On 12/07/2015 04:28 AM, 심현용 wrote:
> Dear all,
>
> I have another question about setcon and setenforce. In Lollipop, init can use setcon and setenforce in init.rc's early-init, like this:
>
>     on early-init
>         # Set init and its forked children's oom_adj.
>         write /proc/1/oom_score_adj -1000
>
>         # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
>         write /sys/fs/selinux/checkreqprot 0
>
>         # Set the security context for the init process.
>         # This should occur before anything else (e.g. ueventd) is started.
>         setcon u:r:init:s0
>
> But from M OS, it was deleted. I think that if it was deleted, it would operate in the kernel domain. But in M OS, it operates in the init domain. In the case of M OS, how do you change the domain from kernel to init in init.rc without setcon u:r:init:s0?
>
> Kingroot.apk uses the init domain via a kernel vulnerability; it will change untrusted_app to the init domain, and then use setenforce and setcon.
In M, init was changed to re-exec itself to cause an automatic domain transition rather than relying on setcon. Likewise, the setenforce call was moved from init.rc into the init code.

In any event, that isn't relevant to a kernel exploit; the kernel exploit can just directly set the SID in the credential structure of the current task to whatever SID it wants. See the CVE-2015-3636 PoC for example.
