kernel: kp_ksud: restore kprobes for early-boot and used-once hooks

since kprobes offer dynamic hooking and shit, this is going to be better
on something that we only need temporarily.

this still keeps whole sucompat onto manual hooks as those are performance
sensitive, needed to be permanent and "timeable".

as for these hooks that got hooked here they are only used either only at
boot or on some, used only once.

symbols hooked:

security_bprm_check
- this thing is only needed at boot, so we might as well put this dynamic
  this is needed for _ksud exec decision making and 32-on-64 detection.

vfs_read
- needed only at boot for read proxy-ing atrace.rc

input_event
- needed only up to like boot_complete, for 3-button-press safemode feature

security_key_permission
- needed for a keygrab on allowlist workaround for kernels below 4.10 and some

sys_execve *
- a substitute for security_bprm_check. this is deadcoded here, kept for reference
purposes.
--

for handling registration of those "LSM-hooks-being kprobed", we register once preempt
is suspended.

as for unregistration, we defer this once boot is completed and then have a kthread
unregister everything.

credits: some of these are just straight up copied from upstream.

Tests:
ximi mi a2 lite, arm64, Linux 4.9
samsung galaxy s3, arm, Linux 3.0
#26

Signed-off-by: backslashxx <[email protected]>

Author: backslashxx

kernel/Kconfig

@@ -6,6 +6,16 @@ config KSU
 	help
 	  Enable kernel-level root privileges on Android System.
 
+config CONFIG_KSU_DYNAMIC_BOOT_HOOKS
+	bool "Enable dynamic kprobes for early boot"
+	depends on KPROBES
+	depends on KALLSYMS
+	default y
+	help
+	  Use dynamic hooks via kprobes for functions needed only
+	  on early boot. Hooks are unregistered at boot complete
+	  to reduce overhead.
+
 config KSU_DEBUG
 	bool "KernelSU debug mode"
 	depends on KSU

kernel/Makefile

@@ -8,6 +8,10 @@ kernelsu-objs += ksud.o
 kernelsu-objs += embed_ksud.o
 kernelsu-objs += kernel_compat.o
 
+ifeq ($(CONFIG_KSU_DYNAMIC_BOOT_HOOKS),y)
+kernelsu-objs += kp_ksud.o
+endif
+
 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
 kernelsu-objs += selinux/rules.o

kernel/arch.h

@@ -0,0 +1,106 @@
+#ifndef __KSU_H_ARCH
+#define __KSU_H_ARCH
+
+#include <linux/version.h>
+
+#if defined(__aarch64__)
+
+#define __PT_PARM1_REG regs[0]
+#define __PT_PARM2_REG regs[1]
+#define __PT_PARM3_REG regs[2]
+#define __PT_SYSCALL_PARM4_REG regs[3]
+#define __PT_CCALL_PARM4_REG regs[3]
+#define __PT_PARM5_REG regs[4]
+#define __PT_PARM6_REG regs[5]
+#define __PT_RET_REG regs[30]
+#define __PT_FP_REG regs[29] /* Works only with CONFIG_FRAME_POINTER */
+#define __PT_RC_REG regs[0]
+#define __PT_SP_REG sp
+#define __PT_IP_REG pc
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+#define SYS_EXECVE_SYMBOL "__arm64_sys_execve"
+#else
+#define SYS_EXECVE_SYMBOL "sys_execve"
+#endif
+
+#elif defined(__arm__)
+
+// https://elixir.bootlin.com/linux/v6.17-rc6/source/tools/lib/bpf/bpf_tracing.h
+#define __PT_PARM1_REG uregs[0]
+#define __PT_PARM2_REG uregs[1]
+#define __PT_PARM3_REG uregs[2]
+#define __PT_PARM4_REG uregs[3]
+
+// seems to work atleast on 3.0 on samsung galaxy s3
+// nfi what im doing
+#define __PT_SYSCALL_PARM4_REG uregs[3] 
+#define __PT_CCALL_PARM4_REG uregs[3]
+
+#define __PT_PARM1_SYSCALL_REG __PT_PARM1_REG
+#define __PT_PARM2_SYSCALL_REG __PT_PARM2_REG
+#define __PT_PARM3_SYSCALL_REG __PT_PARM3_REG
+#define __PT_PARM4_SYSCALL_REG __PT_PARM4_REG
+#define __PT_PARM5_SYSCALL_REG uregs[4]
+#define __PT_PARM6_SYSCALL_REG uregs[5]
+#define __PT_PARM7_SYSCALL_REG uregs[6]
+
+#define __PT_RET_REG uregs[14]
+#define __PT_FP_REG uregs[11]	/* Works only with CONFIG_FRAME_POINTER */
+#define __PT_RC_REG uregs[0]
+#define __PT_SP_REG uregs[13]
+#define __PT_IP_REG uregs[12]
+
+#define SYS_EXECVE_SYMBOL "sys_execve"
+
+#elif defined(__x86_64__)
+
+#define __PT_PARM1_REG di
+#define __PT_PARM2_REG si
+#define __PT_PARM3_REG dx
+/* syscall uses r10 for PARM4 */
+#define __PT_SYSCALL_PARM4_REG r10
+#define __PT_CCALL_PARM4_REG cx
+#define __PT_PARM5_REG r8
+#define __PT_PARM6_REG r9
+#define __PT_RET_REG sp
+#define __PT_FP_REG bp
+#define __PT_RC_REG ax
+#define __PT_SP_REG sp
+#define __PT_IP_REG ip
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+#define SYS_EXECVE_SYMBOL "__x64_sys_execve"
+#else
+#define SYS_EXECVE_SYMBOL "sys_execve"
+#endif
+
+#else
+#error "Unsupported arch"
+#endif
+
+/* allow some architecutres to override `struct pt_regs` */
+#ifndef __PT_REGS_CAST
+#define __PT_REGS_CAST(x) (x)
+#endif
+
+#define PT_REGS_PARM1(x) (__PT_REGS_CAST(x)->__PT_PARM1_REG)
+#define PT_REGS_PARM2(x) (__PT_REGS_CAST(x)->__PT_PARM2_REG)
+#define PT_REGS_PARM3(x) (__PT_REGS_CAST(x)->__PT_PARM3_REG)
+#define PT_REGS_SYSCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_SYSCALL_PARM4_REG)
+#define PT_REGS_CCALL_PARM4(x) (__PT_REGS_CAST(x)->__PT_CCALL_PARM4_REG)
+#define PT_REGS_PARM5(x) (__PT_REGS_CAST(x)->__PT_PARM5_REG)
+#define PT_REGS_PARM6(x) (__PT_REGS_CAST(x)->__PT_PARM6_REG)
+#define PT_REGS_RET(x) (__PT_REGS_CAST(x)->__PT_RET_REG)
+#define PT_REGS_FP(x) (__PT_REGS_CAST(x)->__PT_FP_REG)
+#define PT_REGS_RC(x) (__PT_REGS_CAST(x)->__PT_RC_REG)
+#define PT_REGS_SP(x) (__PT_REGS_CAST(x)->__PT_SP_REG)
+#define PT_REGS_IP(x) (__PT_REGS_CAST(x)->__PT_IP_REG)
+
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 16, 0)
+#define PT_REAL_REGS(regs) ((struct pt_regs *)PT_REGS_PARM1(regs))
+#else
+#define PT_REAL_REGS(regs) ((regs))
+#endif
+
+#endif

kernel/core_hook.c

@@ -51,6 +51,12 @@ static bool ksu_su_compat_enabled = true;
 extern void ksu_sucompat_init();
 extern void ksu_sucompat_exit();
 
+#ifdef CONFIG_KSU_DYNAMIC_BOOT_HOOKS
+extern void unregister_kprobe_thread();
+#else
+void unregister_kprobe_thread() {}
+#endif
+
 static inline bool is_allow_su()
 {
 	if (is_manager()) {
@@ -417,6 +423,7 @@ LSM_HANDLER_TYPE ksu_handle_prctl(int option, unsigned long arg2, unsigned long
 			if (!boot_complete_lock) {
 				boot_complete_lock = true;
 				pr_info("boot_complete triggered\n");
+				unregister_kprobe_thread();
 			}
 			break;
 		}
@@ -749,7 +756,7 @@ LSM_HANDLER_TYPE ksu_inode_permission(struct inode *inode, int mask)
 bool ksu_is_compat __read_mostly = false;
 #endif
 
-LSM_HANDLER_TYPE ksu_bprm_check(struct linux_binprm *bprm)
+int ksu_bprm_check(struct linux_binprm *bprm)
 {
 	char *filename = (char *)bprm->filename;
 
@@ -786,7 +793,7 @@ LSM_HANDLER_TYPE ksu_bprm_check(struct linux_binprm *bprm)
 
 // kernel 4.9 and older
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
-LSM_HANDLER_TYPE ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
+int ksu_key_permission(key_ref_t key_ref, const struct cred *cred,
 			      unsigned perm)
 {
 	if (init_session_keyring != NULL) {
@@ -827,10 +834,12 @@ static struct security_hook_list ksu_hooks[] = {
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),
 	LSM_HOOK_INIT(inode_permission, ksu_inode_permission),
+#ifndef CONFIG_KSU_DYNAMIC_BOOT_HOOKS
 	LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0) || defined(CONFIG_KSU_ALLOWLIST_WORKAROUND)
 	LSM_HOOK_INIT(key_permission, ksu_key_permission)
 #endif
+#endif // CONFIG_KSU_DYNAMIC_BOOT_HOOKS
 };
 
 void __init ksu_lsm_hook_init(void)