to_user(arg3, array,
+					  sizeof(u32) * array_length)) {
 				if (copy_to_user(result, &reply_ok,
 						 sizeof(reply_ok))) {
 					pr_err("prctl reply error, cmd: %lu\n",
 					       arg2);
 				}
 			} else {
-				pr_err("prctl copy err, cmd: %lu\n", arg2);
+				pr_err("prctl copy allowlist error\n");
 			}
 		}
 		return 0;
 	}
 
+	if (arg2 == CMD_UID_GRANTED_ROOT || arg2 == CMD_UID_SHOULD_UMOUNT) {
+		uid_t target_uid = (uid_t)arg3;
+		bool allow = false;
+		if (arg2 == CMD_UID_GRANTED_ROOT) {
+			allow = ksu_is_allow_uid(target_uid);
+		} else if (arg2 == CMD_UID_SHOULD_UMOUNT) {
+			allow = ksu_uid_should_umount(target_uid);
+		} else {
+			pr_err("unknown cmd: %lu\n", arg2);
+		}
+		if (!copy_to_user(arg4, &allow, sizeof(allow))) {
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+				pr_err("prctl reply error, cmd: %lu\n", arg2);
+			}
+		} else {
+			pr_err("prctl copy err, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_GET_MANAGER_UID) {
+		uid_t manager_uid = ksu_get_manager_uid();
+		if (copy_to_user(arg3, &manager_uid, sizeof(manager_uid))) {
+			pr_err("get manager uid failed\n");
+		}
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
+
 	// all other cmds are for 'root manager'
-	if (!is_manager()) {
-		last_failed_uid = current_uid().val;
+	if (!from_manager) {
 		return 0;
 	}
 
@@ -462,6 +466,42 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
+	if (arg2 == CMD_IS_SU_ENABLED) {
+		if (copy_to_user(arg3, &ksu_su_compat_enabled,
+				 sizeof(ksu_su_compat_enabled))) {
+			pr_err("copy su compat failed\n");
+			return 0;
+		}
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
+
+	if (arg2 == CMD_ENABLE_SU) {
+		bool enabled = (arg3 != 0);
+		if (enabled == ksu_su_compat_enabled) {
+			pr_info("cmd enable su but no need to change.\n");
+			if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {// return the reply_ok directly
+				pr_err("prctl reply error, cmd: %lu\n", arg2);
+			}
+			return 0;
+		}
+
+		if (enabled) {
+			ksu_sucompat_init();
+		} else {
+			ksu_sucompat_exit();
+		}
+		ksu_su_compat_enabled = enabled;
+
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+
+		return 0;
+	}
+
 	return 0;
 }
 
@@ -496,14 +536,10 @@ static bool should_umount(struct path *path)
 
 static void ksu_umount_mnt(struct path *path, int flags)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	int err = path_umount(path, flags);
 	if (err) {
 		pr_info("umount %s failed: %d\n", path->dentry->d_iname, err);
 	}
-#else
-	// TODO: umount for non GKI kernel
-#endif
 }
 
 static void try_umount(const char *mnt, bool check_mnt, int flags)
@@ -516,11 +552,13 @@ static void try_umount(const char *mnt, bool check_mnt, int flags)
 
 	if (path.dentry != path.mnt->mnt_root) {
 		// it is not root mountpoint, maybe umounted by others already.
+		path_put(&path);
 		return;
 	}
 
 	// we are only interest in some specific mounts
 	if (check_mnt && !should_umount(&path)) {
+		path_put(&path);
 		return;
 	}
 
@@ -546,7 +584,7 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 		return 0;
 	}
 
-	if (!is_appuid(new_uid) || is_isolated_uid(new_uid.val)) {
+	if (!is_appuid(new_uid) || is_unsupported_uid(new_uid.val)) {
 		// pr_info("handle setuid ignore non application or isolated uid: %d\n", new_uid.val);
 		return 0;
 	}
@@ -569,22 +607,27 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 	// when we umount for such process, that is a disaster!
 	bool is_zygote_child = is_zygote(old->security);
 	if (!is_zygote_child) {
-		pr_info("handle umount ignore non zygote child: %d\n", current->pid);
+		pr_info("handle umount ignore non zygote child: %d\n",
+			current->pid);
 		return 0;
 	}
+#ifdef CONFIG_KSU_DEBUG
 	// umount the target mnt
-	pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val, current->pid);
+	pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val,
+		current->pid);
+#endif
 
 	// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
 	// filter the mountpoint whose target is `/data/adb`
+	try_umount("/odm", true, 0);
 	try_umount("/system", true, 0);
 	try_umount("/vendor", true, 0);
 	try_umount("/product", true, 0);
+	try_umount("/system_ext", true, 0);
 	try_umount("/data/adb/modules", false, MNT_DETACH);
 
 	// try umount ksu temp path
 	try_umount("/debug_ramdisk", false, MNT_DETACH);
-	try_umount("/sbin", false, MNT_DETACH);
 
 	return 0;
 }
@@ -593,22 +636,12 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 
 static int handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
-	struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(regs);
-#else
-	struct pt_regs *real_regs = regs;
-#endif
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
 	int option = (int)PT_REGS_PARM1(real_regs);
 	unsigned long arg2 = (unsigned long)PT_REGS_PARM2(real_regs);
 	unsigned long arg3 = (unsigned long)PT_REGS_PARM3(real_regs);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
 	// PRCTL_SYMBOL is the arch-specificed one, which receive raw pt_regs from syscall
 	unsigned long arg4 = (unsigned long)PT_REGS_SYSCALL_PARM4(real_regs);
-#else
-	// PRCTL_SYMBOL is the common one, called by C convention in do_syscall_64
-	// https://elixir.bootlin.com/linux/v4.15.18/source/arch/x86/entry/common.c#L287
-	unsigned long arg4 = (unsigned long)PT_REGS_CCALL_PARM4(real_regs);
-#endif
 	unsigned long arg5 = (unsigned long)PT_REGS_PARM5(real_regs);
 
 	return ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
@@ -668,23 +701,7 @@ static int ksu_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 	ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
 	return -ENOSYS;
 }
-// kernel 4.4 and 4.9
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-static int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
-			      unsigned perm)
-{
-	if (init_session_keyring != NULL) {
-		return 0;
-	}
-	if (strcmp(current->comm, "init")) {
-		// we are only interested in `init` process
-		return 0;
-	}
-	init_session_keyring = cred->session_keyring;
-	pr_info("kernel_compat: got init_session_keyring\n");
-	return 0;
-}
-#endif
+
 static int ksu_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
 			    struct inode *new_inode, struct dentry *new_dentry)
 {
@@ -697,40 +714,196 @@ static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
 	return ksu_handle_setuid(new, old);
 }
 
+#ifndef MODULE
 static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-	LSM_HOOK_INIT(key_permission, ksu_key_permission)
-#endif
 };
 
 void __init ksu_lsm_hook_init(void)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
 	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks), "ksu");
-#else
-	// https://elixir.bootlin.com/linux/v4.10.17/source/include/linux/lsm_hooks.h#L1892
-	security_add_hooks(ksu_hooks, ARRAY_SIZE(ksu_hooks));
-#endif
 }
 
+#else
+static int override_security_head(void *head, const void *new_head, size_t len)
+{
+	unsigned long base = (unsigned long)head & PAGE_MASK;
+	unsigned long offset = offset_in_page(head);
+
+	// this is impossible for our case because the page alignment
+	// but be careful for other cases!
+	BUG_ON(offset + len > PAGE_SIZE);
+	struct page *page = phys_to_page(__pa(base));
+	if (!page) {
+		return -EFAULT;
+	}
+
+	void *addr = vmap(&page, 1, VM_MAP, PAGE_KERNEL);
+	if (!addr) {
+		return -ENOMEM;
+	}
+	local_irq_disable();
+	memcpy(addr + offset, new_head, len);
+	local_irq_enable();
+	vunmap(addr);
+	return 0;
+}
+
+static void free_security_hook_list(struct hlist_head *head)
+{
+	struct hlist_node *temp;
+	struct security_hook_list *entry;
+
+	if (!head)
+		return;
+
+	hlist_for_each_entry_safe (entry, temp, head, list) {
+		hlist_del(&entry->list);
+		kfree(entry);
+	}
+
+	kfree(head);
+}
+
+struct hlist_head *copy_security_hlist(struct hlist_head *orig)
+{
+	struct hlist_head *new_head = kmalloc(sizeof(*new_head), GFP_KERNEL);
+	if (!new_head)
+		return NULL;
+
+	INIT_HLIST_HEAD(new_head);
+
+	struct security_hook_list *entry;
+	struct security_hook_list *new_entry;
+
+	hlist_for_each_entry (entry, orig, list) {
+		new_entry = kmalloc(sizeof(*new_entry), GFP_KERNEL);
+		if (!new_entry) {
+			free_security_hook_list(new_head);
+			return NULL;
+		}
+
+		*new_entry = *entry;
+
+		hlist_add_tail_rcu(&new_entry->list, new_head);
+	}
+
+	return new_head;
+}
+
+#define LSM_SEARCH_MAX 180 // This should be enough to iterate
+static void *find_head_addr(void *security_ptr, int *index)
+{
+	if (!security_ptr) {
+		return NULL;
+	}
+	struct hlist_head *head_start =
+		(struct hlist_head *)&security_hook_heads;
+
+	for (int i = 0; i < LSM_SEARCH_MAX; i++) {
+		struct hlist_head *head = head_start + i;
+		struct security_hook_list *pos;
+		hlist_for_each_entry (pos, head, list) {
+			if (pos->hook.capget == security_ptr) {
+				if (index) {
+					*index = i;
+				}
+				return head;
+			}
+		}
+	}
+
+	return NULL;
+}
+
+#define GET_SYMBOL_ADDR(sym)                                                   \
+	({                                                                     \
+		void *addr = kallsyms_lookup_name(#sym ".cfi_jt");             \
+		if (!addr) {                                                   \
+			addr = kallsyms_lookup_name(#sym);                     \
+		}                                                              \
+		addr;                                                          \
+	})
+
+#define KSU_LSM_HOOK_HACK_INIT(head_ptr, name, func)                           \
+	do {                                                                   \
+		static struct security_hook_list hook = {                      \
+			.hook = { .name = func }                               \
+		};                                                             \
+		hook.head = head_ptr;                                          \
+		hook.lsm = "ksu";                                              \
+		struct hlist_head *new_head = copy_security_hlist(hook.head);  \
+		if (!new_head) {                                               \
+			pr_err("Failed to copy security list: %s\n", #name);   \
+			break;                                                 \
+		}                                                              \
+		hlist_add_tail_rcu(&hook.list, new_head);                      \
+		if (override_security_head(hook.head, new_head,                \
+					   sizeof(*new_head))) {               \
+			free_security_hook_list(new_head);                     \
+			pr_err("Failed to hack lsm for: %s\n", #name);         \
+		}                                                              \
+	} while (0)
+
+void __init ksu_lsm_hook_init(void)
+{
+	void *cap_prctl = GET_SYMBOL_ADDR(cap_task_prctl);
+	void *prctl_head = find_head_addr(cap_prctl, NULL);
+	if (prctl_head) {
+		if (prctl_head != &security_hook_heads.task_prctl) {
+			pr_warn("prctl's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(prctl_head, task_prctl, ksu_task_prctl);
+	} else {
+		pr_warn("Failed to find task_prctl!\n");
+	}
+
+	int inode_killpriv_index = -1;
+	void *cap_killpriv = GET_SYMBOL_ADDR(cap_inode_killpriv);
+	find_head_addr(cap_killpriv, &inode_killpriv_index);
+	if (inode_killpriv_index < 0) {
+		pr_warn("Failed to find inode_rename, use kprobe instead!\n");
+		register_kprobe(&renameat_kp);
+	} else {
+		int inode_rename_index = inode_killpriv_index +
+					 &security_hook_heads.inode_rename -
+					 &security_hook_heads.inode_killpriv;
+		struct hlist_head *head_start =
+			(struct hlist_head *)&security_hook_heads;
+		void *inode_rename_head = head_start + inode_rename_index;
+		if (inode_rename_head != &security_hook_heads.inode_rename) {
+			pr_warn("inode_rename's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(inode_rename_head, inode_rename,
+				       ksu_inode_rename);
+	}
+	void *cap_setuid = GET_SYMBOL_ADDR(cap_task_fix_setuid);
+	void *setuid_head = find_head_addr(cap_setuid, NULL);
+	if (setuid_head) {
+		if (setuid_head != &security_hook_heads.task_fix_setuid) {
+			pr_warn("setuid's address has shifted!\n");
+		}
+		KSU_LSM_HOOK_HACK_INIT(setuid_head, task_fix_setuid,
+				       ksu_task_fix_setuid);
+	} else {
+		pr_warn("Failed to find task_fix_setuid!\n");
+	}
+	smp_mb();
+}
+#endif
+
 void __init ksu_core_init(void)
 {
-#ifndef MODULE
-	pr_info("ksu_lsm_hook_init\n");
 	ksu_lsm_hook_init();
-#else
-	pr_info("ksu_kprobe_init\n");
-	ksu_kprobe_init();
-#endif
 }
 
 void ksu_core_exit(void)
 {
-#ifndef MODULE
-	pr_info("ksu_kprobe_exit\n");
-	ksu_kprobe_exit();
+#ifdef CONFIG_KPROBES
+	pr_info("ksu_core_kprobe_exit\n");
+	// we dont use this now
+	// ksu_kprobe_exit();
 #endif
 }

kernel/core_hook.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_KSU_CORE
 #define __KSU_H_KSU_CORE
 
-#include "linux/init.h"
+#include <linux/init.h>
 
 void __init ksu_core_init(void);
 void ksu_core_exit(void);

kernel/include/ksu_hook.h

@@ -1,8 +1,8 @@
 #ifndef __KSU_H_KSHOOK
 #define __KSU_H_KSHOOK
 
-#include "linux/fs.h"
-#include "linux/types.h"
+#include <linux/fs.h>
+#include <linux/types.h>
 
 // For sucompat
 

kernel/kernel_compat.c

@@ -1,41 +1,10 @@
-#include "linux/version.h"
-#include "linux/fs.h"
-#include "linux/nsproxy.h"
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
-#include "linux/sched/task.h"
-#include "linux/uaccess.h"
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)
-#include "linux/uaccess.h"
-#include "linux/sched.h"
-#else
-#include "linux/sched.h"
-#endif
+#include <linux/version.h>
+#include <linux/fs.h>
+#include <linux/nsproxy.h>
+#include <linux/sched/task.h>
+#include <linux/uaccess.h>
 #include "klog.h" // IWYU pragma: keep
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-#include "linux/key.h"
-#include "linux/errno.h"
-#include "linux/cred.h"
-struct key *init_session_keyring = NULL;
-
-static inline int install_session_keyring(struct key *keyring)
-{
-	struct cred *new;
-	int ret;
-
-	new = prepare_creds();
-	if (!new)
-		return -ENOMEM;
-
-	ret = install_session_keyring_to_cred(new, keyring);
-	if (ret < 0) {
-		abort_creds(new);
-		return ret;
-	}
-
-	return commit_creds(new);
-}
-#endif
+#include "kernel_compat.h"
 
 extern struct task_struct init_task;
 
@@ -81,13 +50,6 @@ void ksu_android_ns_fs_check()
 
 struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
 {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-	if (init_session_keyring != NULL && !current_cred()->session_keyring &&
-	    (current->flags & PF_WQ_WORKER)) {
-		pr_info("installing init session keyring for older kernel\n");
-		install_session_keyring(init_session_keyring);
-	}
-#endif
 	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
 	struct ksu_ns_fs_saved saved;
 	if (android_context_saved_enabled) {
@@ -110,69 +72,17 @@ struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
 ssize_t ksu_kernel_read_compat(struct file *p, void *buf, size_t count,
 			       loff_t *pos)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
 	return kernel_read(p, buf, count, pos);
-#else
-	loff_t offset = pos ? *pos : 0;
-	ssize_t result = kernel_read(p, offset, (char *)buf, count);
-	if (pos && result > 0) {
-		*pos = offset + result;
-	}
-	return result;
-#endif
 }
 
 ssize_t ksu_kernel_write_compat(struct file *p, const void *buf, size_t count,
 				loff_t *pos)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)
 	return kernel_write(p, buf, count, pos);
-#else
-	loff_t offset = pos ? *pos : 0;
-	ssize_t result = kernel_write(p, buf, count, offset);
-	if (pos && result > 0) {
-		*pos = offset + result;
-	}
-	return result;
-#endif
 }
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
 long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
 				   long count)
 {
 	return strncpy_from_user_nofault(dst, unsafe_addr, count);
 }
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(5, 3, 0)
-long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
-				   long count)
-{
-	return strncpy_from_unsafe_user(dst, unsafe_addr, count);
-}
-#else
-// Copied from: https://elixir.bootlin.com/linux/v4.9.337/source/mm/maccess.c#L201
-long ksu_strncpy_from_user_nofault(char *dst, const void __user *unsafe_addr,
-				   long count)
-{
-	mm_segment_t old_fs = get_fs();
-	long ret;
-
-	if (unlikely(count <= 0))
-		return 0;
-
-	set_fs(USER_DS);
-	pagefault_disable();
-	ret = strncpy_from_user(dst, unsafe_addr, count);
-	pagefault_enable();
-	set_fs(old_fs);
-
-	if (ret >= count) {
-		ret = count;
-		dst[ret - 1] = '\0';
-	} else if (ret > 0) {
-		ret++;
-	}
-
-	return ret;
-}
-#endif

kernel/kernel_compat.h

@@ -1,18 +1,29 @@
 #ifndef __KSU_H_KERNEL_COMPAT
 #define __KSU_H_KERNEL_COMPAT
 
-#include "linux/fs.h"
+#include <linux/fs.h>
+#include <linux/version.h>
+#include "ss/policydb.h"
 #include "linux/key.h"
-#include "linux/version.h"
+
+/*
+ * Adapt to Huawei HISI kernel without affecting other kernels ,
+ * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
+ * From ss/ebitmap.h
+ */
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)) &&                           \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)) ||               \
+	(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 14, 0)) &&                      \
+		(LINUX_VERSION_CODE < KERNEL_VERSION(4, 15, 0))
+#ifdef HISI_SELINUX_EBITMAP_RO
+#define CONFIG_IS_HW_HISI
+#endif
+#endif
 
 extern long ksu_strncpy_from_user_nofault(char *dst,
 					  const void __user *unsafe_addr,
 					  long count);
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-extern struct key *init_session_keyring;
-#endif
-
 extern void ksu_android_ns_fs_check();
 extern struct file *ksu_filp_open_compat(const char *filename, int flags,
 					 umode_t mode);

kernel/ksu.c

@@ -1,13 +1,15 @@
-#include "linux/fs.h"
-#include "linux/module.h"
-#include "linux/workqueue.h"
+#include <linux/export.h>
+#include <linux/fs.h>
+#include <linux/kobject.h>
+#include <linux/module.h>
+#include <linux/workqueue.h>
 
 #include "allowlist.h"
 #include "arch.h"
 #include "core_hook.h"
 #include "klog.h" // IWYU pragma: keep
 #include "ksu.h"
-#include "uid_observer.h"
+#include "throne_tracker.h"
 
 static struct workqueue_struct *ksu_workqueue;
 
@@ -30,8 +32,10 @@ int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
 					    flags);
 }
 
-extern void ksu_enable_sucompat();
-extern void ksu_enable_ksud();
+extern void ksu_sucompat_init();
+extern void ksu_sucompat_exit();
+extern void ksu_ksud_init();
+extern void ksu_ksud_exit();
 
 int __init kernelsu_init(void)
 {
@@ -51,15 +55,20 @@ int __init kernelsu_init(void)
 
 	ksu_allowlist_init();
 
-	ksu_uid_observer_init();
+	ksu_throne_tracker_init();
 
 #ifdef CONFIG_KPROBES
-	ksu_enable_sucompat();
-	ksu_enable_ksud();
+	ksu_sucompat_init();
+	ksu_ksud_init();
 #else
 	pr_alert("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html");
 #endif
 
+#ifdef MODULE
+#ifndef CONFIG_KSU_DEBUG
+	kobject_del(&THIS_MODULE->mkobj.kobj);
+#endif
+#endif
 	return 0;
 }
 
@@ -67,10 +76,15 @@ void kernelsu_exit(void)
 {
 	ksu_allowlist_exit();
 
-	ksu_uid_observer_exit();
+	ksu_throne_tracker_exit();
 
 	destroy_workqueue(ksu_workqueue);
 
+#ifdef CONFIG_KPROBES
+	ksu_ksud_exit();
+	ksu_sucompat_exit();
+#endif
+
 	ksu_core_exit();
 }
 
@@ -80,7 +94,4 @@ module_exit(kernelsu_exit);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("weishu");
 MODULE_DESCRIPTION("Android KernelSU");
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)
 MODULE_IMPORT_NS(VFS_internal_I_am_really_a_filesystem_and_am_NOT_a_driver);
-#endif

kernel/ksu.h

@@ -1,8 +1,8 @@
 #ifndef __KSU_H_KSU
 #define __KSU_H_KSU
 
-#include "linux/types.h"
-#include "linux/workqueue.h"
+#include <linux/types.h>
+#include <linux/workqueue.h>
 
 #define KERNEL_SU_VERSION KSU_VERSION
 #define KERNEL_SU_OPTION 0xDEADBEEF
@@ -21,6 +21,9 @@
 #define CMD_SET_APP_PROFILE 11
 #define CMD_UID_GRANTED_ROOT 12
 #define CMD_UID_SHOULD_UMOUNT 13
+#define CMD_IS_SU_ENABLED 14
+#define CMD_ENABLE_SU 15
+#define CMD_GET_MANAGER_UID 16
 
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2

kernel/ksud.c

@@ -1,15 +1,17 @@
-#include "asm/current.h"
-#include "linux/compat.h"
-#include "linux/dcache.h"
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/input-event-codes.h"
-#include "linux/kprobes.h"
-#include "linux/printk.h"
-#include "linux/types.h"
-#include "linux/uaccess.h"
-#include "linux/version.h"
-#include "linux/workqueue.h"
+#include <asm/current.h>
+#include <linux/compat.h>
+#include <linux/cred.h>
+#include <linux/dcache.h>
+#include <linux/err.h>
+#include <linux/file.h>
+#include <linux/fs.h>
+#include <linux/version.h>
+#include <linux/input-event-codes.h>
+#include <linux/kprobes.h>
+#include <linux/printk.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/workqueue.h>
 
 #include "allowlist.h"
 #include "arch.h"
@@ -55,6 +57,8 @@ bool ksu_execveat_hook __read_mostly = true;
 bool ksu_input_hook __read_mostly = true;
 #endif
 
+u32 ksu_devpts_sid;
+
 void on_post_fs_data(void)
 {
 	static bool done = false;
@@ -67,6 +71,9 @@ void on_post_fs_data(void)
 	ksu_load_allow_list();
 	// sanity check, this may influence the performance
 	stop_input_hook();
+
+	ksu_devpts_sid = ksu_get_devpts_sid();
+	pr_info("devpts sid: %d\n", ksu_devpts_sid);
 }
 
 #define MAX_ARG_STRINGS 0x7FFFFFFF
@@ -107,7 +114,7 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
  * count() counts the number of strings in array ARGV.
  */
 
- /*
+/*
  * Make sure old GCC compiler can use __maybe_unused,
  * Test passed in 4.4.x ~ 4.9.x when use GCC.
  */
@@ -140,7 +147,8 @@ static int __maybe_unused count(struct user_arg_ptr argv, int max)
 
 // IMPORTANT NOTE: the call from execve_handler_pre WON'T provided correct value for envp and flags in GKI version
 int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
-				struct user_arg_ptr *argv, struct user_arg_ptr *envp, int *flags)
+			     struct user_arg_ptr *argv,
+			     struct user_arg_ptr *envp, int *flags)
 {
 #ifndef CONFIG_KPROBES
 	if (!ksu_execveat_hook) {
@@ -166,8 +174,9 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 		return 0;
 	}
 
-	if (unlikely(!memcmp(filename->name, system_bin_init, 
-				sizeof(system_bin_init) - 1) && argv)) {
+	if (unlikely(!memcmp(filename->name, system_bin_init,
+			     sizeof(system_bin_init) - 1) &&
+		     argv)) {
 		// /system/bin/init executed
 		int argc = count(*argv, MAX_ARG_STRINGS);
 		pr_info("/system/bin/init argc: %d\n", argc);
@@ -175,8 +184,10 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 			const char __user *p = get_user_arg_ptr(*argv, 1);
 			if (p && !IS_ERR(p)) {
 				char first_arg[16];
-				ksu_strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
-				pr_info("/system/bin/init first arg: %s\n", first_arg);
+				ksu_strncpy_from_user_nofault(
+					first_arg, p, sizeof(first_arg));
+				pr_info("/system/bin/init first arg: %s\n",
+					first_arg);
 				if (!strcmp(first_arg, "second_stage")) {
 					pr_info("/system/bin/init second_stage executed\n");
 					apply_kernelsu_rules();
@@ -188,7 +199,8 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 			}
 		}
 	} else if (unlikely(!memcmp(filename->name, old_system_init,
-				sizeof(old_system_init) - 1) && argv)) {
+				    sizeof(old_system_init) - 1) &&
+			    argv)) {
 		// /init executed
 		int argc = count(*argv, MAX_ARG_STRINGS);
 		pr_info("/init argc: %d\n", argc);
@@ -197,7 +209,8 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 			const char __user *p = get_user_arg_ptr(*argv, 1);
 			if (p && !IS_ERR(p)) {
 				char first_arg[16];
-				ksu_strncpy_from_user_nofault(first_arg, p, sizeof(first_arg));
+				ksu_strncpy_from_user_nofault(
+					first_arg, p, sizeof(first_arg));
 				pr_info("/init first arg: %s\n", first_arg);
 				if (!strcmp(first_arg, "--second-stage")) {
 					pr_info("/init second_stage executed\n");
@@ -214,13 +227,15 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 			if (envc > 0) {
 				int n;
 				for (n = 1; n <= envc; n++) {
-					const char __user *p = get_user_arg_ptr(*envp, n);
+					const char __user *p =
+						get_user_arg_ptr(*envp, n);
 					if (!p || IS_ERR(p)) {
 						continue;
 					}
 					char env[256];
 					// Reading environment variable strings from user space
-					if (ksu_strncpy_from_user_nofault(env, p, sizeof(env)) < 0)
+					if (ksu_strncpy_from_user_nofault(
+						    env, p, sizeof(env)) < 0)
 						continue;
 					// Parsing environment variable names and values
 					char *env_name = env;
@@ -231,10 +246,14 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 					*env_value = '\0';
 					env_value++;
 					// Check if the environment variable name and value are matching
-					if (!strcmp(env_name, "INIT_SECOND_STAGE") && (!strcmp(env_value, "1") || !strcmp(env_value, "true"))) {
+					if (!strcmp(env_name,
+						    "INIT_SECOND_STAGE") &&
+					    (!strcmp(env_value, "1") ||
+					     !strcmp(env_value, "true"))) {
 						pr_info("/init second_stage executed\n");
 						apply_kernelsu_rules();
-						init_second_stage_executed = true;
+						init_second_stage_executed =
+							true;
 						ksu_android_ns_fs_check();
 					}
 				}
@@ -242,10 +261,11 @@ int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
 		}
 	}
 
-	if (unlikely(first_app_process &&
-		!memcmp(filename->name, app_process, sizeof(app_process) - 1))) {
+	if (unlikely(first_app_process && !memcmp(filename->name, app_process,
+						  sizeof(app_process) - 1))) {
 		first_app_process = false;
-		pr_info("exec app_process, /data prepared, second_stage: %d\n", init_second_stage_executed);
+		pr_info("exec app_process, /data prepared, second_stage: %d\n",
+			init_second_stage_executed);
 		on_post_fs_data(); // we keep this for old ksud
 		stop_execve_hook();
 	}
@@ -264,7 +284,8 @@ static ssize_t read_proxy(struct file *file, char __user *buf, size_t count,
 	bool first_read = file->f_pos == 0;
 	ssize_t ret = orig_read(file, buf, count, pos);
 	if (first_read) {
-		pr_info("read_proxy append %ld + %ld\n", ret, read_count_append);
+		pr_info("read_proxy append %ld + %ld\n", ret,
+			read_count_append);
 		ret += read_count_append;
 	}
 	return ret;
@@ -376,6 +397,18 @@ int ksu_handle_vfs_read(struct file **file_ptr, char __user **buf_ptr,
 	return 0;
 }
 
+int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr,
+			size_t *count_ptr)
+{
+	struct file *file = fget(fd);
+	if (!file) {
+		return 0;
+	}
+	int result = ksu_handle_vfs_read(&file, buf_ptr, count_ptr, NULL);
+	fput(file);
+	return result;
+}
+
 static unsigned int volumedown_pressed_count = 0;
 
 static bool is_volumedown_enough(unsigned int count)
@@ -430,35 +463,37 @@ bool ksu_is_safe_mode()
 
 #ifdef CONFIG_KPROBES
 
-// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
-static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
+static int sys_execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	int *fd = (int *)&PT_REGS_PARM1(regs);
-	struct filename **filename_ptr =
-		(struct filename **)&PT_REGS_PARM2(regs);
-	struct user_arg_ptr argv;
-#ifdef CONFIG_COMPAT
-	argv.is_compat = PT_REGS_PARM3(regs);
-	if (unlikely(argv.is_compat)) {
-		argv.ptr.compat = PT_REGS_CCALL_PARM4(regs);
-	} else {
-		argv.ptr.native = PT_REGS_CCALL_PARM4(regs);
-	}
-#else
-	argv.ptr.native = PT_REGS_PARM3(regs);
-#endif
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM1(real_regs);
+	const char __user *const __user *__argv =
+		(const char __user *const __user *)PT_REGS_PARM2(real_regs);
+	struct user_arg_ptr argv = { .ptr.native = __argv };
+	struct filename filename_in, *filename_p;
+	char path[32];
 
-	return ksu_handle_execveat_ksud(fd, filename_ptr, &argv, NULL, NULL);
+	if (!filename_user)
+		return 0;
+
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, 32);
+	filename_in.name = path;
+
+	filename_p = &filename_in;
+	return ksu_handle_execveat_ksud(AT_FDCWD, &filename_p, &argv, NULL,
+					NULL);
 }
 
-static int read_handler_pre(struct kprobe *p, struct pt_regs *regs)
+static int sys_read_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	struct file **file_ptr = (struct file **)&PT_REGS_PARM1(regs);
-	char __user **buf_ptr = (char **)&PT_REGS_PARM2(regs);
-	size_t *count_ptr = (size_t *)&PT_REGS_PARM3(regs);
-	loff_t **pos_ptr = (loff_t **)&PT_REGS_CCALL_PARM4(regs);
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	unsigned int fd = PT_REGS_PARM1(real_regs);
+	char __user **buf_ptr = (char __user **)&PT_REGS_PARM2(real_regs);
+	size_t count_ptr = (size_t *)&PT_REGS_PARM3(real_regs);
 
-	return ksu_handle_vfs_read(file_ptr, buf_ptr, count_ptr, pos_ptr);
+	return ksu_handle_sys_read(fd, buf_ptr, count_ptr);
 }
 
 static int input_handle_event_handler_pre(struct kprobe *p,
@@ -471,23 +506,18 @@ static int input_handle_event_handler_pre(struct kprobe *p,
 }
 
 static struct kprobe execve_kp = {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
-	.symbol_name = "do_execveat_common",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
-	.symbol_name = "__do_execve_file",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
-	.symbol_name = "do_execveat_common",
-#endif
-	.pre_handler = execve_handler_pre,
+	.symbol_name = SYS_EXECVE_SYMBOL,
+	.pre_handler = sys_execve_handler_pre,
 };
 
 static struct kprobe vfs_read_kp = {
-	.symbol_name = "vfs_read",
-	.pre_handler = read_handler_pre,
+	.symbol_name = SYS_READ_SYMBOL,
+	.pre_handler = sys_read_handler_pre,
 };
 
-static struct kprobe input_handle_event_kp = {
-	.symbol_name = "input_handle_event",
+
+static struct kprobe input_event_kp = {
+	.symbol_name = "input_event",
 	.pre_handler = input_handle_event_handler_pre,
 };
 
@@ -503,7 +533,7 @@ static void do_stop_execve_hook(struct work_struct *work)
 
 static void do_stop_input_hook(struct work_struct *work)
 {
-	unregister_kprobe(&input_handle_event_kp);
+	unregister_kprobe(&input_event_kp);
 }
 #endif
 
@@ -546,7 +576,7 @@ static void stop_input_hook()
 }
 
 // ksud: module support
-void ksu_enable_ksud()
+void ksu_ksud_init()
 {
 #ifdef CONFIG_KPROBES
 	int ret;
@@ -557,11 +587,21 @@ void ksu_enable_ksud()
 	ret = register_kprobe(&vfs_read_kp);
 	pr_info("ksud: vfs_read_kp: %d\n", ret);
 
-	ret = register_kprobe(&input_handle_event_kp);
-	pr_info("ksud: input_handle_event_kp: %d\n", ret);
+	ret = register_kprobe(&input_event_kp);
+	pr_info("ksud: input_event_kp: %d\n", ret);
 
 	INIT_WORK(&stop_vfs_read_work, do_stop_vfs_read_hook);
 	INIT_WORK(&stop_execve_hook_work, do_stop_execve_hook);
 	INIT_WORK(&stop_input_hook_work, do_stop_input_hook);
 #endif
 }
+
+void ksu_ksud_exit()
+{
+#ifdef CONFIG_KPROBES
+	unregister_kprobe(&execve_kp);
+	// this should be done before unregister vfs_read_kp
+	// unregister_kprobe(&vfs_read_kp);
+	unregister_kprobe(&input_event_kp);
+#endif
+}

kernel/ksud.h

@@ -1,10 +1,14 @@
 #ifndef __KSU_H_KSUD
 #define __KSU_H_KSUD
 
+#include <linux/types.h>
+
 #define KSUD_PATH "/data/adb/ksud"
 
 void on_post_fs_data(void);
 
 bool ksu_is_safe_mode(void);
 
+extern u32 ksu_devpts_sid;
+
 #endif

kernel/manager.c

@@ -1,102 +0,0 @@
-#include "linux/cred.h"
-#include "linux/gfp.h"
-#include "linux/slab.h"
-#include "linux/uidgid.h"
-#include "linux/version.h"
-
-#include "linux/fdtable.h"
-#include "linux/fs.h"
-#include "linux/rcupdate.h"
-
-#include "apk_sign.h"
-#include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
-#include "manager.h"
-
-uid_t ksu_manager_uid = KSU_INVALID_UID;
-
-bool become_manager(char *pkg)
-{
-	struct fdtable *files_table;
-	int i = 0;
-	struct path files_path;
-	char *cwd;
-	char *buf;
-	bool result = false;
-
-#ifdef KSU_MANAGER_PACKAGE
-	// pkg is `/<real package>`
-	if (strncmp(pkg + 1, KSU_MANAGER_PACKAGE,
-		    sizeof(KSU_MANAGER_PACKAGE)) != 0) {
-		pr_info("manager package is inconsistent with kernel build: %s\n",
-			KSU_MANAGER_PACKAGE);
-		return false;
-	}
-#endif
-	// must be zygote's direct child, otherwise any app can fork a new process and
-	// open manager's apk
-	if (task_uid(current->real_parent).val != 0) {
-		pr_info("parent is not zygote!\n");
-		return false;
-	}
-
-	buf = (char *)kmalloc(PATH_MAX, GFP_ATOMIC);
-	if (!buf) {
-		pr_err("kalloc path failed.\n");
-		return false;
-	}
-
-	files_table = files_fdtable(current->files);
-
-	int pkg_len = strlen(pkg);
-	// todo: use iterate_fd
-	for (i = 0; files_table->fd[i] != NULL; i++) {
-		files_path = files_table->fd[i]->f_path;
-		if (!d_is_reg(files_path.dentry)) {
-			continue;
-		}
-		cwd = d_path(&files_path, buf, PATH_MAX);
-		if (startswith(cwd, "/data/app/") != 0 ||
-		    endswith(cwd, "==/base.apk") != 0) {
-			// AOSP generate ramdom base64 with 16bit, without NO_PADDING, so it must have two "="
-			continue;
-		}
-		// we have found the apk!
-		pr_info("found apk: %s\n", cwd);
-		char *pkg_index = strstr(cwd, pkg);
-		if (!pkg_index) {
-			pr_info("apk path not match package name!\n");
-			continue;
-		}
-		char *next_char = pkg_index + pkg_len;
-		// because we ensure the cwd must startswith `/data/app` and endswith `base.apk`
-		// we don't need to check if the pointer is out of bounds
-		if (*next_char != '-') {
-			// from android 8.1: http://aospxref.com/android-8.1.0_r81/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java#17612
-			// to android 13: http://aospxref.com/android-13.0.0_r3/xref/frameworks/base/services/core/java/com/android/server/pm/PackageManagerServiceUtils.java#1208
-			// /data/app/~~[randomStringA]/[packageName]-[randomStringB]
-			// the previous char must be `/` and the next char must be `-`
-			// because we use strstr instead of equals, this is a strong verfication.
-			pr_info("invalid pkg: %s\n", pkg);
-			continue;
-		}
-		if (is_manager_apk(cwd)) {
-			// check passed
-			uid_t uid = current_uid().val;
-			pr_info("manager uid: %d\n", uid);
-
-			ksu_set_manager_uid(uid);
-
-			result = true;
-			goto clean;
-		} else {
-			pr_info("manager signature invalid!\n");
-		}
-
-		break;
-	}
-
-clean:
-	kfree(buf);
-	return result;
-}

kernel/manager.h

@@ -1,8 +1,8 @@
 #ifndef __KSU_H_KSU_MANAGER
 #define __KSU_H_KSU_MANAGER
 
-#include "linux/cred.h"
-#include "linux/types.h"
+#include <linux/cred.h>
+#include <linux/types.h>
 
 #define KSU_INVALID_UID -1
 
@@ -33,6 +33,4 @@ static inline void ksu_invalidate_manager_uid()
 	ksu_manager_uid = KSU_INVALID_UID;
 }
 
-bool become_manager(char *pkg);
-
 #endif

kernel/module_api.c

@@ -1,33 +0,0 @@
-#include "linux/kallsyms.h"
-
-#define RE_EXPORT_SYMBOL1(ret, func, t1, v1)                                   \
-	ret ksu_##func(t1 v1)                                                  \
-	{                                                                      \
-		return func(v1);                                               \
-	}                                                                      \
-	EXPORT_SYMBOL(ksu_##func);
-
-#define RE_EXPORT_SYMBOL2(ret, func, t1, v1, t2, v2)                           \
-	ret ksu_##func(t1 v1, t2 v2)                                           \
-	{                                                                      \
-		return func(v1, v2);                                           \
-	}                                                                      \
-	EXPORT_SYMBOL(ksu_##func);
-
-RE_EXPORT_SYMBOL1(unsigned long, kallsyms_lookup_name, const char *, name)
-
-// RE_EXPORT_SYMBOL2(int, register_kprobe, struct kprobe *, p)
-// RE_EXPORT_SYMBOL2(void, unregister_kprobe, struct kprobe *, p)
-
-// RE_EXPORT_SYMBOL2(int, register_kprobe, struct kprobe *, p)
-// RE_EXPORT_SYMBOL2(void, unregister_kprobe, struct kprobe *, p)
-
-// int ksu_register_kprobe(struct kprobe *p);
-// void ksu_unregister_kprobe(struct kprobe *p);
-// int ksu_register_kprobes(struct kprobe **kps, int num);
-// void ksu_unregister_kprobes(struct kprobe **kps, int num);
-
-// int ksu_register_kretprobe(struct kretprobe *rp);
-// void unregister_kretprobe(struct kretprobe *rp);
-// int register_kretprobes(struct kretprobe **rps, int num);
-// void unregister_kretprobes(struct kretprobe **rps, int num);

kernel/selinux/rules.c

@@ -1,6 +1,6 @@
-#include "linux/uaccess.h"
-#include "linux/types.h"
-#include "linux/version.h"
+#include <linux/uaccess.h>
+#include <linux/types.h>
+#include <linux/version.h>
 
 #include "../klog.h" // IWYU pragma: keep
 #include "selinux.h"
@@ -9,9 +9,7 @@
 #include "linux/lsm_audit.h"
 #include "xfrm.h"
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)
 #define SELINUX_POLICY_INSTEAD_SELINUX_SS
-#endif
 
 #define KERNEL_SU_DOMAIN "su"
 #define KERNEL_SU_FILE "ksu_file"
@@ -21,29 +19,24 @@
 static struct policydb *get_policydb(void)
 {
 	struct policydb *db;
-// selinux_state does not exists before 4.19
-#ifdef KSU_COMPAT_USE_SELINUX_STATE
-#ifdef SELINUX_POLICY_INSTEAD_SELINUX_SS
-	struct selinux_policy *policy = rcu_dereference(selinux_state.policy);
+	struct selinux_policy *policy = selinux_state.policy;
 	db = &policy->policydb;
-#else
-	struct selinux_ss *ss = rcu_dereference(selinux_state.ss);
-	db = &ss->policydb;
-#endif
-#else
-	db = &policydb;
-#endif
 	return db;
 }
 
+static DEFINE_MUTEX(ksu_rules);
+
 void apply_kernelsu_rules()
 {
+	struct policydb *db;
+
 	if (!getenforce()) {
 		pr_info("SELinux permissive or disabled, apply rules!\n");
 	}
 
-	rcu_read_lock();
-	struct policydb *db = get_policydb();
+	mutex_lock(&ksu_rules);
+
+	db = get_policydb();
 
 	ksu_permissive(db, KERNEL_SU_DOMAIN);
 	ksu_typeattribute(db, KERNEL_SU_DOMAIN, "mlstrustedsubject");
@@ -69,6 +62,11 @@ void apply_kernelsu_rules()
 	// we need to save allowlist in /data/adb/ksu
 	ksu_allow(db, "kernel", "adb_data_file", "dir", ALL);
 	ksu_allow(db, "kernel", "adb_data_file", "file", ALL);
+	// we need to search /data/app
+	ksu_allow(db, "kernel", "apk_data_file", "file", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "open");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "read");
+	ksu_allow(db, "kernel", "apk_data_file", "dir", "search");
 	// we may need to do mount on shell
 	ksu_allow(db, "kernel", "shell_data_file", "file", ALL);
 	// we need to read /data/system/packages.list
@@ -125,13 +123,11 @@ void apply_kernelsu_rules()
 	// Allow all binder transactions
 	ksu_allow(db, ALL, KERNEL_SU_DOMAIN, "binder", ALL);
 
-	// Allow system server devpts
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
-		  "read");
-	ksu_allow(db, "system_server", "untrusted_app_all_devpts", "chr_file",
-		  "write");
+	// Allow system server kill su process
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid");
+	ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill");
 
-	rcu_read_unlock();
+	mutex_unlock(&ksu_rules);
 }
 
 #define MAX_SEPOL_LEN 128
@@ -178,8 +174,7 @@ static int get_object(char *buf, char __user *user_object, size_t buf_sz,
 // reset avc cache table, otherwise the new rules will not take effect if already denied
 static void reset_avc_cache()
 {
-#if ((!defined(KSU_COMPAT_USE_SELINUX_STATE)) || \
-        LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
+#if (LINUX_VERSION_CODE >= KERNEL_VERSION(6, 4, 0))
 	avc_ss_reset(0);
 	selnl_notify_policyload(0);
 	selinux_status_update_policyload(0);
@@ -194,6 +189,8 @@ static void reset_avc_cache()
 
 int handle_sepolicy(unsigned long arg3, void __user *arg4)
 {
+	struct policydb *db;
+
 	if (!arg4) {
 		return -1;
 	}
@@ -211,9 +208,9 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 	u32 cmd = data.cmd;
 	u32 subcmd = data.subcmd;
 
-	rcu_read_lock();
+	mutex_lock(&ksu_rules);
 
-	struct policydb *db = get_policydb();
+	db = get_policydb();
 
 	int ret = -1;
 	if (cmd == CMD_NORMAL_PERM) {
@@ -463,7 +460,7 @@ int handle_sepolicy(unsigned long arg3, void __user *arg4)
 	}
 
 exit:
-	rcu_read_unlock();
+	mutex_unlock(&ksu_rules);
 
 	// only allow and xallow needs to reset avc cache, but we cannot do that because
 	// we are in atomic context. so we just reset it every time.

kernel/selinux/selinux.c

@@ -2,9 +2,6 @@
 #include "objsec.h"
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
-#ifndef KSU_COMPAT_USE_SELINUX_STATE
-#include "avc.h"
-#endif
 
 #define KERNEL_SU_DOMAIN "u:r:su:s0"
 
@@ -55,32 +52,20 @@ if (!is_domain_permissive) {
 void setenforce(bool enforce)
 {
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	selinux_state.enforcing = enforce;
-#else
-	selinux_enforcing = enforce;
-#endif
 #endif
 }
 
 bool getenforce()
 {
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
-#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	if (selinux_state.disabled) {
-#else
-	if (selinux_disabled) {
-#endif
 		return false;
 	}
 #endif
 
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
-#ifdef KSU_COMPAT_USE_SELINUX_STATE
 	return selinux_state.enforcing;
-#else
-	return selinux_enforcing;
-#endif
 #else
 	return true;
 #endif
@@ -129,4 +114,17 @@ bool is_zygote(void *sec)
 	result = strncmp("u:r:zygote:s0", domain, seclen) == 0;
 	security_release_secctx(domain, seclen);
 	return result;
-}
+}
+
+#define DEVPTS_DOMAIN "u:object_r:ksu_file:s0"
+
+u32 ksu_get_devpts_sid()
+{
+	u32 devpts_sid = 0;
+	int err = security_secctx_to_secid(DEVPTS_DOMAIN, strlen(DEVPTS_DOMAIN),
+					   &devpts_sid);
+	if (err) {
+		pr_info("get devpts sid err %d\n", err);
+	}
+	return devpts_sid;
+}

kernel/selinux/selinux.h

@@ -4,10 +4,6 @@
 #include "linux/types.h"
 #include "linux/version.h"
 
-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) || defined(KSU_COMPAT_HAS_SELINUX_STATE)
-#define KSU_COMPAT_USE_SELINUX_STATE
-#endif
-
 void setup_selinux(const char *);
 
 void setenforce(bool);
@@ -20,4 +16,6 @@ bool is_zygote(void *cred);
 
 void apply_kernelsu_rules();
 
+u32 ksu_get_devpts_sid();
+
 #endif

kernel/selinux/sepolicy.c

@@ -1,26 +1,15 @@
-#include "sepolicy.h"
-#include "linux/gfp.h"
-#include "linux/printk.h"
-#include "linux/slab.h"
-#include "linux/version.h"
+#include <linux/gfp.h>
+#include <linux/printk.h>
+#include <linux/slab.h>
+#include <linux/version.h>
 
+#include "sepolicy.h"
 #include "../klog.h" // IWYU pragma: keep
 #include "ss/symtab.h"
+#include "../kernel_compat.h" // Add check Huawei Device
 
 #define KSU_SUPPORT_ADD_TYPE
 
-/*
- * Adapt to Huawei HISI kernel without affecting other kernels ,
- * Huawei Hisi Kernel EBITMAP Enable or Disable Flag ,
- * From ss/ebitmap.h
- */
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0) &&                           \
-	LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
-#ifdef HISI_SELINUX_EBITMAP_RO
-#define CONFIG_IS_HW_HISI
-#endif
-#endif
-
 //////////////////////////////////////////////////////
 // Declaration
 //////////////////////////////////////////////////////
@@ -535,7 +524,6 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 		return false;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 7, 0)
 	struct filename_trans_key key;
 	key.ttype = tgt->value;
 	key.tclass = cls->value;
@@ -543,13 +531,8 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 
 	struct filename_trans_datum *last = NULL;
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
 	struct filename_trans_datum *trans =
 		policydb_filenametr_search(db, &key);
-#else
-	struct filename_trans_datum *trans =
-		hashtab_search(&db->filename_trans, &key);
-#endif
 	while (trans) {
 		if (ebitmap_get_bit(&trans->stypes, src->value - 1)) {
 			// Duplicate, overwrite existing data and return
@@ -578,39 +561,6 @@ static bool add_filename_trans(struct policydb *db, const char *s,
 
 	db->compat_filename_trans_count++;
 	return ebitmap_set_bit(&trans->stypes, src->value - 1, 1) == 0;
-#else // < 5.7.0, has no filename_trans_key, but struct filename_trans
-
-	struct filename_trans key;
-	key.ttype = tgt->value;
-	key.tclass = cls->value;
-	key.name = (char *)o;
-
-	struct filename_trans_datum *trans =
-		hashtab_search(db->filename_trans, &key);
-
-	if (trans == NULL) {
-		trans = (struct filename_trans_datum *)kcalloc(sizeof(*trans),
-							       1, GFP_ATOMIC);
-		if (!trans) {
-			pr_err("add_filename_trans: Failed to alloc datum\n");
-			return false;
-		}
-		struct filename_trans *new_key =
-			(struct filename_trans *)kmalloc(sizeof(*new_key),
-							 GFP_ATOMIC);
-		if (!new_key) {
-			pr_err("add_filename_trans: Failed to alloc new_key\n");
-			return false;
-		}
-		*new_key = key;
-		new_key->name = kstrdup(key.name, GFP_ATOMIC);
-		trans->otype = def->value;
-		hashtab_insert(db->filename_trans, new_key, trans);
-	}
-
-	return ebitmap_set_bit(&db->filename_trans_ttypes, src->value - 1, 1) ==
-	       0;
-#endif
 }
 
 static bool add_genfscon(struct policydb *db, const char *fs_name,
@@ -619,9 +569,24 @@ static bool add_genfscon(struct policydb *db, const char *fs_name,
 	return false;
 }
 
+static void *ksu_realloc(void *old, size_t new_size, size_t old_size)
+{
+	// we can't use krealloc, because it may be read-only
+	void *new = kzalloc(new_size, GFP_ATOMIC);
+	if (!new) {
+		return NULL;
+	}
+	if (old_size) {
+		memcpy(new, old, old_size);
+	}
+	// we can't use kfree, because it may be read-only
+	// there maybe some leaks, maybe we can check ptr_write, but it's not a big deal
+	// kfree(old);
+	return new;
+}
+
 static bool add_type(struct policydb *db, const char *type_name, bool attr)
 {
-#ifdef KSU_SUPPORT_ADD_TYPE
 	struct type_datum *type = symtab_search(&db->p_types, type_name);
 	if (type) {
 		pr_warn("Type %s already exists\n", type_name);
@@ -651,30 +616,30 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 		return false;
 	}
 
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
-	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
 	struct ebitmap *new_type_attr_map_array =
-		(krealloc(db->type_attr_map_array, new_size, GFP_ATOMIC));
-
-	struct type_datum **new_type_val_to_struct =
-		krealloc(db->type_val_to_struct,
-			 sizeof(*db->type_val_to_struct) * db->p_types.nprim,
-			 GFP_ATOMIC);
+		ksu_realloc(db->type_attr_map_array,
+			    value * sizeof(struct ebitmap),
+			    (value - 1) * sizeof(struct ebitmap));
 
 	if (!new_type_attr_map_array) {
 		pr_err("add_type: alloc type_attr_map_array failed\n");
 		return false;
 	}
 
+	struct type_datum **new_type_val_to_struct =
+		ksu_realloc(db->type_val_to_struct,
+			    sizeof(*db->type_val_to_struct) * value,
+			    sizeof(*db->type_val_to_struct) * (value - 1));
+
 	if (!new_type_val_to_struct) {
 		pr_err("add_type: alloc type_val_to_struct failed\n");
 		return false;
 	}
 
 	char **new_val_to_name_types =
-		krealloc(db->sym_val_to_name[SYM_TYPES],
-			 sizeof(char *) * db->symtab[SYM_TYPES].nprim,
-			 GFP_KERNEL);
+		ksu_realloc(db->sym_val_to_name[SYM_TYPES],
+			    sizeof(char *) * value,
+			    sizeof(char *) * (value - 1));
 	if (!new_val_to_name_types) {
 		pr_err("add_type: alloc val_to_name failed\n");
 		return false;
@@ -697,171 +662,6 @@ static bool add_type(struct policydb *db, const char *type_name, bool attr)
 	}
 
 	return true;
-#elif defined(CONFIG_IS_HW_HISI)
-	/*
-   * Huawei use type_attr_map and type_val_to_struct.
-   * And use ebitmap not flex_array.
-   */
-	size_t new_size = sizeof(struct ebitmap) * db->p_types.nprim;
-	struct ebitmap *new_type_attr_map =
-		(krealloc(db->type_attr_map, new_size, GFP_ATOMIC));
-
-	struct type_datum **new_type_val_to_struct =
-		krealloc(db->type_val_to_struct,
-			 sizeof(*db->type_val_to_struct) * db->p_types.nprim,
-			 GFP_ATOMIC);
-
-	if (!new_type_attr_map) {
-		pr_err("add_type: alloc type_attr_map failed\n");
-		return false;
-	}
-
-	if (!new_type_val_to_struct) {
-		pr_err("add_type: alloc type_val_to_struct failed\n");
-		return false;
-	}
-
-	char **new_val_to_name_types =
-		krealloc(db->sym_val_to_name[SYM_TYPES],
-			 sizeof(char *) * db->symtab[SYM_TYPES].nprim,
-			 GFP_KERNEL);
-	if (!new_val_to_name_types) {
-		pr_err("add_type: alloc val_to_name failed\n");
-		return false;
-	}
-
-	db->type_attr_map = new_type_attr_map;
-	ebitmap_init(&db->type_attr_map[value - 1], HISI_SELINUX_EBITMAP_RO);
-	ebitmap_set_bit(&db->type_attr_map[value - 1], value - 1, 1);
-
-	db->type_val_to_struct = new_type_val_to_struct;
-	db->type_val_to_struct[value - 1] = type;
-
-	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
-	db->sym_val_to_name[SYM_TYPES][value - 1] = key;
-
-	int i;
-	for (i = 0; i < db->p_roles.nprim; ++i) {
-		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				1);
-	}
-
-	return true;
-#else
-	// flex_array is not extensible, we need to create a new bigger one instead
-	struct flex_array *new_type_attr_map_array =
-		flex_array_alloc(sizeof(struct ebitmap), db->p_types.nprim,
-				 GFP_ATOMIC | __GFP_ZERO);
-
-	struct flex_array *new_type_val_to_struct =
-		flex_array_alloc(sizeof(struct type_datum *), db->p_types.nprim,
-				 GFP_ATOMIC | __GFP_ZERO);
-
-	struct flex_array *new_val_to_name_types =
-		flex_array_alloc(sizeof(char *), db->symtab[SYM_TYPES].nprim,
-				 GFP_ATOMIC | __GFP_ZERO);
-
-	if (!new_type_attr_map_array) {
-		pr_err("add_type: alloc type_attr_map_array failed\n");
-		return false;
-	}
-
-	if (!new_type_val_to_struct) {
-		pr_err("add_type: alloc type_val_to_struct failed\n");
-		return false;
-	}
-
-	if (!new_val_to_name_types) {
-		pr_err("add_type: alloc val_to_name failed\n");
-		return false;
-	}
-
-	// preallocate so we don't have to worry about the put ever failing
-	if (flex_array_prealloc(new_type_attr_map_array, 0, db->p_types.nprim,
-				GFP_ATOMIC | __GFP_ZERO)) {
-		pr_err("add_type: prealloc type_attr_map_array failed\n");
-		return false;
-	}
-
-	if (flex_array_prealloc(new_type_val_to_struct, 0, db->p_types.nprim,
-				GFP_ATOMIC | __GFP_ZERO)) {
-		pr_err("add_type: prealloc type_val_to_struct_array failed\n");
-		return false;
-	}
-
-	if (flex_array_prealloc(new_val_to_name_types, 0,
-				db->symtab[SYM_TYPES].nprim,
-				GFP_ATOMIC | __GFP_ZERO)) {
-		pr_err("add_type: prealloc val_to_name_types failed\n");
-		return false;
-	}
-
-	int j;
-	void *old_elem;
-	// copy the old data or pointers to new flex arrays
-	for (j = 0; j < db->type_attr_map_array->total_nr_elements; j++) {
-		old_elem = flex_array_get(db->type_attr_map_array, j);
-		if (old_elem)
-			flex_array_put(new_type_attr_map_array, j, old_elem,
-				       GFP_ATOMIC | __GFP_ZERO);
-	}
-
-	for (j = 0; j < db->type_val_to_struct_array->total_nr_elements; j++) {
-		old_elem = flex_array_get_ptr(db->type_val_to_struct_array, j);
-		if (old_elem)
-			flex_array_put_ptr(new_type_val_to_struct, j, old_elem,
-					   GFP_ATOMIC | __GFP_ZERO);
-	}
-
-	for (j = 0; j < db->symtab[SYM_TYPES].nprim; j++) {
-		old_elem =
-			flex_array_get_ptr(db->sym_val_to_name[SYM_TYPES], j);
-		if (old_elem)
-			flex_array_put_ptr(new_val_to_name_types, j, old_elem,
-					   GFP_ATOMIC | __GFP_ZERO);
-	}
-
-	// store the pointer of old flex arrays first, when assigning new ones we
-	// should free it
-	struct flex_array *old_fa;
-
-	old_fa = db->type_attr_map_array;
-	db->type_attr_map_array = new_type_attr_map_array;
-	if (old_fa) {
-		flex_array_free(old_fa);
-	}
-
-	ebitmap_init(flex_array_get(db->type_attr_map_array, value - 1));
-	ebitmap_set_bit(flex_array_get(db->type_attr_map_array, value - 1),
-			value - 1, 1);
-
-	old_fa = db->type_val_to_struct_array;
-	db->type_val_to_struct_array = new_type_val_to_struct;
-	if (old_fa) {
-		flex_array_free(old_fa);
-	}
-	flex_array_put_ptr(db->type_val_to_struct_array, value - 1, type,
-			   GFP_ATOMIC | __GFP_ZERO);
-
-	old_fa = db->sym_val_to_name[SYM_TYPES];
-	db->sym_val_to_name[SYM_TYPES] = new_val_to_name_types;
-	if (old_fa) {
-		flex_array_free(old_fa);
-	}
-	flex_array_put_ptr(db->sym_val_to_name[SYM_TYPES], value - 1, key,
-			   GFP_ATOMIC | __GFP_ZERO);
-
-	int i;
-	for (i = 0; i < db->p_roles.nprim; ++i) {
-		ebitmap_set_bit(&db->role_val_to_struct[i]->types, value - 1,
-				1);
-	}
-	return true;
-#endif
-
-#else
-	return false;
-#endif
 }
 
 static bool set_type_state(struct policydb *db, const char *type_name,
@@ -896,18 +696,7 @@ static bool set_type_state(struct policydb *db, const char *type_name,
 static void add_typeattribute_raw(struct policydb *db, struct type_datum *type,
 				  struct type_datum *attr)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0)
 	struct ebitmap *sattr = &db->type_attr_map_array[type->value - 1];
-#elif defined(CONFIG_IS_HW_HISI)
-	/*
-   *   HISI_SELINUX_EBITMAP_RO is Huawei's unique features.
-   */
-	struct ebitmap *sattr = &db->type_attr_map[type->value - 1],
-		       HISI_SELINUX_EBITMAP_RO;
-#else
-	struct ebitmap *sattr =
-		flex_array_get(db->type_attr_map_array, type->value - 1);
-#endif
 	ebitmap_set_bit(sattr, attr->value - 1, 1);
 
 	struct hashtab_node *node;

kernel/selinux/sepolicy.h

@@ -1,7 +1,7 @@
 #ifndef __KSU_H_SEPOLICY
 #define __KSU_H_SEPOLICY
 
-#include "linux/types.h"
+#include <linux/types.h>
 
 #include "ss/policydb.h"
 

kernel/setup.sh

@@ -1,50 +1,75 @@
 #!/bin/sh
-set -eux
+set -eu
 
 GKI_ROOT=$(pwd)
 
-echo "[+] GKI_ROOT: $GKI_ROOT"
+display_usage() {
+    echo "Usage: $0 [--cleanup | <commit-or-tag>]"
+    echo "  --cleanup:              Cleans up previous modifications made by the script."
+    echo "  <commit-or-tag>:        Sets up or updates the KernelSU to specified tag or commit."
+    echo "  -h, --help:             Displays this usage information."
+    echo "  (no args):              Sets up or updates the KernelSU environment to the latest tagged version."
+}
 
-if test -d "$GKI_ROOT/common/drivers"; then
-     DRIVER_DIR="$GKI_ROOT/common/drivers"
-elif test -d "$GKI_ROOT/drivers"; then
-     DRIVER_DIR="$GKI_ROOT/drivers"
+initialize_variables() {
+    if test -d "$GKI_ROOT/common/drivers"; then
+         DRIVER_DIR="$GKI_ROOT/common/drivers"
+    elif test -d "$GKI_ROOT/drivers"; then
+         DRIVER_DIR="$GKI_ROOT/drivers"
+    else
+         echo '[ERROR] "drivers/" directory not found.'
+         exit 127
+    fi
+
+    DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
+    DRIVER_KCONFIG=$DRIVER_DIR/Kconfig
+}
+
+# Reverts modifications made by this script
+perform_cleanup() {
+    echo "[+] Cleaning up..."
+    [ -L "$DRIVER_DIR/kernelsu" ] && rm "$DRIVER_DIR/kernelsu" && echo "[-] Symlink removed."
+    grep -q "kernelsu" "$DRIVER_MAKEFILE" && sed -i '/kernelsu/d' "$DRIVER_MAKEFILE" && echo "[-] Makefile reverted."
+    grep -q "drivers/kernelsu/Kconfig" "$DRIVER_KCONFIG" && sed -i '/drivers\/kernelsu\/Kconfig/d' "$DRIVER_KCONFIG" && echo "[-] Kconfig reverted."
+    if [ -d "$GKI_ROOT/KernelSU" ]; then
+        rm -rf "$GKI_ROOT/KernelSU" && echo "[-] KernelSU directory deleted."
+    fi
+}
+
+# Sets up or update KernelSU environment
+setup_kernelsu() {
+    echo "[+] Setting up KernelSU..."
+    test -d "$GKI_ROOT/KernelSU" || git clone https://github.com/tiann/KernelSU && echo "[+] Repository cloned."
+    cd "$GKI_ROOT/KernelSU"
+    git stash && echo "[-] Stashed current changes."
+    if [ "$(git status | grep -Po 'v\d+(\.\d+)*' | head -n1)" ]; then
+        git checkout main && echo "[-] Switched to main branch."
+    fi
+    git pull && echo "[+] Repository updated."
+    if [ -z "${1-}" ]; then
+        git checkout "$(git describe --abbrev=0 --tags)" && echo "[-] Checked out latest tag."
+    else
+        git checkout "$1" && echo "[-] Checked out $1." || echo "[-] Checkout default branch"
+    fi
+    cd "$DRIVER_DIR"
+    ln -sf "$(realpath --relative-to="$DRIVER_DIR" "$GKI_ROOT/KernelSU/kernel")" "kernelsu" && echo "[+] Symlink created."
+
+    # Add entries in Makefile and Kconfig if not already existing
+    grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "\nobj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE" && echo "[+] Modified Makefile."
+    grep -q "source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG" && echo "[+] Modified Kconfig."
+    echo '[+] Done.'
+}
+
+# Process command-line arguments
+if [ "$#" -eq 0 ]; then
+    initialize_variables
+    setup_kernelsu
+elif [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+    display_usage
+elif [ "$1" = "--cleanup" ]; then
+    initialize_variables
+    perform_cleanup
 else
-     echo '[ERROR] "drivers/" directory is not found.'
-     echo '[+] You should modify this script by yourself.'
-     exit 127
+    initialize_variables
+    setup_kernelsu "$@"
 fi
-
-test -d "$GKI_ROOT/KernelSU" || git clone https://github.com/tiann/KernelSU
-cd "$GKI_ROOT/KernelSU"
-git stash
-if [ "$(git status | grep -Po 'v\d+(\.\d+)*' | head -n1)" ]; then
-     git checkout main
-fi
-git pull
-if [ -z "${1-}" ]; then
-    git checkout "$(git describe --abbrev=0 --tags)"
-else
-    git checkout "$1"
-fi
-cd "$GKI_ROOT"
-
-echo "[+] GKI_ROOT: $GKI_ROOT"
-echo "[+] Copy kernel su driver to $DRIVER_DIR"
-
-cd "$DRIVER_DIR"
-if test -d "$GKI_ROOT/common/drivers"; then
-     ln -sf "../../KernelSU/kernel" "kernelsu"
-elif test -d "$GKI_ROOT/drivers"; then
-     ln -sf "../KernelSU/kernel" "kernelsu"
-fi
-cd "$GKI_ROOT"
-
-echo '[+] Add kernel su driver to Makefile'
-
-DRIVER_MAKEFILE=$DRIVER_DIR/Makefile
-DRIVER_KCONFIG=$DRIVER_DIR/Kconfig
-grep -q "kernelsu" "$DRIVER_MAKEFILE" || printf "obj-\$(CONFIG_KSU) += kernelsu/\n" >> "$DRIVER_MAKEFILE"
-grep -q "kernelsu" "$DRIVER_KCONFIG" || sed -i "/endmenu/i\\source \"drivers/kernelsu/Kconfig\"" "$DRIVER_KCONFIG"
-
-echo '[+] Done.'

kernel/sucompat.c

@@ -1,17 +1,16 @@
-#include "asm/current.h"
-#include "linux/cred.h"
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/kprobes.h"
-#include "linux/types.h"
-#include "linux/uaccess.h"
-#include "linux/version.h"
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-#include "linux/sched/task_stack.h"
-#else
-#include "linux/sched.h"
-#endif
+#include <linux/dcache.h>
+#include <linux/security.h>
+#include <asm/current.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/kprobes.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/version.h>
+#include <linux/sched/task_stack.h>
 
+#include "objsec.h"
 #include "allowlist.h"
 #include "arch.h"
 #include "klog.h" // IWYU pragma: keep
@@ -39,8 +38,15 @@ static char __user *sh_user_path(void)
 	return userspace_stack_buffer(sh_path, sizeof(sh_path));
 }
 
+static char __user *ksud_user_path(void)
+{
+	static const char ksud_path[] = KSUD_PATH;
+
+	return userspace_stack_buffer(ksud_path, sizeof(ksud_path));
+}
+
 int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
-			 int *flags)
+			 int *__unused_flags)
 {
 	const char su[] = SU_PATH;
 
@@ -75,11 +81,12 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 
 	char path[sizeof(su) + 1];
 	memset(path, 0, sizeof(path));
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0)
+// Remove this later!! we use syscall hook, so this will never happen!!!!!
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 18, 0) && 0
 	// it becomes a `struct filename *` after 5.18
 	// https://elixir.bootlin.com/linux/v5.18/source/fs/stat.c#L216
 	const char sh[] = SH_PATH;
-	struct filename *filename = * ((struct filename **) filename_user);
+	struct filename *filename = *((struct filename **)filename_user);
 	if (IS_ERR(filename)) {
 		return 0;
 	}
@@ -101,7 +108,8 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 
 // the call from execve_handler_pre won't provided correct value for __never_use_argument, use them after fix execve_handler_pre, keeping them for consistence for manually patched code
 int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
-				 void *__never_use_argv, void *__never_use_envp, int *__never_use_flags)
+				 void *__never_use_argv, void *__never_use_envp,
+				 int *__never_use_flags)
 {
 	struct filename *filename;
 	const char sh[] = KSUD_PATH;
@@ -129,85 +137,150 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 	return 0;
 }
 
+int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
+			       void *__never_use_argv, void *__never_use_envp,
+			       int *__never_use_flags)
+{
+	const char su[] = SU_PATH;
+	char path[sizeof(su) + 1];
+
+	if (unlikely(!filename_user))
+		return 0;
+
+	memset(path, 0, sizeof(path));
+	ksu_strncpy_from_user_nofault(path, *filename_user, sizeof(path));
+
+	if (likely(memcmp(path, su, sizeof(su))))
+		return 0;
+
+	if (!ksu_is_allow_uid(current_uid().val))
+		return 0;
+
+	pr_info("sys_execve su found\n");
+	*filename_user = ksud_user_path();
+
+	escape_to_root();
+
+	return 0;
+}
+
+int ksu_handle_devpts(struct inode *inode)
+{
+	if (!current->mm) {
+		return 0;
+	}
+
+	uid_t uid = current_uid().val;
+	if (uid % 100000 < 10000) {
+		// not untrusted_app, ignore it
+		return 0;
+	}
+
+	if (!ksu_is_allow_uid(uid))
+		return 0;
+
+	if (ksu_devpts_sid) {
+		struct inode_security_struct *sec = selinux_inode(inode);
+		if (sec) {
+			sec->sid = ksu_devpts_sid;
+		}
+	}
+
+	return 0;
+}
+
 #ifdef CONFIG_KPROBES
 
 static int faccessat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	int *dfd = (int *)PT_REGS_PARM1(regs);
-	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
-	int *mode = (int *)&PT_REGS_PARM3(regs);
-	// Both sys_ and do_ is C function
-	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM2(real_regs);
+	int *mode = (int *)&PT_REGS_PARM3(real_regs);
 
-	return ksu_handle_faccessat(dfd, filename_user, mode, flags);
+	return ksu_handle_faccessat(dfd, filename_user, mode, NULL);
 }
 
 static int newfstatat_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	int *dfd = (int *)&PT_REGS_PARM1(regs);
-	const char __user **filename_user = (const char **)&PT_REGS_PARM2(regs);
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-// static int vfs_statx(int dfd, const char __user *filename, int flags, struct kstat *stat, u32 request_mask)
-	int *flags = (int *)&PT_REGS_PARM3(regs);
-#else
-// int vfs_fstatat(int dfd, const char __user *filename, struct kstat *stat,int flag)
-	int *flags = (int *)&PT_REGS_CCALL_PARM4(regs);
-#endif
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	int *dfd = (int *)&PT_REGS_PARM1(real_regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM2(real_regs);
+	int *flags = (int *)&PT_REGS_SYSCALL_PARM4(real_regs);
 
 	return ksu_handle_stat(dfd, filename_user, flags);
 }
 
-// https://elixir.bootlin.com/linux/v5.10.158/source/fs/exec.c#L1864
 static int execve_handler_pre(struct kprobe *p, struct pt_regs *regs)
 {
-	int *fd = (int *)&PT_REGS_PARM1(regs);
-	struct filename **filename_ptr =
-		(struct filename **)&PT_REGS_PARM2(regs);
+	struct pt_regs *real_regs = PT_REAL_REGS(regs);
+	const char __user **filename_user =
+		(const char **)&PT_REGS_PARM1(real_regs);
 
-	return ksu_handle_execveat_sucompat(fd, filename_ptr, NULL, NULL, NULL);
+	return ksu_handle_execve_sucompat(AT_FDCWD, filename_user, NULL, NULL,
+					  NULL);
 }
 
-static struct kprobe faccessat_kp = {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
-	.symbol_name = "do_faccessat",
-#else
-	.symbol_name = "sys_faccessat",
-#endif
-	.pre_handler = faccessat_handler_pre,
-};
+static int pts_unix98_lookup_pre(struct kprobe *p, struct pt_regs *regs)
+{
+	struct inode *inode;
+	struct file *file = (struct file *)PT_REGS_PARM2(regs);
+	inode = file->f_path.dentry->d_inode;
 
-static struct kprobe newfstatat_kp = {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 11, 0)
-	.symbol_name = "vfs_statx",
-#else
-	.symbol_name = "vfs_fstatat",
-#endif
-	.pre_handler = newfstatat_handler_pre,
-};
+	return ksu_handle_devpts(inode);
+}
 
-static struct kprobe execve_kp = {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 9, 0)
-	.symbol_name = "do_execveat_common",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(4, 19, 0)
-	.symbol_name = "__do_execve_file",
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
-	.symbol_name = "do_execveat_common",
-#endif
-	.pre_handler = execve_handler_pre,
-};
+static struct kprobe *init_kprobe(const char *name,
+				  kprobe_pre_handler_t handler)
+{
+	struct kprobe *kp = kzalloc(sizeof(struct kprobe), GFP_KERNEL);
+	if (!kp)
+		return NULL;
+	kp->symbol_name = name;
+	kp->pre_handler = handler;
 
+	int ret = register_kprobe(kp);
+	pr_info("sucompat: register_%s kprobe: %d\n", name, ret);
+	if (ret) {
+		kfree(kp);
+		return NULL;
+	}
+
+	return kp;
+}
+
+static void destroy_kprobe(struct kprobe **kp_ptr)
+{
+	struct kprobe *kp = *kp_ptr;
+	if (!kp)
+		return;
+	unregister_kprobe(kp);
+	synchronize_rcu();
+	kfree(kp);
+	*kp_ptr = NULL;
+}
+
+static struct kprobe *su_kps[4];
 #endif
 
 // sucompat: permited process can execute 'su' to gain root access.
-void ksu_enable_sucompat()
+void ksu_sucompat_init()
 {
 #ifdef CONFIG_KPROBES
-	int ret;
-	ret = register_kprobe(&execve_kp);
-	pr_info("sucompat: execve_kp: %d\n", ret);
-	ret = register_kprobe(&newfstatat_kp);
-	pr_info("sucompat: newfstatat_kp: %d\n", ret);
-	ret = register_kprobe(&faccessat_kp);
-	pr_info("sucompat: faccessat_kp: %d\n", ret);
+	su_kps[0] = init_kprobe(SYS_EXECVE_SYMBOL, execve_handler_pre);
+	su_kps[1] = init_kprobe(SYS_FACCESSAT_SYMBOL, faccessat_handler_pre);
+	su_kps[2] = init_kprobe(SYS_NEWFSTATAT_SYMBOL, newfstatat_handler_pre);
+	su_kps[3] = init_kprobe("pts_unix98_lookup", pts_unix98_lookup_pre);
+#endif
+}
+
+void ksu_sucompat_exit()
+{
+#ifdef CONFIG_KPROBES
+	for (int i = 0; i < ARRAY_SIZE(su_kps); i++) {
+		destroy_kprobe(&su_kps[i]);
+	}
 #endif
 }

kernel/throne_tracker.c

@@ -0,0 +1,405 @@
+#include <linux/err.h>
+#include <linux/fs.h>
+#include <linux/list.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <linux/types.h>
+#include <linux/version.h>
+
+#include "allowlist.h"
+#include "klog.h" // IWYU pragma: keep
+#include "ksu.h"
+#include "manager.h"
+#include "throne_tracker.h"
+#include "kernel_compat.h"
+
+uid_t ksu_manager_uid = KSU_INVALID_UID;
+
+#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list.tmp"
+
+struct uid_data {
+	struct list_head list;
+	u32 uid;
+	char package[KSU_MAX_PACKAGE_NAME];
+};
+
+static int get_pkg_from_apk_path(char *pkg, const char *path)
+{
+	int len = strlen(path);
+	if (len >= KSU_MAX_PACKAGE_NAME || len < 1)
+		return -1;
+
+	const char *last_slash = NULL;
+	const char *second_last_slash = NULL;
+
+	int i;
+	for (i = len - 1; i >= 0; i--) {
+		if (path[i] == '/') {
+			if (!last_slash) {
+				last_slash = &path[i];
+			} else {
+				second_last_slash = &path[i];
+				break;
+			}
+		}
+	}
+
+	if (!last_slash || !second_last_slash)
+		return -1;
+
+	const char *last_hyphen = strchr(second_last_slash, '-');
+	if (!last_hyphen || last_hyphen > last_slash)
+		return -1;
+
+	int pkg_len = last_hyphen - second_last_slash - 1;
+	if (pkg_len >= KSU_MAX_PACKAGE_NAME || pkg_len <= 0)
+		return -1;
+
+	// Copying the package name
+	strncpy(pkg, second_last_slash + 1, pkg_len);
+	pkg[pkg_len] = '\0';
+
+	return 0;
+}
+
+static void crown_manager(const char *apk, struct list_head *uid_data)
+{
+	char pkg[KSU_MAX_PACKAGE_NAME];
+	if (get_pkg_from_apk_path(pkg, apk) < 0) {
+		pr_err("Failed to get package name from apk path: %s\n", apk);
+		return;
+	}
+
+	pr_info("manager pkg: %s\n", pkg);
+
+#ifdef KSU_MANAGER_PACKAGE
+	// pkg is `/<real package>`
+	if (strncmp(pkg, KSU_MANAGER_PACKAGE, sizeof(KSU_MANAGER_PACKAGE))) {
+		pr_info("manager package is inconsistent with kernel build: %s\n",
+			KSU_MANAGER_PACKAGE);
+		return;
+	}
+#endif
+	struct list_head *list = (struct list_head *)uid_data;
+	struct uid_data *np;
+
+	list_for_each_entry (np, list, list) {
+		if (strncmp(np->package, pkg, KSU_MAX_PACKAGE_NAME) == 0) {
+			pr_info("Crowning manager: %s(uid=%d)\n", pkg, np->uid);
+			ksu_set_manager_uid(np->uid);
+			break;
+		}
+	}
+}
+
+#define DATA_PATH_LEN 384 // 384 is enough for /data/app/<package>/base.apk
+
+struct data_path {
+	char dirpath[DATA_PATH_LEN];
+	int depth;
+	struct list_head list;
+};
+
+struct apk_path_hash {
+	unsigned int hash;
+	bool exists;
+	struct list_head list;
+};
+
+static struct list_head apk_path_hash_list = LIST_HEAD_INIT(apk_path_hash_list);
+
+struct my_dir_context {
+	struct dir_context ctx;
+	struct list_head *data_path_list;
+	char *parent_dir;
+	void *private_data;
+	int depth;
+	int *stop;
+};
+// https://docs.kernel.org/filesystems/porting.html
+// filldir_t (readdir callbacks) calling conventions have changed. Instead of returning 0 or -E... it returns bool now. false means "no more" (as -E... used to) and true - "keep going" (as 0 in old calling conventions). Rationale: callers never looked at specific -E... values anyway. -> iterate_shared() instances require no changes at all, all filldir_t ones in the tree converted.
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(6, 1, 0)
+#define FILLDIR_RETURN_TYPE bool
+#define FILLDIR_ACTOR_CONTINUE true
+#define FILLDIR_ACTOR_STOP false
+#else
+#define FILLDIR_RETURN_TYPE int
+#define FILLDIR_ACTOR_CONTINUE 0
+#define FILLDIR_ACTOR_STOP -EINVAL
+#endif
+
+FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
+			     int namelen, loff_t off, u64 ino,
+			     unsigned int d_type)
+{
+	struct my_dir_context *my_ctx =
+		container_of(ctx, struct my_dir_context, ctx);
+	char dirpath[DATA_PATH_LEN];
+
+	if (!my_ctx) {
+		pr_err("Invalid context\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+	if (my_ctx->stop && *my_ctx->stop) {
+		pr_info("Stop searching\n");
+		return FILLDIR_ACTOR_STOP;
+	}
+
+	if (!strncmp(name, "..", namelen) || !strncmp(name, ".", namelen))
+		return FILLDIR_ACTOR_CONTINUE; // Skip "." and ".."
+
+	if (d_type == DT_DIR && namelen >= 8 && !strncmp(name, "vmdl", 4) &&
+	    !strncmp(name + namelen - 4, ".tmp", 4)) {
+		pr_info("Skipping directory: %.*s\n", namelen, name);
+		return FILLDIR_ACTOR_CONTINUE; // Skip staging package
+	}
+
+	if (snprintf(dirpath, DATA_PATH_LEN, "%s/%.*s", my_ctx->parent_dir,
+		     namelen, name) >= DATA_PATH_LEN) {
+		pr_err("Path too long: %s/%.*s\n", my_ctx->parent_dir, namelen,
+		       name);
+		return FILLDIR_ACTOR_CONTINUE;
+	}
+
+	if (d_type == DT_DIR && my_ctx->depth > 0 &&
+	    (my_ctx->stop && !*my_ctx->stop)) {
+		struct data_path *data = kmalloc(sizeof(struct data_path), GFP_ATOMIC);
+
+		if (!data) {
+			pr_err("Failed to allocate memory for %s\n", dirpath);
+			return FILLDIR_ACTOR_CONTINUE;
+		}
+
+		strscpy(data->dirpath, dirpath, DATA_PATH_LEN);
+		data->depth = my_ctx->depth - 1;
+		list_add_tail(&data->list, my_ctx->data_path_list);
+	} else {
+		if ((namelen == 8) && (strncmp(name, "base.apk", namelen) == 0)) {
+			struct apk_path_hash *pos, *n;
+			unsigned int hash = full_name_hash(NULL, dirpath, strlen(dirpath));
+			list_for_each_entry(pos, &apk_path_hash_list, list) {
+				if (hash == pos->hash) {
+					pos->exists = true;
+					return FILLDIR_ACTOR_CONTINUE;
+				}
+			}
+
+			bool is_manager = is_manager_apk(dirpath);
+			pr_info("Found new base.apk at path: %s, is_manager: %d\n",
+				dirpath, is_manager);
+			if (is_manager) {
+				crown_manager(dirpath, my_ctx->private_data);
+				*my_ctx->stop = 1;
+
+				// Manager found, clear APK cache list
+				list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
+					list_del(&pos->list);
+					kfree(pos);
+				}
+			} else {
+				struct apk_path_hash *apk_data = kmalloc(sizeof(struct apk_path_hash), GFP_ATOMIC);
+				apk_data->hash = hash;
+				apk_data->exists = true;
+				list_add_tail(&apk_data->list, &apk_path_hash_list);
+			}
+		}
+	}
+
+	return FILLDIR_ACTOR_CONTINUE;
+}
+
+void search_manager(const char *path, int depth, struct list_head *uid_data)
+{
+	int i, stop = 0;
+	struct list_head data_path_list;
+	INIT_LIST_HEAD(&data_path_list);
+	unsigned long data_app_magic = 0;
+	
+	// Initialize APK cache list
+	struct apk_path_hash *pos, *n;
+	list_for_each_entry(pos, &apk_path_hash_list, list) {
+		pos->exists = false;
+	}
+
+	// First depth
+	struct data_path data;
+	strscpy(data.dirpath, path, DATA_PATH_LEN);
+	data.depth = depth;
+	list_add_tail(&data.list, &data_path_list);
+
+	for (i = depth; i >= 0; i--) {
+		struct data_path *pos, *n;
+
+		list_for_each_entry_safe(pos, n, &data_path_list, list) {
+			struct my_dir_context ctx = { .ctx.actor = my_actor,
+						      .data_path_list = &data_path_list,
+						      .parent_dir = pos->dirpath,
+						      .private_data = uid_data,
+						      .depth = pos->depth,
+						      .stop = &stop };
+			struct file *file;
+
+			if (!stop) {
+				file = ksu_filp_open_compat(pos->dirpath, O_RDONLY | O_NOFOLLOW, 0);
+				if (IS_ERR(file)) {
+					pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file));
+					goto skip_iterate;
+				}
+				
+				// grab magic on first folder, which is /data/app
+				if (!data_app_magic) {
+					if (file->f_inode->i_sb->s_magic) {
+						data_app_magic = file->f_inode->i_sb->s_magic;
+						pr_info("%s: dir: %s got magic! 0x%lx\n", __func__, pos->dirpath, data_app_magic);
+					} else {
+						filp_close(file, NULL);
+						goto skip_iterate;
+					}
+				}
+				
+				if (file->f_inode->i_sb->s_magic != data_app_magic) {
+					pr_info("%s: skip: %s magic: 0x%lx expected: 0x%lx\n", __func__, pos->dirpath, 
+						file->f_inode->i_sb->s_magic, data_app_magic);
+					filp_close(file, NULL);
+					goto skip_iterate;
+				}
+
+				iterate_dir(file, &ctx.ctx);
+				filp_close(file, NULL);
+			}
+skip_iterate:
+			list_del(&pos->list);
+			if (pos != &data)
+				kfree(pos);
+		}
+	}
+
+	// Remove stale cached APK entries
+	list_for_each_entry_safe(pos, n, &apk_path_hash_list, list) {
+		if (!pos->exists) {
+			list_del(&pos->list);
+			kfree(pos);
+		}
+	}
+}
+
+static bool is_uid_exist(uid_t uid, char *package, void *data)
+{
+	struct list_head *list = (struct list_head *)data;
+	struct uid_data *np;
+
+	bool exist = false;
+	list_for_each_entry (np, list, list) {
+		if (np->uid == uid % 100000 &&
+		    strncmp(np->package, package, KSU_MAX_PACKAGE_NAME) == 0) {
+			exist = true;
+			break;
+		}
+	}
+	return exist;
+}
+
+void track_throne()
+{
+	struct file *fp =
+		ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+	if (IS_ERR(fp)) {
+		pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n",
+		       __func__, PTR_ERR(fp));
+		return;
+	}
+
+	struct list_head uid_list;
+	INIT_LIST_HEAD(&uid_list);
+
+	char chr = 0;
+	loff_t pos = 0;
+	loff_t line_start = 0;
+	char buf[KSU_MAX_PACKAGE_NAME];
+	for (;;) {
+		ssize_t count =
+			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+		if (count != sizeof(chr))
+			break;
+		if (chr != '\n')
+			continue;
+
+		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
+					       &line_start);
+
+		struct uid_data *data =
+			kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
+		if (!data) {
+			filp_close(fp, 0);
+			goto out;
+		}
+
+		char *tmp = buf;
+		const char *delim = " ";
+		char *package = strsep(&tmp, delim);
+		char *uid = strsep(&tmp, delim);
+		if (!uid || !package) {
+			pr_err("update_uid: package or uid is NULL!\n");
+			break;
+		}
+
+		u32 res;
+		if (kstrtou32(uid, 10, &res)) {
+			pr_err("update_uid: uid parse err\n");
+			break;
+		}
+		data->uid = res;
+		strncpy(data->package, package, KSU_MAX_PACKAGE_NAME);
+		list_add_tail(&data->list, &uid_list);
+		// reset line start
+		line_start = pos;
+	}
+	filp_close(fp, 0);
+
+	// now update uid list
+	struct uid_data *np;
+	struct uid_data *n;
+
+	// first, check if manager_uid exist!
+	bool manager_exist = false;
+	list_for_each_entry (np, &uid_list, list) {
+		// if manager is installed in work profile, the uid in packages.list is still equals main profile
+		// don't delete it in this case!
+		int manager_uid = ksu_get_manager_uid() % 100000;
+		if (np->uid == manager_uid) {
+			manager_exist = true;
+			break;
+		}
+	}
+
+	if (!manager_exist) {
+		if (ksu_is_manager_uid_valid()) {
+			pr_info("manager is uninstalled, invalidate it!\n");
+			ksu_invalidate_manager_uid();
+			goto prune;
+		}
+		pr_info("Searching manager...\n");
+		search_manager("/data/app", 2, &uid_list);
+		pr_info("Search manager finished\n");
+	}
+
+prune:
+	// then prune the allowlist
+	ksu_prune_allowlist(is_uid_exist, &uid_list);
+out:
+	// free uid_list
+	list_for_each_entry_safe (np, n, &uid_list, list) {
+		list_del(&np->list);
+		kfree(np);
+	}
+}
+
+void ksu_throne_tracker_init()
+{
+	// nothing to do
+}
+
+void ksu_throne_tracker_exit()
+{
+	// nothing to do
+}

kernel/throne_tracker.h

@@ -0,0 +1,10 @@
+#ifndef __KSU_H_UID_OBSERVER
+#define __KSU_H_UID_OBSERVER
+
+void ksu_throne_tracker_init();
+
+void ksu_throne_tracker_exit();
+
+void track_throne();
+
+#endif

kernel/uid_observer.c

@@ -1,144 +0,0 @@
-#include "linux/err.h"
-#include "linux/fs.h"
-#include "linux/list.h"
-#include "linux/slab.h"
-#include "linux/string.h"
-#include "linux/types.h"
-#include "linux/version.h"
-#include "linux/workqueue.h"
-
-#include "allowlist.h"
-#include "klog.h" // IWYU pragma: keep
-#include "ksu.h"
-#include "manager.h"
-#include "uid_observer.h"
-#include "kernel_compat.h"
-
-#define SYSTEM_PACKAGES_LIST_PATH "/data/system/packages.list"
-static struct work_struct ksu_update_uid_work;
-
-struct uid_data {
-	struct list_head list;
-	u32 uid;
-	char package[KSU_MAX_PACKAGE_NAME];
-};
-
-static bool is_uid_exist(uid_t uid, char *package, void *data)
-{
-	struct list_head *list = (struct list_head *)data;
-	struct uid_data *np;
-
-	bool exist = false;
-	list_for_each_entry (np, list, list) {
-		if (np->uid == uid % 100000 &&
-		    strncmp(np->package, package, KSU_MAX_PACKAGE_NAME) == 0) {
-			exist = true;
-			break;
-		}
-	}
-	return exist;
-}
-
-static void do_update_uid(struct work_struct *work)
-{
-	struct file *fp =
-		ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
-	if (IS_ERR(fp)) {
-		pr_err("do_update_uid, open " SYSTEM_PACKAGES_LIST_PATH
-		       " failed: %ld\n",
-		       PTR_ERR(fp));
-		return;
-	}
-
-	struct list_head uid_list;
-	INIT_LIST_HEAD(&uid_list);
-
-	char chr = 0;
-	loff_t pos = 0;
-	loff_t line_start = 0;
-	char buf[KSU_MAX_PACKAGE_NAME];
-	for (;;) {
-		ssize_t count =
-			ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
-		if (count != sizeof(chr))
-			break;
-		if (chr != '\n')
-			continue;
-
-		count = ksu_kernel_read_compat(fp, buf, sizeof(buf),
-					       &line_start);
-
-		struct uid_data *data =
-			kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
-		if (!data) {
-			goto out;
-		}
-
-		char *tmp = buf;
-		const char *delim = " ";
-		char *package = strsep(&tmp, delim);
-		char *uid = strsep(&tmp, delim);
-		if (!uid || !package) {
-			pr_err("update_uid: package or uid is NULL!\n");
-			break;
-		}
-
-		u32 res;
-		if (kstrtou32(uid, 10, &res)) {
-			pr_err("update_uid: uid parse err\n");
-			break;
-		}
-		data->uid = res;
-		strncpy(data->package, package, KSU_MAX_PACKAGE_NAME);
-		list_add_tail(&data->list, &uid_list);
-		// reset line start
-		line_start = pos;
-	}
-
-	// now update uid list
-	struct uid_data *np;
-	struct uid_data *n;
-
-	// first, check if manager_uid exist!
-	bool manager_exist = false;
-	list_for_each_entry (np, &uid_list, list) {
-		// if manager is installed in work profile, the uid in packages.list is still equals main profile
-		// don't delete it in this case!
-		int manager_uid = ksu_get_manager_uid() % 100000;
-		if (np->uid == manager_uid) {
-			manager_exist = true;
-			break;
-		}
-	}
-
-	if (!manager_exist && ksu_is_manager_uid_valid()) {
-		pr_info("manager is uninstalled, invalidate it!\n");
-		ksu_invalidate_manager_uid();
-	}
-
-	// then prune the allowlist
-	ksu_prune_allowlist(is_uid_exist, &uid_list);
-out:
-	// free uid_list
-	list_for_each_entry_safe (np, n, &uid_list, list) {
-		list_del(&np->list);
-		kfree(np);
-	}
-	filp_close(fp, 0);
-}
-
-void update_uid()
-{
-	ksu_queue_work(&ksu_update_uid_work);
-}
-
-int ksu_uid_observer_init()
-{
-	INIT_WORK(&ksu_update_uid_work, do_update_uid);
-	return 0;
-}
-
-int ksu_uid_observer_exit()
-{
-	return 0;
-}

kernel/uid_observer.h

@@ -1,10 +0,0 @@
-#ifndef __KSU_H_UID_OBSERVER
-#define __KSU_H_UID_OBSERVER
-
-int ksu_uid_observer_init();
-
-int ksu_uid_observer_exit();
-
-void update_uid();
-
-#endif

manager/.gitignore

@@ -1,9 +1,10 @@
 *.iml
 .gradle
-local.properties
 .idea
+.kotlin
 .DS_Store
 build
 captures
 .cxx
+local.properties
 key.jks

manager/app/build.gradle.kts

@@ -1,8 +1,12 @@
+@file:Suppress("UnstableApiUsage")
+
 import com.android.build.gradle.internal.api.BaseVariantOutputImpl
+import com.android.build.gradle.tasks.PackageAndroidArtifact
 
 plugins {
     alias(libs.plugins.agp.app)
     alias(libs.plugins.kotlin)
+    alias(libs.plugins.compose.compiler)
     alias(libs.plugins.ksp)
     alias(libs.plugins.lsplugin.apksign)
     id("kotlin-parcelize")
@@ -33,14 +37,11 @@ android {
         aidl = true
         buildConfig = true
         compose = true
+        prefab = true
     }
 
     kotlinOptions {
-        jvmTarget = "17"
-    }
-
-    composeOptions {
-        kotlinCompilerExtensionVersion = "1.4.3"
+        jvmTarget = "21"
     }
 
     packaging {
@@ -48,7 +49,13 @@ android {
             useLegacyPackaging = true
         }
         resources {
-            excludes += "/META-INF/{AL2.0,LGPL2.1}"
+            // https://stackoverflow.com/a/58956288
+            // It will break Layout Inspector, but it's unused for release build.
+            excludes += "META-INF/*.version"
+            // https://github.com/Kotlin/kotlinx.coroutines?tab=readme-ov-file#avoiding-including-the-debug-infrastructure-in-the-resulting-apk
+            excludes += "DebugProbesKt.bin"
+            // https://issueantenna.com/repo/kotlin/kotlinx.coroutines/issues/3158
+            excludes += "kotlin-tooling-metadata.json"
         }
     }
 
@@ -63,13 +70,30 @@ android {
             val output = it as BaseVariantOutputImpl
             output.outputFileName = "KernelSU_${managerVersionName}_${managerVersionCode}-$name.apk"
         }
-
         kotlin.sourceSets {
             getByName(name) {
                 kotlin.srcDir("build/generated/ksp/$name/kotlin")
             }
         }
     }
+
+    // https://stackoverflow.com/a/77745844
+    tasks.withType<PackageAndroidArtifact> {
+        doFirst { appMetadata.asFile.orNull?.writeText("") }
+    }
+
+    dependenciesInfo {
+        includeInApk = false
+        includeInBundle = false
+    }
+
+    androidResources {
+        generateLocaleConfig = true
+    }
+}
+
+ksp {
+    arg("compose-destinations.defaultTransitions", "none")
 }
 
 dependencies {
@@ -90,15 +114,12 @@ dependencies {
     implementation(libs.androidx.lifecycle.runtime.ktx)
     implementation(libs.androidx.lifecycle.viewmodel.compose)
 
-    implementation(libs.com.google.accompanist.drawablepainter)
-    implementation(libs.com.google.accompanist.navigation.animation)
-    implementation(libs.com.google.accompanist.systemuicontroller)
-
-    implementation(libs.compose.destinations.animations.core)
+    implementation(libs.compose.destinations.core)
     ksp(libs.compose.destinations.ksp)
 
     implementation(libs.com.github.topjohnwu.libsu.core)
     implementation(libs.com.github.topjohnwu.libsu.service)
+    implementation(libs.com.github.topjohnwu.libsu.io)
 
     implementation(libs.dev.rikka.rikkax.parcelablelist)
 
@@ -113,4 +134,7 @@ dependencies {
     implementation(libs.sheet.compose.dialogs.input)
 
     implementation(libs.markdown)
-}
+    implementation(libs.androidx.webkit)
+
+    implementation(libs.lsposed.cxx)
+}

manager/app/proguard-rules.pro

@@ -1,9 +0,0 @@
--dontwarn org.bouncycastle.jsse.BCSSLParameters
--dontwarn org.bouncycastle.jsse.BCSSLSocket
--dontwarn org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
--dontwarn org.conscrypt.Conscrypt$Version
--dontwarn org.conscrypt.Conscrypt
--dontwarn org.conscrypt.ConscryptHostnameVerifier
--dontwarn org.openjsse.javax.net.ssl.SSLParameters
--dontwarn org.openjsse.javax.net.ssl.SSLSocket
--dontwarn org.openjsse.net.ssl.OpenJSSE

manager/app/src/main/AndroidManifest.xml

@@ -12,24 +12,27 @@
         android:fullBackupContent="@xml/backup_rules"
         android:icon="@mipmap/ic_launcher"
         android:label="@string/app_name"
+        android:networkSecurityConfig="@xml/network_security_config"
         android:supportsRtl="true"
         android:theme="@style/Theme.KernelSU"
-        tools:targetApi="33">
+        tools:targetApi="34">
         <activity
             android:name=".ui.MainActivity"
             android:exported="true"
             android:theme="@style/Theme.KernelSU">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
-
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
-
-            <meta-data
-                android:name="android.app.lib_name"
-                android:value="" />
         </activity>
 
+        <activity
+            android:name=".ui.webui.WebUIActivity"
+            android:autoRemoveFromRecents="true"
+            android:documentLaunchMode="intoExisting"
+            android:exported="false"
+            android:theme="@style/Theme.KernelSU.WebUI" />
+
         <provider
             android:name="androidx.core.content.FileProvider"
             android:authorities="${applicationId}.fileprovider"
@@ -41,4 +44,4 @@
         </provider>
     </application>
 
-</manifest>
+</manifest>

manager/app/src/main/cpp/CMakeLists.txt

@@ -7,6 +7,9 @@ cmake_minimum_required(VERSION 3.18.1)
 
 project("kernelsu")
 
+find_package(cxx REQUIRED CONFIG)
+link_libraries(cxx::cxx)
+
 add_library(kernelsu
         SHARED
         jni.cc

manager/app/src/main/cpp/jni.cc

@@ -46,6 +46,12 @@ Java_me_weishu_kernelsu_Natives_isSafeMode(JNIEnv *env, jclass clazz) {
     return is_safe_mode();
 }
 
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_isLkmMode(JNIEnv *env, jclass clazz) {
+    return is_lkm_mode();
+}
+
 static void fillIntArray(JNIEnv *env, jobject list, int *data, int count) {
     auto cls = env->GetObjectClass(list);
     auto add = env->GetMethodID(cls, "add", "(Ljava/lang/Object;)Z");
@@ -289,4 +295,14 @@ extern "C"
 JNIEXPORT jboolean JNICALL
 Java_me_weishu_kernelsu_Natives_uidShouldUmount(JNIEnv *env, jobject thiz, jint uid) {
     return uid_should_umount(uid);
+}
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_isSuEnabled(JNIEnv *env, jobject thiz) {
+    return is_su_enabled();
+}
+extern "C"
+JNIEXPORT jboolean JNICALL
+Java_me_weishu_kernelsu_Natives_setSuEnabled(JNIEnv *env, jobject thiz, jboolean enabled) {
+    return set_su_enabled(enabled);
 }

manager/app/src/main/cpp/ksu.cc

@@ -27,6 +27,8 @@
 
 #define CMD_IS_UID_GRANTED_ROOT 12
 #define CMD_IS_UID_SHOULD_UMOUNT 13
+#define CMD_IS_SU_ENABLED 14
+#define CMD_ENABLE_SU 15
 
 static bool ksuctl(int cmd, void* arg1, void* arg2) {
     int32_t result = 0;
@@ -47,10 +49,15 @@ bool become_manager(const char* pkg) {
     return ksuctl(CMD_BECOME_MANAGER, param, nullptr);
 }
 
-int get_version() {
+// cache the result to avoid unnecessary syscall
+static bool is_lkm = false;
+
+int get_version(void) {
     int32_t version = -1;
-    if (ksuctl(CMD_GET_VERSION, &version, nullptr)) {
-        return version;
+    int32_t flags = 0;
+    ksuctl(CMD_GET_VERSION, &version, &flags); 
+    if (!is_lkm && (flags & 0x1)) {
+        is_lkm = true;
     }
     return version;
 }
@@ -63,6 +70,11 @@ bool is_safe_mode() {
     return ksuctl(CMD_CHECK_SAFEMODE, nullptr, nullptr);
 }
 
+bool is_lkm_mode() {
+    // you should call get_version first!
+    return is_lkm;
+}
+
 bool uid_should_umount(int uid) {
     bool should;
     return ksuctl(CMD_IS_UID_SHOULD_UMOUNT, reinterpret_cast<void*>(uid), &should) && should;
@@ -75,3 +87,14 @@ bool set_app_profile(const app_profile *profile) {
 bool get_app_profile(p_key_t key, app_profile *profile) {
     return ksuctl(CMD_GET_APP_PROFILE, (void*) profile, nullptr);
 }
+
+bool set_su_enabled(bool enabled) {
+    return ksuctl(CMD_ENABLE_SU, (void*) enabled, nullptr);
+}
+
+bool is_su_enabled() {
+    bool enabled = true;
+    // if ksuctl failed, we assume su is enabled, and it cannot be disabled.
+    ksuctl(CMD_IS_SU_ENABLED, &enabled, nullptr);
+    return enabled;
+}

manager/app/src/main/cpp/ksu.h

@@ -17,6 +17,8 @@ bool uid_should_umount(int uid);
 
 bool is_safe_mode();
 
+bool is_lkm_mode();
+
 #define KSU_APP_PROFILE_VER 2
 #define KSU_MAX_PACKAGE_NAME 256
 // NGROUPS_MAX for Linux is 65535 generally, but we only supports 32 groups.
@@ -77,4 +79,8 @@ bool set_app_profile(const app_profile *profile);
 
 bool get_app_profile(p_key_t key, app_profile *profile);
 
+bool set_su_enabled(bool enabled);
+
+bool is_su_enabled();
+
 #endif //KERNELSU_KSU_H

manager/app/src/main/java/me/weishu/kernelsu/KernelSUApplication.kt

@@ -1,15 +1,22 @@
 package me.weishu.kernelsu
 
 import android.app.Application
+import android.system.Os
 import coil.Coil
 import coil.ImageLoader
 import me.zhanghai.android.appiconloader.coil.AppIconFetcher
 import me.zhanghai.android.appiconloader.coil.AppIconKeyer
+import okhttp3.Cache
+import okhttp3.OkHttpClient
+import java.io.File
+import java.util.Locale
 
 lateinit var ksuApp: KernelSUApplication
 
 class KernelSUApplication : Application() {
 
+    lateinit var okhttpClient: OkHttpClient
+
     override fun onCreate() {
         super.onCreate()
         ksuApp = this
@@ -24,7 +31,25 @@ class KernelSUApplication : Application() {
                 }
                 .build()
         )
+
+        val webroot = File(dataDir, "webroot")
+        if (!webroot.exists()) {
+            webroot.mkdir()
+        }
+
+        // Provide working env for rust's temp_dir()
+        Os.setenv("TMPDIR", cacheDir.absolutePath, true)
+
+        okhttpClient =
+            OkHttpClient.Builder().cache(Cache(File(cacheDir, "okhttp"), 10 * 1024 * 1024))
+                .addInterceptor { block ->
+                    block.proceed(
+                        block.request().newBuilder()
+                            .header("User-Agent", "KernelSU/${BuildConfig.VERSION_CODE}")
+                            .header("Accept-Language", Locale.getDefault().toLanguageTag()).build()
+                    )
+                }.build()
     }
 
 
-}
+}

manager/app/src/main/java/me/weishu/kernelsu/Natives.kt

@@ -18,6 +18,12 @@ object Natives {
     // 11071: Fix the issue of failing to set a custom SELinux type.
     const val MINIMAL_SUPPORTED_KERNEL = 11071
 
+    // 11640: Support query working mode, LKM or GKI
+    // when MINIMAL_SUPPORTED_KERNEL > 11640, we can remove this constant.
+    const val MINIMAL_SUPPORTED_KERNEL_LKM = 11648
+
+    // 12040: Support disable sucompat mode
+    const val MINIMAL_SUPPORTED_SU_COMPAT = 12040
     const val KERNEL_SU_DOMAIN = "u:r:su:s0"
 
     const val ROOT_UID = 0
@@ -39,6 +45,9 @@ object Natives {
     val isSafeMode: Boolean
         external get
 
+    val isLkmMode: Boolean
+        external get
+
     external fun uidShouldUmount(uid: Int): Boolean
 
     /**
@@ -49,6 +58,15 @@ object Natives {
     external fun getAppProfile(key: String?, uid: Int): Profile
     external fun setAppProfile(profile: Profile?): Boolean
 
+    /**
+     * `su` compat mode can be disabled temporarily.
+     *  0: disabled
+     *  1: enabled
+     *  negative : error
+     */
+    external fun isSuEnabled(): Boolean
+    external fun setSuEnabled(enabled: Boolean): Boolean
+
     private const val NON_ROOT_DEFAULT_PROFILE_KEY = "$"
     private const val NOBODY_UID = 9999
 

manager/app/src/main/java/me/weishu/kernelsu/ui/MainActivity.kt

@@ -1,15 +1,30 @@
 package me.weishu.kernelsu.ui
 
+import android.os.Build
 import android.os.Bundle
 import androidx.activity.ComponentActivity
 import androidx.activity.compose.setContent
-import androidx.compose.animation.ExperimentalAnimationApi
+import androidx.activity.enableEdgeToEdge
+import androidx.compose.animation.AnimatedContentTransitionScope
+import androidx.compose.animation.EnterTransition
+import androidx.compose.animation.ExitTransition
+import androidx.compose.animation.core.tween
+import androidx.compose.animation.fadeIn
+import androidx.compose.animation.fadeOut
+import androidx.compose.animation.scaleOut
+import androidx.compose.animation.slideInHorizontally
+import androidx.compose.animation.slideOutHorizontally
+import androidx.compose.foundation.layout.WindowInsets
+import androidx.compose.foundation.layout.WindowInsetsSides
+import androidx.compose.foundation.layout.displayCutout
+import androidx.compose.foundation.layout.only
 import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.systemBars
+import androidx.compose.foundation.layout.union
 import androidx.compose.material3.Icon
 import androidx.compose.material3.NavigationBar
 import androidx.compose.material3.NavigationBarItem
 import androidx.compose.material3.Scaffold
-import androidx.compose.material3.SnackbarHost
 import androidx.compose.material3.SnackbarHostState
 import androidx.compose.material3.Text
 import androidx.compose.runtime.Composable
@@ -19,42 +34,96 @@ import androidx.compose.runtime.remember
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.res.stringResource
 import androidx.compose.ui.unit.dp
+import androidx.navigation.NavBackStackEntry
 import androidx.navigation.NavHostController
-import com.google.accompanist.navigation.animation.rememberAnimatedNavController
+import androidx.navigation.compose.rememberNavController
 import com.ramcosta.composedestinations.DestinationsNavHost
-import com.ramcosta.composedestinations.navigation.popBackStack
+import com.ramcosta.composedestinations.animations.NavHostAnimatedDestinationStyle
+import com.ramcosta.composedestinations.generated.NavGraphs
 import com.ramcosta.composedestinations.utils.isRouteOnBackStackAsState
+import com.ramcosta.composedestinations.utils.rememberDestinationsNavigator
 import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.ksuApp
-import me.weishu.kernelsu.ui.component.rememberDialogHostState
 import me.weishu.kernelsu.ui.screen.BottomBarDestination
-import me.weishu.kernelsu.ui.screen.NavGraphs
 import me.weishu.kernelsu.ui.theme.KernelSUTheme
-import me.weishu.kernelsu.ui.util.LocalDialogHost
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
+import me.weishu.kernelsu.ui.util.rootAvailable
+import me.weishu.kernelsu.ui.util.install
 
 class MainActivity : ComponentActivity() {
 
-    @OptIn(ExperimentalAnimationApi::class)
     override fun onCreate(savedInstanceState: Bundle?) {
+
+        // Enable edge to edge
+        enableEdgeToEdge()
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+            window.isNavigationBarContrastEnforced = false
+        }
+
         super.onCreate(savedInstanceState)
 
+        val isManager = Natives.becomeManager(ksuApp.packageName)
+        if (isManager) install()
+
         setContent {
             KernelSUTheme {
-                val navController = rememberAnimatedNavController()
-                val snackbarHostState = remember { SnackbarHostState() }
+                val navController = rememberNavController()
+                val snackBarHostState = remember { SnackbarHostState() }
+                val bottomBarRoutes = remember {
+                    BottomBarDestination.entries.map { it.direction.route }.toSet()
+                }
                 Scaffold(
                     bottomBar = { BottomBar(navController) },
-                    snackbarHost = { SnackbarHost(snackbarHostState) }
+                    contentWindowInsets = WindowInsets(0, 0, 0, 0)
                 ) { innerPadding ->
                     CompositionLocalProvider(
-                        LocalSnackbarHost provides snackbarHostState,
-                        LocalDialogHost provides rememberDialogHostState(),
+                        LocalSnackbarHost provides snackBarHostState,
                     ) {
                         DestinationsNavHost(
                             modifier = Modifier.padding(innerPadding),
                             navGraph = NavGraphs.root,
-                            navController = navController
+                            navController = navController,
+                            defaultTransitions = object : NavHostAnimatedDestinationStyle() {
+                                override val enterTransition: AnimatedContentTransitionScope<NavBackStackEntry>.() -> EnterTransition = {
+                                    // If the target is a detail page (not a bottom navigation page), slide in from the right
+                                    if (targetState.destination.route !in bottomBarRoutes) {
+                                        slideInHorizontally(initialOffsetX = { it })
+                                    } else {
+                                        // Otherwise (switching between bottom navigation pages), use fade in
+                                        fadeIn(animationSpec = tween(340))
+                                    }
+                                }
+
+                                override val exitTransition: AnimatedContentTransitionScope<NavBackStackEntry>.() -> ExitTransition = {
+                                    // If navigating from the home page (bottom navigation page) to a detail page, slide out to the left
+                                    if (initialState.destination.route in bottomBarRoutes && targetState.destination.route !in bottomBarRoutes) {
+                                        slideOutHorizontally(targetOffsetX = { -it / 4 }) + fadeOut()
+                                    } else {
+                                        // Otherwise (switching between bottom navigation pages), use fade out
+                                        fadeOut(animationSpec = tween(340))
+                                    }
+                                }
+
+                                override val popEnterTransition: AnimatedContentTransitionScope<NavBackStackEntry>.() -> EnterTransition = {
+                                    // If returning to the home page (bottom navigation page), slide in from the left
+                                    if (targetState.destination.route in bottomBarRoutes) {
+                                        slideInHorizontally(initialOffsetX = { -it / 4 }) + fadeIn()
+                                    } else {
+                                        // Otherwise (e.g., returning between multiple detail pages), use default fade in
+                                        fadeIn(animationSpec = tween(340))
+                                    }
+                                }
+
+                                override val popExitTransition: AnimatedContentTransitionScope<NavBackStackEntry>.() -> ExitTransition = {
+                                    // If returning from a detail page (not a bottom navigation page), scale down and fade out
+                                    if (initialState.destination.route !in bottomBarRoutes) {
+                                        scaleOut(targetScale = 0.9f) + fadeOut()
+                                    } else {
+                                        // Otherwise, use default fade out
+                                        fadeOut(animationSpec = tween(340))
+                                    }
+                                }
+                            }
                         )
                     }
                 }
@@ -65,21 +134,26 @@ class MainActivity : ComponentActivity() {
 
 @Composable
 private fun BottomBar(navController: NavHostController) {
+    val navigator = navController.rememberDestinationsNavigator()
     val isManager = Natives.becomeManager(ksuApp.packageName)
-    val fullFeatured = isManager && !Natives.requireNewKernel()
-    NavigationBar(tonalElevation = 8.dp) {
-        BottomBarDestination.values().forEach { destination ->
+    val fullFeatured = isManager && !Natives.requireNewKernel() && rootAvailable()
+    NavigationBar(
+        tonalElevation = 8.dp,
+        windowInsets = WindowInsets.systemBars.union(WindowInsets.displayCutout).only(
+            WindowInsetsSides.Horizontal + WindowInsetsSides.Bottom
+        )
+    ) {
+        BottomBarDestination.entries.forEach { destination ->
             if (!fullFeatured && destination.rootRequired) return@forEach
             val isCurrentDestOnBackStack by navController.isRouteOnBackStackAsState(destination.direction)
             NavigationBarItem(
                 selected = isCurrentDestOnBackStack,
                 onClick = {
                     if (isCurrentDestOnBackStack) {
-                        navController.popBackStack(destination.direction, false)
+                        navigator.popBackStack(destination.direction, false)
                     }
-
-                    navController.navigate(destination.direction.route) {
-                        popUpTo(NavGraphs.root.route) {
+                    navigator.navigate(destination.direction) {
+                        popUpTo(NavGraphs.root) {
                             saveState = true
                         }
                         launchSingleTop = true

manager/app/src/main/java/me/weishu/kernelsu/ui/component/AboutCard.kt

@@ -1,7 +1,5 @@
 package me.weishu.kernelsu.ui.component
 
-import android.text.method.LinkMovementMethod
-import android.widget.TextView
 import androidx.compose.foundation.Image
 import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.Row
@@ -11,25 +9,28 @@ import androidx.compose.foundation.layout.height
 import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.layout.width
+import androidx.compose.foundation.shape.CircleShape
 import androidx.compose.foundation.shape.RoundedCornerShape
 import androidx.compose.material3.ElevatedCard
-import androidx.compose.material3.LocalContentColor
 import androidx.compose.material3.MaterialTheme
+import androidx.compose.material3.Surface
 import androidx.compose.material3.Text
 import androidx.compose.runtime.Composable
-import androidx.compose.runtime.MutableState
 import androidx.compose.ui.Modifier
-import androidx.compose.ui.graphics.toArgb
-import androidx.compose.ui.platform.LocalContext
+import androidx.compose.ui.draw.scale
+import androidx.compose.ui.res.colorResource
+import androidx.compose.ui.res.painterResource
 import androidx.compose.ui.res.stringResource
+import androidx.compose.ui.text.AnnotatedString
+import androidx.compose.ui.text.SpanStyle
+import androidx.compose.ui.text.TextLinkStyles
+import androidx.compose.ui.text.TextStyle
+import androidx.compose.ui.text.fromHtml
+import androidx.compose.ui.text.style.TextDecoration
 import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.dp
 import androidx.compose.ui.unit.sp
-import androidx.compose.ui.viewinterop.AndroidView
 import androidx.compose.ui.window.Dialog
-import androidx.core.content.res.ResourcesCompat
-import androidx.core.text.HtmlCompat
-import com.google.accompanist.drawablepainter.rememberDrawablePainter
 import me.weishu.kernelsu.BuildConfig
 import me.weishu.kernelsu.R
 
@@ -37,9 +38,8 @@ import me.weishu.kernelsu.R
 @Composable
 fun AboutCard() {
     ElevatedCard(
-        modifier = Modifier
-            .fillMaxWidth(),
-        shape = RoundedCornerShape(8.dp),
+        modifier = Modifier.fillMaxWidth(),
+        shape = RoundedCornerShape(8.dp)
     ) {
         Row(
             modifier = Modifier
@@ -52,32 +52,31 @@ fun AboutCard() {
 }
 
 @Composable
-fun AboutDialog(showAboutDialog: MutableState<Boolean>) {
-    if (showAboutDialog.value) {
-        Dialog(onDismissRequest = { showAboutDialog.value = false }) {
-            AboutCard()
-        }
+fun AboutDialog(dismiss: () -> Unit) {
+    Dialog(
+        onDismissRequest = { dismiss() }
+    ) {
+        AboutCard()
     }
 }
 
 @Composable
 private fun AboutCardContent() {
     Column(
-        modifier = Modifier
-            .fillMaxWidth()
+        modifier = Modifier.fillMaxWidth()
     ) {
-        val drawable = ResourcesCompat.getDrawable(
-            LocalContext.current.resources,
-            R.mipmap.ic_launcher,
-            LocalContext.current.theme
-        )
-
         Row {
-            Image(
-                painter = rememberDrawablePainter(drawable),
-                contentDescription = "icon",
-                modifier = Modifier.size(40.dp)
-            )
+            Surface(
+                modifier = Modifier.size(40.dp),
+                color = colorResource(id = R.color.ic_launcher_background),
+                shape = CircleShape
+            ) {
+                Image(
+                    painter = painterResource(id = R.drawable.ic_launcher_foreground),
+                    contentDescription = "icon",
+                    modifier = Modifier.scale(1.4f)
+                )
+            }
 
             Spacer(modifier = Modifier.width(12.dp))
 
@@ -96,31 +95,31 @@ private fun AboutCardContent() {
 
                 Spacer(modifier = Modifier.height(8.dp))
 
-                HtmlText(
-                    html = stringResource(
+                val annotatedString = AnnotatedString.Companion.fromHtml(
+                    htmlString = stringResource(
                         id = R.string.about_source_code,
                         "<b><a href=\"https://github.com/tiann/KernelSU\">GitHub</a></b>",
                         "<b><a href=\"https://t.me/KernelSU\">Telegram</a></b>"
+                    ),
+                    linkStyles = TextLinkStyles(
+                        style = SpanStyle(
+                            color = MaterialTheme.colorScheme.primary,
+                            textDecoration = TextDecoration.Underline
+                        ),
+                        pressedStyle = SpanStyle(
+                            color = MaterialTheme.colorScheme.primary,
+                            background = MaterialTheme.colorScheme.secondaryContainer,
+                            textDecoration = TextDecoration.Underline
+                        )
+                    )
+                )
+                Text(
+                    text = annotatedString,
+                    style = TextStyle(
+                        fontSize = 14.sp
                     )
                 )
             }
         }
     }
-}
-
-@Composable
-fun HtmlText(html: String, modifier: Modifier = Modifier) {
-    val contentColor = LocalContentColor.current
-    AndroidView(
-        modifier = modifier,
-        factory = { context ->
-            TextView(context).also {
-                it.movementMethod = LinkMovementMethod.getInstance()
-            }
-        },
-        update = {
-            it.text = HtmlCompat.fromHtml(html, HtmlCompat.FROM_HTML_MODE_COMPACT)
-            it.setTextColor(contentColor.toArgb())
-        }
-    )
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/Dialog.kt

@@ -1,8 +1,11 @@
 package me.weishu.kernelsu.ui.component
 
 import android.graphics.text.LineBreaker
+import android.os.Build
+import android.os.Parcelable
 import android.text.Layout
 import android.text.method.LinkMovementMethod
+import android.util.Log
 import android.view.ViewGroup
 import android.widget.TextView
 import androidx.compose.foundation.layout.Box
@@ -10,14 +13,10 @@ import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.size
 import androidx.compose.foundation.layout.wrapContentHeight
 import androidx.compose.foundation.shape.RoundedCornerShape
-import androidx.compose.material3.AlertDialog
-import androidx.compose.material3.CircularProgressIndicator
-import androidx.compose.material3.ExperimentalMaterial3Api
-import androidx.compose.material3.LocalContentColor
-import androidx.compose.material3.Surface
-import androidx.compose.material3.Text
-import androidx.compose.material3.TextButton
+import androidx.compose.material3.*
 import androidx.compose.runtime.*
+import androidx.compose.runtime.saveable.Saver
+import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.ui.Alignment
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.graphics.toArgb
@@ -28,48 +27,48 @@ import androidx.compose.ui.window.Dialog
 import androidx.compose.ui.window.DialogProperties
 import io.noties.markwon.Markwon
 import io.noties.markwon.utils.NoCopySpannableFactory
-import kotlinx.coroutines.CancellableContinuation
-import kotlinx.coroutines.coroutineScope
-import kotlinx.coroutines.launch
-import kotlinx.coroutines.suspendCancellableCoroutine
-import kotlinx.coroutines.sync.Mutex
-import kotlinx.coroutines.sync.withLock
-import me.weishu.kernelsu.ui.util.LocalDialogHost
+import kotlinx.coroutines.*
+import kotlinx.coroutines.channels.Channel
+import kotlinx.coroutines.channels.ReceiveChannel
+import kotlinx.coroutines.flow.FlowCollector
+import kotlinx.coroutines.flow.consumeAsFlow
+import kotlinx.coroutines.flow.onEach
+import kotlinx.parcelize.Parcelize
 import kotlin.coroutines.resume
 
-interface DialogVisuals
+private const val TAG = "DialogComponent"
 
-interface LoadingDialogVisuals : DialogVisuals
-
-interface PromptDialogVisuals : DialogVisuals {
+interface ConfirmDialogVisuals : Parcelable {
     val title: String
     val content: String
-}
-
-interface ConfirmDialogVisuals : PromptDialogVisuals {
+    val isMarkdown: Boolean
     val confirm: String?
     val dismiss: String?
-    val isMarkdown: Boolean
 }
 
-
-sealed interface DialogData {
-    val visuals: DialogVisuals
+@Parcelize
+private data class ConfirmDialogVisualsImpl(
+    override val title: String,
+    override val content: String,
+    override val isMarkdown: Boolean,
+    override val confirm: String?,
+    override val dismiss: String?,
+) : ConfirmDialogVisuals {
+    companion object {
+        val Empty: ConfirmDialogVisuals = ConfirmDialogVisualsImpl("", "", false, null, null)
+    }
 }
 
-interface LoadingDialogData : DialogData {
-    override val visuals: LoadingDialogVisuals
-    fun dismiss()
+interface DialogHandle {
+    val isShown: Boolean
+    val dialogType: String
+    fun show()
+    fun hide()
 }
 
-interface PromptDialogData : DialogData {
-    override val visuals: PromptDialogVisuals
-    fun dismiss()
-}
-
-interface ConfirmDialogData : PromptDialogData {
-    override val visuals: ConfirmDialogVisuals
-    fun confirm()
+interface LoadingDialogHandle : DialogHandle {
+    suspend fun <R> withLoading(block: suspend () -> R): R
+    fun showLoading()
 }
 
 sealed interface ConfirmResult {
@@ -77,143 +76,313 @@ sealed interface ConfirmResult {
     object Canceled : ConfirmResult
 }
 
-class DialogHostState {
+interface ConfirmDialogHandle : DialogHandle {
+    val visuals: ConfirmDialogVisuals
 
-    private object LoadingDialogVisualsImpl : LoadingDialogVisuals
-
-    private data class PromptDialogVisualsImpl(
-        override val title: String, override val content: String
-    ) : PromptDialogVisuals
-
-    private data class ConfirmDialogVisualsImpl(
-        override val title: String,
-        override val content: String,
-        override val confirm: String?,
-        override val dismiss: String?,
-        override val isMarkdown: Boolean,
-    ) : ConfirmDialogVisuals
-
-    private data class LoadingDialogDataImpl(
-        override val visuals: LoadingDialogVisuals,
-        private val continuation: CancellableContinuation<Unit>,
-    ) : LoadingDialogData {
-        override fun dismiss() {
-            if (continuation.isActive) continuation.resume(Unit)
-        }
-    }
-
-    private data class PromptDialogDataImpl(
-        override val visuals: PromptDialogVisuals,
-        private val continuation: CancellableContinuation<Unit>,
-    ) : PromptDialogData {
-        override fun dismiss() {
-            if (continuation.isActive) continuation.resume(Unit)
-        }
-    }
-
-    private data class ConfirmDialogDataImpl(
-        override val visuals: ConfirmDialogVisuals,
-        private val continuation: CancellableContinuation<ConfirmResult>
-    ) : ConfirmDialogData {
-
-        override fun confirm() {
-            if (continuation.isActive) continuation.resume(ConfirmResult.Confirmed)
-        }
-
-        override fun dismiss() {
-            if (continuation.isActive) continuation.resume(ConfirmResult.Canceled)
-        }
-    }
-
-    private val mutex = Mutex()
-
-    var currentDialogData by mutableStateOf<DialogData?>(null)
-        private set
-
-    suspend fun showLoading() {
-        try {
-            mutex.withLock {
-                suspendCancellableCoroutine { continuation ->
-                    currentDialogData = LoadingDialogDataImpl(
-                        visuals = LoadingDialogVisualsImpl, continuation = continuation
-                    )
-                }
-            }
-        } finally {
-            currentDialogData = null
-        }
-    }
-
-    suspend fun <R> withLoading(block: suspend () -> R) = coroutineScope {
-        val showLoading = launch {
-            showLoading()
-        }
-
-        val result = block()
-
-        showLoading.cancel()
-
-        result
-    }
-
-    suspend fun showPrompt(title: String, content: String) {
-        try {
-            mutex.withLock {
-                suspendCancellableCoroutine { continuation ->
-                    currentDialogData = PromptDialogDataImpl(
-                        visuals = PromptDialogVisualsImpl(title, content),
-                        continuation = continuation
-                    )
-                }
-            }
-        } finally {
-            currentDialogData = null
-        }
-    }
-
-    suspend fun showConfirm(
+    fun showConfirm(
         title: String,
         content: String,
         markdown: Boolean = false,
         confirm: String? = null,
         dismiss: String? = null
-    ): ConfirmResult = mutex.withLock {
-        try {
-            return@withLock suspendCancellableCoroutine { continuation ->
-                currentDialogData = ConfirmDialogDataImpl(
-                    visuals = ConfirmDialogVisualsImpl(title, content, confirm, dismiss, markdown),
-                    continuation = continuation
-                )
+    )
+
+    suspend fun awaitConfirm(
+        title: String,
+        content: String,
+        markdown: Boolean = false,
+        confirm: String? = null,
+        dismiss: String? = null
+    ): ConfirmResult
+}
+
+private abstract class DialogHandleBase(
+    val visible: MutableState<Boolean>,
+    val coroutineScope: CoroutineScope
+) : DialogHandle {
+    override val isShown: Boolean
+        get() = visible.value
+
+    override fun show() {
+        coroutineScope.launch {
+            visible.value = true
+        }
+    }
+
+    final override fun hide() {
+        coroutineScope.launch {
+            visible.value = false
+        }
+    }
+
+    override fun toString(): String {
+        return dialogType
+    }
+}
+
+private class LoadingDialogHandleImpl(
+    visible: MutableState<Boolean>,
+    coroutineScope: CoroutineScope
+) : LoadingDialogHandle, DialogHandleBase(visible, coroutineScope) {
+    override suspend fun <R> withLoading(block: suspend () -> R): R {
+        return coroutineScope.async {
+            try {
+                visible.value = true
+                block()
+            } finally {
+                visible.value = false
+            }
+        }.await()
+    }
+
+    override fun showLoading() {
+        show()
+    }
+
+    override val dialogType: String get() = "LoadingDialog"
+}
+
+typealias NullableCallback = (() -> Unit)?
+
+interface ConfirmCallback {
+
+    val onConfirm: NullableCallback
+
+    val onDismiss: NullableCallback
+
+    val isEmpty: Boolean get() = onConfirm == null && onDismiss == null
+
+    companion object {
+        operator fun invoke(onConfirmProvider: () -> NullableCallback, onDismissProvider: () -> NullableCallback): ConfirmCallback {
+            return object : ConfirmCallback {
+                override val onConfirm: NullableCallback
+                    get() = onConfirmProvider()
+                override val onDismiss: NullableCallback
+                    get() = onDismissProvider()
             }
-        } finally {
-            currentDialogData = null
         }
     }
 }
 
+private class ConfirmDialogHandleImpl(
+    visible: MutableState<Boolean>,
+    coroutineScope: CoroutineScope,
+    callback: ConfirmCallback,
+    override var visuals: ConfirmDialogVisuals = ConfirmDialogVisualsImpl.Empty,
+    private val resultFlow: ReceiveChannel<ConfirmResult>
+) : ConfirmDialogHandle, DialogHandleBase(visible, coroutineScope) {
+    private class ResultCollector(
+        private val callback: ConfirmCallback
+    ) : FlowCollector<ConfirmResult> {
+        fun handleResult(result: ConfirmResult) {
+            Log.d(TAG, "handleResult: ${result.javaClass.simpleName}")
+            when (result) {
+                ConfirmResult.Confirmed -> onConfirm()
+                ConfirmResult.Canceled -> onDismiss()
+            }
+        }
+
+        fun onConfirm() {
+            callback.onConfirm?.invoke()
+        }
+
+        fun onDismiss() {
+            callback.onDismiss?.invoke()
+        }
+
+        override suspend fun emit(value: ConfirmResult) {
+            handleResult(value)
+        }
+    }
+
+    private val resultCollector = ResultCollector(callback)
+
+    private var awaitContinuation: CancellableContinuation<ConfirmResult>? = null
+
+    private val isCallbackEmpty = callback.isEmpty
+
+    init {
+        coroutineScope.launch {
+            resultFlow
+                .consumeAsFlow()
+                .onEach { result ->
+                    awaitContinuation?.let {
+                        awaitContinuation = null
+                        if (it.isActive) {
+                            it.resume(result)
+                        }
+                    }
+                }
+                .onEach { hide() }
+                .collect(resultCollector)
+        }
+    }
+
+    private suspend fun awaitResult(): ConfirmResult {
+        return suspendCancellableCoroutine {
+            awaitContinuation = it.apply {
+                if (isCallbackEmpty) {
+                    invokeOnCancellation {
+                        visible.value = false
+                    }
+                }
+            }
+        }
+    }
+
+    fun updateVisuals(visuals: ConfirmDialogVisuals) {
+        this.visuals = visuals
+    }
+
+    override fun show() {
+        if (visuals !== ConfirmDialogVisualsImpl.Empty) {
+            super.show()
+        } else {
+            throw UnsupportedOperationException("can't show confirm dialog with the Empty visuals")
+        }
+    }
+
+    override fun showConfirm(
+        title: String,
+        content: String,
+        markdown: Boolean,
+        confirm: String?,
+        dismiss: String?
+    ) {
+        coroutineScope.launch {
+            updateVisuals(ConfirmDialogVisualsImpl(title, content, markdown, confirm, dismiss))
+            show()
+        }
+    }
+
+    override suspend fun awaitConfirm(
+        title: String,
+        content: String,
+        markdown: Boolean,
+        confirm: String?,
+        dismiss: String?
+    ): ConfirmResult {
+        coroutineScope.launch {
+            updateVisuals(ConfirmDialogVisualsImpl(title, content, markdown, confirm, dismiss))
+            show()
+        }
+        return awaitResult()
+    }
+
+    override val dialogType: String get() = "ConfirmDialog"
+
+    override fun toString(): String {
+        return "${super.toString()}(visuals: $visuals)"
+    }
+
+    companion object {
+        fun Saver(
+            visible: MutableState<Boolean>,
+            coroutineScope: CoroutineScope,
+            callback: ConfirmCallback,
+            resultChannel: ReceiveChannel<ConfirmResult>
+        ) = Saver<ConfirmDialogHandle, ConfirmDialogVisuals>(
+            save = {
+                it.visuals
+            },
+            restore = {
+                Log.d(TAG, "ConfirmDialog restore, visuals: $it")
+                ConfirmDialogHandleImpl(visible, coroutineScope, callback, it, resultChannel)
+            }
+        )
+    }
+}
+
+private class CustomDialogHandleImpl(
+    visible: MutableState<Boolean>,
+    coroutineScope: CoroutineScope
+) : DialogHandleBase(visible, coroutineScope) {
+    override val dialogType: String get() = "CustomDialog"
+}
+
 @Composable
-fun rememberDialogHostState(): DialogHostState {
+fun rememberLoadingDialog(): LoadingDialogHandle {
+    val visible = remember {
+        mutableStateOf(false)
+    }
+    val coroutineScope = rememberCoroutineScope()
+
+    if (visible.value) {
+        LoadingDialog()
+    }
+
     return remember {
-        DialogHostState()
-    }
-}
-
-private inline fun <reified T : DialogData> DialogData?.tryInto(): T? {
-    return when (this) {
-        is T -> this
-        else -> null
+        LoadingDialogHandleImpl(visible, coroutineScope)
     }
 }
 
 @Composable
-fun LoadingDialog(
-    state: DialogHostState = LocalDialogHost.current,
-) {
-    state.currentDialogData.tryInto<LoadingDialogData>() ?: return
-    val dialogProperties = remember {
-        DialogProperties(dismissOnClickOutside = false, dismissOnBackPress = false)
+private fun rememberConfirmDialog(visuals: ConfirmDialogVisuals, callback: ConfirmCallback): ConfirmDialogHandle {
+    val visible = rememberSaveable {
+        mutableStateOf(false)
     }
-    Dialog(onDismissRequest = {}, properties = dialogProperties) {
+    val coroutineScope = rememberCoroutineScope()
+    val resultChannel = remember {
+        Channel<ConfirmResult>()
+    }
+
+    val handle = rememberSaveable(
+        saver = ConfirmDialogHandleImpl.Saver(visible, coroutineScope, callback, resultChannel),
+        init = {
+            ConfirmDialogHandleImpl(visible, coroutineScope, callback, visuals, resultChannel)
+        }
+    )
+
+    if (visible.value) {
+        ConfirmDialog(
+            handle.visuals,
+            confirm = { coroutineScope.launch { resultChannel.send(ConfirmResult.Confirmed) } },
+            dismiss = { coroutineScope.launch { resultChannel.send(ConfirmResult.Canceled) } }
+        )
+    }
+
+    return handle
+}
+
+@Composable
+fun rememberConfirmCallback(onConfirm: NullableCallback, onDismiss: NullableCallback): ConfirmCallback {
+    val currentOnConfirm by rememberUpdatedState(newValue = onConfirm)
+    val currentOnDismiss by rememberUpdatedState(newValue = onDismiss)
+    return remember {
+        ConfirmCallback({ currentOnConfirm }, { currentOnDismiss })
+    }
+}
+
+@Composable
+fun rememberConfirmDialog(onConfirm: NullableCallback = null, onDismiss: NullableCallback = null): ConfirmDialogHandle {
+    return rememberConfirmDialog(rememberConfirmCallback(onConfirm, onDismiss))
+}
+
+@Composable
+fun rememberConfirmDialog(callback: ConfirmCallback): ConfirmDialogHandle {
+    return rememberConfirmDialog(ConfirmDialogVisualsImpl.Empty, callback)
+}
+
+@Composable
+fun rememberCustomDialog(composable: @Composable (dismiss: () -> Unit) -> Unit): DialogHandle {
+    val visible = rememberSaveable {
+        mutableStateOf(false)
+    }
+    val coroutineScope = rememberCoroutineScope()
+    if (visible.value) {
+        composable { visible.value = false }
+    }
+    return remember {
+        CustomDialogHandleImpl(visible, coroutineScope)
+    }
+}
+
+@Composable
+private fun LoadingDialog() {
+    Dialog(
+        onDismissRequest = {},
+        properties = DialogProperties(dismissOnClickOutside = false, dismissOnBackPress = false)
+    ) {
         Surface(
             modifier = Modifier.size(100.dp), shape = RoundedCornerShape(8.dp)
         ) {
@@ -227,41 +396,10 @@ fun LoadingDialog(
 }
 
 @Composable
-fun PromptDialog(
-    state: DialogHostState = LocalDialogHost.current,
-) {
-    val promptDialogData = state.currentDialogData.tryInto<PromptDialogData>() ?: return
-
-    val visuals = promptDialogData.visuals
+private fun ConfirmDialog(visuals: ConfirmDialogVisuals, confirm: () -> Unit, dismiss: () -> Unit) {
     AlertDialog(
         onDismissRequest = {
-            promptDialogData.dismiss()
-        },
-        title = {
-            Text(text = visuals.title)
-        },
-        text = {
-            Text(text = visuals.content)
-        },
-        confirmButton = {
-            TextButton(onClick = { promptDialogData.dismiss() }) {
-                Text(text = stringResource(id = android.R.string.ok))
-            }
-        },
-        dismissButton = null,
-    )
-}
-
-@OptIn(ExperimentalMaterial3Api::class)
-@Composable
-fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
-    val confirmDialogData = state.currentDialogData.tryInto<ConfirmDialogData>() ?: return
-
-    val visuals = confirmDialogData.visuals
-
-    AlertDialog(
-        onDismissRequest = {
-            confirmDialogData.dismiss()
+            dismiss()
         },
         title = {
             Text(text = visuals.title)
@@ -274,17 +412,18 @@ fun ConfirmDialog(state: DialogHostState = LocalDialogHost.current) {
             }
         },
         confirmButton = {
-            TextButton(onClick = { confirmDialogData.confirm() }) {
+            TextButton(onClick = confirm) {
                 Text(text = visuals.confirm ?: stringResource(id = android.R.string.ok))
             }
         },
         dismissButton = {
-            TextButton(onClick = { confirmDialogData.dismiss() }) {
+            TextButton(onClick = dismiss) {
                 Text(text = visuals.dismiss ?: stringResource(id = android.R.string.cancel))
             }
         },
     )
 }
+
 @Composable
 private fun MarkdownContent(content: String) {
     val contentColor = LocalContentColor.current
@@ -294,7 +433,9 @@ private fun MarkdownContent(content: String) {
             TextView(context).apply {
                 movementMethod = LinkMovementMethod.getInstance()
                 setSpannableFactory(NoCopySpannableFactory.getInstance())
-                breakStrategy = LineBreaker.BREAK_STRATEGY_SIMPLE
+                if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
+                    breakStrategy = LineBreaker.BREAK_STRATEGY_SIMPLE
+                }
                 hyphenationFrequency = Layout.HYPHENATION_FREQUENCY_NONE
                 layoutParams = ViewGroup.LayoutParams(
                     ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.WRAP_CONTENT
@@ -307,5 +448,6 @@ private fun MarkdownContent(content: String) {
         update = {
             Markwon.create(it.context).setMarkdown(it, content)
             it.setTextColor(contentColor.toArgb())
-        })
+        }
+    )
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/KsuValidCheck.kt

@@ -0,0 +1,17 @@
+package me.weishu.kernelsu.ui.component
+ 
+import androidx.compose.runtime.Composable
+import me.weishu.kernelsu.Natives
+import me.weishu.kernelsu.ksuApp
+ 
+@Composable
+fun KsuIsValid(
+    content: @Composable () -> Unit
+) {
+    val isManager = Natives.becomeManager(ksuApp.packageName)
+    val ksuVersion = if (isManager) Natives.version else null
+     
+    if (ksuVersion != null) {
+        content()
+    }
+}

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SearchBar.kt

@@ -5,20 +5,25 @@ import androidx.compose.animation.AnimatedVisibility
 import androidx.compose.animation.fadeIn
 import androidx.compose.animation.fadeOut
 import androidx.compose.foundation.layout.Box
+import androidx.compose.foundation.layout.WindowInsets
+import androidx.compose.foundation.layout.WindowInsetsSides
 import androidx.compose.foundation.layout.fillMaxWidth
+import androidx.compose.foundation.layout.only
 import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.safeDrawing
 import androidx.compose.foundation.text.KeyboardActions
 import androidx.compose.foundation.text.KeyboardOptions
 import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.automirrored.outlined.ArrowBack
 import androidx.compose.material.icons.filled.Close
 import androidx.compose.material.icons.filled.Search
-import androidx.compose.material.icons.outlined.ArrowBack
 import androidx.compose.material3.ExperimentalMaterial3Api
 import androidx.compose.material3.Icon
 import androidx.compose.material3.IconButton
 import androidx.compose.material3.OutlinedTextField
 import androidx.compose.material3.Text
 import androidx.compose.material3.TopAppBar
+import androidx.compose.material3.TopAppBarScrollBehavior
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.DisposableEffect
 import androidx.compose.runtime.LaunchedEffect
@@ -27,7 +32,6 @@ import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.remember
 import androidx.compose.runtime.setValue
 import androidx.compose.ui.Alignment
-import androidx.compose.ui.ExperimentalComposeUiApi
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.focus.FocusRequester
 import androidx.compose.ui.focus.focusRequester
@@ -39,7 +43,7 @@ import androidx.compose.ui.unit.dp
 
 private const val TAG = "SearchBar"
 
-@OptIn(ExperimentalComposeUiApi::class, ExperimentalMaterial3Api::class)
+@OptIn(ExperimentalMaterial3Api::class)
 @Composable
 fun SearchAppBar(
     title: @Composable () -> Unit,
@@ -49,6 +53,7 @@ fun SearchAppBar(
     onBackClick: (() -> Unit)? = null,
     onConfirm: (() -> Unit)? = null,
     dropdownContent: @Composable (() -> Unit)? = null,
+    scrollBehavior: TopAppBarScrollBehavior? = null
 ) {
     val keyboardController = LocalSoftwareKeyboardController.current
     val focusRequester = remember { FocusRequester() }
@@ -115,7 +120,7 @@ fun SearchAppBar(
             if (onBackClick != null) {
                 IconButton(
                     onClick = onBackClick,
-                    content = { Icon(Icons.Outlined.ArrowBack, null) }
+                    content = { Icon(Icons.AutoMirrored.Outlined.ArrowBack, null) }
                 )
             }
         },
@@ -133,10 +138,13 @@ fun SearchAppBar(
                 dropdownContent()
             }
 
-        }
+        },
+        windowInsets = WindowInsets.safeDrawing.only(WindowInsetsSides.Top + WindowInsetsSides.Horizontal),
+        scrollBehavior = scrollBehavior
     )
 }
 
+@OptIn(ExperimentalMaterial3Api::class)
 @Preview
 @Composable
 private fun SearchAppBarPreview() {

manager/app/src/main/java/me/weishu/kernelsu/ui/component/SettingsItem.kt

@@ -1,12 +1,18 @@
 package me.weishu.kernelsu.ui.component
 
+import androidx.compose.foundation.LocalIndication
+import androidx.compose.foundation.interaction.MutableInteractionSource
+import androidx.compose.foundation.selection.toggleable
 import androidx.compose.material3.Icon
 import androidx.compose.material3.ListItem
 import androidx.compose.material3.RadioButton
 import androidx.compose.material3.Switch
 import androidx.compose.material3.Text
 import androidx.compose.runtime.Composable
+import androidx.compose.runtime.remember
+import androidx.compose.ui.Modifier
 import androidx.compose.ui.graphics.vector.ImageVector
+import androidx.compose.ui.semantics.Role
 
 @Composable
 fun SwitchItem(
@@ -17,7 +23,18 @@ fun SwitchItem(
     enabled: Boolean = true,
     onCheckedChange: (Boolean) -> Unit
 ) {
+    val interactionSource = remember { MutableInteractionSource() }
+
     ListItem(
+        modifier = Modifier
+            .toggleable(
+                value = checked,
+                interactionSource = interactionSource,
+                role = Role.Switch,
+                enabled = enabled,
+                indication = LocalIndication.current,
+                onValueChange = onCheckedChange
+            ),
         headlineContent = {
             Text(title)
         },
@@ -25,7 +42,12 @@ fun SwitchItem(
             { Icon(icon, title) }
         },
         trailingContent = {
-            Switch(checked = checked, enabled = enabled, onCheckedChange = onCheckedChange)
+            Switch(
+                checked = checked,
+                enabled = enabled,
+                onCheckedChange = onCheckedChange,
+                interactionSource = interactionSource
+            )
         },
         supportingContent = {
             if (summary != null) {
@@ -47,6 +69,6 @@ fun RadioItem(
         },
         leadingContent = {
             RadioButton(selected = selected, onClick = onClick)
-        },
+        }
     )
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/RootProfileConfig.kt

@@ -1,11 +1,10 @@
-@file:OptIn(ExperimentalMaterial3Api::class)
-
 package me.weishu.kernelsu.ui.component.profile
 
 import androidx.compose.foundation.clickable
 import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.ExperimentalLayoutApi
 import androidx.compose.foundation.layout.FlowRow
+import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.padding
 import androidx.compose.foundation.text.KeyboardActions
@@ -20,16 +19,17 @@ import androidx.compose.material3.ExposedDropdownMenuBox
 import androidx.compose.material3.Icon
 import androidx.compose.material3.ListItem
 import androidx.compose.material3.MaterialTheme
+import androidx.compose.material3.MenuAnchorType
 import androidx.compose.material3.OutlinedCard
 import androidx.compose.material3.OutlinedTextField
+import androidx.compose.material3.OutlinedTextFieldDefaults
 import androidx.compose.material3.Text
-import androidx.compose.material3.TextFieldDefaults
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.getValue
+import androidx.compose.runtime.mutableIntStateOf
 import androidx.compose.runtime.mutableStateOf
 import androidx.compose.runtime.remember
 import androidx.compose.runtime.setValue
-import androidx.compose.ui.ExperimentalComposeUiApi
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.platform.LocalSoftwareKeyboardController
 import androidx.compose.ui.res.stringResource
@@ -53,6 +53,7 @@ import me.weishu.kernelsu.Natives
 import me.weishu.kernelsu.R
 import me.weishu.kernelsu.profile.Capabilities
 import me.weishu.kernelsu.profile.Groups
+import me.weishu.kernelsu.ui.component.rememberCustomDialog
 import me.weishu.kernelsu.ui.util.isSepolicyValid
 
 @OptIn(ExperimentalMaterial3Api::class)
@@ -72,6 +73,7 @@ fun RootProfileConfig(
             )
         }
 
+        /* 
         var expanded by remember { mutableStateOf(false) }
         val currentNamespace = when (profile.namespace) {
             Natives.Profile.Namespace.INHERITED.ordinal -> stringResource(R.string.profile_namespace_inherited)
@@ -86,7 +88,7 @@ fun RootProfileConfig(
             ) {
                 OutlinedTextField(
                     modifier = Modifier
-                        .menuAnchor()
+                        .menuAnchor(MenuAnchorType.PrimaryNotEditable)
                         .fillMaxWidth(),
                     readOnly = true,
                     label = { Text(stringResource(R.string.profile_namespace)) },
@@ -125,6 +127,7 @@ fun RootProfileConfig(
                 }
             }
         })
+        */
 
         UidPanel(uid = profile.uid, label = "uid", onUidChange = {
             onProfileChange(
@@ -146,7 +149,7 @@ fun RootProfileConfig(
 
         val selectedGroups = profile.groups.ifEmpty { listOf(0) }.let { e ->
             e.mapNotNull { g ->
-                Groups.values().find { it.gid == g }
+                Groups.entries.find { it.gid == g }
             }
         }
         GroupsPanel(selectedGroups) {
@@ -159,7 +162,7 @@ fun RootProfileConfig(
         }
 
         val selectedCaps = profile.capabilities.mapNotNull { e ->
-            Capabilities.values().find { it.cap == e }
+            Capabilities.entries.find { it.cap == e }
         }
 
         CapsPanel(selectedCaps) {
@@ -184,14 +187,11 @@ fun RootProfileConfig(
     }
 }
 
-@OptIn(ExperimentalLayoutApi::class)
+@OptIn(ExperimentalLayoutApi::class, ExperimentalMaterial3Api::class)
 @Composable
 fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>) -> Unit) {
-
-    var showDialog by remember { mutableStateOf(false) }
-
-    if (showDialog) {
-        val groups = Groups.values().sortedWith(
+    val selectGroupsDialog = rememberCustomDialog { dismiss: () -> Unit ->
+        val groups = Groups.entries.toTypedArray().sortedWith(
             compareBy<Groups> { if (selected.contains(it)) 0 else 1 }
                 .then(compareBy {
                     when (it) {
@@ -217,7 +217,7 @@ fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>)
             state = rememberUseCaseState(visible = true, onFinishedRequest = {
                 closeSelection(selection)
             }, onCloseRequest = {
-                showDialog = false
+                dismiss()
             }),
             header = Header.Default(
                 title = stringResource(R.string.profile_groups),
@@ -237,14 +237,20 @@ fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>)
         )
     }
 
-    OutlinedCard(modifier = Modifier
-        .fillMaxWidth()
-        .padding(16.dp)
-        .clickable {
-            showDialog = true
-        }) {
+    OutlinedCard(
+        modifier = Modifier
+            .fillMaxWidth()
+            .padding(16.dp)
+    ) {
 
-        Column(modifier = Modifier.padding(16.dp)) {
+        Column(
+            modifier = Modifier
+                .fillMaxSize()
+                .clickable {
+                    selectGroupsDialog.show()
+                }
+                .padding(16.dp)
+        ) {
             Text(stringResource(R.string.profile_groups))
             FlowRow {
                 selected.forEach { group ->
@@ -259,17 +265,14 @@ fun GroupsPanel(selected: List<Groups>, closeSelection: (selection: Set<Groups>)
     }
 }
 
-@OptIn(ExperimentalLayoutApi::class)
+@OptIn(ExperimentalLayoutApi::class, ExperimentalMaterial3Api::class)
 @Composable
 fun CapsPanel(
     selected: Collection<Capabilities>,
     closeSelection: (selection: Set<Capabilities>) -> Unit
 ) {
-
-    var showDialog by remember { mutableStateOf(false) }
-
-    if (showDialog) {
-        val caps = Capabilities.values().sortedWith(
+    val selectCapabilitiesDialog = rememberCustomDialog { dismiss ->
+        val caps = Capabilities.entries.toTypedArray().sortedWith(
             compareBy<Capabilities> { if (selected.contains(it)) 0 else 1 }
                 .then(compareBy { it.name })
         )
@@ -286,7 +289,7 @@ fun CapsPanel(
             state = rememberUseCaseState(visible = true, onFinishedRequest = {
                 closeSelection(selection)
             }, onCloseRequest = {
-                showDialog = false
+                dismiss()
             }),
             header = Header.Default(
                 title = stringResource(R.string.profile_capabilities),
@@ -305,14 +308,20 @@ fun CapsPanel(
         )
     }
 
-    OutlinedCard(modifier = Modifier
-        .fillMaxWidth()
-        .padding(16.dp)
-        .clickable {
-            showDialog = true
-        }) {
+    OutlinedCard(
+        modifier = Modifier
+            .fillMaxWidth()
+            .padding(16.dp)
+    ) {
 
-        Column(modifier = Modifier.padding(16.dp)) {
+        Column(
+            modifier = Modifier
+                .fillMaxSize()
+                .clickable {
+                    selectCapabilitiesDialog.show()
+                }
+                .padding(16.dp)
+        ) {
             Text(stringResource(R.string.profile_capabilities))
             FlowRow {
                 selected.forEach { group ->
@@ -327,7 +336,6 @@ fun CapsPanel(
     }
 }
 
-@OptIn(ExperimentalComposeUiApi::class)
 @Composable
 private fun UidPanel(uid: Int, label: String, onUidChange: (Int) -> Unit) {
 
@@ -336,10 +344,10 @@ private fun UidPanel(uid: Int, label: String, onUidChange: (Int) -> Unit) {
             mutableStateOf(false)
         }
         var lastValidUid by remember {
-            mutableStateOf(uid)
+            mutableIntStateOf(uid)
         }
-
         val keyboardController = LocalSoftwareKeyboardController.current
+
         OutlinedTextField(
             modifier = Modifier.fillMaxWidth(),
             label = { Text(label) },
@@ -372,13 +380,13 @@ private fun UidPanel(uid: Int, label: String, onUidChange: (Int) -> Unit) {
     })
 }
 
+@OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun SELinuxPanel(
     profile: Natives.Profile,
     onSELinuxChange: (domain: String, rules: String) -> Unit
 ) {
-    var showDialog by remember { mutableStateOf(false) }
-    if (showDialog) {
+    val editSELinuxDialog = rememberCustomDialog { dismiss ->
         var domain by remember { mutableStateOf(profile.context) }
         var rules by remember { mutableStateOf(profile.rules) }
 
@@ -430,7 +438,7 @@ private fun SELinuxPanel(
                     onSELinuxChange(domain, rules)
                 },
                 onCloseRequest = {
-                    showDialog = false
+                    dismiss()
                 }),
             header = Header.Default(
                 title = stringResource(R.string.profile_selinux_context),
@@ -449,10 +457,10 @@ private fun SELinuxPanel(
             modifier = Modifier
                 .fillMaxWidth()
                 .clickable {
-                    showDialog = true
+                    editSELinuxDialog.show()
                 },
             enabled = false,
-            colors = TextFieldDefaults.outlinedTextFieldColors(
+            colors = OutlinedTextFieldDefaults.colors(
                 disabledTextColor = MaterialTheme.colorScheme.onSurface,
                 disabledBorderColor = MaterialTheme.colorScheme.outline,
                 disabledPlaceholderColor = MaterialTheme.colorScheme.onSurfaceVariant,
@@ -460,7 +468,7 @@ private fun SELinuxPanel(
             ),
             label = { Text(text = stringResource(R.string.profile_selinux_context)) },
             value = profile.context,
-            onValueChange = { },
+            onValueChange = { }
         )
     })
 }

manager/app/src/main/java/me/weishu/kernelsu/ui/component/profile/TemplateConfig.kt

@@ -2,16 +2,17 @@ package me.weishu.kernelsu.ui.component.profile
 
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.automirrored.filled.ReadMore
 import androidx.compose.material.icons.filled.ArrowDropDown
 import androidx.compose.material.icons.filled.ArrowDropUp
 import androidx.compose.material.icons.filled.Create
-import androidx.compose.material.icons.filled.ReadMore
 import androidx.compose.material3.DropdownMenuItem
 import androidx.compose.material3.ExperimentalMaterial3Api
 import androidx.compose.material3.ExposedDropdownMenuBox
 import androidx.compose.material3.Icon
 import androidx.compose.material3.IconButton
 import androidx.compose.material3.ListItem
+import androidx.compose.material3.MenuAnchorType
 import androidx.compose.material3.OutlinedTextField
 import androidx.compose.material3.Text
 import androidx.compose.runtime.Composable
@@ -54,7 +55,7 @@ fun TemplateConfig(
         ) {
             OutlinedTextField(
                 modifier = Modifier
-                    .menuAnchor()
+                    .menuAnchor(MenuAnchorType.PrimaryNotEditable)
                     .fillMaxWidth(),
                 readOnly = true,
                 label = { Text(stringResource(R.string.profile_template)) },
@@ -105,7 +106,7 @@ fun TemplateConfig(
                             IconButton(onClick = {
                                 onViewTemplate(tid)
                             }) {
-                                Icon(Icons.Filled.ReadMore, null)
+                                Icon(Icons.AutoMirrored.Filled.ReadMore, null)
                             }
                         }
                     )

manager/app/src/main/java/me/weishu/kernelsu/ui/screen/AppProfile.kt

@@ -7,29 +7,36 @@ import androidx.compose.foundation.layout.Arrangement
 import androidx.compose.foundation.layout.BoxWithConstraints
 import androidx.compose.foundation.layout.Column
 import androidx.compose.foundation.layout.Row
+import androidx.compose.foundation.layout.WindowInsets
+import androidx.compose.foundation.layout.WindowInsetsSides
 import androidx.compose.foundation.layout.fillMaxSize
 import androidx.compose.foundation.layout.fillMaxWidth
 import androidx.compose.foundation.layout.height
+import androidx.compose.foundation.layout.only
 import androidx.compose.foundation.layout.padding
+import androidx.compose.foundation.layout.safeDrawing
 import androidx.compose.foundation.layout.width
 import androidx.compose.foundation.rememberScrollState
 import androidx.compose.foundation.verticalScroll
 import androidx.compose.material.icons.Icons
+import androidx.compose.material.icons.automirrored.filled.ArrowBack
 import androidx.compose.material.icons.filled.AccountCircle
 import androidx.compose.material.icons.filled.Android
-import androidx.compose.material.icons.filled.ArrowBack
 import androidx.compose.material.icons.filled.Security
-import androidx.compose.material3.Divider
 import androidx.compose.material3.DropdownMenu
 import androidx.compose.material3.DropdownMenuItem
 import androidx.compose.material3.ExperimentalMaterial3Api
 import androidx.compose.material3.FilterChip
+import androidx.compose.material3.HorizontalDivider
 import androidx.compose.material3.Icon
 import androidx.compose.material3.IconButton
 import androidx.compose.material3.ListItem
 import androidx.compose.material3.Scaffold
+import androidx.compose.material3.SnackbarHost
 import androidx.compose.material3.Text
 import androidx.compose.material3.TopAppBar
+import androidx.compose.material3.TopAppBarDefaults
+import androidx.compose.material3.TopAppBarScrollBehavior
 import androidx.compose.runtime.Composable
 import androidx.compose.runtime.getValue
 import androidx.compose.runtime.mutableStateOf
@@ -39,6 +46,7 @@ import androidx.compose.runtime.saveable.rememberSaveable
 import androidx.compose.runtime.setValue
 import androidx.compose.ui.Modifier
 import androidx.compose.ui.geometry.Offset
+import androidx.compose.ui.input.nestedscroll.nestedScroll
 import androidx.compose.ui.input.pointer.pointerInput
 import androidx.compose.ui.platform.LocalContext
 import androidx.compose.ui.platform.LocalDensity
@@ -47,9 +55,13 @@ import androidx.compose.ui.tooling.preview.Preview
 import androidx.compose.ui.unit.Dp
 import androidx.compose.ui.unit.DpOffset
 import androidx.compose.ui.unit.dp
+import androidx.lifecycle.compose.dropUnlessResumed
 import coil.compose.AsyncImage
 import coil.request.ImageRequest
 import com.ramcosta.composedestinations.annotation.Destination
+import com.ramcosta.composedestinations.annotation.RootGraph
+import com.ramcosta.composedestinations.generated.destinations.AppProfileTemplateScreenDestination
+import com.ramcosta.composedestinations.generated.destinations.TemplateEditorScreenDestination
 import com.ramcosta.composedestinations.navigation.DestinationsNavigator
 import kotlinx.coroutines.launch
 import me.weishu.kernelsu.Natives
@@ -58,8 +70,6 @@ import me.weishu.kernelsu.ui.component.SwitchItem
 import me.weishu.kernelsu.ui.component.profile.AppProfileConfig
 import me.weishu.kernelsu.ui.component.profile.RootProfileConfig
 import me.weishu.kernelsu.ui.component.profile.TemplateConfig
-import me.weishu.kernelsu.ui.screen.destinations.AppProfileTemplateScreenDestination
-import me.weishu.kernelsu.ui.screen.destinations.TemplateEditorScreenDestination
 import me.weishu.kernelsu.ui.util.LocalSnackbarHost
 import me.weishu.kernelsu.ui.util.forceStopApp
 import me.weishu.kernelsu.ui.util.getSepolicy
@@ -73,19 +83,20 @@ import me.weishu.kernelsu.ui.viewmodel.getTemplateInfoById
  * @author weishu
  * @date 2023/5/16.
  */
-@Destination
+@OptIn(ExperimentalMaterial3Api::class)
+@Destination<RootGraph>
 @Composable
 fun AppProfileScreen(
     navigator: DestinationsNavigator,
     appInfo: SuperUserViewModel.AppInfo,
 ) {
     val context = LocalContext.current
-    val snackbarHost = LocalSnackbarHost.current
+    val snackBarHost = LocalSnackbarHost.current
+    val scrollBehavior = TopAppBarDefaults.pinnedScrollBehavior()
     val scope = rememberCoroutineScope()
-    val failToUpdateAppProfile =
-        stringResource(R.string.failed_to_update_app_profile).format(appInfo.label)
-    val failToUpdateSepolicy =
-        stringResource(R.string.failed_to_update_sepolicy).format(appInfo.label)
+    val failToUpdateAppProfile = stringResource(R.string.failed_to_update_app_profile).format(appInfo.label)
+    val failToUpdateSepolicy = stringResource(R.string.failed_to_update_sepolicy).format(appInfo.label)
+    val suNotAllowed = stringResource(R.string.su_not_allowed).format(appInfo.label)
 
     val packageName = appInfo.packageName
     val initialProfile = Natives.getAppProfile(packageName, appInfo.uid)
@@ -97,18 +108,25 @@ fun AppProfileScreen(
     }
 
     Scaffold(
-        topBar = { TopBar { navigator.popBackStack() } },
+        topBar = {
+            TopBar(
+                onBack = dropUnlessResumed { navigator.popBackStack() },
+                scrollBehavior = scrollBehavior
+            )
+        },
+        snackbarHost = { SnackbarHost(hostState = snackBarHost) },
+        contentWindowInsets = WindowInsets.safeDrawing.only(WindowInsetsSides.Top + WindowInsetsSides.Horizontal)
     ) { paddingValues ->
         AppProfileInner(
             modifier = Modifier
                 .padding(paddingValues)
+                .nestedScroll(scrollBehavior.nestedScrollConnection)
                 .verticalScroll(rememberScrollState()),
             packageName = appInfo.packageName,
             appLabel = appInfo.label,
             appIcon = {
                 AsyncImage(
-                    model = ImageRequest.Builder(context).data(appInfo.packageInfo).crossfade(true)
-                        .build(),
+                    model = ImageRequest.Builder(context).data(appInfo.packageInfo).crossfade(true).build(),
                     contentDescription = appInfo.label,
                     modifier = Modifier
                         .padding(4.dp)
@@ -127,14 +145,19 @@ fun AppProfileScreen(
             },
             onProfileChange = {
                 scope.launch {
-                    if (it.allowSu && !it.rootUseDefault && it.rules.isNotEmpty()) {
-                        if (!setSepolicy(profile.name, it.rules)) {
-                            snackbarHost.showSnackbar(failToUpdateSepolicy)
+                    if (it.allowSu) {
+                        // sync with allowlist.c - forbid_system_uid
+                        if (appInfo.uid < 2000 && appInfo.uid != 1000) {
+                            snackBarHost.showSnackbar(suNotAllowed)
+                            return@launch
+                        }
+                        if (!it.rootUseDefault && it.rules.isNotEmpty() && !setSepolicy(profile.name, it.rules)) {
+                            snackBarHost.showSnackbar(failToUpdateSepolicy)
                             return@launch
                         }
                     }
                     if (!Natives.setAppProfile(it)) {
-                        snackbarHost.showSnackbar(failToUpdateAppProfile.format(appInfo.uid))
+                        snackBarHost.showSnackbar(failToUpdateAppProfile.format(appInfo.uid))
                     } else {
                         profile = it
                     }
@@ -174,7 +197,9 @@ private fun AppProfileInner(
         )
 
         Crossfade(targetState = isRootGranted, label = "") { current ->
-            Column {
+            Column(
+                modifier = Modifier.padding(bottom = 6.dp + 48.dp + 6.dp /* SnackBar height */)
+            ) {
                 if (current) {
                     val initialMode = if (profile.rootUseDefault) {
                         Mode.Default
@@ -183,7 +208,7 @@ private fun AppProfileInner(
                     } else {
                         Mode.Custom
                     }
-                    var mode by remember {
+                    var mode by rememberSaveable {
                         mutableStateOf(initialMode)
                     }
                     ProfileBox(mode, true) {
@@ -238,7 +263,10 @@ private enum class Mode(@StringRes private val res: Int) {
 
 @OptIn(ExperimentalMaterial3Api::class)
 @Composable
-private fun TopBar(onBack: () -> Unit) {
+private fun TopBar(
+    onBack: () -> Unit,
+    scrollBehavior: TopAppBarScrollBehavior? = null
+) {
     TopAppBar(
         title = {
             Text(stringResource(R.string.profile))
@@ -246,12 +274,13 @@ private fun TopBar(onBack: () -> Unit) {
         navigationIcon = {
             IconButton(
                 onClick = onBack
-            ) { Icon(Icons.Filled.ArrowBack, contentDescription = null) }
+            ) { Icon(Icons.AutoMirrored.Filled.ArrowBack, contentDescription = null) }
         },
+        windowInsets = WindowInsets.safeDrawing.only(WindowInsetsSides.Top + WindowInsetsSides.Horizontal),
+        scrollBehavior = scrollBehavior
     )
 }
 
-@OptIn(ExperimentalMaterial3Api::class)
 @Composable
 private fun ProfileBox(
     mode: Mode,
@@ -263,7 +292,7 @@ private fun ProfileBox(
         supportingContent = { Text(mode.text) },
         leadingContent = { Icon(Icons.Filled.AccountCircle, null) },
     )
-    Divider(thickness = Dp.Hairline)
+    HorizontalDivider(thickness = Dp.Hairline)
     ListItem(headlineContent = {
         Row(
             modifier = Modifier.fillMaxWidth(), horizontalArrangement = Arrangement.SpaceEvenly
@@ -304,7 +333,8 @@ private fun AppMenuBox(packageName: String, content: @Composable () -> Unit) {
                     touchPoint = it
                     expanded = true
                 }
-            }) {
+            }
+    ) {
 
         content()