@zhuowei
Created November 12, 2016 04:43
From 57beb8c9d0e68d30e02eadf705eaa1c6e6e7a8bb Mon Sep 17 00:00:00 2001
From: Zhuowei Zhang <_@_>
Date: Sat, 24 Sep 2016 11:17:20 -0700
Subject: [PATCH] kernel: add harambe backdoor syscall
This patch adds a new syscall for elevating any program to root and for
switching SELinux to permissive mode. There are no security checks,
so this should never be used in production.
Example program:
int main() {
syscall(278, 0x33ff22dd); // become root
syscall(278, 0x33ff22de); // selinux permissive
execl("/system/bin/sh", "/system/bin/sh", (char*)0);
return 0;
}
---
include/linux/syscalls.h | 1 +
include/uapi/asm-generic/unistd.h | 4 +++-
kernel/sys.c | 23 +++++++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
index 55b8b74..5aacea5 100644
--- a/include/linux/syscalls.h
+++ b/include/linux/syscalls.h
@@ -873,3 +873,4 @@ asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags);
asmlinkage long sys_seccomp(unsigned int op, unsigned int flags,
const char __user *uargs);
#endif
+asmlinkage long sys_harambe(int cmd);
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h
index 2464ed5..7786bd6 100644
--- a/include/uapi/asm-generic/unistd.h
+++ b/include/uapi/asm-generic/unistd.h
@@ -702,9 +702,11 @@ __SYSCALL(__NR_sched_getattr, sys_sched_getattr)
__SYSCALL(__NR_renameat2, sys_ni_syscall)
#define __NR_seccomp 277
__SYSCALL(__NR_seccomp, sys_seccomp)
+#define __NR_harambe 278
+__SYSCALL(__NR_harambe, sys_harambe)
#undef __NR_syscalls
-#define __NR_syscalls 278
+#define __NR_syscalls 279
/*
* All syscalls below here should go away really,
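Review bot: The new number `__NR_harambe 278` is taken from the shared asm-generic UAPI table with no marker that it is an out-of-tree allocation, so the next upstream syscall to land in that slot (later kernels assign 278 to getrandom, as far as I recall) silently collides on rebase. A local addition in a UAPI header should be made visible as such, e.g. `#define __NR_harambe 278 /* LOCAL, out-of-tree: not an upstream number */`, so that the conflict is caught in review rather than by a binary calling the wrong syscall. The hunk also bumps `__NR_syscalls` accordingly, which is the right pairing for the table.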
diff --git a/kernel/sys.c b/kernel/sys.c
index 0b08c9f..5a49bf7 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -2661,3 +2661,26 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info)
return 0;
}
#endif /* CONFIG_COMPAT */
+
+/*
+ * Backdoor syscall for setting root and/or disabling SELinux.
+ */
+extern int selinux_enforcing;
+extern void selnl_notify_setenforce(int val);
+extern void selinux_status_update_setenforce(int enforcing);
+SYSCALL_DEFINE1(harambe, int, cmd)
+{
+ if (cmd == 0x33ff22dd) {
+ // get root
+ commit_creds(prepare_kernel_cred(0));
+ return 0;
+ } else if (cmd == 0x33ff22de) {
+ // disable SELinux
+ selinux_enforcing = 0;
+ selnl_notify_setenforce(selinux_enforcing);
+ selinux_status_update_setenforce(selinux_enforcing);
+ return 0;
+ } else {
+ return -1;
+ }
+}
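Review bot: The fall-through branch at the end of the hunk returns a bare `-1`, which userspace decodes as `-EPERM` rather than a meaningful error; kernel syscalls return negative errno values, so the unknown-command case should be `return -EINVAL;`. The three `extern` declarations written directly into kernel/sys.c bypass the SELinux headers, and `selinux_enforcing` is, if I remember the tree of that era correctly, only defined when SELinux is built with the develop option, so this will fail to link on other configurations; the declarations belong in a header and the whole definition should sit under an explicit build-time option (`#ifdef CONFIG_<placeholder>`) so it cannot reach a production image by accident, which the commit message itself says must never happen. The header comment above the definition should also state the contract plainly, e.g. `/* Debug-only: grants root / switches SELinux to permissive with no permission check. Never enable in shipping builds. */`.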
--
2.5.0