kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653)

This migrates ksud execution decision-making to bprm_check_security.
This requires passing proper argv and envp to a modified _ksud handler
aptly named 'ksu_handle_bprm_ksud'.

Introduces:
int ksu_handle_bprm_ksud(const char *filename, const char *argv1,
			const char *envp, size_t envp_len)

which is adapted from:
int ksu_handle_execveat_ksud(int *fd, struct filename **filename_ptr,
			     struct user_arg_ptr *argv,
			     struct user_arg_ptr *envp,
			     int *flags)

ksu_handle_bprm_ksud handles all the decision making, it decides when it is
time to apply_kernelsu_rules depending if it sees "second_stage".

For LSM hook, turns out we can pull out argv and envp from mm_struct.
The code in here explains itself on how to do it.

whole blob exists on arg_start to arg_end, so we just pull it out and grab next
array after the first null terminator.

as for envp, we pass the pointer then hunt for it when needed

My reasoning on adding a fallback on usercopy is that on some devices a fault
happens, and it copies garbled data. On my creation of this, I actually had to lock
that _nofault copy on a spinlock as a way to mimic preempt_disable/enable without
actually doing it. As per user reports, no failed _nofault copies anyway but we
have-to-have a fallback for resilience.

References:
- old version1 6efcd81
- old version2 37d5938
- bad usercopy #21

This now provides a small helper function, ksu_copy_from_user_retry, which explains
itself. First we attempt a _nofault copy, if that fails, we try plain.

While using strncpy_from_user_nofault was considered, this wont do, this will
only copy up to the first \0.

devlog:
ximi-libra-test/android_kernel_xiaomi_libra@16e5dce...16c1f5f
ximi-mojito-test/mojito_krenol@28642e6...728de0c

References:
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/mm_types.h#L429
https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/lsm_hooks.h

Stale: tiann#2653

Signed-off-by: backslashxx <[email protected]>

Author: backslashxx

kernel/core_hook.c

@@ -5,6 +5,7 @@
 #include <linux/init.h>
 #include <linux/init_task.h>
 #include <linux/kernel.h>
+#include <linux/binfmts.h>
 #include <linux/lsm_hooks.h>
 #include <linux/nsproxy.h>
 #include <linux/path.h>
@@ -691,6 +692,19 @@ int ksu_inode_permission(struct inode *inode, int mask)
 	return 0;
 }
 
+int ksu_bprm_check(struct linux_binprm *bprm)
+{
+	char *filename = (char *)bprm->filename;
+	
+	if (likely(!ksu_execveat_hook))
+		return 0;
+
+	ksu_handle_pre_ksud(filename);
+
+	return 0;
+
+}
+
 static int ksu_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 			  unsigned long arg4, unsigned long arg5)
 {
@@ -728,6 +742,7 @@ static int ksu_task_fix_setuid(struct cred *new, const struct cred *old,
 }
 
 static struct security_hook_list ksu_hooks[] = {
+	LSM_HOOK_INIT(bprm_check_security, ksu_bprm_check),
 	LSM_HOOK_INIT(task_prctl, ksu_task_prctl),
 	LSM_HOOK_INIT(inode_rename, ksu_inode_rename),
 	LSM_HOOK_INIT(task_fix_setuid, ksu_task_fix_setuid),

kernel/kernel_compat.c

@@ -88,7 +88,9 @@ struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
 	// switch mnt_ns even if current is not wq_worker, to ensure what we open is the correct file in android mnt_ns, rather than user created mnt_ns
 	struct ksu_ns_fs_saved saved;
 	if (android_context_saved_enabled) {
+#ifdef CONFIG_KSU_DEBUG
 		pr_info("start switch current nsproxy and fs to android context\n");
+#endif
 		task_lock(current);
 		ksu_save_ns_fs(&saved);
 		ksu_load_ns_fs(&android_context_saved);
@@ -99,7 +101,9 @@ struct file *ksu_filp_open_compat(const char *filename, int flags, umode_t mode)
 		task_lock(current);
 		ksu_load_ns_fs(&saved);
 		task_unlock(current);
+#ifdef CONFIG_KSU_DEBUG
 		pr_info("switch current nsproxy and fs back to saved successfully\n");
+#endif
 	}
 	return fp;
 }
@@ -181,3 +185,27 @@ int ksu_access_ok(const void *addr, unsigned long size)
 	return access_ok(VERIFY_READ, addr, size);
 #endif
 }
+
+long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size)
+{
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
+	return copy_from_user_nofault(dst, src, size);
+#else
+	// https://elixir.bootlin.com/linux/v5.8/source/mm/maccess.c#L205
+	long ret = -EFAULT;
+	mm_segment_t old_fs = get_fs();
+
+	set_fs(USER_DS);
+	// tweaked to use ksu_access_ok
+	if (ksu_access_ok(src, size)) {
+		pagefault_disable();
+		ret = __copy_from_user_inatomic(dst, src, size);
+		pagefault_enable();
+	}
+	set_fs(old_fs);
+
+	if (ret)
+		return -EFAULT;
+	return 0;
+#endif
+}

kernel/kernel_compat.h

@@ -23,5 +23,23 @@ extern ssize_t ksu_kernel_write_compat(struct file *p, const void *buf,
 				       size_t count, loff_t *pos);
 
 extern int ksu_access_ok(const void *addr, unsigned long size);
+extern long ksu_copy_from_user_nofault(void *dst, const void __user *src, size_t size);
+
+/*
+ * ksu_copy_from_user_retry
+ * try nofault copy first, if it fails, try with plain
+ * paramters are the same as copy_from_user
+ * 0 = success
+ */
+static long ksu_copy_from_user_retry(void *to, 
+		const void __user *from, unsigned long count)
+{
+	long ret = ksu_copy_from_user_nofault(to, from, count);
+	if (likely(!ret))
+		return ret;
+
+	// we faulted! fallback to slow path
+	return copy_from_user(to, from, count);
+}
 
 #endif

kernel/ksud.c

@@ -23,6 +23,7 @@
 #else
 #include <linux/sched.h> /* fatal_signal_pending */
 #endif
+#include <linux/slab.h>
 
 #include "allowlist.h"
 #include "klog.h" // IWYU pragma: keep
@@ -154,6 +155,154 @@ static int __maybe_unused count(struct user_arg_ptr argv, int max)
 	return i;
 }
 
+// since _ksud handler only uses argv and envp for comparisons
+// this can probably work
+// adapted from ksu_handle_execveat_ksud
+static int ksu_handle_bprm_ksud(const char *filename, const char *argv1, const char *envp, size_t envp_len)
+{
+	static const char app_process[] = "/system/bin/app_process";
+	static bool first_app_process = true;
+
+	/* This applies to versions Android 10+ */
+	static const char system_bin_init[] = "/system/bin/init";
+	/* This applies to versions between Android 6 ~ 9  */
+	static const char old_system_init[] = "/init";
+	static bool init_second_stage_executed = false;
+
+	// return early when disabled
+	if (!ksu_execveat_hook)
+		return 0;
+
+	if (!filename)
+		return 0;
+
+
+	// debug! remove me!
+	pr_info("%s: filename: %s argv1: %s envp_len: %zu\n", __func__, filename, argv1, envp_len);
+
+	if (init_second_stage_executed)
+		goto first_app_process;
+
+	// /system/bin/init with argv1
+	if (!init_second_stage_executed 
+		&& (!memcmp(filename, system_bin_init, sizeof(system_bin_init) - 1))) {
+		if (argv1 && !strcmp(argv1, "second_stage")) {
+			pr_info("%s: /system/bin/init second_stage executed\n", __func__);
+			apply_kernelsu_rules();
+			init_second_stage_executed = true;
+			ksu_android_ns_fs_check();
+		}
+	}
+
+	// /init with argv1
+	if (!init_second_stage_executed 
+		&& (!memcmp(filename, old_system_init, sizeof(old_system_init) - 1))) {
+		if (argv1 && !strcmp(argv1, "--second-stage")) {
+			pr_info("%s: /init --second-stage executed\n", __func__);
+			apply_kernelsu_rules();
+			init_second_stage_executed = true;
+			ksu_android_ns_fs_check();
+		}
+	}
+
+	// /init without argv1/useless-argv1 but usable envp
+	// untested! TODO: test and debug me!
+	if (!init_second_stage_executed && (!memcmp(filename, old_system_init, sizeof(old_system_init) - 1))) {
+		
+		// we hunt for "INIT_SECOND_STAGE"
+		const char *envp_n = envp;
+		unsigned int envc = 1;
+		do {
+			if (strstarts(envp_n, "INIT_SECOND_STAGE"))
+				break;
+			envp_n += strlen(envp_n) + 1;
+			envc++;
+		} while (envp_n < envp + envp_len);
+		pr_info("%s: envp[%d]: %s\n", __func__, envc, envp_n);
+		
+		if (!strcmp(envp_n, "INIT_SECOND_STAGE=1")
+			|| !strcmp(envp_n, "INIT_SECOND_STAGE=true") ) {
+			pr_info("%s: /init +envp: INIT_SECOND_STAGE executed\n", __func__);
+			apply_kernelsu_rules();
+			init_second_stage_executed = true;
+			ksu_android_ns_fs_check();
+		}
+	}
+
+first_app_process:
+	if (first_app_process && !memcmp(filename, app_process, sizeof(app_process) - 1)) {
+		first_app_process = false;
+		pr_info("%s: exec app_process, /data prepared, second_stage: %d\n", __func__, init_second_stage_executed);
+		on_post_fs_data();
+		stop_execve_hook();
+	}
+
+	return 0;
+}
+
+int ksu_handle_pre_ksud(const char *filename)
+{
+	if (likely(!ksu_execveat_hook))
+		return 0;
+
+	// not /system/bin/init, not /init, not /system/bin/app_process (64/32 thingy)
+	// return 0;
+	if (likely(strcmp(filename, "/system/bin/init") && strcmp(filename, "/init")
+		&& !strstarts(filename, "/system/bin/app_process") ))
+		return 0;
+
+	if (!current || !current->mm)
+		return 0;
+
+	// https://elixir.bootlin.com/linux/v4.14.1/source/include/linux/mm_types.h#L429
+	// unsigned long arg_start, arg_end, env_start, env_end;
+	unsigned long arg_start = current->mm->arg_start;
+	unsigned long arg_end = current->mm->arg_end;
+	unsigned long env_start = current->mm->env_start;
+	unsigned long env_end = current->mm->env_end;
+
+	size_t arg_len = arg_end - arg_start;
+	size_t envp_len = env_end - env_start;
+
+	if (arg_len <= 0 || envp_len <= 0) // this wont make sense, filter it
+		return 0;
+
+	#define ARGV_MAX 32  // this is enough for argv1
+	#define ENVP_MAX 256  // this is enough for INIT_SECOND_STAGE
+	char args[ARGV_MAX];
+	size_t argv_copy_len = (arg_len > ARGV_MAX) ? ARGV_MAX : arg_len;
+	char envp[ENVP_MAX];
+	size_t envp_copy_len = (envp_len > ENVP_MAX) ? ENVP_MAX : envp_len;
+
+	// we cant use strncpy on here, else it will truncate once it sees \0
+	if (ksu_copy_from_user_retry(args, (void __user *)arg_start, argv_copy_len))
+		return 0;
+
+	if (ksu_copy_from_user_retry(envp, (void __user *)env_start, envp_copy_len))
+		return 0;
+
+	args[ARGV_MAX - 1] = '\0';
+	envp[ENVP_MAX - 1] = '\0';
+
+#ifdef CONFIG_KSU_DEBUG
+	char *envp_n = envp;
+	unsigned int envc = 1;
+	do {
+		pr_info("%s: envp[%d]: %s\n", __func__, envc, envp_n);
+		envp_n += strlen(envp_n) + 1;
+		envc++;
+	} while (envp_n < envp + envp_copy_len);
+#endif
+
+	// we only need argv1 !
+	// abuse strlen here since it only gets length up to \0
+	char *argv1 = args + strlen(args) + 1;
+	if (argv1 >= args + argv_copy_len) // out of bounds!
+		argv1 = "";
+
+	return ksu_handle_bprm_ksud(filename, argv1, envp, envp_copy_len);
+}
+
 // IMPORTANT NOTE: the call from execve_handler_pre WON'T provided correct value for envp and flags in GKI version
 static int __ksu_handle_execveat_ksud(int *fd, char *filename,
 			     struct user_arg_ptr *argv,

kernel/ksud.h

@@ -11,4 +11,7 @@ bool ksu_is_safe_mode(void);
 
 extern u32 ksu_devpts_sid;
 
+extern bool ksu_execveat_hook __read_mostly;
+extern int ksu_handle_pre_ksud(const char *filename);
+
 #endif