Pull request overview
This PR extends the SELinux hide feature to reduce detectability via writes to /proc/.../attr/current, by adding an LSM hook for selinux_setprocattr and wiring up the LSM hook subsystem initialization in KernelSU’s lifecycle.
Changes:
- Update Manager UI strings for the SELinux hide setting summary (EN + zh-CN).
- Extend the LSM hook framework to support additional hook-slot selection logic (including an `offset` concept) and adjust tracking/unhook behavior.
- Add a `selinux_setprocattr` hook in `selinux_hide` and initialize/teardown the LSM hook subsystem from KernelSU init/exit.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| manager/app/src/main/res/values/strings.xml | Adjusts SELinux hide setting summary text. |
| manager/app/src/main/res/values-zh-rCN/strings.xml | Adjusts zh-CN SELinux hide setting summary text. |
| kernel/hook/lsm_hook.h | Updates hook struct/macro (adds offset, changes init macro shape). |
| kernel/hook/lsm_hook.c | Reworks hook-slot selection and tracking logic for both <6.12 and >=6.12 kernels. |
| kernel/feature/selinux_hide.c | Hooks selinux_setprocattr to constrain app behavior when writing attr/current. |
| kernel/core/init.c | Initializes and exits the LSM hook subsystem in the KernelSU lifecycle. |
pershoot pushed a commit to pershoot/KernelSU-Next that referenced this pull request May 11, 2026
pershoot pushed a commit to KernelSU-Next/KernelSU-Next that referenced this pull request May 12, 2026
jinetty pushed a commit to jinetty/android_kernel_xiaomi_sm8450 that referenced this pull request May 14, 2026
When will this be released?
shoey63 pushed a commit to shoey63/KernelSU that referenced this pull request May 19, 2026
-'kernel_patches: fs/susfs: Implement SuSFS and Toolkit coexistence' https://gitlab.com/pershoot/susfs4ksu/-/tree/gki-android14-6.1-dev
-Accommodate:
-4/15/26: 'kernel: refactor allowlist' (upstream: ksu: tiann#3418) allowlist: ksu_uid_should_umount - new app profile lookup (heap-based)
-4/18/26: 'Use static_key in replace of boolean toggle switch' (upstream: susfs: ee6b1970) init: moved susfs_init() (top of kernelsu_init()) for jump label alignment extras/supercall: avc/uname for static key (global visibility)
-4/22/26: sucompat: Separate ksu_handle_stat for compatibility
-4/23/26: sucompat: Lower boundary for ksu_handle_stat
-4/24/26: 'kernel & KernelSU: Invert initial static_key status; Rename all static_key variables' (upstream: susfs: 5c5c0dd9) extras: use new symbol (susfs_is_avc_log_spoofing_enabled) supercall: check new label (susfs_is_uname_spoof_buffer_set) extras/boot_event/ksud_integration/supercall: Move jump_label inclusion to top-level for (uapi) consistency Revert: 'sucompat: Lower boundary for ksu_handle_stat' (4/23/26) (<6.1 uses legacy)
-4/25/26: 'KernelSU: Replace bunch of if clauses with switch case in ksu_handle_sys_reboot()' (upstream: susfs: cbda1353) dispatch: convert copy_from_user to peeking for avc/uname 'KernelSU: Disable seccomp for all zygote spawned root allowed app processes' (upstream: susfs: ea24aa94) app_profile: optimize escape_with_root_profile setuid_hook: unify setresuid
-4/26/26: 'kernel & KernelSU: Replace ksu_su_compat_enabled boolean toggle with static_key' (upstream: susfs: 71507103) syscall_event_bridge: optimize hot-path via static_branch_likely
-4/27/26: 'kernel & KernelSU: Use test_thread_flag() and set_thread_flag() instead of test_ti_thread_flag() and set_ti_thread_flag()' (upstream: susfs: e1c57040)
-4/28/26: 'KernelSU: More optimization in ksu_handle_setresuid() and ksu_handle_umount()' (upstream: susfs: b1dceb4c) kernel_umount: remove redundant cred overrides setuid_hook/kernel_umount: consolidate cred overrides
-4/29/26: 'KernelSU: Test making some compiler happy' (upstream: susfs: c228b924) setuid_hook: reduce cred override scope
-5/2/26: 'kernel & KernelSU: defer susfs_run_sus_path_loop() to workqueue' (upstream: susfs: f6255b5f) init: move susfs_init (above) kernel_umount: restore cred overrides
-5/6/26: 'KernelSU: Remove the unused deprecated residual devpts hook' (upstream: susfs: 9da70b0c)
-5/11/26: 'feature: selinux hide (tiann#3457)'/'selinux_hide: fix attr/current detection (tiann#3459)' (upstream: ksu: 0efe3cf)/(upstream: ksu: 3f388ef) init: cleanup calls registration (kernelsu_exit) kbuild: refine arch detection and unify core utils 'kernel & KernelSU: Sync with the upstream fix for new selinux detections' (upstream: susfs: 5900f1a3) lsm_hook: sync engine rewrite selinux: implement SID batching and support exec_sid clearing init: Ensure late-load is intact and exit cleanup
-5/12/26: init: Format a few spaces to tabs dispatch: Disable KSU AVC Spoof conditionally
-5/16/26: 'KernelSU: Do not schedule susfs_extra_works when it is already pending' (upstream: susfs: f7ae19ef)
-5/17/26: 'kernel: refine symbol_resolver (tiann#3469)' (upstream: ksu: da8e0ab) selinux_hide: use it
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
shoey63 pushed a commit to shoey63/KernelSU that referenced this pull request May 20, 2026
-'kernel_patches: fs/susfs: Implement SuSFS and Toolkit coexistence' https://gitlab.com/pershoot/susfs4ksu/-/tree/gki-android14-6.1-dev
-Accommodate:
-4/15/26: 'kernel: refactor allowlist' (upstream: ksu: tiann#3418) allowlist: ksu_uid_should_umount - new app profile lookup (heap-based)
-4/18/26: 'Use static_key in replace of boolean toggle switch' (upstream: susfs: ee6b1970) init: moved susfs_init() (top of kernelsu_init()) for jump label alignment extras/supercall: avc/uname for static key (global visibility)
-4/22/26: sucompat: Separate ksu_handle_stat for compatibility
-4/23/26: sucompat: Lower boundary for ksu_handle_stat
-4/24/26: 'kernel & KernelSU: Invert initial static_key status; Rename all static_key variables' (upstream: susfs: 5c5c0dd9) extras: use new symbol (susfs_is_avc_log_spoofing_enabled) supercall: check new label (susfs_is_uname_spoof_buffer_set) extras/boot_event/ksud_integration/supercall: Move jump_label inclusion to top-level for (uapi) consistency Revert: 'sucompat: Lower boundary for ksu_handle_stat' (4/23/26) (<6.1 uses legacy)
-4/25/26: 'KernelSU: Replace bunch of if clauses with switch case in ksu_handle_sys_reboot()' (upstream: susfs: cbda1353) dispatch: convert copy_from_user to peeking for avc/uname 'KernelSU: Disable seccomp for all zygote spawned root allowed app processes' (upstream: susfs: ea24aa94) app_profile: optimize escape_with_root_profile setuid_hook: unify setresuid
-4/26/26: 'kernel & KernelSU: Replace ksu_su_compat_enabled boolean toggle with static_key' (upstream: susfs: 71507103) syscall_event_bridge: optimize hot-path via static_branch_likely
-4/27/26: 'kernel & KernelSU: Use test_thread_flag() and set_thread_flag() instead of test_ti_thread_flag() and set_ti_thread_flag()' (upstream: susfs: e1c57040)
-4/28/26: 'KernelSU: More optimization in ksu_handle_setresuid() and ksu_handle_umount()' (upstream: susfs: b1dceb4c) kernel_umount: remove redundant cred overrides setuid_hook/kernel_umount: consolidate cred overrides
-4/29/26: 'KernelSU: Test making some compiler happy' (upstream: susfs: c228b924) setuid_hook: reduce cred override scope
-5/2/26: 'kernel & KernelSU: defer susfs_run_sus_path_loop() to workqueue' (upstream: susfs: f6255b5f) init: move susfs_init (above) kernel_umount: restore cred overrides
-5/6/26: 'KernelSU: Remove the unused deprecated residual devpts hook' (upstream: susfs: 9da70b0c)
-5/11/26: 'feature: selinux hide (tiann#3457)'/'selinux_hide: fix attr/current detection (tiann#3459)' (upstream: ksu: 0efe3cf)/(upstream: ksu: 3f388ef) init: cleanup calls registration (kernelsu_exit) kbuild: refine arch detection and unify core utils 'kernel & KernelSU: Sync with the upstream fix for new selinux detections' (upstream: susfs: 5900f1a3) lsm_hook: sync engine rewrite selinux: implement SID batching and support exec_sid clearing init: Ensure late-load is intact and exit cleanup
-5/12/26: init: Format a few spaces to tabs dispatch: Disable KSU AVC Spoof conditionally
-5/16/26: 'KernelSU: Do not schedule susfs_extra_works when it is already pending' (upstream: susfs: f7ae19ef)
-5/17/26: 'kernel: refine symbol_resolver (tiann#3469)' (upstream: ksu: da8e0ab) selinux_hide: use it
-5/20/26: Resolve KernelSU conflicts (@shoey63)
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
shoey63 pushed a commit to shoey63/KernelSU that referenced this pull request May 20, 2026
shoey63 pushed a commit to shoey63/KernelSU that referenced this pull request May 21, 2026
jinetty added a commit to jinetty/android_kernel_xiaomi_sm8450 that referenced this pull request May 22, 2026
…nelSU#3459)" This reverts commit 8e7335e.
jinetty added a commit to jinetty/android_kernel_xiaomi_sm8450 that referenced this pull request May 22, 2026
…nelSU#3459)" This reverts commit 8e7335e.
shoey63 pushed a commit to shoey63/KernelSU that referenced this pull request May 23, 2026
jinetty pushed a commit to jinetty/android_kernel_xiaomi_sm8450 that referenced this pull request May 24, 2026
jinetty added a commit to jinetty/android_kernel_xiaomi_sm8450 that referenced this pull request May 25, 2026
…nelSU#3459)" This reverts commit 196d7ca.
No description provided.