kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123)#1035
Merged
Conversation
…SU#3123) This feature does not work with tracepoint hook because setresuid is not even hooked for apps not in allowlist. It was invented when we still use task_fix_setuid LSM hook, but since it is inlined in oplus kernel and we switched to tracepoint hook, we don't have a reliable way to implement this feature without introducing side channels. Remove it and avoid confuse users.
Sorayukii
pushed a commit
to Sorayukii/KernelSU-Next
that referenced
this pull request
Jan 4, 2026
kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123)
Sorayukii
pushed a commit
to Sorayukii/KernelSU-Next
that referenced
this pull request
Jan 4, 2026
kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123)
Sorayukii
pushed a commit
to Sorayukii/KernelSU-Next
that referenced
this pull request
Jan 4, 2026
kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123)
rifsxd
pushed a commit
that referenced
this pull request
Jan 4, 2026
….7 (#1047) * KSU-Next: Debloat Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: fix Wcalloc-transposed-args (tiann/KernelSU#3121) * Merge pull request #1035 from pershoot/dev1 kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123) * kernel: extras: avc log spoofing * kernel: extras: base implementation of avc log spoofing * kernel: extras: properly version out slow_avc_audit_pre_handler * kernel: extras: add avc spoof to feature this is a rebase of: KOWX712/KernelSU@4b6f76d * kernel/extra: replace sensitive context with priv_app ref: aviraxp/ZN-AuditPatch@a0a46bd Co-Authored-By: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-Authored-By: Wang Han <18079988+aviraxp@users.noreply.github.com> Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: ksud: migrate init.rc handling to security_file_permission LSM devlog backslashxx/KernelSU@5ba658b...8a6ae25 backslashxx/KernelSU@b7df5d1...754bbd5 Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: Try to fix CONFIG_KSU_ALLOWLIST_WORKAROUND ../drivers/kernelsu/lsm_hooks.c:145:32: error: use of undeclared identifier 'ksu_key_permission'; did you mean 'ksu_inode_permission'? 145 | LSM_HOOK_INIT(key_permission, ksu_key_permission), | ^~~~~~~~~~~~~~~~~~ | ksu_inode_permission ../include/linux/lsm_hooks.h:2060:57: note: expanded from macro 'LSM_HOOK_INIT' 2060 | { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } } | ^~~~ ../drivers/kernelsu/lsm_hooks.c:107:5: note: 'ksu_inode_permission' declared here 107 | int ksu_inode_permission(struct inode inode, int mask) | ^ ../drivers/kernelsu/lsm_hooks.c:145:32: error: incompatible function pointer types initializing 'int ()(key_ref_t, const struct cred , unsigned int)' (aka 'int ()(struct __key_reference_with_attributes *, const struct cred *, unsigned int)') with an expression of type 'int (struct inode *, int)' [-Wincompatible-function-pointer-types] 145 | LSM_HOOK_INIT(key_permission, ksu_key_permission), | ^~~~~~~~~~~~~~~~~~ 2 errors generated. Signed-off-by: Sorayukii <sorayukii69@gmail.com> --------- Signed-off-by: Sorayukii <sorayukii69@gmail.com> Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: libingxuan <84086386+aaaaaaaa-815@users.noreply.github.com> Co-authored-by: pershoot <190600+pershoot@users.noreply.github.com> Co-authored-by: KOWX712 <leecc0503@gmail.com> Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: Wang Han <18079988+aviraxp@users.noreply.github.com>
slipzryzens
pushed a commit
to slipzryzens/KernelSU-Next
that referenced
this pull request
Jan 6, 2026
….7 (KernelSU-Next#1047) * KSU-Next: Debloat Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: fix Wcalloc-transposed-args (tiann/KernelSU#3121) * Merge pull request KernelSU-Next#1035 from pershoot/dev1 kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123) * kernel: extras: avc log spoofing * kernel: extras: base implementation of avc log spoofing * kernel: extras: properly version out slow_avc_audit_pre_handler * kernel: extras: add avc spoof to feature this is a rebase of: KOWX712/KernelSU@4b6f76d * kernel/extra: replace sensitive context with priv_app ref: aviraxp/ZN-AuditPatch@a0a46bd Co-Authored-By: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-Authored-By: Wang Han <18079988+aviraxp@users.noreply.github.com> Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: ksud: migrate init.rc handling to security_file_permission LSM devlog backslashxx/KernelSU@5ba658b...8a6ae25 backslashxx/KernelSU@b7df5d1...754bbd5 Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Signed-off-by: Sorayukii <sorayukii69@gmail.com> * kernel: Try to fix CONFIG_KSU_ALLOWLIST_WORKAROUND ../drivers/kernelsu/lsm_hooks.c:145:32: error: use of undeclared identifier 'ksu_key_permission'; did you mean 'ksu_inode_permission'? 145 | LSM_HOOK_INIT(key_permission, ksu_key_permission), | ^~~~~~~~~~~~~~~~~~ | ksu_inode_permission ../include/linux/lsm_hooks.h:2060:57: note: expanded from macro 'LSM_HOOK_INIT' 2060 | { .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } } | ^~~~ ../drivers/kernelsu/lsm_hooks.c:107:5: note: 'ksu_inode_permission' declared here 107 | int ksu_inode_permission(struct inode inode, int mask) | ^ ../drivers/kernelsu/lsm_hooks.c:145:32: error: incompatible function pointer types initializing 'int ()(key_ref_t, const struct cred , unsigned int)' (aka 'int ()(struct __key_reference_with_attributes *, const struct cred *, unsigned int)') with an expression of type 'int (struct inode *, int)' [-Wincompatible-function-pointer-types] 145 | LSM_HOOK_INIT(key_permission, ksu_key_permission), | ^~~~~~~~~~~~~~~~~~ 2 errors generated. Signed-off-by: Sorayukii <sorayukii69@gmail.com> --------- Signed-off-by: Sorayukii <sorayukii69@gmail.com> Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: libingxuan <84086386+aaaaaaaa-815@users.noreply.github.com> Co-authored-by: pershoot <190600+pershoot@users.noreply.github.com> Co-authored-by: KOWX712 <leecc0503@gmail.com> Co-authored-by: backslashxx <118538522+backslashxx@users.noreply.github.com> Co-authored-by: Wang Han <18079988+aviraxp@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
kernel, ksud, manager: Remove enhanced security feature (tiann/KernelSU#3123)
Author: Wang Han 416810799@qq.com (aviraxp)
Date: Wed Dec 31 21:56:49 2025 +0800
This feature does not work with tracepoint hook because setresuid is not even hooked for apps not in allowlist. It was invented when we still use task_fix_setuid LSM hook, but since it is inlined in oplus kernel and we switched to tracepoint hook, we don't have a reliable way to implement this feature without introducing side channels. Remove it and avoid confuse users.