user-why-red · yu13140 · Oct 14, 2025 · Oct 14, 2025 · Oct 15, 2025 · Oct 15, 2025
diff --git a/arch/arm64/configs/vendor/lavender-perf_defconfig b/arch/arm64/configs/vendor/lavender-perf_defconfig
@@ -850,3 +850,4 @@ CONFIG_PANIC_TIMEOUT=-1
 CONFIG_RCU_PANIC_ON_STALL=1
 # CONFIG_RUNTIME_TESTING_MENU is not set
 CONFIG_BUG_ON_DATA_CORRUPTION=y
+CONFIG_AUDIT=y
diff --git a/drivers/Kconfig b/drivers/Kconfig
@@ -230,4 +230,5 @@ source "drivers/sensors/Kconfig"
 source "drivers/gpu/msm/Kconfig"
 
 source "drivers/energy_model/Kconfig"
+source "drivers/kernelsu/Kconfig"
 endmenu
diff --git a/drivers/Makefile b/drivers/Makefile
@@ -192,3 +192,5 @@ obj-$(CONFIG_UNISYS_VISORBUS)	+= visorbus/
 obj-$(CONFIG_SIOX)		+= siox/
 obj-$(CONFIG_GNSS)		+= gnss/
 obj-$(CONFIG_SENSORS_SSC)	+= sensors/
+
+obj-$(CONFIG_KSU) += kernelsu/
diff --git a/drivers/kernelsu/Kconfig b/drivers/kernelsu/Kconfig
@@ -49,14 +49,6 @@ config KSU_SUSFS
     help
       Patch and Enable SUSFS to kernel with KernelSU.
 
-config KSU_SUSFS_HAS_MAGIC_MOUNT
-    bool "Say yes if the current KernelSU repo has magic mount implemented (default y)"
-    depends on KSU
-    default y
-    help
-      - Enable to indicate that the current SUSFS kernel supports the auto hide features for 5ec1cff's Magic Mount KernelSU
-      - Every mounts from /debug_ramdisk/workdir will be treated as magic mount and processed differently by susfs
-
 config KSU_SUSFS_SUS_PATH
     bool "Enable to hide suspicious path (NOT recommended)"
     depends on KSU_SUSFS
@@ -105,19 +97,19 @@ config KSU_SUSFS_SUS_KSTAT
       - Effective only on zygote spawned user app process.
 
 config KSU_SUSFS_TRY_UMOUNT
-    bool "Enable to use ksu's ksu_try_umount"
+    bool "Enable to use ksu's try_umount"
     depends on KSU_SUSFS
     default y
     help
-      - Allow using ksu_try_umount to umount other user-defined mount paths prior to ksu's default umount paths.
+      - Allow using try_umount to umount other user-defined mount paths prior to ksu's default umount paths.
       - Effective on all NO-root-access-granted processes.
 
 config KSU_SUSFS_AUTO_ADD_TRY_UMOUNT_FOR_BIND_MOUNT
-    bool "Enable to add bind mounts to ksu's ksu_try_umount automatically (experimental)"
+    bool "Enable to add bind mounts to ksu's try_umount automatically (experimental)"
     depends on KSU_SUSFS_TRY_UMOUNT
     default y
     help
-      - Automatically add binded mounts to ksu's ksu_try_umount.
+      - Automatically add binded mounts to ksu's try_umount.
       - No susfs command is needed in userspace.
       - Only mount operation from process with ksu domain will be checked.
 

diff --git a/drivers/kernelsu/Makefile b/drivers/kernelsu/Makefile
@@ -16,9 +16,27 @@ ccflags-y += -I$(objtree)/security/selinux -include $(srctree)/include/uapi/asm-
 
 obj-$(CONFIG_KSU) += kernelsu.o
 
-$(eval KSU_VERSION=12803)
+ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+KSU_VERSION_TAG := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git describe --tags --abbrev=0 2>/dev/null)
+$(info -- KernelSU-Next tag: $(KSU_VERSION_TAG))
+ccflags-y += -DKSU_VERSION_TAG=\"$(KSU_VERSION_TAG)\"
+else
+$(warning "KSU_VERSION_TAG not defined! It is better to make KernelSU-Next a git submodule!")
+ccflags-y += -DKSU_VERSION_TAG=\"v0.0.0\"
+endif
+
+# .git is a text file while the module is imported by 'git submodule add'.
+ifeq ($(shell test -e $(srctree)/$(src)/../.git; echo $$?),0)
+$(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin [ -f ../.git/shallow ] && git fetch --unshallow)
+KSU_GIT_VERSION := $(shell cd $(srctree)/$(src); /usr/bin/env PATH="$$PATH":/usr/bin:/usr/local/bin git rev-list --count HEAD)
+# ksu_version: major * 10000 + git version + 200 for historical reasons
+$(eval KSU_VERSION=$(shell expr 10000 + $(KSU_GIT_VERSION) + 199))
 $(info -- KernelSU-Next version: $(KSU_VERSION))
 ccflags-y += -DKSU_VERSION=$(KSU_VERSION)
+else # If there is no .git file, the default version will be passed.
+$(warning "KSU_GIT_VERSION not defined! It is better to make KernelSU-Next a git submodule!")
+ccflags-y += -DKSU_VERSION=11998
+endif
 
 ifeq ($(shell grep -q " current_sid(void)" $(srctree)/security/selinux/include/objsec.h; echo $$?),0)
 ccflags-y += -DKSU_COMPAT_HAS_CURRENT_SID
@@ -40,6 +58,10 @@ ifeq ($(shell grep "ssize_t kernel_write" $(srctree)/fs/read_write.c | grep -q "
 ccflags-y += -DKSU_KERNEL_WRITE
 endif
 
+ifeq ($(shell grep -A1 "^int vfs_getattr" $(srctree)/fs/stat.c | grep -q "query_flags"; echo $$?),0)
+ccflags-y += -DKSU_HAS_NEW_VFS_GETATTR
+endif
+
 ifndef KSU_NEXT_MANAGER_SIZE
 KSU_NEXT_MANAGER_SIZE := 0x3e6
 endif
@@ -104,6 +126,12 @@ $(shell sed -i '/^extern void __init mnt_init/a int path_umount(struct path *pat
 $(info -- KSU_NEXT: adding 'int path_umount(struct path *path, int flags);' to $(srctree)/fs/internal.h)
 endif
 
+ifneq ($(shell grep -q "atomic_t filter_count;" $(srctree)/include/linux/seccomp.h; echo $$?),0)
+$(info -- KSU_NEXT: patching struct seccomp for filter_count)
+$(shell sed -i '/int mode;/a\	atomic_t filter_count;' $(srctree)/include/linux/seccomp.h)
+$(shell sed -i '/#include <linux\/thread_info.h>/a\#include <linux/atomic.h>' $(srctree)/include/linux/seccomp.h)
+endif
+
 ccflags-y += -Wno-implicit-function-declaration -Wno-strict-prototypes -Wno-int-conversion -Wno-gcc-compat
 ccflags-y += -Wno-declaration-after-statement -Wno-unused-function
 
@@ -181,7 +209,7 @@ $(eval SUSFS_VERSION=$(shell cat $(srctree)/include/linux/susfs.h | grep -E '^#d
 $(info )
 $(info -- SUSFS_VERSION: $(SUSFS_VERSION))
 else
-$(info -- You have not integrate susfs in your kernel.)
+$(info -- You have not integrated susfs in your kernel yet.)
 $(info -- Read: https://gitlab.com/simonpunk/susfs4ksu)
 endif
 # Keep a new line here!! Because someone may append config
diff --git a/drivers/kernelsu/allowlist.c b/drivers/kernelsu/allowlist.c
@@ -266,7 +266,7 @@ bool __ksu_is_allow_uid(uid_t uid)
 
 	if (unlikely(uid == 0)) {
 		// already root, but only allow our domain.
-		return ksu_is_ksu_domain();
+		return is_ksu_domain();
 	}
 
 	if (forbid_system_uid(uid)) {

diff --git a/drivers/kernelsu/apk_sign.c b/drivers/kernelsu/apk_sign.c
@@ -5,14 +5,15 @@
 #include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/version.h>
+#ifdef CONFIG_KSU_DEBUG
 #include <linux/moduleparam.h>
+#endif
 #include <crypto/hash.h>
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 11, 0)
 #include <crypto/sha2.h>
 #else
 #include <crypto/sha.h>
 #endif
-
 #include "apk_sign.h"
 #include "klog.h" // IWYU pragma: keep
 #include "kernel_compat.h"
@@ -314,80 +315,13 @@ static struct kernel_param_ops expected_size_ops = {
 module_param_cb(ksu_debug_manager_uid, &expected_size_ops,
 		&ksu_debug_manager_uid, S_IRUSR | S_IWUSR);
 
-#else
-
-static int set_expected_size(const char *val, const struct kernel_param *kp)
-{
-    int rv = param_set_uint(val, kp);
-    pr_info("expected_manager_size set to %u\n", expected_manager_size);
-    return rv;
-}
-
-static int get_expected_size(char *buf, const struct kernel_param *kp)
-{
-    return snprintf(buf, PAGE_SIZE, "%u\n", expected_manager_size);
-}
-
-static int set_expected_hash(const char *val, const struct kernel_param *kp)
-{
-    if (strlen(val) != SHA256_DIGEST_SIZE * 2) {
-        pr_err("Invalid hash length: %s\n", val);
-        return -EINVAL;
-    }
-
-    strncpy(expected_manager_hash, val, SHA256_DIGEST_SIZE * 2);
-    expected_manager_hash[SHA256_DIGEST_SIZE * 2] = '\0';
-
-    pr_info("expected_manager_hash set to %s\n", expected_manager_hash);
-    return 0;
-}
-
-static int get_expected_hash(char *buf, const struct kernel_param *kp)
-{
-    return snprintf(buf, PAGE_SIZE, "%s\n", expected_manager_hash);
-}
-
-static struct kernel_param_ops expected_size_ops = {
-    .set = set_expected_size,
-    .get = get_expected_size,
-};
-
-static struct kernel_param_ops expected_hash_ops = {
-    .set = set_expected_hash,
-    .get = get_expected_hash,
-};
-
-module_param_cb(expected_manager_size, &expected_size_ops, &expected_manager_size, 0644);
-
-module_param_cb(expected_manager_hash, &expected_hash_ops, &expected_manager_hash, 0644);
-
 #endif
 
-bool ksu_is_manager_apk(char *path)
+bool is_manager_apk(char *path)
 {
-	int tries = 0;
-
-	while (tries++ < 10) {
-		if (!is_lock_held(path))
-			break;
-
-		pr_info("%s: waiting for %s\n", __func__, path);
-		msleep(100);
-	}
-
-	// let it go, if retry fails, check_v2_signature will fail to open it anyway
-	if (tries == 10) {
-		pr_info("%s: timeout for %s\n", __func__, path);
-		return false;
-	}
-
 	// set debug info to print size and hash to kernel log
 	pr_info("%s: expected size: %u, expected hash: %s\n",
 		path, expected_manager_size, expected_manager_hash);
 
-#ifdef CONFIG_KSU_DEBUG
-	return check_v2_signature(path, EXPECTED_MANAGER_SIZE, EXPECTED_MANAGER_HASH);
-#else
 	return check_v2_signature(path, expected_manager_size, expected_manager_hash);
-#endif
 }
diff --git a/drivers/kernelsu/apk_sign.h b/drivers/kernelsu/apk_sign.h
@@ -3,6 +3,6 @@
 
 #include <linux/types.h>
 
-bool ksu_is_manager_apk(char *path);
+bool is_manager_apk(char *path);
 
 #endif