Merged
11 changes: 11 additions & 0 deletions kernel/allowlist.h
@@ -2,8 +2,13 @@
#define __KSU_H_ALLOWLIST

#include <linux/types.h>
#include <linux/uidgid.h>
#include "app_profile.h"

#define PER_USER_RANGE 100000
#define FIRST_APPLICATION_UID 10000
#define LAST_APPLICATION_UID 19999

void ksu_allowlist_init(void);

void ksu_allowlist_exit(void);
@@ -29,4 +34,10 @@ bool ksu_set_app_profile(struct app_profile *, bool persist);

bool ksu_uid_should_umount(uid_t uid);
struct root_profile *ksu_get_root_profile(uid_t uid);

static inline bool is_appuid(uid_t uid)
{
uid_t appid = uid % PER_USER_RANGE;
return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
}
#endif
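Review bot: `is_appuid()` and the three range macros now sit in a header that other files include, but nothing documents which UIDs the predicate rejects, even though callers use it as a policy gate. A short comment above the function would cover it, for example `/* True only when uid % PER_USER_RANGE lies in 10000-19999 (a regular app in any user); every other UID, including the isolated ones the FIXME in kernel_umount.c mentions, returns false. */`. The unprefixed names `PER_USER_RANGE`, `FIRST_APPLICATION_UID` and `LAST_APPLICATION_UID` are also generic for a shared header. This same commit has to delete the identical definitions from setuid_hook.c, so a `KSU_` prefix would guard against the next redefinition clash.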
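--- a/kernel/kernel_umount.c
+++ b/kernel/kernel_umount.c
@@ -135,6 +135,11 @@ int ksu_handle_umount(uid_t old_uid, uid_t new_uid)
 return 0;
 }
 
+// FIXME: isolated process which directly forks from zygote is not handled
+if (!is_appuid(new_uid)) {
+return 0;
+}
+
 if (!ksu_uid_should_umount(new_uid)) {
 return 0;
 }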
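Review bot: The new `is_appuid(new_uid)` guard returns from `ksu_handle_umount` before `ksu_uid_should_umount` is consulted, and it does so silently for every UID outside the app range. Per the FIXME, an isolated process forked from zygote is therefore never unmounted here, and nothing in the log shows it. The copy of this check that the commit removes from `ksu_handle_setresuid` printed a `pr_info` line on this path; a `pr_debug("umount skipped for non-app uid: %u\n", new_uid);` before the `return 0;` would keep the gap observable. The FIXME could also state the consequence, e.g. `// FIXME: isolated UIDs fail is_appuid(), so they are never unmounted here`. The function starts and ends outside the hunk, so handling of that case elsewhere in the function cannot be ruled out from this view.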
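--- a/kernel/setuid_hook.c
+++ b/kernel/setuid_hook.c
@@ -39,10 +39,6 @@
 #include "syscall_hook_manager.h"
 #include "kernel_umount.h"
 
-#define PER_USER_RANGE 100000
-#define FIRST_APPLICATION_UID 10000
-#define LAST_APPLICATION_UID 19999
-
 static bool ksu_enhanced_security_enabled = false;
 
 static int enhanced_security_feature_get(u64 *value)
@@ -75,12 +71,6 @@ static inline bool is_allow_su()
 return ksu_is_allow_uid_for_current(current_uid().val);
 }
 
-static inline bool is_appuid(uid_t uid)
-{
-uid_t appid = uid % PER_USER_RANGE;
-return appid >= FIRST_APPLICATION_UID && appid <= LAST_APPLICATION_UID;
-}
-
 int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 {
 // we rely on the fact that zygote always call setresuid(3) with same uids
@@ -113,17 +103,6 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 return 0;
 }
 
-if (new_uid == 2000) {
-ksu_set_task_tracepoint_flag(current);
-}
-
-// FIXME: isolated process which directly forks from zygote is not handled
-if (!is_appuid(new_uid)) {
-pr_info("handle setresuid ignore non application or isolated uid: %d\n", new_uid);
-ksu_clear_task_tracepoint_flag(current);
-return 0;
-}
-
 // if on private space, see if its possibly the manager
 if (new_uid > PER_USER_RANGE && new_uid % PER_USER_RANGE == ksu_get_manager_uid()) {
 ksu_set_manager_uid(new_uid);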