kernel: prevent become manager when failed. close #1328
tiann committed Feb 3, 2024
1 parent eb02e42 commit 07e475c
Showing 1 changed file with 16 additions and 10 deletions.
26 changes: 16 additions & 10 deletions kernel/core_hook.c
Expand Up @@ -128,7 +128,8 @@ void escape_to_root(void)
// setup capabilities
// we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
// we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
u64 cap_for_ksud = profile->capabilities.effective | CAP_DAC_READ_SEARCH;
u64 cap_for_ksud =
profile->capabilities.effective | CAP_DAC_READ_SEARCH;
memcpy(&cred->cap_effective, &cap_for_ksud,
sizeof(cred->cap_effective));
memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
Expand Down Expand Up @@ -243,7 +244,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
#ifdef CONFIG_KSU_DEBUG
pr_err("become_manager: copy param err\n");
#endif
return 0;
goto block;
}

// for user 0, it is /data/data
Expand All @@ -261,20 +262,21 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,

if (startswith(param, (char *)prefix) != 0) {
pr_info("become_manager: invalid param: %s\n", param);
return 0;
goto block;
}

// stat the param, app must have permission to do this
// otherwise it may fake the path!
struct path path;
if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
pr_err("become_manager: kern_path err\n");
return 0;
goto block;
}
if (path.dentry->d_inode->i_uid.val != current_uid().val) {
uid_t inode_uid = path.dentry->d_inode->i_uid.val;
path_put(&path);
if (inode_uid != current_uid().val) {
pr_err("become_manager: path uid != current uid\n");
path_put(&path);
return 0;
goto block;
}
char *pkg = param + strlen(prefix);
pr_info("become_manager: param pkg: %s\n", pkg);
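Review bot: The added `uid_t inode_uid = path.dentry->d_inode->i_uid.val;` and the comparison on the following line unwrap the kuid_t and compare raw integers; the kernel idiom is to keep the kuid and use the comparison helper, `kuid_t inode_uid = d_inode(path.dentry)->i_uid;` followed by `if (!uid_eq(inode_uid, current_uid())) {`, rather than open-coding the check through `.val`. Moving `path_put(&path);` ahead of the check also releases the reference on the new `goto block` paths, which no longer reach the old `path_put` at the end of the function; the `block:` label itself is in a later hunk. Since this ownership comparison is what authorizes the caller to register `pkg` as manager, a one-line comment above it stating that intent would help the next reader, e.g. `/* the directory must be owned by the calling uid: this is the authorization check for become_manager */`. ksu_handle_prctl begins before this hunk.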
Expand All @@ -284,8 +286,10 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
pr_err("become_manager: prctl reply error\n");
}
return 0;
}
path_put(&path);
block:
last_failed_uid = current_uid().val;
return 0;
}
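Review bot: The `last_failed_uid = current_uid().val;` store at `block:` records only the single most recent failing uid, so the early rejection it presumably feeds (the code that reads last_failed_uid is outside this hunk) is cleared as soon as any other uid fails, while a caller whose attempt failed for a transient reason — the copy_from_user error in the hunk at -243 now also jumps here — stays rejected until that happens. That intent and its limitation should be stated at the label, e.g. `/* remember the last uid whose become_manager attempt failed so its retries are rejected early; only one uid is tracked */`. The store is a plain write to a global that concurrent prctl callers can race on; if the reader elsewhere takes no lock, writing it as `WRITE_ONCE(last_failed_uid, current_uid().val);` paired with a READ_ONCE at the reader documents that. The enclosing function starts before this hunk.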

Expand Down Expand Up @@ -569,11 +573,13 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
// when we umount for such process, that is a disaster!
bool is_zygote_child = is_zygote(old->security);
if (!is_zygote_child) {
pr_info("handle umount ignore non zygote child: %d\n", current->pid);
pr_info("handle umount ignore non zygote child: %d\n",
current->pid);
return 0;
}
// umount the target mnt
pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val, current->pid);
pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val,
current->pid);

// fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
// filter the mountpoint whose target is `/data/adb`

1 comment on commit 07e475c

@DeannWinchesterr
DexProtector : 😦😒😭
