kernel: Only expose su when daemon is running

It has been claimed that the PG implementation of 'su' has security vulnerabilities even when disabled. Unfortunately, the people that find these vulnerabilities often like to keep them private so they can profit from exploits while leaving users exposed to malicious hackers. In order to reduce the attack surface for vulnerabilites, it is therefore necessary to make 'su' completely inaccessible when it is not in use (except by the root and system users). Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
author: Tom Marshall <tdm.code@gmail.com> 2017-01-25 18:01:03 +0100
committer: Davide Garberi <dade.garberi@gmail.com> 2022-07-27 19:23:19 +0200
commit: 08ff8a2e58eb226015fa68d577121137a7e0953f (patch)
tree: 6804e0881c1588dd335fbcdacb7a46f2c95f412f /kernel/exit.c
parent: e604a08d460859ac6de5dff7a19f2340edcc7ae8 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/exit.c b/kernel/exit.c
index babbc3c0a181..4a8dbc4bf4f6 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -719,6 +719,10 @@ void do_exit(long code)
 	sched_exit(tsk);
 	schedtune_exit_task(tsk);
 
+	if (tsk->flags & PF_SU) {
+		su_exit();
+	}
+
 	if (unlikely(in_atomic())) {
 		pr_info("note: %s[%d] exited with preempt_count %d\n",
 			current->comm, task_pid_nr(current),
author	Tom Marshall <tdm.code@gmail.com>	2017-01-25 18:01:03 +0100
committer	Davide Garberi <dade.garberi@gmail.com>	2022-07-27 19:23:19 +0200
commit	08ff8a2e58eb226015fa68d577121137a7e0953f (patch)
tree	6804e0881c1588dd335fbcdacb7a46f2c95f412f /kernel/exit.c
parent	e604a08d460859ac6de5dff7a19f2340edcc7ae8 (diff)