kernel: extras: base implementation of avc log spoofing

this exposes a new handler int ksu_handle_slow_avc_audit(u32 *tsid)
which will check if su_sid is going to be printed on the audit log.

Usage:
	ksu_handle_slow_avc_audit(&tsid);

on slow_avc_audit() on security/selinux/avc.c
This way, we replace sid right before that struct is created.

This can also be implemented in kprobes which will be on enxt commit.

Signed-off-by: backslashxx <[email protected]>

Author: backslashxx

kernel/Kconfig

@@ -7,6 +7,14 @@ config KSU
 	help
 	  Enable kernel-level root privileges on Android System.
 
+config KSU_EXTRAS
+	bool "Enable custom stuff"
+	depends on KSU
+	default n
+	help
+	  Custom extensions. Experimental.
+	  Currently, only avc log spoofing is implemented.
+
 config KSU_KPROBES_KSUD
 	bool "Enable dynamic kprobes for early boot hooks"
 	depends on KPROBES

kernel/Makefile

@@ -12,6 +12,10 @@ kernelsu-objs += embed_ksud.o
 kernelsu-objs += kernel_compat.o
 kernelsu-objs += file_wrapper.o
 
+ifeq ($(CONFIG_KSU_EXTRAS),y)
+kernelsu-objs += extras.o
+endif
+
 ifeq ($(CONFIG_KSU_KPROBES_KSUD),y)
 kernelsu-objs += kp_ksud.o
 endif

kernel/extras.c

@@ -0,0 +1,66 @@
+#include <linux/security.h>
+#include <linux/atomic.h>
+
+#include "klog.h"
+#include "ksud.h"
+#include "kernel_compat.h"
+
+static u32 su_sid = 0;
+static u32 kernel_sid = 0;
+
+// init as disabled by default
+static atomic_t disable_spoof = ATOMIC_INIT(1);
+
+int ksu_handle_slow_avc_audit(u32 *tsid)
+{
+	if (atomic_read(&disable_spoof))
+		return 0;
+
+	// if tsid is su, we just replace it
+	// unsure if its enough, but this is how it is aye?
+	if (*tsid == su_sid) {
+		pr_info("slow_avc_audit: replacing su_sid: %u with kernel_sid: %u\n", su_sid, kernel_sid);
+		*tsid = kernel_sid;
+	}
+
+	return 0;
+}
+
+static int get_sid()
+{
+	// dont load at all if we cant get sids
+	int err = security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &su_sid);
+	if (err) {
+		pr_info("avc_spoof/get_sid: su_sid not found!\n");
+		return -1;
+	}
+	pr_info("avc_spoof/get_sid: su_sid: %u\n", su_sid);
+
+	err = security_secctx_to_secid("u:r:kernel:s0", strlen("u:r:kernel:s0"), &kernel_sid);
+	if (err) {
+		pr_info("avc_spoof/get_sid: kernel_sid not found!\n");
+		return -1;
+	}
+	pr_info("avc_spoof/get_sid: kernel_sid: %u\n", kernel_sid);
+	return 0;
+}
+
+void avc_spoof_exit(void) 
+{
+	atomic_set(&disable_spoof, 1);
+	pr_info("avc_spoof/init: slow_avc_audit spoofing disabled!\n");
+}
+
+void avc_spoof_init(void) 
+{
+	int ret = get_sid();
+	if (ret) {
+		pr_info("avc_spoof/init: sid grab fail!\n");
+		return;
+	}
+	
+	// once we get the sids, we can now enable the hook handler
+	atomic_set(&disable_spoof, 0);
+	
+	pr_info("avc_spoof/init: slow_avc_audit spoofing enabled!\n");
+}

kernel/ksud.c

@@ -34,6 +34,12 @@
 bool ksu_module_mounted __read_mostly = false;
 bool ksu_boot_completed __read_mostly = false;
 
+#ifdef CONFIG_KSU_EXTRAS
+extern void avc_spoof_init();
+#else
+void avc_spoof_init() {}
+#endif
+
 #ifdef CONFIG_KSU_KPROBES_KSUD
 extern void unregister_kprobe_thread();
 #endif
@@ -119,6 +125,7 @@ void on_module_mounted(void){
 void on_boot_completed(void){
 	ksu_boot_completed = true;
 	pr_info("on_boot_completed!\n");
+	avc_spoof_init(); 
 }
 
 #if defined(CONFIG_KRETPROBES) && defined(CONFIG_KSU_KPROBES_KSUD) && \