ANDROID: vendor_hooks: add hook to record setid

Add vendor_hook trace_android_vh_security_audit_log_setid,
allow vendor modules to record root state when setted uid or gid to 0.

As we all known,There are attack paths frequently used by attackers.
When setid to 0, it's most possbility of a hacker is trying to root devices.

Bug: 409487715
Change-Id: If3aab719c5c1c01973c5c2f8ec98d8150b9e5786
Signed-off-by: zhengwei <zhengwei2@honor.com>
This commit is contained in:
zhengwei
2025-04-11 15:35:52 +08:00
committed by Treehugger Robot
parent e873da1ae9
commit a35c9a54dd
3 changed files with 16 additions and 0 deletions
+1
View File
@@ -186,6 +186,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_tune_mmap_readaround);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_hw_protection_shutdown);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_shrink_slab_bypass);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_drain_all_pages_bypass);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_vh_security_audit_log_setid);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_selinux_avc_insert);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_selinux_avc_node_delete);
EXPORT_TRACEPOINT_SYMBOL_GPL(android_rvh_selinux_avc_node_replace);
+3
View File
@@ -11,6 +11,9 @@ struct task_struct;
DECLARE_HOOK(android_vh_syscall_prctl_finished,
TP_PROTO(int option, struct task_struct *task),
TP_ARGS(option, task));
DECLARE_HOOK(android_vh_security_audit_log_setid,
TP_PROTO(u32 type, u32 old_id, u32 new_id),
TP_ARGS(type, old_id, new_id));
#endif
#include <trace/define_trace.h>
+12
View File
@@ -429,6 +429,8 @@ long __sys_setregid(gid_t rgid, gid_t egid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(4, old->gid.val, new->gid.val);
return commit_creds(new);
error:
@@ -475,6 +477,8 @@ long __sys_setgid(gid_t gid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(3, old->gid.val, gid);
return commit_creds(new);
error:
@@ -594,6 +598,8 @@ long __sys_setreuid(uid_t ruid, uid_t euid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(1, old->uid.val, new->uid.val);
flag_nproc_exceeded(new);
return commit_creds(new);
@@ -657,6 +663,8 @@ long __sys_setuid(uid_t uid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(0, old->uid.val, uid);
flag_nproc_exceeded(new);
return commit_creds(new);
@@ -742,6 +750,8 @@ long __sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(2, old->uid.val, new->uid.val);
flag_nproc_exceeded(new);
return commit_creds(new);
@@ -832,6 +842,8 @@ long __sys_setresgid(gid_t rgid, gid_t egid, gid_t sgid)
if (retval < 0)
goto error;
trace_android_vh_security_audit_log_setid(5, old->gid.val, new->gid.val);
return commit_creds(new);
error: