Allow hiding su

LSPosed · Nov 2, 2021 · 854bec8 · 854bec8
1 parent f82e33e
commit 854bec8
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 14 deletions.
diff --git a/drivers/base/superuser/Kconfig b/drivers/base/superuser/Kconfig
@@ -0,0 +1,22 @@
+menu "Super User Options"
+config ASSISTED_SUPERUSER
+	bool "Kernel-assisted superuser"
+	select SECURITY_SELINUX_DEVELOP if SECURITY_SELINUX
+	help
+	  This driver gives trivial root access by typing `su` in a
+	  shell. It is a security disaster, and nobody should enable
+	  this catastrophe of a driver.
+
+	  Say N here unless you have a vendetta against kittens.
+
+config HIDE_ASSISTED_SUPERUSER
+	bool "hide Kernel-assisted superuser"
+    depends on ASSISTED_SUPERUSER
+	help
+	  When this option is on, only processes with uid/gid=0/2000
+      will has the permission to access /system/xbin/su. Other
+      processes will never have permission to access/stat/exec
+      su binary.
+
+	  Say N here unless you have a vendetta against kittens.
+endmenu
diff --git a/drivers/superuser/Makefile → drivers/base/superuser/Makefile b/drivers/superuser/Makefile → drivers/base/superuser/Makefile
diff --git a/drivers/superuser/superuser.c → drivers/base/superuser/superuser.c b/drivers/superuser/superuser.c → drivers/base/superuser/superuser.c
@@ -27,6 +27,15 @@
 
 typedef long (* syscall_wrapper)(struct pt_regs *);
 
+static bool is_permitive(void) {
+#ifdef CONFIG_HIDE_ASSISTED_SUPERUSER
+	struct cred *cred = (struct cred *)__task_cred(current);
+	return cred->uid.val == 0 || cred->uid.val == 2000 || cred->gid.val == 0 || cred->gid.val == 2000;
+#else
+	return true;
+#endif
+}
+
 static bool is_su(const char __user *filename)
 {
 	static const char su_path[] = "/system/xbin/su";
@@ -55,15 +64,15 @@ static syscall_wrapper old_newfstatat;
 
 static long new_newfstatat(struct pt_regs* regs)
 {
-	if (is_su((const char __user*)regs->si))
+	if (is_permitive() && is_su((const char __user*)regs->si))
 		regs->si = (ulong) sh_user_path();
 	return old_newfstatat(regs);
 }
 
 static syscall_wrapper old_faccessat;
 static long new_faccessat(struct pt_regs* regs)
 {
-	if (is_su((const char __user*)regs->si))
+	if (is_permitive() && is_su((const char __user*)regs->si))
 		regs->si = (ulong) sh_user_path();
 	return old_faccessat(regs);
 }
@@ -80,7 +89,7 @@ static long new_execve(struct pt_regs* regs)
 	struct task_security_struct *current_security;
 
 	const char __user * filename = (const char *) regs->di;
-	if (!is_su(filename))
+	if (!is_permitive() || !is_su(filename))
 		return old_execve(regs);
 
 	if (!old_execve(regs))

diff --git a/drivers/superuser/Kconfig b/drivers/superuser/Kconfig