KernelSU now has a safe mode(kernel and manager version 10606+ required):

Press the volume down key more than three times when device boot (note that it is press-release, press-release, press-release, not keep pressing all the time)

All modules will be disabled in safe mode, you can fix problematic modules at this time.

v0.3.9 Changelog:

1. Fix incorrect file permission of modules.
2. Fix vendor/product overlay bootloop on some devices.
3. Fix common scripts are not executed properly.
4. Some UI fixes.

Both manager and kernel can be downloaded from release: https://github.com/tiann/KernelSU/releases/tag/v0.3.9

It is recommended to use KernelFlasher(or other Kernel Manager) to update KernelSU if you are on old version: https://github.com/capntrips/KernelFlasher/releases/tag/v1.0.0-alpha13

docs for KernelSU module is here: https://kernelsu.org/guide/module.html

Many thanks to Magisk’s great docs and ChatGPT!

v0.4.1 Changelog:

1. Module supports REPLACE and REMOVE now, check details here: https://kernelsu.org/guide/module.html#system-directory
2. Common scripts are moved to /data/adb/post-fs-data.d and /data/adb/service.d.

And we have a doc for Rescue from bootloop: https://kernelsu.org/guide/rescue-from-bootloop.html

Changelog for version 0.5.0:

1. The "su" command in KernelSU is now compatible with MagiskSU, supporting parameters such as -v, -V, --mount-master/-mm, --preserve-environment/-p, etc. Many root apps that depend on MagiskSU should now be able to run in KernelSU.
2. The mount point for module updates has been changed to be consistent with Magisk: /data/adb/modules_update.
3. Kernel 5.10 and above will by default unmount files mounted by modules for applications without authorized su permissions .
4. Fixed an issue with side-channel attacks detecting KernelSU.

Note: The Kernel and Manager must be upgraded together, otherwise "su" may not work properly.

If you're curious why KernelSU's CI and Release lack many kernel versions since v0.5.0, It is suggested to take a look at the official documentation about KMI: https://kernelsu.org/guide/installation.html#kmi. For example, android12-5.10.101 can be used directly with the android12-5.10.160 version.

Changelog for v0.5.2:

1. Fix the issue that the module system may conflict with the stock mounts of the system, causing the bootloop.
2. Fix the reboot issue that may be caused by using the manager on Meizu devices.
3. Fix the failure of the built-in sepolicy patch on some devices.

https://github.com/tiann/KernelSU/releases/tag/v0.5.2

Changelog for v0.5.3:

1. Refactored module mounting to fix several mounting issues. by @a13e300 .
2. Added support for granting root permissions to apps in work profile.
3. Added a confirmation dialog when granting root access.
4. Improved bugreport.

https://github.com/tiann/KernelSU/releases/tag/v0.5.3

Changelog for v0.5.7:

1. Translations for several languages.
2. Fixed a bug where REPLACE in modules may not take effect.
3. Fixed an issue where x86_64 devices may not work.
4. Fixed some issues with module mounting.

https://github.com/tiann/KernelSU/releases/tag/v0.5.7

KernelSU is going to develop a feature called the "App Profile", which consists of three parts:

1. Root Authorization: granting specified applications access to root permissions
2. Blacklist and Whitelist: providing a list of modules to mount or hide
3. Root Profile

The Root Profile can be used to restrict applications that already have root privileges.

Root permissions can actually be divided into several aspects:

- UID and GID
- Groups
- Capabilities
- SELINUX

In all previous root implementations, permissions in these aspects have been unlimited. This means that a firewall app could format your phone and delete all data, even though it only needed network management privileges; a file manager app could implant viruses, load kernel modules, and hide itself, even though it only needed full file access permissions. There are many similar examples. Imagine hiring a cleaner to tidy up your house, only for them to open your safe and transfer all your possessions away. In fact, most root apps only need a very small subset of root permissions. Why should we grant them unrestricted root privileges?

The Root Profile aims to solve this problem by granting applications restricted root permissions based on appropriate identification, groups, capabilities, and a series of SELinux rules. You can customize the rules yourself or use rules created by others. Of course, if you want to use unrestricted root permissions, there is no problem.

This feature is still in development, and we welcome any feedback and suggestions!

Credits to @nu11ptr @Ylarod for the ideas!

Forget to tell everyone, the App Profile feature has been preliminarily working and has been released for a while, you can download and experience it on the github release page: https://github.com/tiann/KernelSU/releases/tag/v0.6.0.

In addition, the patch made by arter97 to optimize the performance of KernelSU was also merged today (previously delayed due to code conflicts with new features). Many thanks to arter97 for his contributions!

PS. After upgrading to the version that supports App Profile, the list of superusers will be reset, so you will need to re-authorize. Please don't be surprised!

ChromeOS's CI has also been added, if you are interested in using KernelSU on ChromeOS, you can check here: https://github.com/tiann/KernelSU/issues/637

v0.6.1 changelog:

1. Support online updates for modules and manager.
2. Fix the potential issue of umount failing.
3. Harden the signature verification of the manager.

Download

The docs of App Profile is online now: https://kernelsu.org/guide/app-profile.html

v0.6.6 Changelog:

- [Manager] Lots of translation updates in many languages, thanks to all developers who contributed on Weblate.
- [Manager] Fixed a bug where module list doesn't show in manager under some cases.
- [Module] Boot scripts now support a new boot stage boot-completed, which will run after system finished booting, available for both common and module scripts.
- [Kernel] Kernel tasks are now queued and run in a global single thread, to avoid timing issues causing su allowlist mixup.
- [Module] Fixed a bug where flashing large modules could fail.
- [Manager] Optimized log output when installing modules in manager, UI only shows concise logs while saving detailed logs to file.
- [Module] Uninstalling modules is now delayed until next reboot, avoiding potential incomplete uninstall.
- [Manager] Added loading spinner for module operations in manager.
- [Module] Fixed a bug where common post-fs-data scripts don't run if no modules installed.
- [Manager] Fixed some untcentered prompt texts in manager.
- [SU] Fixed incorrect parameter parsing in su.
- [Manager] Module install log now auto-scrolls to bottom in manager.
- [Manager] Module install screen now automatically mutes system volume keys for module volume key selection.
- [Manager] Refreshes module list after install to avoid user confusion.
- [Kernel] Fixed keyring not installed correctly on 4.9 kernels causing modules not working.
- [Module] SELinux context of module dirs are fixed automatically on boot, avoiding some boot failures.

Download

To those concerned about KernelSU's security:

Today's KernelSU has come a long way from the original KernelSU created by zx2c4 several years ago(kernel-assisted-superuser), and the issues back then have been addressed:

1. We now have authorization management, so we can control which apps can use Root instead of any app being able to use Root without user awareness like before.
2. We use signature verification for manager authentication instead of package name verification. Signatures can't be spoofed like package names.
3. We've also added features like App Profiles to restrict Root privileges.

Additionally, we welcome any security researchers to discuss KernelSU's potential attack surfaces with us. We will spare no effort to improve KernelSU's security.