On Dec 7, 2015 5:34 PM, "심현용" <[email protected]> wrote:
>
> Dear William and Stephen.
>
> Thank you for your reply.
>
> I understand that when the kernel executes init_exec, it will change from kernel to init.
>
> Dear Stephen.
>
> My source already applied the CVE-2015-3636 patch, but it is still rooted by KingRoot.apk.
>
> I think it is using another vulnerability.

Kingroot attempts a bunch of vulnerabilities based on what the server tells the app. So you have to have safeguards for all of them, i.e. security patches.

>
> I will check another CVE patch...
>
> Thanks for your recommendation.
>
>
> Thanks
>
>
> 2015-12-08 0:42 GMT+09:00 Stephen Smalley <[email protected]>:
>>
>> On 12/07/2015 04:28 AM, 심현용 wrote:
>>>
>>> Dear all
>>>
>>> I have more questions about setcon, setenforce.
>>>
>>> At Lollipop, init can use setcon, setenforce in init.rc's early-init
>>> like that..
>>>
>>> on early-init
>>>     # Set init and its forked children's oom_adj.
>>>     write /proc/1/oom_score_adj -1000
>>>
>>>     # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
>>>     write /sys/fs/selinux/checkreqprot 0
>>>
>>>     # Set the security context for the init process.
>>>     # This should occur before anything else (e.g. ueventd) is started.
>>>     setcon u:r:init:s0
>>>
>>> But from M OS, it was deleted.
>>>
>>> I think, if it was deleted, it would operate in the kernel domain.
>>> But, in M OS, it operated in the init domain.
>>>
>>> In case of M OS, how to change domain kernel to init in init.rc except
>>> setcon u:r:init:s0?
>>> Kingroot.apk uses the init domain via a kernel vulnerability; it will change
>>> untrusted_app to the init domain, and then use setenforce and setcon.
>>
>>
>> In M, init was changed to re-exec itself to cause an automatic domain transition rather than relying on setcon. Likewise, the setenforce call was taken from init.rc to the init code.
>>
>> In any event, that isn't relevant to a kernel exploit; the kernel exploit can just directly set the SID in the credential structure of the current task to whatever SID it wants. See the CVE-2015-3636 poc for example.
>>
>>
>
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to [email protected].
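A defender-side check that follows from this thread, added here as an example and not part of the list discussion or of AOSP: it reads the same files the quoted init.rc used to write (checkreqprot, enforce) plus init's own context from /proc/1/attr/current, and reports whether PID 1 actually runs in the init domain (the exec transition Stephen describes), whether SELinux is enforcing, and whether strict PROT_EXEC checking is on. The function names audit_selinux, read_attr and selinux_type are this example's own; it assumes a POSIX sh with cut and tr (toybox on Android provides both), and takes a root prefix so it can be exercised against a constructed directory tree as well as against a live device.

```shell
#!/bin/sh
# Added example, not from the thread or from AOSP: audit the SELinux state
# that the discussion above expects on an Android M device.
# Usage on a device (assumption: adb shell provides sh/cut/tr):
#   sh audit_selinux.sh /
# The first argument is a prefix, so a fake tree works for offline testing.

# Third field of an SELinux context string, e.g. "u:r:init:s0" -> "init".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read a small file, dropping the trailing NUL that /proc/*/attr/current
# carries and any newline; print nothing if the file is unreadable so the
# caller can treat "" as a finding instead of aborting.
read_attr() {
    if [ -r "$1" ]; then
        tr -d '\000\n' < "$1"
    fi
}

# audit_selinux ROOT
# Prints one line per check and returns 0 only when every check passes.
audit_selinux() {
    root="${1%/}"   # "/" becomes "", "/tmp/fake/" becomes "/tmp/fake"
    rc=0

    # 1. init must run in the init domain, not in the kernel domain it
    #    started in; on M this is the result of init re-exec'ing itself.
    init_ctx=$(read_attr "$root/proc/1/attr/current")
    if [ "$(selinux_type "$init_ctx")" = "init" ]; then
        echo "OK   pid 1 context is $init_ctx"
    else
        echo "FAIL pid 1 context is '${init_ctx:-unreadable}', expected type init"
        rc=1
    fi

    # 2. SELinux must be enforcing (the setenforce that moved into init code).
    enforce=$(read_attr "$root/sys/fs/selinux/enforce")
    if [ "$enforce" = "1" ]; then
        echo "OK   SELinux is enforcing"
    else
        echo "FAIL SELinux enforce='${enforce:-unreadable}' (permissive or disabled)"
        rc=1
    fi

    # 3. checkreqprot=0 means PROT_EXEC is checked on the protections the
    #    kernel actually applies, not merely on what the caller requested.
    checkreqprot=$(read_attr "$root/sys/fs/selinux/checkreqprot")
    if [ "$checkreqprot" = "0" ]; then
        echo "OK   checkreqprot=0 (strict PROT_EXEC checking)"
    else
        echo "FAIL checkreqprot='${checkreqprot:-unreadable}', expected 0"
        rc=1
    fi

    return $rc
}

# Only touch the live system when a root prefix is given on the command line.
if [ $# -ge 1 ]; then
    audit_selinux "$1"
fi
```

A non-zero exit from audit_selinux is the signal to investigate: a PID 1 context whose type is not init, or enforce/checkreqprot not at the expected values, means the protections the thread relies on are not in place on that build.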
