diff --git a/syscall_hook/min_scope_syscall_hooks_v1.4.patch b/syscall_hook/min_scope_syscall_hooks_v1.4.patch
deleted file mode 100644
index 8d6693b..0000000
--- a/syscall_hook/min_scope_syscall_hooks_v1.4.patch
+++ /dev/null
@@ -1,136 +0,0 @@ ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -2095,11 +2095,26 @@ void set_dumpable(struct mm_struct *mm, int value) - set_mask_bits(&mm->flags, MMF_DUMPABLE_MASK, value); - } - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+extern bool ksu_execveat_hook __read_mostly; -+extern __attribute__((hot, always_inline)) int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, -+ void *__never_use_argv, void *__never_use_envp, -+ int *__never_use_flags); -+extern int ksu_handle_execve_ksud(const char __user *filename_user, -+ const char __user *const __user *__argv); -+#endif -+ - SYSCALL_DEFINE3(execve, - const char __user *, filename, - const char __user *const __user *, argv, - const char __user *const __user *, envp) - { -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+ if (unlikely(ksu_execveat_hook)) -+ ksu_handle_execve_ksud(filename, argv); -+ else -+ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); -+#endif - return do_execve(getname(filename), argv, envp); - } - -@@ -2119,6 +2138,10 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename, - const compat_uptr_t __user *, argv, - const compat_uptr_t __user *, envp) - { -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) // 32-bit su and 32-on-64 support -+ if (!ksu_execveat_hook) -+ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); -+#endif - return compat_do_execve(getname(filename), argv, envp); - } - ---- a/fs/open.c -+++ b/fs/open.c -@@ -450,8 +450,16 @@ long do_faccessat(int dfd, const char __user *filename, int mode) - return res; - } - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+extern __attribute__((hot, always_inline)) int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode, -+ int *flags); -+#endif -+ - SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) - { -+#if defined(CONFIG_KSU) && 
!defined(CONFIG_KSU_KPROBES_HOOK) -+ ksu_handle_faccessat(&dfd, &filename, &mode, NULL); -+#endif - return do_faccessat(dfd, filename, mode); - } - ---- a/fs/stat.c -+++ b/fs/stat.c -@@ -353,6 +353,10 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename, - return cp_new_stat(&stat, statbuf); - } - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+extern __attribute__((hot, always_inline)) int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags); -+#endif -+ - #if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT) - SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, - struct stat __user *, statbuf, int, flag) -@@ -360,6 +364,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, - struct kstat stat; - int error; - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+ ksu_handle_stat(&dfd, &filename, &flag); -+#endif - error = vfs_fstatat(dfd, filename, &stat, flag); - if (error) - return error; -@@ -504,6 +511,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename, - struct kstat stat; - int error; - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+ ksu_handle_stat(&dfd, &filename, &flag); -+#endif - error = vfs_fstatat(dfd, filename, &stat, flag); - if (error) - return error; ---- a/drivers/input/input.c -+++ b/drivers/input/input.c -@@ -436,11 +436,21 @@ static void input_handle_event(struct input_dev *dev, - * to 'seed' initial state of a switch or initial position of absolute - * axis, etc. 
- */ -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+extern bool ksu_input_hook __read_mostly; -+extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value); -+#endif -+ - void input_event(struct input_dev *dev, - unsigned int type, unsigned int code, int value) - { - unsigned long flags; - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+ if (unlikely(ksu_input_hook)) -+ ksu_handle_input_handle_event(&type, &code, &value); -+#endif -+ - if (is_event_supported(type, dev->evbit, EV_MAX)) { - - spin_lock_irqsave(&dev->event_lock, flags); ---- a/fs/read_write.c -+++ b/fs/read_write.c -@@ -628,8 +628,18 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count) - return ret; - } - -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+extern bool ksu_vfs_read_hook __read_mostly; -+extern int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr, -+ size_t *count_ptr); -+#endif -+ - SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) - { -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) -+ if (unlikely(ksu_vfs_read_hook)) -+ ksu_handle_sys_read(fd, &buf, &count); -+#endif - return ksys_read(fd, buf, count); - } \ No newline at end of file diff --git a/syscall_hook/syscall_hooks_4.14.patch b/syscall_hook/syscall_hooks_4.14.patch new file mode 100644 index 0000000..992f67c --- /dev/null +++ b/syscall_hook/syscall_hooks_4.14.patch 
@@ -0,0 +1,212 @@ +diff --git a/drivers/input/input.c b/drivers/input/input.c +index f9f3d626..185ceff1 100644 +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -436,11 +436,20 @@ static void input_handle_event(struct input_dev *dev, + * to 'seed' initial state of a switch or initial position of absolute + * axis, etc. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern bool ksu_input_hook __read_mostly; ++extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value); ++#endif + void input_event(struct input_dev *dev, + unsigned int type, unsigned int code, int value) + { + unsigned long flags; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (unlikely(ksu_input_hook)) ++ ksu_handle_input_handle_event(&type, &code, &value); ++#endif ++ + if (is_event_supported(type, dev->evbit, EV_MAX)) { + + spin_lock_irqsave(&dev->event_lock, flags); +diff --git a/fs/exec.c b/fs/exec.c +index 8d5ae3de..9307d129 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1950,11 +1950,21 @@ void set_dumpable(struct mm_struct *mm, int value) + } while (cmpxchg(&mm->flags, old, new) != old); + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, ++ void *__never_use_argv, void *__never_use_envp, ++ int *__never_use_flags); ++#endif ++ + SYSCALL_DEFINE3(execve, + const char __user *, filename, + const char __user *const __user *, argv, + const char __user *const __user *, envp) + { ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); ++#endif + return do_execve(getname(filename), argv, envp); + } + +@@ -1976,6 +1986,9 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename, + const compat_uptr_t __user *, argv, + const compat_uptr_t __user *, envp) + { ++#if defined(CONFIG_KSU) && 
!defined(CONFIG_KSU_KPROBES_HOOK) // 32-bit su and 32-on-64 support ++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); ++#endif + return compat_do_execve(getname(filename), argv, envp); + } + +diff --git a/fs/open.c b/fs/open.c +index 3b62683f..908ce836 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -359,6 +359,12 @@ SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len) + * We do this by temporarily clearing all FS-related capabilities and + * switching the fsuid/fsgid around to the real ones. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user, ++ int *mode, int *flags); ++#endif ++ + SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) + { + const struct cred *old_cred; +@@ -369,6 +375,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) + int res; + unsigned int lookup_flags = LOOKUP_FOLLOW; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_faccessat(&dfd, &filename, &mode, NULL); ++#endif + if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? 
*/ + return -EINVAL; + +diff --git a/fs/read_write.c b/fs/read_write.c +index 0da6e4f1..25a850ba 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -568,11 +568,22 @@ static inline void file_pos_write(struct file *file, loff_t pos) + file->f_pos = pos; + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern bool ksu_vfs_read_hook __read_mostly; ++extern int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr, ++ size_t *count_ptr); ++#endif ++ + SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) + { + struct fd f = fdget_pos(fd); + ssize_t ret = -EBADF; + ++ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (unlikely(ksu_vfs_read_hook)) ++ ksu_handle_sys_read(fd, &buf, &count); ++#endif + if (f.file) { + loff_t pos = file_pos_read(f.file); + ret = vfs_read(f.file, buf, count, &pos); +diff --git a/fs/stat.c b/fs/stat.c +index 0fda4b6b..478dfefd 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -353,6 +353,12 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename, + return cp_new_stat(&stat, statbuf); + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_stat(int *dfd, const char __user **filename_user, ++ int *flags); ++#endif ++ + #if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT) + SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, + struct stat __user *, statbuf, int, flag) +@@ -360,6 +366,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +@@ -504,6 +513,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ 
ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +@@ -644,6 +656,9 @@ COMPAT_SYSCALL_DEFINE4(newfstatat, unsigned int, dfd, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +diff --git a/kernel/reboot.c b/kernel/reboot.c +index 2946ed1d..c8d49cee 100644 +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -277,12 +277,18 @@ static DEFINE_MUTEX(reboot_mutex); + * + * reboot doesn't sync: do that yourself before calling this. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg); ++#endif + SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, + void __user *, arg) + { + struct pid_namespace *pid_ns = task_active_pid_ns(current); + char buffer[256]; + int ret = 0; ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_sys_reboot(magic1, magic2, cmd, &arg); ++#endif + + /* We only trust the superuser with rebooting the system. */ + if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT)) +diff --git a/kernel/sys.c b/kernel/sys.c +index 195f3c87..bbd3e446 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -595,6 +595,10 @@ SYSCALL_DEFINE1(setuid, uid_t, uid) + * This function implements a generic ability to update ruid, euid, + * and suid. This allows you to implement the 4.4 compatible seteuid(). 
+ */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid); ++#endif ++ + SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) + { + struct user_namespace *ns = current_user_ns(); +@@ -607,6 +611,11 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) + keuid = make_kuid(ns, euid); + ksuid = make_kuid(ns, suid); + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (ksu_handle_setresuid(ruid, euid, suid)) { ++ pr_info("Something wrong with ksu_handle_setresuid()\\n"); ++ } ++#endif + if ((ruid != (uid_t) -1) && !uid_valid(kruid)) + return -EINVAL; + diff --git a/syscall_hook/min_scope_syscall_hooks_v1.5.patch b/syscall_hook/syscall_hooks_4.19-5.4.patch similarity index 60% rename from syscall_hook/min_scope_syscall_hooks_v1.5.patch rename to syscall_hook/syscall_hooks_4.19-5.4.patch index 2ddfa65..539afb9 100644 --- a/syscall_hook/min_scope_syscall_hooks_v1.5.patch +++ b/syscall_hook/syscall_hooks_4.19-5.4.patch @@ -1,8 +1,8 @@ diff --git a/drivers/input/input.c b/drivers/input/input.c -index 78be582b5766..c2045ade6ccc 100644 +index 45fdb9bdf..7d3f62496 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c -@@ -420,11 +420,21 @@ void input_handle_event(struct input_dev *dev, +@@ -441,11 +441,20 @@ static void input_handle_event(struct input_dev *dev, * to 'seed' initial state of a switch or initial position of absolute * axis, etc. */ @@ -10,7 +10,6 @@ index 78be582b5766..c2045ade6ccc 100644 +extern bool ksu_input_hook __read_mostly; +extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value); +#endif -+ void input_event(struct input_dev *dev, unsigned int type, unsigned int code, int value) { @@ -25,10 +24,10 @@ index 78be582b5766..c2045ade6ccc 100644 spin_lock_irqsave(&dev->event_lock, flags); 
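Review bot: The execve and compat execve hooks in the fs/exec.c part of syscall_hooks_4.14.patch pass `(int *)AT_FDCWD` as the `fd` argument, which turns the constant into a pointer value that refers to no object. Unlike the argv/envp/flags parameters, `fd` is not named `__never_use_*` in the extern prototype, and the handler body is not part of this diff, so nothing here guarantees it is never dereferenced; a dereference would fault inside the syscall path. Passing the address of a local is safer: `int ksu_fd = AT_FDCWD;` followed by `ksu_handle_execve_sucompat(&ksu_fd, &filename, NULL, NULL, NULL);`. The same call appears in the 4.4 and 4.9 patches added by this commit.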
diff --git a/fs/exec.c b/fs/exec.c -index 78e15a17c3e5..78d076116855 100644 +index 5aa0d9ec7..b9a9b14ff 100644 --- a/fs/exec.c +++ b/fs/exec.c -@@ -2122,11 +2122,21 @@ void set_dumpable(struct mm_struct *mm, int value) +@@ -2013,11 +2013,21 @@ void set_dumpable(struct mm_struct *mm, int value) set_mask_bits(&mm->flags, MMF_DUMPABLE_MASK, value); } @@ -50,7 +49,7 @@ index 78e15a17c3e5..78d076116855 100644 return do_execve(getname(filename), argv, envp); } -@@ -2146,6 +2156,9 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename, +@@ -2039,6 +2049,9 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename, const compat_uptr_t __user *, argv, const compat_uptr_t __user *, envp) { @@ -61,10 +60,10 @@ index 78e15a17c3e5..78d076116855 100644 } diff --git a/fs/open.c b/fs/open.c -index f5a50cc9cd12..fd694b702278 100644 +index 0943555fb..bd9728c6c 100644 --- a/fs/open.c +++ b/fs/open.c -@@ -512,8 +512,17 @@ static long do_faccessat(int dfd, const char __user *filename, int mode, int fla +@@ -440,8 +440,17 @@ long do_faccessat(int dfd, const char __user *filename, int mode) return res; } @@ -79,14 +78,14 @@ index f5a50cc9cd12..fd694b702278 100644 +#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) + ksu_handle_faccessat(&dfd, &filename, &mode, NULL); +#endif - return do_faccessat(dfd, filename, mode, 0); + return do_faccessat(dfd, filename, mode); } diff --git a/fs/read_write.c b/fs/read_write.c -index 7a2ff6157eda..c7a5e8ec2988 100644 +index 7458fccc5..3d2172372 100644 --- a/fs/read_write.c +++ b/fs/read_write.c -@@ -618,8 +618,18 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count) +@@ -592,8 +592,18 @@ ssize_t ksys_read(unsigned int fd, char __user *buf, size_t count) return ret; } @@ -106,10 +105,10 @@ index 7a2ff6157eda..c7a5e8ec2988 100644 } diff --git a/fs/stat.c b/fs/stat.c -index daf28da335cd..3fa40c6d7446 100644 +index 268c9eb89..9d55c502b 100644 --- a/fs/stat.c 
+++ b/fs/stat.c -@@ -478,6 +478,12 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename, +@@ -357,6 +357,12 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename, return cp_new_stat(&stat, statbuf); } @@ -122,7 +121,7 @@ index daf28da335cd..3fa40c6d7446 100644 #if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT) SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, struct stat __user *, statbuf, int, flag) -@@ -485,6 +491,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, +@@ -364,6 +370,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, struct kstat stat; int error; 
@@ -132,14 +131,69 @@ index daf28da335cd..3fa40c6d7446 100644 error = vfs_fstatat(dfd, filename, &stat, flag); if (error) return error; -@@ -636,6 +645,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename, +@@ -515,6 +524,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename, struct kstat stat; int error; -+#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) // 32-bit su ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) + ksu_handle_stat(&dfd, &filename, &flag); +#endif error = vfs_fstatat(dfd, filename, &stat, flag); if (error) return error; - +@@ -655,6 +667,9 @@ COMPAT_SYSCALL_DEFINE4(newfstatat, unsigned int, dfd, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +diff --git a/kernel/reboot.c b/kernel/reboot.c +index 8f08af3a7..109c7f56a 100644 +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -310,12 +310,18 @@ DEFINE_MUTEX(system_transition_mutex); + * + * reboot doesn't sync: do that yourself before calling this. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg); ++#endif + SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, + void __user *, arg) + { + struct pid_namespace *pid_ns = task_active_pid_ns(current); + char buffer[256]; + int ret = 0; ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_sys_reboot(magic1, magic2, cmd, &arg); ++#endif + + /* We only trust the superuser with rebooting the system. 
*/ + if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT)) +diff --git a/kernel/sys.c b/kernel/sys.c +index fa3f48a51..51abba9aa 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -687,8 +687,18 @@ long __sys_setresuid(uid_t ruid, uid_t euid, uid_t suid) + return retval; + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid); ++#endif ++ + SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) + { ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (ksu_handle_setresuid(ruid, euid, suid)) { ++ pr_info("Something wrong with ksu_handle_setresuid()\\n"); ++ } ++#endif ++ + return __sys_setresuid(ruid, euid, suid); + } + diff --git a/syscall_hook/syscall_hooks_4.4.patch b/syscall_hook/syscall_hooks_4.4.patch new file mode 100644 index 0000000..bd15576 --- /dev/null +++ b/syscall_hook/syscall_hooks_4.4.patch 
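Review bot: In the kernel/reboot.c section added to syscall_hooks_4.19-5.4.patch, `ksu_handle_sys_reboot(magic1, magic2, cmd, &arg)` runs ahead of the `ns_capable(pid_ns->user_ns, CAP_SYS_BOOT)` check, so any caller of reboot(2), privileged or not, reaches the handler with caller-chosen arguments and a pointer through which the handler can rewrite `arg`. The return value is discarded and the handler is not shown, so whether it authorizes the caller cannot be confirmed from this diff. I would state the requirement at the call site, for example `/* KSU: called before the CAP_SYS_BOOT check; the handler must authorize the caller itself */`. The 4.14 and 4.4 patches place the hook the same way, and the body of the reboot syscall continues past the inner hunk.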
@@ -0,0 +1,244 @@ +diff --git a/drivers/input/input.c b/drivers/input/input.c +index 88060595..df96e0a0 100644 +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -426,11 +426,20 @@ static void input_handle_event(struct input_dev *dev, + * to 'seed' initial state of a switch or initial position of absolute + * axis, etc. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern bool ksu_input_hook __read_mostly; ++extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value); ++#endif + void input_event(struct input_dev *dev, + unsigned int type, unsigned int code, int value) + { + unsigned long flags; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (unlikely(ksu_input_hook)) ++ ksu_handle_input_handle_event(&type, &code, &value); ++#endif ++ + if (is_event_supported(type, dev->evbit, EV_MAX)) { + + spin_lock_irqsave(&dev->event_lock, flags); +diff --git a/fs/exec.c b/fs/exec.c +index eba40240..7a9acd8d 100644 +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -1756,11 +1756,21 @@ void set_dumpable(struct mm_struct *mm, int value) + } while (cmpxchg(&mm->flags, old, new) != old); + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user, ++ void *__never_use_argv, void *__never_use_envp, ++ int *__never_use_flags); ++#endif ++ + SYSCALL_DEFINE3(execve, + const char __user *, filename, + const char __user *const __user *, argv, + const char __user *const __user *, envp) + { ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); ++#endif + return do_execve(getname(filename), argv, envp); + } + +@@ -1782,6 +1792,9 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename, + const compat_uptr_t __user *, argv, + const compat_uptr_t __user *, envp) + { ++#if defined(CONFIG_KSU) && 
!defined(CONFIG_KSU_KPROBES_HOOK) // 32-bit su and 32-on-64 support ++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL); ++#endif + return compat_do_execve(getname(filename), argv, envp); + } + +diff --git a/fs/open.c b/fs/open.c +index b7e2889a..99baf679 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -343,6 +343,12 @@ SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len) + * We do this by temporarily clearing all FS-related capabilities and + * switching the fsuid/fsgid around to the real ones. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user, ++ int *mode, int *flags); ++#endif ++ + SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) + { + const struct cred *old_cred; +@@ -353,6 +359,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode) + int res; + unsigned int lookup_flags = LOOKUP_FOLLOW; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_faccessat(&dfd, &filename, &mode, NULL); ++#endif + if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? 
*/ + return -EINVAL; + +diff --git a/fs/read_write.c b/fs/read_write.c +index 7b175b91..3422adf9 100644 +--- a/fs/read_write.c ++++ b/fs/read_write.c +@@ -562,11 +562,22 @@ static inline void file_pos_write(struct file *file, loff_t pos) + file->f_pos = pos; + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern bool ksu_vfs_read_hook __read_mostly; ++extern int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr, ++ size_t *count_ptr); ++#endif ++ + SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count) + { + struct fd f = fdget_pos(fd); + ssize_t ret = -EBADF; + ++ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (unlikely(ksu_vfs_read_hook)) ++ ksu_handle_sys_read(fd, &buf, &count); ++#endif + if (f.file) { + loff_t pos = file_pos_read(f.file); + ret = vfs_read(f.file, buf, count, &pos); +diff --git a/fs/stat.c b/fs/stat.c +index 004dd77c..97a2cc79 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -287,6 +287,12 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename, + return cp_new_stat(&stat, statbuf); + } + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++__attribute__((hot)) ++extern int ksu_handle_stat(int *dfd, const char __user **filename_user, ++ int *flags); ++#endif ++ + #if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT) + SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, + struct stat __user *, statbuf, int, flag) +@@ -294,6 +300,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +@@ -436,6 +445,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename, + struct kstat stat; + int error; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ 
ksu_handle_stat(&dfd, &filename, &flag); ++#endif + error = vfs_fstatat(dfd, filename, &stat, flag); + if (error) + return error; +diff --git a/kernel/reboot.c b/kernel/reboot.c +index bd30a973..db4a864d 100644 +--- a/kernel/reboot.c ++++ b/kernel/reboot.c +@@ -277,12 +277,18 @@ static DEFINE_MUTEX(reboot_mutex); + * + * reboot doesn't sync: do that yourself before calling this. + */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg); ++#endif + SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd, + void __user *, arg) + { + struct pid_namespace *pid_ns = task_active_pid_ns(current); + char buffer[256]; + int ret = 0; ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ ksu_handle_sys_reboot(magic1, magic2, cmd, &arg); ++#endif + + /* We only trust the superuser with rebooting the system. */ + if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT)) +diff --git a/kernel/sys.c b/kernel/sys.c +index 29413e2b..d350e68c 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -581,6 +581,10 @@ error: + * This function implements a generic ability to update ruid, euid, + * and suid. This allows you to implement the 4.4 compatible seteuid(). 
+ */ ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++extern int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid); ++#endif ++ + SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) + { + struct user_namespace *ns = current_user_ns(); +@@ -593,6 +597,11 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid) + keuid = make_kuid(ns, euid); + ksuid = make_kuid(ns, suid); + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (ksu_handle_setresuid(ruid, euid, suid)) { ++ pr_info("Something wrong with ksu_handle_setresuid()\\n"); ++ } ++#endif + if ((ruid != (uid_t) -1) && !uid_valid(kruid)) + return -EINVAL; + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index d6278891..ba7e1fa3 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2179,16 +2179,37 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm, + const struct task_security_struct *old_tsec, + const struct task_security_struct *new_tsec) + { ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ static u32 ksu_sid; ++ char *secdata; ++#endif + int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS); + int nosuid = (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID); + int rc; + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ int error; ++ u32 seclen; ++#endif + if (!nnp && !nosuid) + return 0; /* neither NNP nor nosuid */ + + if (new_tsec->sid == old_tsec->sid) + return 0; /* No change in credentials */ + ++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) ++ if (!ksu_sid) ++ security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid); ++ ++ error = security_secid_to_secctx(old_tsec->sid, &secdata, &seclen); ++ if (!error) { ++ rc = strcmp("u:r:init:s0", secdata); ++ security_release_secctx(secdata, seclen); ++ if (rc == 0 && new_tsec->sid == ksu_sid) ++ return 0; ++ } ++#endif ++ + /* + * The only transitions we permit under NNP or nosuid + * are 
transitions to bounded SIDs, i.e. SIDs that are diff --git a/syscall_hook/syscall_hooks_4.9.patch b/syscall_hook/syscall_hooks_4.9.patch new file mode 100644 index 0000000..0eec109 --- /dev/null +++ b/syscall_hook/syscall_hooks_4.9.patch 
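Review bot: The block added to check_nnp_nosuid() in the security/selinux/hooks.c section of syscall_hooks_4.4.patch returns 0 for an init-to-su transition before the bounded-SID check, exempting it from no_new_privs/nosuid enforcement, yet it ignores the result of security_secctx_to_secid() and carries no comment saying why the exemption exists. It also converts the old SID to a string and runs strcmp() on every call that gets past the two early returns. Resolving both contexts to SIDs once and comparing SIDs keeps the exemption as narrow as before, removes the per-call allocation, and skips it when either lookup failed; the sketch below is untested against a 4.4 tree. The rest of check_nnp_nosuid() lies outside the inner hunk.

```c
#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
	static u32 ksu_sid, ksu_init_sid;
#endif
	/* … unchanged: nnp/nosuid computation and the two early returns … */

#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
	/*
	 * KSU: permit the init -> su transition under NNP/nosuid.
	 * Both SIDs are resolved lazily; if either lookup fails the
	 * exemption is skipped and the normal checks below apply.
	 */
	if (!ksu_sid &&
	    security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid))
		ksu_sid = 0;
	if (!ksu_init_sid &&
	    security_secctx_to_secid("u:r:init:s0", strlen("u:r:init:s0"), &ksu_init_sid))
		ksu_init_sid = 0;

	if (ksu_sid && ksu_init_sid &&
	    old_tsec->sid == ksu_init_sid && new_tsec->sid == ksu_sid)
		return 0;
#endif
```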
@@ -0,0 +1,244 @@
+diff --git a/drivers/input/input.c b/drivers/input/input.c
+index d95c34ee..aeb3cf3e 100644
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -425,11 +425,20 @@ static void input_handle_event(struct input_dev *dev,
+ * to 'seed' initial state of a switch or initial position of absolute
+ * axis, etc.
+ */
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++extern bool ksu_input_hook __read_mostly;
++extern int ksu_handle_input_handle_event(unsigned int *type, unsigned int *code, int *value);
++#endif
+ void input_event(struct input_dev *dev,
+ unsigned int type, unsigned int code, int value)
+ {
+ unsigned long flags;
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ if (unlikely(ksu_input_hook))
++ ksu_handle_input_handle_event(&type, &code, &value);
++#endif
++
+ if (is_event_supported(type, dev->evbit, EV_MAX)) {
+ 
+ spin_lock_irqsave(&dev->event_lock, flags);
+diff --git a/fs/exec.c b/fs/exec.c
+index cd4fa57c..b3153c22 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1902,11 +1902,21 @@ void set_dumpable(struct mm_struct *mm, int value)
+ } while (cmpxchg(&mm->flags, old, new) != old);
+ }
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++__attribute__((hot))
++extern int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
++ void *__never_use_argv, void *__never_use_envp,
++ int *__never_use_flags);
++#endif
++
+ SYSCALL_DEFINE3(execve,
+ const char __user *, filename,
+ const char __user *const __user *, argv,
+ const char __user *const __user *, envp)
+ {
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
++#endif
+ return do_execve(getname(filename), argv, envp);
+ }
+ 
+@@ -1928,6 +1938,9 @@ COMPAT_SYSCALL_DEFINE3(execve, const char __user *, filename,
+ const compat_uptr_t __user *, argv,
+ const compat_uptr_t __user *, envp)
+ {
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK) // 32-bit su and 32-on-64 support
++ ksu_handle_execve_sucompat((int *)AT_FDCWD, &filename, NULL, NULL, NULL);
++#endif
+ return compat_do_execve(getname(filename), argv, envp);
+ }
+ 
+diff --git a/fs/open.c b/fs/open.c
+index 2ff88766..a511eabd 100644
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -360,6 +360,12 @@ SYSCALL_DEFINE4(fallocate, int, fd, int, mode, loff_t, offset, loff_t, len)
+ * We do this by temporarily clearing all FS-related capabilities and
+ * switching the fsuid/fsgid around to the real ones.
+ */
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++__attribute__((hot))
++extern int ksu_handle_faccessat(int *dfd, const char __user **filename_user,
++ int *mode, int *flags);
++#endif
++
+ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ {
+ const struct cred *old_cred;
+@@ -370,6 +376,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, const char __user *, filename, int, mode)
+ int res;
+ unsigned int lookup_flags = LOOKUP_FOLLOW;
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ ksu_handle_faccessat(&dfd, &filename, &mode, NULL);
++#endif
+ if (mode & ~S_IRWXO) /* where's F_OK, X_OK, W_OK, R_OK? */
+ return -EINVAL;
+ 
+diff --git a/fs/read_write.c b/fs/read_write.c
+index 90123126..1a68bc9e 100644
+--- a/fs/read_write.c
++++ b/fs/read_write.c
+@@ -581,11 +581,22 @@ static inline void file_pos_write(struct file *file, loff_t pos)
+ file->f_pos = pos;
+ }
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++extern bool ksu_vfs_read_hook __read_mostly;
++extern int ksu_handle_sys_read(unsigned int fd, char __user **buf_ptr,
++ size_t *count_ptr);
++#endif
++
+ SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
+ {
+ struct fd f = fdget_pos(fd);
+ ssize_t ret = -EBADF;
+ 
++
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ if (unlikely(ksu_vfs_read_hook))
++ ksu_handle_sys_read(fd, &buf, &count);
++#endif
+ if (f.file) {
+ loff_t pos = file_pos_read(f.file);
+ ret = vfs_read(f.file, buf, count, &pos);
+diff --git a/fs/stat.c b/fs/stat.c
+index 068fdbcc..253ff04e 100644
+--- a/fs/stat.c
++++ b/fs/stat.c
+@@ -287,6 +287,12 @@ SYSCALL_DEFINE2(newlstat, const char __user *, filename,
+ return cp_new_stat(&stat, statbuf);
+ }
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++__attribute__((hot))
++extern int ksu_handle_stat(int *dfd, const char __user **filename_user,
++ int *flags);
++#endif
++
+ #if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT)
+ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
+ struct stat __user *, statbuf, int, flag)
+@@ -294,6 +300,9 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, const char __user *, filename,
+ struct kstat stat;
+ int error;
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ ksu_handle_stat(&dfd, &filename, &flag);
++#endif
+ error = vfs_fstatat(dfd, filename, &stat, flag);
+ if (error)
+ return error;
+@@ -436,6 +445,9 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, const char __user *, filename,
+ struct kstat stat;
+ int error;
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ ksu_handle_stat(&dfd, &filename, &flag);
++#endif
+ error = vfs_fstatat(dfd, filename, &stat, flag);
+ if (error)
+ return error;
+diff --git a/kernel/reboot.c b/kernel/reboot.c
+index bd30a973..db4a864d 100644
+--- a/kernel/reboot.c
++++ b/kernel/reboot.c
+@@ -277,12 +277,18 @@ static DEFINE_MUTEX(reboot_mutex);
+ *
+ * reboot doesn't sync: do that yourself before calling this.
+ */
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++extern int ksu_handle_sys_reboot(int magic1, int magic2, unsigned int cmd, void __user **arg);
++#endif
+ SYSCALL_DEFINE4(reboot, int, magic1, int, magic2, unsigned int, cmd,
+ void __user *, arg)
+ {
+ struct pid_namespace *pid_ns = task_active_pid_ns(current);
+ char buffer[256];
+ int ret = 0;
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ ksu_handle_sys_reboot(magic1, magic2, cmd, &arg);
++#endif
+ 
+ /* We only trust the superuser with rebooting the system. */
+ if (!ns_capable(pid_ns->user_ns, CAP_SYS_BOOT))
+diff --git a/kernel/sys.c b/kernel/sys.c
+index 79d473f9..e0bc9340 100644
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -582,6 +582,10 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
+ * This function implements a generic ability to update ruid, euid,
+ * and suid. This allows you to implement the 4.4 compatible seteuid().
+ */
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++extern int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid);
++#endif
++
+ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+ {
+ struct user_namespace *ns = current_user_ns();
+@@ -594,6 +598,11 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
+ keuid = make_kuid(ns, euid);
+ ksuid = make_kuid(ns, suid);
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ if (ksu_handle_setresuid(ruid, euid, suid)) {
++ pr_info("Something wrong with ksu_handle_setresuid()\\n");
++ }
++#endif
+ if ((ruid != (uid_t) -1) && !uid_valid(kruid))
+ return -EINVAL;
+ 
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index bc5222e6..4189b1a5 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -2302,16 +2302,37 @@ static int check_nnp_nosuid(const struct linux_binprm *bprm,
+ const struct task_security_struct *old_tsec,
+ const struct task_security_struct *new_tsec)
+ {
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ static u32 ksu_sid;
++ char *secdata;
++#endif
+ int nnp = (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS);
+ int nosuid = !mnt_may_suid(bprm->file->f_path.mnt);
+ int rc;
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ int error;
++ u32 seclen;
++#endif
+ if (!nnp && !nosuid)
+ return 0; /* neither NNP nor nosuid */
+ 
+ if (new_tsec->sid == old_tsec->sid)
+ return 0; /* No change in credentials */
+ 
++#if defined(CONFIG_KSU) && !defined(CONFIG_KSU_KPROBES_HOOK)
++ if (!ksu_sid)
++ security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &ksu_sid);
++
++ error = security_secid_to_secctx(old_tsec->sid, &secdata, &seclen);
++ if (!error) {
++ rc = strcmp("u:r:init:s0", secdata);
++ security_release_secctx(secdata, seclen);
++ if (rc == 0 && new_tsec->sid == ksu_sid)
++ return 0;
++ }
++#endif
++
+ /*
+ * The only transitions we permit under NNP or nosuid
+ * are transitions to bounded SIDs, i.e. SIDs that are
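Review bot: Both execve hooks in the fs/exec.c section pass `(int *)AT_FDCWD` as the `fd` argument of `ksu_handle_execve_sucompat()`, which turns the constant into a pointer value instead of pointing at an int, so any read of `*fd` inside the handler would fault in kernel context; the handler body is not part of this patch, so whether it dereferences `fd` cannot be confirmed from here. The faccessat and stat hooks pass `&dfd`, and the execve sites should take the same shape: `int ksu_fd = AT_FDCWD;` followed by `ksu_handle_execve_sucompat(&ksu_fd, &filename, NULL, NULL, NULL);`. Separately, the kernel/reboot.c hook is placed ahead of the `ns_capable(pid_ns->user_ns, CAP_SYS_BOOT)` check, so it is reached by every caller of reboot(2) and deserves a comment such as `/* runs before the CAP_SYS_BOOT check; the handler must authorise the caller itself */`.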