Kernel Assisted Superuser (KernelSU) – The Final Frontier for SafetyNet and an Essential Developer Tool
Root is very special to us at XDA. It allows users to take control of their devices and add features that aren’t always available, such as call recording, themes and advanced battery monitoring. There have been a few root implementations through the years, with the most popular likely being SuperSU. Recently though, with the introduction of SafetyNet and increasing restrictions on rooted devices, Magisk has been the root implementation of choice, as its Magisk Hide feature allows users to effectively hide the fact that they have root from apps such as Netflix and Google Pay. However, the implementation and functionality of Magisk Hide is very much a cat-and-mouse game of Google patching it and Magisk working around that patch.
Magisk runs in what’s known as userspace. This is also where most programs on your phone run, whether they be games, music players, or fitness trackers. It’s the user-facing “space” of the device’s operating system. Userspace is also where most of the battle for Magisk Hide takes place. Unfortunately, as time goes on, and Google patches more and more of Magisk Hide’s methods, there’s less and less space left to hide. In the future, Magisk could lose the ability to hide root completely.
Planning for this eventuality, XDA Recognized Developer zx2c4 (Jason Donenfeld), known here on XDA for his work on WireGuard and the discovery of a OnePlus bootloader vulnerability, has created Kernel Assisted Superuser (KernelSU).
Unlike Magisk, KernelSU embeds the ability to gain root into the kernel itself. Here, it hijacks system calls to trick the shell into thinking /system/bin/su exists on the device, when it actually doesn’t. It then executes commands run with su as if they were normal commands, but with root privileges. This process cannot be prevented by SELinux—the kernel can even disable SELinux if it wants to—and the ability to hide root status from userspace, and therefore SafetyNet, is almost limitless.
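Because the kernel, not a file on disk, is answering the shell’s questions about /system/bin/su, the views that userspace gets through different system calls can stop agreeing with each other. The following POSIX shell function is an added example, not code from the article or from the KernelSU project: it compares what directory enumeration reports with what a direct path lookup reports, which is the kind of cross-check a root-detection library might make when one call is intercepted and another is not. The function name and the assumption that a hidden binary would show up as a mismatch are my own.

```shell
#!/bin/sh
# check_su_consistency DIR NAME
#
# Compares two independent views of DIR/NAME:
#   1. directory enumeration (ls -A DIR), i.e. getdents() on the directory
#   2. a direct path lookup ([ -e DIR/NAME ]), i.e. stat() on the path
# Prints "consistent" when both views agree (the entry is present in both
# or absent from both) and "inconsistent" when they disagree, which is the
# signal a detection library would look for.  Returns 0 for consistent,
# 1 for inconsistent.  (Hypothetical helper; not part of KernelSU.)
check_su_consistency() {
  dir="$1"
  name="$2"
  listed=0
  lookup=0

  # View 1: does the directory listing contain the name?
  if [ -d "$dir" ] && ls -A "$dir" 2>/dev/null | grep -qx "$name"; then
    listed=1
  fi

  # View 2: does a direct path lookup succeed?
  if [ -e "$dir/$name" ]; then
    lookup=1
  fi

  if [ "$listed" -eq "$lookup" ]; then
    echo consistent
    return 0
  fi
  echo inconsistent
  return 1
}

# Usage on a device (the path is the one the article names):
#   check_su_consistency /system/bin su
```

On an ordinary system both views always agree, so the function reports "consistent" whether or not the file exists; a mismatch is only expected where something is answering one system call differently from another.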
KernelSU is far from complete, however. At the moment, there is no access control mechanism in place (think Magisk Manager). Because of this, KernelSU is currently most helpful to kernel developers rather than users. The process of building a kernel requires developers to constantly rebuild and load boot images to test and fix bugs and features, and having root makes this a lot easier. However, with root options such as Magisk or SuperSU, the boot image must be patched after every build for root to function, which can significantly impact the development process. KernelSU, on the other hand, is meant to be integrated at build-time, with no post-build patching needed. In order to make KernelSU integration easy for developers, a simple one-line command is available:
curl -LsS "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" | bash -
Once this is executed, KernelSU can be built into the kernel as part of the normal build process. That means that developers can build and test their kernels easily, without having to worry about adding root.
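The one-liner above pipes whatever the server returns straight into bash. As an added example, not code from the article or the KernelSU project, here is a POSIX shell wrapper that downloads the script to a file first, refuses to run it unless its SHA-256 matches a value pinned in advance, and only then executes it. The function names are my own, and the expected hash in the usage comment is a placeholder, since the article publishes none.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
# Uses sha256sum where available and falls back to shasum (macOS).
verify_sha256() {
  file="$1"
  expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# fetch_verify_run URL EXPECTED_HEX [DEST]
# 1. downloads URL to DEST (default ./fetch-and-patch.sh), failing on HTTP errors
# 2. checks the file against the pinned hash; on mismatch the file is kept
#    for inspection and nothing is executed
# 3. runs the verified file with sh
# Exit codes: 0 ran, 1 hash mismatch, 2 download failed.
fetch_verify_run() {
  url="$1"
  expected="$2"
  dest="${3:-./fetch-and-patch.sh}"

  curl -LsS --fail -o "$dest" "$url" || return 2
  verify_sha256 "$dest" "$expected" || return 1
  sh "$dest"
}

# Usage (hash is a placeholder; substitute the value you verified yourself):
#   fetch_verify_run \
#     "https://git.zx2c4.com/kernel-assisted-superuser/plain/fetch-and-patch.sh" \
#     "<sha256 of the reviewed fetch-and-patch.sh>"
```

Pinning the hash means a later change to the script, whether by the author or by anyone between you and the server, stops the build step instead of silently running different code; the downloaded file also stays on disk, so it can be read before it is trusted.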
Although KernelSU is in its early days, and more work is needed to make it fully featured, it’s an interesting project. We spoke to Magisk creator, XDA Recognized Developer topjohnwu, about KernelSU, and he found it interesting as well, saying that, since KernelSU operates at the kernel level, Magisk Hide’s functionality would be much more reliable if added, and that it would be a “fun thing to implement.”