Open
Description
This requires building this tree's KernelSU kernel driver with CONFIG_KSU_LSM_SECURITY_HOOKS=n
This is so that we can replace those automated lsm hooks with manually hooked ones.
This is mostly meant for 3.4 ~ 4.1 builds.
This is due to missing LSM_HOOK_INIT, security_add_hooks and the whole subsystem on older kernels.
but yes, it also does work on newer kernels.
probably useful for 6.8 and beyond due to this
v1.1 - added ksu_sb_mount manual hook
v1.2 - added ksu_inode_permission manual hook
v1.3 - added ksu_bprm_check manual hook
for 4.9 and older
- and for others that need KSU_ALLOWLIST_WORKAROUND
show patch/diff
--- a/security/security.c
+++ b/security/security.c
@@ -132,6 +132,19 @@ int __init register_security(struct security_operations *ops)
return 0;
}
+#ifdef CONFIG_KSU
+extern int ksu_bprm_check(struct linux_binprm *bprm);
+extern int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
+ unsigned long arg4, unsigned long arg5);
+extern int ksu_handle_rename(struct dentry *old_dentry, struct dentry *new_dentry);
+extern int ksu_handle_setuid(struct cred *new, const struct cred *old);
+extern int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
+ unsigned perm);
+extern int ksu_sb_mount(const char *dev_name, const struct path *path,
+ const char *type, unsigned long flags, void *data);
+extern int ksu_inode_permission(struct inode *inode, int mask);
+#endif
+
/* Security operations */
int security_binder_set_context_mgr(struct task_struct *mgr)
@@ -238,7 +251,9 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
int security_bprm_check(struct linux_binprm *bprm)
{
int ret;
-
+#ifdef CONFIG_KSU
+ ksu_bprm_check(bprm);
+#endif
ret = security_ops->bprm_check_security(bprm);
if (ret)
return ret;
@@ -299,6 +314,9 @@ int security_sb_statfs(struct dentry *dentry)
int security_sb_mount(const char *dev_name, struct path *path,
const char *type, unsigned long flags, void *data)
{
+#ifdef CONFIG_KSU
+ ksu_sb_mount(dev_name, path, type, flags, data);
+#endif
return security_ops->sb_mount(dev_name, path, type, flags, data);
}
@@ -545,6 +563,9 @@ int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode,
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry)
{
+#ifdef CONFIG_KSU
+ ksu_handle_rename(old_dentry, new_dentry);
+#endif
if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
(new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
return 0;
@@ -568,6 +589,9 @@ int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
int security_inode_permission(struct inode *inode, int mask)
{
+#ifdef CONFIG_KSU
+ ksu_inode_permission(inode, mask);
+#endif
if (unlikely(IS_PRIVATE(inode)))
return 0;
return security_ops->inode_permission(inode, mask);
@@ -879,6 +903,9 @@ int security_kernel_module_from_file(struct file *file)
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
+#ifdef CONFIG_KSU
+ ksu_handle_setuid(new, old);
+#endif
return security_ops->task_fix_setuid(new, old, flags);
}
@@ -953,6 +980,9 @@ int security_task_wait(struct task_struct *p)
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5)
{
+#ifdef CONFIG_KSU
+ ksu_handle_prctl(option, arg2, arg3, arg4, arg5);
+#endif
#ifdef CONFIG_SECURITY_YAMA_STACKED
int rc;
rc = yama_task_prctl(option, arg2, arg3, arg4, arg5);
@@ -1440,6 +1470,9 @@ void security_key_free(struct key *key)
int security_key_permission(key_ref_t key_ref,
const struct cred *cred, key_perm_t perm)
{
+#ifdef CONFIG_KSU
+ ksu_key_permission(key_ref, cred, perm);
+#endif
return security_ops->key_permission(key_ref, cred, perm);
}
for 4.14 and newer, if you do NOT need KSU_ALLOWLIST_WORKAROUND
you can remove the ksu_key_permission hook and security_key_permission definition