Handle unmount for isolated process correctly #2696
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
Collaborator
Author
|
I think this cause trouble for some modules. Unlike magisk, ksu doesn't have a userspace daemon to match isolated process with app. |
Contributor
|
I referred to your code, I think there's nothing major about it 💕 |
rsuntk
added a commit
to rsuntk/KernelSU
that referenced
this pull request
Aug 16, 2025
…anges (#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann#2708 tiann#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann#2696 (comment) Co-authored-by: Wang Han <[email protected]>
ShirkNeko
pushed a commit
to SukiSU-Ultra/SukiSU-Ultra
that referenced
this pull request
Aug 16, 2025
…anges (#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann/KernelSU#2708 tiann/KernelSU#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann/KernelSU#2696 (comment) 4. consolidate most of the gaps Co-authored-by: Wang Han <[email protected]>
ShirkNeko
pushed a commit
to SukiSU-Ultra/SukiSU-Ultra
that referenced
this pull request
Aug 16, 2025
…anges (#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann/KernelSU#2708 tiann/KernelSU#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann/KernelSU#2696 (comment) Co-authored-by: Wang Han <[email protected]>
ShirkNeko
added a commit
to SukiSU-Ultra/SukiSU-Ultra
that referenced
this pull request
Aug 16, 2025
…anges (#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann/KernelSU#2708 tiann/KernelSU#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann/KernelSU#2696 (comment) Co-authored-by: Wang Han <[email protected]>
ShirkNeko
added a commit
to SukiSU-Ultra/SukiSU-Ultra
that referenced
this pull request
Aug 16, 2025
…anges (#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann/KernelSU#2708 tiann/KernelSU#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann/KernelSU#2696 (comment) Co-authored-by: Wang Han <[email protected]> Co-authored-by: rsuntk <[email protected]>
Ylarod
approved these changes
Aug 23, 2025
pershoot
pushed a commit
to pershoot/KernelSU-Next
that referenced
this pull request
Aug 24, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
aviraxp
pushed a commit
that referenced
this pull request
Aug 24, 2025
sidex15
referenced
this pull request
in sidex15/KernelSU-A
Aug 25, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
luyanci
pushed a commit
to luyanci/KernelSU
that referenced
this pull request
Aug 26, 2025
…anges (rsuntk#131) 1. Wrapper for creds: * Some older kernel does not have {.val}, so, for nicer compatibility support and clean code, make some wrapper for credential use. * After this change, do not use current_uid().val, instead, use ksu_current_uid(). For more info, check kernel/include/ksu_creds.h. 2. Refine disable_seccomp (need to add k6.11+ support) tiann#2708 tiann#2706 3. Revert "Handle unmount for isolated process correctly" Reason: tiann#2696 (comment) Co-authored-by: Wang Han <[email protected]>
LeCmnGend
pushed a commit
to LeCmnGend/KernelSU
that referenced
this pull request
Sep 2, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
Collaborator
Author
|
I reconsidered this. Isolated process which directly forks from zygote is just like normal app, so there is no reason apps won't crash but Isolated process will. Also zygote reopens fd before actually fork, so it should be fine. |
Collaborator
Author
|
I don't use any module that mounts, so maybe feedback is needed for ones especially uses overlay, font modules. |
fadlyas07
added a commit
to bengal-upstream/KernelSU
that referenced
this pull request
Sep 13, 2025
* 'main' of https://github.com/tiann/KernelSU: (42 commits) Unmount isolated process which forks from zygote unconditionally (tiann#2747) fix 'for' loop problem (tiann#2745) update resetprop (tiann#2733) Strip JNI debug logs on release build (tiann#2732) manager: Support search module (tiann#2730) manager: Add uninstall 2nd confirm (tiann#2729) manager: Fix some issues (tiann#2725) manager: fix button issues in module cards (tiann#2719) manager: switch ui to miuix design style (tiann#2710) Revert "Handle unmount for isolated process correctly" (tiann#2718) Handle unmount for isolated process correctly (tiann#2696) Reset seccomp filter count when escaping to root (tiann#2708) kernel: selinux: rules: Micro-optimize get_policydb() and fix illegal RCU lock usage in handle_sepolicy() (tiann#2695) Update resetprop from Magisk v30.2 (tiann#2700) ksud: support vendor_boot patching for some odd devices (tiann#2650) ksud: make clippy happy (tiann#2683) feat(ui): improve predictive back animations (tiann#2675) kernel: added new prctl CMD_GET_MANAGER_UID to get the uid of the crowned manager (tiann#2673) kernel: selinux: rules: Fix illegal RCU lock usage in apply_kernelsu_rules() (tiann#2646) manger: fix lkm detection (tiann#2654) ... Conflicts: kernel/core_hook.c kernel/selinux/rules.c kernel/throne_tracker.c Change-Id: Iebf7dd870a7d9e35f4cecbf97fa13eeb174b7b5d
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Sep 25, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Sep 25, 2025
Added from 5ec1cff@63c615e (+24) implement magic mount restorecon: set adb_file to system_file for module files magic_mount: use trusted.overlay.opaque chore: fmt magic_mount: supports whiteout chore: refine code magic_mount: fix log: make verbose logging optional magic_mount: refine ksud: fix disable / enable modules ksud: fix odm not magic-mounted manager: no need to check overlayfs ksud: fix partition link ksud: fix clone symlink ksud: refine tmpfs ksud: add KSU_MAGIC_MOUNT to env (5ec1cff#5) manager: remove shrink image use module dir name as real id allow restore uninstalled module ksud: make tmpfs and magic mount optional ksud: fix stat reformat rust codes app: persist show system app settings magic mount: make mount points read only Other changes: (+50) ksud: move workdir to /mnt/vendor ksud: remove tmpfs mounting ksud: tell prctl interface about our mounts (5ec1cff#16) ksud: add cmd for add-try-umount (5ec1cff#16) ksud: add cmd for nuke-ext4-sysfs workflows: debloat ksud: add armeabi-v7a support manager: failure mode dummy demo dummy.keystore manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: drop LKM and kprobes support kernel: restore compat code required for old kernels kernel: expose allowlist workaround as Kconfig option kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: core_hook: expose prctl interface for umount list (5ec1cff#16) kernel: core_hook: only umount when unmountable > 0 kernel: core_hook: expose nuke_ext4_sysfs to prctl interface kernel: throne_tracker: offload to kthread (tiann#2632) kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for non-kp (tiann#2506) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: intercept devpts via security_inode_permission LSM kernel: compat: migrate sucompat strncpy_from_user to copy_from_user kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels kernel: ksud: provide dummy handlers for old hooks kernel: core_hook: earlier escape_to_root already-root check kernel: handle backports kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for <= 3.13 kernel: ksud: provide is_ksu_transition check v2 kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: throne_tracker: add strscpy/strlcpy compat kernel: ksud: d_is_reg to IS_REG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle read_iter requirement conditionally kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: inline iterate_dir -> vfs_readdir compat kernel: apk_sign: fix return check for ksu_sha256 kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: core_hook: add support for KernelNoSU kernel: kp_ksud: restore kprobes for early-boot and used-once hooks KernelSU v1.0.5+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Sep 25, 2025
Added from 5ec1cff@63c615e (+24) implement magic mount restorecon: set adb_file to system_file for module files magic_mount: use trusted.overlay.opaque chore: fmt magic_mount: supports whiteout chore: refine code magic_mount: fix log: make verbose logging optional magic_mount: refine ksud: fix disable / enable modules ksud: fix odm not magic-mounted manager: no need to check overlayfs ksud: fix partition link ksud: fix clone symlink ksud: refine tmpfs ksud: add KSU_MAGIC_MOUNT to env (5ec1cff#5) manager: remove shrink image use module dir name as real id allow restore uninstalled module ksud: make tmpfs and magic mount optional ksud: fix stat reformat rust codes app: persist show system app settings magic mount: make mount points read only Other changes: (+50) ksud: move workdir to /mnt/vendor ksud: remove tmpfs mounting ksud: tell prctl interface about our mounts (5ec1cff#16) ksud: add cmd for add-try-umount (5ec1cff#16) ksud: add cmd for nuke-ext4-sysfs workflows: debloat ksud: add armeabi-v7a support manager: failure mode dummy demo dummy.keystore manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: drop LKM and kprobes support kernel: restore compat code required for old kernels kernel: expose allowlist workaround as Kconfig option kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: core_hook: expose prctl interface for umount list (5ec1cff#16) kernel: core_hook: only umount when unmountable > 0 kernel: core_hook: expose nuke_ext4_sysfs to prctl interface kernel: throne_tracker: offload to kthread (tiann#2632) kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for non-kp (tiann#2506) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: intercept devpts via security_inode_permission LSM kernel: compat: migrate sucompat strncpy_from_user to copy_from_user kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels kernel: ksud: provide dummy handlers for old hooks kernel: core_hook: earlier escape_to_root already-root check kernel: handle backports kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for <= 3.13 kernel: ksud: provide is_ksu_transition check v2 kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: throne_tracker: add strscpy/strlcpy compat kernel: ksud: d_is_reg to IS_REG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle read_iter requirement conditionally kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: inline iterate_dir -> vfs_readdir compat kernel: apk_sign: fix return check for ksu_sha256 kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: core_hook: add support for KernelNoSU kernel: kp_ksud: restore kprobes for early-boot and used-once hooks KernelSU v1.0.5+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Sep 26, 2025
Added from 5ec1cff@63c615e (+24) implement magic mount restorecon: set adb_file to system_file for module files magic_mount: use trusted.overlay.opaque chore: fmt magic_mount: supports whiteout chore: refine code magic_mount: fix log: make verbose logging optional magic_mount: refine ksud: fix disable / enable modules ksud: fix odm not magic-mounted manager: no need to check overlayfs ksud: fix partition link ksud: fix clone symlink ksud: refine tmpfs ksud: add KSU_MAGIC_MOUNT to env (5ec1cff#5) manager: remove shrink image use module dir name as real id allow restore uninstalled module ksud: make tmpfs and magic mount optional ksud: fix stat reformat rust codes app: persist show system app settings magic mount: make mount points read only Other changes: (+50) ksud: move workdir to /mnt/vendor ksud: remove tmpfs mounting ksud: tell prctl interface about our mounts (5ec1cff#16) ksud: add cmd for add-try-umount (5ec1cff#16) ksud: add cmd for nuke-ext4-sysfs workflows: debloat ksud: add armeabi-v7a support manager: failure mode dummy demo dummy.keystore manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: drop LKM and kprobes support kernel: restore compat code required for old kernels kernel: expose allowlist workaround as Kconfig option kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: core_hook: expose prctl interface for umount list (5ec1cff#16) kernel: core_hook: only umount when unmountable > 0 kernel: core_hook: expose nuke_ext4_sysfs to prctl interface kernel: throne_tracker: offload to kthread (tiann#2632) kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for non-kp (tiann#2506) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: intercept devpts via security_inode_permission LSM kernel: compat: migrate sucompat strncpy_from_user to copy_from_user kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels kernel: ksud: provide dummy handlers for old hooks kernel: core_hook: earlier escape_to_root already-root check kernel: handle backports kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for <= 3.13 kernel: ksud: provide is_ksu_transition check v2 kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: throne_tracker: add strscpy/strlcpy compat kernel: ksud: d_is_reg to IS_REG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle read_iter requirement conditionally kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: inline iterate_dir -> vfs_readdir compat kernel: apk_sign: fix return check for ksu_sha256 kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: core_hook: add support for KernelNoSU kernel: kp_ksud: restore kprobes for early-boot and used-once hooks KernelSU v1.0.5+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Sep 26, 2025
Added from 5ec1cff@63c615e (+24) implement magic mount restorecon: set adb_file to system_file for module files magic_mount: use trusted.overlay.opaque chore: fmt magic_mount: supports whiteout chore: refine code magic_mount: fix log: make verbose logging optional magic_mount: refine ksud: fix disable / enable modules ksud: fix odm not magic-mounted manager: no need to check overlayfs ksud: fix partition link ksud: fix clone symlink ksud: refine tmpfs ksud: add KSU_MAGIC_MOUNT to env (5ec1cff#5) manager: remove shrink image use module dir name as real id allow restore uninstalled module ksud: make tmpfs and magic mount optional ksud: fix stat reformat rust codes app: persist show system app settings magic mount: make mount points read only Other changes: (+50) ksud: move workdir to /mnt/vendor ksud: remove tmpfs mounting ksud: tell prctl interface about our mounts (5ec1cff#16) ksud: add cmd for add-try-umount (5ec1cff#16) ksud: add cmd for nuke-ext4-sysfs workflows: debloat ksud: add armeabi-v7a support manager: failure mode dummy demo dummy.keystore manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: drop LKM and kprobes support kernel: restore compat code required for old kernels kernel: expose allowlist workaround as Kconfig option kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: core_hook: expose prctl interface for umount list (5ec1cff#16) kernel: core_hook: only umount when unmountable > 0 kernel: core_hook: expose nuke_ext4_sysfs to prctl interface kernel: throne_tracker: offload to kthread (tiann#2632) kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for non-kp (tiann#2506) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: intercept devpts via security_inode_permission LSM kernel: compat: migrate sucompat strncpy_from_user to copy_from_user kernel: selinux: fix pointer mismatch with 32-bit ksud on 64-bit kernels kernel: ksud: provide dummy handlers for old hooks kernel: core_hook: earlier escape_to_root already-root check kernel: handle backports kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for <= 3.13 kernel: ksud: provide is_ksu_transition check v2 kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: throne_tracker: add strscpy/strlcpy compat kernel: ksud: d_is_reg to IS_REG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle read_iter requirement conditionally kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: inline iterate_dir -> vfs_readdir compat kernel: apk_sign: fix return check for ksu_sha256 kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: core_hook: add support for KernelNoSU kernel: kp_ksud: restore kprobes for early-boot and used-once hooks KernelSU v1.0.5+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 20, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 20, 2025
Changes on top of upstream (+72): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: bring back namespace config in app profiles manager: failure mode dummy demo manager: no need to check overlayfs manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type kernel: app_profile: add compat for mount namespace feature KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 20, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 20, 2025
Changes on top of upstream (+72): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: bring back namespace config in app profiles manager: failure mode dummy demo manager: no need to check overlayfs manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type kernel: app_profile: add compat for mount namespace feature KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
KOWX712
pushed a commit
to KOWX712/KernelSU
that referenced
this pull request
Nov 20, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote. - rebased Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Changes on top of upstream (+72): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: bring back namespace config in app profiles manager: failure mode dummy demo manager: no need to check overlayfs manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type kernel: app_profile: add compat for mount namespace feature KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Changes on top of upstream (+72): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: bring back namespace config in app profiles manager: failure mode dummy demo manager: no need to check overlayfs manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type kernel: app_profile: add compat for mount namespace feature KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
KOWX712
pushed a commit
to KOWX712/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote. - rebased Signed-off-by: backslashxx <[email protected]>
KOWX712
pushed a commit
to KOWX712/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote. - rebased Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Changes on top of upstream (+72): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: bring back namespace config in app profiles manager: failure mode dummy demo manager: no need to check overlayfs manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type kernel: app_profile: add compat for mount namespace feature KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 21, 2025
Changes on top of upstream (+69): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile (tiann#2909) kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
KOWX712
pushed a commit
to KOWX712/KernelSU
that referenced
this pull request
Nov 21, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote. - rebased Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Changes on top of upstream (+69): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile (tiann#2909) kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Changes on top of upstream (+69): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile (tiann#2909) kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Changes on top of upstream (+69): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: add support change mount namespace with app profile (tiann#2909) kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
pushed a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 22, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+68): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: Makefile: remove overlayfs requirement kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+67): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 23, 2025
Changes on top of upstream (+66): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
backslashxx
added a commit
to backslashxx/KernelSU
that referenced
this pull request
Nov 24, 2025
Changes on top of upstream (+66): workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore compat code required for old kernels kernel: compat: remove ksu_android_ns_fs_check Reapply: "Handle unmount for isolated process correctly (tiann#2696)" kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: throne_tracker: offload to kthread (tiann#2632) kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: expose allowlist workaround as Kconfig option kernel: app_profile: shim escape_with_root_profile kernel: allowlist: escape persistent_allow_list to kthread kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506) kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags (user) ultimatum hook kernel: sucompat: provide getname_flags (kernel) ultimatum hook kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: base implementation of avc log spoofing kernel: extras/avc_spoof: add kprobe support kernel: extras: add avc spoof to feature kernel/extra: replace sensitive context with priv_app kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v2.1.2+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Isolated processes can be directly forked from zygote, but current code doesn't handle it well. Fix it by unmounting unconditionally if isolated process is forked from zygote.