Changelog for v0.5.7:

1. Translations for several languages.
2. Fixed a bug where REPLACE in modules may not take effect.
3. Fixed an issue where x86_64 devices may not work.
4. Fixed some issues with module mounting.

https://github.com/tiann/KernelSU/releases/tag/v0.5.7

KernelSU is going to develop a feature called the "App Profile", which consists of three parts:

1. Root Authorization: granting specified applications access to root permissions
2. Blacklist and Whitelist: providing a list of modules to mount or hide
3. Root Profile

The Root Profile can be used to restrict applications that already have root privileges.

Root permissions can actually be divided into several aspects:

- UID and GID
- Groups
- Capabilities
- SELINUX

In all previous root implementations, permissions in these aspects have been unlimited. This means that a firewall app could format your phone and delete all data, even though it only needed network management privileges; a file manager app could implant viruses, load kernel modules, and hide itself, even though it only needed full file access permissions. There are many similar examples. Imagine hiring a cleaner to tidy up your house, only for them to open your safe and transfer all your possessions away. In fact, most root apps only need a very small subset of root permissions. Why should we grant them unrestricted root privileges?

The Root Profile aims to solve this problem by granting applications restricted root permissions based on appropriate identification, groups, capabilities, and a series of SELinux rules. You can customize the rules yourself or use rules created by others. Of course, if you want to use unrestricted root permissions, there is no problem.

This feature is still in development, and we welcome any feedback and suggestions!

Credits to @nu11ptr @Ylarod for the ideas!

Forget to tell everyone, the App Profile feature has been preliminarily working and has been released for a while, you can download and experience it on the github release page: https://github.com/tiann/KernelSU/releases/tag/v0.6.0.

In addition, the patch made by arter97 to optimize the performance of KernelSU was also merged today (previously delayed due to code conflicts with new features). Many thanks to arter97 for his contributions!

PS. After upgrading to the version that supports App Profile, the list of superusers will be reset, so you will need to re-authorize. Please don't be surprised!

ChromeOS's CI has also been added, if you are interested in using KernelSU on ChromeOS, you can check here: https://github.com/tiann/KernelSU/issues/637

v0.6.1 changelog:

1. Support online updates for modules and manager.
2. Fix the potential issue of umount failing.
3. Harden the signature verification of the manager.

Download

The docs of App Profile is online now: https://kernelsu.org/guide/app-profile.html

v0.6.6 Changelog:

- [Manager] Lots of translation updates in many languages, thanks to all developers who contributed on Weblate.
- [Manager] Fixed a bug where module list doesn't show in manager under some cases.
- [Module] Boot scripts now support a new boot stage boot-completed, which will run after system finished booting, available for both common and module scripts.
- [Kernel] Kernel tasks are now queued and run in a global single thread, to avoid timing issues causing su allowlist mixup.
- [Module] Fixed a bug where flashing large modules could fail.
- [Manager] Optimized log output when installing modules in manager, UI only shows concise logs while saving detailed logs to file.
- [Module] Uninstalling modules is now delayed until next reboot, avoiding potential incomplete uninstall.
- [Manager] Added loading spinner for module operations in manager.
- [Module] Fixed a bug where common post-fs-data scripts don't run if no modules installed.
- [Manager] Fixed some untcentered prompt texts in manager.
- [SU] Fixed incorrect parameter parsing in su.
- [Manager] Module install log now auto-scrolls to bottom in manager.
- [Manager] Module install screen now automatically mutes system volume keys for module volume key selection.
- [Manager] Refreshes module list after install to avoid user confusion.
- [Kernel] Fixed keyring not installed correctly on 4.9 kernels causing modules not working.
- [Module] SELinux context of module dirs are fixed automatically on boot, avoiding some boot failures.

Download

To those concerned about KernelSU's security:

Today's KernelSU has come a long way from the original KernelSU created by zx2c4 several years ago(kernel-assisted-superuser), and the issues back then have been addressed:

1. We now have authorization management, so we can control which apps can use Root instead of any app being able to use Root without user awareness like before.
2. We use signature verification for manager authentication instead of package name verification. Signatures can't be spoofed like package names.
3. We've also added features like App Profiles to restrict Root privileges.

Additionally, we welcome any security researchers to discuss KernelSU's potential attack surfaces with us. We will spare no effort to improve KernelSU's security.

I became a dad last night and the amount of time I spend on KernelSU will probably decrease significantly. We welcome anyone to contribute to the project in any form, I will still review and make suggestions for every PR, thank you all!

To all KernelSU users:

Please upgrade to version 0.6.9 or above AS SOON AS POSSIBLE, it contains a very important security fix; in the worst case, the vulnerability(CVE-2023-5521) may cause root privileges to be taken over by malicious programs.

Please note that just upgrading the Manager application has no effect, you need to upgrade the kernel!

Credits to 0x33c0unt for submitting this vulnerability. His detailed description and PoC provided us with great help!

Also I would like to reiterate that we welcome any security researchers to discuss KernelSU's potential attack surfaces with us. We will spare no effort to improve KernelSU's security.

Some explanations:

1. This does not mean that KernelSU is unsafe. Many vulnerabilities are submitted in the Android system itself every month; in addition, this problem also exists in Magisk.
2. If you keep the manager installed, you will never be affected.
3. If you uninstall the manager, the malicious application needs to be installed on your system to take effect, and the official manager will not work. And we have never received this type of feedback.
4. This fix is not resistant to attacks when the "ignore invalid digest error" function of the Xposed module "CorePatch" is turned on.
5. Finally, upgrade now.

We’re excited to report that we’ve delivered on the App Profile feature we promised 5 months ago! In this release, we have added an important feature to App Profile: Templates. You can create templates by yourself, import templates created by others, or directly use online templates. Templates can be directly applied to App Profile, without having to manually set each configuration! Therefore, even if you don’t understand the complex concepts in App Profile, you can easily restrict ROOT permissions through templates. In addition, welcome to contribute rules to online templates!

Changelog:

1. [Security] Fix a security issue similar to CVE-2023-5521, please upgrade as soon as possible; credits to qwerty472123@github!
2. [SU] App Profile now supports templates!
3. [Module] Fixed the bug that the module directory may be accidentally umounted, causing the manager module directory to be empty.
4. [SU] Fixed the issue where the allowlist may be messed up after an app is uninstalled.
5. [Kernel] Add android14-5.15 and android14-6.1, supporting Pixel8 series.
6. [SU] App Profile’s capability no longer requires CAP_DAC_READ_SEARCH and can run without any capability.
7. [Kernel] Fixed the bootloop issues when working with Magisk.

https://github.com/tiann/KernelSU/releases/tag/v0.7.2

- [SU] Fixed the issue of incorrect allowlist after an app with root permissions is uninstalled.
- [SU] Fixed an issue that caused bootloop when uninstalling an application in multi-user after being granted root permissions.
- [kernel] Support Linux kernel version 6.4.
- [Module] Fixed the problem of non-standard module.prop causing module directory confusion.
- [Module] Update busybox to 1.36.1.
- [Module] Support using /debug_ramdisk as temporary directory.
- [Security] Strengthen signature verification to avoid root privileges being taken over when using unofficial managers (CVE-2023-49794).

Although I am not sure what has transpired, as someone who has also been the target of malicious slander, I understand and support the decision of the LSPosed developers.

For a long time, the module functionality of Magisk / KernelSU was limited to executing boot scripts and modifying system files. Now, we are exploring the possibility of endowing modules with the capability to display UI interfaces!

Previously, after installing some modules, users needed to configure them either through the command line or by directly modifying configuration files in specific locations. Clearly, this process was quite inconvenient for users. At times, in order to configure settings, it was even necessary to write a separate app. With the ability for modules to display interfaces, these issues could become a thing of the past.

Moreover, the display interface can be used for more than just configurations. You have the freedom to present anything you'd like to showcase and interact with the user.

The current interface is implemented through WebUI. You can create HTML pages using any web technology and place them in the module's webroot directory. After the module is installed, users can access this page through the KernelSU manager's list of modules. KernelSU also provides a JavaScript library to facilitate interaction with the system.

However, these trials are still in their infancy, and the jsapi is not yet stable. We welcome your feedback!

KernelSU version 0.8.0 use sparse image to storage module files. If you do not wait patiently for the module installation process to end after upgrading (it takes time to migrate the old version to the new version), but forcefully stop the process and then switch to the old version of the manager, then serious problems will occur at this time.

Because the old version of the manager cannot handle sparse image, it treats sparse files as ordinary files, and one copy is enough to use up all the storage space on your phone.

If you switch to an old manager version, be sure to delete /data/adb/ksu/modues.img and /data/adb/ksu/modules_update.img!

https://github.com/tiann/KernelSU/releases/tag/v0.8.1

And the webui docs

KernelSU now supports installation through kernel modules (LKM) (GKI Only), you can use it with official kernels or third-party kernels; at the same time, the manager has also added installation functionality, you can choose to patch files, install directly, or install after OTA. Regarding the new LKM installation method, there are some tips:

1. LKM does not support non-GKI kernels, and will not support them in the future;
2. When patching files, if the init_boot partition exists, you should choose to patch init_boot; otherwise, patch boot;
3. If you have already installed the GKI kernel provided by KernelSU and want to switch to the LKM method, you need to flash back to the stock kernel; if your device has an init_boot partition, you can directly flash back to the stock boot;
4. The installation method of GKI kernel and LKM will always exist, use whichever you like; in the future, it will also support flashing GKI kernel in the manager.

https://github.com/tiann/KernelSU/releases/tag/v0.9.0

https://github.com/tiann/KernelSU/releases/tag/v0.9.2

- [manager]: Support offline patching of the kernel.
- [kernel]: Fix issue with ColorOS.
- [kernel]: Hide traces of LKM in user space.
- [manager]: Fix possible errors during OTA upgrades.