kernel: supercalls: allow userspace to pull list entries by backslashxx · Pull Request #3040 · tiann/KernelSU

backslashxx · 2025-12-05T02:51:17Z

No description provided.

this way userspace can pull up kernel's umount list and deduce by itself. this is a bit of a pointerwalking mess but this allows us to 1. avoid a kmalloc kernel side 2. avoid potential crashes kernel side 3. maintain api backwards compatibility 4. userspace can deduce that the feature is there (get list size first) 5. userspace can get the list of entries this can also help denylist handlers to deduce stuff and for advanced users to do shit. This should help on concerns brought up by tiann#2950 (comment) Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>

backslashxx · 2025-12-05T02:52:31Z

userspace handling https://godbolt.org/z/MTcqMGG5o

Details

#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>

#define KSU_INSTALL_MAGIC1 0xDEADBEEF
#define KSU_INSTALL_MAGIC2 0xCAFEBABE

struct ksu_add_try_umount_cmd {
	uint64_t arg; // char ptr, this is the mountpoint
	uint32_t flags; // this is the flag we use for it
	uint8_t mode; // denotes what to do with it 0:wipe_list 1:add_to_list 2:delete_entry
};

#define KSU_UMOUNT_WIPE 0  // ignore everything and wipe list
#define KSU_UMOUNT_ADD 1   // add entry (path + flags)
#define KSU_UMOUNT_DEL 2   // delete entry, strcmp
#define KSU_UMOUNT_GETSIZE 3   // get list size
#define KSU_UMOUNT_GETLIST 4   // get list

#define KSU_IOCTL_ADD_TRY_UMOUNT _IOC(_IOC_WRITE, 'K', 18, 0)

int main(int argc, char *argv[]) 
{
	int fd = 0; // we get that fd here

	syscall(SYS_reboot, KSU_INSTALL_MAGIC1, KSU_INSTALL_MAGIC2, 0, (void *)&fd);

	if (!fd) {
		printf("sys_reboot failed\n");
		return 1;
	}

	printf("[+] fd : %d\n", fd);

	struct ksu_add_try_umount_cmd cmd = {0};
	
	size_t total_size = 0;
	
	cmd.arg = (uint64_t)&total_size;
	cmd.flags = 0;
	cmd.mode = KSU_UMOUNT_GETSIZE;

	int ret = ioctl(fd, KSU_IOCTL_ADD_TRY_UMOUNT, &cmd);
	if (ret < 0) {
		printf("[-] KSU_IOCTL_ADD_TRY_UMOUNT failed\n");
		return 1;
	}

	if (!total_size)
		return 1;
	
	printf("total_size: %zu \n", total_size);

	// now we can prepare the same size of memory	
	
	void *buffer = malloc(total_size);
	if (!buffer)
		return 1;

	memset(buffer, 0, total_size);

	cmd.arg = (uint64_t)buffer;
	cmd.flags = 0;
	cmd.mode = KSU_UMOUNT_GETLIST;

	ret = ioctl(fd, KSU_IOCTL_ADD_TRY_UMOUNT, &cmd);
	if (ret < 0) {
		printf("[-] KSU_IOCTL_ADD_TRY_UMOUNT failed\n");
		return 1;
	}

	// now we pointerwalk
	const char *char_buf = (const char *)buffer;
	do {
		printf("list_entry: %s \n", char_buf);
		char_buf = char_buf + strlen(char_buf) + 1;
	} while (*char_buf);

	return 0;
}

backslashxx · 2025-12-05T02:53:48Z

@aviraxp

aviraxp · 2025-12-05T03:13:55Z

What's this usecase? If it is to solve confliction with other umount methods, this is not enough:

Device boots with kernel umount disabled
Zygisk umounted stuff (Note, in rezygisk/neozygisk they just umount stuff in zygote, so zygote is clean since first app fork)
User turns on kernel umount, conflict again

backslashxx · 2025-12-05T03:15:38Z

I thought youll be deleting the mount entries that youll unmount / not included to clean ns, and with this you can pull mount entries
so you know which to delete

aviraxp · 2025-12-05T03:53:05Z

All zygisk solutions don't umount at new app fork time now, so there will always be timing issue.

this way userspace can pull up kernel's umount list and deduce by itself. this is a bit of a pointerwalking mess but this allows us to 1. avoid a kmalloc kernel side 2. avoid potential crashes kernel side 3. maintain api backwards compatibility 4. userspace can deduce that the feature is there (get list size first) 5. userspace can get the list of entries this can also help denylist handlers to deduce stuff and for advanced users to do shit. - tiann#3040 Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>

Changes on top of upstream (+66): manager: partially revert "manager: Add GKI mode WarningCard" workflows: debloat workflows: debloat pt. 2 dummy.keystore ksud: add armeabi-v7a support manager: failure mode dummy demo manager: unofficial build manager: Add ABI and Kernel archirecture info into InfoCardItem ksud: prevent 32-on-64 pointer mismatches on sepolicy ksud: add avc spoof to feature kernel: remove unsupportable code kernel: restore code required for old kernels kernel: compat: remove ksu_android_ns_fs_check kernel: core_hook: backport ksu_enhanced_security rules kernel: core_hook: disable seccomp for allowed uids kernel: supercalls: provide sys_reboot handler kernel: supercalls: backport: "Use task work to install fd" kernel: supercalls: partial backport of do_manage_mark kernel: selinux: force sepol_data.sepol to be u64 kernel: core_hook: screw path_umount backport, call sys_umount directly kernel: app_profile: shim escape_with_root_profile kernel: throne_tracker: offload to kthread (tiann#2632) kernel: allowlist: escape persistent_allow_list to kthread kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653) kernel: core_hook: migrate init_session_keyring grab to security_bprm_check kernel: compat: uprev init_session_keyring pullout to < 5.2 kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656) kernel: sucompat: sucompat feature support for manual hooks (tiann#2506) kernel: sucompat: provide do_execve_common handler for < 3.14 kernel: sucompat: provide getname_flags handlers kernel: sucompat: provide vfs_statx hook handler >= 5.18 kernel: sucompat: use seccomp.mode for permission check kernel: app_profile: do not disable seccomp again kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig kernel: file_wrapper: handle more compat kernel: file_wrapper: handle readdir and iterate compat for UL kernel: ksud: provide is_ksu_transition check v4 kernel: kp_ksud: restore kprobes for early-boot and used-once hooks kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704) kernel: kp_ksud: add sys_reboot kp hook kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat kernel: extras: SQUASH: avc log spoofing impl kernel: supercalls/debug: expose ksu_set_manager_uid to sys_reboot kernel: supercalls: allow userspace to pull list entries (tiann#3040) kernel: apk_sign: casting to char for strcmp -> memcmp kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek kernel: core_hook: no ext4_unregister_sysfs, no problem kernel: ksud: d_is_reg to S_ISREG kernel: throne_tracker: resolve s_magic for < 3.9 kernel: ksud: handle conditional read_iter requirement for < 3.16 kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18 kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11 kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8 kernel: compat: provide bin2hex compat for < 3.18 kernel: compat: add strscpy pseudo-compat for < 4.3 kernel: compat: file_inode compat for < 3.9 kernel: compat: provide weak anon_inode_getfd_secure for < 5.12 kernel: compat: provide selinux_inode wrapper for < 5.1 kernel: compat: provide selinux_cred wrapper for < 5.1 kernel: apk_sign: fix return check for ksu_sha256 kernel: handle backports kernel: apk_sign: add more size/hash pairs kernel: ksu: printout quirks / backports / etc on init kernel: scripts: kuid_ul_fix: add small script as helper kernel: selinux: fix wrong return type KernelSU v3.0.0+ Warning: Managers built from this repo has a known keystore. See dummy.keystore. Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>