
About Closing SELinux

Open YeJZ opened this issue 3 years ago • 3 comments

Hi, here is my reproduced exploit on Pixel 6:

(screenshot)

I noticed that we need to manually execute setenforce 0 after using magisk to escalate to ROOT.

But in mymod.c, I see that the KO file already has the code to set SELINUX to Permissive mode.

(screenshot)

Why do we need to manually set setenforce to 0 when selinux is already set to permissive in the KO file?

YeJZ, Apr 26 '22 11:04

Because you are in a permissive domain. A permissive domain means permissive mode only while you are in that domain. The kernel module puts vendor_modprobe into a permissive domain.

You need setenforce 0 if you want all domains on the system to be permissive. But I don't think you need that, because u:r:magisk:s0 is also a permissive domain. When you run the su command, all operations are executed in the permissive domain.

polygraphene, Apr 26 '22 14:04
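The distinction above (a single permissive domain versus a globally permissive system) is visible in the kernel's AVC log lines: each denial carries `permissive=1` when the source domain is permissive, even while `getenforce` still reports Enforcing. The following is an added example, not code from the DirtyPipe-Android repository or from the thread; the log lines are constructed in the shape Android logs them, and the tool reads `/sys/fs/selinux/enforce` (or a caller-supplied flag) to tell the two situations apart.

```python
import re

# Constructed sample AVC lines (not taken from the page) in the format Android's
# logcat/dmesg shows them; the domains mirror the ones discussed in the thread.
SAMPLE_LOG = """\
avc: denied { write } for pid=412 comm="modprobe" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=1
avc: denied { read } for pid=1000 comm="app_process" name="mem" dev="tmpfs" ino=9 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { setattr } for pid=777 comm="su" name="bin" dev="dm-0" ino=22 scontext=u:r:magisk:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'avc: denied \{ (?P<perms>[^}]+)\} .*?scontext=(?P<scon>\S+) '
    r'.*?tclass=(?P<tclass>\S+) permissive=(?P<perm>[01])'
)

def parse_avc(line):
    """Parse one AVC denial line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Source context looks like u:r:<domain>:s0[:categories]; the domain is field 3.
    domain = m.group("scon").split(":")[2]
    return {
        "domain": domain,
        "perms": m.group("perms").split(),
        "tclass": m.group("tclass"),
        "permissive": m.group("perm") == "1",
    }

def global_enforcing():
    """Read the global mode from selinuxfs; assume Enforcing if it is not mounted."""
    try:
        with open("/sys/fs/selinux/enforce") as f:
            return f.read().strip() == "1"
    except OSError:
        return True

def classify(log_text, enforcing):
    """Map each source domain seen in the log to how its denials were treated."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if not enforcing:
            status = "global permissive (setenforce 0): nothing is enforced"
        elif rec["permissive"]:
            status = "permissive domain: denial logged but not enforced"
        else:
            status = "enforced"
        result[rec["domain"]] = status
    return result

if __name__ == "__main__":
    for domain, status in classify(SAMPLE_LOG, global_enforcing()).items():
        print(f"{domain}: {status}")
```

A `permissive=1` denial on a device whose global mode is Enforcing is the signature of a permissive domain, which is what the kernel module in this thread creates.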

OK. I see a lot of chcon commands in the script named Start-Root, so that is the reason that u:r:magisk:S0 is a permissive domain, right? And we can execute the chcon command only if we are already in a permissive domain; that's why we need to put vendor_modprobe into a permissive domain first.

YeJZ, Apr 26 '22 15:04

OK. I see a lot of chcon commands in the script named Start-Root, so that is the reason that u:r:magisk:S0 is a permissive domain, right?

Yes.

And we can execute the chcon command only if we are already in a permissive domain; that's why we need to put vendor_modprobe into a permissive domain first.

Yes.

polygraphene, Apr 27 '22 05:04