kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat

This introduces a kretprobe on getname_flags that improves the stealth
and reliability of sucompat feature.

Changes:
- CONFIG_KSU_KRETPROBES_SUCOMPAT option to enable this hooking method
- Hooks getname_flags() via kretprobe to intercept and modify filename->name
  on the return
- prevent timing-based detections since it avoids individual syscall hijacking
  (newfstat vs newfstatat timing detections)
- prevents doing usercopies, which in turn increases reliability on pagefaulty moments

This allows sucompat to operate against anti-root detection techniques known as
- Delayed syscall - KSU (ND)
- sucompat SCA (Discolusre)
- Abnormal Environment (NT)

This is still very experimental, so default n, but yeah, it works.

Related:
- #5 (comment)

Signed-off-by: backslashxx <[email protected]>

Author: backslashxx

kernel/Kconfig

@@ -16,6 +16,15 @@ config KSU_KPROBES_KSUD
 	  on early boot. Hooks are unregistered at boot complete
 	  to reduce overhead.
 
+config KSU_KRETPROBES_SUCOMPAT
+	bool "EXPERIMENTAL: kretprobes for sucompat"
+	depends on KRETPROBES
+	default n
+	help
+	  EXPERIMENTAL: Use kretprobes for hooking getname_flags, mainly for
+	  sucompat. This method will hijack all fs-related syscalls, but
+	  thwarts timing based detections.
+
 config KSU_DEBUG
 	bool "KernelSU debug mode"
 	depends on KSU

kernel/Makefile

@@ -16,6 +16,10 @@ ifeq ($(CONFIG_KSU_KPROBES_KSUD),y)
 kernelsu-objs += kp_ksud.o
 endif
 
+ifeq ($(CONFIG_KSU_KRETPROBES_SUCOMPAT),y)
+kernelsu-objs += rp_sucompat.o
+endif
+
 kernelsu-objs += selinux/selinux.o
 kernelsu-objs += selinux/sepolicy.o
 kernelsu-objs += selinux/rules.o

kernel/rp_sucompat.c

@@ -0,0 +1,107 @@
+#include <linux/version.h>
+#include <linux/kprobes.h>
+#include <linux/printk.h>
+#include <linux/types.h>
+#include <linux/uaccess.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/namei.h>
+
+#include "arch.h"
+#include "klog.h"
+#include "ksud.h"
+#include "kernel_compat.h"
+
+static DEFINE_MUTEX(ksu_rp_sucompat_lock);
+
+// struct filename *getname_flags(const char __user *filename, int flags, int *empty)
+// https://elixir.bootlin.com/linux/v4.9.337/source/samples/kprobes/kretprobe_example.c
+
+extern int ksu_getname_flags_kernel(char **kname, int flags);
+
+struct kretprobe *getname_rp;
+
+static int getname_flags_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	int *flags = (int *)ri->data;
+
+	struct filename *ret = (struct filename *)PT_REGS_RC(regs);
+	if (IS_ERR(ret) || !ret || !ret->name)
+		return 0;
+
+	ksu_getname_flags_kernel((char **)&ret->name, *flags);
+	return 0;
+}
+
+static int getname_flags_entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	int *flags = (int *)ri->data; // as per sample, we store everything on ri->data ?
+	*flags = (int)PT_REGS_PARM2(regs); // keep a copy of arg2
+
+	return 0;
+}
+
+#if 0
+static struct kretprobe getname_kretprobe = {
+	.kp.symbol_name = "getname_flags",
+	.entry_handler = getname_flags_entry_handler,
+	.handler = getname_flags_ret_handler,
+	.data_size = sizeof(int),
+	.maxactive = 20,
+};
+#endif
+
+// kanged from upstrteam
+// this method allows high volume register/unregister
+static struct kretprobe *init_kretprobe(const char *symbol,
+					kretprobe_handler_t entry_handler,
+					kretprobe_handler_t ret_handler,
+					size_t data_size,
+					int maxactive)
+{
+	struct kretprobe *rp = kzalloc(sizeof(struct kretprobe), GFP_KERNEL);
+	if (!rp)
+		return NULL;
+
+	rp->kp.symbol_name = symbol;
+	rp->entry_handler = entry_handler;
+	rp->handler = ret_handler;
+	rp->data_size = data_size;
+	rp->maxactive = maxactive;
+
+	mutex_lock(&ksu_rp_sucompat_lock);
+	int ret = register_kretprobe(rp);
+	mutex_unlock(&ksu_rp_sucompat_lock);
+	if (ret) {
+		kfree(rp);
+		return NULL;
+	}
+	pr_info("rp_sucompat: planted kretprobe at %s: %p\n", rp->kp.symbol_name, rp->kp.addr);
+
+	return rp;
+}
+
+static void destroy_kretprobe(struct kretprobe **rp_ptr)
+{
+	if (!rp_ptr || !*rp_ptr)
+		return;
+
+	mutex_lock(&ksu_rp_sucompat_lock);
+	unregister_kretprobe(*rp_ptr);
+	mutex_unlock(&ksu_rp_sucompat_lock);
+	kfree(*rp_ptr);
+	*rp_ptr = NULL;
+}
+
+void rp_sucompat_exit()
+{
+	pr_info("rp_sucompat: unregister getname_flags!\n");
+	destroy_kretprobe(&getname_rp);
+}
+
+void rp_sucompat_init()
+{
+	pr_info("%s: register getname_flags!\n", __func__);
+	getname_rp = init_kretprobe("getname_flags", getname_flags_entry_handler,
+			getname_flags_ret_handler, sizeof(int), 20);
+}

kernel/sucompat.c

@@ -254,14 +254,25 @@ int ksu_getname_flags_kernel(char **kname, int flags)
 	return ksu_sucompat_kernel_common((void *)*kname, "getname_flags", !!!flags);
 }
 
+#ifdef CONFIG_KSU_KRETPROBES_SUCOMPAT
+extern void rp_sucompat_exit();
+extern void rp_sucompat_init();
+#endif
+
 void ksu_sucompat_enable()
 {
+#ifdef CONFIG_KSU_KRETPROBES_SUCOMPAT
+	rp_sucompat_init();
+#endif
 	ksu_sucompat_enabled = true;
 	pr_info("%s: hooks enabled: exec, faccessat, stat\n", __func__);
 }
 
 void ksu_sucompat_disable()
 {
+#ifdef CONFIG_KSU_KRETPROBES_SUCOMPAT
+	rp_sucompat_exit();
+#endif
 	ksu_sucompat_enabled = false;
 	pr_info("%s: hooks disabled: exec, faccessat, stat\n", __func__);
 }