process tagging bullshit

for: tiann#3378

https://elixir.bootlin.com/linux/v7.0-rc6/source/arch/arm64/include/asm/thread_info.h
https://elixir.bootlin.com/linux/v7.0-rc6/source/arch/arm/include/asm/thread_info.h

Update sucompat.c

1

for: tiann#3378

ximi-mojito-test/mojito_krenol@d961afa

[   72.716077] KernelSU: task_alloc: uid: 10204 pid: 5188
[   72.716516] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5576 comm: com.termux
[   72.718024] KernelSU: task_alloc: uid: 10204 pid: 5188
[   72.718604] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5576 comm: com.termux
[   72.733396] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.734067] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5580 comm: login
[   72.762384] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.764152] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5581 comm: login
[   72.769936] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.770506] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5582 comm: login
[   72.777585] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.779238] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.782688] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5584 comm: login
[   72.792786] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.795331] KernelSU: task_alloc: uid: 10204 pid: 5576
[   72.796197] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5586 comm: login
[   72.810608] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5586 comm: bash
[   72.820124] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5576 comm: login
[   72.845099] KernelSU: task_alloc: uid: 10204 pid: 5188
[   72.854435] KernelSU: task_alloc: uid: 10204 pid: 5568
[   72.877155] KernelSU: task_alloc: uid: 10204 pid: 5188
[   73.142322] KernelSU: task_alloc: uid: 10204 pid: 5546
[   73.318306] KernelSU: task_alloc: uid: 10204 pid: 5188
[   73.324878] KernelSU: task_alloc: uid: 10204 pid: 5600
[   77.861947] KernelSU: task_alloc: uid: 10204 pid: 5576
[   77.865438] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5619 comm: bash
[   77.870812] KernelSU: faccessat su->sh!
[   77.870877] KernelSU: faccessat su->sh!
[   77.871118] KernelSU: sys_execve su->ksud!
[   77.871199] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5619 comm: sh
[   77.876575] KernelSU: sys_reboot: intercepted call! magic: 0xdeadbeef id: -889275714
[   77.876581] KernelSU: ksu fd installed: 3 for pid 5619
[   77.876582] KernelSU: [5619] install ksu fd: 3
[   77.876671] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5619 comm: ksud
[   77.877275] KernelSU: ksu fd released
[   81.746578] KernelSU: task_alloc: uid: 0 pid: 5619
[   81.747869] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5709 comm: sh
[   87.314972] KernelSU: task_alloc: uid: 0 pid: 5619
[   87.316569] KernelSU: ksu_bprm_check: ksu managed task found with pid: 5721 comm: sh

Author: backslashxx

kernel/feature/sucompat.c

@@ -66,9 +66,14 @@ static __always_inline bool is_su_allowed(const void **ptr_to_check)
 	if (likely(!!current->seccomp.mode))
 		return false;
 
+	if (!test_thread_flag(TIF_KSU_MANAGED))
+		return false;
+
+#if 0
 	// with seccomp check above, we can make this neutral
 	if (!ksu_is_allow_uid_for_current(current_uid().val))
 		return false;
+#endif
 
 	// first check the pointer-to-pointer
 	if (unlikely(!ptr_to_check))

kernel/hook/core_hook.c

@@ -62,11 +62,13 @@ LSM_HANDLER_TYPE ksu_handle_setuid(struct cred *new, const struct cred *old)
 		disable_seccomp();
 		pr_info("install fd for: %d\n", new_uid);
 		ksu_install_fd();
+		set_thread_flag(TIF_KSU_MANAGED);
 		return 0;
 	}
 
 	if (unlikely(ksu_is_allow_uid_for_current(new_uid))) {
 		disable_seccomp();
+		set_thread_flag(TIF_KSU_MANAGED);
 		return 0;
 	}
 
@@ -80,6 +82,13 @@ LSM_HANDLER_TYPE ksu_bprm_check(struct linux_binprm *bprm)
 		ksu_sulog_emit_bprm((const char *)bprm->filename);
 #endif
 
+#if 0
+	if (unlikely(test_thread_flag(TIF_KSU_MANAGED))) {
+		pr_info("%s: ksu managed task found with pid: %d comm: %s \n", __func__, current->pid, current->comm);
+		clear_thread_flag(TIF_KSU_MANAGED);
+	}
+#endif
+
 	if (likely(!ksu_execveat_hook))
 		return 0;
 
@@ -100,6 +109,21 @@ LSM_HANDLER_TYPE ksu_file_permission(struct file *file, int mask)
 	return 0;
 }
 
+LSM_HANDLER_TYPE ksu_task_alloc(struct task_struct *p, unsigned long clone_flags)
+{
+	uid_t child_uid = p->cred->uid.val; // new uid being prepped
+
+	if (likely(!ksu_is_allow_uid_for_current(child_uid)))
+		return 0;
+
+	if (IS_ENABLED(CONFIG_KSU_DEBUG))
+		pr_info("%s: uid: %d pid: %d\n", __func__, child_uid, p->pid);
+	
+	set_ti_thread_flag(task_thread_info(p), TIF_KSU_MANAGED);
+
+	return 0;
+}
+
 #ifdef CONFIG_KSU_LSM_SECURITY_HOOKS
 static int ksu_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
 			    struct inode *new_inode, struct dentry *new_dentry)
@@ -118,6 +142,8 @@ static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
 	LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
+	LSM_HOOK_INIT(task_alloc, ksu_task_alloc),
+
 #if !defined(CONFIG_KSU_TAMPER_SYSCALL_TABLE) && !defined(CONFIG_KSU_KPROBES_KSUD)
 	LSM_HOOK_INIT(file_permission, ksu_file_permission),
 #endif

kernel/kernel_compat.h

@@ -315,4 +315,19 @@ static inline ksu_kuid_t current_uid() { return *(ksu_kuid_t *)(&current_cred()-
 static inline ksu_kuid_t current_euid() { return *(ksu_kuid_t *)(&current_cred()->euid); }
 #endif // < 3.14
 
+// its free real estate, this is ulong so wordsize.
+// https://elixir.bootlin.com/linux/v7.0-rc6/source/arch/arm64/include/asm/thread_info.h
+// https://elixir.bootlin.com/linux/v7.0-rc6/source/arch/arm/include/asm/thread_info.h
+#if defined(CONFIG_64BIT)
+#define TIF_KSU_MANAGED		60
+#define TIF_KSU_RESERVED_61	61
+#define TIF_KSU_RESERVED_62	62
+#define TIF_KSU_RESERVED_63	63
+#else
+#define TIF_KSU_MANAGED		28
+#define TIF_KSU_RESERVED_29	29
+#define TIF_KSU_RESERVED_30	30
+#define TIF_KSU_RESERVED_31	31
+#endif
+
 #endif // __KSU_H_KERNEL_COMPAT