diff --git a/kernel/include/preset.h b/kernel/include/preset.h
index ba7471f..8165819 100644
--- a/kernel/include/preset.h
+++ b/kernel/include/preset.h
@@ -98,6 +98,10 @@ _Static_assert(sizeof(map_symbol_t) == MAP_SYMBOL_SIZE, "sizeof map_symbol_t mis
 #endif
 
 #ifndef __ASSEMBLY__
+
+#define PATCH_CONFIG_SU_ENABLE 0x1
+#define PATCH_CONFIG_SU_HOOK_NO_WRAP 0x2
+
 struct patch_config
 {
     union
@@ -119,6 +123,8 @@ struct patch_config
             uint64_t avc_denied;
             uint64_t slow_avc_audit;
             uint64_t input_handle_event;
+
+            uint8_t patch_su_config;
         };
         char _cap[PATCH_CONFIG_LEN];
     };
diff --git a/kernel/patch/android/sepolicy_flags.c b/kernel/patch/android/sepolicy_flags.c
index 2875c89..fa17b08 100644
--- a/kernel/patch/android/sepolicy_flags.c
+++ b/kernel/patch/android/sepolicy_flags.c
@@ -21,11 +21,17 @@
 /*
  * @see: https://android-review.googlesource.com/c/kernel/common/+/3009995
  */
+
+static void before_policydb_write(hook_fargs2_t *args, void *udata)
+{
+    struct _policy_file *fp = (struct _policy_file *)args->arg1;
+    args->local.data0 = (uint64_t)fp->data;
+}
+
 static void after_policydb_write(hook_fargs2_t *args, void *udata)
 {
     struct _policydb *p = (struct _policydb *)args->arg0;
-    struct _policy_file *fp = (struct _policy_file *)args->arg1;
-    char *data = fp->data;
+    char *data = (char *)args->local.data0;
 
     if (!args->ret) {
         __le32 *config = (__le32 *)(data + POLICYDB_CONFIG_OFFSET);
@@ -46,7 +52,7 @@ int android_sepolicy_flags_fix()
     unsigned long policydb_write_addr = kallsyms_lookup_name("policydb_write");
 
     if (likely(policydb_write_addr)) {
-        hook_err_t err = hook_wrap2((void *)policydb_write_addr, 0, after_policydb_write, 0);
+        hook_err_t err = hook_wrap2((void *)policydb_write_addr, before_policydb_write, after_policydb_write, 0);
         if (unlikely(err != HOOK_NO_ERR)) {
             log_boot("hook policydb_write_addr: %llx, error: %d\n", policydb_write_addr, err);
 
diff --git a/kernel/patch/common/sucompat.c b/kernel/patch/common/sucompat.c
index 1e31b60..0911bd8 100644
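Review bot: The two new `PATCH_CONFIG_SU_*` macros carry no comment saying which field they belong to or that they are independent bit masks, and the negated name `PATCH_CONFIG_SU_HOOK_NO_WRAP` is easy to misread at a use site where the bit is tested into a positively named variable. A one-line comment above them settles both: `/* bit flags of struct patch_config::patch_su_config; NO_WRAP set means the su hook is installed without the wrap path */` — adjust the second clause if that is not the intended meaning, since nothing in the hunk defines it.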
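Review bot: `patch_su_config` is appended to a struct that shares a union with `char _cap[PATCH_CONFIG_LEN]`, and nothing checks that the field list still fits inside `PATCH_CONFIG_LEN`; if the fields ever outgrow the cap the union silently grows and the fixed layout the cap presumably pins (the struct looks like it is read from a preset image) no longer matches the producer. The header already uses `_Static_assert` for `map_symbol_t`, so the same guard fits after the struct: `_Static_assert(sizeof(struct patch_config) == PATCH_CONFIG_LEN, "sizeof patch_config mismatch");`. Whether `PATCH_CONFIG_LEN` is an exact size or an upper bound is not visible here, so `<=` may be the intended relation; the struct's closing brace lies outside the hunk.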
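Review bot: `before_policydb_write` stores `fp->data` without a word on why the pointer has to be captured before the call, and `after_policydb_write` now depends on that hand-off through `args->local.data0`, so a reader of either hook alone cannot see the pairing. Presumably `policydb_write` advances `fp->data` as it writes, so reading it afterwards no longer points at the start of the buffer; if that is the reason, state it above the new hook: `/* policydb_write advances fp->data as it writes; keep the buffer start in args->local.data0 for the after hook */`. The second hunk in this file only passes the new hook to `hook_wrap2` and needs no separate change; `after_policydb_write` continues past the hunk.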
--- a/kernel/patch/common/sucompat.c
+++ b/kernel/patch/common/sucompat.c
@@ -39,6 +39,7 @@
 #include
 #include
 #include
+#include
 
 const char sh_path[] = SH_PATH;
 const char default_su_path[] = SU_PATH;
@@ -451,19 +452,21 @@ static void su_handler_arg1_ufilename_before(hook_fargs6_t *args, void *udata)
         int cplen = 0;
 #ifdef TRY_DIRECT_MODIFY_USER
         cplen = compat_copy_to_user(*u_filename_p, sh_path, sizeof(sh_path));
-#endif
         if (cplen > 0) {
             args->local.data0 = cplen;
             args->local.data1 = (uint64_t)*u_filename_p;
             logkfi("su uid: %d, cp: %d\n", uid, cplen);
         } else {
+#endif
             void *uptr = copy_to_user_stack(sh_path, sizeof(sh_path));
             if (uptr && !IS_ERR(uptr)) {
                 *u_filename_p = uptr;
             } else {
                 logkfi("su uid: %d, cp stack error: %d\n", uid, uptr);
             }
+#ifdef TRY_DIRECT_MODIFY_USER
         }
+#endif
     }
 }
 
@@ -496,6 +499,11 @@ int su_compat_init()
 
     hook_err_t rc = HOOK_NO_ERR;
 
+    uint8_t su_config = patch_config->patch_su_config;
+    bool enable = su_config & PATCH_CONFIG_SU_ENABLE;
+    bool wrap = su_config & PATCH_CONFIG_SU_HOOK_NO_WRAP;
+    log_boot("su config, enable: %d, wrap: %d\n");
+
     rc = hook_syscalln(__NR_execve, 3, before_execve, after_execve, (void *)0);
     log_boot("hook __NR_execve rc: %d\n", rc);
 
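Review bot: With `TRY_DIRECT_MODIFY_USER` undefined, `int cplen = 0;` on the first line of the `su_handler_arg1_ufilename_before` hunk is now declared and never read, because every use of it moved inside the `#ifdef`; that is an unused-variable warning on every build of that configuration. Moving the declaration under the guard, `#ifdef TRY_DIRECT_MODIFY_USER` / `int cplen = compat_copy_to_user(*u_filename_p, sh_path, sizeof(sh_path));`, removes it without changing either configuration. Pre-existing but on the new side: the stack-error `logkfi` passes the pointer `uptr` to a `%d` conversion, which is a format/argument mismatch; logging `PTR_ERR(uptr)` with `%ld` would match the `IS_ERR` check just above it. The enclosing function starts before the hunk.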
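Review bot: `log_boot("su config, enable: %d, wrap: %d\n");` in the `su_compat_init` hunk supplies two `%d` conversions but no arguments, so the call reads two varargs that were never passed — undefined behavior and garbage in the boot log; it should be `log_boot("su config, enable: %d, wrap: %d\n", enable, wrap);`. `wrap` is also assigned from `PATCH_CONFIG_SU_HOOK_NO_WRAP`, so a true value means the hook is not wrapped; naming it `no_wrap` keeps the log line and any later branch on it honest. Neither `enable` nor `wrap` is consumed inside the hunk, and the function continues past it, so I cannot tell here whether the flags actually gate anything yet. `bool` needs `<stdbool.h>` in scope; the `#include` added in this file's first hunk has lost its target in this rendering, so I cannot confirm that is what provides it.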