tiann · aviraxp · Dec 31, 2025 · Dec 31, 2025
diff --git a/kernel/feature.h b/kernel/feature.h
@@ -6,7 +6,6 @@
 enum ksu_feature_id {
     KSU_FEATURE_SU_COMPAT = 0,
     KSU_FEATURE_KERNEL_UMOUNT = 1,
-    KSU_FEATURE_ENHANCED_SECURITY = 2,
 
     KSU_FEATURE_MAX
 };

diff --git a/kernel/setuid_hook.c b/kernel/setuid_hook.c
@@ -14,7 +14,6 @@
 
 #include "allowlist.h"
 #include "setuid_hook.h"
-#include "feature.h"
 #include "klog.h" // IWYU pragma: keep
 #include "manager.h"
 #include "selinux/selinux.h"
@@ -23,29 +22,6 @@
 #include "syscall_hook_manager.h"
 #include "kernel_umount.h"
 
-static bool ksu_enhanced_security_enabled = false;
-
-static int enhanced_security_feature_get(u64 *value)
-{
-    *value = ksu_enhanced_security_enabled ? 1 : 0;
-    return 0;
-}
-
-static int enhanced_security_feature_set(u64 value)
-{
-    bool enable = value != 0;
-    ksu_enhanced_security_enabled = enable;
-    pr_info("enhanced_security: set to %d\n", enable);
-    return 0;
-}
-
-static const struct ksu_feature_handler enhanced_security_handler = {
-    .feature_id = KSU_FEATURE_ENHANCED_SECURITY,
-    .name = "enhanced_security",
-    .get_handler = enhanced_security_feature_get,
-    .set_handler = enhanced_security_feature_set,
-};
-
 static void ksu_install_manager_fd_tw_func(struct callback_head *cb)
 {
     ksu_install_fd();
@@ -60,31 +36,6 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 
     pr_info("handle_setresuid from %d to %d\n", old_uid, new_uid);
 
-    // if old process is root, ignore it.
-    if (old_uid != 0 && ksu_enhanced_security_enabled) {
-        // disallow any non-ksu domain escalation from non-root to root!
-        // euid is what we care about here as it controls permission
-        if (unlikely(euid == 0)) {
-            if (!is_ksu_domain()) {
-                pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
-                        current->pid, current->comm, old_uid, new_uid);
-                force_sig(SIGKILL);
-                return 0;
-            }
-        }
-        // disallow appuid decrease to any other uid if it is not allowed to su
-        if (is_appuid(old_uid)) {
-            if (euid < current_euid().val &&
-                !ksu_is_allow_uid_for_current(old_uid)) {
-                pr_warn("find suspicious EoP: %d %s, from %d to %d\n",
-                        current->pid, current->comm, old_uid, new_uid);
-                force_sig(SIGKILL);
-                return 0;
-            }
-        }
-        return 0;
-    }
-
     if (likely(ksu_is_manager_appid_valid()) &&
         unlikely(ksu_get_manager_appid() == new_uid % PER_USER_RANGE)) {
         spin_lock_irq(&current->sighand->siglock);
@@ -125,14 +76,10 @@ int ksu_handle_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 void ksu_setuid_hook_init(void)
 {
     ksu_kernel_umount_init();
-    if (ksu_register_feature_handler(&enhanced_security_handler)) {
-        pr_err("Failed to register enhanced security feature handler\n");
-    }
 }
 
 void ksu_setuid_hook_exit(void)
 {
     pr_info("ksu_core_exit\n");
     ksu_kernel_umount_exit();
-    ksu_unregister_feature_handler(KSU_FEATURE_ENHANCED_SECURITY);
 }
diff --git a/manager/app/src/main/cpp/jni.cc b/manager/app/src/main/cpp/jni.cc
@@ -325,18 +325,6 @@ Java_me_weishu_kernelsu_Natives_setKernelUmountEnabled(JNIEnv *env, jobject thiz
     return set_kernel_umount_enabled(enabled);
 }
 
-extern "C"
-JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_isEnhancedSecurityEnabled(JNIEnv *env, jobject thiz) {
-    return is_enhanced_security_enabled();
-}
-
-extern "C"
-JNIEXPORT jboolean JNICALL
-Java_me_weishu_kernelsu_Natives_setEnhancedSecurityEnabled(JNIEnv *env, jobject thiz, jboolean enabled) {
-    return set_enhanced_security_enabled(enabled);
-}
-
 extern "C"
 JNIEXPORT jstring JNICALL
 Java_me_weishu_kernelsu_Natives_getUserName(JNIEnv *env, jobject thiz, jint uid) {

diff --git a/manager/app/src/main/cpp/ksu.cc b/manager/app/src/main/cpp/ksu.cc
@@ -186,19 +186,3 @@ bool is_kernel_umount_enabled() {
     }
     return value != 0;
 }
-
-bool set_enhanced_security_enabled(bool enabled) {
-    return set_feature(KSU_FEATURE_ENHANCED_SECURITY, enabled ? 1 : 0);
-}
-
-bool is_enhanced_security_enabled() {
-    uint64_t value = 0;
-    bool supported = false;
-    if (!get_feature(KSU_FEATURE_ENHANCED_SECURITY, &value, &supported)) {
-        return false;
-    }
-    if (!supported) {
-        return false;
-    }
-    return value != 0;
-}
diff --git a/manager/app/src/main/cpp/ksu.h b/manager/app/src/main/cpp/ksu.h
@@ -83,7 +83,6 @@ int get_app_profile(app_profile *profile);
 enum ksu_feature_id {
     KSU_FEATURE_SU_COMPAT = 0,
     KSU_FEATURE_KERNEL_UMOUNT = 1,
-    KSU_FEATURE_ENHANCED_SECURITY = 2,
 };
 
 // Generic feature API
@@ -159,11 +158,6 @@ bool set_kernel_umount_enabled(bool enabled);
 
 bool is_kernel_umount_enabled();
 
-// Enhanced security
-bool set_enhanced_security_enabled(bool enabled);
-
-bool is_enhanced_security_enabled();
-
 // IOCTL command definitions
 #define KSU_IOCTL_GRANT_ROOT _IOC(_IOC_NONE, 'K', 1, 0)
 #define KSU_IOCTL_GET_INFO _IOC(_IOC_READ, 'K', 2, 0)

diff --git a/manager/app/src/main/java/me/weishu/kernelsu/Natives.kt b/manager/app/src/main/java/me/weishu/kernelsu/Natives.kt
@@ -72,15 +72,6 @@ object Natives {
     external fun isKernelUmountEnabled(): Boolean
     external fun setKernelUmountEnabled(enabled: Boolean): Boolean
 
-    /**
-     * Enhanced security can be enabled/disabled.
-     *  0: disabled
-     *  1: enabled
-     *  negative : error
-     */
-    external fun isEnhancedSecurityEnabled(): Boolean
-    external fun setEnhancedSecurityEnabled(enabled: Boolean): Boolean
-
     /**
      * Get the user name for the uid.
      */

diff --git a/manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Settings.kt b/manager/app/src/main/java/me/weishu/kernelsu/ui/screen/Settings.kt
@@ -312,66 +312,6 @@ fun SettingPager(
                             stringResource(id = R.string.settings_mode_temp_enable),
                             stringResource(id = R.string.settings_mode_always_enable),
                         )
-                        val currentEnhancedEnabled = Natives.isEnhancedSecurityEnabled()
-                        var enhancedSecurityMode by rememberSaveable { mutableIntStateOf(if (currentEnhancedEnabled) 1 else 0) }
-                        val enhancedPersistValue by produceState(initialValue = null as Long?) {
-                            value = getFeaturePersistValue("enhanced_security")
-                        }
-                        println("Enhanced persist value: $enhancedPersistValue")
-                        LaunchedEffect(enhancedPersistValue) {
-                            enhancedPersistValue?.let { v ->
-                                enhancedSecurityMode = if (v != 0L) 2 else if (currentEnhancedEnabled) 1 else 0
-                            }
-                        }
-                        val enhancedStatus by produceState(initialValue = "") {
-                            value = getFeatureStatus("enhanced_security")
-                        }
-                        val enhancedSummary = when (enhancedStatus) {
-                            "unsupported" -> stringResource(id = R.string.feature_status_unsupported_summary)
-                            "managed" -> stringResource(id = R.string.feature_status_managed_summary)
-                            else -> stringResource(id = R.string.settings_enable_enhanced_security_summary)
-                        }
-                        SuperDropdown(
-                            title = stringResource(id = R.string.settings_enable_enhanced_security),
-                            summary = enhancedSummary,
-                            items = modeItems,
-                            leftAction = {
-                                Icon(
-                                    Icons.Rounded.EnhancedEncryption,
-                                    modifier = Modifier.padding(end = 16.dp),
-                                    contentDescription = stringResource(id = R.string.settings_enable_enhanced_security),
-                                    tint = colorScheme.onBackground
-                                )
-                            },
-                            enabled = enhancedStatus == "supported",
-                            selectedIndex = enhancedSecurityMode,
-                            onSelectedIndexChange = { index ->
-                                when (index) {
-                                    // Default: disable and save to persist
-                                    0 -> if (Natives.setEnhancedSecurityEnabled(false)) {
-                                        execKsud("feature save", true)
-                                        prefs.edit { putInt("enhanced_security_mode", 0) }
-                                        enhancedSecurityMode = 0
-                                    }
-
-                                    // Temporarily enable: save disabled state first, then enable
-                                    1 -> if (Natives.setEnhancedSecurityEnabled(false)) {
-                                        execKsud("feature save", true)
-                                        if (Natives.setEnhancedSecurityEnabled(true)) {
-                                            prefs.edit { putInt("enhanced_security_mode", 0) }
-                                            enhancedSecurityMode = 1
-                                        }
-                                    }
-
-                                    // Permanently enable: enable and save
-                                    2 -> if (Natives.setEnhancedSecurityEnabled(true)) {
-                                        execKsud("feature save", true)
-                                        prefs.edit { putInt("enhanced_security_mode", 2) }
-                                        enhancedSecurityMode = 2
-                                    }
-                                }
-                            }
-                        )
 
                         val currentSuEnabled = Natives.isSuEnabled()
                         var suCompatMode by rememberSaveable { mutableIntStateOf(if (!currentSuEnabled) 1 else 0) }

diff --git a/manager/app/src/main/res/values-bg/strings.xml b/manager/app/src/main/res/values-bg/strings.xml
@@ -136,8 +136,6 @@
     <string name="settings_disable_su_summary">Деактивирайте възможността на всяко приложение да получава root права чрез командата ⁠SU (съществуващите root процеси няма да бъдат засегнати).</string>
     <string name="settings_disable_kernel_umount">Деактивирайте кернелово разкачане</string>
     <string name="settings_disable_kernel_umount_summary">Деактивирани на кернел-ниво разкачщо поведение контролирано от KernelSU.</string>
-    <string name="settings_enable_enhanced_security">Активиране на подобрена защита</string>
-    <string name="settings_enable_enhanced_security_summary">Активирайте по-строги политики за сигурност.</string>
     <string name="feature_status_unsupported_summary">Кърнълът не поддържа тази функция.</string>
     <string name="feature_status_managed_summary">Тази функция е управлявана от модул.</string>
     <string name="settings_mode_default">По подразбиране</string>

diff --git a/manager/app/src/main/res/values-da/strings.xml b/manager/app/src/main/res/values-da/strings.xml
@@ -133,8 +133,6 @@
     <string name="install_only_support_ko_file">Kun .ko-filer understøttes</string>
     <string name="settings_disable_kernel_umount">Deaktiver kerne umount</string>
     <string name="settings_disable_kernel_umount_summary">Deaktiver umount-adfærd på kerneniveau, der styres af KernelSU.</string>
-    <string name="settings_enable_enhanced_security">Aktivér forbedret sikkerhed</string>
-    <string name="settings_enable_enhanced_security_summary">Aktivér strengere sikkerhedspolitikker.</string>
     <string name="settings_mode_default">Standard</string>
     <string name="settings_mode_temp_enable">Aktivér midlertidigt</string>
     <string name="settings_mode_always_enable">Aktivér permanent</string>

diff --git a/manager/app/src/main/res/values-fr/strings.xml b/manager/app/src/main/res/values-fr/strings.xml
@@ -140,8 +140,6 @@
     <string name="refresh_refresh">Actualisation…</string>
     <string name="refresh_complete">Actualisé avec succès</string>
     <string name="settings_module_check_update">Rechercher des mises à jour des modules</string>
-    <string name="settings_enable_enhanced_security">Activer la sécurité améliorée</string>
-    <string name="settings_enable_enhanced_security_summary">Activer des règles de sécurité plus strictes.</string>
     <string name="settings_mode_default">Par défaut</string>
     <string name="settings_mode_temp_enable">Activer temporairement</string>
     <string name="settings_mode_always_enable">Activer définitivement</string>

diff --git a/manager/app/src/main/res/values-hr/strings.xml b/manager/app/src/main/res/values-hr/strings.xml
@@ -141,8 +141,6 @@
     <string name="app_profile_affects_following_apps">Utječe na sljedeće aplikacije</string>
     <string name="settings_module_check_update">Provjerite ažuriranja modula</string>
     <string name="install_select_partition">Odaberite particiju</string>
-    <string name="settings_enable_enhanced_security">Omogući poboljšanu sigurnost</string>
-    <string name="settings_enable_enhanced_security_summary">Omogući strože sigurnosne politike.</string>
     <string name="feature_status_unsupported_summary">Kernel ne podržava ovu značajku.</string>
     <string name="feature_status_managed_summary">Ovom značajkom upravlja modul.</string>
     <string name="settings_mode_default">Zadano</string>

diff --git a/manager/app/src/main/res/values-in/strings.xml b/manager/app/src/main/res/values-in/strings.xml
@@ -134,8 +134,6 @@
     <string name="install_only_support_ko_file">Hanya berkas .ko yang didukung</string>
     <string name="settings_disable_kernel_umount">Nonaktifkan umount kernel</string>
     <string name="settings_disable_kernel_umount_summary">Nonaktifkan umount pada level kernel yang dikontrol oleh KernelSU.</string>
-    <string name="settings_enable_enhanced_security">Aktifkan keamanan tingkat lanjut</string>
-    <string name="settings_enable_enhanced_security_summary">Aktifkan kebijakan keamanan yang lebih ketat.</string>
     <string name="settings_mode_default">Bawaan</string>
     <string name="settings_mode_temp_enable">Aktifkan sementara</string>
     <string name="settings_mode_always_enable">Aktifkan permanen</string>

diff --git a/manager/app/src/main/res/values-ja/strings.xml b/manager/app/src/main/res/values-ja/strings.xml
@@ -136,8 +136,6 @@
     <string name="install_only_support_ko_file">.koファイルのみサポートされています</string>
     <string name="settings_disable_kernel_umount">カーネルのアンマウントを無効にする</string>
     <string name="settings_disable_kernel_umount_summary">KernelSU によって制御されるカーネルレベルのアンマウント動作を無効にします。</string>
-    <string name="settings_enable_enhanced_security">強化されたセキュリティを有効にする</string>
-    <string name="settings_enable_enhanced_security_summary">より厳格なセキュリティ ポリシーを有効にします。</string>
     <string name="settings_mode_default">デフォルト</string>
     <string name="settings_mode_temp_enable">一時的に有効にする</string>
     <string name="settings_mode_always_enable">永続的に有効にする</string>

diff --git a/manager/app/src/main/res/values-ko/strings.xml b/manager/app/src/main/res/values-ko/strings.xml
@@ -133,8 +133,6 @@
     <string name="settings_disable_su_summary">su 명령어로 아무 앱이 루트 권한을 획득하는 것을 비활성화합니다 (이미 존재하는 루트 프로세스는 영향을 받지 않음).</string>
     <string name="settings_disable_kernel_umount">커널 마운트 해제 비활성화</string>
     <string name="settings_disable_kernel_umount_summary">KernelSU에서 제어하는 커널 수준 마운트 해제 동작을 비활성화합니다.</string>
-    <string name="settings_enable_enhanced_security">향상된 보안 활성화</string>
-    <string name="settings_enable_enhanced_security_summary">더욱 엄격한 보안 규칙을 활성화합니다.</string>
     <string name="settings_mode_default">기본값</string>
     <string name="settings_mode_temp_enable">임시 활성화</string>
     <string name="settings_mode_always_enable">항상 활성화</string>

diff --git a/manager/app/src/main/res/values-nl/strings.xml b/manager/app/src/main/res/values-nl/strings.xml
@@ -136,8 +136,6 @@
     <string name="install_only_support_ko_file">Alleen .ko bestanden worden ondersteund</string>
     <string name="settings_disable_kernel_umount">Kernel umount uitschakelen</string>
     <string name="settings_disable_kernel_umount_summary">Schakel het umount-gedrag op kernelniveau uit dat wordt beheerd door KernelSU.</string>
-    <string name="settings_enable_enhanced_security">Verbeterde beveiliging inschakelen</string>
-    <string name="settings_enable_enhanced_security_summary">Strengere beveiligingsbeleidsmaatregelen inschakelen.</string>
     <string name="settings_mode_default">Standaard</string>
     <string name="settings_mode_temp_enable">Tijdelijk inschakelen</string>
     <string name="settings_mode_always_enable">Permanent inschakelen</string>

diff --git a/manager/app/src/main/res/values-pl/strings.xml b/manager/app/src/main/res/values-pl/strings.xml
@@ -142,8 +142,6 @@
     <string name="refresh_refresh">Odświeżanie…</string>
     <string name="refresh_complete">Odświeżono pomyślnie</string>
     <string name="settings_module_check_update">Sprawdź aktualizację modułów</string>
-    <string name="settings_enable_enhanced_security">Włącz rozszerzone zabezpieczenia</string>
-    <string name="settings_enable_enhanced_security_summary">Włącz bardziej rygorystyczne zasady bezpieczeństwa.</string>
     <string name="settings_mode_default">Domyślnie</string>
     <string name="settings_mode_temp_enable">Włącz tymczasowo</string>
     <string name="settings_mode_always_enable">Włącz na stałe</string>

diff --git a/manager/app/src/main/res/values-ru/strings.xml b/manager/app/src/main/res/values-ru/strings.xml
@@ -143,8 +143,6 @@
     <string name="settings_disable_kernel_umount">Отключить размонтирование ядра</string>
     <string name="install_upload_lkm_file">Использовать локальный LKM файл</string>
     <string name="install_only_support_ko_file">Поддерживаются только .ko файлы</string>
-    <string name="settings_enable_enhanced_security">Включить повышенную безопасность</string>
-    <string name="settings_enable_enhanced_security_summary">Включить более строгие политики безопасности.</string>
     <string name="settings_mode_default">По умолчанию</string>
     <string name="settings_mode_temp_enable">Включить временно</string>
     <string name="settings_mode_always_enable">Включить постоянно</string>

diff --git a/manager/app/src/main/res/values-th/strings.xml b/manager/app/src/main/res/values-th/strings.xml
@@ -135,8 +135,6 @@
     <string name="install_only_support_ko_file">รองรับเฉพาะไฟล์ .ko เท่านั้น</string>
     <string name="settings_disable_kernel_umount">ปิดใช้งานการ umount เคอร์เนล</string>
     <string name="settings_disable_kernel_umount_summary">ปิดใช้งานพฤติกรรมการ umount ในระดับเคอร์เนลที่ถูกควบคุมโดย KernelSU</string>
-    <string name="settings_enable_enhanced_security">เปิดใช้งานการรักษาความปลอดภัยขั้นสูง</string>
-    <string name="settings_enable_enhanced_security_summary">เปิดใช้งานนโยบายความปลอดภัยที่เข้มงวดยิ่งขึ้น</string>
     <string name="settings_mode_default">ค่าเริ่มต้น</string>
     <string name="settings_mode_temp_enable">เปิดใช้งานชั่วคราว</string>
     <string name="settings_mode_always_enable">เปิดใช้งานถาวร</string>

diff --git a/manager/app/src/main/res/values-uk/strings.xml b/manager/app/src/main/res/values-uk/strings.xml
@@ -136,8 +136,6 @@
     <string name="install_only_support_ko_file">Підтримуються лише файли .ko</string>
     <string name="settings_disable_kernel_umount">Вимкнути розмонтування ядра</string>
     <string name="settings_disable_kernel_umount_summary">Вимкнути поведінку розмонтування на рівні ядра, контрольовану KernelSU.</string>
-    <string name="settings_enable_enhanced_security">Увімкнути посилену безпеку</string>
-    <string name="settings_enable_enhanced_security_summary">Увімкніть суворіші політики безпеки.</string>
     <string name="settings_mode_default">За замовчуванням</string>
     <string name="settings_mode_temp_enable">Тимчасово ввімкнути</string>
     <string name="settings_mode_always_enable">Увімкнути назавжди</string>