scope-minimized manual hooks v2.2

[backslashxx]

This refactors original KSU hooks to replace deep kernel function hooks with targeted hooks.
This backports KernelSU pr#1657 and having pr#2084 elements (32-bit sucompat).
It reduces the scope of kernel function interception and still maintains full fucntionality.

notes:

• If you're somehow building for 6.8+ make sure to also apply: manual security hooks v2.0 #7
• if you're on a custom rom and wants to hide adb root on selinuxfs, install this ksu module
• on 3.0 to 5.4 ARM / ARM64^[1][2], try CONFIG_KSU_TAMPER_SYSCALL_TABLE=y and you can skip^[3] the following hooks:
  • execve
  • sys_faccessat
  • sys_newfstatat
  • sys_newfstat ret_hook
  • sys_reboot

^[1] make sure to disable CFI / CLANG_CFI
^[2] it also works on 5.10+, but you need to disable CFI, a no go for GKI.
^[3] make sure to remove listed hooks when doing this!

🟢 execve hook

• for sucompat
• choose one which suits your kernel version

show patch/diff (7.0+ via sys_execve)

--- fs/exec.c
+++ fs/exec.c
@@ -1921,11 +1921,20 @@
 
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_execve(const char __user **filename_user,
+			void *argv, void *envp);
+#endif
+
 SYSCALL_DEFINE3(execve,
		const char __user *, filename,
		const char __user *const __user *, argv,
		const char __user *const __user *, envp)
{
+#ifdef CONFIG_KSU
+	ksu_handle_execve(&filename, &argv, &envp);
+#endif
	CLASS(filename, name)(filename);
	return do_execveat_common(AT_FDCWD, name,
				  native_arg(argv), native_arg(envp), 0);
}

@@ -1953,6 +1962,9 @@
COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
	const compat_uptr_t __user *, argv,
	const compat_uptr_t __user *, envp)
{
+#ifdef CONFIG_KSU // 32-bit
+	ksu_handle_execve(&filename, &argv, &envp);
+#endif
	CLASS(filename, name)(filename);
	return do_execveat_common(AT_FDCWD, name,
				  compat_arg(argv), compat_arg(envp), 0);
}

show patch/diff (3.18+ via do_execve)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1886,12 +1886,26 @@ static int do_execveat_common(int fd, struct filename *filename,
 	return retval;
 }
 
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_execveat(int *fd, struct filename **filename_ptr,
+				void *argv, void *envp, int *flags);
+#endif
+
 int do_execve(struct filename *filename,
 	const char __user *const __user *__argv,
 	const char __user *const __user *__envp)
 {
 	struct user_arg_ptr argv = { .ptr.native = __argv };
 	struct user_arg_ptr envp = { .ptr.native = __envp };
+#ifdef CONFIG_KSU
+	ksu_handle_execveat((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+#endif
 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
 }
 
@@ -1919,6 +1933,10 @@
static int compat_do_execve(struct filename *filename,
 		.is_compat = true,
 		.ptr.compat = __envp,
 	};
+#ifdef CONFIG_KSU // 32-bit ksud and 32-on-64 support
+	ksu_handle_execveat((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+#endif
 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
 }
 

show patch/diff (3.18, via do_execve_common)

• for 3.18, we can repurpose upstream's do_execveat_common hook for do_execve_common
• no sys_execveat on <= 3.18, so this makes sense instead of hooking sys_execve + compat_sys_execve
• take note: struct filename *filename

--- a/fs/exec.c
+++ b/fs/exec.c
/*
 * sys_execve() executes a new program.
 */
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_execveat(int *fd,
+			struct filename **filename_ptr,
+			void *argv, void *envp, int *flags);
+#endif
+
static int do_execve_common(struct filename *filename,
				struct user_arg_ptr argv,
				struct user_arg_ptr envp)
{
	struct linux_binprm *bprm;
	struct file *file;
	struct files_struct *displaced;
	int retval;

	if (IS_ERR(filename))
		return PTR_ERR(filename);

+#ifdef CONFIG_KSU
+	ksu_handle_execveat((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+#endif
	/*
	 * We move the actual failure in case of RLIMIT_NPROC excess from
	 * set*uid() to execve() because too many poorly written programs

show patch/diff (3.0 - 3.10, via do_execve_common)

• for <= 3.10, this repo provides a handler for do_execve_common
• no sys_execveat on <= 3.18, so this makes sense instead of hooking sys_execve + compat_sys_execve
• take note: const char *filename

/*
 * sys_execve() executes a new program.
 */
+
+#ifdef CONFIG_KSU
+__attribute__((hot)) 
+extern int ksu_legacy_execve_sucompat(const char **filename_ptr, void *argv, void *envp);
+#endif
+
static int do_execve_common(const char *filename,
				struct user_arg_ptr argv,
				struct user_arg_ptr envp)
{
	struct linux_binprm *bprm;
	struct file *file;
	struct files_struct *displaced;
	bool clear_in_exec;
	int retval;
	const struct cred *cred = current_cred();
+
+#ifdef CONFIG_KSU
+	ksu_legacy_execve_sucompat(&filename, &argv, &envp);
+#endif
+
	/*
	 * We move the actual failure in case of RLIMIT_NPROC excess from
	 * set*uid() to execve() because too many poorly written programs

🟢 sys_faccessat hook

• for sucompat
• from original guide
• hook sys_faccessat even if you have do_faccessat, this is for scope minimization.

show patch/diff (4.19 and newer)

--- a/fs/open.c
+++ b/fs/open.c
+#ifdef CONFIG_KSU
+__attribute__((hot)) 
+extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user,
+				int *mode, int *flags);
+#endif
+
 SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
 {
+#ifdef CONFIG_KSU
+	ksu_handle_faccessat(&dfd, &filename, &mode, NULL);
+#endif
 	return do_faccessat(dfd, filename, mode);
 }
 

show patch/diff (4.14 and older)

--- a/fs/open.c
+++ b/fs/open.c
+#ifdef CONFIG_KSU
+__attribute__((hot)) 
+extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user,
+				int *mode, int *flags);
+#endif
+
/*
 * access() needs to use the real uid/gid, not the effective uid/gid.
 * We do this by temporarily clearing all FS-related capabilities and
 * switching the fsuid/fsgid around to the real ones.
 */
SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
{
	const struct cred *old_cred;
	struct cred *override_cred;
	struct path path;
	struct inode *inode;
	int res;
	unsigned int lookup_flags = LOOKUP_FOLLOW;
 
+#ifdef CONFIG_KSU
+	ksu_handle_faccessat(&dfd, &filename, &mode, NULL);
+#endif
+
 	if (mode & ~S_IRWXO)	/* where's F_OK, X_OK, W_OK, R_OK? */
 		return -EINVAL;
 

🟢 sys_newfstatat hook

• for sucompat
• scope minimized
• you now have to hook sys_newfstatat, instead of vfs_statx()
• optionally hook sys_fstatat64 if 32-bit su is needed.

show patch/diff

--- a/fs/stat.c
+++ b/fs/stat.c
@@ -353,6 +353,10 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename,
 	return cp_new_stat(&stat, statbuf);
 }
 
+#ifdef CONFIG_KSU
+__attribute__((hot)) 
+extern int ksu_handle_stat(int *dfd, const char __user **filename_user,
+				int *flags);
+#endif
+

#if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT)
SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
		struct stat __user *, statbuf, int, flag)
{
	struct kstat stat;
	int error;

+#ifdef CONFIG_KSU
+	ksu_handle_stat(&dfd, &filename, &flag);
+#endif
 	error = vfs_fstatat(dfd, filename, &stat, flag);
 	if (error)
 		return error;
@@ -504,6 +511,9 @@ 
SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
		struct stat64 __user *, statbuf, int, flag)
{
	struct kstat stat;
	int error;
 
+#ifdef CONFIG_KSU // 32-bit su
+	ksu_handle_stat(&dfd, &filename, &flag); 
+#endif
 	error = vfs_fstatat(dfd, filename, &stat, flag);
 	if (error)
 		return error;

🟢 sys_newfstat ret_hook

• introduced upstream by kernel: ksud: Refine rc injection, fix issue of Android Canary 2601
• needed for later Android 16 and Android 17
• go to fs/stat.c and hook newfstat before it returns
• optionally hook sys_fstat64 for 32-bit, 32-on-64. (likely not needed though)

show patch/diff

--- a/fs/stat.c
+++ b/fs/stat.c
@@ -364,X +364,XX @@  
+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+extern void ksu_handle_newfstat_ret(unsigned int *fd, struct stat __user **statbuf_ptr);
+#if defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_COMPAT_STAT64)
+extern void ksu_handle_fstat64_ret(unsigned long *fd, struct stat64 __user **statbuf_ptr); // for 32-bit
+#endif
+#endif
+
SYSCALL_DEFINE2(newfstat, unsigned int, fd, struct stat __user *, statbuf)
{
	struct kstat stat;
	int error = vfs_fstat(fd, &stat);

	if (!error)
		error = cp_new_stat(&stat, statbuf);

+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+	ksu_handle_newfstat_ret(&fd, &statbuf);
+#endif
	return error;

 
@@ -490,X +497,X @@
SYSCALL_DEFINE2(fstat64, unsigned long, fd, struct stat64 __user *, statbuf)
{
	struct kstat stat;
	int error = vfs_fstat(fd, &stat);

	if (!error)
		error = cp_new_stat64(&stat, statbuf);

+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD) // for 32-bit
+	ksu_handle_fstat64_ret(&fd, &statbuf);
+#endif
	return error;
}

🟢 sys_reboot hook

• this is needed by new KernelSU supercall introduced at 12143
• just go to where sys_reboot is and hook right on its entry.

show patch/diff (3.18+)

--- a/kernel/reboot.c
+++ b/kernel/reboot.c
@@ -277,6 +277,11 @@ 
  *
  * reboot doesn't sync: do that yourself before calling this.
  */
+
+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg);
+#endif
+
SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
		void __user *, arg)
{
	struct pid_namespace *pid_ns = task_active_pid_ns(current);
	char buffer[256];
	int ret = 0;
 
+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+	ksu_handle_sys_reboot(magic1, magic2, cmd, &arg);
+#endif
 	/* We only trust the superuser with rebooting the system. */
 	if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT))
 		return -EPERM;

show patch/diff (3.0~3.10)

--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -463,6 +463,11 @@ 
  *
  * reboot doesn't sync: do that yourself before calling this.
  */
+
+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg);
+#endif
+
SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
		void __user *, arg)
{
	struct pid_namespace *pid_ns = task_active_pid_ns(current);
	char buffer[256];
	int ret = 0;
 
+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_KSUD)
+	ksu_handle_sys_reboot(magic1, magic2, cmd, &arg);
+#endif
+
 	/* We only trust the superuser with rebooting the system. */
 	if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT))
 		return -EPERM;

🟡 policy_rwlock

• this is OPTIONAL, nice to have but NOT required.
• ‼️ mostly only for 3.0 ~ 4.9, maybe 4.14
• most 4.14 kernels does NOT need this though (due to selinux_state backported by ACK)
• if you can't find it or too lazy don't bother with it
• basically you just remove "static" on policy_rwlock's definition

show patch/diff

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -74,7 +74,7 @@
 int selinux_android_netlink_route;
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 
-static DEFINE_RWLOCK(policy_rwlock);
+DEFINE_RWLOCK(policy_rwlock);
 
 static struct sidtab sidtab;
 struct policydb policydb;

🟡 slow_avc_audit

• this is OPTIONAL, and can be handled on userspace
• this is not a standard ksu feature, but its here if you want it

show patch/diff

--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c

+#if defined(CONFIG_KSU) && !defined(CONFIG_KPROBES)
+extern void ksu_slow_avc_audit(u32 *tsid);
+#endif

/* This is the slow part of avc audit with big stack footprint */
noinline int slow_avc_audit(struct selinux_state *state,
			    u32 ssid, u32 tsid, u16 tclass,
			    u32 requested, u32 audited, u32 denied, int result,
			    struct common_audit_data *a,
			    unsigned int flags)
{
	struct common_audit_data stack_data;
	struct selinux_audit_data sad;

+#if defined(CONFIG_KSU) && !defined(CONFIG_KPROBES)
+	ksu_slow_avc_audit(&tsid);
+#endif
	if (!a) {
		a = &stack_data;
		a->type = LSM_AUDIT_DATA_NONE;

Revisions

• v1.1, add ksu_handle_compat_execve_ksud for 32-on-64 usecase, deprecate do_execve hooking.
• v1.2, deprecate devpts hooking
• v1.3, add is_ksu_transition handler (selinux "hook")
  • 250611, edit: remove "ksu_execveat_hook" check for selinux hook
  • reported by @edenadversary
• v1.4, multiple changes
  • add walk_component for UL
  • mark sucompat hooks as __attribute__((hot, always_inline))
    • ksu_handle_execve_sucompat, ksu_handle_faccessat, ksu_handle_stat
    • 250612, edit: remove always_inline for old compiler compatibility.
• v1.5, multiple changes
  • deprecate execve_ksud handlers in favor of LSM hooking
  • edit walk_component for 3.10 for clarity.
  • add ksu_legacy_execve_sucompat for do_execve_common as another option for 3.0~3.10
  • add getname_flags handlers and hooks
  • added hybridization notes
    • 250922, kprobe support added for sys_read and input_event
    • 250925, kprobe replacement for selinux_hook
    • 250925, added cold attribute to sys_read and input_event
  • added vfs_statx >= 5.18 handler documentation
  • remove old commit links, people are likely smart enough to look for them anyway
• v1.6, sys_reboot hook for new supercall
  • 251123, added a kthread flag for walk_component's check
• v1.7, deprecate sys_read / vfs_read
  • this has been migrated to security_file_permission LSM
    • kernel: ksud: migrate ksu_install_rc_hook to security_file_permission LSM
  • dummies will be kept for two months (260101), removed 260301
• v1.8, deprecate input_hook
  • deprecate input hook in favor of a real input handler
    • kernel: ksud: replace input hook with an input handler
      
  • dummies will be kept for two months (260108), removed 260308
  • post about CONFIG_KSU_TAMPER_SYSCALL_TABLE=y
• v1.9, multiple changes
  • deprecate is_ksu_transition
    • this is now deprecated in favor of escaping ksud exec by init to root
    • dummies will be kept for two months (260114) , removed 260314
  • add sys_newfstat ret hook
  • deprecate walk_component "hook" after fixing deadlocks
    • kernel: throne_tracker: fixup deadlocks on iterate_dir
• v2.0, multiple changes
  • tell about optional policy rwlock's exposure
  • deprecate getname_flags handlers
  • move "expose selinux_ops" here
  • remove sys_execve hooking from suggestions, to lessen confusion
  • tweak ksu_legacy_execve_sucompat a little
  • mark selinux_ops exposure as optional
  • proper guards for newfstat_ret and sys_reboot hooks to prevent double hooking
• v2.1, multiple changes
  • add execve handling for k7.0
    • NOTE: kexecve was considered, but sys_execve is much more assured going forward tiann@0b106c7
  • add selinux_hide handlers
  • add selinux_setprocattr handler
  • deprecate selinux_setprocattr for < 6.8, we just unhook it on LSM instead
  • deprecate selinux_ops exposure, scanner is pretty reliable already
  • move ksu_hide_setprocattr to manual security hooks
  • break selinux_hide to selinux_transaction_write and slow_avc_audit
• v2.2, deprecate selinux_hide hooks
  • we hijack selinuxfs f_op instead
  • ksu_sel_write_context on selinux_transaction_write manual hook will be kept in a month (260520)
  • yes basically, v2.2 is same as 2.0

[backslashxx]

show deprecated

🟢 selinux_transaction_write hook

• added by upstream: tiann@0efe3cf tiann@3f388ef
• this is needed for selinux_hide feature to work

show patch/diff

--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c


+#if defined(CONFIG_KSU) && !defined(CONFIG_KPROBES)
+extern void ksu_sel_write_context(struct file **file, char **buf, size_t *size);
+#endif

static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
{
	ino_t ino = file_inode(file)->i_ino;
	char *data;
	ssize_t rv;

	if (ino >= ARRAY_SIZE(write_op) || !write_op[ino])
		return -EINVAL;

	data = simple_transaction_get(file, buf, size);
	if (IS_ERR(data))
		return PTR_ERR(data);

+#if defined(CONFIG_KSU) && !defined(CONFIG_KPROBES)
+	ksu_sel_write_context(&file, &data, &size);
+#endif

	rv = write_op[ino](file, data, size);
	if (rv > 0) {
		simple_transaction_set(file, rv);

selinux_setprocattr (6.8+)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c

+#ifdef CONFIG_KSU
+extern int ksu_hide_setprocattr(const char *name, void *value, size_t size);
+#endif

static int selinux_setprocattr(const char *name, void *value, size_t size)
{
	int attr = lsm_name_to_attr(name);

+#ifdef CONFIG_KSU
+	ksu_hide_setprocattr(name, value, size);
+#endif

	if (attr)
		return selinux_lsm_setattr(attr, value, size);
	return -EINVAL;
}

selinux_setprocattr (4.14+)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c


+#ifdef CONFIG_KSU
+extern int ksu_hide_setprocattr(const char *name, void *value, size_t size);
+#endif

static int selinux_setprocattr(const char *name, void *value, size_t size)
{
	struct task_security_struct *tsec;
	struct cred *new;
	u32 mysid = current_sid(), sid = 0, ptsid;
	int error;
	char *str = value;

+#ifdef CONFIG_KSU
+	ksu_hide_setprocattr(name, value, size);
+#endif

	/*
	 * Basic control over ability to set these attributes at all.

selinux_setprocattr (4.4/4.9)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c


+#ifdef CONFIG_KSU
+extern int ksu_hide_setprocattr(const char *name, void *value, size_t size);
+#endif

static int selinux_setprocattr(struct task_struct *p,
			       char *name, void *value, size_t size)
{
	struct task_security_struct *tsec;
	struct cred *new;
	u32 sid = 0, ptsid;
	int error;
	char *str = value;

+#ifdef CONFIG_KSU
+	ksu_hide_setprocattr(name, value, size);
+#endif

	if (current != p) {

🟡 selinux_ops

• this is OPTIONAL, nice to have but NOT required.
• ‼️ only for 3.0 ~ 3.18
• on 3.x, theres no LSM_HOOK_INIT / security_add_hooks.
• so we need this small hack, to "stack" our hooks on top of selinux's
• basically you just remove "static" on selinux_ops

show patch reference

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -XXXX,X +XXXX,X @@ 

-static struct security_operations selinux_ops = {
+struct security_operations selinux_ops = {
 	.name =				"selinux",
 

🟡 sys_execve

show patch/diff (7.0+ kexecve)

--- a/exec.c
+++ b/exec.c
@@ -1921,12 +1921,20 @@ static inline struct user_arg_ptr native_arg(const char __user *const __user *p)
        return (struct user_arg_ptr){.ptr.native = p};
 }
 
+#ifdef CONFIG_KSU
+__attribute__((hot)) extern int ksu_handle_kexecve(int *fd, struct filename **name, 
+			struct user_arg_ptr argv, struct user_arg_ptr envp, int *flags);
+#endif
+
 SYSCALL_DEFINE3(execve,
                const char __user *, filename,
                const char __user *const __user *, argv,
                const char __user *const __user *, envp)
 {
        CLASS(filename, name)(filename);
+#ifdef CONFIG_KSU
+       ksu_handle_kexecve((int *)AT_FDCWD, &name, native_arg(argv), native_arg(envp), NULL);
+#endif
        return do_execveat_common(AT_FDCWD, name,
                                  native_arg(argv), native_arg(envp), 0);
 }
@@ -1954,6 +1962,9 @@ 
COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
	const compat_uptr_t __user *, argv,
	const compat_uptr_t __user *, envp)
{
	CLASS(filename, name)(filename);
+#ifdef CONFIG_KSU // for 32-bit
+       ksu_handle_kexecve((int *)AT_FDCWD, &name, compat_arg(argv), compat_arg(envp), NULL);
+#endif
	return do_execveat_common(AT_FDCWD, name,
				  compat_arg(argv), compat_arg(envp), 0);
} 

show patch/diff (3.18+ via sys_execve)

• just put the hook right at syscall entry

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1968,11 +1968,22 @@ void set_dumpable(struct mm_struct *mm, int value)
 	} while (cmpxchg(&mm->flags, old, new) != old);
 }
 
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_execve_sucompat(int *fd,	const char __user **filename_user,
+				void *__never_use_argv,	void *__never_use_envp,
+				int *__never_use_flags);
+#endif
+
 SYSCALL_DEFINE3(execve,
 		const char __user *, filename,
 		const char __user *const __user *, argv,
 		const char __user *const __user *, envp)
 {
+#ifdef CONFIG_KSU
+	ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return do_execve(getname(filename), argv, envp);
 }
 
@@ -1994,6 +2005,9 @@
COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
 	const compat_uptr_t __user *, argv,
 	const compat_uptr_t __user *, envp)
 {
+#ifdef CONFIG_KSU // 32-bit ksud and 32-on-64 support
+	ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return compat_do_execve(getname(filename), argv, envp);
 }

show patch/diff (3.10, via sys_execve)

• for 3.10, just hook right at the entrance of sys_execve / compat_sys_execve

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1736,11 +1736,22 @@ int get_dumpable(struct mm_struct *mm)
 	return __get_dumpable(mm->flags);
 }
 
+#ifdef CONFIG_KSU
+__attribute__((hot)) 
+extern int ksu_handle_execve_sucompat(int *fd,	const char __user **filename_user,
+				void *__never_use_argv, void *__never_use_envp,
+				int *__never_use_flags);
+#endif
+
 SYSCALL_DEFINE3(execve,
 		const char __user *, filename,
 		const char __user *const __user *, argv,
 		const char __user *const __user *, envp)
 {
+#ifdef CONFIG_KSU
+	ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	struct filename *path = getname(filename);
 	int error = PTR_ERR(path);
 	if (!IS_ERR(path)) {
@@ -1754,6 +1765,9 @@
asmlinkage long compat_sys_execve(const char __user * filename,
 	const compat_uptr_t __user * argv,
 	const compat_uptr_t __user * envp)
 {
+#ifdef CONFIG_KSU // 32-bit sucompat and 32-on-64 support
+	ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	struct filename *path = getname(filename);
 	int error = PTR_ERR(path);
 	if (!IS_ERR(path)) {

show patch/diff (3.0 / 3.4, via sys_execve)

• for 3.0 / 3.4, handling this is a bit different.
• The location of the syscall is on arch/$ARCH/kernel/sys_$ARCH.c
• you must pass filenamei to the hook which is what the syscall received.

--- a/arch/arm/kernel/sys_arm.c
+++ b/arch/arm/kernel/sys_arm.c
@@ -62,13 +62,26 @@ asmlinkage int sys_vfork(struct pt_regs *regs)
 /* sys_execve() executes a new program.
  * This is called indirectly via a small wrapper
  */
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_execve_sucompat(int *fd,	const char __user **filename_user,
+				void *__never_use_argv, void *__never_use_envp,
+				int *__never_use_flags);
+#endif
+ 
asmlinkage int sys_execve(const char __user *filenamei,
 			  const char __user *const __user *argv,
 			  const char __user *const __user *envp, struct pt_regs *regs)
 {
 	int error;
 	struct filename *filename;
-
+#ifdef CONFIG_KSU
+	ksu_handle_execve_sucompat((int *)AT_FDCWD, &filenamei, NULL, NULL, NULL);
+#endif
 	filename = getname(filenamei);
 	error = PTR_ERR(filename);
 	if (IS_ERR(filename))

🟡 getname_flags hook

• ‼️ ALL fs-related syscalls will be hooked! think of it like an ultimatum hook!
• this is mostly for debugging
• this hook will replace sys_execve, sys_faccessat and sys_newfstatat hooks.
• it is highly suggested to remove them if you want to use this!
• choose only one, these are ordered via preference/performance

show patch/diff (hijacking return)

• just put the hook before it returns result

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -130,6 +130,10 @@
 
 #define EMBEDDED_NAME_MAX	(PATH_MAX - offsetof(struct filename, iname))
 
+#ifdef CONFIG_KSU
+extern int ksu_getname_flags_kernel(char **kname, int flags);
+#endif
+
 struct filename *
 getname_flags(const char __user *filename, int flags, int *empty)
 {
@@ -206,6 +210,9 @@ getname_flags(const char __user *filename, int flags, int *empty)
 	result->uptr = filename;
 	result->aname = NULL;
 	audit_getname(result);
+#ifdef CONFIG_KSU
+	ksu_getname_flags_kernel((char **)&result->name, flags);
+#endif
 	return result;
 }

show patch/diff (hijacking kname)

• around +57% overhead for getname_flags()
• benchmark
• just put the hook after that usercopy

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -130,6 +130,10 @@ void final_putname(struct filename *name)
 
 #define EMBEDDED_NAME_MAX	(PATH_MAX - sizeof(struct filename))
 
+#ifdef CONFIG_KSU
+extern int ksu_getname_flags_kernel(char **kname, int flags);
+#endif
+
 static struct filename *
 getname_flags(const char __user *filename, int flags, int *empty)
 {
@@ -162,6 +166,9 @@ getname_flags(const char __user *filename, int flags, int *empty)
 		goto error;
 	}
 
+#ifdef CONFIG_KSU
+	ksu_getname_flags_kernel(&kname, flags);
+#endif
 	/*
 	 * Uh-oh. We have a name that's approaching PATH_MAX. Allocate a
 	 * separate struct filename so we can dedicate the entire

show patch/diff (hijacking filename)

• around +66% overhead for getname_flags()
• benchmark
• just put the hook at function entry

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -130,6 +130,10 @@ void final_putname(struct filename *name)
 
 #define EMBEDDED_NAME_MAX	(PATH_MAX - sizeof(struct filename))
 
+#ifdef CONFIG_KSU
+extern int ksu_getname_flags_user(const char __user **filename_user, int flags);
+#endif
+
 static struct filename *
 getname_flags(const char __user *filename, int flags, int *empty)
 {
@@ -142,6 +142,9 @@ getname_flags(const char __user *filename, int flags, int *empty)
 	long max;
 	char *kname;
 
+#ifdef CONFIG_KSU
+	ksu_getname_flags_user(&filename, flags);
+#endif
 	result = audit_reusename(filename);
 	if (result)
 		return result;

Example:

• ximi-mojito-test/mojito_krenol@0f6edec
• ximi-libra-test/android_kernel_xiaomi_libra@267889e
• ximi-libra-test/android_kernel_xiaomi_libra@3c7aafe

🟡 walk_component

• ‼️ ONLY FOR 3.10 and 3.18, possibly 3.4
• a kthreaded throne_tracker is required so we have current->comm to strstr
• from kernelsu, fs: do not do lookup_slow if caller is throne_tracker kthread by @acroreiser

show patch/diff (3.10 / 3.18)

• ref: ximi-libra-test/android_kernel_xiaomi_libra@da937d8

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1609,6 +1609,13 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
 		return handle_dots(nd, nd->last_type);
 	err = lookup_fast(nd, path, &inode);
 	if (unlikely(err)) {
+#ifdef CONFIG_KSU
+		if (unlikely(current->flags & PF_KTHREAD)
+			&& !strcmp(current->comm, "throne_tracker")) {
+			err = -ENOENT;
+			goto out_err;
+		}
+#endif
 		if (err < 0)
 			goto out_err;
 

show patch/diff (3.4 - backported from 3.5)

• ref: acroreiser/android_kernel_lge_hammerhead@cc13ad6

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1543,7 +1543,11 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
 		if (err < 0)
 			goto out_err;
 
-		err = lookup_slow(nd, name, path);
+		if (strstr(current->comm, "throne_tracker") == NULL)
+			err = lookup_slow(nd, name, path);
+		else
+			err = -ENOENT;
+
 		if (err < 0)
 			goto out_err;
 

🟡 selinux hook

• this is now deprecated in favor of escaping ksud to root
• ‼️ ONLY FOR 4.9 AND OLDER
• this is needed so we can force allow init -> su transitions for ksud
• from allow init exec ksud under nosuid by @F-19-F
• ⚠️ if KPROBES is enabled and working on your 3.18/4.4/4.9 kernel, this manual hook is not needed.

show patch/diff (3.18 to 4.9)

• you will be adding it to check_nnp_nosuid

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
+#ifdef CONFIG_KSU
+extern bool is_ksu_transition(const struct task_security_struct *old_tsec, 
+				const struct task_security_struct *new_tsec);
+#endif

static int check_nnp_nosuid(const struct linux_binprm *bprm,
			    const struct task_security_struct *old_tsec,
			    const struct task_security_struct *new_tsec)
{
	int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
	int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
	int rc;

	if (!nnp && !nosuid)
		return 0; /* neither NNP nor nosuid */

	if (new_tsec->sid == old_tsec->sid)
		return 0; /* No change in credentials */
+
+#ifdef CONFIG_KSU
+	if (is_ksu_transition(old_tsec, new_tsec))
+		return 0;
+#endif

	/*
	 * The only transitions we permit under NNP or nosuid
	 * are transitions to bounded SIDs, i.e. SIDs that are

show patch/diff (3.10 and older)

• you will be adding it to selinux_bprm_set_creds
• make sure to put it after it after execve sid reset

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2100,6 +2100,12 @@ static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
 
 /* binprm security operations */
 
+#ifdef CONFIG_KSU
+extern bool is_ksu_transition(const struct task_security_struct *old_tsec,
+			const struct task_security_struct *new_tsec);
+#endif
+
 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 {
 	const struct task_security_struct *old_tsec;
@@ -2136,6 +2142,11 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
 		/* Reset exec SID on execve. */
 		new_tsec->exec_sid = 0;
 
+#ifdef CONFIG_KSU
+		if (is_ksu_transition(old_tsec, new_tsec))
+			return 0;
+#endif
 		/*
 		 * Minimize confusion: if no_new_privs and a transition is
 		 * explicitly requested, then fail the exec.

🟡 input hook

• ‼️WARNING: this is being deprecated in favor of an input handler!
• This hook is now uselesss.
• This will be removed in three months. (counting from 260108)
• for safemode feature
• you now have to hook input_event() instead of input_handle_event()
• this is just to be in line with upstream hooks
• ⚠️ if KPROBES is enabled and working on your kernel, this manual hook is not needed.

show patch/diff

--- a/drivers/input/input.c
+++ b/drivers/input/input.c
@@ -436,11 +436,22 @@ static void input_handle_event(struct input_dev *dev,
  * to 'seed' initial state of a switch or initial position of absolute
  * axis, etc.
  */
+#ifdef CONFIG_KSU
+extern bool ksu_input_hook __read_mostly;
+extern __attribute__((cold)) int ksu_handle_input_handle_event(
+			unsigned int *type, unsigned int *code, int *value);
+#endif
+
 void input_event(struct input_dev *dev,
 		 unsigned int type, unsigned int code, int value)
 {
 	unsigned long flags;
 
+#ifdef CONFIG_KSU
+	if (unlikely(ksu_input_hook))
+		ksu_handle_input_handle_event(&type, &code, &value);
+#endif
+
 	if (is_event_supported(type, dev->evbit, EV_MAX)) {
 
 		spin_lock_irqsave(&dev->event_lock, flags);

🟡 sys_read hook

• ‼️WARNING: this is being deprecated in favor of LSM hooking!
• This hook is now uselesss.
• This will be removed in three months. (counting from 260101)

show patch/diff (4.19 and newer)

--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -586,8 +586,18 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count)
 	return ret;
 }
 
+#ifdef CONFIG_KSU
+extern bool ksu_vfs_read_hook __read_mostly;
+extern __attribute__((cold)) int ksu_handle_sys_read(unsigned int fd,
+				char __user **buf_ptr, size_t *count_ptr);
+#endif
+
 SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
 {
+#ifdef CONFIG_KSU
+	if (unlikely(ksu_vfs_read_hook)) 
+		ksu_handle_sys_read(fd, &buf, &count);
+#endif
 	return ksys_read(fd, buf, count);
 }

show patch/diff (4.14 and older)

--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -568,11 +568,21 @@ static inline void file_pos_write(struct file *file, loff_t pos)
 		file->f_pos = pos;
 }
 
+#ifdef CONFIG_KSU
+extern bool ksu_vfs_read_hook __read_mostly;
+extern __attribute__((cold)) int ksu_handle_sys_read(unsigned int fd,
+				char __user **buf_ptr, size_t *count_ptr);
+#endif
+
 SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
 {
 	struct fd f = fdget_pos(fd);
 	ssize_t ret = -EBADF;
 
+#ifdef CONFIG_KSU
+	if (unlikely(ksu_vfs_read_hook)) 
+		ksu_handle_sys_read(fd, &buf, &count);
+#endif
 	if (f.file) {
 		loff_t pos = file_pos_read(f.file);
 		ret = vfs_read(f.file, buf, count, &pos);

sys_execve hook (old, if-else'd with _ksud)

• if you are building this repo's KernelSU, you can hook execve syscall directly.
• if not, add the following to your kernelsu driver:
  • kernel: ksud: add ksu_handle_execve_ksud
  • kernel: ksud: provide ksu_handle_compat_execve_ksud
  • kernel: sucompat: increase reliability of execve_sucompat
• this has been deprecated, but this will still work as I provided dummies for execve_ksud

show patch/diff (3.18+)

• thanks to selfmusing and 0ctobot for testing (4.14, 6.1)
• v1.1 edit, added ksu_handle_compat_execve_ksud on compat_sys_execve for 32-on-64 support

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1986,11 +1968,26 @@ void set_dumpable(struct mm_struct *mm, int value)
 	} while (cmpxchg(&mm->flags, old, new) != old);
 }
 
+#ifdef CONFIG_KSU
+extern bool ksu_execveat_hook __read_mostly;
+extern __attribute__((hot)) int ksu_handle_execve_sucompat(int *fd,
+			       const char __user **filename_user,
+			       void *__never_use_argv, void *__never_use_envp,
+			       int *__never_use_flags);
+extern int ksu_handle_execve_ksud(const char __user *filename_user,
+			const char __user *const __user *__argv);
+#ifdef CONFIG_COMPAT  // 32-on-64 support
+extern int ksu_handle_compat_execve_ksud(const char __user *filename_user,
+			const compat_uptr_t __user *__argv);
+#endif
+#endif
+
 SYSCALL_DEFINE3(execve,
 		const char __user *, filename,
 		const char __user *const __user *, argv,
 		const char __user *const __user *, envp)
 {
+#ifdef CONFIG_KSU
+	if (unlikely(ksu_execveat_hook))
+		ksu_handle_execve_ksud(filename, argv);
+	else
+		ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return do_execve(getname(filename), argv, envp);
 }
 
@@ -2012,6 +2009,10 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
 	const compat_uptr_t __user *, argv,
 	const compat_uptr_t __user *, envp)
 {
+#ifdef CONFIG_KSU // 32-bit su and 32-on-64 support
+	if (unlikely(ksu_execveat_hook))
+		ksu_handle_compat_execve_ksud(filename, argv);
+	else
+		ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return compat_do_execve(getname(filename), argv, envp);
 }

devpts hook

• this is being deprecated in favor of kernel: core_hook: intercept devpts via security_inode_permission LSM
• If you are building this repo's KernelSU, you do NOT need this hook anymore.
• this is kept for reference purposes

show patch/diff (4.9 and newer)

• this is just to be in line with upstream hooks
• take note: struct file *file,

--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -711,11 +711,18 @@ static struct tty_struct *ptm_unix98_lookup(struct tty_driver *driver,
  *	This provides our locking for the tty pointer.
  */
 
+#ifdef CONFIG_KSU
+extern int ksu_handle_devpts(struct inode*);
+#endif
+
 static struct tty_struct *pts_unix98_lookup(struct tty_driver *driver,
 		struct file *file, int idx)
 {
 	struct tty_struct *tty;
 
+#ifdef CONFIG_KSU
+	ksu_handle_devpts((struct inode *)file->f_path.dentry->d_inode);
+#endif
 	mutex_lock(&devpts_mutex);
 	tty = devpts_get_priv(file->f_path.dentry);
 	mutex_unlock(&devpts_mutex);

show patch/diff (4.4 and older)

• take note of struct inode *pts_inode
• thanks to sandatjepil for testing

--- a/drivers/tty/pty.c
+++ b/drivers/tty/pty.c
@@ -648,11 +648,19 @@ static struct tty_struct *ptm_unix98_lookup(struct tty_driver *driver,
  *	This provides our locking for the tty pointer.
  */
 
+#ifdef CONFIG_KSU
+extern int ksu_handle_devpts(struct inode*);
+#endif
+
 static struct tty_struct *pts_unix98_lookup(struct tty_driver *driver,
 		struct inode *pts_inode, int idx)
 {
 	struct tty_struct *tty;
 
+#ifdef CONFIG_KSU
+	ksu_handle_devpts(pts_inode);
+#endif
+
 	mutex_lock(&devpts_mutex);
 	tty = devpts_get_priv(pts_inode);
 	mutex_unlock(&devpts_mutex);

do_execve hook

• WARNING: this is being deprecated. If you can use sys_execve hooks, use it.
• this is kept for reference purposes

show patch/diff

• scope minimized
• you now have to hook do_execve(), instead of do_execveat_common()
• optionally hook compat_do_execve() if 32-bit su is needed, or you're on 32-on-64
• make sure to hook do_execve not do_execveat, it can be confusing!!
• if you want this oversimplified, check second one
• edit, added ksu_handle_execveat on compat_do_execve for 32-on-64 support

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1886,12 +1886,26 @@ static int do_execveat_common(int fd, struct filename *filename,
 	return retval;
 }
 
+#ifdef CONFIG_KSU
+extern bool ksu_execveat_hook __read_mostly;
+extern int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
+			void *envp, int *flags);
+extern int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
+				 void *argv, void *envp, int *flags);
+#endif
+
 int do_execve(struct filename *filename,
 	const char __user *const __user *__argv,
 	const char __user *const __user *__envp)
 {
 	struct user_arg_ptr argv = { .ptr.native = __argv };
 	struct user_arg_ptr envp = { .ptr.native = __envp };
+#ifdef CONFIG_KSU
+	if (unlikely(ksu_execveat_hook))
+		ksu_handle_execveat((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+	else
+		ksu_handle_execveat_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
 }
 
@@ -1919,6 +1933,10 @@ static int compat_do_execve(struct filename *filename,
 		.is_compat = true,
 		.ptr.compat = __envp,
 	};
+#ifdef CONFIG_KSU // 32-bit su, 32-on-64 ksud support
+	if (unlikely(ksu_execveat_hook))
+		ksu_handle_execveat((int *)AT_FDCWD, &filename, &argv, &envp, 0);
+	else
+		ksu_handle_execveat_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
+#endif
 	return do_execveat_common(AT_FDCWD, filename, argv, envp, 0);
 }
 

vfs_statx for 6.1/6.6

• for 6.1 / 6.6 (>=5.18) theres also a good option to just hook before vfs_fstatat calls vfs_statx
• since it now uses struct filename, we can operate purely on kernel memory
• this is likely worth it just due to skipping usercopies
• double check that your vfs_statx is accepting struct filename!
• this is not extensibly tested, so if unsure, just use the hook above

show patch/diff

--- a/fs/stat.c
+++ b/fs/stat.c
+#ifdef CONFIG_KSU
+__attribute__((hot))
+extern int ksu_handle_vfs_statx(void *__never_use_dfd, struct filename **filename_ptr,
+			void *__never_use_flags, void **__never_use_stat,
+			void *__never_use_request_mask);
+#endif

int vfs_fstatat(int dfd, const char __user *filename,
			      struct kstat *stat, int flags)
{
	int ret;
	int statx_flags = flags | AT_NO_AUTOMOUNT;
	struct filename *name;

	name = getname_flags(filename, getname_statx_lookup_flags(statx_flags), NULL);
+#ifdef CONFIG_KSU
+	ksu_handle_vfs_statx((void *)&dfd, &name, (void *)&statx_flags, (void *)&stat, NULL);
+#endif
	ret = vfs_statx(dfd, name, statx_flags, stat, STATX_BASIC_STATS);
	putname(name);

	return ret;
}

[backslashxx]

Credits

There is nothing new here, I just mirrored what KernelSU developers did, and used functions and variables that are available.
It is just that scope minimization was never ported to manual hooks, so I ported it.
Check references.

related changes

• 'kp_ksud'
• 'kernel: sucompat: increase reliability, commonize and micro-optimize'
• 'kernel: throne_tracker: offload to kthread'
• 'kernel: ksud: provide is_ksu_transition check'
• kernel: ksud: migrate init.rc handling to security_file_permission LSM
• kernel: ksud: replace input hook with an input handler
• kernel: offer syscall table tampering for sucompat

references:

• kernelsu, fs: do not do lookup_slow if caller is throne_tracker kthread by @acroreiser
• allow init exec ksud under nosuid by @F-19-F
• Hook syscalls and stable symbols tiann/KernelSU#1657
• kernel: Fix compatibility with old and 32bit programs tiann/KernelSU#2084
• https://github.com/tiann/KernelSU/blob/main/kernel/arch.h
• tiann@2a64784
• tiann@815f4d0
• https://kernelsu.org/guide/how-to-integrate-for-non-gki.html

[alternoegraha]

here's my commit alternoegraha/kernel_xiaomi_sm6225@2eee8ac