kernel: selinux: add security_bounded_transition hook for kernel < 4.14

- torvalds/linux@af63f41

- SELinux domain transitions under NNP/nosuid environment was introduced in 4.14 by
  the above commit, for older kernels, we need to make sure our domain transitions
  are allowed when calling ksud at boot from the init

Signed-off-by: Ookiineko <[email protected]>

Author: tiann

kernel/ksu.c

@@ -1,6 +1,7 @@
 #include "linux/fs.h"
 #include "linux/module.h"
 #include "linux/workqueue.h"
+#include "linux/version.h"
 
 #include "allowlist.h"
 #include "arch.h"
@@ -32,6 +33,9 @@ int ksu_handle_execveat(int *fd, struct filename **filename_ptr, void *argv,
 
 extern void ksu_enable_sucompat();
 extern void ksu_enable_ksud();
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+extern void ksu_enable_selinux_compat();
+#endif
 
 int __init kernelsu_init(void)
 {
@@ -56,6 +60,9 @@ int __init kernelsu_init(void)
 #ifdef CONFIG_KPROBES
 	ksu_enable_sucompat();
 	ksu_enable_ksud();
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+	ksu_enable_selinux_compat();
+#endif
 #else
 #warning("KPROBES is disabled, KernelSU may not work, please check https://kernelsu.org/guide/how-to-integrate-for-non-gki.html")
 #endif

kernel/selinux/Makefile

@@ -1,9 +1,10 @@
 obj-y += selinux.o
 obj-y += sepolicy.o
 obj-y += rules.o
+obj-y += kernel_compat.o
 
 
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion
 ccflags-y += -Wno-macro-redefined -Wno-declaration-after-statement -Wno-unused-function
 ccflags-y += -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
-ccflags-y += -I$(objtree)/security/selinux
+ccflags-y += -I$(objtree)/security/selinux

kernel/selinux/kernel_compat.c

@@ -0,0 +1,68 @@
+#include "linux/version.h"
+
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 0)
+#include "linux/types.h"
+#ifdef CONFIG_KPROBES
+#include "linux/kprobes.h"
+#endif
+#include "avc_ss.h"
+
+#include "selinux.h"
+#include "../klog.h" // IWYU pragma: keep
+#include "../arch.h"
+int ksu_handle_security_bounded_transition(u32 *old_sid, u32 *new_sid) {
+	u32 init_sid, su_sid;
+	int error;
+
+	if (!ss_initialized)
+		return 0;
+
+	/* domain unchanged */
+	if (*old_sid == *new_sid)
+		return 0;
+
+	const char *init_domain = INIT_DOMAIN;
+	const char *su_domain = KERNEL_SU_DOMAIN;
+
+	error = security_secctx_to_secid(init_domain, strlen(init_domain), &init_sid);
+	if (error) {
+		pr_warn("cannot get sid of init context, err %d\n", error);
+		return 0;
+	}
+
+	error = security_secctx_to_secid(su_domain, strlen(su_domain), &su_sid);
+	if (error) {
+		pr_warn("cannot get sid of su context, err %d\n", error);
+		return 0;
+	}
+
+	if (*old_sid == init_sid && *new_sid == su_sid) {
+		pr_info("init to su transition found\n");
+		*old_sid = *new_sid;  // make the original func return 0
+	}
+
+	return 0;
+}
+
+#ifdef CONFIG_KPROBES
+static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
+	u32 *old_sid = (u32 *)&PT_REGS_PARM1(regs);
+	u32 *new_sid = (u32 *)&PT_REGS_PARM2(regs);
+
+	return ksu_handle_security_bounded_transition(old_sid, new_sid);
+}
+
+static struct kprobe kp = {
+	.symbol_name = "security_bounded_transition",
+	.pre_handler = handler_pre,
+};
+
+// selinux_compat: make ksud init trigger work for kernel < 4.14
+void ksu_enable_selinux_compat() {
+	int ret;
+
+	ret = register_kprobe(&kp);
+	pr_info("selinux_compat: kp: %d\n", ret);
+}
+#endif
+#endif

kernel/selinux/selinux.c

@@ -3,8 +3,6 @@
 #include "linux/version.h"
 #include "../klog.h" // IWYU pragma: keep
 
-#define KERNEL_SU_DOMAIN "u:r:su:s0"
-
 static u32 ksu_sid;
 
 static int transive_to_domain(const char *domain)

kernel/selinux/selinux.h

@@ -3,6 +3,9 @@
 
 #include "linux/types.h"
 
+#define KERNEL_SU_DOMAIN	"u:r:su:s0"
+#define INIT_DOMAIN		"u:r:init:s0"
+
 void setup_selinux();
 
 void setenforce(bool);
@@ -13,4 +16,4 @@ bool is_ksu_domain();
 
 void apply_kernelsu_rules();
 
-#endif
+#endif