Superkey prctl via TSR + module build hardening (check_symbol, -Wno-implicit, DDK 20260313) #38
Merged
The flag silently allowed three calls to undeclared functions, each compiled with a guessed `int foo()` prototype instead of the real signature:

- is_init (hook/syscall_event_bridge.c) -> selinux/selinux.h
- is_manager_apk (supercall/dispatch.c) -> manager/apk_sign.h
- msleep (manager/superkey.c) -> linux/delay.h

Add the missing includes and drop the flag, so a future undeclared call fails the build instead of resolving to a wrong signature by ABI luck.
Move SuperKey's prctl interception from a kprobe on __arm64_sys_prctl to the
existing TSR (Tracepoint Syscall Redirect) dispatcher, consistent with the other
syscall hooks. ksu_hook_prctl() runs in the sleepable dispatcher context rather
than the atomic kprobe breakpoint handler, and no breakpoint is planted on the
hot prctl path. It is __nocfi because it tail-calls the original syscall through
ksu_syscall_table[orig_nr]. Registration moves from register_kprobe(&prctl_kp)
to ksu_register_syscall_hook(__NR_prctl, ...).
Rename the now-misnamed helpers to match: ksu_superkey_{,un}register_prctl_kprobe
-> _prctl_hook, prctl_kprobe_registered -> prctl_hook_registered. The reboot
kprobe (fd install) is unchanged.
kernelsu.ko's build runs tools/check_symbol against $KDIR/vmlinux. On the `ddk` image at release 20251104 the GKI vmlinux has an incomplete .symtab, so check_symbol reports false positives for exported symbols (vmalloc, __kmalloc, strscpy, ...). Upstream CI uses `ddk-min` at 20260313, where it passes. Point the kernel-module build (ddk-lkm.yml and scripts/build.sh) at ddk-min and bump every DDK release pin to 20260313. The Kasumi LKM build stays on `ddk` (it does not run check_symbol).
The check_symbol invocation had been dropped from the `all` target, leaving the tool target orphaned and never run. Restore upstream's wiring: `all` depends on check_symbol (built with the host CC), builds the modules, then runs `./check_symbol kernelsu.ko $(KDIR)/vmlinux` to catch undefined symbols missing from the target kernel.
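The check that the restored `all` target wires back in, modelled here as an added example over constructed nm(1)-style listings (this is not the repository's tools/check_symbol; the addresses and the truncated table are made up): the same module listing passes against a complete vmlinux symtab and produces false positives against a truncated one, which is the ddk 20251104 behaviour described above.

```python
"""check_symbol-style pass (added example, not the project's tool): every
symbol kernelsu.ko leaves undefined must be defined in vmlinux's .symtab."""

# Constructed nm(1)-style output for the module. 'U' marks a symbol the module
# loader must resolve against the running kernel at insmod time.
MODULE_NM = """\
                 U __kmalloc
                 U strscpy
                 U vmalloc
0000000000000000 T ksu_hook_prctl
"""

# Constructed complete vmlinux symtab: every import above is defined.
VMLINUX_COMPLETE = """\
ffff800080123450 T __kmalloc
ffff800080234560 T strscpy
ffff800080345670 T vmalloc
"""

# Constructed truncated symtab (the older ddk image case): the kernel does
# export these symbols, but the table no longer lists them.
VMLINUX_TRUNCATED = """\
ffff800080345670 T vmalloc
"""

# nm type letters that denote a definition a module import can bind to
# (text, data, bss, read-only, weak); anything else is not a definition.
DEFINED_TYPES = set("TtDdBbRrVvWw")


def parse_nm(text: str) -> list[tuple[str, str]]:
    """Return (type, name) pairs; undefined entries have no address column."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:        # "U name"
            sym_type, name = parts
        elif len(parts) == 3:      # "addr T name"
            _, sym_type, name = parts
        else:
            continue               # blank or unparseable line
        entries.append((sym_type, name))
    return entries


def check_symbols(module_nm: str, vmlinux_nm: str) -> list[str]:
    """Module imports the kernel does not define, sorted; empty list = pass."""
    needed = {n for t, n in parse_nm(module_nm) if t == "U"}
    provided = {n for t, n in parse_nm(vmlinux_nm) if t in DEFINED_TYPES}
    return sorted(needed - provided)
```

A non-empty result from a genuinely complete symtab is a real insmod failure waiting to happen; the same result from a truncated symtab is the false positive the DDK bump removes, so the symtab's completeness has to be trusted before the check is.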
Pull request overview
This PR hardens the KernelSU LKM build to catch missing symbols/declarations again, updates the CI/build environment to a newer DDK (and ddk-min where needed), and migrates SuperKey’s prctl interception from a kprobe to the existing TSR (tracepoint syscall redirect) hook mechanism.
Changes:
- Restore `check_symbol` execution as part of the default module build and remove `-Wno-implicit-function-declaration`, adding missing headers where needed.
- Move SuperKey `prctl` interception to TSR hooks (renaming the helper APIs accordingly).
- Bump DDK pin to `20260313` and switch the LKM build to `ghcr.io/ylarod/ddk-min` where `check_symbol` needs a complete `.symtab`.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/build.sh | Bump DDK release pin and switch LKM docker image to ddk-min. |
| kernel/supercall/supercall.h | Rename SuperKey prctl registration helpers from kprobe to hook naming. |
| kernel/supercall/supercall.c | Implement prctl interception via TSR hook and update register/unregister flow. |
| kernel/supercall/dispatch.c | Add missing header for is_manager_apk() declaration. |
| kernel/manager/throne_tracker.c | Update call site to renamed SuperKey prctl hook registration helper. |
| kernel/manager/superkey.c | Add missing <linux/delay.h> include for msleep(). |
| kernel/Makefile | Restore running check_symbol from all target (and build tool via check_symbol target). |
| kernel/Kbuild | Drop -Wno-implicit-function-declaration to re-enable declaration checking. |
| kernel/hook/syscall_event_bridge.c | Add missing header for is_init() declaration. |
| .github/workflows/kasumi-lkm.yml | Bump default DDK release pin. |
| .github/workflows/ddk-lkm.yml | Bump default DDK pin and switch container image to ddk-min. |
| .github/workflows/build-lkm.yml | Bump pinned DDK release used by the matrix build. |
| .github/workflows/build-kasumi-lkm.yml | Bump pinned DDK release used by the Kasumi LKM build. |
Comment on lines +394 to 401
| void ksu_superkey_unregister_prctl_hook(void) | ||
| { | ||
| if (prctl_kprobe_registered) { | ||
| unregister_kprobe(&prctl_kp); | ||
| prctl_kprobe_registered = false; | ||
| pr_info("SuperKey: prctl kprobe unregistered after " | ||
| if (prctl_hook_registered) { | ||
| ksu_unregister_syscall_hook(__NR_prctl); | ||
| prctl_hook_registered = false; | ||
| pr_info("SuperKey: prctl TSR hook unregistered after " | ||
| "authentication\n"); | ||
| } |
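Review bot: in the new branch of this hunk the return value of `ksu_unregister_syscall_hook(__NR_prctl);` is discarded and `prctl_hook_registered = false;` plus the "prctl TSR hook unregistered" pr_info follow unconditionally. If that helper can report failure (its signature is not visible here), mirror the registration side and clear the flag and log only on success; otherwise a failed unhook leaves the TSR entry live while the state and the log say it is gone, and a later register call would see `prctl_hook_registered == false` and re-register over it.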
This branch bundles four independent commits — each is self-contained and can be reverted on its own. They cover two themes: making the module build catch symbol/declaration problems again, and moving SuperKey's prctl interception off kprobes.
**kernel: drop -Wno-implicit-function-declaration and fix the hidden calls**

`-Wno-implicit-function-declaration` was masking three calls to functions whose headers weren't included, so the compiler emitted implicit C89 declarations instead of type-checking them (they happened to be ABI-compatible, so it still linked):

- `is_init()` in `hook/syscall_event_bridge.c` — add `selinux/selinux.h`
- `is_manager_apk()` in `supercall/dispatch.c` — add `manager/apk_sign.h`
- `msleep()` in `manager/superkey.c` — add `<linux/delay.h>`

With the includes in place the flag is dropped, so any future undeclared call fails the build instead of silently linking.

**superkey: intercept prctl via TSR instead of a kprobe**

Move SuperKey's prctl interception from a kprobe on `__arm64_sys_prctl` to the existing TSR (Tracepoint Syscall Redirect) dispatcher, consistent with the other syscall hooks. `ksu_hook_prctl()` runs in the sleepable dispatcher context rather than the atomic kprobe breakpoint handler, and no breakpoint is planted on the hot prctl path. The now-misnamed helpers are renamed to match (`ksu_superkey_{,un}register_prctl_kprobe` → `_prctl_hook`, `prctl_kprobe_registered` → `prctl_hook_registered`). The reboot kprobe (fd install) is unchanged.

**ci,build: bump DDK to 20260313 and build the LKM on ddk-min**

`kernelsu.ko`'s build runs `tools/check_symbol` against `$KDIR/vmlinux`. On the `ddk` image at release 20251104 the GKI vmlinux has an incomplete `.symtab`, so check_symbol reports false positives for exported symbols (`vmalloc`, `__kmalloc`, `strscpy`, …). Upstream CI uses `ddk-min` at 20260313, where it passes — so point the LKM build (`ddk-lkm.yml` + `scripts/build.sh`) at `ddk-min` and bump every DDK release pin to 20260313. The Kasumi LKM build stays on `ddk` (it does not run check_symbol).

**kernel: restore check_symbol in the module build**

The check_symbol invocation had been dropped from the `all` target, leaving the tool orphaned and never run. Restore upstream's wiring so the build fails on undefined symbols missing from the target kernel.

**Testing**

- `kernelsu.ko` in `ghcr.io/ylarod/ddk-min:android16-6.12-20260313`: clean (0 warnings / 0 errors), `check_symbol` reports 0 missing symbols.
- `scripts/build.sh -i` installed to a Qualcomm android16-6.12 device successfully.