kernel: supercall: allow escalation on ioctl interface #2862
Merged
Conversation
Author (Contributor):
take 2, this addresses what @Ylarod said. ref: #2861 (comment). Usage example: https://godbolt.org/z/Kh91EG5eq
Contributor:
+1 If this is safe to merge and can fix requiring
Ylarod requested changes on Nov 5, 2025
This is so we can piggyback a userspace su when needed. This is gated by sys_reboot in the first place anyway, so performing this can only be done by uids on the allowlist.
Signed-off-by: backslashxx <[email protected]>
Force-pushed from cef024e to 6ca7fbd
Ylarod approved these changes on Nov 5, 2025
backslashxx added a commit to backslashxx/KernelSU that referenced this pull request on Nov 5, 2025
Signed-off-by: backslashxx <[email protected]>

Revert "kernel: supercall: allow escalation on ioctl interface (tiann#2862)"
This reverts commit 562a3b9.

kernel: remove LKM, kprobes and other unsupportable code
Since upstream has kprobes default, and now a requirement, cleaning up support for LKM, kprobes and other unsupportable code is kind of a must. This simplifies porting downstream changes, restoring old components, debloat, and makes it easier to maintain downstream, e.g. avoiding excessive use of conditionals (ifdef hell). There's now massive code divergence so this has to be done.
other changes:
- Kconfig, CONFIG_KSU, tristate to bool
- ksud.c, stop_input_hook(), short-circuit redundant logic left by this change.
- restore old formatting
Signed-off-by: backslashxx <[email protected]>
KOWX712 pushed a commit to KOWX712/KernelSU that referenced this pull request on Nov 5, 2025
Signed-off-by: backslashxx <[email protected]>
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request on Nov 5, 2025
Signed-off-by: backslashxx <[email protected]>
KOWX712 pushed a commit to KOWX712/KernelSU that referenced this pull request on Nov 6, 2025
Signed-off-by: backslashxx <[email protected]>
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request on Nov 7, 2025
Signed-off-by: backslashxx <[email protected]>
LeCmnGend pushed a commit to LeCmnGend/KernelSU that referenced this pull request on Nov 8, 2025
Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 19, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 25, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 25, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 28, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 30, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Nov 30, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Dec 7, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request on Dec 7, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
rifsxd added a commit to KernelSU-Next/KernelSU-Next that referenced this pull request on Dec 13, 2025
* kernel: replace renameat hook with fsnotify (#910)
* kernel: replace renameat hook with fsnotify
* kernel: fix compile
* kernel: fix compile below 6.0
---------
Co-authored-by: weishu <[email protected]>
* new supercall impl (tiann/KernelSU#2835) Co-authored-by: weishu <[email protected]>
* Fix ksud build (tiann/KernelSU#2841)
* fix: a lot (tiann/KernelSU#2843)
* fix: a lot again (tiann/KernelSU#2845)
* Fix ksud build, take 3 (tiann/KernelSU#2842)
* Fix ksud build, take 4 (tiann/KernelSU#2846) Remove init_driver_fd function for non-linux/android targets
* fix ksucalls, same now
* kernel: remove unused
* back to kprobe setuid hook
* Implement workqueue for unmounting: umount schedules, so it cannot be used in kprobe context.
* switch ns umount
* refact: use feature subsystem
* use 64bit feature
* fix
* add fixme
* add feature max to get_info
* use 32bit feature id
* allow root to get/set feature
* more clean perm_check functions
* do not expose perm checker
* add feature command to ksud
* fix security_task_fix_setuid_handler_pre
* manager: add kernel_umount switch (tiann/KernelSU#2848)
* add name and print command value
* fix
* ksud: clippy
* ksud: cargo fmt
* update ioctl macro (tiann/KernelSU#2850)
* use cap_task_fix_setuid hook to avoid inline issue
* kernel: disable setuid debug log
* update embed ksuinit to v2
* kernel: remove dynamic alloc in feature
* Reapply: "kernel: Allow to use in Private Space" (tiann/KernelSU#2857) rebase of tiann/KernelSU@0576495 Signed-off-by: backslashxx <[email protected]> Co-authored-by: weishu <[email protected]>
* add legacy get_version
* fix: get legacy version
* [PARTIAL] ksud: migrate to Rust 2024 edition
* ksud: add managed_feature
* add check_managed_features to installer.sh
* manager: fix legacy get version
* rename to managedFeatures
* ksud: clippy
* Revert "Implement workqueue for unmounting" This reverts commit tiann/KernelSU@ec0e5da.
* kernel: rework umount with task_work
* kernel: init/exit umount feature
* Fix legacy prctl check condition (tiann/KernelSU#2864)
* kernel: supercall: allow escalation on ioctl interface (tiann/KernelSU#2862) Signed-off-by: backslashxx <[email protected]>
* Support building for kernel 6.14+ (tiann/KernelSU#2662) Require [this PR](tiann/KernelSU#1785) which is made for 6.8+ to be able to build. --------- Signed-off-by: hmtheboy154 <[email protected]>
* support mainline kernel (tiann/KernelSU#2869)
* kernel: use sys_enter tracepoint for sucompat (tiann/KernelSU#2866) Co-authored-by: weishu <[email protected]>
* fix: mark tif (tiann/KernelSU#2871)
* fix sepolicy patch hint (tiann/KernelSU#2872)
* kernel: remove unused workqueue
* feature: add enhanced security (tiann/KernelSU#2873)
* kernel: Set the tracepoint flag in a tracepoint manner
* kernel: clean headers
* fix: sucompat (tiann/KernelSU#2874) Co-authored-by: Wang Han <[email protected]>
* add mutex for sucompat mark
* kill pgrp in enhanced security
* fix: enhanced security register
* skip init_features in safe mode
* revert: still using workqueue for allowlist
* Revert "kernel: remove unused workqueue" This reverts commit tiann/KernelSU@9060e61.
* build: remove -Wno-implicit-function-declaration
* Replace mutex with spinlock for tracepoint registration (tiann/KernelSU#2882)
* Switch kretprobe to heap (tiann/KernelSU#2880) Co-authored-by: Ylarod <[email protected]>
* kernel: Refactor selinux/selinux.c (tiann/KernelSU#2881) Signed-off-by: shadichy <[email protected]> Co-authored-by: Wang Han <[email protected]>
* Use force_sig(SIGKILL) to kill process
* kernel: remove workqueue for allowlist
* kernel: remove ksu_compat_{open,read,write} because we're in the right context now
* kernel: remove unused wrapper for
* kernel: Use real_parent to avoid interference from ptrace.
* kernel: remove unused kernel_compat
* kernel: fix save allowlist
* Fix missing unlock on error path
* use proxy file for pts (tiann/KernelSU#2886) Signed-off-by: 5ec1cff <[email protected]> Co-authored-by: Wang Han <[email protected]> Co-authored-by: Ylarod <[email protected]>
* kernel: fix put_task if alloc failed.
* clean unused header
* on_module_mounted in ksud.c
* refact: use app_profile
* unified hook manager
* add zygote to hook target
* use kprobe for reboot hook
* move reboot hook to supercall.c
* refactor: kernel_umount setuid_hook
* update mark rules, add init mark tracker
* update setuid_hook, remove unneeded sucompat enable
* log freely
* cli: add ksud debug mark
* Fix rustfmt warning
* Clean up kernel code (tiann/KernelSU#2898) 1) Fix memory leak of callback head in allowlist.c 2) Remove duplicated logic and incorrect log in kernel_umount.c 3) Prevent sleep in kprobe context in ksud.c 4) Remove useless is_unsupported_uid, use euid for security enhance, add FIXME in setuid_hook.c 5) Remove useless fd argument for execve hook, fix incorrect pointer usage in syscall_hook_manager.c and sucompat.c 6) Use correct errno in supercalls.c --------- Co-authored-by: Ylarod <[email protected]>
* manager: fix KsuCli cmd
* fix missing header
* kernel: Don't save allowlist on module exit. This is not needed and may trigger UAF as work is async.
* kernel: Use task work to install fd. There are many fd related functions that can sleep, so we have no choice but move operations to task work. Also close fd when copy_to_user fails.
* kernel: Fix task flag marking for root and shell UID Signed-off-by: Wang Han <[email protected]> Co-authored-by: 5ec1cff <[email protected]>
* kernel: fix wrong show_fdinfo impl Signed-off-by: Wang Han <[email protected]>
* kernel: refine file wrapper Signed-off-by: Wang Han <[email protected]>
* kernel: fix zygote mark on first boot (tiann/KernelSU#2924)
* kernel: refine syscall_hook_manager - Don't unmark process when setuid if syscall tracepoint is in use - Remark process when app profile updated - Ensure zygote is marked on first boot
* userspace: ksud: removed dual mount system and kept only overlayfs for now for future meta module plans and also updated code to follow new ioctl calls
* manager: native: introduce new enhanced security functions
* manager: removed susfs info and control
* manager: remove dual mount system functionality
* ksud: fix module mount info
* ksud: removed unused variable
* script: updated userspace build script
* manager: add enhanced security toggle
* kernel: remove redundant code
* manager: removed redundant minimal checks
* manager: fix supported kmi command
* manager: refine webui package manager: use superuser viewmodel companion to get applist, no longer require QUERY_ALL_PACKAGES permission. Signed-off-by: rifat azad <[email protected]>
* feat(ksud): Optimize ensure_dir_exist and do not hardcode path (#2932) I believe that hardcoding `/proc/self/exe` is not feasible, so I used an implementation from the std library. And I optimized ensure_dir_exist logic. Signed-off-by: Tools-app <[email protected]>
* kernel: Prune allowlist only after boot completed. For unknown reason, packages.list is not reliable during boot for oplus devices, so we have to disable pruning and re-run pruning after boot.
* kernel: no need to remark process on post-fs-data and boot-completed - Remark on post-fs-data may unmark zygote unexpectedly, and there is no necessity to remark on these stages, so simply remove them.
* kernel: file_wrapper: copy mode of original inode. Bionic uses fstat to determine whether an fd is a tty and set proper buffering flags, so we also need to set the wrapper file's inode mode to the original inode mode. see: https://cs.android.com/android/platform/superproject/main/+/main:bionic/libc/upstream-openbsd/lib/libc/stdio/makebuf.c;l=61-95;drc=9a4b68e20d617b2cb3355071521f16e8c3d538df
* kernel: Replace kmalloc() usages with kzalloc() (#2939) This ensures we won't use uninitialized pointers for task work.
* support metamodule, remove built-in overlayfs mount (#2929) Co-authored-by: weishu <[email protected]> Co-authored-by: YuKongA <[email protected]>
* kernel: Add nuke_ext4_sysfs interface
* ksud: Add cli interface for nuke_ext4_sysfs
* ksud: add modules_update back (#2948)
* manager: remove overlayfs guard and shrink sparse
* kernel/ksud: Fix KSU_IOCTL_NUKE_EXT4_SYSFS definition
* kernel: expose umount list to ioctl interface (#2950) This idea is borrowed from simonpunk's susfs4ksu. What we see here is that, yeah well, let's just have userspace send us what it wants unmounted, this is better than hardcoding everything. This also solves that issue where MNT_DETACH fails, as long as we send unmountables in proper order. A small anti-duplicate mechanism is also added. While in-kernel umount is a bit worse than zygisk-provider-based ones, this can still serve as a healthy alternative. --------- Signed-off-by: backslashxx <[email protected]> Co-authored-by: weishu <[email protected]>
* Prevent regular installs when metamodule unstable
* userspace: add missing update flag
* ksud: Add `mount` flag for module list
* ksud: respect `skip_mount`
* ksud: Fix the blocking installation issue; it is not working with a fresh installation of the metamodule.
* ksud: 1. Handle module upgrade first; 2. Ensure that disabling persists across module upgrades.
* ksud: Fix the issue where a newly installed module is not uninstalled after being immediately removed and rebooted.
* ksud: Fix the metamodule's non-meta stage script, which is executed twice.
* meta-overlayfs: avoid moving skip-mount modules
* ksud: make rustix version fixed tiann/KernelSU#2947 (comment) Co-authored-by: CanerKaraca23
* metaovl: use `cp` instead of `mv` to copy files
* metaovl: Use xcp to copy image faster.
* metaovl: copy selinux context when install
* add module config, migrate managedFeatures (#2965) Co-authored-by: YuKongA <[email protected]>
* ksud: larger config value size limit, update docs
* ksud: config set support read from stdin, and less restriction
* ksud: Set KSU_MODULE only for module script (#2971)
* ksud: fmt
* kernel: remove OVERLAY_FS dependency
* kernel: Unmount all isolated process which forks from zygote. Kernel has few information about which isolated process belongs to which application, so there is actually no good choice if we don't implement a userspace daemon. One choice is to access cmdline memory from kernel, but cmdline is __user, and it is likely to trigger detections. Before we have more good ideas, use this.
* kernel: Remove unreachable vfs_statx handling
* sucompat: Fix execve filename access on ARM64
* kernel: Add preempt_{disable|enable}_notrace for MODULE
* kernel: Fix execve filename access on ARM64
* ksud: Remove warning for non-tty std
* kernel: remove redundant KSU_KPROBES_HOOK guard
* kernel: remove unused functions and KSU_ALLOWLIST_WORKAROUND guard
* kernel: fix selinux
* meta-overlayfs: Moved to module repo
* workflow: test new workflow
* kernel: update Makefile
* kernel: replace deprecated strlcpy and use strscpy
* manager: remove closed source lkm warning
* userspace: add `feature get --config`
* fix #2980
* manager: upgrade ndk29
* kernel: tweak Makefile Signed-off-by: rifat azad <[email protected]>
* manager: bump gradle version
* manager: add additional gradle properties
* manager: fix exec command
* manager: remove build output verbose
* manager: bump agp lib version
* workflow: add manager dispatch trigger
* manager: add empty newline to avoid buildtime append syntax error
* workflow: add missing API id/hash for telegram upload
* kernel: try fix manager crowning
* userspace: rename mount system to meta
* src: release v3.0.0
* manager: fix memory leak
* manager: combine 3 list packages api into 1
* manager: filter ksuapp in superuser screen; this will allow showing kernelsu app info in webui Signed-off-by: KOWX712 <[email protected]>
* workflow: configure spoofed and ci manager build
---------
Signed-off-by: backslashxx <[email protected]>
Signed-off-by: hmtheboy154 <[email protected]>
Signed-off-by: shadichy <[email protected]>
Signed-off-by: 5ec1cff <[email protected]>
Signed-off-by: Wang Han <[email protected]>
Signed-off-by: rifat azad <[email protected]>
Signed-off-by: Tools-app <[email protected]>
Signed-off-by: KOWX712 <[email protected]>
Co-authored-by: pershoot <[email protected]>
Co-authored-by: weishu <[email protected]>
Co-authored-by: Ylarod <[email protected]>
Co-authored-by: Wang Han <[email protected]>
Co-authored-by: YuKongA <[email protected]>
Co-authored-by: backslashxx <[email protected]>
Co-authored-by: Huy Minh <[email protected]>
Co-authored-by: libingxuan <[email protected]>
Co-authored-by: Shadichy <[email protected]>
Co-authored-by: 5ec1cff <[email protected]>
Co-authored-by: KOWX712 <[email protected]>
Co-authored-by: 生于生时 亡于亡刻 <[email protected]>
Olzhas-Kdyr pushed a commit to Olzhas-Kdyr/KernelSU-Next that referenced this pull request on Dec 17, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
Olzhas-Kdyr pushed a commit to Olzhas-Kdyr/KernelSU-Next that referenced this pull request on Dec 19, 2025
…U#2862) Signed-off-by: backslashxx <[email protected]>
u9521 pushed a commit to u9521/KernelSU that referenced this pull request on Dec 31, 2025
Signed-off-by: backslashxx <[email protected]>
re-noroi pushed a commit to re-noroi/KernelSU-Next that referenced this pull request on Jan 1, 2026
…U#2862) Signed-off-by: backslashxx <[email protected]>
u9521 pushed a commit to u9521/KernelSU that referenced this pull request on Jan 3, 2026
Signed-off-by: backslashxx <[email protected]>
u9521 pushed a commit to u9521/KernelSU that referenced this pull request on Jan 5, 2026
Signed-off-by: backslashxx <[email protected]>
Olzhas-Kdyr pushed a commit to Olzhas-Kdyr/KernelSU-Next that referenced this pull request on Jan 10, 2026
…U#2862) Signed-off-by: backslashxx <[email protected]>
No description provided.