kernel: scan /data/user_de/0 for actual UID (tiann#155) +

rsuntk · ShirkNeko · LeCmnGend · commit ee2a8f9dd81c · 2025-10-01T22:17:39.000+07:00
* Based on tiann#2759 - This may not perfect (such as lock), but tests were fine on ASUS Zenfone Max Pro M2 (X01BD), Android 16 (AOSP) - Any suggestion or bug reports is highly appreciated! Tested-by: rsuntk <rsuntk@yukiprjkt.my.id> Signed-off-by: rsuntk <rsuntk@yukiprjkt.my.id> Co-authored-by: ShirkNeko <109797057+ShirkNeko@users.noreply.github.com>
diff --git a/kernel/kernel_compat.h b/kernel/kernel_compat.h
@@ -6,6 +6,30 @@
 #include <linux/cred.h>
 #include "ss/policydb.h"
 #include "linux/key.h"
+#include <linux/list.h>
+
+/**
+ * list_count_nodes - count the number of nodes in a list
+ * the head of the list
+ * 
+ * Returns the number of nodes in the list
+ */
+#if LINUX_VERSION_CODE < KERNEL_VERSION(6, 6, 0)
+static inline size_t list_count_nodes(const struct list_head *head)
+{
+	const struct list_head *pos;
+	size_t count = 0;
+
+	if (!head)
+		return 0;
+
+	list_for_each(pos, head) {
+		count++;
+	}
+	
+	return count;
+}
+#endif
 
 /**
  * list_count_nodes - count the number of nodes in a list
diff --git a/kernel/throne_tracker.c b/kernel/throne_tracker.c
@@ -7,6 +7,7 @@
 #include <linux/version.h>
 #include <linux/stat.h>
 #include <linux/namei.h>
+#include <asm/atomic.h>
 
 #include "allowlist.h"
 #include "klog.h" // IWYU pragma: keep
@@ -19,10 +20,23 @@
 
 uid_t ksu_manager_uid = KSU_INVALID_UID;
 
+static atomic_t pkg_lock = ATOMIC_INIT(0);
+static atomic_t scan_lock = ATOMIC_INIT(0);
+
 #define KSU_UID_LIST_PATH "/data/misc/user_uid/uid_list"
 #define USER_DATA_PATH "/data/user_de/0"
 #define USER_DATA_PATH_LEN 288
 
+struct uid_scan_stats {
+	size_t errors_encountered;
+};
+
+struct user_data_context {
+	struct dir_context ctx;
+	struct list_head *uid_list;
+	struct uid_scan_stats *stats;
+};
+
 struct uid_data {
 	struct list_head list;
 	u32 uid;
@@ -251,7 +265,7 @@ FILLDIR_RETURN_TYPE user_data_actor(struct dir_context *ctx, const char *name,
 	}
 
 	char package_path[USER_DATA_PATH_LEN];
-	if (snprintf(package_path, sizeof(package_path), "%s/%.*s", 
+	if (snprintf(package_path, sizeof(package_path), "%s/%.*s",
 		     USER_DATA_PATH, namelen, name) >= sizeof(package_path)) {
 		pr_err("Path too long for package: %.*s\n", namelen, name);
 		if (my_ctx->stats)
@@ -330,14 +344,15 @@ static int scan_user_data_for_uids(struct list_head *uid_list)
 	struct file *dir_file;
 	struct uid_scan_stats stats = {0};
 	int ret = 0;
-	
+
 	if (!uid_list) {
 		return -EINVAL;
 	}
 
 	dir_file = ksu_filp_open_compat(USER_DATA_PATH, O_RDONLY, 0);
 	if (IS_ERR(dir_file)) {
-		pr_err("UserDE UID: Failed to open %s, err: (%ld)\n", USER_DATA_PATH, PTR_ERR(dir_file));
+
+		pr_err("Failed to open %s, err: (%ld)\n", USER_DATA_PATH, PTR_ERR(dir_file));
 		return PTR_ERR(dir_file);
 	}
 
@@ -350,14 +365,11 @@ static int scan_user_data_for_uids(struct list_head *uid_list)
 	ret = iterate_dir(dir_file, &ctx.ctx);
 	filp_close(dir_file, NULL);
 
+	// if 0 errors, that means everything were fine.
 	if (stats.errors_encountered > 0) {
-		pr_warn("Encountered %zu errors while scanning user data directory\n", 
-			stats.errors_encountered);
+		pr_info("Got %zu error(s) while scanning %s directory.\n",
+			stats.errors_encountered, USER_DATA_PATH);
 	}
-
-	pr_info("UserDE UID: Scanned %s directory with %zu errors\n", 
-		USER_DATA_PATH, stats.errors_encountered);
-
 	return ret;
 }
 
@@ -461,7 +473,14 @@ FILLDIR_RETURN_TYPE my_actor(struct dir_context *ctx, const char *name,
 	return FILLDIR_ACTOR_CONTINUE;
 }
 
-void search_manager(const char *path, int depth, struct list_head *uid_data)
+// compat: https://elixir.bootlin.com/linux/v3.9/source/include/linux/fs.h#L771
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,9,0)
+#define S_MAGIC_COMPAT(x) ((x)->f_inode->i_sb->s_magic)
+#else
+#define S_MAGIC_COMPAT(x) ((x)->f_path.dentry->d_inode->i_sb->s_magic)
+#endif
+
+static void search_manager(const char *path, int depth, struct list_head *uid_data)
 {
 	int i, stop = 0;
 	struct list_head data_path_list;
@@ -498,7 +517,7 @@ void search_manager(const char *path, int depth, struct list_head *uid_data)
 					pr_err("Failed to open directory: %s, err: %ld\n", pos->dirpath, PTR_ERR(file));
 					goto skip_iterate;
 				}
-				
+
 				// grab magic on first folder, which is /data/app
 				if (!data_app_magic) {
 					if (file->f_inode->i_sb->s_magic) {
@@ -557,26 +576,79 @@ extern bool ksu_uid_scanner_enabled;
 void track_throne(void)
 {
 	struct list_head uid_list;
-
-	// init uid list head
+	struct file *fp;
+	int ret = 0;
 	INIT_LIST_HEAD(&uid_list);
 
-	if (ksu_uid_scanner_enabled) {
-    	pr_info("Scanning %s directory..\n", KSU_UID_LIST_PATH);
-
-    	if (uid_from_um_list(&uid_list) == 0) {
-        	pr_info("loaded uids from %s success\n", KSU_UID_LIST_PATH);
-    	} else {
-       		pr_warn("%s read failed, falling back to %s\n", KSU_UID_LIST_PATH, USER_DATA_PATH);
-        	if (scan_user_data_for_uids(&uid_list) < 0)
-            	goto out;
-        	pr_info("UserDE UID: Scanned %zu packages from user data directory\n", list_count_nodes(&uid_list));
-    	}
+	pr_info("Scanning %s directory..\n", USER_DATA_PATH);
+	ret = scan_user_data_for_uids(&uid_list);
+
+	if (ret < 0) {
+		pr_warn("Failed to scan %s, falling back to %s\n",
+			USER_DATA_PATH, SYSTEM_PACKAGES_LIST_PATH);
+
+		fp = ksu_filp_open_compat(SYSTEM_PACKAGES_LIST_PATH, O_RDONLY, 0);
+		if (IS_ERR(fp)) {
+			pr_err("%s: open " SYSTEM_PACKAGES_LIST_PATH " failed: %ld\n",
+			       __func__, PTR_ERR(fp));
+			return;
+		}
+
+		if (atomic_read(&pkg_lock) != 1) {
+			pr_info("%s: locking to only read %s\n", __func__, SYSTEM_PACKAGES_LIST_PATH);
+			atomic_set(&pkg_lock, 1);
+		}
+
+		char chr = 0;
+		loff_t pos = 0;
+		loff_t line_start = 0;
+		char buf[KSU_MAX_PACKAGE_NAME];
+		for (;;) {
+			ssize_t count = ksu_kernel_read_compat(fp, &chr, sizeof(chr), &pos);
+			if (count != sizeof(chr))
+				break;
+			if (chr != '\n')
+				continue;
+
+			count = ksu_kernel_read_compat(fp, buf, sizeof(buf), &line_start);
+
+			struct uid_data *data = kzalloc(sizeof(struct uid_data), GFP_ATOMIC);
+			if (!data) {
+				filp_close(fp, 0);
+				goto out;
+			}
+
+			char *tmp = buf;
+			const char *delim = " ";
+			char *package = strsep(&tmp, delim);
+			char *uid = strsep(&tmp, delim);
+			if (!uid || !package) {
+				pr_err("update_uid: package or uid is NULL!\n");
+				break;
+			}
+
+			u32 res;
+			if (kstrtou32(uid, 10, &res)) {
+				pr_err("update_uid: uid parse err\n");
+				break;
+			}
+			data->uid = res;
+			strncpy(data->package, package, KSU_MAX_PACKAGE_NAME);
+			list_add_tail(&data->list, &uid_list);
+
+			// reset line start
+			line_start = pos;
+		}
+		filp_close(fp, 0);
 	} else {
-		pr_info("User mode scan status is %s, skipping scan %s\n", ksu_uid_scanner_enabled ? "enabled" : "disabled", KSU_UID_LIST_PATH);
-		if (scan_user_data_for_uids(&uid_list) < 0)
-			goto out;
-		pr_info("UserDE UID: Scanned %zu packages from user data directory\n", list_count_nodes(&uid_list));
+		pr_info("Scanned %zu package(s) from user data directory.\n",
+			list_count_nodes(&uid_list));
+
+		if (atomic_read(&scan_lock) != 1) {
+			pr_info("%s: locking to only read %s directory.\n",
+				__func__, USER_DATA_PATH);
+			atomic_set(&scan_lock, 1);
+		}
 	}
 
 	// now update uid list
@@ -627,6 +699,7 @@ void track_throne(void)
 prune:
 	// then prune the allowlist
 	ksu_prune_allowlist(is_uid_exist, &uid_list);
+
 out:
 	// free uid_list
 	list_for_each_entry_safe (np, n, &uid_list, list) {
