kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704)

- torvalds/linux@af63f41

- SELinux domain transitions under NNP/nosuid environment was introduced in 4.14 by
  the above commit, for older kernels, we need to make sure our domain transitions
  are allowed when calling ksud at boot from the init

- Adapted from tiann#270 (comment)
  tiann@0950fbb

- tiann#1704
  tiann@d664fe3

Difference to tiann's version:
- use a kretprobe to force a 0 return
- grab sids outside of kprobe context to avoid stuckups / hangups

Logs:
daisy:/ # dmesg | grep -E "transition|grab_sids"
[    5.977810] KernelSU: ksud_grab_sids: got init sid: 62
[    5.977907] KernelSU: ksud_grab_sids: got su sid: 537
[    5.980497] KernelSU: kp_ksud: register kretprobe: security_bounded_transition ret: 0
[   32.008560] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   32.008663] type=1401 audit(2247197.199:61): op=security_bounded_transition seresult=denied oldcontext=u:r:init:s0 newcontext=u:r:su:s0
[   36.946527] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   61.202278] KernelSU: kp_ksud: security_bounded_transition: allowing init (62) -> su (537)
[   61.202395] type=1401 audit(1761288080.219:1045): op=security_bounded_transition seresult=denied oldcontext=u:r:init:s0 newcontext=u:r:su:s0
daisy:/ # uname -a
Linux localhost 4.9.337+64-daikura/db23b17 tiann#634 SMP PREEMPT Fri Oct 24 14:37:19 PST 2025 aarch64 Toybox

Signed-off-by: backslashxx <[email protected]>

Author: tiann

kernel/kp_ksud.c

@@ -198,6 +198,92 @@ static struct kprobe key_permission_kp = {
 };
 #endif // key_permission
 
+// security_bounded_transition
+#if defined(CONFIG_KRETPROBES) && LINUX_VERSION_CODE >= KERNEL_VERSION(3, 18, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+#include "avc_ss.h"
+#include "selinux/selinux.h"
+
+static u32 init_sid = 0;
+static u32 su_sid = 0;
+
+// get sids outside of kprobe context
+static int grab_sids()
+{
+	int error = security_secctx_to_secid("u:r:init:s0", strlen("u:r:init:s0"), &init_sid);
+	if (error)
+		return 1;
+
+	pr_info("kp_ksud/grab_sids: got init sid: %d\n", init_sid);
+
+	error = security_secctx_to_secid("u:r:su:s0", strlen("u:r:su:s0"), &su_sid);
+	if (error)
+		return 1;
+
+	pr_info("kp_ksud/grab_sids: got su sid: %d\n", su_sid);
+	
+	return 0;
+}
+
+// int security_bounded_transition(u32 old_sid, u32 new_sid)
+static int bounded_transition_entry_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	// grab sids on entry
+	u32 *sid = (u32 *)ri->data;
+	sid[0] = PT_REGS_PARM1(regs);  // old_sid
+	sid[1] = PT_REGS_PARM2(regs);  // new_sid
+	return 0;
+}
+
+static int bounded_transition_ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
+{
+	u32 *sid = (u32 *)ri->data;
+	u32 old_sid = sid[0];
+	u32 new_sid = sid[1];
+
+	if (!ss_initialized)
+		return 0;
+
+	// so if old sid is 'init' and trying to transition to a new sid of 'su'
+	// force the function to return 0 
+	if (old_sid == init_sid && new_sid == su_sid) {
+		pr_info("kp_ksud: security_bounded_transition: allowing init (%d) -> su (%d)\n", init_sid, su_sid);
+		PT_REGS_RC(regs) = 0;  // make the original func return 0
+	}
+
+	return 0;
+}
+
+static struct kretprobe bounded_transition_rp = {
+	.kp.symbol_name = "security_bounded_transition",
+	.handler = bounded_transition_ret_handler,
+	.entry_handler = bounded_transition_entry_handler,
+	.data_size = sizeof(u32) * 2, // need to keep 2x u32's, one per sid
+	.maxactive = 20,
+};
+
+// unused for now 
+void kp_ksud_transition_routine_end()
+{
+	unregister_kretprobe(&bounded_transition_rp);
+	pr_info("kp_ksud: unregister kretprobe: security_bounded_transition ret: ??\n");
+}
+
+void kp_ksud_transition_routine_start()
+{
+	// we only need to run this once.
+	// once we got sids, we are ready
+	if (su_sid != 0)
+		return;
+
+	int ret = grab_sids();
+	if (ret)
+		return;
+	
+	ret = register_kretprobe(&bounded_transition_rp);
+	pr_info("kp_ksud: register kretprobe: security_bounded_transition ret: %d\n", ret);
+}
+#endif // security_bounded_transition
+
 static void unregister_kprobe_logged(struct kprobe *kp)
 {
 	const char *symbol_name = kp->symbol_name;

kernel/ksud.c

@@ -121,6 +121,11 @@ void on_boot_completed(void){
 	pr_info("on_boot_completed!\n");
 }
 
+#if defined(CONFIG_KRETPROBES) && defined(CONFIG_KSU_KPROBES_KSUD) && \
+	LINUX_VERSION_CODE >= KERNEL_VERSION(3, 18, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+extern void kp_ksud_transition_routine_start();
+#endif
+
 // since _ksud handler only uses argv and envp for comparisons
 // this can probably work
 // adapted from ksu_handle_execveat_ksud
@@ -208,6 +213,12 @@ int ksu_handle_bprm_ksud(const char *filename, const char *argv1, const char *en
 	}
 
 first_app_process:
+#if defined(CONFIG_KRETPROBES) && defined(CONFIG_KSU_KPROBES_KSUD) && \
+	LINUX_VERSION_CODE >= KERNEL_VERSION(3, 18, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+	if (init_second_stage_executed == true)
+		kp_ksud_transition_routine_start();
+#endif
+
 	if (first_app_process && !memcmp(filename, app_process, sizeof(app_process) - 1)) {
 		first_app_process = false;
 		pr_info("%s: exec app_process, /data prepared, second_stage: %d\n", __func__, init_second_stage_executed);