NOTE: if you're on a 6.12 GKI kernel you can try CONFIG_KSU_LSM_SECURITY_HOOKS=y; there is experimental support for it.
This patch requires building this tree's KernelSU kernel driver with CONFIG_KSU_LSM_SECURITY_HOOKS=n,
so that the automated LSM hooks can be replaced with the manually placed ones below.
--- a/security/security.c
+++ b/security/security.c
@@ -982,10 +982,19 @@
#define lsm_for_each_hook(scall, NAME) \
for (scall = static_calls_table.NAME; \
scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \
if (static_key_enabled(&scall->active->key))
+#ifdef CONFIG_KSU
+extern int ksu_bprm_check(struct linux_binprm *bprm);
+extern int ksu_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
+ struct inode *new_dir, struct dentry *new_dentry);
+extern int ksu_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
+extern int ksu_file_permission(struct file *file, int mask);
+extern int ksu_hide_setprocattr(const char *name, void *value, size_t size);
+#endif
+
/* Security operations */
/**
* security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok
* @mgr: task credentials of current binder process
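Review bot: The five `ksu_*` prototypes are declared `extern` inside security.c rather than pulled from a header shared with the driver, so if a handler's signature changes on the driver side the compiler will not notice. The mismatch would only surface as a bad call at run time. Moving the declarations into one header included by both sides, with `static inline` no-op stubs for the `!CONFIG_KSU` case, would also let every call site below drop its `#ifdef` block. If CONFIG_KSU can be tristate (not visible on this page), `#ifdef CONFIG_KSU` is false for `=m` and the hooks would be silently compiled out. A comment stating that the driver must be built in would make that explicit.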
@@ -1293,10 +1302,13 @@
*
* Return: Returns 0 if the hook is successful and permission is granted.
*/
int security_bprm_check(struct linux_binprm *bprm)
{
+#ifdef CONFIG_KSU
+ ksu_bprm_check(bprm);
+#endif
return call_int_hook(bprm_check_security, bprm);
}
/**
* security_bprm_committing_creds() - Install creds for a process during exec()
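Review bot: `ksu_bprm_check()` is declared to return `int`, but the call added to `security_bprm_check()` discards the result, so a reader cannot tell whether the handler is meant to be able to refuse the exec. The same pattern repeats in the hunks for `security_inode_rename()`, `security_file_permission()`, `security_task_fix_setuid()` and `security_setprocattr()`. If the handlers are observation-only, declare them `void` or add a comment such as `/* KSU hook is advisory; its return value is intentionally ignored */`. If they are meant to veto, propagate the result with `ret = ksu_bprm_check(bprm); if (ret) return ret;` before `call_int_hook()`.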
@@ -2248,10 +2260,13 @@
*/
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry,
unsigned int flags)
{
+#ifdef CONFIG_KSU
+ ksu_inode_rename(old_dir, old_dentry, new_dir, new_dentry);
+#endif
if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
(d_is_positive(new_dentry) &&
IS_PRIVATE(d_backing_inode(new_dentry)))))
return 0;
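Review bot: `ksu_inode_rename()` is called ahead of the `IS_PRIVATE()` early return, so it runs for kernel-private inodes that the LSM hooks are deliberately never shown. It is also not given `flags`, so it presumably cannot tell a `RENAME_EXCHANGE` from a plain rename. If the handler only cares about ordinary files, place the call after the `IS_PRIVATE()` check. Otherwise add a comment saying why it must see private inodes, and consider forwarding `flags`. The body of `security_inode_rename()` continues outside the hunk.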
@@ -2837,10 +2852,13 @@
*
* Return: Returns 0 if permission is granted.
*/
int security_file_permission(struct file *file, int mask)
{
+#ifdef CONFIG_KSU
+ ksu_file_permission(file, mask);
+#endif
return call_int_hook(file_permission, file, mask);
}
/**
* security_file_alloc() - Allocate and init a file's LSM blob
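Review bot: `security_file_permission()` is reached on every read and write permission check, and the added `ksu_file_permission(file, mask)` is an unconditional out-of-line call on that path with nothing here documenting what it costs or which contexts it can run in. A short comment above the call should state what the handler looks for and that it must not sleep or take locks beyond what this path already allows. If the handler is only needed during a limited window, gating the call behind a static key that the driver flips off afterwards would keep the common path unchanged; whether that applies depends on driver code not shown here.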
@@ -3410,10 +3428,13 @@
* Return: Returns 0 on success.
*/
int security_task_fix_setuid(struct cred *new, const struct cred *old,
int flags)
{
+#ifdef CONFIG_KSU
+ ksu_task_fix_setuid(new, old, flags);
+#endif
return call_int_hook(task_fix_setuid, new, old, flags);
}
/**
* security_task_fix_setgid() - Update LSM with new group id attributes
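Review bot: `ksu_task_fix_setuid()` receives the writable `new` cred and runs before `call_int_hook(task_fix_setuid, ...)`, so whatever the handler records or changes happens even for a transition that an LSM then refuses. If the handler keeps state outside `new` (not visible here), that state can describe a setuid that never took effect. Either run it only after the LSM result is known to be 0, or add a comment on the call explaining why it must run first and that it tolerates a later denial.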
@@ -4253,10 +4274,14 @@
*/
int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
{
struct lsm_static_call *scall;
+#ifdef CONFIG_KSU
+ ksu_hide_setprocattr(name, value, size);
+#endif
+
lsm_for_each_hook(scall, setprocattr) {
if (lsmid != 0 && lsmid != scall->hl->lsmid->id)
continue;
return scall->hl->hook.setprocattr(name, value, size);
}
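Review bot: `ksu_hide_setprocattr()` is called before the `lsmid` filter and is not passed `lsmid`, so it sees writes addressed to every LSM. It also gets the caller's `value` buffer as a non-const `void *`, which means it could alter what the selected LSM's `setprocattr` hook then parses. If the handler only inspects the data, declare the parameter `const void *value` and say so in a comment. If it is expected to rewrite or suppress the write, document that contract at the call site, since nothing in `security_setprocattr()` shows it. The function body continues outside the hunk.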
NOTE:
- These hooks are made for the driver on THIS REPO. These hooks working on others are not assured.
changes:
- v1.1, added ksu_sb_mount manual hook
- v1.2, added ksu_inode_permission manual hook
- v1.3, added ksu_bprm_check manual hook
- v1.4, removed ksu_sb_mount in favor of userspace sending it
- v1.5, remove ksu_inode_permission in favor of userspace devpts workaround
- v1.6, remove ksu_handle_prctl due to new sys_reboot + ioctl from upstream
- v1.7, remove ksu_key_permission, this is now migrated to bprm
- a dummy will be kept for 2 months (251117)
- dummy removed, 260116
- v1.8, added ksu_file_permission as replacement for sys_read/vfs_read hook
- tell 3.x users that this is not needed anymore
- v1.9, replace rename and setuid handlers with proper ones.
- ksu_handle_setuid shim will be kept for a month (260425), removed (260523)
- ksu_handle_rename shim will be kept for a month (260425), removed (260523)
- v2.0, move setprocattr hook here
NOTE: if you're on 6.12 GKI kernel you can try CONFIG_KSU_LSM_SECURITY_HOOKS=y, there is experimental support.
This requires building this tree's KernelSU kernel driver with CONFIG_KSU_LSM_SECURITY_HOOKS=n
This is so that we can replace those automated lsm hooks with manually hooked ones.
NOTE:
changes: