kernel: backport support for sucompat disable/enable

I have no idea if this is needed or any useful for manual fs hooks users.
Upstream, this is likely to, well, simply disable hooking of those functions,
to remove and mitigate timing issues as some detection methods can actually
differentiate these.

This is done like how vfs_read_hook, input_hook and execve_hook is disabled.
While this is not exactly the same thing, this *CAN* achieve the same results.
The complete disabling of all KernelSU hooks.

While this is probably not so useful for us, honestly, I have no idea for shit
what I am doing, but lets still port it for the sake of feature parity.

adapted from upstream:
	kernel: add support for disable sucompat - tiann@2096bd7
	kernel: Allow to re-enable sucompat - tiann@4593ae8

Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>

Author: tiann

kernel/core_hook.c

@@ -33,6 +33,10 @@ static bool ksu_module_mounted = false;
 
 extern int handle_sepolicy(unsigned long arg3, void __user *arg4);
 
+static bool ksu_su_compat_enabled = true;
+extern void ksu_sucompat_init();
+extern void ksu_sucompat_exit();
+
 static inline bool is_allow_su()
 {
 	if (is_manager()) {
@@ -284,8 +288,9 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		if (copy_to_user(arg3, &version, sizeof(version))) {
 			pr_err("prctl reply error, cmd: %lu\n", arg2);
 		}
-		u32 is_lkm = 0x0;
-		if (arg4 && copy_to_user(arg4, &is_lkm, sizeof(is_lkm))) {
+		u32 version_flags = 0;
+		version_flags |= 0x0;
+		if (arg4 && copy_to_user(arg4, &version_flags, sizeof(version_flags))) {
 			pr_err("prctl reply error, cmd: %lu\n", arg2);
 		}
 		return 0;
@@ -432,6 +437,34 @@ int ksu_handle_prctl(int option, unsigned long arg2, unsigned long arg3,
 		return 0;
 	}
 
+	if (arg2 == CMD_IS_SU_ENABLED) {
+		if (copy_to_user(arg3, &ksu_su_compat_enabled,
+				 sizeof(ksu_su_compat_enabled))) {
+			pr_err("copy su compat failed\n");
+			return 0;
+		}
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
+	if (arg2 == CMD_ENABLE_SU) {
+		bool enabled = (arg3 != 0);
+		if (enabled == ksu_su_compat_enabled) {
+			pr_info("cmd enable su but no need to change.\n");
+			return 0;
+		}
+		if (enabled) {
+			ksu_sucompat_init();
+		} else {
+			ksu_sucompat_exit();
+		}
+		ksu_su_compat_enabled = enabled;
+		if (copy_to_user(result, &reply_ok, sizeof(reply_ok))) {
+			pr_err("prctl reply error, cmd: %lu\n", arg2);
+		}
+		return 0;
+	}
 	return 0;
 }
 

kernel/ksu.h

@@ -21,6 +21,8 @@
 #define CMD_SET_APP_PROFILE 11
 #define CMD_UID_GRANTED_ROOT 12
 #define CMD_UID_SHOULD_UMOUNT 13
+#define CMD_IS_SU_ENABLED 14
+#define CMD_ENABLE_SU 15
 
 #define EVENT_POST_FS_DATA 1
 #define EVENT_BOOT_COMPLETED 2

kernel/sucompat.c

@@ -25,6 +25,12 @@
 
 extern void escape_to_root();
 
+bool ksu_faccessat_hook __read_mostly = true;
+bool ksu_stat_hook __read_mostly = true;
+bool ksu_execve_sucompat_hook __read_mostly = true;
+bool ksu_execveat_sucompat_hook __read_mostly = true;
+bool ksu_devpts_hook __read_mostly = true;
+
 static void __user *userspace_stack_buffer(const void *d, size_t len)
 {
 	/* To avoid having to mmap a page in userspace, just write below the stack
@@ -51,8 +57,13 @@ static char __user *ksud_user_path(void)
 int ksu_handle_faccessat(int *dfd, const char __user **filename_user, int *mode,
 			 int *__unused_flags)
 {
+	
 	const char su[] = SU_PATH;
 
+	if (!ksu_faccessat_hook) {
+		return 0;
+	}
+	
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
@@ -74,6 +85,10 @@ int ksu_handle_stat(int *dfd, const char __user **filename_user, int *flags)
 	// const char sh[] = SH_PATH;
 	const char su[] = SU_PATH;
 
+	if (!ksu_stat_hook) {
+		return 0;
+	}
+	
 	if (!ksu_is_allow_uid(current_uid().val)) {
 		return 0;
 	}
@@ -118,6 +133,10 @@ int ksu_handle_execveat_sucompat(int *fd, struct filename **filename_ptr,
 	const char sh[] = KSUD_PATH;
 	const char su[] = SU_PATH;
 
+	if (!ksu_execveat_sucompat_hook){
+		return 0;
+	}
+	
 	if (unlikely(!filename_ptr))
 		return 0;
 
@@ -147,6 +166,10 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
 	const char su[] = SU_PATH;
 	char path[sizeof(su) + 1];
 
+	if (!ksu_execve_sucompat_hook){
+		return 0;
+	}
+	
 	if (unlikely(!filename_user))
 		return 0;
 
@@ -169,6 +192,10 @@ int ksu_handle_execve_sucompat(int *fd, const char __user **filename_user,
 
 int ksu_handle_devpts(struct inode *inode)
 {
+	if (!ksu_devpts_hook) {
+		return 0;
+	}
+	
 	if (!current->mm) {
 		return 0;
 	}
@@ -196,3 +223,24 @@ int ksu_handle_devpts(struct inode *inode)
 
 	return 0;
 }
+
+void ksu_sucompat_init()
+{
+	ksu_faccessat_hook = true;
+	ksu_stat_hook = true;
+	ksu_execve_sucompat_hook = true;
+	ksu_execveat_sucompat_hook = true;
+	ksu_devpts_hook = true;
+	pr_info("ksu_sucompat_init: hooks enabled: execve/execveat_su, faccessat, stat, devpts\n");
+}
+
+void ksu_sucompat_exit()
+{
+	ksu_faccessat_hook = false;
+	ksu_stat_hook = false;
+	ksu_execve_sucompat_hook = false;
+	ksu_execveat_sucompat_hook = false;
+	ksu_devpts_hook = false;
+	pr_info("ksu_sucompat_exit: hooks disabled: execve/execveat_su, faccessat, stat, devpts\n");
+
+}