Description
NOTE:
These are optional. Not enabled by default.
This can change anytime. Don't expect long-term support!
SELinux AVC log spoofing
NOTE:
If you can build your own ROM, you can just pick the fix from Hang Wan.
https://android-review.googlesource.com/c/platform/system/logging/+/3725346
This is the actual fix.
If you don't have that and are looking for a kernel-side fix, this is supported.
You can build this repo's driver with proper SELinux AVC log spoofing.
Make sure to build your kernel with:
CONFIG_KSU_EXTRAS=y
If you are on 5.4 and newer and KPROBES work on your kernel, that's all you have to do.
--
However, if your kernel is older than 5.4 or kprobes is disabled, the manual hook below is provided:
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
+#ifdef CONFIG_KSU
+extern int ksu_handle_slow_avc_audit_new(u32 tsid, u16 *tclass);
+#endif
/* This is the slow part of avc audit with big stack footprint */
noinline int slow_avc_audit(struct selinux_state *state,
u32 ssid, u32 tsid, u16 tclass,
u32 requested, u32 audited, u32 denied, int result,
struct common_audit_data *a,
unsigned int flags)
{
struct common_audit_data stack_data;
struct selinux_audit_data sad;
+#ifdef CONFIG_KSU
+ ksu_handle_slow_avc_audit_new(tsid, &tclass);
+ if (!tclass)
+ return 0;
+#endif
if (!a) {
a = &stack_data;
a->type = LSM_AUDIT_DATA_NONE;
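Review bot: In the block added at the top of slow_avc_audit(), the int result of ksu_handle_slow_avc_audit_new() is discarded and the decision to suppress is signalled in-band by the callee zeroing tclass, so `if (!tclass) return 0;` drops the audit record silently and without any comment saying why. Either act on the return value or make the prototype void, and add a one-line comment stating that a zeroed tclass means "do not log this denial". Both added blocks are also guarded by CONFIG_KSU while the text above requires CONFIG_KSU_EXTRAS=y; if the handler is only built with the extras option, guard the hook with that symbol so a CONFIG_KSU-only build still links. The hunk has no @@ header and its context assumes the slow_avc_audit() signature that takes `struct selinux_state *state`, so note which kernel versions it is expected to apply to.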
That's it!
This replaces the following:
https://github.com/aviraxp/ZN-AuditPatch
https://github.com/VD171/AuditPatch
Changes:
- v2 edit: straight up don't log instead of spoofing it.
- kernel/extras: prevent logging for ksu sid instead
- yes this breaks old hook, but this is an optional thing for this repo
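
The build decision described above (CONFIG_KSU_EXTRAS=y, then either kprobes on 5.4 and newer or the manual hook), as an added example that is not part of the original post or the project's code. The function names and result strings are hypothetical, and CONFIG_KPROBES=y in a config only shows that kprobes are compiled in, not that they work on the device.

```shell
#!/bin/sh
# Added example (not project code). Function names and result strings are hypothetical.

# Succeeds if kernel version $1 (e.g. "5.10.43-android12") is 5.4 or newer.
kver_at_least_5_4() {
    ver=${1%%[!0-9.]*}                  # drop suffixes such as "-android12"
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi   # bare major such as "6"
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Prints one of: no-config, missing-extras, kprobes, manual-hook.
ksu_avc_hook_mode() {
    kver=$1
    cfg=$2
    if [ ! -r "$cfg" ]; then
        echo "no-config"
    elif ! grep -q '^CONFIG_KSU_EXTRAS=y$' "$cfg"; then
        echo "missing-extras"            # required on either path
    elif kver_at_least_5_4 "$kver" && grep -q '^CONFIG_KPROBES=y$' "$cfg"; then
        echo "kprobes"                   # nothing else to patch
    else
        echo "manual-hook"               # apply the avc.c hook from the post
    fi
}

# Constructed sample: 4.19 kernel config, extras enabled, kprobes disabled.
demo_cfg=$(mktemp)
printf '%s\n' 'CONFIG_KSU=y' 'CONFIG_KSU_EXTRAS=y' '# CONFIG_KPROBES is not set' > "$demo_cfg"
ksu_avc_hook_mode "4.19.157" "$demo_cfg"
rm -f "$demo_cfg"
```

A version string that cannot be parsed is treated as older than 5.4, so the result falls back to `manual-hook`.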