From 07e475c5dc80b888c059a28fae1c852830bf6bbd Mon Sep 17 00:00:00 2001
From: weishu
Date: Sat, 3 Feb 2024 20:03:26 +0800
Subject: [PATCH] kernel: prevent become manager when failed.

close #1328
---
 kernel/core_hook.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/kernel/core_hook.c b/kernel/core_hook.c
index 9c863660dd29..70f85d201683 100644
--- a/kernel/core_hook.c
+++ b/kernel/core_hook.c
@@ -128,7 +128,8 @@ void escape_to_root(void)
 // setup capabilities
 // we need CAP_DAC_READ_SEARCH becuase `/data/adb/ksud` is not accessible for non root process
 // we add it here but don't add it to cap_inhertiable, it would be dropped automaticly after exec!
- u64 cap_for_ksud = profile->capabilities.effective | CAP_DAC_READ_SEARCH;
+ u64 cap_for_ksud =
+ profile->capabilities.effective | CAP_DAC_READ_SEARCH;
 memcpy(&cred->cap_effective, &cap_for_ksud, sizeof(cred->cap_effective));
 memcpy(&cred->cap_inheritable, &profile->capabilities.effective,
@@ -243,7 +244,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 #ifdef CONFIG_KSU_DEBUG
 pr_err("become_manager: copy param err\n");
 #endif
- return 0;
+ goto block;
 }
 // for user 0, it is /data/data
@@ -261,7 +262,7 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 if (startswith(param, (char *)prefix) != 0) {
 pr_info("become_manager: invalid param: %s\n", param);
- return 0;
+ goto block;
 }
 // stat the param, app must have permission to do this
@@ -269,12 +270,13 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 struct path path;
 if (kern_path(param, LOOKUP_DIRECTORY, &path)) {
 pr_err("become_manager: kern_path err\n");
- return 0;
+ goto block;
 }
- if (path.dentry->d_inode->i_uid.val != current_uid().val) {
+ uid_t inode_uid = path.dentry->d_inode->i_uid.val;
+ path_put(&path);
+ if (inode_uid != current_uid().val) {
 pr_err("become_manager: path uid != current uid\n");
- path_put(&path);
- return 0;
+ goto block;
 }
 char *pkg = param + strlen(prefix);
 pr_info("become_manager: param pkg: %s\n", pkg);
@@ -284,8 +286,10 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
 pr_err("become_manager: prctl reply error\n");
 }
+ return 0;
 }
- path_put(&path);
+ block:
+ last_failed_uid = current_uid().val;
 return 0;
 }
@@ -569,11 +573,13 @@ int ksu_handle_setuid(struct cred *new, const struct cred *old)
 // when we umount for such process, that is a disaster!
 bool is_zygote_child = is_zygote(old->security);
 if (!is_zygote_child) {
- pr_info("handle umount ignore non zygote child: %d\n", current->pid);
+ pr_info("handle umount ignore non zygote child: %d\n",
+ current->pid);
 return 0;
 }
 // umount the target mnt
- pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val, current->pid);
+ pr_info("handle umount for uid: %d, pid: %d\n", new_uid.val,
+ current->pid);
 // fixme: use `collect_mounts` and `iterate_mount` to iterate all mountpoint and
 // filter the mountpoint whose target is `/data/adb`
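Review bot: The ownership check `if (inode_uid != current_uid().val)` is evaluated on the kern_path-resolved directory, while `pkg` two lines later is cut from the raw user string after `prefix`, so the two need not name the same directory: kern_path resolves `..` and intermediate symlinks, and the earlier startswith() test only constrains the prefix. If the intent is that the manager is identified by its own data directory, reject the raw suffix before the lookup, e.g. `if (strchr(param + strlen(prefix), '/') || strstr(param + strlen(prefix), "..")) goto block;` placed ahead of `kern_path` (adjust if a trailing slash is meant to be accepted). A smaller point: comparing raw `.val` fields ignores user namespaces; the kernel idiom is `uid_eq(path.dentry->d_inode->i_uid, current_uid())`, taken before `path_put`. ksu_handle_prctl starts and ends outside this hunk.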
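Review bot: `last_failed_uid = current_uid().val;` under `block:` is a single global slot, so it only remembers the most recent rejected caller: a second uid failing any of the `goto block` checks overwrites the first, and whatever consults this value (outside the hunk) can then no longer refuse the earlier one; no locking is visible here either, which is harmless for a single word store but should be stated. If the goal is to refuse repeat attempts per uid, a small per-uid record is needed; otherwise a comment above the label such as `/* block: remember the rejected caller's uid; single slot, last writer wins */` should document the limitation. Also, on the success path a failed `copy_to_user` of `reply_ok` is only logged and the function still returns 0 after whatever manager state was set earlier in the function (not visible here), so the caller may be promoted without ever receiving the reply; consider whether that case should count as a failure. ksu_handle_prctl starts outside this hunk.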